Daily Archives: January 7, 2020

Malware in the Cloud: Protecting Yourself Based on Your Cloud Environment

In some ways, the cloud has made security management easier, as many cloud providers have taken the responsibilities traditionally associated with local server management out of your hands. But in other ways, the security management conversation has become more confusing for decision makers, as “cloud” is a very broadly defined term and could speak to […]

The post Malware in the Cloud: Protecting Yourself Based on Your Cloud Environment appeared first on The State of Security.

From Good to Great – Building on ICS Security Basics

Most industrial organizations are behind the curve when it comes to cybersecurity, facing mounting complexities like the IIoT, the skills gap and the IT/OT divide. But what about industrial organizations that are already taking steps in the right direction and need to know what awaits them on the horizon? What practical next steps can your […]

The post From Good to Great – Building on ICS Security Basics appeared first on The State of Security.

VERT Threat Alert: Citrix NetScaler/ADC Critical Flaw (CVE-2019-19781)

Vulnerability Description: Citrix has indicated that an unauthenticated attacker can exploit this flaw to perform arbitrary code execution. Although details from Citrix are minimal, VERT’s research has identified three vulnerable behaviors which combine to enable code execution attacks on the NetScaler/ADC appliance. These flaws ultimately allow the attacker to bypass an authorization constraint to create […]

The post VERT Threat Alert: Citrix NetScaler/ADC Critical Flaw (CVE-2019-19781) appeared first on The State of Security.

U.S. Federal Website Defaced by Pro-Iranian Hackers

A federal website was defaced with pro-Iranian messaging in what is believed to be retaliation for the U.S. drone strike that killed one of Iran’s top military commanders.

The Federal Depository Library Program’s website was hacked and defaced to include imagery of an Iranian flag and doctored photos of a bloodied Donald Trump.

“Martyrdom was [Suleimani’s] reward for years of implacable efforts,” said a message on the hacked site, referring to Iranian military commander Qasem Suleimani.

The messaging and imagery on the site was signed by the “Iran Cyber Security Group Hackers,” and promised further action.

While the Iranian government hasn’t claimed responsibility for the incident, it did promise a “crushing and powerful” response for Suleimani’s death. 

The hacked website comes on the heels of a National Terrorism Advisory System bulletin issued by the Department of Homeland Security warning of potential reprisals from Iran. 

“Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” said the bulletin.


The post U.S. Federal Website Defaced by Pro-Iranian Hackers appeared first on Adam Levin.

Threat hunting in Azure Advanced Threat Protection (ATP)

As members of Microsoft’s Detection and Response Team (DART), we’ve seen a significant increase in adversaries “living off the land” and using compromised account credentials for malicious purposes. From an investigation standpoint, tracking adversaries using this method is quite difficult as you need to sift through the data to determine whether the activities are being performed by the legitimate user or a bad actor. Credentials can be harvested in numerous ways, including phishing campaigns, Mimikatz, and key loggers.

Recently, DART was called into an engagement where the adversary had a foothold within the on-premises network, which had been gained through compromising cloud credentials. Once the adversary had the credentials, they began their reconnaissance on the network by searching for documents about VPN remote access and other access methods stored on a user’s SharePoint and OneDrive. After the adversary was able to access the network through the company’s VPN, they moved laterally throughout the environment using legitimate user credentials harvested during a phishing campaign.

Once our team was able to determine the initially compromised accounts, we were able to begin the process of tracking the adversary within the on-premises systems. Looking at the initial VPN logs, we identified the starting point for our investigation. Typically, in this kind of investigation, your team would need to dive deeper into individual machine event logs, looking for remote access activities and movements, as well as looking at any domain controller logs that could help highlight the credentials used by the attacker(s).

Luckily for us, this customer had deployed Azure Advanced Threat Protection (ATP) prior to the incident. By having Azure ATP operational prior to an incident, the software had already normalized authentication and identity transactions within the customer network. DART began querying the suspected compromised credentials within Azure ATP, which provided us with a broad swath of authentication-related activities on the network and helped us build an initial timeline of events and activities performed by the adversary, including:

  • Interactive logins (Kerberos and NTLM)
  • Credential validation
  • Resource access
  • SAMR queries
  • DNS queries
  • WMI Remote Code Execution (RCE)
  • Lateral Movement Paths

This data enabled the team to perform more in-depth analysis on both user and machine level logs for the systems the adversary-controlled account touched. Azure ATP’s ability to identify and investigate suspicious user activities and advanced attack techniques throughout the cyber kill chain enabled our team to completely track the adversary’s movements in less than a day. Without Azure ATP, investigating this incident could have taken weeks—or even months—since the data sources don’t often exist to make this type of rapid response and investigation possible.

Once we were able to track the user throughout the environment, we were able to correlate that data with Microsoft Defender ATP to gain an understanding of the tools used by the adversary throughout their journey. Using the right tools for the job allowed DART to jump start the investigation; identify the compromised accounts, compromised systems, other systems at risk, and the tools being used by the adversaries; and provide the customer with the needed information to recover from the incident faster and get back to business.
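
The investigation workflow described above (query the normalized identity data for a suspected account, build a timeline, trace lateral movement, list the hosts to pull endpoint telemetry for) can be shown on constructed data. The following is an added example and not Microsoft's or DART's code; the event schema, kind names, hosts and accounts are all assumptions constructed for illustration.

```python
"""Added example, not Microsoft's or DART's code: build an investigation
timeline from normalized identity events of the kinds the post lists
(Kerberos/NTLM logons, SAMR queries, WMI remote execution, resource access)
and derive the lateral-movement path of a suspected compromised account.
Every event, host and account name below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class IdentityEvent:
    time: datetime
    account: str
    source_host: str
    target_host: str
    kind: str  # logon_kerberos | logon_ntlm | samr_query | wmi_rce | resource_access


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2020-01-07 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample events, stored out of order as a collector might deliver them.
EVENTS = [
    IdentityEvent(_t("09:40"), "jdoe", "FS01", "SRV02", "wmi_rce"),
    IdentityEvent(_t("09:00"), "jdoe", "VPN-GW", "WS01", "logon_kerberos"),
    IdentityEvent(_t("09:20"), "jdoe", "WS01", "FS01", "logon_ntlm"),
    IdentityEvent(_t("09:25"), "jdoe", "WS01", "FS01", "resource_access"),
    IdentityEvent(_t("09:05"), "jdoe", "WS01", "DC01", "samr_query"),
    IdentityEvent(_t("09:10"), "asmith", "WS07", "FS01", "logon_kerberos"),
]

# Event kinds that put the account's session on a new host.
REMOTE_KINDS = {"logon_kerberos", "logon_ntlm", "wmi_rce"}


def account_timeline(events, account):
    """Chronological view of everything one account did (case-insensitive match)."""
    return sorted(
        (e for e in events if e.account.lower() == account.lower()),
        key=lambda e: e.time,
    )


def lateral_movement_path(timeline):
    """Ordered chain of hosts reached through remote logons or WMI execution.
    Consecutive events landing on the same target are collapsed into one hop."""
    path = []
    for e in timeline:
        if e.kind in REMOTE_KINDS and e.target_host != e.source_host:
            if not path or path[-1] != e.target_host:
                path.append(e.target_host)
    return path


def recon_indicators(timeline):
    """SAMR queries against a domain controller are a common enumeration signal."""
    return [e for e in timeline if e.kind == "samr_query"]


def hosts_at_risk(events, compromised_accounts):
    """Every host a compromised account touched, per account: the systems
    whose endpoint telemetry (e.g. Microsoft Defender ATP) should be triaged."""
    touched = defaultdict(set)
    for e in events:
        if e.account in compromised_accounts:
            touched[e.account].add(e.target_host)
    return {acct: sorted(hosts) for acct, hosts in touched.items()}


if __name__ == "__main__":
    tl = account_timeline(EVENTS, "jdoe")
    for e in tl:
        print(f"{e.time:%H:%M} {e.kind:15} {e.source_host} -> {e.target_host}")
    print("lateral movement:", " -> ".join(lateral_movement_path(tl)))
    print("hosts at risk:", hosts_at_risk(EVENTS, {"jdoe"}))
```

The point of `hosts_at_risk` is the hand-off the post describes: once the identity data has told you where the account went, the host list becomes the scope for endpoint-level analysis rather than having to search every machine's event log.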

Learn more and keep updated

Learn more about how DART helps customers respond to compromises and become cyber-resilient. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Threat hunting in Azure Advanced Threat Protection (ATP) appeared first on Microsoft Security.

An Overview of Zero Trust Architecture, According to NIST

NIST recently released a draft publication, SP 800-207: Zero Trust Architecture (ZTA), an overview of a new approach to network security.

While ZTA is already present in many cybersecurity policies and programs that sought to restrict access to data and resources, this document is intended to both “abstractly define” ZTA and provide more guidance on deployment models, uses cases and roadmaps to implementation.

What’s the problem they’re trying to solve? Agencies and enterprise networks have given authorized users broad access to resources, since they’ve traditionally focused on perimeter defenses. But that’s led to lateral movement within the network – one of the biggest security challenges for federal agencies.

Realistically, NIST recognizes that the migration to a ZTA is a journey rather than a wholesale replacement of an enterprise’s infrastructure. Most enterprises will likely continue to operate in a hybrid model, mixing zero trust and legacy modes, for a while as they continue their IT modernization investments.

And despite the misleading name, they state that ZTA is not a single network architecture, but rather a set of guiding principles.

The overall design denotes:

  • A shift away from wide network perimeters to a narrower focus on protecting individual or small groups of resources
  • No implicit trust is granted to systems based on their physical or network location

While traditional methods block attacks coming from the internet, they may not be effective at detecting or blocking attacks originating from inside the network.

ZTA seeks to focus on the crux of the issue, which NIST defines as two main objectives:

  1. Eliminate unauthorized access to data and services
  2. Make the access control enforcement as granular as possible

Zero Trust Architecture Tenets

NIST lists out a few conceptual guidelines that the design and deployment of a ZTA should align with (summarized for brevity below):

  1. All data and computing services are considered resources. For example, an enterprise might classify personally-owned devices as resources, if they’re allowed to access enterprise resources.
  2. All communication is secure regardless of network location. This means access requests from within the network must meet the same security requirements as those from outside of it, and communication must be encrypted and authenticated.
  3. Access to individual enterprise resources is granted on a per-connection basis. The trust of whatever is requesting access is evaluated before access is granted – authentication to one resource doesn’t automatically grant access to another resource.
  4. Access to resources is determined by policy, including the state of user identity and the requesting system, and may include other behavioral attributes. NIST defines ‘user identity’ as the network account used to request access plus any attributes the enterprise assigns to that account. A ‘requesting system’ refers to device characteristics (software versions, network location, etc.). ‘Behavioral attributes’ include user and device analytics and any deviations from baselined behavior patterns.
  5. The enterprise ensures all owned and associated systems are in the most secure state possible, while monitoring systems to ensure they remain secure. Enterprises need to monitor the state of systems and apply patches or fixes as needed – any systems discovered to be vulnerable or non-enterprise owned may be denied access to enterprise resources.
  6. User authentication is dynamic and strictly enforced before access is allowed. NIST refers to this as a ‘constant cycle of access’ of threat assessment and continuous authentication, requiring user provisioning and authorization (the use of MFA for access to enterprise resources), as well as continuous monitoring and re-authentication throughout user interaction.
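
To make the tenets concrete, here is an added example of a per-connection policy decision point that applies them; it is not NIST’s, Cisco’s or Duo’s code. The attribute names, thresholds and reason strings are assumptions made for illustration, and the subjects, devices and resources are constructed samples.

```python
"""Added example, not NIST's, Cisco's or Duo's code: a per-connection policy
decision point that applies the SP 800-207 tenets summarized above. The
attribute names, thresholds and reason strings are assumptions made for
illustration; the subjects, devices and resources are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    account: str
    groups: set
    mfa_verified: bool  # tenet 6: verified for this request, not once per session


@dataclass
class Device:
    device_id: str
    enterprise_owned: bool
    patch_age_days: int
    network_location: str  # "corp", "vpn" or "internet"; informational only (tenet 2)


@dataclass
class Behavior:
    deviation_score: float  # 0.0 = matches baseline, 1.0 = fully anomalous (tenet 4)


@dataclass
class Resource:
    name: str
    required_group: str
    max_patch_age_days: int = 30
    max_deviation: float = 0.7


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def evaluate(subject, device, behavior, resource):
    """Evaluate one access request against one resource (tenet 3: no grant
    carries over from any other resource). Network location is deliberately
    never consulted (tenet 2): a request from the corporate LAN gets exactly
    the same checks as one from the internet."""
    reasons = []
    if not subject.mfa_verified:  # tenet 6: dynamic, strictly enforced authentication
        reasons.append("mfa_required")
    if resource.required_group not in subject.groups:  # tenet 4: identity attributes
        reasons.append(f"not_in_group:{resource.required_group}")
    if not device.enterprise_owned:  # tenet 5: non-enterprise devices may be denied
        reasons.append("device_not_enterprise_owned")
    if device.patch_age_days > resource.max_patch_age_days:  # tenet 5: device posture
        reasons.append("device_unpatched")
    if behavior.deviation_score > resource.max_deviation:  # tenet 4: behavioral deviation
        reasons.append("behavior_anomalous")
    return Decision(allow=not reasons, reasons=reasons)


def evaluate_all(subject, device, behavior, resources):
    """One independent decision per resource; passing one grants nothing else."""
    return {r.name: evaluate(subject, device, behavior, r) for r in resources}


if __name__ == "__main__":
    alice = Subject("alice", {"hr"}, mfa_verified=True)
    laptop = Device("LT-0001", enterprise_owned=True, patch_age_days=5, network_location="corp")
    phone = Device("BYOD-0042", enterprise_owned=False, patch_age_days=60, network_location="corp")
    calm = Behavior(0.1)
    resources = [Resource("hr-portal", "hr"), Resource("finance-db", "finance")]
    for dev in (laptop, phone):
        for name, d in evaluate_all(alice, dev, calm, resources).items():
            print(f"{dev.device_id:10} {name:12} allow={d.allow} {d.reasons}")
```

Both devices in the demo sit on the corporate network, and that fact never helps them: the laptop is allowed into the HR portal on its own merits and denied the finance database for lack of the group, while the personally owned, unpatched phone is denied everything. Returning the list of reasons rather than a bare boolean is what makes the decision auditable and lets the enforcement point tell the user what to fix.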

Zero Trust Architecture Threats

What follows is a summary of some of the key potential ZTA threats listed in the publication:

Insider Threat

To reduce the risk of an insider threat, a ZTA can:

  • Prevent a compromised account or system from accessing resources outside of its intended use
  • Require MFA for network access, reducing the risk of access from a compromised account
  • Prevent compromised accounts or systems from moving laterally through the network
  • Use context to detect access activity outside of the norm and block the account’s or system’s access

To prevent the threat of unauthorized access, Duo provides MFA for every application, as part of the Cisco Zero Trust framework. An additional layer of identity verification can help mitigate attacker access using stolen passwords or brute-force attacks. That paired with Duo’s device insight and policies provides a solid foundation for zero trust for the workforce.

Learn more about Duo’s new federal editions tailored to align with:

  • FedRAMP/FISMA security controls
  • NIST’s Digital Identity Guidelines (NIST SP 800-63-3)
  • FIPS 140-2 compliance

See more about FedRAMP authorized authentication, providing secure application access for federal agencies and other public sector customers, including role/location-based access policies, biometric authentication, and more.

Network Visibility

In a ZTA, all traffic should be inspected, logged and analyzed to identify and respond to network attacks against the enterprise. But some enterprise network traffic may be difficult to monitor, as it comes from third-party systems or applications that cannot be examined due to encrypted traffic.

In this situation, NIST recommends collecting encrypted traffic metadata and analyzing it to detect malware or attackers on the network. It also references Cisco’s research on machine learning techniques for encrypted traffic (section 5.4, page 22):

“The enterprise can collect metadata about the encrypted traffic and use that to detect possible malware communicating on the network or an active attacker. Machine learning techniques [Anderson] can be used to analyze traffic that cannot be decrypted and examined. Employing this type of machine learning would allow the enterprise to categorize traffic as valid or possibly malicious and subject to remediation.”

Cisco Encrypted Traffic Analytics (ETA) allows you to detect and mitigate network threats in encrypted traffic, gaining deeper insight without decryption. It also allows you to quickly contain infected devices and users while securing your network. Paired with Cisco Stealthwatch, you get real-time monitoring using machine learning and context-aware analysis.

Zero Trust Architecture: Continuous Monitoring

The publication also references having a strong Continuous Diagnostics and Mitigation (CDM) program as “key to the success of ZTA.”

A CDM program maintains a complete inventory of physical and virtual assets. To protect systems, agencies need insight into everything on their infrastructure:

  • What’s connected? The devices, applications and services used; as well as the security posture, vulnerabilities and threats associated.
  • Who’s using the network? The internal and external users, including any (non-person) entities acting autonomously, like service accounts that interact with resources.
  • What is happening on the network? Insight into the traffic patterns, messages and communication between systems.
  • How is data protected? Enterprise policies for how information is protected, both at rest and in transit.

Having visibility into the different areas of connectivity and access provides a baseline to start evaluating and responding to activity on and off the network.

Cisco Zero Trust

Asking the above discovery questions and finding a solution that can accurately and comprehensively answer them can be challenging, as it requires user, device, system and application telemetry that spans your entire IT environment – from the local corporate network to branches to the multi-cloud; encompassing all types of users from employees to vendors to contractors to remote workers, etc.

Get visibility into everything on your infrastructure, and get control over who can access what, on an ongoing basis. Cisco Zero Trust provides a comprehensive approach to securing all access across your applications and environment, from any user, device and location. It protects your workforce, workloads and workplace. 

It comprises a portfolio of three primary products:

  • To protect the workforce, Duo Security ensures that only the right users and secure devices can access applications.
  • To protect workloads, Tetration secures all connections within your apps, across multi-cloud.
  • To protect the workplace, SD-Access secures all user and device connections across your network, including IoT.

This complete zero-trust security model allows you to mitigate, detect and respond to risks across your environment. Verifying trust before granting access across your applications, devices and networks can help protect against identity-based and other access security risks.

Cisco was recently named a leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019. Read the report to learn more about our market leadership in current zero-trust offerings and strategy.

The post An Overview of Zero Trust Architecture, According to NIST appeared first on Cisco Blogs.

3 Google Play Store Apps Exploit Android Zero-Day Used by NSO Group

Watch out! If you have any of the below-mentioned file manager and photography apps installed on your Android phone—even if downloaded from the official Google Play Store—you have been hacked and are being tracked. These newly detected malicious Android apps are Camero, FileCrypt, and callCam, which are believed to be linked to the Sidewinder APT, a sophisticated hacking group specialized in cyber

Wrapping Up 2019 Cyber Range Events

When the Security Innovation team wrapped up October’s Attack in Autumn event we were intrigued to see how our community could impress us even more. With 9 perfect scores, nearly half of participants solving at least 10 challenges, and a variety of other impressive feats during Attack in Autumn, the participants set a high bar. Leave it to people who are willing to hack over the holidays for fun to raise that bar even higher! 

Veracode CEO Sam King Recognized in WomenInc. Magazine’s 2019 Top Influential Corporate Directors

We’re thrilled to announce that Veracode Chief Executive Officer Sam King has been named one of WomenInc. Magazine’s 2019 Most Influential Corporate Directors!

Honoring influencers, achievers, and executives, this announcement recognizes women who are making notable contributions to the world of business and technology. The list compiled by WomenInc. Magazine includes over 700 directors serving on the boards of S&P 1000/Mid-Cap publicly held companies.

To celebrate these accomplished leaders, WomenInc. maintains an exclusive online directory of honorees and publishes their yearly announcement in seasonal editions of the magazine.

King is recognized for her contributions on behalf of Progress Software, the leading provider of application development and digital experience technologies. Since joining the Board of Directors in February 2018, she has contributed to the implementation of Progress’ business strategy as well as its charter to operate as a socially responsible organization.

She is also a well-known expert in cybersecurity and is a founding member of the Veracode team. She helped lead the establishment and evolution of the application security category alongside industry experts and analysts. Veracode is the largest independent application security provider worldwide, valued at $1 billion.

“It is essential that the achievements and success of professional women are showcased in the highest regard and their stories are told in meaningful ways,” said Catrina Young, the Executive Vice President and Chief Communications Officer of WomenInc. “We are proud that we can recognize this distinguished group of women and we are inspired by their accomplishments, their distinguished careers and the corporations that demonstrate an inclusive board composition. We offer our congratulations.”

Encouraging positive dialogue from influential female voices in leadership, WomenInc. Magazine is a media platform dedicated to fostering the ideas, events, social commentary, and stories that inspire professional women.

To see the full list of honorees, visit the directory here or grab a copy of WomenInc.’s winter issue from your local newsstand.

Are You Ready for Microsoft Windows 7 End of Support on 14th January 2020?

January 14, 2020, is a day cybersecurity stakeholders should pay attention to, as it marks the end of Microsoft support in Windows 7. From a security perspective, both the routine monthly security patches as well as hotfixes for attacks in the wild will not be available, effectively making any newly discovered vulnerability a Windows 7 zero-day. Cynet 360 autonomous breach protection is a

Security at DevOps Speed: How Veracode Reduces False Positives

Originally Published on November 27, 2017 -- Updated on January 7, 2020

Application security solutions that slow or stall the development process simply aren’t feasible in a DevOps world. AppSec will increasingly need to fit as seamlessly as possible into developer processes, or it will be under-used or overlooked. But overlooking AppSec puts your organization at high risk of a damaging breach. Our most recent State of Software Security report found that a whopping 83 percent of apps had at least one vulnerability on initial scan. Leaving your code vulnerable leaves your organization open to breach. In the end, you need AppSec, but you also need AppSec that developers will use. Reduction of false positives is a big part of this requirement. False positives are always a key concern because they make developers and security folks spin their wheels, so solutions should minimize them as much as possible.

How Veracode Works to Reduce False Positives

We aim for full automation and high speeds for all of our scans, but that doesn’t mean that we compromise on quality. Unique to our position as a SaaS provider, our security research team regularly samples customer app submissions to manually review flaws. This ensures that we have met our standards for accuracy in terms of both false positives and negatives. By reviewing actual customer apps, we get a much broader and realistic set of cases than would be possible in a QA lab that only tests applications built as internal test cases.

Our review of these applications leads to improvements that are implemented back into our static analysis engine.

The SaaS Advantage

As a native SaaS provider, Veracode has a strategic advantage in improving false-positive rates. To date, we’ve assessed over 13.5 trillion lines of code and performed more than 4 million scans, and with every release, our solution gets smarter. On-premises solutions, on the other hand, require their customers to manually create custom rules to adjust for false positives in their vendor’s software, which can be very time consuming and complicated, or to wait for their on-premises vendor to release a new revision to the scanner, which requires downtime and unplanned work for the security teams. We at Veracode improve our static analysis engine at least monthly, and improvements we have made by observing the behavior of all customer applications are available with minimal disruption to your processes.

The result for our customers is that they get very high quality at high speeds (89 percent of our scans finish in less than an hour), without having to train and maintain a team for customizing scan rules to avoid false positives. This rule customization can be costly and time consuming, and requires a skill set that is hard to come by. In addition, customizations can be challenging to maintain if the person who wrote the code leaves the company. Finally, rule customization can muddy results for attestations – it’s hard to prove to third parties that your apps are secure if anyone can rig the results by manipulating rules.

On the other hand, our false-positive rate is a low 1.1 percent – with zero rule customizing. This 1.1 percent false positive rate across real-world applications is verified and based on feedback from our customers on vulnerabilities they have reviewed. By comparison, our competitors claim a 32 percent false positive rate.

Bottom Line

The Veracode solution has scanned hundreds of thousands of enterprise, mobile and cloud-based apps, and we’ve helped our customers fix more than 48 million flaws. Bottom line? Better analytics, faster improvements, increased accuracy and the ability to create more software, more securely than ever before.

Find out more about the Veracode Application Security solution.

Webcast: Let’s Talk About ELK Baby, Let’s Talk About You and AD

BHIS’ Defensery Driven Duo Delivers Another Delectable Transmission! We know you are worried about your networks. After hours of discussion, we’ve come to the realization that some of our dedicated followers seem to be much more interested in catching malware than learning how to be (please forgive this next statement) “l33t hax0rs.” Download slides: https://www.activecountermeasures.com/presentations/ […]

The post Webcast: Let’s Talk About ELK Baby, Let’s Talk About You and AD appeared first on Black Hills Information Security.

Canyon Bicycles Revealed that Digital Attackers Accessed Its IT Systems

Canyon Bicycles revealed that malicious individuals succeeded in accessing its IT systems as the result of a digital attack. The German bike manufacturer announced in a press release that the digital attack occurred shortly before the turn of the year. For that attack, Canyon Bicycles explained that “a professionally organized group that specialize in attacking […]

The post Canyon Bicycles Revealed that Digital Attackers Accessed Its IT Systems appeared first on The State of Security.

USB Cable Kill Switch for Laptops

BusKill is designed to wipe your laptop (Linux only) if it is snatched from you in a public place:

The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the laptop and triggers a udev script [1, 2, 3] that executes a series of preset operations.

These can be something as simple as activating your screensaver or shutting down your device (forcing the thief to bypass your laptop's authentication mechanism before accessing any data), but the script can also be configured to wipe the device or delete certain folders (to prevent thieves from retrieving any sensitive data or accessing secure business backends).

Clever idea, but I -- and my guess is most people -- would be much more likely to stand up from the table, forgetting that the cable was attached, and yanking it out. My problem with pretty much all systems like this is the likelihood of false alarms.

Slashdot article.

EDITED TO ADD (1/14): There are Bluetooth devices that will automatically encrypt a laptop when the device isn't in proximity. That's a much better interface than a cable.
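
The mechanism described above is a udev rule that runs a program when the cable's USB device disappears. The following is an added example of such a handler, not BusKill's own code: it reacts only to the removal of the one configured device, which is the first defence against the false alarms raised above, and it defaults to a reversible response (a screen lock), so an accidental yank costs a password entry rather than a wiped disk. The vendor/product IDs, the rule file path, the handler path and the `BUSKILL_*` environment variables are constructed assumptions.

```python
"""Added example, not BusKill's own code: a handler meant to be started by a
udev rule when a specific USB device is removed. It only reacts to the one
tethered device and defaults to a reversible response (screen lock). The
vendor/product IDs are constructed placeholders; supply the real ones through
BUSKILL_VENDOR / BUSKILL_PRODUCT (both names are assumptions of this example)."""
import os
import subprocess

# Placeholder IDs of the tethered device (constructed; find yours with `lsusb`).
EXPECTED_VENDOR = os.environ.get("BUSKILL_VENDOR", "1234")
EXPECTED_PRODUCT = os.environ.get("BUSKILL_PRODUCT", "abcd")

# Matching udev rule (constructed example, written as one line in e.g.
# /etc/udev/rules.d/99-buskill.rules), assuming this file is installed
# executable as /usr/local/bin/buskill-handler.py:
#   ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1234",
#   ENV{ID_MODEL_ID}=="abcd", RUN+="/usr/local/bin/buskill-handler.py"

# Responses in increasing severity; wiping is deliberately not offered here.
RESPONSES = {
    "lock": ["loginctl", "lock-sessions"],  # reversible: a false alarm costs one password entry
    "poweroff": ["systemctl", "poweroff"],  # forces authentication at next boot
}


def should_trigger(env, vendor=EXPECTED_VENDOR, product=EXPECTED_PRODUCT):
    """True only for the removal of the configured device. udev exports the
    device's properties to RUN programs as environment variables, so any other
    USB churn (a mouse, a phone) is ignored instead of locking the screen."""
    return (
        env.get("ACTION") == "remove"
        and env.get("ID_VENDOR_ID", "").lower() == vendor.lower()
        and env.get("ID_MODEL_ID", "").lower() == product.lower()
    )


def response_command(mode):
    """Look up the command for a response mode, rejecting unknown modes."""
    if mode not in RESPONSES:
        raise ValueError(f"unknown BUSKILL_MODE {mode!r}")
    return list(RESPONSES[mode])


def run_handler(env, dry_run=False):
    """Return 0 when the response ran (or would have run), 1 when the event
    did not match and was ignored."""
    if not should_trigger(env):
        return 1
    cmd = response_command(env.get("BUSKILL_MODE", "lock"))
    if dry_run:
        print("would run:", " ".join(cmd))
        return 0
    subprocess.run(cmd, check=False)
    return 0


if __name__ == "__main__":
    # udev provides ACTION and the ID_* properties in the environment.
    raise SystemExit(run_handler(dict(os.environ), dry_run=os.environ.get("BUSKILL_DRYRUN") == "1"))
```

Two practical caveats apply to any handler of this kind: udev runs `RUN+=` programs as root and expects them to finish quickly, so the action should be a short command such as `loginctl lock-sessions` rather than a long-running script, and the rule should match the specific device IDs (as above) rather than `SUBSYSTEM=="usb"` alone, or every unplugged peripheral becomes a false alarm.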

Cybercrime is moving towards smartphones – this is what you could do to protect your company

By 2021, cybercrimes will cost companies USD 6 trillion, according to a study.

The number of internet users has grown from an estimated 2 billion in 2015 to 4.4 billion in 2019, but so have cybercrimes, which are expected to cost companies USD 6 trillion worldwide, according to a study by Cybersecurity Ventures.

Similarly, the number of smartphone users has grown from 2.5 billion in 2016 to 3.2 billion in 2019 and is forecasted to grow to 3.8 billion by 2021. Smartphones and the internet will make further inroads to our economic system. But there are certain risks involved as well.

Mobile phones are becoming targets of cybercriminals because of their widespread use and increasing computing power. Consider the fact that more than 60% of online fraud occurs through mobile phones. This threat is not just towards individual users but businesses as well. It does not matter how large the company is either. 43% of the cyberattacks in 2019 were aimed at smaller businesses because they do not have adequate protection.

Given how vulnerable smartphones are and that the threat from cyber attacks is only expected to increase, here are some measures you can take to protect your business from cybercriminals:

Rethink BYOD:

Bring Your Own Device (BYOD) offers several benefits to both the organization and employees. Such a policy allows employees at a company to use their mobile phones, tablets, or laptops for work, saving companies the hassle of purchasing devices.

However, you need to rethink whether you are saving more than you are losing. Employees have confidential company information on their devices. Such a door into your organization can cost you heavily. Set aside the funds to obtain company devices for use by employees at the office. Consider such an investment as part of your cybersecurity strategy.


Cybersecurity assessments:

The cybersecurity threat landscape is ever-evolving due to the fast nature of innovation. Develop a comprehensive cybersecurity program that includes a regular assessment of your company’s security needs. Identify the strengths of your IT infrastructure against potential attacks, and do not let advances in technology or techniques take that away from you. Similarly, you should identify the vulnerabilities in your systems. Make sure any gaps in your defenses are appropriately plugged. A threat assessment should be an integral component of any cybersecurity policy.

Retrain staff:

Make sure that employees at your organization are informed and up to date on the latest in cyber threats. This way they can protect themselves and the company from cybercriminals. Even a single mistake by one employee can end up creating a door for individuals or groups wishing your company harm. All employees must be trained as a matter of policy. This way, they can identify phishing attacks and manage social engineering scams. Another factor your employees must be mindful of is resource monitoring. Suspicious resource use on company devices, whether it is excess internet or battery usage, should raise alarm bells. However, employees may not look into such things in detail because they do not own the devices. Train your staff to keep track of resource use too.


Employee monitoring:

Most organizations have some form of employee monitoring policy and track their workers. If you haven’t done so already, develop such a policy, and keep your employees informed to ensure transparency. If you have decided to use company devices, you can opt to install monitoring apps on them. There are several modern monitoring apps currently available, such as XNSPY. The app can keep track of online activities, generate a list of call logs, and remotely control the device. Furthermore, you can track the location of the device in real time, and use features such as geofencing and GPS history. There are other powerful features too, such as ambient recording, multimedia access, and online activity tracking. You can also wipe all data from a device in case of theft. Monitoring apps such as XNSPY should be a part of your strategy against cybercriminals.


Don’t forget physical infrastructure:

Cybersecurity may involve software updates and training policies, but making sure your physical infrastructure is safe is just as important. Re-evaluate how exposed your digital infrastructure is to physical access. Furthermore, go through the profiles of suppliers and vendors to vet them properly. A small door in any piece of equipment can let cybercriminals through and bypass your entire cybersecurity foundation. Be aware of this threat and make sure that suppliers follow the relevant regulations.

Develop a threat monitoring policy:

Anticipating an attack and stopping it is an important part of a comprehensive cybersecurity policy. Make sure that you are monitoring your digital infrastructure round the clock.

Invest in threat monitoring software and a team of professionals that can identify, track, and stop an attack.

The concept of designing a cybersecurity system as a fortification is changing to an adaptable system that can accommodate evolving security threats. Furthermore, a monitoring policy also needs to have a clear response plan.

Such a plan details what needs to happen and when in case of an attack. This ensures that there is a speedy response by your company against any threat.


Smartphones have become powerful enough that they can be considered computers in their own right. While this has created scores of opportunities, there are also clear threats posed by cybercrime. These threats are only going to increase as internet and smartphone use increase. While protecting your business against cybercriminals requires a considerable investment of time and money, it will pay off in the long run.


Clark Thomas is an expert in VOIP. He helps small and medium-sized businesses implement and adopt the best security methods for their organization and network. He advises on, and assists people with, boosting the security measures for their website and business.

The post Cybercrime is moving towards smartphones – this is what you could do to protect your company appeared first on CyberDB.

What is Active Directory? (Cyber Security 101 for the Entire World)


Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.

Cyber Security 101

Perhaps a good topic to kick off the year is to ask and answer a simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure. While it's true that at its simplest it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory, to the point of sheer irresponsible cyber negligence, because "Who really cares about just a phone book?"

In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly the negligence resulting from such a simplistic view of Active Directory is likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

Again, after all, who cares about a phone book?!

Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple trillion-dollar picture -

An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.

In other words, should an organization's foundational Active Directory, or even a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the risk of complete, swift and colossal compromise.

Active Directory Security Must Be Organizational Cyber Security Priority #1

Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.

Here's why - A deeper, detailed look into What is Active Directory?

For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational cyber security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc., ultimately relies and depends on Active Directory (and its security).

In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.
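As an added example that is not part of the original post, the PowerShell below turns the point about privileged accounts into a check: it enumerates every account with effective (nested) membership in the built-in privileged groups and flags the hygiene problems that make a single such account the whole organization's weak point. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host with read access to the directory; the group names are the defaults and are an assumption to adjust for your domain.

```powershell
# Added example, not the post's own code. Assumes the RSAT ActiveDirectory
# module and a domain-joined host with read access to the domain.
Import-Module ActiveDirectory

# Groups whose members can effectively take over the domain. Default names are
# an assumption; adjust for your environment.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

$report = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups, so indirect members are counted too.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        # Enterprise/Schema Admins only exist in the forest root domain.
        Write-Warning "Group '$group' not found or not readable: $_"
        continue
    }
    foreach ($m in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties `
            PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled, ServicePrincipalName
        [pscustomobject]@{
            Group                = $group
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordAgeDays      = if ($u.PasswordLastSet) {
                                       [int]((Get-Date) - $u.PasswordLastSet).TotalDays
                                   } else { $null }
            LastLogonDate        = $u.LastLogonDate
            # A privileged account with an SPN can be Kerberoasted offline.
            HasSPN               = ($u.ServicePrincipalName.Count -gt 0)
        }
    }
}

# Findings worth acting on: never-expiring or stale privileged passwords, and
# privileged accounts that also run services.
$report |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordAgeDays -gt 365 -or $_.HasSPN } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize

# Accounts that left a protected group still carry adminCount=1 and the
# AdminSDHolder ACL, and are easy to overlook; list them separately.
$currentPrivileged = $report.SamAccountName | Sort-Object -Unique
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $currentPrivileged -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName
```

Run it from an administrative workstation rather than a domain controller, and treat any account it lists as one whose compromise means what the post describes: the whole directory, not just one mailbox.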

Best wishes,

Google Play App Recent Android Exploits Zero-Day

Malicious apps distributed through the Google Play store exploited a recently patched Android zero-day that affects multiple devices, including Google's own Pixel phones.

Tracked as CVE-2019-2215, the bug was disclosed as a zero-day in October by Google Project Zero security researcher Maddie Stone. It is a use-after-free in the Android Binder kernel driver that a local app can exploit to gain root.

The bug was first fixed in December 2017 in the 4.14 Linux kernel and in the Android Open Source Project (AOSP) 3.18, 4.4 and 4.9 kernels, but the fix never reached many shipping devices. Two years later, the Pixel 1 and Pixel 2, Huawei P20, Xiaomi Redmi 5A, Redmi Note 5 and A1, Oppo A3, Motorola Moto Z3, LG phones running Android 8 Oreo, and Samsung Galaxy S7, S8 and S9 were still affected.

Google included patches for the flaw in its October 2019 set of Android fixes, and a proof-of-concept was released a few weeks later.

When Stone first disclosed the flaw, she said she had received information that an exploit for it existed and was being used by NSO Group, the Israeli spyware company known for the Pegasus spyware.

She disclosed in a November blog post outlining the discovery that the "details contained marketing materials for this exploit," and that the exploit was reportedly "used to update a beta of Pegasus." "[W]e suspect attackers could use this flaw to target wild users. Given the information on the facilities NSO Group offers in various public records, it is more probable that this bug has been clustered with either an attack client renderer or other remote capability," she added.

Trend Micro now reports that three malicious apps, available on Google Play since March 2019, work together to compromise phones and collect user data, and that one of them exploits CVE-2019-2215. Disguised as photography and file-manager tools, the apps appear to be linked to the threat group SideWinder.

Two of the apps, Camero and FileCrypt Manager, act as droppers: they download an additional DEX file from the command-and-control (C&C) server, and that code then installs and launches a payload app called callCam.

Camero fetches a device-specific exploit from the C&C server (the researchers retrieved five exploits from it), covering the Pixel 2, Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881) and Redmi 6A. It uses either CVE-2019-2215 or the MediaTek-SU root exploit to gain root before installing callCam.

FileCrypt Manager instead asks the user to grant it the accessibility permission and then shows a full-screen window claiming that additional configuration steps are needed. The window is a cover for the malicious activity: with accessibility access, the app installs callCam and grants it the permissions it needs.

The payload collects location, battery level, system settings, the list of installed apps, device, sensor and camera information, account details, Wi-Fi information and screenshots, and harvests data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail and Chrome. All of this data is encrypted and sent to the C&C server.

Based on the C&C infrastructure used, Trend Micro links the apps to SideWinder, an attack group active since 2012 and known for targeting military entities. One of the C&C servers also hosted a URL pointing to the Google Play page of one of the apps.

The post Google Play App Recent Android Exploits Zero-Day appeared first on .