Monthly Archives: May 2020

When SOCs never stop: How to fill the intelligence gaps in security

Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector and that demand continues to outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap. All these roles will require the right skills and the right data. Alongside filling … More

The post When SOCs never stop: How to fill the intelligence gaps in security appeared first on Help Net Security.

The challenge of updating locally cached credentials

As organizations work to ensure remote workforce productivity, the issue of cached credentials will inevitably appear, causing a problem for the impacted user, and the IT service desk. It’s no secret that some material portion of nearly every workforce is functioning remotely. You’ve spent the last few months scurrying to establish remote connectivity, cloud-based productivity, and some form of encompassing security – all to allow your remote employees to get their job done while meeting … More

The post The challenge of updating locally cached credentials appeared first on Help Net Security.

Agile security helps software teams deliver quicker and better software

Agile adoption improves key capabilities needed to respond to current business challenges, especially those resulting from the pandemic, according to Digital.ai. With 60 percent of survey respondents saying Agile has helped increase speed to market, 41 percent agreeing they are better able to manage distributed teams, and 58 percent saying they have improved team productivity, it is clear these practices are invaluable during these challenging times. “Our all-in move to the cloud in recent years … More

The post Agile security helps software teams deliver quicker and better software appeared first on Help Net Security.

Factors driving API growth in industry

This is the third in a series of articles that introduces and explains application programming interface (API) security threats, challenges, and solutions for participants in software development, operations, and protection. Explosion of APIs The API explosion is also driven by several business-oriented factors. First, enterprises are moving away from large monolithic applications that are updated annually at best. Instead, legacy and new applications are being broken into small, independently functional components, often rolled out as container-based … More

The post Factors driving API growth in industry appeared first on Help Net Security.

The Cybersecurity Implications of 5G Technology

The coming of widespread 5G technology promises more than just faster everything, enhanced capacity and greater reliability. Leading proponents of the wonders of 5G, such as the theoretical physicist and author Michio Kaku, paint a picture of a true technological “paradigm shift, a game-changer.” The self-described futurist invites us to imagine a lightning-fast global communications […]… Read More

The post The Cybersecurity Implications of 5G Technology appeared first on The State of Security.

41% of organizations have not taken any steps to expand secure access for the remote workforce

Currently, organizations are struggling to adjust to the new normal amidst the COVID-19 pandemic, a Bitglass survey reveals. 41% have not taken any steps to expand secure access for the remote workforce, and 50% are citing proper equipment as the biggest impediment to doing so. Consequently, 65% of organizations now enable personal devices to access managed applications. Remote work and secure access concerns When asked what their organizations are primarily concerned with securing while employees … More

The post 41% of organizations have not taken any steps to expand secure access for the remote workforce appeared first on Help Net Security.

A math formula could help 5G networks efficiently share communications frequencies

Researchers at the National Institute of Standards and Technology (NIST) have developed a mathematical formula that, computer simulations suggest, could help 5G and other wireless networks select and share communications frequencies about 5,000 times more efficiently than trial-and-error methods. (Image caption: NIST engineer Jason Coder makes mathematical calculations for a machine learning formula that may help 5G and other wireless networks select and share communications frequencies efficiently.) The novel formula is a form of machine learning that … More

The post A math formula could help 5G networks efficiently share communications frequencies appeared first on Help Net Security.

Tripwire Patch Priority Index for May 2020

Tripwire’s May 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, SaltStack, and VMware. Up first on the patch priority list this month are patches for VMware vCenter Server and SaltStack Salt. The Metasploit exploit framework has recently integrated exploits for VMware vCenter Server (CVE-2020-3952) and SaltStack Salt (CVE-2020-11652, CVE-2020-11651). Administrators with […]… Read More

The post Tripwire Patch Priority Index for May 2020 appeared first on The State of Security.

Blackpoint Cyber launches 365 Defense, a Microsoft 365 security add-on for its MDR service

Blackpoint Cyber released 365 Defense – a Microsoft 365 security add-on for its true Managed Detection and Response (MDR) service. With 365 Defense, Blackpoint adds 24/7 monitoring, threat detection, and security policy enforcement for Microsoft 365 environments. The add-on is available to existing and new clients and provides an additional offering for Blackpoint partners, including Managed Service Providers (MSPs). There’s been an alarming increase in Microsoft 365 account takeover (ATO) attacks according to a report … More

The post Blackpoint Cyber launches 365 Defense, a Microsoft 365 security add-on for its MDR service appeared first on Help Net Security.

Thierry Delaporte joins Wipro as Chief Executive Officer and Managing Director

Wipro announced the appointment of Thierry Delaporte as the Chief Executive Officer and Managing Director of the company, effective July 6, 2020. Until recently, Thierry Delaporte was the Chief Operating Officer of Capgemini Group and a member of its Group Executive Board. During his twenty-five-year career with Capgemini, he held several leadership roles including that of Chief Executive Officer of the Global Financial Services Strategic Business Unit, and head of all global service lines. … More

The post Thierry Delaporte joins Wipro as Chief Executive Officer and Managing Director appeared first on Help Net Security.

Anonymous demands justice for George Floyd and threatens attacks

The hacktivist collective group Anonymous demands justice for George Floyd and threatens to ‘expose the many crimes’ of Minneapolis Police.

Anonymous demands justice for George Floyd and threatens to ‘expose the many crimes’ of Minneapolis Police. George Floyd was killed by a white police officer who knelt on his neck for more than eight minutes.

While widespread civil unrest escalated in the US and protests against police brutality spread through the major cities, Anonymous released a video threatening the Minneapolis Police Department (MPD) that it will “expose your many crimes to the world.”

The video was shared on May 28 through a Facebook page affiliated with the group. Its electronic voice accuses MPD of having “a horrific track record of violence and corruption,” claiming that the killing of George Floyd was “merely the tip of the iceberg.”

“Officers who kill people and commit other crimes need to be held accountable just like the rest of us. Otherwise, they will believe that they have a license to do whatever they want.” the Anonymous narrator says.

“People have had enough of this corruption and violence from an organization that promises to keep them safe. After the events of the past few years, many people are beginning to learn that you are not here to save us but rather you are here to oppress us and carry out the will of the criminal ruling class.”

“You are here to keep order for the people in control, not to provide safety for the people who are controlled. In fact, you are the very mechanism that elites use to continue their global system of oppression.”

“These officers must face criminal charges and officer Chauvin especially should face murder charges. Unfortunately, we do not trust your corrupt organization to carry out justice so will be exposing your many crimes to the world. We are legion. Expect us.”

“Sadly, in the vast majority of police killings, the only one left alive to tell the story is the officer who took the person’s life,” the Anonymous narrator continues. “This travesty has gone on for far too long… and now the people have had enough.”

The collective has launched its offensive against the authorities: the MPD’s website was taken offline late on Saturday, and today alleged members of the group (@PowerfulArmyGR, @namatikure) announced on Pastebin that the site had been hacked and leaked a database of emails and passwords.

“The Minneapolis official website was been hacked and database with emails and passwords leaked.” reads the post published on PasteBin.

Anonymous has yet to claim responsibility for taking down the website.

In the last hours other operations have been attributed to Anonymous, including the hack of Chicago police radios,

Pierluigi Paganini

(SecurityAffairs – George Floyd, Anonymous)

The post Anonymous demands justice for George Floyd and threatens attacks appeared first on Security Affairs.

ENISA published “Proactive detection – Measures and information sources” report

The EU Agency for Cybersecurity ENISA has published a new report on the proactive detection of incidents, including measures and information sources.

The EU Agency for Cybersecurity ENISA has published a new report and accompanying repository on measures and information sources that could help security experts and operators of IT and critical infrastructure to proactively detect network security incidents in the EU.

The document aims to evaluate methods, tools, activities and information sources for the proactive detection of network security incidents.

The proactive detection process aims to discover malicious activity conducted by threat actors through internal monitoring tools or external sources that share information about detected incidents.

“The current project aims to provide a complete inventory of all available methods, tools, activities and information sources for proactive detection of network security incidents, which are used already or potentially could be used by incident response teams in Europe nowadays.” reads the report. “The current report evaluates available methods, tools, activities and information sources for proactive detection of network incidents.”

ENISA proactive detection security incidents

The EU agency launched this project to improve the detection of network security incidents in the EU, by:

  • Providing an inventory of available measures and information sources;
  • Identifying good practices;
  • Recommending possible areas for development.

This report identifies and analyzes how proactive detection in the EU has evolved between 2011 and 2019. Among the goals of the project is the exploration of new areas that could help improve operational cooperation and information sharing.

The deliverables of the project are three reports and a living repository hosted on GitHub.

“The objective is to offer a point of reference for new or well-established teams who need to identify or reassess appropriate measures for proactive detection of incidents.” continues the post published by ENISA.

1- Report – Survey results

  • Survey among incident response teams in Europe;
  • Comparison with the 2011 survey.

2- Report – Measures and information sources

  • Inventory of available methods, tools, activities and information sources;
  • Evaluation of identified measures and information sources.

3- Report – Good practices gap analysis recommendations

  • Analysis of the data gathered;
  • Recommendations.

4- Online repository – GitHub

  • Information sources;
  • Measures and tools.

Enjoy the report!

Pierluigi Paganini

(SecurityAffairs – ENISA, cybersecurity)

The post ENISA published “Proactive detection – Measures and information sources” report appeared first on Security Affairs.

Coronavirus-themed attacks May 24 – May 30, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 24 to May 30, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below a list of attacks detected this week.

May 26 – Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

May 27 – Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

May 29 – Himera and AbSent-Loader Leverage Covid19 lures

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

May 30 – A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, Coronavirus themed campaigns)

The post Coronavirus-themed attacks May 24 – May 30, 2020 appeared first on Security Affairs.

Security Affairs newsletter Round 266

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Experts observed a spike in COVID-19 related malspam emails containing GuLoader
Silent Night Zeus botnet available for sale in underground forums
The Florida Unemployment System suffered a data breach
Voter information for 2 million Indonesians leaked online
25 million Mathway user records available for sale on the dark web
Online education site EduCBA discloses data breach and reset customers pwds
Personal details and documents for millions of Indians available in the deep web
Unc0ver is the first jailbreak that works on all recent iOS versions since 2014
3 hacking forums have been hacked and databases have been leaked online
Cisco fixed a critical issue in the Unified Contact Center Express
Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid
Maze ransomware operators leak credit card data from Costa Rica’s BCR bank
Ragnar Ransomware encrypts files from virtual machines to evade detection
Bugs in open-source libraries impact 70% of modern software
Hangzhou could permanently adopt COVID-19 contact-tracing app
New Turla ComRAT backdoor uses Gmail for Command and Control
StrandHogg 2.0 Android flaw affects over 1 Billion devices
Boris Johnson to reduce Huawei’s role in national 5G network
Fuckunicorn ransomware targets Italy in COVID-19 lures
Grandoreiro Malware implements new features in Q2 2020
Microsoft warns about ongoing PonyFinal ransomware attacks
Real estate app leaking thousands of user records and sensitive private messages
Researchers dismantled ShuangQiang gang’s botnet that infected thousands of PCs
The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced
Google TAG report Q1 details about nation-state hacking and disinformation
Israel’s national cyber chief warns of rising of cyber-warfare
Ke3chang hacking group adds new Ketrum malware to its arsenal
NSA warns Russia-linked APT group is exploiting Exim flaw since 2019
Security breach impacted Cisco VIRL-PE infrastructure
Valak a sophisticated malware that completely changed in 6 months
An archive with 20 Million Taiwanese citizens leaked in the dark web
Himera and AbSent-Loader Leverage Covid19 lures
ICT solutions provider NTT Com discloses security breach
Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub
Steganography in targeted attacks on industrial enterprises in Japan and Europe
A new COVID-19-themed campaign targets Italian users
A New York man was charged with stealing credit card data via SQL Injection attacks
API Security and Hackers: What’s the Need?
NetWalker ransomware gang threatens to release Michigan State University files

Pierluigi Paganini

(SecurityAffairs – newsletter, hacking)

The post Security Affairs newsletter Round 266 appeared first on Security Affairs.

Over 100K+ WordPress sites using PageLayer plugin exposed to hack

Two security flaws in the PageLayer WordPress plugin can be exploited to potentially wipe the contents or take over WordPress sites.

Security experts from WordFence discovered two high severity security vulnerabilities in the PageLayer WordPress plugin that could potentially allow attackers to wipe the contents or take over WordPress sites using vulnerable plugin versions.

PageLayer is a WordPress page builder plugin, it is very easy to use and actually has over 200,000 active installations according to numbers available on its WordPress plugins repository entry.

The vulnerabilities were reported to PageLayer’s developer by the Wordfence Threat Intelligence team on April 30 and were patched with the release of version 1.1.2 on May 6.

One vulnerability could allow an authenticated user with subscriber-level and above permissions to update and modify posts.

“One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things,” reads the post published by Wordfence.

The second vulnerability could allow attackers to forge a request on behalf of a site’s administrator to change the plugin settings, allowing them to inject malicious JavaScript.

Both vulnerabilities are the result of unprotected AJAX actions, nonce disclosure, and a lack of Cross-Site Request Forgery (CSRF) protection. An attacker could exploit the vulnerabilities to inject malicious JavaScript code, alter the pages of the site, create rogue admin accounts, redirect site visitors to malicious sites, and exploit a site’s user’s browser to compromise their computer.

WordFence experts reported the issue to PageLayer’s developers on April 30 and both were addressed with the release of version 1.1.2 on May 6.

Developers implemented permission checks on all of the sensitive functions that could allow changes to the site and reconfigured the plugin to create separate nonces for the public and administrative areas of a WordPress site.

At the time of writing, more than a hundred thousand WordPress sites still use vulnerable versions of the PageLayer plugin.

When it comes to WordPress attacks involving the exploitation of vulnerabilities, malicious actors usually target unpatched plugins; for this reason, it is essential to keep them up to date.

I believe it is very important to protect WordPress installs with dedicated solutions; I’m currently using the WordFence solution, and the company provided me with a license to evaluate the premium features.

Pierluigi Paganini

(SecurityAffairs – PageLayer, hacking)

The post Over 100K+ WordPress sites using PageLayer plugin exposed to hack appeared first on Security Affairs.

Week in review: Windows RDP backdoor, GDPR enforcement, application threats and security trends

Here’s an overview of some of last week’s most interesting news and articles: How do I select a backup solution for my business? In order to select an appropriate backup solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic. StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft Google has released a patch for CVE-2020-0096, a critical … More

The post Week in review: Windows RDP backdoor, GDPR enforcement, application threats and security trends appeared first on Help Net Security.

A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign that is targeting the users of the Italian National Institute for Social Security (INPS). Like a previous campaign observed in early April, threat actors set up a fake INPS site (“inps-it[.]top”) to trick victims into downloading a malicious app.

“A new Phishing campaign against INPS users, similar to the previous one of April 6, 2020, has been detected in the past few hours by our research and analysis center for Phishing campaigns.” reads the post published by D3Lab.

“The fraudulent activity is carried out through a web domain created Ad Hoc with similarities, in the name, to the official one of the national social security institution with the intent to download malware to users interested in receiving the Covid-19 allowance allocated from the Italian state.”

COVID-19 campaign INPS

D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will give to some Italian citizens with specific requirements.

The citizens have to request the Covid-19 indemnity from the government through the INPS portal; for this reason, threat actors set up a fake INPS site asking people to download a phantom “application for the new COVID-19 indemnity” which actually returns a malicious APK for Android devices.

The malicious APK, named “acrobatreader.apk,” is a Trojan-Banker malware that is able to monitor the actions performed by the user.

The malware asks users to enable the accessibility service in order to take advantage of the legitimate functions of this service and achieve wider access to the system APIs to communicate with other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to C2 through the following url “http://greedyduck[.]top/gate[.]php” passing two parameters:

  • “Action”: with botcheck or injcheck values;
  • “Data”: information collected and passed in encrypted form (RC4).”

The CERT-AGID published the Indicators of Compromise (IoCs) here.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post A new COVID-19-themed campaign targets Italian users appeared first on Security Affairs.

Former IT Administrator Sentenced in Insider Threat Case

Charles E. Taylor Caused $800,000 in Damages to His Former Company
A former IT administrator for an Atlanta-based building products distribution company has been sentenced to 18 months in federal prison after he sabotaged the firm by changing router passwords and damaging a critical command server. Overall, Charles E. Taylor caused more than $800,000 in damages.

Critical ‘Sign in with Apple’ Bug Could Have Let Attackers Hijack Anyone’s Account

Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its 'Sign in with Apple' system. The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users' accounts on third-party services and apps that have been registered using 'Sign in with Apple'.

NetWalker ransomware gang threatens to release Michigan State University files

Michigan State University is the latest victim of the NetWalker ransomware; attackers threaten to leak stolen files if it does not pay the ransom in seven days.

Michigan State University was hit by the NetWalker ransomware gang; its operators are threatening to leak stolen files if the university does not pay the ransom in seven days.

At the time of writing the ransom demand to decrypt their files was not disclosed.

Even if MSU restores from backups, the NetWalker ransomware gang will leak the stolen documents on its dark web leak site.

As proof of the attack, NetWalker ransomware operators have shared five images on the leak site.

“These include two images showing a directory structure allegedly from the university’s network, a passport scan for a student, and two scans of Michigan State financial documents.” reported ZDNet.

Source ZDNet

The NetWalker group is very active in this period; the list of the gang’s victims includes the shipping giant Toll. Researchers also identified a new Coronavirus phishing campaign that aims at delivering the NetWalker ransomware using COVID-19 lures.

The university did not reveal the extent of the attack. Students and employees are still working from home due to the COVID-19 outbreak; in any case, the incident may not impact e-learning activity.

NetWalker isn’t the only ransomware gang threatening to publish victims’ data to force them to pay the ransom; other gangs are DoppelPaymer, Maze, Nefilim, Nemty, RagnarLocker, and REvil.

Pierluigi Paganini

(SecurityAffairs – Michigan State University, hacking)

The post NetWalker ransomware gang threatens to release Michigan State University files appeared first on Security Affairs.

API Security and Hackers: What’s the Need?

API Security – There is considerable demand for data-centric projects, which is why companies have quickly opened their data to their ecosystem through REST or SOAP APIs.

APIs work as doors for a company, closely guarding an organization’s data. However, this creates a challenge: how do we hold the doors open to the world while simultaneously sealing them off from hackers?

Here are some simple tips for API security; let’s have a look!

Authentication

Don’t communicate with strangers. To make your service harder to attack, always know who is calling your APIs, by using simple access authentication (user/password) or an API key (asymmetric key).

Encryption 

Just be cryptic. For internal or external correspondence nothing should be in the open.

You and your partners can encrypt all transfers with TLS (the successor to SSL), either one-way TLS (standard TLS) or, even better, mutual TLS (two-way TLS).

Use the newest versions of TLS and block the use of weaker cipher suites.

Monitoring: Audit, Log, and Version 

In case of an error, you need to be ready to troubleshoot: audit and log relevant information on the server, and keep that history as long as is reasonable in terms of capacity for your production servers. In case of any incident, your logs become debugging tools. Follow-up dashboards are also highly recommended for monitoring your API use.

Do not forget to version all APIs, ideally in the API’s address (its URL path), so that several versions can run concurrently and one version can be deprecated and removed in favour of another.

Call Security Experts

It is better to use ICAP (Internet Content Adaptation Protocol) servers or excellent Antivirus systems to protect the data of your company. 

Share as Little as Possible 

For API security, it’s okay to be paranoid and reveal very little information, particularly in error messages. Limit content and email subjects to predefined, non-customizable messages. Since IP addresses can be mapped to locations, keep them to yourself. To limit access to your accounts, use IP whitelists and IP blacklists where possible. You can also check your own IP address by simply searching “what is my IP”. Limit the number of administrators, divide access into distinct roles, and hide sensitive information in all your interfaces.

OAuth & OpenID Connect 

Delegate all responsibilities. A good manager takes accountability, and a fantastic API does so too. The authorization and/or authentication of your APIs should be delegated.

OAuth is a magical mechanism which prevents you from having to remember 10,000 passwords. Instead of creating an account on a website, you can connect via credentials from another provider, such as Facebook or Google. This works the same way for APIs: the API provider depends on a third-party server to handle permissions. The user does not supply their credentials to the API; instead, the third-party server issues a token. This protects the user because they don’t reveal their passwords, and the provider of the API doesn’t need to worry about protecting authorization data, because it only collects tokens.

OAuth is a delegation protocol widely used to forward authorizations. You can add an identity layer on top of it to protect your APIs even further and add authentication: this is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.

System Protection with Throttling and Quotas 

Keep control. To protect your backend network bandwidth according to the capacity of your servers, you can restrict access to your service to a limited number of messages per second.

You can also limit access per API and per user (or application) to make sure that no one in particular can abuse the program or any API.

Throttling thresholds and quotas – if well defined – are essential to prevent attacks from different sources overwhelming the network with numerous requests (DDoS, Distributed Denial of Service).
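The combination the three paragraphs above describe (a per-second throttle plus a per-client quota) as an added example; this is not code from the article. `ApiLimiter`, `handle_request` and the constructed client ids are hypothetical names chosen for the example, and the clock is injectable so the behaviour is deterministic.

```python
import math
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float   # tokens currently available to this client
    last: float     # timestamp of the last refill


class ApiLimiter:
    """Per-client throttling (token bucket) plus a fixed-window quota.

    Hypothetical helper written for this example. The token bucket bounds the
    sustained rate and the burst size; the quota bounds the total number of
    calls per window regardless of how evenly they are paced.
    """

    def __init__(self, rate_per_sec=5.0, burst=10, quota=1000,
                 quota_window=3600, clock=time.monotonic):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.quota = quota
        self.window = quota_window
        self.clock = clock            # injectable clock (seconds)
        self._buckets = {}            # client_id -> _Bucket
        self._used = {}               # (client_id, window_index) -> calls made

    def check(self, client_id, now=None):
        """Return (allowed, reason, retry_after_seconds) for one request."""
        now = self.clock() if now is None else now
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = self._buckets[client_id] = _Bucket(self.burst, now)
        # Refill in proportion to elapsed time, never above the burst capacity.
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now

        window_index = int(now // self.window)
        window_key = (client_id, window_index)
        used = self._used.get(window_key, 0)
        if used >= self.quota:
            # Quota is checked first: once it is spent, pacing no longer matters.
            window_end = (window_index + 1) * self.window
            return False, "quota_exceeded", math.ceil(window_end - now)
        if bucket.tokens < 1.0:
            return False, "rate_limited", math.ceil((1.0 - bucket.tokens) / self.rate)
        bucket.tokens -= 1.0
        self._used[window_key] = used + 1
        return True, "ok", 0


def handle_request(limiter, client_id, now=None):
    """Map the limiter decision to an HTTP-style response (status, headers)."""
    allowed, reason, retry_after = limiter.check(client_id, now)
    if allowed:
        return 200, {}
    # 429 with Retry-After tells well-behaved clients when to come back while
    # revealing nothing beyond "slow down" to an abusive one.
    return 429, {"Retry-After": str(retry_after), "X-Reason": reason}


if __name__ == "__main__":
    lim = ApiLimiter(rate_per_sec=5, burst=10, quota=12, quota_window=3600)
    for i in range(13):                      # 10 pass, then the throttle kicks in
        print(i, handle_request(lim, "key-abc", now=0.0))
```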

OWASP top 10

Avoid wasps. The OWASP (Open Web Application Security Project) Top 10 is a list of the ten worst vulnerabilities, ranked by their exploitability and impact. In addition to the above, make sure that you have checked your program against all of the OWASP vulnerabilities.

Data Validation 

Be picky and refuse surprise presents, especially when they’re massive. You should verify that your server is not accepting just anything. Be vigilant: reject any added content and data that is too large, and also test the information that customers give you. Use XML or JSON schema validation to verify that your constraints are what they should be (integer, string …) to avoid all kinds of XML bombs and SQL injection.
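An added example of the strict validation this section recommends, for a JSON body: a size cap before parsing, a nesting-depth cap, an explicit schema with types and bounds, rejection of unknown fields, and a bound parameter for the database lookup so the validated value never becomes SQL text. This is not the article’s code; the "create order" endpoint, its `SCHEMA`, and the in-memory `customers` table are constructed for the example.

```python
import json
import re
import sqlite3

MAX_BODY_BYTES = 2048      # reject oversized bodies before parsing them at all
MAX_NESTING = 3            # reject deeply nested documents (parser exhaustion)
SKU_RE = re.compile(r"^[A-Z0-9-]{1,32}$")

# Constructed schema for a hypothetical "create order" endpoint: every field
# has an explicit type and bound, and nothing outside the schema is accepted.
SCHEMA = {
    "customer_id": {"type": int, "min": 1, "max": 2**31 - 1},
    "sku": {"type": str, "regex": SKU_RE},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note": {"type": str, "max_len": 200, "required": False},
}


class ValidationError(ValueError):
    pass


def _depth(value, level=1):
    """Nesting depth of a parsed JSON value (scalars count as one level)."""
    if isinstance(value, dict):
        return max([_depth(v, level + 1) for v in value.values()] or [level])
    if isinstance(value, list):
        return max([_depth(v, level + 1) for v in value] or [level])
    return level


def validate_body(raw: bytes) -> dict:
    """Parse and validate a request body against SCHEMA; raise on anything unexpected."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError):
        raise ValidationError("malformed JSON")
    if not isinstance(doc, dict):
        raise ValidationError("top-level value must be an object")
    if _depth(doc) > MAX_NESTING:
        raise ValidationError("document nested too deeply")
    unknown = set(doc) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for name, rule in SCHEMA.items():
        if name not in doc:
            if rule.get("required", True):
                raise ValidationError(f"missing field: {name}")
            continue
        value = doc[name]
        # bool is a subclass of int in Python, so it must be excluded explicitly.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            raise ValidationError(f"{name}: expected {rule['type'].__name__}")
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name}: below minimum")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name}: above maximum")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: too long")
        if "regex" in rule and not rule["regex"].match(value):
            raise ValidationError(f"{name}: bad format")
        clean[name] = value
    return clean


def reject_reason(raw: bytes):
    """Return the validation error message for a body, or None if it is accepted."""
    try:
        validate_body(raw)
    except ValidationError as exc:
        return str(exc)
    return None


def make_db():
    """Constructed in-memory table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def create_order(conn, raw: bytes) -> dict:
    """Validate first, then query with a bound parameter rather than string formatting."""
    body = validate_body(raw)
    row = conn.execute("SELECT name FROM customers WHERE id = ?",
                       (body["customer_id"],)).fetchone()
    if row is None:
        raise ValidationError("unknown customer")
    return {"customer": row[0], "sku": body["sku"], "quantity": body["quantity"]}
```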

Infrastructure 

Stay up-to-date. To be stable and still benefit from the latest security updates, a good API should rely on a good security network, infrastructure and up-to-date applications (servers, load balancers).

API Firewalling 

Create a wall: building a wall will solve all the immigration issues, for some citizens. That is the case, at least, for APIs! The protection of your API should be divided into two levels:

  • DMZ is the first level, with an API firewall to perform simple protection measures, including checking message size, SQL injections, and any HTTP layer-based protection that blocks intruders early. The message is then forwarded to the second level.
  • The second level is LAN, with advanced data information protection mechanisms.

Set a Budget for Security Testing 

Security monitoring takes time and resources, and the investment needs to be made by the businesses. Although new functionality drives growth, security testing should be allocated about 5 percent to 10 percent of the budget. Use of APIs is growing and encouraging companies to create more diverse applications. Nonetheless, as they exploit these resources, companies need to be mindful of and close the possible security holes.

About the author: Waqas Baig

Waqas Baig is a tech writer with eight years of experience in journalism, reporting and editing. In his spare time, he reads and writes about tech products including gadgets, smart watches, home security products and others. If you have story ideas, feel free to share them at waqasbaigblog@gmail.com

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post API Security and Hackers: What’s the Need? appeared first on Security Affairs.

New Noise-Resilient Attack On Intel and AMD CPUs Makes Flush-based Attacks Effective

Modern Intel and AMD processors are susceptible to a new form of side-channel attack that makes flush-based cache attacks resilient to system noise, newly published research shared with The Hacker News has revealed. The findings are from a paper "DABANGG: Time for Fearless Flush based Cache Attacks" published by a pair of researchers, Biswabandan Panda and Anish Saxena, from the Indian

A New York man was charged with stealing credit card data via SQL Injection attacks

The US DoJ announced that a New York City man was charged with hacking, credit card trafficking, and money laundering conspiracies.

New York City man Vitalii Antonenko (28) was charged with hacking, credit card trafficking, and money laundering conspiracies, states the US DoJ.

The man was arrested in March 2019 and detained after his arrival from Ukraine, carrying computers and other digital media containing hundreds of thousands of stolen payment card numbers.

“Vitalii Antonenko, 28, was indicted on one count of conspiracy to gain unauthorized access to computer networks and to traffic in unauthorized access devices, and one count of money laundering conspiracy.” reads the press release published by US DoJ. “In March 2019, Antonenko was arrested and detained on money laundering charges at New York’s John F. Kennedy International Airport after he arrived there from Ukraine carrying computers and other digital media that held hundreds of thousands of stolen payment card numbers.”

The man and his co-conspirators obtained the credit card data by hacking into vulnerable computer networks.

The hackers launched SQL injection attacks to access vulnerable networks and steal Payment Card Data and other PII.

Crooks were able to steal card account numbers, expiration dates, and card verification values, along with other personally identifiable information (PII), then they were offering them for sale on cybercrime marketplaces.

“They used a hacking technique known as a “SQL injection attack” to access those networks without authorization, extracted Payment Card Data and other PII, and transferred it for sale on online criminal marketplaces.” continues the DoJ. “Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control.”

The charges related to unauthorized access carry a sentence of up to five years in prison, three years of supervised release, a $250,000 fine, restitution and forfeiture.

Antonenko faces up to 20 years in prison and a $500,000 fine for the money laundering conspiracy charges.

Pierluigi Paganini

(SecurityAffairs – Card Data, hacking)

The post A New York man was charged with stealing credit card data via SQL Injection attacks appeared first on Security Affairs.

Exclusive – Any Mitron (Viral TikTok Clone) Profile Can Be Hacked in Seconds

Mitron (means "friends" in Hindi), you have been fooled again! Mitron is not really a 'Made in India' product, and the viral app contains a highly critical, unpatched vulnerability that could allow anyone to hack into any user account without requiring interaction from the targeted users or their passwords. I am sure many of you already know what TikTok is, and those still unaware, it's a

Hackers Breached 6 Unpatched Cisco Internal Servers

Servers Support Company's Virtual Networking Service
Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero day vulnerabilities. The company did not describe the damage done, saying only that "a limited set of customers" was impacted.

Threat Roundup for May 22 to May 29

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 22 and May 29. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

 

Reference

20200529-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for May 22 to May 29 appeared first on Cisco Blogs.

Career Choice Tip: Cybercrime is Mostly Boring

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

Yes, I realize hooded hacker stock photos have become a meme, but that’s the point.

The findings come in a new paper released by researchers at Cambridge University’s Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings.

In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the activity of legitimate system administrators.

Richard Clayton, a co-author of the report and director of Cambridge’s Cybercrime Centre, said the findings suggest policymakers and law enforcement agencies may be doing nobody a favor when they issue aggrandizing press releases that couch their cybercrime investigations as targeting sophisticated actors.

“The way in which everyone looks at cybercrime is they’re all interested in the rockstars and all the exciting stuff,” Clayton told KrebsOnSecurity. “The message put out there is that cybercrime is lucrative and exciting, when for most of the people involved it’s absolutely not the case.”

From the paper:

“We find that as cybercrime has developed into industrialized illicit economies, so too have a range of tedious supportive forms of labor proliferated, much as in mainstream industrialized economies. We argue that cybercrime economies in advanced states of growth have begun to create their own tedious, low-fulfillment jobs, becoming less about charismatic transgression and deviant identity, and more about stability and the management and diffusion of risk. Those who take part in them, the research literature suggests, may well be initially attracted by exciting media portrayals of hackers and technological deviance.”

“However, the kinds of work and practices in which they actually become involved are not reflective of the excitement and exploration which characterized early ‘hacker’ communities, but are more similar to low-level work in drug dealing gangs, involving making petty amounts of money for tedious work in the service of aspirations that they may one day be one of the major players. This creates the same conditions of boredom…which are found in mainstream jobs when the reality emerges that these status and financial goals are as blocked in the illicit economy as they are in the regular job market.”

The researchers drew on interviews with people engaged in such enterprises, case studies on ex- or reformed criminal hackers, and from scraping posts by denizens of underground forums and chat channels. They focused on the activity needed to keep various crime services operating efficiently and free from disruption from interlopers, internecine conflict, law enforcement or competitors.

BOOTER BLUES

For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks.

Booter services (a.k.a. “stressers”) — like many other cybercrime-as-a-service offerings — tend to live or die by their reputation for uptime, effectiveness, treating customers fairly, and for quickly responding to inquiries or concerns from users. As a result, these services typically require substantial investment in staff needed for customer support work (through a ticketing system or a realtime chat service) when issues arise with payments or with clueless customers failing to understand how to use the service.

In one interview with a former administrator of a booter service, the proprietor told researchers he quit and went on with a normal life after getting tired of dealing with customers who took for granted all the grunt work needed to keep the service running. From the interview:

“And after doing [it] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all. Creating a stresser is easy. Providing the power to run it is the tricky part. And when you have to put all your effort, all your attention. When you have to sit in front of a computer screen and scan, filter, then filter again over 30 amps per 4 hours it gets annoying.”

The researchers note that this burnout is an important feature of customer support work, “which is characterized less by a progressive disengagement with a once-interesting activity, and more by the gradual build-up of boredom and disenchantment, once the low ceiling of social and financial capital which can be gained from this work is reached.”

WHINY CUSTOMERS

Running a malware-as-a-service offering also can take its toll on developers, who quickly find themselves overwhelmed with customer support requests and negative feedback when a well-functioning service has intermittent outages.

Indeed, the author of the infamous ZeuS Trojan — a powerful password stealing tool that paved the way for hundreds of millions of dollars stolen from hacked businesses — is reputed to have quit the job and released the source code for the malware (thus spawning an entire industry of malware-as-a-service offerings) mainly to focus his skills on less tedious work than supporting hundreds of customers.

“While they may sound glamorous, providing these cybercrime services require the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries, and so on,” the report continues.

To some degree, the ZeuS author's experience may not be the best example, because his desire to get away from supporting hundreds of customers ultimately led to his focusing attention and resources on building a far more sophisticated malware threat: the peer-to-peer based Gameover malware that he leased to a small group of organized crime groups.

Likewise, the cover story in this month’s Wired magazine profiles Marcus Hutchins, who said he “quickly grew bored with his botnets and his hosting service, which he found involved placating a lot of ‘whiny customers.’ So he quit and began to focus on something he enjoyed far more: perfecting his own malware.”

BORING THEM OUT OF BUSINESS

Cambridge’s Clayton and his colleagues argue the last two examples are more the exception than the rule, and that their research points to important policy implications for fighting cybercrime that are often discounted or overlooked: Namely, interventions that focus on the economics of attention and boredom, and on making such work as laborious and boring as possible.

Many cybersecurity experts remark that taking down domain names and other infrastructure tied to cybercrime businesses amounts to little more than a game of whack-a-mole, because the perpetrators simply move somewhere else to resume their operations. But the Cambridge researchers note that each takedown creates further repetitive, tedious work for the administrators, who have to set up their sites anew.

“Recent research shows that the booter market is particularly susceptible to interventions targeted at this infrastructural work, which make the jobs of these server managers more boring and more risky,” the researchers note.

The paper takes care to note that its depictions of the ‘boredom’ of the untrained administrative work carried out in the illicit economy should not be taken as impugning the valuable and complex work of legitimate system administrators. “Rather, it is to recognize that this is a different kind of knowledge and set of skills from engineering work, which needs to be taught, learned, and managed differently.”

The authors conclude that refocusing interventions in this way might also be supported by changes to the predominant forms of messaging used by law enforcement and policy professionals around cybercrime:

“If participation within these economies is in fact based in deviant aspiration rather than deviant experience, the currently dominant approaches to messaging, which tend to focus on the dangerous and harmful nature of these behaviors, the high levels of technical skill possessed by cybercrime actors, the large amounts of money made in illicit online economies, and the risk of detection, arrest, and prosecution are potentially counterproductive, only feeding the aspiration which drives this work. Conversely, by emphasizing the tedious, low-skilled, low-paid, and low-status reality of much of this work, messaging could potentially dissuade those involved in deviant online subcultures from making the leap from posting on forums to committing low-level crime.”

“Additionally, diversionary interventions that emphasize the shortage of sysadmin and ‘pen tester’ workers in the legitimate economy (“you could be paid really good money for doing the same things in a proper job”) need to recognize that pathways, motivations, and experiences may be rather more prosaic than might be expected.”

“Conceptualizing cybercrime actors as high-skilled, creative adolescents with a deep love for and understanding of technology may in fact mischaracterize most of the people on whom these markets depend, who are often low-skilled administrators who understand fairly little about the systems they maintain and administer, and whose approach is more akin to the practical knowledge of the maintainer than the systematic knowledge of a software engineer or security researcher. Finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.”

Further reading: Cybercrime is (often) Boring: Maintaining the Infrastructure of Cybercrime Economies (PDF).

Mapping the MITRE ATT&CK Framework to CIS Controls

For most of this decade I have spent a good amount of time analyzing security and compliance frameworks. There is beauty in every one of them. Some are very high level and leave it to the organization to interpret how to implement the various controls, such as the CIS Critical Security Controls. Others are incredibly […]… Read More

The post Mapping the MITRE ATT&CK Framework to CIS Controls appeared first on The State of Security.

ICT solutions provider NTT Com discloses security breach

NTT Communications (NTT Com), a subsidiary of tech giant NTT Corp, disclosed a data breach that impacted hundreds of customers.

NTT Com provides network management, security and solution services to consumers, corporations and governments.

NTT Com Group has more than 30 companies in the Asia-Pacific region, Europe and the Americas.

The company launched an investigation after discovering unauthorized access to some systems on May 7, and this week it confirmed that data may have been stolen.

“NTT Communications (hereafter NTT Com) detected an unauthorized access to our equipment that has been made by an attacker on May 7, and the possibility that some information may have leaked to the outside was confirmed on May 11.” reads the data breach notification.

NTT Com initially noticed suspicious activity on an Active Directory server, then discovered that the threat actors had breached an operational server and an information management server that stored customer information.

The internal investigation revealed that the attackers first compromised a server in Singapore, then used it for lateral movement to reach the infrastructure in Japan.

In response to the incident, the company shut down the impacted servers to prevent the malware from spreading and communicating with external servers.

According to NTT, the security breach could impact 621 companies whose information was stored on the information management server.

The company announced that it has taken additional measures to prevent similar attacks in the future.

Other major Japanese companies have recently disclosed security breaches, some of which took place years ago, including NEC, Mitsubishi Electric, Pasco and Kobe Steel.

Pierluigi Paganini

(SecurityAffairs – NTT, hacking)

The post ICT solutions provider NTT Com discloses security breach appeared first on Security Affairs.

Why Manual Penetration Testing and Automation are Important Aspects of an AppSec Program

Authored by Jacques Lopez and Tom Eston

As a result of the current COVID-19 pandemic, most companies are operating remotely. This "new normal" has led to an increased demand for digital transformations and cloud migrations. But Verizon's 2020 Data Breach Investigations Report recently noted that cyberattackers are taking advantage of the digital transformations, finding new ways to attack web applications. As Tami Erwin, CEO of Verizon Business, recently stated, "As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount."

So how can you digitally transform your business while maintaining application security (AppSec)? You need to incorporate Manual Penetration Testing (MPT) along with AppSec automation. Relying only on MPT can be costly and time-consuming, but if you only leverage automated scans you could miss authorization issues and business logic flaws. Let's explore MPT and AppSec automation in depth, and weigh the pros and cons, to show why both are essential to properly protect your applications.

Manual Penetration Testing

MPT is conducted by a human, known as a "pen tester." The pen tester leverages security and assessment tools to uncover vulnerabilities in applications along with the resulting impact. MPT is vital for the deep inspection of critical apps because it finds classes of vulnerabilities that automated assessments can't, such as authorization issues and business logic flaws. It also helps validate the results of an overall AppSec program. That said, it cannot be the only testing type used for your applications. It simply doesn't integrate well enough to meet developers' needs, and it's not cost-effective.

Pros:

  • Leverages human understanding of business logic, finding vulnerabilities that automated assessments can't identify
  • Offers in-depth testing into the application
  • Uses multiple tools to test the application
  • Provides an excellent snapshot in time of the security of the application
  • Is the generally accepted compliance step for a security review

Cons:

  • Does not always integrate well into the development process; although, there are more "crowdsourced" and "continuous" penetration testing models arising to reduce response times
  • Can be a bottleneck in the process and slow development down while teams wait for the results
  • Results can vary between tests and penetration testers: it is part of human nature that testers will see different things and have different approaches
  • Occasionally leaves security gaps in between testing
  • Can be cost-prohibitive to test the full portfolio of applications

AppSec Automation

AppSec Automation is the programmatic incorporation of automated security scanning into the DevOps process and the security risk management practice. Security automation is required for scale, cost-effectiveness, and integration into the DevOps process. Organizations that solely rely on MPT have a minimal chance of reaching the programmatic outcomes around risk reduction that continuous scanning can provide.

Pros:

  • Can be integrated into the development process which is much easier for developers to use
  • Scales to encompass most, if not all, of the application portfolio
  • Implements a consistent and repeatable security policy
  • Benchmarks to show improvement over time
  • Scans on-demand at multiple stages of development and security review
  • Less expensive per scan

Cons:

  • Can only scan for what it knows. It does not currently replace understanding the business logic of an application and the creativity of a professional pen tester
  • May not be considered independent attestation if done with an on-premises tool

Both are required for a fully effective program but address different needs. MPT is best suited for a point-in-time assessment on business-critical applications where business logic considerations come into play. Automation builds a scalable AppSec program that benchmarks and demonstrates a reduction of risk over time. It also aligns with the development process, which is key in getting developers to adopt security practices.

If your organization is considering a digital transformation and looking to implement MPT or automated scans, we can help. Veracode and our channel partners can help you build out a program that meets your needs. Visit our product page to learn more.

Thierry Delaporte to become the CEO and managing director of Wipro

The global information technology, consulting and business process services company Wipro today announced the appointment of Thierry Delaporte as the chief executive officer and managing director of the company. “I am delighted to welcome Thierry as CEO and managing director of the company. Thierry has an exceptional leadership track record, strong international exposure, deep strategic expertise,…

Revamped Valak Malware Targets Exchange Servers

Malware, Now Acting as an Infostealer, Spotted in US and Germany: Cybereason
A recently revamped version of the Valak strain of malware is targeting Microsoft Exchange servers in the U.S. and Germany, according to recent research from Cybereason. The malware has been redesigned to act as an information stealer that can extract corporate data.

Utah Tech CEO Jailed for Possessing Thousands of Files Depicting Child Sexual Abuse

Utah Tech CEO Jailed for Possessing Thousands of Files Depicting Child Sexual Abuse

The 40-year-old one-time CEO of a Utah tech company is serving a custodial sentence after downloading over 13,000 images of child sexual abuse, bestiality, and rape. 

Douglas Eugene Saltsman was sentenced yesterday to 210 days in prison and 48 months of probation by Utah 3rd District Judge Douglas Hogan after being convicted on three felony charges of sexual exploitation of a minor. 

Addressing the virtual court, Saltsman said he had sought help from a psychiatrist after recognizing that he had illegal sexual tendencies. 

The former CEO of the now defunct blockchain and cryptocurrency company Saltmine said he was unable to control himself despite being put on medication and enrolled in therapy.

Utah's Internet Crimes Against Children Task Force raided Saltsman's Sandy home on May 7 last year. A search of his laptop, computer, an SD card, and an SSD storage device turned up more than 13,000 files containing images of graphic sexual abuse.

One of the files consisted of a compilation video of girls from the ages of 3 to 8 years old being bound and raped. The files were seized and sent to the National Center for Missing and Exploited Children’s law enforcement clearinghouse in a bid to identify the victims. 

Saltsman initially faced 11 felony counts of sexual exploitation of a minor, but in March 2020 he agreed to plead guilty to three felonies in exchange for the dismissal of the remaining seven charges.

Under the terms of the deal, Saltsman could only be handed the maximum recommended sentence for a first-time offender set 14 years ago by the Utah Sentencing Commission—210 days in jail and four years on probation.

An online petition to recall Judge Hogan has been signed by 114,000 people who felt Saltsman's sentence was too lenient and were presumably unaware of the agreed-upon deal. 

Saltsman's sentencing comes just weeks after the former director of operations for Salt Lake City Airport, 69-year-old Randall Darwood Berg, was charged with 25 counts of sexual exploitation of a minor. 

Berg, of Draper, is accused of possessing approximately 50,000 images of child sexual abuse. His residence was searched following the submission of eight separate Cybertip reports to the NCMEC alleging Berg was storing illegal files on a Google Photo account.

The Power of Convergence

This blog was written by Rodman Ramezanian, Pre-Sales Security Engineer at McAfee

In cybersecurity, integration has become a near-obligatory requirement for organisations considering new products. They want to know new products will complement existing investments to collectively produce more effective and efficient solutions.

But as of late, the term convergence has emerged as another key capability and expectation of technology platforms.

I’d like to explore how these terms differ and how those differences will shape security outcomes in the future.

Definitions

Let’s start with a stone-cold definition. According to the Merriam-Webster Dictionary:

  • Integrate means “to end the segregation of and bring into equal membership in society or an organisation”
  • Converge means “to come together and unite in a common interest or focus”

Are we splitting hairs here? Are they much of a muchness?

These days, integration typically refers to the establishment of a common communication channel or route between disparate solutions to solve a particular challenge – usually to enable data sharing of some sort. Standard examples we hear sound like, “we’ve integrated this tool with that platform via API/Syslog/PowerShell” or various other methods.

Convergence approaches things differently by consolidating features and capabilities onto a common, scalable architecture and platform. To take a common example from daily life (nowadays, anyway), converged collaboration platforms such as Cisco WebEx, Zoom, and Microsoft Teams, to name just a few, amalgamate voice, video, and data services within a unified infrastructure.

Convergence aims to deliver the following benefits:

  • Lower costs and complexity: consolidating vendors and technology stacks should reduce licensing and operational costs, as well as management overhead
  • Enabling new digital business scenarios: apps, services, APIs, and data shareable with partners and contractors with lower risk exposure
  • Ease of use/transparency: avoiding app bloat, fewer agents per device, consistency of experience regardless of user location or device
  • Centralisation: cloud-based centralised management with distributed policy enforcement and decision making

While these benefits may not come as a surprise to some, many could argue that integration could very well yield the same outcomes and thus, the differences are negligible. Let’s take a moment to walk through a real-world example to show the contrast between the two.

Challenges and Benefits

It may be helpful to elaborate with examples to highlight just some challenges typically faced with integrations.

Let’s consider an organisation that wants to improve its security attentiveness and overall posture by blocking access to websites and Cloud services based on business risk, not just standard reputational checks. In this given scenario, let’s assume the organisation has mandated that its lines of business must ensure Cloud services being used must store their data encrypted when at rest.

In order to achieve this from a workflow perspective, they would need to integrate the business risk attributes for a given website (such as whether or not data at rest is encrypted) from a Cloud Access Security Broker (CASB) solution, along with the content filtering and blocking capabilities from a Secure Web Gateway (SWG) solution. Usually, this would be done via custom API integration; assuming that no further re-architecture work or implementation of data sharing platforms is needed.


Considering this, ask yourself what happens if/when:

  • The API is changed during an upgrade?
  • The SWG appliance requires a patch or version upgrade?
  • The personnel who wrote or implemented the integration leave the organisation?
  • Credentials and/or certificates used to authenticate between the solutions need to be refreshed?
  • The connection between the solutions breaks down, is the customer ultimately responsible for restitching the products together? Or are the respective vendors then called into action?

Now, let’s reflect on the benefits we mentioned earlier. Complexity goes out the window the moment we begin to mention bespoke integration via coding and credential/certificate management. Version control for the code, along with the dependence on version specific APIs, draw out more complexity as change management for each iteration of the configuration needs to be tested. In addition, we need to consider the additional complexity brought by the need to open up firewall ports between the various components involved to make this integration work.

Centralised management and enforcement don’t exist as the two solutions and their ontologies don’t align. That is, a risk attribute for a Cloud service in the CASB product cannot be natively stored in the SWG as its ontology lacks this concept. This means that they must resort to a common lower value ontology which is common across the two – in this case, the URL. The resultant integration means a dumbed-down list of URLs must be used. This list would be routinely and regularly pushed from the CASB to a list within the SWG. At that point, its accuracy and timeliness become highly dependent on the synchronisation and polling period between the two products.

With this, ease of use diminishes as attrition in personnel brings about lost institutional knowledge and know-how, unless that knowledge is transferred or sufficiently documented. Also, in the event of an incorrect block on a website, troubleshooting becomes difficult.

We could simplify this integration and remove some of the barriers mentioned above were we to use a Cloud-delivered SWG; however, challenges such as differing ontologies, API management, credential management and integration testing remain unchanged.

So then, how does one go from integration to convergence? The answer is simple – acceptance of the need to change the approach and a willingness to get it done.

In order to adequately address the use case at hand, the technologies involved need to come together to ultimately become one. While this seems like something that could be blurred in a Cloud-delivered offering through converging parts of the UI with microservices from both products, doing so would technically fall into the integration bucket as ontologies and UI/UX remain different and would lack simplification. So, what would it take to converge CASB and SWG solutions?

  • Merging ontology – Bringing both CASB and SWG elements together. An example of this may be using the same Cloud “Service Group” object in both solutions.
  • Leveraging common capabilities – It doesn’t just stop with ontology. The solutions need to merge other components such as incident management, logging, dashboards, policy definitions, user authentication, etc. This convergence would not only improve the end user experience, but also reduce future technical debt in maintaining overlapping capabilities and components.
  • Refactoring UI/UX – Rethinking and re-working the user experience to bring about the simplest flow to achieve the converged use cases.

In the figure below, we have a policy example that creates a grouping of all high-risk Cloud services, current and future, that can be used as a restriction for web access. The result is that any high-risk Cloud service will be blocked by the Cloud-native SWG, preventing users from accessing these services to keep them safe from accidental data loss and/or malware. All this with no bespoke integration, no polling or pulling, no scripts, no firewall rules, no credential or certificate management and most importantly, no complexity!
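As an added illustration (not part of the original post and not code from any McAfee product), the following Python model contrasts the two approaches described above: a CASB catalogue that holds risk attributes, an SWG that only understands hostnames and receives a flattened blocklist on a polling cycle, and a converged engine whose policy references the risk attribute itself. The service names, hostnames and the 60-minute polling period are constructed for the example.

```python
"""Toy model of 'integration' versus 'convergence' between a CASB and an SWG.

Constructed example: the service catalogue, hostnames and timings below are
invented to illustrate the ontology-flattening and polling-lag problem.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


@dataclass
class CloudService:
    """CASB-side object: a cloud service with a risk attribute and its hostnames."""
    name: str
    risk: str                       # "low" | "medium" | "high"
    hosts: Set[str] = field(default_factory=set)


class Casb:
    """Holds the rich ontology: services, risk attributes, service groups."""

    def __init__(self, services: List[CloudService]):
        self.services = {s.name: s for s in services}

    def service_for(self, url: str) -> Optional[CloudService]:
        host = urlparse(url).hostname
        return next((s for s in self.services.values() if host in s.hosts), None)

    def high_risk_hosts(self) -> Set[str]:
        """Flatten the 'high risk' group to the lowest common ontology: hostnames."""
        return {h for s in self.services.values() if s.risk == "high" for h in s.hosts}


class IntegratedSwg:
    """SWG that only understands hostnames and receives a pushed list per polling cycle."""

    def __init__(self, poll_interval_min: int):
        self.poll_interval = poll_interval_min
        self.blocklist: Set[str] = set()
        self.last_sync = -1

    def maybe_sync(self, casb: Casb, now_min: int) -> bool:
        """Pull the flattened list if a polling period has elapsed; True if a sync ran."""
        if self.last_sync < 0 or now_min - self.last_sync >= self.poll_interval:
            self.blocklist = casb.high_risk_hosts()
            self.last_sync = now_min
            return True
        return False

    def decide(self, url: str) -> str:
        return "block" if urlparse(url).hostname in self.blocklist else "allow"


class ConvergedSwg:
    """SWG sharing the CASB ontology: the policy references the risk attribute directly."""

    def __init__(self, casb: Casb, blocked_risk: str = "high"):
        self.casb = casb
        self.blocked_risk = blocked_risk

    def decide(self, url: str) -> str:
        svc = self.casb.service_for(url)
        return "block" if svc is not None and svc.risk == self.blocked_risk else "allow"


def run_scenario() -> Dict[str, str]:
    """Walk one constructed timeline and record each engine's verdict at each step."""
    casb = Casb([
        CloudService("shareit-example", "high", {"shareit.example"}),
        CloudService("notes-example", "medium", {"notes.example"}),
    ])
    integrated = IntegratedSwg(poll_interval_min=60)
    converged = ConvergedSwg(casb)
    out: Dict[str, str] = {}

    # t=0: first sync; both engines agree on the initial catalogue.
    integrated.maybe_sync(casb, now_min=0)
    out["t0_integrated"] = integrated.decide("https://shareit.example/upload")
    out["t0_converged"] = converged.decide("https://shareit.example/upload")

    # t=10: the CASB re-rates notes-example as high risk and learns a new hostname.
    casb.services["notes-example"].risk = "high"
    casb.services["notes-example"].hosts.add("cdn.notes.example")
    integrated.maybe_sync(casb, now_min=10)          # too early: no sync happens
    out["t10_integrated"] = integrated.decide("https://cdn.notes.example/doc")
    out["t10_converged"] = converged.decide("https://cdn.notes.example/doc")

    # t=60: the next polling period finally pushes the updated list.
    integrated.maybe_sync(casb, now_min=60)
    out["t60_integrated"] = integrated.decide("https://cdn.notes.example/doc")
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(step, verdict)
```

Between t=10 and t=60 the integrated SWG allows the newly high-risk service because its pushed URL list is stale, while the converged engine blocks it at once; that window is exactly the accuracy and timeliness dependency on the polling period described above.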

Now, this is just one example of convergence as part of McAfee’s Unified Cloud Edge (UCE) solution. Further convergence is necessary to refactor many of the data protection workflows traditionally kept separate from other enterprise security platforms.

According to an industry survey conducted by McAfee, only 31% of companies said their Cloud security tools could enforce the same DLP policies at their Devices, Network, and Cloud Services.

As part of McAfee’s Unified Cloud Edge solution, the convergence of Data Loss Prevention (DLP) policies and attributes with SWG and CASB technologies will ultimately lead to the unification of data classifications, rules, incidents, workflows, and so much more across Devices, Networks, and Cloud environments.

Final thoughts

Blended threats require a blended security response. Converging security practices and capabilities creates a whole that’s greater than the sum of its parts. Even something as simple as unifying an organisation’s security visibility – spanning from Device to Cloud – through a converged and centralised portal yields powerful gains in specific incidents and over the long run.

Converging security processes should align your security operations with your business goals and amplify your organisation’s performance of its most important functions. A converged security program protects your organisation’s key assets and helps get them back up and running faster when something does go wrong. Ultimately, converged security practices can be part of your organisation’s competitive advantage.

If you’d like to discuss any of the points covered here, or more specifically McAfee’s converged security solutions in further detail, please feel free to reach out to me.

* Special thanks to my manager Sahba Idelkhani for his guidance and input into this blog *

The post The Power of Convergence appeared first on McAfee Blogs.

Himera and AbSent-Loader Leverage Covid19 Themes

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

Introduction

During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed to many companies under our protective umbrella. These messages leveraged FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemic. The emails were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader.

Figure1: Email vector example

Loaders are a type of malicious code specialized in loading additional malware onto the victim’s machine. Sometimes a loader can also assume “stealer” behavior, opportunistically gathering sensitive information even when that is not its declared purpose. Absent-Loader, despite its name, behaves this way. In fact, the stolen-information market is definitely remunerative for cyber criminals: information gathered from infected systems is constantly sold in the underground, typically acquired by other, more structured criminal organizations or even by business competitors.

Technical Analysis  

The sample used in this campaign first uses a Word document that refers to an embedded executable; that executable then drops another executable and performs a renaming operation to evade controls. The following picture reports the infection chain used in this campaign:

Figure 2: Infection Chain

The malicious email wave contained a .doc attachment. The static information of this file follows:

Name: Covid-19-PESANTATION.doc
Hash: 97FA1F66BD2B2F8A34AAFE5A374996F8
Threat: Himera Loader dropper
Size: 95,4 KB (97.745 byte)
Filetype: Microsoft Word document
Ssdeep: 1536:7fVmPSiRO8cOV8xCcoHrZvIdTZ2DSXMqcI3iL5PEs8VlbeH0btGDYLlNq2l+SEg:7fVz8zyUHlvId7H3iL5MVlbeHGkQvqTU

Table 1: Static information about the Malicious document

The interesting feature of this document is the fact that it does not leverage any type of macro or exploit, but it contains the entire executable within it as an embedded object. So, the user is led to double-click on the malicious icon, representing the executable. 

Once clicked, the embedded object executes a malicious file named HimeraLoader.exe.

Name: HimeraLoader.exe
Hash: 4620C79333CE19E62EFD2ADC5173B99A
Threat: Second stage dropper
Size: 143 KB (146.944 byte)
Filetype: Executable
File Info: Microsoft Visual C++ 8
Ssdeep: 3072:jqW9iAayyenylzx0/2gJUSUZsnOA/TtYLeEoWj5PxJhQQeSH1pNGmHohurCMSiBf:jqW9iAayyenylzx0/2gJUSUZsnJ/TKLd

Table 2: Static information about the HimeraLoader executable

Inspecting the HimeraLoader.exe execution trace, we noticed a distinctive mutex created during the initial loading of the malicious code: the “HimeraLoader v1.6” mutex, or Mutant.

Figure 3: Himera Loader Mutex

Also, the sample performs some classic anti-analysis tricks using Windows APIs such as “IsDebuggerPresent”, “IsProcessorFeaturePresent” and “GetStartupInfoW”. Execution takes a different path through the program’s flow if a debugger is present. The function GetStartupInfoW retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created; it takes as its parameter a pointer to a STARTUPINFO structure that receives the startup information, and it does not return a value.

Figure 4: Relevant strings of the Loader

When the Himera Loader goes through its execution and passes all anti-analysis tricks, it gathers another binary from hxxp://195[.]2[.]92[.]151/ad/da/drop/smss[.]exe. The remote server is operated by Hosting Technologies LLC, a company running the Russian hosting service brand “VDSina.ru”.

The AbSent-Loader 

The file downloaded from the drop URL has the following static information:

Name: smss[1].exe
Hash: 4D2207059FE853399C8F2140E63C58E3
Threat: Dropper/Injector
Size: 0,99 MB (1.047.040 byte)
Filetype: Executable
File Info: Microsoft Visual C++ 8
Ssdeep: 24576:+9d+UObalbls+rcaN+cFsyQIDHx2JrjDwc9bmfRiHwl:+9d+UObaVzrcaN+cKypDHx2Jr/wYbmJd

Table 3: Static information about the AbsentLoader Payload

When “smss.exe” is executed, it copies itself to a new file, winsvchost.exe, in the %TEMP% path and creates a scheduled task to maintain persistence after reboot.

Figure 5: Evidence of the Scheduled Task

Moreover, the malware adopts some interesting anti-debug techniques, such as the GetTickCount one, which is quite similar to the one described in one of our previous reports. GetTickCount is called once, the code reached through the “call eax” instruction runs, and GetTickCount is called a second time; the result of the first call is then immediately subtracted from the second and the difference is left in the EAX register.

Figure 6: GetTickCount anti-debug Technique

Then, the malware establishes a TCP connection every 15 minutes. These connections are directed to the same remote host operated by Hosting Technologies LLC (195.2.92.151), but this time it sends HTTP POST requests to the “/ad/da/gate.php” resource.

Figure 7: Evidence of some relevant strings inside the payload

This payload is a new version of AbSent-Loader, a piece of malware that, despite its name, also behaves like a bot: it lacks most modern advanced features but is sophisticated enough to maintain persistence on the victim host and to escalate the attack with follow-up malware implants.
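The behaviours described in this analysis translate directly into detection logic. The following Python script is an added example (not from the ZLab analysis) that matches normalised endpoint and proxy events against the indicators published above: the file hashes, the “HimeraLoader v1.6” mutex, the winsvchost.exe copy under %TEMP% followed by scheduled-task creation, and POSTs to 195.2.92.151/ad/da/gate.php at a 15-minute cadence. The event records, their field names and the task name are constructed; only the indicators come from the article.

```python
"""Match the Himera / AbSent-Loader behaviours against host and proxy telemetry.

Constructed example: the EVENTS below are invented, pre-parsed log records.
Hashes, mutex name, %TEMP% file name, C2 host and gate path are the
indicators reported in the article; field names and task name are assumptions.
"""
import re
from datetime import datetime
from typing import Dict, List

# Indicators as published in the article (hash values lower-cased for lookup).
KNOWN_HASHES = {
    "97fa1f66bd2b2f8a34aafe5a374996f8": "Covid-19-PESANTATION.doc (Himera Loader dropper)",
    "4620c79333ce19e62efd2adc5173b99a": "HimeraLoader.exe (second stage dropper)",
    "4d2207059fe853399c8f2140e63c58e3": "smss.exe (AbSent-Loader payload)",
}
MUTEX_NAME = "HimeraLoader v1.6"
C2_HOST = "195.2.92.151"
C2_GATE = "/ad/da/gate.php"
# The payload copies itself to winsvchost.exe under %TEMP%: match the unexpanded
# variable or an expanded ...\Temp\ path, case-insensitively.
PERSISTENCE_COPY = re.compile(r"(?i)(%temp%|\\temp)\\winsvchost\.exe$")

# Constructed telemetry (not from the article): one infection as it might look
# after normalising Sysmon-style endpoint events and proxy logs.
EVENTS: List[Dict] = [
    {"ts": "2020-05-20T09:00:00", "type": "process_create", "image": "WINWORD.EXE", "hash": "0" * 32},
    {"ts": "2020-05-20T09:00:05", "type": "process_create", "image": "HimeraLoader.exe",
     "hash": "4620C79333CE19E62EFD2ADC5173B99A"},
    {"ts": "2020-05-20T09:00:06", "type": "mutex_create", "name": "HimeraLoader v1.6"},
    {"ts": "2020-05-20T09:00:09", "type": "file_write", "path": r"C:\Users\u\AppData\Local\Temp\winsvchost.exe"},
    {"ts": "2020-05-20T09:00:10", "type": "scheduled_task_create", "task": "constructed-task-name"},
    {"ts": "2020-05-20T09:00:12", "type": "http", "method": "POST", "host": C2_HOST, "uri": C2_GATE},
    {"ts": "2020-05-20T09:12:00", "type": "http", "method": "GET", "host": "intranet.example", "uri": "/"},
    {"ts": "2020-05-20T09:15:12", "type": "http", "method": "POST", "host": C2_HOST, "uri": C2_GATE},
    {"ts": "2020-05-20T09:30:13", "type": "http", "method": "POST", "host": C2_HOST, "uri": C2_GATE},
    {"ts": "2020-05-20T09:45:12", "type": "http", "method": "POST", "host": C2_HOST, "uri": C2_GATE},
]


def _ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def match_atomic_iocs(events: List[Dict]) -> List[str]:
    """Flag every event carrying one of the published atomic indicators."""
    hits = []
    for e in events:
        if e["type"] == "process_create" and e.get("hash", "").lower() in KNOWN_HASHES:
            hits.append("known hash: " + KNOWN_HASHES[e["hash"].lower()])
        elif e["type"] == "mutex_create" and e.get("name") == MUTEX_NAME:
            hits.append("mutex: " + MUTEX_NAME)
        elif e["type"] == "file_write" and PERSISTENCE_COPY.search(e.get("path", "")):
            hits.append("persistence copy: winsvchost.exe in %TEMP%")
        elif (e["type"] == "http" and e.get("method") == "POST"
              and e.get("host") == C2_HOST and e.get("uri") == C2_GATE):
            hits.append("C2 POST: " + C2_HOST + C2_GATE)
    return hits


def persistence_sequence(events: List[Dict], window_s: int = 60) -> bool:
    """Behavioural rule: winsvchost.exe written, then a scheduled task within window_s."""
    writes = [_ts(e) for e in events
              if e["type"] == "file_write" and PERSISTENCE_COPY.search(e.get("path", ""))]
    tasks = [_ts(e) for e in events if e["type"] == "scheduled_task_create"]
    return any(0 <= (t - w).total_seconds() <= window_s for w in writes for t in tasks)


def beacon_intervals_min(events: List[Dict], host: str = C2_HOST, uri: str = C2_GATE) -> List[float]:
    """Minutes between successive POSTs to the gate; a steady value suggests beaconing."""
    times = sorted(_ts(e) for e in events
                   if e["type"] == "http" and e.get("method") == "POST"
                   and e.get("host") == host and e.get("uri") == uri)
    return [(b - a).total_seconds() / 60.0 for a, b in zip(times, times[1:])]


def is_periodic(intervals: List[float], expected_min: float = 15.0, tolerance_min: float = 1.0) -> bool:
    """True when at least two intervals all fall within tolerance of the expected period."""
    return len(intervals) >= 2 and all(abs(i - expected_min) <= tolerance_min for i in intervals)


def analyse(events: List[Dict]) -> Dict[str, object]:
    """Combine atomic and behavioural checks into one verdict for the host."""
    iocs = match_atomic_iocs(events)
    persisted = persistence_sequence(events)
    beaconing = is_periodic(beacon_intervals_min(events))
    return {"atomic_iocs": iocs, "persistence_sequence": persisted,
            "beacon_periodic": beaconing, "infected": bool(iocs) and persisted and beaconing}


if __name__ == "__main__":
    for key, value in analyse(EVENTS).items():
        print(f"{key}: {value}")
```

The atomic matches (hashes, mutex, host and path) are cheap but brittle, since a rebuilt sample or a new drop server defeats them; the two behavioural rules (the %TEMP% self-copy followed by a scheduled task, and a fixed-period POST cadence) survive such changes and are the part worth keeping in a long-lived detection.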

Conclusion

The attack we intercepted and described here is a clear example of the new threats that are approaching cyberspace during these months: new criminal threat actors with the sole objective to economically exploit the emotional reactions of the people willing to keep the economic fabric alive and running to support the Covid19 response.

In this particular period, cyberspace is getting more and more risky for companies and people: cyber criminality rose during the lockdowns, and these malicious actors are using every possible medium to make more money at the expense of companies and organizations. For this reason, we strongly advise companies to adapt and enhance their cyber security perimeter to resist the new volumes and types of cyber attacks we are experiencing these days.

Indicators of Compromise (IoCs) and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – COVID19, hacking)

The post Himera and AbSent-Loader Leverage Covid19 Themes appeared first on Security Affairs.

Texas University to Create Cybersecurity Innovation Institute

The University of Texas at San Antonio (UTSA) is to create and lead a new federal digital research institute that will devise ways to shield America's manufacturers from cyber-threats. 

In addition to assisting US industry in blocking cyber-attacks, the Cybersecurity Manufacturing Innovation Institute (CyManII) will explore how to help manufacturers achieve energy efficiency. 

Other areas of focus will include supporting technical innovation, job creation, and assisting manufacturers to be more competitive. 

The National Security Collaboration Center (NSCC) at UTSA, with more than 25,000 square feet of space, has been dedicated as the home base for CyManII.

Explaining why UTSA was chosen for the institute, James Milliken, chancellor for the UT system said: “We selected UTSA to lead CyManII due to the university’s well-known strengths in cybersecurity and national connectivity in this space.”

In order to bring the project to life, UTSA will receive $70m over a five-year period under a cooperative agreement with the US Department of Energy.

The UT system will inject an additional $10m into the institute, and a further $30m will be contributed by other cost-sharing partners. 

“CyManII leverages the unique research capabilities of the Idaho, Oak Ridge and Sandia National Laboratories as well as critical expertise across our partner cyber manufacturing ecosystem,” said UTSA president Taylor Eighmy. “We look forward to formalizing our partnership with the DOE to advance cybersecurity in energy-efficient manufacturing for the nation.”

Building a national program for education and workforce development, securing automation, and securing the supply-chain network are three high-priority areas on which CyManII will focus its national strategy. 

“As United States manufacturers increasingly deploy automation tools in their daily work, those technologies must be embedded with powerful cybersecurity protections,” said Howard Grimes, CyManII chief executive officer and associate vice president and associate vice provost for institutional initiatives at UTSA. 

“UTSA has assembled a team of best-in-class national laboratories, industry, nonprofit and academic organizations to cyber-secure the US manufacturing enterprise. Together, we will share the mission to protect the nation’s supply chains, preserve its critical infrastructure and boost its economy.”

Bogus Security Technology: An Anti-5G USB Stick

The 5GBioShield sells for £339.60, and the description sounds like snake oil:

...its website, which describes it as a USB key that "provides protection for your home and family, thanks to the wearable holographic nano-layer catalyser, which can be worn or placed near to a smartphone or any other electrical, radiation or EMF [electromagnetic field] emitting device".

"Through a process of quantum oscillation, the 5GBioShield USB key balances and re-harmonises the disturbing frequencies arising from the electric fog induced by devices, such as laptops, cordless phones, wi-fi, tablets, et cetera," it adds.

Turns out that it's just a regular USB stick.

Cisco is buying internet monitoring solution ThousandEyes

While Cisco wouldn’t say what it plans to pay, the tech giant announced Thursday it plans to buy internet monitoring solution startup ThousandEyes.

The move complements the company’s 2017 $3.7 billion acquisition of AppDynamics and is another clear sign that Cisco is pushing further into software and services. CNBC and other outlets have reported the ThousandEyes acquisition is valued at around $1 billion.

ThousandEyes is backed by several venture capital firms, including Sutter Hill Ventures, Sequoia Capital, and Salesforce Ventures, according to Pitchbook. Its chief executive officer and co-founder Mohit Lad said early discussions with Cisco and AppDynamics could be traced back to early last year.

“In our customer base, we kept running into AppDynamics on the application side and Cisco products on the network side and naturally started having conversations on collaborating with both sides of Cisco to formulate a strong joint vision. It was during these conversations over the last 12 months or so, that the two companies have gotten to know each other and developed a strong sense of mutual respect,” Lad wrote in a blog post. “Cisco’s excitement about what we were doing and how it complements Cisco’s strengths has been evident in every conversation across different parts of the organization.”

Cisco said that the purchase will close before the first quarter of its fiscal year 2021.

People Are The Strongest Link

Here’s a little preview of what you’ll find in Episode 6 of the Security Stories podcast.

If you’re looking for behind the scenes tales from some of the leading figures in cybersecurity, then you’re in the right place. If you’re looking for anecdotes from significant security events in the past, then you’re also in the right place. 

If you’re looking for advice on how to create the perfect TikTok video, well, you’re in the wrong place, but do stick around and see if you find anything interesting.

On today’s show we have a great interview with an altruistic Irishman who wears cool glasses and has a nice variety of white hats.

Nope, it’s not Bono, but we are lucky enough to have Brian Honan as our guest on this episode.

Brian is an internationally recognised expert on cybersecurity and data protection, but if you were to ask his young son what he did, the answer would be, “Dad catches hackers”.

In 2008 Brian founded Ireland’s first Computer Emergency Response Team. He’s also an adviser for Europol’s European Cybercrime Centre, and he runs his own independent security consultancy, BH Consulting, with a team based across the globe.

We cover a wide variety of topics during the interview, including the genesis of the Irish Emergency Response Team, running a company and managing a team, and why the cybersecurity industry needs more accountability.

A key part of our discussion is about people.  For many years, people have been deemed “the weakest link” when it comes to security.  Brian has an interesting take on why this isn’t the case. It’s really worth a listen.

Also in this episode is our regular “On This Day” feature. This is when my co-host Ben and I jump into the DeLorean and visit a significant cybersecurity event in the past.

This time we’re travelling back to the year 2000, which is when the “ILOVEYOU” worm, or the “Love Bug”, or indeed the “Love letter for you” cyber attack, ended up infecting over 10 million personal Windows computers. Discover the unique story behind this attack, and the additional part of the story, which happened only a few days ago.

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

Listen to previous episodes of the Security Stories podcast right here

The post People Are The Strongest Link appeared first on Cisco Blogs.

Leaning into Change with the McAfee Family

With today’s current climate, many companies are building cultures and infrastructures to support working from home (WFH). Like most transitions, this brings equal parts expectation and surprise.

For some, working from home means having more quality time with family or finally being able to take that 10 a.m. yoga class. It means experimenting with homeschooling schedules and more puppy time. Learning how to use funny webcam filters and backgrounds has never seemed more important.

Read Our Stories

At McAfee, we are no exception to this evolution. We have virtual employees around the world, including team members who have recently transitioned to remote work. See how some of our McAfee family is adapting to this environment:

“It’s just my wife and me and our two cats, so we’ve been fortunate that our primary inconvenience has been trying to keep the kitties from pouncing on our warm laptops.” Dennis, Product Marketing

“Although walks are slightly different with trying to maintain the 6 ft distance with strangers, it’s nice to see more of the neighborhood going out for  walks with their family and pets. I’ve never seen so many people walking around before!” Sarah, Business Operations

“Thankfully, we set up our home office a few years ago, and it’s been very comfortable to work from for me. The hardest part is not having social interactions, but I’m trying to make conscious efforts to reach out to people.” Aki, Product Design

“I’m grateful for all the added family time that we have now! Also, the house has probably not been this clean in YEARS.” Tiffany, Product Marketing

“I was very used to going to the office so working from home has been a change. However, I get to see my family much more often than before.” Pablo, Product Management

“I was fortunate enough to work remotely before it was required, but my coworker here helps give structure to my days with morning, lunch, and evening walks, almost bookending my workday!” Jonathan, Product Marketing

“Transitioning to working from home full-time has taught me the need to establish a routine and stick to it. I make sure I’m exercising, setting work hours and taking breaks. The first couple of weeks without that routine in place was tough, but now I feel more balanced and not drained. Another good tip: Always keep healthy snacks and water at your work station!” Lily, Program Manager

“Working from home is turning out to be great! I have the perfect work station with a standing desk to stay productive. I love having my five-year-old daughter, Stella, visit me in my makeshift office between her online school sessions and seeing my wife and daughter more than ever before!” Martin, Product Management

“Transitioning to working remotely has been a bit rocky, but the 10-step commute and daily lunch with my wife makes it much less painful. My two dogs have been the real winners!” Alex, User Research

“I had minor shoulder surgery right before the quarantine and couldn’t carry a monitor from the office, so I made it work with an old TV on my kitchen counter! I can sit AND stand at my new desk, and the proximity to snacks and fresh coffee is a nice perk.” Iram, Marketing Operations

“My three active kids were rarely in the house prior to this event. Now dinner together is a regular thing, and everyone is enjoying it. I’m thinking games and puzzles might be a way to avoid it devolving into a Lord of the Flies scenario.” Tracy, Product Management

“The work/home balance is a constant effort of refinement. Though it has been somewhat rocky at times, I’ve found my stride and am now getting to spend more time with my family in the morning and at night.” Jon, Visual Design

“I’m so glad I took some time to set up a dedicated workspace – it made a huge difference. The cat’s still on my lap, and I’m still in the living room, but I’m off the couch and in a real chair, and have places to put my stuff, so I don’t have to hunt around every morning.” Paula, Executive Communications

Are you looking for a flexible career opportunity in a thriving culture? Search our openings.

The post Leaning into Change with the McAfee Family appeared first on McAfee Blogs.

UK Government Launches Funding Program to Boost Security of IoT Market

The UK government has today launched a program to incentivize the creation of design schemes that test the security of Internet of Things (IoT) products. Under the initiative, innovators are encouraged to bid for funding from a pot of £400,000 to create more assurance schemes, with the ultimate aim of boosting the security of consumer smart products.

Assurance schemes are vital in the IoT product market, as they prove that a device has undergone independent testing or a robust and accredited self-assessment process. Their importance is set to grow, with an estimated 75 billion internet-connected devices, such as televisions, cameras and home assistants, expected to be in homes around the world by the end of 2025.

It is hoped the program will provide manufacturers with a variety of options to choose from in testing their consumer-smart products in accordance with the UK’s Code of Practice for Consumer IoT Security. An increase in these assurance schemes will also assist retailers in stocking secure IoT devices and customers in making security-conscious purchasing decisions.

Digital Minister Matt Warman, from the Department for Digital, Culture, Media and Sport (DCMS) commented: “We are committed to making the UK the safest place to be online and are developing laws to make sure robust security standards for consumer internet-connected products are built in from the start.

“This new funding will allow shoppers to be sure the products they are buying have better cybersecurity and help retailers be confident they are stocking secure smart products.”

Commenting on the announcement, Jake Moore, cybersecurity specialist at ESET, said: “This comes at a time when IoT seems to have been forgotten about, yet funding to support the security of such devices couldn’t be more vital. Many people favor convenience over security so it’s paramount that IoT devices come fitted with security by design, to help protect the devices and customers. This is usually where the manufacturers choose cutting costs over the protection of the end users, which in turn puts the users at risk of a range of potential attacks. Hopefully this will be the beginning of more funding as I’m not sure how far this initial input will go.”

The move comes amid other initiatives being taken by the UK government to combat cybercrime. These include legislation to bring in minimum security requirements for smart devices, and last month the government launched the ‘Cyber Aware’ campaign to advise people on protecting passwords, accounts and devices.

Warman added: “People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber-criminals.”

Top Ransomware Attack Vectors: RDP, Drive-By, Phishing

Configure Defenses to Block Attackers, Security Experts Advise

Ransomware-wielding attackers are typically breaking into victims' networks using remote desktop protocol access, phishing emails or malware that's sometimes used in drive-by attacks against browsers, experts warn, advising organizations to make sure they have the right defenses in place.

3 reasons why Cisco Stealthwatch is the Michael Jordan of Network Traffic Analysis tools

The Last Dance, a 10-part docuseries about the historic career of NBA legend Michael Jordan, came to an end recently. I was glued to my TV watching, and re-watching, these captivating hour-long episodes. It was chock full of uncut, never-before-seen footage that had sports fans around the world hooked. As a millennial who did not get the privilege of living through the Jordan-dominant era of the ’90s, I had accepted that Michael Jordan was the greatest of all time, but did I really believe it? I didn’t get to witness him firsthand, so probably not.

I am here to tell you how foolish that was. MJ was different.

The most striking thing about MJ was that he could do it all. His speed and athleticism at his size was something the NBA had never witnessed. The sport was dominated by one-trick ponies, one-dimensional big men who could stand at the rim and score. MJ would out-smart you, out-score you and out-work you. Mike also became a better player in his later years. The young athlete stunned crowds during his first year out of UNC (the alma mater of our very own Chuck Robbins) and continued this success all the way through to his final years in the NBA. Like a fine wine, MJ got better with age, so much so that he won an MVP award at age 35! The last part of MJ’s game that struck me was his fearless lockdown defense, both on the perimeter and at the rim. Nothing got past Mike.

Source: ESG Master Survey Results, The Threat Detection and Response Landscape, April 2019

As the series came to an end, I couldn’t help but think: Cisco Stealthwatch is a lot like Michael Jordan. Here are 3 reasons why:

Just like Mike, Stealthwatch can do it all.

Cisco Stealthwatch is a Network Traffic Analysis (NTA) tool that looks at your network telemetry to deliver alerts, saving your organization time and resources. Stealthwatch is available in various deployment models that allow protection for all kinds of workloads – on-prem infrastructure, your data centers, switches and routers. In addition to an on-prem deployment as a hardware or virtual appliance, Stealthwatch is also available as a SaaS delivered model that can be deployed for both private network monitoring and public cloud monitoring. It can even ingest telemetry that is native to various public cloud platforms like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). No matter what your network looks like, Stealthwatch has a solution for you.

I also noticed that Mike kept getting better. He learned about his opponents, found their weak points and exploited those weaknesses. He tuned his own game to those around him and got better each and every day. Stealthwatch is no different.

Stealthwatch gets better over time with dynamic entity modeling

Stealthwatch is constantly learning. Stealthwatch uses a process called dynamic entity modeling to learn about your resources and classify them into various roles, groups and more. After deployment, the solution learns over the course of a few days what is happening on your network. It establishes a baseline for “normal” behavior, and triggers alerts to notify users of anomalies. Stealthwatch also uses Talos, the largest non-governmental threat intelligence organization in the world, to enhance its threat detections. Network telemetry is correlated with the global risk map from Talos, a database full of known Indicators of Compromise (IoCs), different types of malware, open TOR doorways and more. This allows Stealthwatch to generate high-fidelity actionable alerts that allow your SOC team to focus on other tasks. In summary, Stealthwatch is more effective over time. Just like Mike.

Perhaps the most effective part of MJ’s game was his defense. During his illustrious NBA career, MJ earned one Defensive Player of the Year award, a tough feat to achieve for a player of his stature. He stopped players at the perimeter before they became a problem. He played bigger than his position and bodied larger defenders trying to exploit him in the paint. Stealthwatch can do all of this, but better.

Stealthwatch provides end-to-end threat detection

Stealthwatch is an ideal tool for users who need to monitor various capacities of traffic in their networks. It can be used as a threat hunting system to detect malware and malicious activity before it becomes a breach. It can also be used to monitor east-west traffic to ensure compliance and generate alerts for potential port scanning, data exfiltration and more. In its public cloud deployment model, it can monitor unique cloud data such as VPC and NSG flow logs and keep your cloud workloads secure. Both Stealthwatch models can even detect threats in encrypted traffic.

Stealthwatch is the Michael Jordan of the Network Traffic Analysis market. Its end-to-end visibility, behavior-based machine learning over time, and ability to cover all of your on-prem and cloud assets make it the premier NTA tool.

Sign up today for a 2-week visibility assessment, or check out our SaaS-based 60-day free trial.

The post 3 reasons why Cisco Stealthwatch is the Michael Jordan of Network Traffic Analysis tools appeared first on Cisco Blogs.

PCI DSS v4.0: Anticipated Timelines and Latest Updates

Industry feedback, together with the changes in payments, technology, and security, is driving our approach to PCI DSS v4.0. In discussions with industry stakeholders, we have received a number of questions about PCI DSS v4.0. Below we interview Lauren Holloway, Director, Data Security Standards, who answers some key questions about what is happening with PCI DSS v4.0.

Alabama Seniors Offered Free Cybersecurity Courses

Seniors in Alabama are being given the chance to learn about cybersecurity free of charge thanks to the University of Alabama.

Cybersecurity is just one of a batch of free online adult education courses being offered by the university's Osher Lifelong Learning Institute (OLLI).

Usually, OLLI courses are delivered in a traditional classroom setting; however, all in-person programming has been suspended in an effort to slow the spread of COVID-19. To keep adult education services up and running, courses are now being taught via the video-conferencing app Zoom.

OLLI director Jennifer Anderson said: “OLLI is privileged to be in a position to provide educational and social opportunities online for its members and the community, some of whom are the most vulnerable to coronavirus and may be among the last of our citizens to emerge from their homes, even as social distancing guidelines are lifted in our community."

Anderson said adults aged over 50 were just as much in need of social and intellectual stimulation as any other group in society, especially while lockdown measures remain in place. 

“Our members, like everyone else, can only spend so much time alone, cleaning their homes and reading,” said Anderson. “They need their social network, and interactive online classes provide that along with intellectual aspects.”

OLLI's wide-ranging courses cover everything from shadow wars of tariffs and sanctions with Iran to arthritis exercises and awareness and the love stories that made history.

Courses are developed by OLLI’s curriculum committee and based on newsworthy topics, events that changed history, or useful skills to have in the modern world. Tutors are chosen by the committee from a pool of experts, educators, and professionals.

Anderson said that instead of simply logging on and viewing pre-recorded video content, mature students who take advantage of free OLLI courses are encouraged to actively engage with the learning process. 

“We hope viewers will experience the education, entertainment and social benefits,” Anderson said. 

“OLLI students will not just ‘view’ their classes. They will participate because the classes are synchronous. Participants can speak in class and the instructors can have discussions in addition to the lectures provided.”

Most Organizations Not Prepared to Safely Support Home Working

Most organizations are not sufficiently prepared to securely support remote working even though 84% intend to continue this practice beyond COVID-19 lockdowns, according to Bitglass’ 2020 Remote Workforce Report. The survey of IT professionals found that 41% of businesses have not taken any steps to expand secure access for the remote workforce, while 65% are allowing personal devices to access managed applications.

The study was undertaken to better understand how well businesses were prepared, from a cybersecurity perspective, for the sudden surge in remote working as a result of the pandemic.

Of those surveyed, 50% said lack of proper equipment was the biggest barrier to providing secure access for employees working from home. The types of applications that organizations were most concerned about securing were file sharing (68%), web applications (47%) and video conferencing (45%).

Malware was listed as the most concerning threat vector related to remote working by IT professionals (72%), followed by unauthorized user access (59%). Unsurprisingly, anti-malware was the most utilized security tool for remote work, at 77%. However, there was a lack of deployment of tools like single sign-on (45%), data loss prevention (18%) and user and entity behaviour analytics (11%).

“This research indicates that many organizations are not implementing the security measures necessary to protect their data in the current business environment,” commented Anurag Kahol, CTO of Bitglass. “For example, while respondents said that the pandemic has accelerated the migration of user workflows and applications to the cloud, most are not employing cloud security solutions like single sign-on, data loss prevention, zero trust network access or cloud access security brokers.

“On top of that, 84% of organizations reported that they are likely to continue to support remote work capabilities even after stay at home orders are lifted. To do this safely, they must prioritize securing data in any app, any device, anywhere in the world.”

Another worrying aspect of the study was that 63% of respondents believed remote working would impact their compliance with regulatory mandates, with 50% citing GDPR specifically.

Top 5 Effective Ways of Dealing with Cyber Bullying

As internet usage grows, more and more people are online, and cyberbullying has grown with it. Cyberbullying is considered a crime. Most people think that they can get away with bullying online more easily than in person. Cyberbullying affects adults as much as children. Bullying can make one feel hurt, angry, or sad, and it can lead to depression, anxiety and low self-esteem. Worst of all, bullying happens in places where one is supposed to feel safe, like home or even work. Written words can hurt more than spoken words because they are permanent: every time you return to your page, the comments are still there. Here are ways of dealing with online bullying:

  1. Do not Take Negative Comments Personally

The rude comments made by bullies have nothing to do with you. The bully is just trying to spill their negative energy onto you. They may have personal issues they are dealing with and want somewhere to vent their sorrows.

  2. Avoid Rereading the Offending Comments

Rereading the offending comments leads to obsession and further anger. You can report the offending remarks to group moderators so that action is taken against the bullies. You can also stay away from social media for some time to let them get off your back. For example, consider turning off your phone or computer for a night and organizing some technology-free activities like meditating or enjoying a nice meal. You can also switch from social media to getting your news from digital news sites like Lusaka Times.

  3. Understand that Not Everyone Shares Your Beliefs

Be open to other people’s opinions and thoughts. Accept that many people can be right while holding a view different from yours. On reflection, what seems like a rude comment at first might just be someone expressing a contrary opinion. To appreciate other people’s ideas, you can read articles on online sites like Zambian Observer to get different views on events.

  4. Don’t Retaliate with a Nasty Post

If you retaliate with a nasty post, the bully will know that they have hit you. Do not give them the satisfaction of feeling good by putting you down. If you ignore their comments, they may feel you are not bothered and leave you alone. It is best to present a picture of being emotionally stable.

  5. Use the 30-Second Rule

To make sure that what you write is sober, make a habit of stepping away from your phone or computer for 30 seconds. When you are back, reread your message and evaluate how you would feel if someone wrote that to you. By observing the 30-second rule, you ensure that whatever you post on social media does not attract negative comments that can lead to bullying.

Being considerate makes your online experience better. Combating cyberbullying should be everyone’s responsibility. Reading independent sites like Lusaka Times can help you appreciate different opinions and disregard negative comments. You can also raise awareness about cyberbullying in the comments sections of sites like Zambian Observer. For the internet to feel safe, stick up for those who are bullied and shun the vice.

The post Top 5 Effective Ways of Dealing with Cyber Bullying appeared first on .

Hackers breached six Cisco servers through SaltStack Salt vulnerabilities

Earlier this month, when F-Secure publicly revealed the existence of two vulnerabilities affecting SaltStack Salt and attackers started actively exploiting them, Cisco was among the victims. The revelation was made on Thursday, when Cisco published an advisory saying that, on May 7, 2020, they’ve discovered the compromise of six of their salt-master servers, which are part of the Cisco VIRL-PE (Internet Routing Lab Personal Edition) service infrastructure. About SaltStack Salt, the vulnerabilities, and the problem … More

The post Hackers breached six Cisco servers through SaltStack Salt vulnerabilities appeared first on Help Net Security.

This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how, over the past five years, the cybercriminal underground has seen a major shift to new platforms, communications channels, products, and services. Also, read about a new wave of Sandworm cyberattacks against email servers conducted by one of Russia’s most advanced cyber-espionage units.

Read on:

How the Cybercriminal Underground Has Changed in 5 Years

Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, it has seen a major shift to new platforms, communications channels, products, and services, as trust on the dark web erodes and new market demands emerge. Trend Micro expects the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.

Shadowserver, an Internet Guardian, Finds a Lifeline

In March, internet security group Shadowserver learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility—not to mention an additional $1.7 million to make it through the year—the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. This week, Trend Micro committed $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts. 

#LetsTalkSecurity: No Trust for the Wicked 

This week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Dave Lewis, Global Advisory CISO at Duo Security. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Principles of a Cloud Migration – Security W5H – The HOW

Security needs to be treated much like DevOps in evolving organizations, meaning everyone in the company has a shared responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time – security by default. In this blog from Trend Micro, learn 3 tips to get you started on your journey to securing the cloud.

What’s Trending on the Underground Market?

Trust has eroded among criminal interactions in the underground markets, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, a new Trend Micro report reveals. Determined efforts by law enforcement appear to be having an impact on the cybercrime underground as several forums have been taken down by global police entities.

Is Cloud Computing Any Safer from Malicious Hackers?

Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. But is cloud computing any safer from malicious threat actors? Read this blog from Trend Micro to find out.

Smart Yet Flawed: IoT Device Vulnerabilities Explained

The variety and range of functions of smart devices present countless ways of improving different industries and environments. While the “things” in the internet of things (IoT) benefit homes, factories, and cities, these devices can also introduce blind spots and security risks in the form of vulnerabilities. Vulnerable smart devices open networks to attack vectors and can weaken the overall security of the internet. For now, it is better to be cautious and understand that “smart” can also mean vulnerable to threats.

Cyberattacks Against Hospitals Must Stop, Says Red Cross

Immediate action needs to be taken to stop cyberattacks targeting hospitals and healthcare organizations during the ongoing coronavirus pandemic – and governments around the world need to work together to make it happen, says a newly published open letter signed by the International Committee of the Red Cross, former world leaders, cybersecurity executives and others.

Securing the 4 Cs of Cloud-Native Systems: Cloud, Cluster, Container, and Code

Cloud-native technologies enable businesses to make the most of their cloud resources with less overhead, faster response times, and easier management. Like any technology that uses various interconnected tools and platforms, security plays a vital role in cloud-native computing. Cloud-native security adopts the defense-in-depth approach and divides the security strategies utilized in cloud-native systems into four different layers.

Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652

Researchers from F-Secure recently disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. Trend Micro has witnessed attacks exploiting these vulnerabilities, notably those using cryptocurrency miners.

PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time

A Java-based ransomware known as PonyFinal has emerged, targeting enterprise systems management servers as an initial infection vector. It exfiltrates information about infected environments, spreads laterally and then waits before striking: the operators encrypt files at a later date and time, when the target is deemed most likely to pay.

Qakbot Resurges, Spreads through VBS Files

Trend Micro has seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from Trend Micro’s sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April.

CSO Insights: SBV’s Ian Keller on the Challenges and Opportunities of Working Remotely

The COVID-19 pandemic has forced businesses to change the way they operate. These abrupt changes come with a unique set of challenges, including security challenges. Ian Keller, Chief Security Officer of SBV Services in South Africa, sat down with Trend Micro and shared his thoughts on how SBV is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward.

NSA Warns of New Sandworm Attacks on Email Servers

The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia’s most advanced cyber-espionage units. The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).

Forward-Looking Security Analysis of Smart Factories <Part 2> Security Risks of Industrial Application Stores

In the second part of this five-part column, Trend Micro looks at the security risks to be aware of when promoting smart factories, examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This column is especially relevant for architects, engineers, and developers involved in smart factory technology.

Factory Security Problems from an IT Perspective (Part 2): People, Processes, and Technology

This blog is the second in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. In this article, Trend Micro carries out an analysis to uncover the challenges that lie in the way of promoting factory security from an IT perspective.

21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac

If you brought a Mac home from the office, it’s likely already set up to meet your company’s security policies. But what if you are using your personal Mac to work from home? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time. In this blog, learn 21 tips for staying secure, private, and productive while working from home on your Mac.

Surprised by the new wave of Sandworm attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers appeared first on .

Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub

GitHub has issued a security alert warning of a malware campaign that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub has issued a security alert warning of a piece of malware dubbed Octopus Scanner that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub’s security team discovered the malicious code in projects managed using the Apache NetBeans IDE (integrated development environment), a complete environment composed of editors, wizards, and templates that help users to create applications in Java, PHP and many other languages.

On March 9, a security researcher informed GitHub about a set of GitHub-hosted repositories that were actively serving malware. The company immediately investigated the incident and discovered malware designed to enumerate and backdoor NetBeans projects, “and which uses the build process and its resulting artifacts to spread itself.”

What makes this case different from previous abuses of the platform is that the owners of the repositories were completely unaware that they were committing backdoored code into their repositories.

“GitHub’s Security Incident Response Team (SIRT) received its initial notification about a set of repositories serving malware-infected open source projects from security researcher JJ,” reads a post published by GitHub.

“This report was different. The owners of the repositories were completely unaware that they were committing backdoored code into their repositories.”

The Octopus Scanner identifies the NetBeans project files and embeds malicious payload both in project files and build JAR files.

Below is a high-level description of the Octopus Scanner activity:

  • Identify the user’s NetBeans directory
  • Enumerate all projects in the NetBeans directory
  • Copy the malicious payload cache.dat to nbproject/cache.dat
  • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built
  • If the malicious payload is an instance of the Octopus Scanner itself, the newly built JAR file is also infected.

Experts uncovered 26 open source projects that were backdoored by the Octopus Scanner malware and that were serving backdoored code.

The Octopus Scanner campaign is not recent; it has been going on for years. Experts reported that the oldest sample of the malware was uploaded to VirusTotal in August 2018.

Upon downloading any of the 26 projects, the malware would infect the user’s local computer. The malware scans the victim’s workstation for a local NetBeans IDE install and attempts to backdoor other developers’ Java projects.

According to the experts, Octopus Scanner is multiplatform malware: it runs on Windows, macOS, and Linux, and downloads a remote access trojan (RAT).

“However, if it was found, the malware would proceed to backdoor NetBeans project builds through the following mechanisms:

  1. It makes sure that every time a project was built, any resulting JAR files got infected with a so-called dropper. A dropper is a mechanism that “drops” something to the filesystem to execute. When executed, the dropper payload ensured local system persistence and would subsequently spawn a Remote Administration Tool (RAT), which connects to a set of C2 servers.
  2. It tries to prevent any NEW project builds from replacing the infected one, to ensure that its malicious build artifacts remained in place.”

The ultimate goal of the campaign is to deliver the RAT on the machines of developers working on sensitive projects to steal sensitive information.
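The two on-disk indicators in the description above (a dropped nbproject/cache.dat and a build-impl.xml that references it) can be checked with a short scanner. The following is an added example, not GitHub's or the article's code; the sample project tree it builds is constructed and contains no real payload.

```python
"""Checker for the two Octopus Scanner indicators GitHub describes:
an nbproject/cache.dat payload and an nbproject/build-impl.xml that references it.
Added example, not GitHub's code."""
import os
import tempfile
from pathlib import Path

PAYLOAD_NAME = "cache.dat"      # payload file name given in the GitHub description
BUILD_FILE = "build-impl.xml"   # Ant build file every NetBeans project keeps in nbproject/


def inspect_project(nbproject: Path) -> dict:
    """Return the indicator flags for a single nbproject/ directory."""
    build = nbproject / BUILD_FILE
    references_payload = False
    if build.is_file():
        # errors="replace" so a non-UTF-8 build file cannot abort the scan
        references_payload = PAYLOAD_NAME in build.read_text(errors="replace")
    return {
        "project": str(nbproject.parent),
        "payload_present": (nbproject / PAYLOAD_NAME).is_file(),
        "build_references_payload": references_payload,
    }


def scan_tree(root) -> list:
    """Walk root, inspect every NetBeans project under it, return the flagged ones."""
    hits = []
    for dirpath, dirnames, _filenames in os.walk(root):
        if "nbproject" in dirnames:
            result = inspect_project(Path(dirpath) / "nbproject")
            if result["payload_present"] or result["build_references_payload"]:
                hits.append(result)
    return sorted(hits, key=lambda hit: hit["project"])


def build_fixture() -> str:
    """Create a constructed sample tree (no real payload) with three projects:
    a clean one, one with only a stray cache.dat, and one with both indicators."""
    root = tempfile.mkdtemp(prefix="nb-scan-")
    clean_build = '<project name="app"><target name="jar"/></project>'

    clean = Path(root, "clean-app", "nbproject")
    clean.mkdir(parents=True)
    (clean / BUILD_FILE).write_text(clean_build)

    stray = Path(root, "stray-payload-app", "nbproject")
    stray.mkdir(parents=True)
    (stray / BUILD_FILE).write_text(clean_build)
    (stray / PAYLOAD_NAME).write_bytes(b"constructed placeholder, not a real payload")

    both = Path(root, "backdoored-app", "nbproject")
    both.mkdir(parents=True)
    (both / PAYLOAD_NAME).write_bytes(b"constructed placeholder, not a real payload")
    # Constructed illustration of a tampered build file: any mention of the
    # payload name inside build-impl.xml is enough to trip the check.
    (both / BUILD_FILE).write_text(
        '<project name="app"><target name="jar">'
        '<property name="extra" value="nbproject/cache.dat"/></target></project>'
    )
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_fixture()):
        print(hit)
```

A project with only the stray file is still reported, since the build file modification is the step that turns the payload into a running backdoor and should be looked at before the next build.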

“It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,” GitHub concludes.

“If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed.”

“While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.”

Pierluigi Paganini

(SecurityAffairs – NetBeans, hacking)

The post Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub appeared first on Security Affairs.

Sandworm Team Exploiting Vulnerability in Exim Mail Transfer Agent

The U.S. National Security Agency (NSA) warned that the Sandworm team is exploiting a vulnerability that affects Exim Mail Transfer Agent (MTA) software. In a cybersecurity advisory published on May 28, the NSA revealed that the Sandworm team has been exploiting the Exim MTA security flaw since August 2019. The vulnerability (CVE-2019-10149) first appeared in […]… Read More

The post Sandworm Team Exploiting Vulnerability in Exim Mail Transfer Agent appeared first on The State of Security.

NSA: Russian Military Sandworm Group is Hacking Email Servers

The US National Security Agency (NSA) has released a new alert warning that Russian state hackers have been exploiting a vulnerability in Exim email servers for over nine months.

Exim is mail transfer agent (MTA) software developed by the University of Cambridge which is used on Unix-based operating systems. Bundled with many popular Linux distributions like Red Hat and Debian, it’s thought to run on millions of email servers globally.

However, the NSA warned that organizations which have failed to patch CVE-2019-10149, which was fixed in June 2019, may be at risk of attack from the infamous Sandworm group.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message,” the advisory stated.

“An unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts.”

Specifically, when CVE-2019-10149 is exploited by Sandworm, the targeted machine downloads and executes a shell script from a domain under the group’s control. This script will in turn attempt to: add privileged users, disable network security settings, update SSH configuration to enable additional remote access and execute an additional script to enable follow-on exploitation.

The NSA urged organizations to upgrade their Exim installations to 4.93 or newer, and use network-based security appliances to detect and/or block CVE-2019-10149 exploit attempts.
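Besides patching, the advisory's pattern of a command carried in the 'MAIL FROM' envelope field lends itself to a simple log-side check: a legitimate envelope sender is a single mailbox@domain and never contains shell or expansion metacharacters. The following heuristic is an added example, not the NSA's or the article's code; the session log format and its entries are constructed, and it assumes quoted local-parts with spaces are not in legitimate use on the server.

```python
"""Flag SMTP MAIL FROM values that look like injected input rather than a mailbox.
Added example; the log format below is constructed."""
import re
from typing import Dict, List

# Shell / expansion metacharacters and quoting that have no place in an envelope sender
SUSPICIOUS = set('${}|;`&\\ \t\'"')
MAIL_FROM_RE = re.compile(r"MAIL FROM:\s*<?(?P<addr>.*?)>?\s*$", re.IGNORECASE)
MAX_MAILBOX_LEN = 254  # practical upper bound for a forward path

# Constructed sample, one line per SMTP MAIL command: "<timestamp> <client-ip> MAIL FROM:<sender>"
SAMPLE_LOG = """\
2020-05-28T10:15:02Z 198.51.100.7 MAIL FROM:<alice@example.com>
2020-05-28T10:15:09Z 198.51.100.7 MAIL FROM:<>
2020-05-28T10:16:44Z 203.0.113.10 MAIL FROM:<user|id@example.net>
2020-05-28T10:17:01Z 203.0.113.10 MAIL FROM:<"a b"@example.org>
2020-05-28T10:18:30Z 198.51.100.9 MAIL FROM:<news@example.org>
"""


def sender_findings(addr: str) -> List[str]:
    """Return the reasons an envelope sender looks injected (empty list = clean)."""
    findings: List[str] = []
    if addr == "":
        return findings  # the null sender <> is legitimate for bounce messages
    bad = "".join(sorted(set(addr) & SUSPICIOUS))
    if bad:
        findings.append(f"metacharacters {bad!r}")
    if addr.count("@") != 1:
        findings.append("not a single mailbox@domain")
    if len(addr) > MAX_MAILBOX_LEN:
        findings.append("overlong sender")
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Extract every MAIL FROM from the session log and return the flagged entries."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        match = MAIL_FROM_RE.search(line)
        if not match:
            continue
        addr = match.group("addr")
        findings = sender_findings(addr)
        if findings:
            fields = line.split()
            client = fields[1] if len(fields) > 1 else "?"
            hits.append({"line": number, "client": client, "addr": addr, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Hits are worth correlating with the post-exploitation behaviour the advisory lists (new privileged users, changed SSH configuration) on the same host.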

Staffed by operatives from the Russian GRU (military intelligence) Main Center for Special Technologies (GTsST), field post number 74455, Sandworm is known to be one of the most sophisticated state hacking outfits around.

It has been widely linked to the BlackEnergy malware used in attacks on Ukrainian power stations in 2015 and 2016, which caused major outages during winter, as well as campaigns against NATO members and European governments in 2019.

NSA warns about Sandworm APT exploiting Exim flaw

The Russian APT group Sandworm has been exploiting a critical Exim flaw (CVE-2019-10149) to compromise mail servers since August 2019, the NSA has warned in a security advisory published on Thursday. “When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” they said. The script would then attempt to add privileged … More

The post NSA warns about Sandworm APT exploiting Exim flaw appeared first on Help Net Security.

An archive with 20 Million Taiwanese citizens’ data leaked on the dark web

Security experts from Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

A few weeks ago, threat intelligence firm Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

According to the experts, the leak includes government data of an entire country; it was leaked online by a reputable actor who goes by the moniker ‘Toogod’.

“A few weeks ago, our researchers came across a leaked database on the darkweb where a known and reputable actor ‘Toogod’ dropped the database of “Taiwan Whole Country Home Registry DB” comprising of 20 Million+ records,” reads a post published by Cyble.

The database size is 3.5 GB, exposed data includes full name, full address, ID, gender, date of birth, and other info.

The seller claims the database dates back to 2019, but Cyble researchers noted the last DOB record was from 2008. The database contains some records with ‘NULL/empty’ DoB fields, making it impossible to determine how recent the dump is.

Experts are still investigating the leak and will provide an update as soon as possible.

Cyble researchers have acquired the leak and will soon add its data to its AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – Taiwanese database, dark web)

The post An archive with 20 Million Taiwanese citizens’ data leaked on the dark web appeared first on Security Affairs.

Revealed: Advanced Java-Based Ransomware PonyFinal

Microsoft has warned of a new type of data-stealing Java-based ransomware, dubbed PonyFinal.

PonyFinal is what Microsoft describes as “human-operated ransomware” — to distinguish it from commoditized variants that are distributed in an automated way by hackers.

The tech giant’s Security Intelligence group revealed in a series of tweets this week that the first stage involves access to a targeted organization via brute force attacks against the systems management server.

A VBScript is deployed to run a PowerShell reverse shell, which enables data exfiltration to a C&C server over port 80. The attackers also deploy a remote manipulator system to bypass event logging.

“In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” Microsoft continued.

Thus, if organizations already have JRE on their systems, they may be blind to any attack.

“The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload,” Microsoft continued. “UVNC_Install.bat creates a scheduled task named 'Java Updater' and calls RunTask.bat, which runs the payload, PonyFinal.JAR.”

According to Microsoft, PonyFinal encrypts files at a specific date and time and, like similar “human-operated” ransomware attacks, it is likely that those wielding it will bide their time to wait for the most opportune moment to deploy the payload.

In the case of recent attacks on hospitals, that was in early April when many healthcare organizations were battling a peak of COVID-19 admissions.

Microsoft recommends that organizations reduce their attack surface by ensuring internet-facing assets are up-to-date with patches, especially VPNs and other remote access infrastructure, and conducting regular audits of misconfigurations and vulnerabilities.

For PonyFinal in particular it is recommended to scan for brute force activity.

Over 600 NTT Customers Hit in Major Data Breach

One of the world’s largest telecoms and IT services companies has revealed that attackers may have stolen data from its internal systems, affecting over 600 customers.

NTT Communications provides cloud, network and data center services to some of the world’s biggest companies. Its parent, NTT Group, is ranked in the top 100 of the Fortune Global 500.

The firm claimed in a lengthy statement on Thursday that it detected unauthorized access to its Active Directory (AD) server on May 7, confirming the attack four days later.

Although an English language version of the notice has yet to be published, it appears that hackers first compromised a cloud server (labelled server B by the firm) located in its Singapore data center, before using it as a stepping stone to attack another internal server (server A) and its AD server.

Attackers also jumped from server B to compromise an information management server (server C) used to service NTT's cloud and hosting customers.

It is server C which NTT Communications claimed attackers may have breached to steal data on 621 customers.  

The firm said it is taking steps to mitigate the incident and prevent anything similar happening in the future.

Just last week, NTT warned in its annual Global Threat Intelligence Report that the technology sector was the most attacked worldwide in 2019.

It claimed that hackers are increasingly using “multi-function attack tools” and artificial intelligence/machine learning capabilities, as well as automation techniques, to increase their chances of success. Over a fifth (21%) of attacks globally featured some form of vulnerability scanner, it said.

The type of NTT customer data stolen by hackers in May and the techniques used to compromise servers and move laterally inside its network are unclear at this stage.

Steganography in targeted attacks on industrial enterprises in Japan and Europe

Threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks, Kaspersky reported.

Researchers from Kaspersky’s ICS CERT unit reported that threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks.

The experts first observed the attacks in early 2020, while in early May, threat actors targeted organizations in Japan, Italy, Germany and the UK.

Hackers targeted suppliers of equipment and software for industrial enterprises with spear-phishing messages carrying malicious Microsoft Office documents. The attackers used PowerShell scripts, as well as various techniques to evade detection and hinder analysis of the malware.

“Phishing emails, used as the initial attack vector, were tailored and customized under the specific language for each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email,” reads the report published by Kaspersky. “For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese.”

The phishing messages are crafted to trick victims into opening the attached document and enable the macros. The emails are written in the target’s language, and the malware only starts if the operating system language on the machine matches the language in the phishing email.

Hackers used the Mimikatz tool to steal the authentication data of Windows accounts stored on a compromised system. At this time, the final goal of the threat actors is still unknown.

Kaspersky experts observed malicious activity only on IT systems; OT networks were not impacted in the attacks.

Upon executing the macro script contained in the bait document, a PowerShell script is decrypted and executed. This script downloads an image from an image hosting service such as Imgur or imgbox; the experts noticed that the image URL is randomly selected from a list.

The image contains data that the malware extracts to create another PowerShell script, which in turn creates a further PowerShell script: an obfuscated version of the Mimikatz post-exploitation tool.

“The data is hidden in the image using steganographic techniques and is extracted by the malware from pixels defined by the algorithm. Using steganography enables the attackers to evade some security tools, including network traffic scanners.” continues the analysis.

“The data extracted from the image is consecutively encoded using the Base64 algorithm, encrypted with the RSA algorithm and encoded using Base64 again. Curiously, the script has an error in its code, included on purpose, with the exception message used as the decryption key.”

The attackers also used an exception message as the decryption key for a malicious payload; here too, the technique is meant to evade detection.
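As an added defender-side example (not Kaspersky's code, nor any production detection), the following Python heuristic triages PowerShell script-block text for the combination of traits the report describes: an image-host download, pixel reads, layered Base64 and RSA decoding, an exception message captured as a key, and an OS-language gate. The indicator regexes, weights and thresholds are assumptions, and both sample script blocks are constructed, non-functional skeletons.

```python
"""Heuristic triage of PowerShell script-block text (e.g. from script block
logging) for the staged chain the Kaspersky report describes.  Added example,
not Kaspersky's code; indicator patterns, weights and thresholds are assumptions."""
import re
from dataclasses import dataclass, field

BASE64_RE = re.compile(r"FromBase64String", re.I)

# (name, pattern, weight, analyst note).  Each trait alone is common in benign
# scripts; the combination is what the report singles out.
INDICATORS = [
    ("image_host_download",
     re.compile(r"https?://(?:i\.)?(?:imgur\.com|imgbox\.com)/", re.I), 2,
     "downloads from an image hosting service named in the report"),
    ("pixel_extraction",
     re.compile(r"System\.Drawing\.Bitmap|\.GetPixel\(", re.I), 3,
     "reads individual pixels, consistent with steganographic extraction"),
    ("base64_decode", BASE64_RE, 1,
     "Base64 decoding of script-generated data"),
    ("rsa_decrypt",
     re.compile(r"RSACryptoServiceProvider|RSA\.Create\(", re.I), 2,
     "RSA decryption of the extracted blob"),
    ("exception_as_key",
     re.compile(r"catch\s*\{[^}]*Exception\.Message", re.I), 3,
     "exception message captured for reuse, e.g. as a decryption key"),
    ("language_gate", re.compile(r"Get-Culture|CultureInfo", re.I), 2,
     "checks OS localization before doing anything"),
]
LAYERED_BASE64_WEIGHT = 2        # a second FromBase64String call: layered encoding
SUSPICIOUS_AT, REVIEW_AT = 7, 3  # assumed thresholds


@dataclass
class TriageResult:
    score: int
    verdict: str
    matched: list = field(default_factory=list)  # (name, weight, note)


def score_script(text: str) -> TriageResult:
    """Return the indicators present in one script block plus a weighted verdict."""
    matched = [(name, weight, note)
               for name, pattern, weight, note in INDICATORS if pattern.search(text)]
    if len(BASE64_RE.findall(text)) >= 2:
        matched.append(("layered_base64", LAYERED_BASE64_WEIGHT,
                        "Base64 applied more than once, as in the report's chain"))
    score = sum(w for _, w, _ in matched)
    verdict = ("suspicious" if score >= SUSPICIOUS_AT
               else "review" if score >= REVIEW_AT else "benign")
    return TriageResult(score, verdict, matched)


# Constructed sample: a non-functional skeleton showing the report's traits.
SUSPICIOUS_SAMPLE = r"""
if ((Get-Culture).Name -ne 'ja-JP') { exit }
$u = @('https://i.imgur.com/PLACEHOLDER.png', 'https://imgbox.com/PLACEHOLDER') | Get-Random
$img = New-Object System.Drawing.Bitmap((New-Object Net.WebClient).OpenRead($u))
$px = $img.GetPixel(0, 0)
try { throw 'PLACEHOLDER' } catch { $k = $_.Exception.Message }
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$blob = [Convert]::FromBase64String($stage1)
$inner = [Convert]::FromBase64String([Text.Encoding]::UTF8.GetString($rsa.Decrypt($blob, $false)))
"""

# Constructed sample: an ordinary admin script that decodes one Base64 config value.
BENIGN_SAMPLE = r"""
$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:APP_CONFIG_B64))
Invoke-WebRequest -Uri 'https://intranet.example.invalid/report.csv' -OutFile report.csv
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = score_script(sample)
        print(f"{label}: score={r.score} verdict={r.verdict}")
        for name, weight, note in r.matched:
            print(f"  +{weight} {name}: {note}")
```

The single-trait hits in the benign sample stay below the review threshold, which is the point: alert on the chain, not on any one routine API call.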

Kaspersky confirmed that its solutions have blocked all the attacks it has detected.

“This attack has caught the attention of researchers because the attackers use several unconventional technical solutions.” concludes Kaspersky.

“The use of the above techniques, combined with the pinpoint nature of the infections, indicates that these were targeted attacks. It is a matter of concern that attack victims include contractors of industrial enterprises. If the attackers are able to harvest the credentials of a contractor organization’s employees, this can lead to a range of negative consequences, from the theft of sensitive data to attacks on industrial enterprises via remote administration tools used by the contractor.”

Pierluigi Paganini

(SecurityAffairs – industrial supplier attack, hacking)

The post Steganography in targeted attacks on industrial enterprises in Japan and Europe appeared first on Security Affairs.

Weekly Update 193

First time back in a restaurant! Wandering down my local dining area during the week, I was rather excited to see a cafe that wasn't just open, but actually had spare seating. Being limited to only 10 patrons at present, demand is well in excess of supply and all you have to do is leave some contact info in case someone else in the restaurant tests positive at a later date. Fair enough too, yet somehow - still beyond my comprehension - there was a bunch of outrage expressed at the necessity to provide personal information. Talk of data breaches, stalking and government control ensued which all started to get a little "tinfoil hat", to my mind. My (more candid!) thoughts on that and more in this week's update.

References

  1. Somehow, a tweet about the joy of being able to return to restaurants became an opportunity for some people to whinge about privacy (some serious loss of priorities there amongst some people)
  2. I love getting fan mail about HIBP, and this one is particularly hilarious (ok, "fan mail" is a strong word here, but it's entertaining all the same)
  3. A heap of new data breaches have gone into HIBP this week (I make it 6 new ones which have kept me rather busy)
  4. Sponsored by NordVPN — secure your traffic with a faster VPN. For your remote work and browsing needs.

How to protect your business from COVID-19-themed vishing attacks

Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise of the number of at-home workers, one method that has become increasingly common over the past few months are vishing attacks, i.e., phishing campaigns executed via phone calls. Rising success rates are the reason why vishing has become more common, and there are several factors driving this trend: People are … More

The post How to protect your business from COVID-19-themed vishing attacks appeared first on Help Net Security.

Despite lower number of vulnerability disclosures, security teams have their work cut out for them

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. Vulnerabilities of interest disclosed in Q1 2020 Vulnerabilities disclosed in Q1 2020: What happened? Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year. “Although the … More

The post Despite lower number of vulnerability disclosures, security teams have their work cut out for them appeared first on Help Net Security.

Personalized Scams

Cyber criminals now have a wealth of information on almost all of us. With so many organizations hacked nowadays, cyber criminals simply purchase databases with personal information on millions of people, then use that information to customize their attacks, making them far more realistic. Just because an urgent email has your home address, phone number or birth date in it does not mean it is legitimate.

Why is SDP the most effective architecture for zero trust strategy adoption?

Software Defined Perimeter (SDP) is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches, according to the Cloud Security Alliance. “Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security (TLS) certificates,” said Nya Alison Murray, senior ICT architect and co-lead author of the report. … More

The post Why is SDP the most effective architecture for zero trust strategy adoption? appeared first on Help Net Security.

Employees abandoning security when working remotely

48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals. The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss. Remote work compounds insider threats While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe … More

The post Employees abandoning security when working remotely appeared first on Help Net Security.

Global WAN optimization market forecast to reach $1.4 billion by 2025

The WAN optimization market is expected to grow from $1,047.1 million in 2020 to $1,446.2 million by 2025, at a Compound Annual Growth Rate (CAGR) of 6.7% during the forecast period of 2020-2025, according to ResearchAndMarkets. Most cloud-based applications need good bandwidth and low latency for effective utilization. In large-scale WAN deployments, latency, bandwidth constraints, and packet losses are inevitable. WAN optimization enables enterprises and service providers to save money and reduce costs with reduced … More

The post Global WAN optimization market forecast to reach $1.4 billion by 2025 appeared first on Help Net Security.

AttackIQ Informed Defense: Automated continuous security validation and remediation

AttackIQ announced the launch of AttackIQ Informed Defense, the most significant product release in the company’s history. This new offering is in direct response to the evolution of attackers and their methods in becoming more targeted, sophisticated and automated. To stay ahead of the threat, enterprise security teams need to validate and continually assess that cyber defenses are always optimally configured. The AttackIQ Informed Defense Architecture (AIDA) enables a transparent and completely manageable attacker kill … More

The post AttackIQ Informed Defense: Automated continuous security validation and remediation appeared first on Help Net Security.

Netography launches two new data collection agents to enhance security and data privacy capabilities

Security platform provider Netography announced advanced security and enhanced data privacy capabilities with the release of two new powerful data collection agents. These agents significantly expand network visibility, enable pinpointed data access, and reduce mean time to resolution across an organization’s entire network. Netography recognizes that every enterprise network is unique, and security professionals face complex data collection challenges. Netography’s new innovative agents now allow access to terminal access points (TAPs), and port mirroring data, … More

The post Netography launches two new data collection agents to enhance security and data privacy capabilities appeared first on Help Net Security.

Unravel for AWS Databricks: Supporting big data workloads wherever they reside

Unravel Data announced Unravel for AWS Databricks, a solution to deliver comprehensive monitoring, troubleshooting, and application performance management for AWS Databricks environments. Unravel for AWS Databricks leverages Unravel’s AI-powered data operations platform to accelerate performance of Spark on AWS while providing unprecedented visibility into runtime behavior, resource usage, and cloud costs. “As business needs evolve, data workloads are moving to a growing variety of settings, stretching across on-prem environments, public clouds, multiple clouds and a … More

The post Unravel for AWS Databricks: Supporting big data workloads wherever they reside appeared first on Help Net Security.

Aptum unveils Managed DevOps Service with CloudOps to boost speed of application delivery

Aptum, a global hybrid cloud and managed services provider, launched its Managed DevOps Service in partnership with CloudOps, a cloud consulting and professional services company specializing in DevOps. The Managed DevOps Service offers a cloud-based DevOps platform that allows customers to automate their development pipelines and reduce application delivery times. Customers are also provided with hands-on training on DevOps practices and tools so they can succeed. Through this offering, customers gain access to two highly … More

The post Aptum unveils Managed DevOps Service with CloudOps to boost speed of application delivery appeared first on Help Net Security.

Siren 10.5: Fusing big local data with results returned dynamically by remote web services

Siren, the provider of Investigative Intelligence analytics, announced the release of Siren 10.5. The latest version of Siren features several notable improvements, including the ability to fuse big local data with results returned dynamically by remote web services – a capability Siren calls Knowledge Graph “augment on demand”. Dr. Giovanni Tummarello, Founder and Chief Product Officer at Siren, said: “With Siren, a data model is used to virtually connect organizational data – from DBs to … More

The post Siren 10.5: Fusing big local data with results returned dynamically by remote web services appeared first on Help Net Security.

Tufin SecureCloud now secures cloud-native, multi-cloud, and hybrid-cloud workloads and applications

Tufin announced a new release of Tufin SecureCloud, providing security for cloud-native, multi-cloud, and hybrid-cloud workloads and applications. The new release includes Center for Internet Security (CIS) Benchmarks for Kubernetes and public cloud environments, Kubernetes best practices and assessments, streamlined risk analysis, enhanced security policy discovery and automatic generation. With these new capabilities, companies can accelerate their digital transformation and cloud-first initiatives by securing cloud-native workloads, without compromising the speed and agility businesses have come … More

The post Tufin SecureCloud now secures cloud-native, multi-cloud, and hybrid-cloud workloads and applications appeared first on Help Net Security.

RapidAPI adds Microsoft Azure Cognitive Services to its Marketplace

RapidAPI announced that it has added a dozen Microsoft Azure Cognitive Services to its Marketplace including APIs for Vision, Language, Web Search, and Decision. The RapidAPI Marketplace provides the connective tissue for bringing thousands of APIs and microservices together, offering APIs from providers like Microsoft, Twilio, SendGrid, Nexmo, Skyscanner, Crunchbase, and more. With the addition of the Microsoft Azure Cognitive Services APIs, it is easier than ever for the RapidAPI developer community to incorporate advanced … More

The post RapidAPI adds Microsoft Azure Cognitive Services to its Marketplace appeared first on Help Net Security.

Signavio and Deloitte partnership addresses areas of DX, process digitization, and automation

Business transformation specialists Signavio and Deloitte have announced a new global partnership. The announcement brings together both companies to address the growing worldwide demand for solutions and services in the areas of digital transformation, process digitization, and automation. The partnership supports global users across all digital transformation projects, including the areas of process excellence, ERP transformation, RPA, risk and compliance, and customer excellence. To drive these global projects, the partnership will utilize the entire solution … More

The post Signavio and Deloitte partnership addresses areas of DX, process digitization, and automation appeared first on Help Net Security.

Microsoft and Alibaba Cloud join Crossplane project implementing the Open Application Model

Upbound, the company behind open source projects Rook and Crossplane, announced Alibaba Cloud and Microsoft have joined the Crossplane project. Announcements were made from the inaugural Crossplane Community Day, attended by community members from across the ecosystem. “We launched Crossplane over a year ago to bring the same control plane-centric approach pioneered by cloud providers like AWS, Microsoft Azure, and Google Cloud to the enterprise and open source community,” said Bassam Tabbara, Founder and CEO … More

The post Microsoft and Alibaba Cloud join Crossplane project implementing the Open Application Model appeared first on Help Net Security.

Splunk users now have access to Sixgill’s Darkfeed, enhancing security and threat protection

Sixgill announced that users of Splunk, the Data-for-Everything platform, will have access to Sixgill’s Darkfeed, the company’s automated stream of indicators of compromise. By leveraging Darkfeed in Splunk’s analytics-driven SIEM, enterprises gain contextual and actionable insights in real-time to enhance security and proactively protect against threats. “Manual threat intelligence can take days, while criminals operate by the hour. Darkfeed delivers automated insights in real-time so security teams can react instantly and stay ahead of threats,” … More

The post Splunk users now have access to Sixgill’s Darkfeed, enhancing security and threat protection appeared first on Help Net Security.

Synack raises $52M to transform security testing through its crowdsourced platform

Synack announced that it raised $52 million in Series D funding to transform security testing through its crowdsourced platform powered by the world’s most skilled ethical hackers who work with proprietary Synack technology to accelerate the hunt for critical software vulnerabilities. New investors B Capital Group and C5 Capital co-led the round, bringing total funding to $112.1 million. Previous investors GGV Capital, GV (formerly Google Ventures), Hewlett Packard Enterprise (“HPE”), Icon Ventures, Intel Capital, Kleiner … More

The post Synack raises $52M to transform security testing through its crowdsourced platform appeared first on Help Net Security.

Beyond Identity forms an all-star technical advisory board

On the heels of exiting stealth with $30 million in Series A funding from marquee investors and introducing a revolutionary, passwordless identity management solution, Beyond Identity announced the formation of an all-star technical advisory board comprising the “Father of SSL,” the co-inventor of public-key cryptography (PKC), and CISOs from two of America’s most successful companies, Koch Industries and Aflac. Dr. Taher Elgamal, Professor Dr. Martin Hellman, Jarrod Benson, and Timothy L. Callahan, respectively, have teamed … More

The post Beyond Identity forms an all-star technical advisory board appeared first on Help Net Security.

WhiteHat adds two application security executives to its leadership team

WhiteHat Security announced the appointment of Tanya Gay to Vice President of Operations and Business Strategy, and the promotion of Judy Sunblade, to Vice President of Revenue Growth and Enablement. Both Tanya and Judy will report to Chief Revenue Officer, Dave Gerry and are responsible for driving operational efficiencies and pipeline growth, respectively, to accelerate WhiteHat Security’s growth. “WhiteHat has seen tremendous success throughout the past few years, and we do not plan on slowing … More

The post WhiteHat adds two application security executives to its leadership team appeared first on Help Net Security.

Security breach impacted Cisco VIRL-PE infrastructure

Cisco disclosed a security breach that impacted its VIRL-PE infrastructure: threat actors exploited SaltStack vulnerabilities to hack six company servers.

Cisco has disclosed a security incident that impacted part of its VIRL-PE infrastructure; threat actors exploited vulnerabilities in the SaltStack software package to breach six company servers.

These issues affect the following Cisco products running a vulnerable software release:

  • Cisco Modeling Labs Corporate Edition (CML)
  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Cisco’s advisory states that the SaltStack software package is bundled with some Cisco products, and that hackers exploited the SaltStack issues to compromise six company servers:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised. The servers were remediated on May 7, 2020.” reads the advisory.

The six servers are part of the backend infrastructure for VIRL-PE (Internet Routing Lab Personal Edition), a service that allows Cisco users to model and simulate their virtual network environment.

Cisco fixed and remediated all breached VIRL-PE servers on May 7, when it upgraded them by applying the patches for the SaltStack software.

Cisco also confirmed that the Cisco Modeling Labs Corporate Edition (CML), a network modeling tool, is affected by the issues.

At the end of April, researchers from F-Secure disclosed a number of vulnerabilities in the “Salt” framework, including two issues that could be exploited by attackers to take over Salt installations.

The two flaws, tracked as CVE-2020-11651 and CVE-2020-11652, are an authentication bypass vulnerability and a directory traversal issue respectively. Chaining the issues, an attacker could bypass authentication and run arbitrary code on Salt master servers exposed online.

Immediately after the public disclosure of the issues, administrators of Salt servers started reporting attacks exploiting the above vulnerabilities last week; threat actors used them to deliver backdoors and miners.

Shortly after the disclosure of the flaws, threat actors exploited them in several attacks against organizations, including mobile operating system vendor LineageOS, Digicert CA, blogging platform Ghost, cloud software provider Xen Orchestra, and search provider Algolia.

Pierluigi Paganini

(SecurityAffairs – Cisco VIRL-PE infrastructure, hacking)

The post Security breach impacted Cisco VIRL-PE infrastructure appeared first on Security Affairs.

Secure Development Without Sacrificing Innovation and Speed

If you know the term “nightly build,” chances are you’ve been a part of that process before. A nightly build - or code compiled overnight from previously checked code - is a foundational way to find flaws or issues that arise from changes made during long build processes. But while a staple in DevOps, nightly builds also present a problem: if new bugs are discovered the following morning after the build, everything slows down. Additionally, such activity only heightens the wall between development and security by compartmentalizing the tasks developers and security professionals must undertake every day (or night).

The history of the divide between security and development doesn’t fall solely on nightly builds, of course. It comes from a place of misconception, where developers fear that security leaders are ready to stall production at every turn, and security leaders lack the knowledge to fully understand the lingo, processes, or goals of developers. Historically, both teams have worked away in their own siloed departments with little to no direction from leadership on ways to come together.

Unifying security and development

By bridging the lines of communication, both teams can start to have serious conversations about producing more secure code without sacrificing the speed needed to meet tight deadlines. At the core of the issue is education. Both development and security teams need to find a common ground for working together and take it a step further to understand exactly how the other side of the aisle works — and how they can plug in their own processes to make that work more effective.

On the developer side of the aisle, that comes down to appreciating the value of security and sharpening the skills they need to write code with fewer flaws and bugs. On the security side, it means understanding developer timelines, tools, and processes, then working with leadership to figure out how to integrate security tools into their existing methods for time-saving automation and valuable coding feedback.

According to a recent report by Securosis, this should be a top-down effort involving members from all the necessary teams. “With DevOps you need to close the loop on issues within infrastructure, security testing as well as code. And Dev and Ops offer different possible solutions to most vulnerabilities, so the people managing security need to include operations teams as well.”

Once members of these teams come together with open dialogue about current issues and business goals, they’re on the right path to begin discussing which processes and tools will improve the health of their application security without impacting deployment speed.

Know where to start when fixing flaws

Security debt is a real problem that adds up over time and should be addressed with a plan of action to bring it down and reduce risk. But not every vulnerability is mission-critical, whether it sits in a pile of security debt or it was discovered in a batch of new flaws during a recent scan.

According to the Securosis report, deciding which vulnerabilities to tackle first is a common issue for development teams. “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which did not,” the report says.

Prioritization can speed up the entire development process as little time is wasted going back and forth. While helping to set priorities for developers, security leaders have an opportunity to help developers understand which flaws need to be addressed immediately during development, and which possible threats tie back to unattended vulnerabilities so that developers have a better understanding of how to prioritize flaws in the future.

Automation through integration

Automation brings rapidity and, if used long enough, consistency. With modern software development speeding up and not slowing down, it’s more important than ever that developers have the right scanning tools to plug directly into their existing processes with seamless integration. And while automated feedback and security testing alone won’t catch every flaw, error, or vulnerability, it sets a precedent for incorporating security into the development process, and a baseline for healthy code as the team moves through development.

Complete application security plans incorporate scanning and testing into every stage of the development process, from the IDE to the Pipeline and even review, staging, and production. Veracode Static Analysis has this covered, with automated security feedback in the IDE and Pipeline that alerts (and trains) developers while they work. Veracode Static Analysis conducts a full policy scan before deployment too, showing the vulnerabilities that developers should focus on, and leaving an audit trail for review.

With a tool like Veracode Static Analysis integrated into existing systems and processes, security and development teams will gain clear insight into not only which flaws to prioritize, but also areas where developers need more training and education so that they can produce more secure code in the future. This automated (and peer) feedback helps set a standard for consistency, and improves speed overall — those nightly builds can then turn into builds with continuous integration that facilitates faster fix rates.

eLearning tools for continuous education

Continuous education is something that both security and development should embrace if they want to help close the information and communication gaps between the two teams. Security leaders for their part should brush up on developer lingo, tools, and languages — especially when a new language is introduced into the development process.

For developers, boosting skills through hands-on courses, virtual workshops, and instructor-led training increases the speed at which developers work and the security of their applications. By bringing continuous education into the mix so that secure code is front of mind, security and development teams will have an easier time shifting security left with each new project. Eventually, it’ll become a regular part of the process to learn from past mistakes, grow to become more innovative and adapt to new security threats.

Tools like Veracode Security Labs take training to the next level by providing developers with real-world examples of threats that they can exploit and patch for practice. This hands-on-keyboard training is unlike cookie-cutter courses, as it is interactive and focuses on real applications with real vulnerabilities.

Security Labs helps meet training and compliance needs, too, with customized education in the languages an organization’s developers use most. That tailored experience becomes invaluable when every hour of the day is dedicated to improving the security of your applications. Developers start learning right away and plug back in when they’re ready for more; it’s a small step that has a big impact.

For more information on speeding up the development process through integration, automation, and feedback, read our eBook on how you can secure your software development pipeline with Veracode Static Analysis.