Daily Archives: November 18, 2020

The effectiveness of vulnerability disclosure and exploit development

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem. The research was conducted by Kenna Security and the Cyentia … More

The post The effectiveness of vulnerability disclosure and exploit development appeared first on Help Net Security.

A perspective on security threats and trends, from inception to impact

Sophos published a report which flags how ransomware and fast-changing attacker behaviors, from advanced to entry level, will shape the threat landscape and IT security in 2021. Increased gap between ransomware operators The gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like … More

The post A perspective on security threats and trends, from inception to impact appeared first on Help Net Security.

Manufacturing industry overwhelmed by innovative threat actors

TrapX Security and Enterprise Strategy Group (ESG) have released the findings of research that surveyed 150 cyber and IT professionals directly involved in security strategy, control and operations within manufacturing organizations about their current and future concerns. Manufacturing industry under threat The research findings point to an industry whose security teams are seeing the IT and OT environments converging at a rapid pace. Yet manufacturing organizations are struggling to safeguard OT assets as they are … More

The post Manufacturing industry overwhelmed by innovative threat actors appeared first on Help Net Security.

93% of businesses are worried about public cloud security

Bitglass released a report which uncovers whether organizations are properly equipped to defend themselves in the cloud. IT and security professionals were surveyed to understand their top security concerns and identify the actions that enterprises are taking to protect data in the cloud. Orgs struggling to use cloud-based resources safely 93% of respondents were moderately to extremely concerned about the security of the public cloud. The report’s findings suggest that organizations are struggling to use … More

The post 93% of businesses are worried about public cloud security appeared first on Help Net Security.

Adventures in MQTT Part II: Identifying MQTT Brokers in the Wild

The use of publicly accessible MQTT brokers is prevalent across numerous verticals and technology fields. I was able to identify systems related to energy production, hospitality, finance, healthcare, pharmaceutical manufacturing, building management, surveillance, workplace safety, vehicle fleet management, shipping, construction, natural resource management, agriculture, smart homes and far more. Hackers have been sounding alarms about […]… Read More
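An added example, not part of the Tripwire post or its tooling, of the exchange that identifying an open broker relies on: an MQTT 3.1.1 CONNECT sent with no credentials, and the broker's CONNACK return code read back, which tells you whether anonymous sessions are accepted. The packet layout follows the MQTT 3.1.1 specification; the `probe_broker` helper, the client ID and the sample CONNACK bytes are assumptions for illustration, and the probe should only be pointed at brokers you are authorised to test.

```python
# Added example (not from the Tripwire post): build an MQTT 3.1.1 CONNECT
# packet, parse the broker's CONNACK, and classify whether the broker accepts
# anonymous sessions. Standard library only; the one network call lives in
# probe_broker(), which the reader supplies a host for.
import socket

CONNACK_CODES = {
    0: "accepted (anonymous session allowed)",
    1: "refused: unacceptable protocol version",
    2: "refused: identifier rejected",
    3: "refused: server unavailable",
    4: "refused: bad user name or password",
    5: "refused: not authorized",
}


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 data bits per byte, 0x80 = continue."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def encode_string(s):
    """MQTT UTF-8 string: 2-byte big-endian length followed by the bytes."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def build_connect(client_id="probe", keepalive=10):
    """Anonymous CONNECT: clean-session flag only, no user name or password."""
    variable_header = (
        encode_string("MQTT")          # protocol name
        + b"\x04"                      # protocol level 4 = MQTT 3.1.1
        + b"\x02"                      # connect flags: clean session
        + keepalive.to_bytes(2, "big")
    )
    payload = encode_string(client_id)
    body = variable_header + payload
    # 0x10 = CONNECT fixed header (packet type 1, flags 0)
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(data):
    """Return (session_present, return_code); raise on a malformed packet."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet: %r" % data[:4])
    return bool(data[2] & 0x01), data[3]


def classify(connack):
    """Human-readable verdict for a raw CONNACK packet."""
    _, code = parse_connack(connack)
    return CONNACK_CODES.get(code, "refused: unknown return code %d" % code)


def probe_broker(host, port=1883, timeout=3.0):
    """Send an anonymous CONNECT to a broker you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        return classify(sock.recv(4))


if __name__ == "__main__":
    # Constructed CONNACK bytes standing in for two brokers' replies.
    print(classify(b"\x20\x02\x00\x00"))  # open broker
    print(classify(b"\x20\x02\x00\x05"))  # broker that requires credentials
```

A return code of 0 to a credential-less CONNECT is the condition the post is describing: anyone on the Internet can subscribe to whatever topics the broker's ACLs (if any) leave readable. Codes 4 and 5 are what a correctly configured broker answers.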

The post Adventures in MQTT Part II: Identifying MQTT Brokers in the Wild appeared first on The State of Security.

Hybrid environments driving positive business impact amid pandemic

Nutanix announced the findings of its survey and research report, which measures enterprise progress with adopting private, hybrid and public clouds. This year, survey respondents were also asked about the impact of the COVID-19 pandemic on current and future IT decisions and strategy. Hybrid cloud is still the frontrunner as the ideal IT infrastructure model (86% of respondents think so), and respondents running hybrid environments are more likely to plan to focus on strategic efforts … More

The post Hybrid environments driving positive business impact amid pandemic appeared first on Help Net Security.

Saviynt 2020: Helping orgs manage risk, scale cloud initiatives, and maintain regulatory compliance

Saviynt announced the general availability of their latest platform release, named Saviynt 2020. Designed to support the modern enterprise IT landscape, Saviynt 2020 is already helping 1.6M users at major global organizations manage risk, scale cloud initiatives, and maintain regulatory compliance. “Enterprise security challenges demand an intelligent, risk-based approach, especially with the drastic changes brought about by the global pandemic,” said Todd Soghier, Director, Identity & Access Management Governance at Marriott International. “We are continually … More

The post Saviynt 2020: Helping orgs manage risk, scale cloud initiatives, and maintain regulatory compliance appeared first on Help Net Security.

Sysdig Secure integrates with IBM Cloud to provide end-to-end monitoring and security capabilities

Sysdig announced the global availability of Sysdig Secure embedded within IBM Cloud. IBM Cloud Monitoring with Sysdig, which uses Sysdig Monitor, is already the default monitoring solution used by IBM and offered to IBM Cloud customers when onboarding. With this addition of Sysdig Secure, the Sysdig Secure DevOps Platform is tightly integrated with IBM Cloud to provide customers end-to-end monitoring and security capabilities. The expansion of Sysdig Secure in IBM Cloud builds on the container, … More

The post Sysdig Secure integrates with IBM Cloud to provide end-to-end monitoring and security capabilities appeared first on Help Net Security.

Anexinet broadens its cybersecurity portfolio with Alert Logic MDR solution

Anexinet announced its partnership with Alert Logic to deliver its Managed Detection and Response (MDR) solution to Anexinet customers. Through the agreement, Alert Logic’s cloud-based solution will provide 24/7 security monitoring against hacker threats, malware, and other cyberattacks. When a credible threat is detected, Anexinet’s trained response team will immediately quarantine impacted devices and rebuild systems if necessary. “The Alert Logic partnership broadens Anexinet’s cybersecurity portfolio with cutting-edge-threat intelligence to protect our customers against increasingly … More

The post Anexinet broadens its cybersecurity portfolio with Alert Logic MDR solution appeared first on Help Net Security.

Spin Technology adds new security features to its SpinOne for Google Workspace and Office 365

Spin Technology announced the next generation of SpinOne, an AI-powered ransomware protection and backup solution for Google Workspace and Office 365. In the last year alone, 51 percent of organizations were targeted by ransomware, and cybersecurity continues to be a top concern for business leaders. Including advanced new security features, a completely redesigned user interface, and improved platform functionality, the latest version of SpinOne will help organizations better protect against ransomware attacks in the cloud. Over … More

The post Spin Technology adds new security features to its SpinOne for Google Workspace and Office 365 appeared first on Help Net Security.

StorMagic SvSAN validated with HPE Edgeline Converged Edge Systems

StorMagic announced that StorMagic SvSAN has been validated with Hewlett Packard Enterprise (HPE) Edgeline Converged Edge Systems. The joint edge hyperconverged (HCI) solution meets all of the unique compute, storage and networking requirements found at the edge, including simplicity, high density and the ability to deliver 100 percent uptime. “StorMagic SvSAN provides an easy to use, reliable and affordable HCI solution for HPE Edgeline customers at their edge locations,” said Shelly Anello, General Manager of … More

The post StorMagic SvSAN validated with HPE Edgeline Converged Edge Systems appeared first on Help Net Security.

Smashing Security podcast #205: Zoom password pinching and Parler problems

Watch out for a whole different type of shoulder-surfing, researchers uncover the CostaRicto hackers-for-hire gang, and we take a peek at who is behind Parler. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Chris Cochran from the Hacker Valley Studio podcast.

Flashpoint acquires CRFT to build automation around actionable threat intelligence

Flashpoint announced it has acquired CRFT, a security automation provider that empowers teams of all sizes and skill levels to streamline daily security tasks through a seamless, no-code design and delivery engine. This acquisition augments the value of Flashpoint’s intelligence by empowering security and threat teams to streamline workflows and trigger actions that mitigate threats automatically. Flashpoint already produces the industry’s highest-quality threat intelligence from online illicit communities. By integrating CRFT’s no-code security automation into … More

The post Flashpoint acquires CRFT to build automation around actionable threat intelligence appeared first on Help Net Security.

Reeling from ransomware attack, Managed.com took down its entire web hosting infrastructure

In the early hours of Monday morning, Managed.com - a major provider of managed web hosting solutions - discovered it was the victim of a co-ordinated ransomware attack. Such is the severity of the attack that Managed.com has taken client websites offline out of "an abundance of caution" as a $500,000 ransom is demanded by the attackers.

Cisco fixed flaws in WebEx that allow ghost participants in meetings

Cisco has addressed three flaws in Webex Meetings that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.

Cisco has addressed three vulnerabilities in Webex Meetings (CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419) that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.

“A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list.” reads the security advisory published by Cisco.

The vulnerabilities were discovered earlier this year by IBM researchers as part of an assessment of the tools used by its personnel for remote working during the COVID-19 pandemic.

Ghost participants did not appear in the meeting's participant list, yet they could access any media within the meeting, even though they had not been invited.

The flaws also allowed attackers to remain in a Webex meeting as ghost audio users after the host had expelled them, and to access Webex users' information, including full names, email addresses, and IP addresses.

The bugs affect Cisco Webex Meetings and Cisco Webex Meetings Server and reside in the "handshake" process used to join a Webex meeting.

“Malicious actors could abuse these flaws to become a ‘ghost’ joining a meeting without being detected.” reads the report published by IBM. “The now-patched flaws, discovered by IBM researchers, would have allowed an attacker to:

  1. Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat and screen-sharing capabilities.
  2. Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection.
  3. Gain access to information on meeting attendees — including full names, email addresses and IP addresses — from the meeting room lobby, even without being admitted to the call.”

The experts were able to exploit the flaws on the macOS, Windows, and iOS versions of the Webex Meetings application and on the Webex Room Kit appliance.

IBM experts also published a video PoC of the attack.

“Once a host starts or unlocks a meeting, a ghost could slip in and join the meeting using the handshake manipulation, without ever showing up on any participant list, including the host’s participant list. The ghost could see and hear other participants, as well as view shared screens and chat without revealing their presence.” continues the report.

“With this technique, the only indication the participants would have that they may not be alone is the beep of a new audio connection. For especially large meetings, the host might disable the entry and exit tone, allowing the ghost to enter perfectly stealthily. In other instances, the ghost’s entry tone would play, but may go unnoticed by the host or other participants who aren’t counting and associating each tone with a specific participant.”

Cisco has patched cloud-based Cisco Webex Meetings sites and released security updates for on-premises software to address the flaws.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

The post Cisco fixed flaws in WebEx that allow ghost participants in meetings appeared first on Security Affairs.

Cryptocurrency exchange Liquid suffers security breach, user data exposed

Cryptocurrency exchange Liquid has revealed that it was hacked last week, after a malicious attacker managed to seize control of its DNS records and some internal email accounts, and gained access to the firm's document storage infrastructure. As a consequence, personal details of customers may now be in the hands of hackers.

Majority of Canadian cyber incidents happen due to poor cyber hygiene, new report says

Cyber threats against Canadians and organizations show no signs of slowing, according to the federal government’s latest analysis, and many attacks are successful for one reason: Failure to follow basic security hygiene.

“The vast majority of cyber incidents in Canada occurred because basic elements of cybersecurity weren’t followed,” wrote Scott Jones, the head of the Canadian Centre for Cyber Security, in its national cyber threat assessment released this afternoon.

The centre is the public-facing division of the Communications Security Establishment, otherwise known as the country’s electronic spy agency. The CSE protects federal networks while the centre advises the private and public sectors on cyber strategies.

One of the key conclusions, said Defence Minister Harjit Sajjan, who oversees the CSE, is that “the internet is at a crossroads, with countries like China and Russia pushing to change the way it is governed, to turn it into a tool for censorship, surveillance, and state control.”

This is a reference to pressure at the United Nations and the International Telecommunication Union by some countries for technical and policy changes. China and Chinese telecom companies have pressed the ITU to adopt what they call the New Internet Protocol to develop a “top-down design for the future network.” According to reports, the NIP would in effect allow a state to have a kill switch on Internet traffic it doesn’t like.

The centre’s report said the NIP might provide certain cybersecurity advantages, “but it would enable powerful censorship, surveillance, and state control.”

At a press conference for reporters, Jones said successful attacks largely exploit unpatched systems. “We still as a nation are making it far too easy for any cyber actor to execute their operations against us. One simple thing that everyone can do is deal with the basics.”

Not only does the black market sell more sophisticated attack tools, he added, but they boast “better support than many of us can get for our IT products.”

Asked why organizations aren’t hitting the basics, Jones acknowledged many small and medium-sized businesses find security products and services too expensive or too complex to implement. The centre has a guide for SMBs with “very simple things” like turning on automatic software patching.

Jones also said the centre is looking for industry partners like the Canadian Bankers Association, which is urging young companies to pay attention to that SMB guidance.

In addition, the IT industry should make it easier for customers to keep their systems up to date, he said. “It needs to be less drastic, it needs to be easier, it needs to be automatic to apply security patches.”

Meanwhile, large organizations, with their large IT staff, need to share more threat information widely with other firms, Jones said.

The report notes that its 2018 edition also said “many cyber threats can be mitigated through awareness and best practices in cybersecurity and business continuity. Cyber threats and [foreign] influence operations continue to succeed today because they exploit deeply-rooted human behaviours and social patterns, and not merely technological vulnerabilities.

“Defending Canada against cyber threats and related influence operations requires addressing both the technical and social elements of cyber threat activity. Cybersecurity investments will allow Canadians to benefit from new technologies while ensuring that we do not unduly risk our safety, privacy, economic prosperity, and national security.”

The threat assessment and predictions are used by the government to set its priorities, as well as to inform Canadians about cyber hazards.

Key findings include:

  • The number of cyber threat actors is rising, and they are becoming more sophisticated. The commercial sale of cyber tools coupled with a global pool of talent has resulted in more threat actors and more sophisticated threat activity. Illegal online markets for cyber tools and services have also allowed cybercriminals to conduct more complex and sophisticated campaigns.
  • Cybercrime continues to be the cyber threat most likely to affect Canadians and Canadian organizations.
  • Ransomware will almost certainly continue to target large Canadian enterprises and critical infrastructure providers. These entities cannot tolerate sustained disruptions and are willing to pay up to millions of dollars to quickly restore their operations. Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks and the potentially destructive consequences of refusing payment.
  • While cybercrime is the most likely threat, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada.
  • State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals. But the centre feels it unlikely cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation.
  • State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. We assess that these threat actors will almost certainly continue attempting to steal intellectual property related to combatting COVID-19 to support their own domestic public health responses or to profit from its illegal reproduction by their own firms. The threat of cyber espionage is almost certainly higher for Canadian organizations that operate abroad or work directly with foreign state-owned enterprises.
  • Online foreign influence campaigns are almost certainly ongoing and aren’t limited to key political events like elections. “Online foreign influence activities are a new normal, and adversaries seek to influence domestic events as well as impact international discourse related to current events.”

The post Majority of Canadian cyber incidents happen due to poor cyber hygiene, new report says first appeared on IT World Canada.

China-linked APT10 leverages ZeroLogon exploits in recent attacks

Researchers uncovered a large-scale campaign conducted by China-linked APT10 targeting businesses using the recently-disclosed ZeroLogon vulnerability. 

Symantec’s Threat Hunter Team, a Broadcom division, uncovered a global campaign conducted by a China-linked APT10 cyber-espionage group targeting businesses using the recently-disclosed ZeroLogon vulnerability. 

The group, also known as Cicada, Stone Panda, and Cloud Hopper, has been active since at least 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

The group has been observed while attempting to exploit the Windows Zerologon vulnerability in attacks aimed at Japanese organizations from multiple industry sectors in 17 regions around the globe. Targeted sectors include:

  • Automotive
  • Clothing
  • Conglomerates
  • Electronics
  • Engineering
  • General Trading Company
  • Government
  • Industrial Products
  • Managed Service Providers
  • Manufacturing
  • Pharmaceutical
  • Professional Services

The latest campaign has been active since mid-October 2019 and appears to be still ongoing.

APT10 is a well-resourced cyber-espionage group that employs multiple tools and sophisticated techniques in its attacks. In the recent campaign, the attackers extensively used DLL side-loading and leveraged the ZeroLogon vulnerability.

Experts observed the attackers using a wide variety of living-off-the-land, dual-use, and publicly available tools.

Other techniques used by the group include network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and the use of RAR archiving together with a legitimate cloud hosting service for data exfiltration.

The APT10 group also employed custom malware, tracked as Backdoor.Hartip, that had not been seen before.

“Intelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too.” reads the report published by Symantec. “We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources (HR), audit and expense data, and meeting memos.”

The attribution to APT10 is based on multiple pieces of evidence, including clues in how code is obfuscated, the use of a third-stage DLL with an export named “FuckYouAnti,” and the use of QuasarRAT as the final payload.

“Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous,” Symantec concludes. “Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor […] show that it continues to evolve its tools and tactics to actively target its victims.”

Pierluigi Paganini

(SecurityAffairs – hacking, APT10)

The post China-linked APT10 leverages ZeroLogon exploits in recent attacks appeared first on Security Affairs.

Dubliner Jailed Over $2m Cryptocurrency Theft

An Irish cyber-thief has been jailed for his part in a SIM-swap conspiracy that robbed victims of their life savings.

Conor Freeman was identified by US Homeland Security as a member of a criminal group that stole over $2m worth of cryptocurrency from multiple victims in 2018.

Freeman, of Dun Laoghaire, Dublin, pleaded guilty to stealing cryptocurrency, dishonestly operating a computer to make a gain, and knowingly engaging in the possession of the proceeds of crime.

The 21-year-old handed over a virtual wallet containing 142.75682712 Bitcoin—now worth over $2m—to the gardaí at the time of his arrest.

Together with at least five co-conspirators based in the US, Freeman used a SIM-swap scam to steal cryptocurrency worth $100,000 from Darran Marble on May 15, 2018. The next day, the group targeted Seth Shapiro, making off with $1,921,335 in virtual money. 

Two days later, the cyber-criminals used the same technique to illegally relieve Micheal Templeman of cryptocurrencies with an approximate value of $167,622.22.

Passing sentencing in Dublin Circuit Criminal Court on Tuesday, Judge Martin Nolan noted that Shapiro lost the proceeds of the sale of his house and his entire life savings to Freeman and his co-conspirators.

Although Nolan deemed it unlikely that Freeman would reoffend, he gave the Dubliner a custodial sentence of three years for crimes that involved "guile and deception." 

The court heard that Freeman met his co-conspirators online. Together, the group combed social media for targets that might have access to large amounts of cryptocurrency. 

After choosing a victim, the group would scour the internet until they found the target's email address and phone number. Contacts who worked in telecommunications transferred the phone numbers of potential victims onto SIM cards bought by the group. 

By triggering the password-recovery flows set up to assist people who forget their passwords, the group managed to gain access to victims' online accounts. Freeman's role was to sift through victims' emails to identify the cryptocurrency holdings they possessed.

Defending Freeman, Paul O'Carroll SC described his client as "very much a loner" who started hacking the accounts of other gamers for a thrill while he was in his teens.

Freeman's five co-conspirators are before the courts in the United States.

Cyberattacks targeting health care must stop

In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.

The post Cyberattacks targeting health care must stop appeared first on Microsoft Security.

US Holiday Shoppers Fear Cyber-Scams

Americans are planning to do more of their holiday shopping online this year despite being concerned that they might fall victim to cyber-scams.

Research by global computer security software company McAfee found that 36% of American consumers are planning on buying gifts online this year despite 60% feeling that cyber-scams become more prevalent during the holiday season.

The findings were included in McAfee's "2020 Holiday Season: State of Today’s Digital e-Shopper" survey that was published yesterday. McAfee commissioned 3Gem to conduct a survey of 1,000 adults over the age of 18 in the United States between October 8 and October 13, 2020.

During last year's Black Friday to Cyber Monday holiday weekend, more than 124 million consumers chose to make their purchases in-store. In 2020, as the world grapples with COVID-19, consumers have shifted direction, shopping more and buying what they need through their devices. 

The survey revealed that 49% of Americans said they are buying online more since the global pandemic struck. Nearly one in five consumers (18%) said that shopping online is a daily activity, while one in three (34%) make purchases via the internet 3 to 5 days a week.

Over a quarter (27%) of respondents ages 18 to 24 said that they checked the authenticity of discounts and deals sent to them via email and text message. Overall, fewer than half (43%) said that they would be checking to see if Black Friday or Cyber Monday emails and text messages sent are trustworthy and genuine.

Researchers noticed a difference in concern over cybercrime across generational age groups. While 79% of those aged 65 or older believe there is a greater cyber-risk due to COVID-19, this view was shared by only 70% of those aged 18 to 24.

“Many are wondering what this year’s holiday season will look like as consumer shopping behaviors continue to evolve and adapt to the challenges faced throughout 2020,” said Judith Bitterli, vice president of consumer marketing at McAfee.

“With results showing the growing prevalence of online shopping, consumers need to be aware of how cyber-criminals are looking to take advantage and take the necessary steps to protect themselves—and their loved ones—this holiday season.”

Nature vs. Nurture Tip 1: Use DAST With SAST

When conducting research for this year's State of Software Security report, we looked at how "nature" and "nurture" contribute to the time it takes to close out a security flaw. For the "nature" side, we looked at attributes that we cannot change, like application size or age. For "nurture," we looked at application attributes we can change, like security scan frequency and cadence.

We found that the ???nature??? of applications can have a negative effect on how long it takes to remediate a security flaw. Applications with a high flaw density take, on average, 63 days longer to remediate security flaws than applications with a lower flaw density. Large applications or organizations and old applications also slow down remediation.

Nature of apps

But on a positive note, we found that there are ways you can "nurture" applications (even when the "nature" is less than ideal) to speed up time to remediation. Over the next several weeks, we will provide three tips, including frequent and steady scanning and API integration, for nurturing applications. The first tip, proven to be the most effective method for nurturing the security of your applications, is using dynamic application security testing (DAST) in conjunction with static application security testing (SAST). In fact, we found that organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST.

Why does using DAST with SAST improve time to remediation?

Static analysis scans for flaws during the development phase of the software development lifecycle (SDLC), and it looks for common issues, such as directory traversals, Cross-Site Scripting, and various injection flaws. Dynamic analysis scans during runtime, looking for issues with server and deployment configuration and authentication issues.

CWE

The chart above shows how much deeper the scanning goes when DAST is added to SAST. As you will see, dynamic analysis draws out significantly more flaws when added to static analysis than static analysis finds on its own. For example, static analysis finds around 10 percent of CWE-297 flaws, but when DAST is added, the number of CWE-297 flaws discovered more than doubles.

It can be surmised that when developers see the flaws drawn out by dynamic analysis, not just the magnitude of flaws but the severity and exploitability, developers are more likely to remediate the security flaws at a faster rate.
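An added example, not from the Veracode post or its report, of the CWE-297 class the chart singles out (Improper Validation of Certificate with Host Mismatch): the vulnerable substring-on-CN check that static tools flag only rarely, beside a hostname matcher that applies the RFC 6125 rules (exact match, wildcard only as the whole leftmost label, one label per wildcard, no bare "*.com"). It runs against constructed certificate data shaped like the dict `ssl.SSLSocket.getpeercert()` returns; the function names, the sample certificates and the host names are assumptions for illustration, not real certificates.

```python
# Added example (not from the Veracode post): CWE-297, Improper Validation of
# Certificate with Host Mismatch. A vulnerable check and a hardened matcher are
# run against constructed certificate dicts shaped like the output of
# ssl.SSLSocket.getpeercert(); no network connection is made.


def vulnerable_host_check(expected_host, cert):
    """The CWE-297 pattern: a substring test on the certificate commonName,
    so a certificate for example.com.attacker.test passes for example.com."""
    cn = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return expected_host.lower() in cn.lower()


def _dns_name_matches(pattern, host):
    """RFC 6125 matching for one dNSName entry: exact case-insensitive
    match, or a wildcard that is the entire leftmost label and stands for
    exactly one label (*.example.com covers api.example.com but not
    a.b.example.com; *.com is refused as too broad)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard allowed only as the whole leftmost label
    if len(p_labels) < 3:
        return False  # "*.com" would match every .com host
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hardened_host_check(expected_host, cert):
    """Match only against subjectAltName dNSName entries; a certificate with
    no SAN is rejected rather than falling back to the deprecated CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(n, expected_host) for n in names)


# Constructed sample certificates (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
ROGUE_CERT = {
    # Validly issued for a host the attacker controls; the CN merely
    # contains the victim's name, which is enough to fool a substring check.
    "subject": ((("commonName", "example.com.attacker.test"),),),
    "subjectAltName": (("DNS", "example.com.attacker.test"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "api.example.com"),),)}


if __name__ == "__main__":
    for host, cert in [("api.example.com", GOOD_CERT),
                       ("example.com", ROGUE_CERT),
                       ("api.example.com", CN_ONLY_CERT)]:
        print(host, "vulnerable:", vulnerable_host_check(host, cert),
              "hardened:", hardened_host_check(host, cert))
```

The rogue certificate is the case a dynamic scan surfaces and a static scan usually cannot: nothing in the vulnerable function looks like an injection sink, and whether it is reachable often depends on runtime TLS configuration. In production code the matcher should not be hand-written at all; leave `check_hostname` enabled on the `ssl.SSLContext` and let the library do it.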

To learn more about our nature vs. nurture findings or for additional information on the benefits of adding DAST to SAST, check out our recent State of Software Security report. And stay tuned for our Nature vs. Nurture Tip 2 and Tip 3 blogs, coming soon!

Twitter Appoints “Mudge” as Head of Security

Social media giant Twitter has created a new head of security position and hired a world-famous hacker to fill it.

The appointment of 49-year-old American Peiter Zatko, known online by his hacking handle "Mudge," was announced by Twitter on November 16. 

According to Reuters, guitarist and Berklee College of Music graduate Zatko has been given a broad mandate to review the security structure and practices of the networking site and recommend changes. After a review period that will last up to 60 days, Zatko will report his findings and suggestions directly to Twitter's CEO, Jack Dorsey. 

In an exclusive interview with Reuters, the new appointee said he will be digging deep into Twitter's “information security, site integrity, physical security, platform integrity—which starts to touch on abuse and manipulation of the platform—and engineering.”

Previously, Zatko worked at electronic payments unicorn Stripe, where he oversaw security. Before that he worked at Google, and earlier still he was a program manager at the Pentagon's Defense Advanced Research Projects Agency (DARPA), where he oversaw the distribution of grants for cybersecurity research projects.

Dan Kaufman, who supervised Zatko during his time at DARPA, commented: “I don’t know if anyone can fix Twitter’s security, but he’d be at the top of my list."

Hacker, writer and open-source programmer Zatko began his career as a government contractor carrying out classified work while simultaneously leading the hacking group Cult of the Dead Cow. The group gained notoriety for pressuring Microsoft to up its security game by releasing Windows hacking tools.

Zatko was also the most prominent member of the hacker think tank L0pht Heavy Industries, a group known for pioneering responsible disclosure of vulnerabilities. He was among the seven L0pht members who, testifying before the United States Congress on national cybersecurity in 1998, claimed they could shut down the internet in 30 minutes.

Describing his new employer, Zatko said: “They are willing to take some risks. With the challenges of algorithms and algorithmic bias, they are not standing by and waiting until someone else solves the problem.”

Kali Linux 2020.4 released: New default shell, fresh tools, and more!

Offensive Security has released Kali Linux 2020.4, the latest version of its popular open source penetration testing platform. You can download it or upgrade to it. Kali Linux 2020.4 changes: ZSH is now Kali's default shell on desktop images and cloud; Bash remains the default shell for other platforms (ARM, containers, NetHunter, WSL) for the time being. Users can, of course, use whichever they prefer, but be … More

The post Kali Linux 2020.4 released: New default shell, fresh tools, and more! appeared first on Help Net Security.

#ISC2Congress: Which Pen-Testing Approach is Right for Your Business?

Speaking during the virtual (ISC)2 Security Congress, Alex Haynes, CISO at CDL, explored the various pen-testing approaches available to organizations and outlined how companies can determine which is the best option for their business use cases.

“The problem with pen-testing in the market is that there’s an ‘alphabet soup’ of terminology and it is very easy to get confused when there are all these marketing terms being thrown around.”

Essentially, there are three key approaches to pen-testing that organizations can implement, Haynes said.

The first is traditional pen-testing, defined as a “snapshot of your security posture at a particular point in time.”

The pros of traditional pen-testing methods include cost efficiency, flexibility and standardization. However, there are important inadequacies to consider, Haynes warned: such tests are infrequent and time-limited, lack diversity of approach, and can invoke "pen-tester syndrome" (a focus on theoretical vulnerabilities that makes things appear worse than they actually are).

The second approach to pen-testing open to organizations is the crowdsourced security option, Haynes continued. This involves “having more than one tester who has no affiliation [with your systems] looking for bugs and vulnerabilities on your systems and applications.”

A crowdsourced security pen-testing strategy offers some key benefits that traditional pen-test methods cannot, including higher frequency rates, unlimited time-scales and a more cost-effective business model (in the short run) in which researchers are only paid per vulnerability rather than taking a full salary.

However, as with traditional pen-testing, crowdsourced strategies have their own drawbacks to consider, including the web-heavy skillsets of researchers, potentially unethical behavior and heavy network traffic.

The third and final approach to organizational pen-testing is automated pen-testing, Haynes said.

“This mimics the behavior of a human attacker by choosing the best kind of attack vector for a particular vulnerable system, at scale, without human intervention.”

Automated pen-testing can be run daily or continuously, generates reports on the fly and can be configured to start from anywhere or to use only certain vectors for particular attack scenarios, so it has clear benefits, Haynes explained.

At the same time, as with traditional and crowdsourced pen-testing, there are downsides to automated pen-testing: the tools are only useful for testing inside the network, lack understanding of web applications, and can carry a high cost per asset on larger networks.

To conclude, Haynes said that deciding which pen-testing approach best suits an organization depends on various factors, but added that the strategies are not mutually exclusive: always start with a traditional pen-test to establish a baseline and, if budget permits, layer the other approaches on top.

Gartner names Microsoft a Leader in the 2020 Magic Quadrant for Cloud Access Security Brokers

The past few months have changed the way we work in many ways: working from home, social distancing and remote operations have all had an impact on our previously known ways of life. At Microsoft, we have been working hard to help our customers adjust to this rapidly changing and evolving work environment. As has been the case for a while now, this is anchored in the framework of Zero Trust, an approach that we believe is critical to a strong security posture. At its heart, Zero Trust is about applying visibility, adhering to governance requirements, and enforcing control over cloud apps, services, assets and workloads.

As businesses adapt to the increase in remote work and unmanaged device use, Cloud Access Security Broker (CASB) use has accelerated. According to the most recent report from Gartner, “CASBs (have become) essential elements of cloud security strategies.”

We believe that Cloud App Security is a critical component of any security portfolio to enable a Zero Trust security approach. Organizations across all customer segments are securing their apps with Microsoft Cloud App Security, from large enterprises in professional services like Accenture to health organizations such as St. Luke’s.


According to a recent Total Economic Impact (TEI) study commissioned from Forrester Consulting, customers can save time and resources and improve security with Microsoft Cloud App Security. The Forrester study shows a three-year 151 percent return on investment (ROI) and a payback period of less than three months on the Cloud App Security investment. Microsoft Cloud App Security is also used internally at Microsoft, and it has been great to see the momentum across our customers: we crossed the threshold of protecting 100 million users in the summer of 2020. The unique perspective we have been building, from which customers can exercise control and governance, has been recognized in this year's Gartner Magic Quadrant for Cloud Access Security Brokers (CASB).


Microsoft Cloud App Security is Microsoft's CASB. This productivity and security enabler helps organizations gain visibility into their cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and controls the travel of sensitive information. It supports Microsoft's native cloud services and numerous third-party cloud apps and services, such as Dropbox and Salesforce, equally.

Our vision for the CASB category is to push beyond just controlling SaaS apps and into IaaS and PaaS posture recommendations and management. We believe it is incumbent on us to provide our customers with a holistic security solution that acknowledges their security estate across platforms and clouds. We deliver this vision through five key capabilities:

  • Shadow IT Discovery enables customers to see clearly into the opaque space of cloud usage; in addition to traditional proxy and firewall logs, we extend this discovery to the endpoint with an integration with Microsoft Defender for Endpoint. This integration also powers Endpoint CASB capabilities, allowing Cloud App Security to enforce threat protection and information protection policies on every supported endpoint. Once visibility into cloud resource usage is in place, customers can start applying control and management policies.
  • Information Protection capabilities, identifying the most critical information, and applying policy and access controls, are significant investments for customers. Through deep integration with Microsoft Information Protection, together with the reverse proxy capabilities of Cloud App Security, customers have the power to enforce complex information and DLP (Data Loss Prevention) policies across Microsoft and 3rd party enterprise apps.
  • Threat Protection leverages Microsoft Defender for Identity to provide a unified view into the identities of an organization across on-premises and cloud resources and monitor behaviors and highlight abnormalities, in addition to blocking nefarious content and malicious payloads.
  • Secure Access capabilities provided by Cloud App Security are deeply connected with Azure Active Directory (Azure AD) allowing customers to enforce and monitor access and session policies across all managed cloud resources.
  • Cloud Security Posture Management (CSPM) assessment and governance, which is founded in close collaboration with Azure Security Center, providing Multi-Cloud security posture (AWS, GCP, and more) to customers.

Microsoft remains committed to Cloud App Security and we are actively looking at which areas of investment are the most beneficial to our customers. For example, we will extend multi-application SaaS Security Posture Management (SSPM) capabilities as a core scenario across our security offerings, and we will continue to listen to our customers on how we can best help them in their efforts to maintain a strong security posture.

Learn more

Read this complimentary copy of the Gartner Magic Quadrant for Cloud Access Security Brokers for the analysis behind Microsoft’s position as a Leader.

You can also read Forrester's Total Economic Impact™ of Microsoft Cloud App Security for details on how Cloud App Security can save time and money.

For more information about our CASB solution, visit our website and stay up to date with our blog. Want to see our CASB in action? Start a free trial today and learn how to get started with our detailed technical documentation.

* Gartner Magic Quadrant for Cloud Access Security Brokers, Craig Lawson, Steve Riley, October 28, 2020.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Gartner names Microsoft a Leader in the 2020 Magic Quadrant for Cloud Access Security Brokers appeared first on Microsoft Security.

New Canadian privacy regime are steps in the right direction, but experts are ‘baffled’ and ‘troubled’ by key missing pieces

Worries over the proposed tribunal for setting fines recommended by the Privacy Commissioner, and concerns that the law isn't clear on protecting personal data sent outside Canada, were among the issues raised.

The post New Canadian privacy regime are steps in the right direction, but experts are 'baffled' and 'troubled' by key missing pieces first appeared on IT World Canada.

#DxPsummit: Use Quarantine in Your Ransomware Recovery

Consider using a strategy of quarantine when implementing a ransomware recovery strategy, as reinfection can easily occur.

Speaking as part of Druva’s Cloud Data Protection Summit, Charles Green, sales engineer at Druva, said the shift of data outside the company perimeter and firewalls led to an increase in ransomware payments, as well as more cyber insurance options to cover those payments.

He explained that there are a number of challenges when dealing with a ransomware event, and he said anything you can do “that could be automated should be automated,” including:

  • Respond – quickly via automated or orchestrated response
  • Prevent – download of infected snapshots
  • Identify – last known good copy to recover from
  • Recover – with confidence

That last point, he claimed, requires air gaps, as data protection is “a last line of defense when all your other preventative controls have failed.” He said that your data protection solution should be able to provide automated anomaly detection, especially where there is a large number of files added or deleted from a backup set. “This will all enable an administrator to identify a last known good copy that they can recover from,” he said.

“Also, while you’re working through your environment, you should be able to quarantine backups and prevent users from reinfecting the environment.”

He recommended using a more granular quarantine approach, rather than having to quarantine all data. If you are also able to quarantine by a specific date range, you will be able to restore from snapshots that are “known good” and you can continue to function as a business whilst this is going on.
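To make that procedure concrete, the following Python example (added here; it is not Druva's code and makes no claim about how their product is built) scores constructed daily snapshot change counts against a robust baseline to flag the anomalous snapshots, picks the last known good snapshot before the first anomaly, and quarantines only a date range so that everything outside it stays restorable while the investigation runs.

```python
from statistics import median

# Constructed daily snapshot metadata for one backup set: (date, files
# added, files deleted, files modified). The last two days look the way a
# ransomware run does from the backup side: thousands of files appear and
# disappear at once as the encryptor writes copies and deletes originals.
SNAPSHOTS = [
    ("2020-11-10", 120, 15, 300),
    ("2020-11-11", 98, 10, 280),
    ("2020-11-12", 130, 12, 310),
    ("2020-11-13", 110, 9, 295),
    ("2020-11-14", 105, 14, 290),
    ("2020-11-15", 115, 11, 305),
    ("2020-11-16", 9000, 8700, 40),
    ("2020-11-17", 400, 350, 60),
]

MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation for normal data


def robust_score(history, value):
    """How many robust standard deviations `value` sits above the history.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so a single huge spike cannot drag the baseline up
    and hide itself.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return (value - med) / (mad * MAD_SCALE)


def detect_anomalies(snapshots, threshold=5.0, min_history=3, window=30):
    """Return the dates of snapshots whose change counts spike.

    Each snapshot is scored against the preceding `window` snapshots that
    were not themselves flagged, so a poisoned day does not become the new
    normal. The first `min_history` snapshots are assumed clean.
    """
    flagged = []
    clean = []  # (added, deleted, modified) of snapshots accepted as baseline
    for date, added, deleted, modified in snapshots:
        if len(clean) >= min_history:
            hist = clean[-window:]
            scores = (
                robust_score([c[0] for c in hist], added),
                robust_score([c[1] for c in hist], deleted),
                robust_score([c[2] for c in hist], modified),
            )
            if max(scores) > threshold:
                flagged.append(date)
                continue
        clean.append((added, deleted, modified))
    return flagged


def last_known_good(snapshots, flagged):
    """Latest unflagged snapshot taken before the first anomalous one."""
    if not flagged:
        return snapshots[-1][0]
    first_bad = min(flagged)
    good = [s[0] for s in snapshots if s[0] < first_bad and s[0] not in flagged]
    return good[-1] if good else None


def quarantine(snapshots, start, end):
    """Dates in [start, end] that must not be restored or downloaded.

    Quarantining a date range rather than the whole backup set leaves every
    snapshot outside the range usable while the investigation runs.
    """
    return {s[0] for s in snapshots if start <= s[0] <= end}


def restorable(snapshots, quarantined):
    """Snapshots an administrator may still restore from."""
    return [s[0] for s in snapshots if s[0] not in quarantined]


if __name__ == "__main__":
    bad = detect_anomalies(SNAPSHOTS)
    print("anomalous snapshots:", bad)
    print("last known good:", last_known_good(SNAPSHOTS, bad))
    q = quarantine(SNAPSHOTS, min(bad), max(bad))
    print("quarantined:", sorted(q))
    print("still restorable:", restorable(SNAPSHOTS, q))
```

Two details matter in practice: flagged snapshots are excluded from the baseline, so the encryption day cannot normalise the following day's still-elevated churn, and the threshold is applied to a robust z-score rather than a raw file count, so the same logic works for a backup set of a few hundred files and one of a few million.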

He also recommended remote-wiping devices to prevent further malware spread. He called this "defensible deletion", because it deletes from both devices and backups, and said it is something that is very critical when you are dealing with ransomware.

He said ransomware recovery tools, such as one provided by Druva, can be used “to quarantine snapshots, know where your data is being accessed from and also leverage things like our federated search and defensible deletion process” to deal with ransomware attacks.

Green said ransomware prevention is reliant on backup, which he said was critical, and should be “secure by design; it should not be an add on or an option.” He also said you should know that a backup set is protected “and to get more from your backup, look for things like detective controls and anomaly detection that will alert you to a challenge to your environment.” He concluded by saying this will help you recover successfully and securely.

#ISC2Congress: Building a Resilient Cybersecurity Industry from #COVID19

Learning lessons from the COVID-19 pandemic is vital to growing resiliency in the cybersecurity industry, according to Juliette Kayyem, former assistant secretary at the Department of Homeland Security, speaking during a keynote session at the virtual (ISC)2 Security Congress.

She began by outlining the five stages of crisis management, noting that COVID-19 bears many similarities to other crises. These consist of two stages prior to the "boom," protection and prevention, and three after it: response, adaptive recovery and resiliency.

What differentiates COVID-19 from other crises, however, is the sustained focus on “adaptive recovery” with minimized contact intensity set to be in place for the foreseeable future. This is opposed to other crises which generally allow life to return to normal quickly. “This period is going to exist until further notice,” said Kayyem.

This adaptive stage does provide a unique opportunity for lasting resiliency to be achieved. This means that through learning the lessons of the pandemic, in many ways, life will not simply return to normal. In the context of the workplace, she anticipated that the experiences of the pandemic will lead to numerous permanent changes including much more remote working, a greater focus on employee health, including the rise of the chief health officer and better protections for gig and contract workers.

Kayyem stated: “COVID-19 has laid bare some necessary conversations that we’ve only been whispering about in the last couple of years, and just like so many other major crises that have happened in our past, they open up an important conversation about what kind of nations and what kind of world we want to be.”

This new landscape is going to heavily affect the cybersecurity sector and industry leaders need to now plan ahead rather than constantly introduce patchwork solutions, according to Kayyem. “Do you accept that you need to think about what it’s like to manage a security team through to the end of 2021?” she asked.

This includes anticipating early investments needed in technology systems, the kinds of security threats that may exist going forward and ways of communicating in this “new normal.” To do so, she advised: “You need to set an implementation plan that gets you to the end of 2021 in terms of needs, employees, workforce development, hiring and budget, and you need to make that case loud and clear.”

Another area Kayyem highlighted the importance of is working out how security teams can maintain some form of physical contact, which is likely to be a challenge in the current adaptive phase. “What combination of your security team will need to meet, who within the security team, how will you on-board and how employees will learn what the corporate culture is” she outlined.

Ensuring security stays a key focus throughout the organization over the coming 18 months must also be a priority for security leaders, as complacency can easily set in. Kayyem commented: "It may be that you need to build new resources, do retraining and remind people… you've got to reiterate those security needs."

She concluded: “We are in a time in which we are going to have to adapt and learn to live in the now normal and that means protecting yourselves, your family and continuing to protect your employees, teams and institutions through 2021.”

Trump Fires Security Chief Christopher Krebs

President Trump on Tuesday fired his top election security official Christopher Krebs (no relation). The dismissal came via Twitter two weeks to the day after Trump lost an election he baselessly claims was stolen by widespread voting fraud.

Chris Krebs. Image: CISA.

Krebs, 43, is a former Microsoft executive appointed by Trump to head the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security. As part of that role, Krebs organized federal and state efforts to improve election security, and to dispel disinformation about the integrity of the voting process.

Krebs’ dismissal was hardly unexpected. Last week, in the face of repeated statements by Trump that the president was robbed of re-election by buggy voting machines and millions of fraudulently cast ballots, Krebs’ agency rejected the claims as “unfounded,” asserting that “the November 3rd election was the most secure in American history.”

In a statement on Nov. 12, CISA declared “there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”

But in a tweet Tuesday evening, Trump called that assessment “highly inaccurate,” alleging there were “massive improprieties and fraud — including dead people voting, Poll watchers not allowed into polling locations, ‘glitches’ in the voting machines that changed votes from Trump to Biden, late voting, and many more.”

Twitter, as it has done with a remarkable number of the president’s tweets lately, flagged the statements as disputed.

By most accounts, Krebs was one of the more competent and transparent leaders in the Trump administration. But that same transparency may have cost him his job: Krebs’ agency earlier this year launched “Rumor Control,” a blog that sought to address many of the conspiracy theories the president has perpetuated in recent days.

Sen. Richard Burr, a Republican from North Carolina, said Krebs had done “a remarkable job during a challenging time,” and that the “creative and innovative campaign CISA developed to promote cybersecurity should serve as a model for other government agencies.”

Sen. Angus King, an Independent from Maine and co-chair of a commission to improve the nation’s cyber defense posture, called Krebs “an incredibly bright, high-performing, and dedicated public servant who has helped build up new cyber capabilities in the face of swiftly-evolving dangers.”

“By firing Mr. Krebs for simply doing his job, President Trump is inflicting severe damage on all Americans – who rely on CISA’s defenses, even if they don’t know it,” King said in a written statement. “If there’s any silver lining in this unjust decision, it’s this: I hope that President-elect Biden will recognize Chris’s contributions, and consult with him as the Biden administration charts the future of this critically important agency.”

KrebsOnSecurity has received more than a few messages these past two weeks from readers who wondered why the much-anticipated threat from Russian or other state-sponsored hackers never appeared to materialize in this election cycle.

That seems a bit like asking why the year 2000 came to pass with very few meaningful disruptions from the Y2K computer date rollover problem. After all, in advance of the new millennium, the federal government organized a series of task forces that helped coordinate readiness for the changeover, and to minimize the impact of any disruptions.

But the question also ignores a key goal of previous foreign election interference attempts leading up to the 2016 U.S. presidential and 2018 mid-term elections. Namely, to sow fear, uncertainty, doubt, distrust and animosity among the electorate about the democratic process and its outcomes.

To that end, it’s difficult to see how anyone has done more to advance that agenda than President Trump himself, who has yet to concede the race and continues to challenge the result in state courts and in his public statements.

What Truebill and Other Financial Apps Have in Common With EDR

Truebill, Chargebee, Fusebill and other financial apps have been inundating my social feeds, and until recently I didn't understand why I would need one of these apps. I'm the type that knows her bank account balance to the penny, and I was shocked to discover that many of my co-workers and, of course, my college kid had no idea their balance was low until they tried to use their debit card and got declined. What also surprises me is how many people don't know what is coming out of their bank account. I may not realize precisely how much my Starbucks addiction costs, but I'm in security and I need my caffeine! Keeping up with the latest ways cyber criminals can infiltrate an organization or sneak past endpoint solutions takes a lot of energy.

Then I got to thinking about these new apps that I couldn't imagine anyone needing to use, UNTIL I decided to try one… and then I discovered I too had been compromised by subscriptions and fees I had no idea I was being charged for. This led me to think about my false sense of security and how I felt I was protected because I checked my account and tracked what came in and out. I use my debit card constantly for purchases and have it attached to Apple Pay, PayPal and, you name it, it is linked.

So why am I bringing this up? Well, in your job you might have responsibility for corporate security…and you might be feeling pretty comfortable that you have everything under control, a bit like I did with my finances – but you don’t know what you don’t know. It’s all well and good (and indeed highly advisable) having an endpoint protection product in place but is it possible that this is giving you a feeling of security beyond the true situation? Could there be sneaky activity happening at a really low level that is getting past those solutions? I didn’t think so, until I installed the app and I discovered exactly what I didn’t know.

Enter EDR

And that’s where EDR comes in – because EDR is designed to monitor what is happening on your endpoint devices, to track and trace activity, consolidate it and identify potential risks – the really good EDR solutions will also group related items into threads to speed up investigations, prioritize which groups should be examined first and even automate some of the investigation processes.
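Here is what that grouping and prioritizing looks like in code. This is an added example, not McAfee's code and not how MVISION EDR is implemented: the Python below takes constructed process-creation telemetry, walks each alert up its parent chain to bundle related alerts into one incident per process tree, and ranks the incidents by highest severity and alert count so the analyst sees the Word-to-PowerShell chain first and the low-severity noise last.

```python
# Constructed endpoint telemetry: one process-creation event per row, with
# the detections a sensor attached to some of them. Real EDR data has far
# more fields; pid/ppid/image plus any alert is enough to show the grouping.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"pid": 210, "ppid": 200, "image": "cmd.exe",
     "alert": "office_app_spawns_shell", "severity": 6},
    {"pid": 220, "ppid": 210, "image": "powershell.exe",
     "alert": "encoded_powershell_command", "severity": 8},
    {"pid": 300, "ppid": 100, "image": "chrome.exe"},
    {"pid": 310, "ppid": 300, "image": "chrome.exe"},
    {"pid": 400, "ppid": 4, "image": "services.exe"},
    {"pid": 410, "ppid": 400, "image": "svchost.exe"},
    {"pid": 420, "ppid": 410, "image": "wmiprvse.exe",
     "alert": "wmi_event_subscription", "severity": 5},
    {"pid": 500, "ppid": 100, "image": "notepad.exe",
     "alert": "unsigned_binary_low_prevalence", "severity": 2},
]

# Processes that start user sessions or host services; everything sits under
# them, so they are treated as boundaries rather than as incident roots.
SESSION_ROOTS = {"explorer.exe", "services.exe", "wininit.exe", "svchost.exe"}


def build_incidents(events):
    """Group alerts by the process tree they belong to and rank the groups.

    Each alerting process is walked up its parent chain until a session
    root (or an unknown parent) is reached; the topmost process below that
    boundary keys the incident. Alerts sharing a key form one incident.
    Incidents are ranked by highest severity, then by alert count, which is
    the order an analyst should work them.
    """
    by_pid = {e["pid"]: e for e in events}
    incidents = {}
    for e in events:
        if "alert" not in e:
            continue
        chain = [e]
        cur = e
        while True:
            parent = by_pid.get(cur["ppid"])
            if parent is None or parent["image"].lower() in SESSION_ROOTS:
                break
            chain.append(parent)
            cur = parent
        root = chain[-1]
        inc = incidents.setdefault(root["pid"], {
            "root_pid": root["pid"],
            "root_image": root["image"],
            "alerts": [],
            "chain": "",
            "depth": 0,
        })
        inc["alerts"].append((e["alert"], e["severity"]))
        # Keep the longest observed chain as the incident's one-line summary.
        if len(chain) > inc["depth"]:
            inc["depth"] = len(chain)
            inc["chain"] = " > ".join(p["image"] for p in reversed(chain))
    ranked = list(incidents.values())
    for inc in ranked:
        inc["max_severity"] = max(sev for _, sev in inc["alerts"])
    ranked.sort(key=lambda i: (i["max_severity"], len(i["alerts"])), reverse=True)
    return ranked


if __name__ == "__main__":
    for inc in build_incidents(EVENTS):
        print("[sev %d, %d alerts] %s" % (inc["max_severity"], len(inc["alerts"]), inc["chain"]))
```

Four alerts collapse into three incidents, and the two raised under WINWORD.EXE surface as a single item with the full `WINWORD.EXE > cmd.exe > powershell.exe` chain attached, which is the context an analyst needs to decide in seconds rather than after a manual pivot through raw events.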

The Importance of Automation

And don’t overlook the importance of that automation – when I was looking at my finances if the app I tried had simply overwhelmed me with massive amounts of information (some of which I knew, some of which was a surprise, all of which was mixed up together), I’d have likely looked once, and decided that I was right all along…everything was probably under control, and the effort involved in digging deeper was likely to be greater than any return I might have got back. But, it was automated, it consolidated the information, it simplified things…and ultimately it showed me exactly what I needed to know with minimal effort on my part. The net effect of that was a positive result. EDR is the same – I’ve spoken with customers who have tried it and simply given up because it’s proven to be too complicated. It can feel easier not to find out what you don’t know – but it won’t be as secure!

MVISION EDR

That's what security analysts are loving about MVISION EDR. MVISION EDR helps find what is hidden and lifts it to the surface where it can be examined and then either allowed or blocked. But unlike my bank account, we're not talking about 5 or 10 things you may not have been aware of; we're talking about potentially tens of thousands each and every day. And that's the other thing they love about MVISION EDR: not only does it make these potential risks easier to identify, but it groups them into a much smaller number of potential incidents, prioritizes those incidents so they know which ones to investigate first, and even uses AI to guide those investigations and suggest how they can reach a resolution quickly and accurately. What's not to love?

If you want to see what you have been missing check out MVISION EDR.

The post What Truebill and Other Financial Apps Have in Common With EDR appeared first on McAfee Blogs.

Back from vacation: Analyzing Emotet’s activity in 2020

By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz.

Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet, to continue growing the size of the botnets associated with this threat. Emotet is often the initial malware delivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in virtually every country on the planet over the past several years and often leads to high-impact security incidents, as the network access it provides to adversaries enables further attacks, such as big-game hunting and double-extortion ransomware attacks.

Cisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We leveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes of observing the characteristics of these email campaigns over time and to gain additional insight into the scope and profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed taking extended breaks over the past few years, and 2020 was no exception. Let’s take a look at what Emotet has been up to in 2020 and the effect it’s had on the internet as a whole.

Read More >>

Phishing campaign targets LATAM e-commerce users with Chaes Malware

Experts from Cybereason Nocturnus uncovered an active campaign that targets users of a large e-commerce platform in Latin America with Chaes malware.

The Chaes malware was first spotted in mid-to-late 2020 by Cybereason researchers. It is a multistage information stealer that focuses on Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America. In 2019, over 320 million users were registered with the MercadoLivre e-commerce platform.

Chaes is written in several programming languages, including JavaScript, VBScript, .NET, Delphi and Node.js. Experts believe that the malicious code is still under development.

“Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.Js information stealer that exfiltrates data using the node process.” reads the analysis published by Cybereason.

Chaes is also able to take screenshots of the victim's machine, and to hook and monitor the Chrome web browser to collect user information from infected hosts.

The kill chain starts with phishing messages carrying a .docx attachment that, once opened, triggers a remote template injection attack.

Upon connecting to the command-and-control server, the malware downloads the first malicious payload in the form of an .msi file, which deploys a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin. The malware also installs three other files, hhc.exe, hha.dll and chaes1.bin; the researchers also observed the use of a cryptocurrency mining module.


The attackers abuse a built-in Microsoft Word feature to fetch a payload from a remote server: they change the attached template target referenced from the settings.xml part embedded in the document, populating that field with a download URL for the next payload, which Word then retrieves when the document is opened.
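That template mechanism is easy to check for on the wire or at the mail gateway. The Python below is an added example, not Cybereason's tooling and not Chaes itself: it builds a minimal .docx in memory with a constructed attachedTemplate relationship, then scans word/settings.xml and word/_rels/settings.xml.rels for a template Target that points at a remote host. The URL and file paths are hypothetical.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the parts involved in remote template injection.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"

# http(s)/ftp URLs and UNC paths mean the template is fetched from another host.
REMOTE_RE = re.compile(r"^(https?://|ftp://|\\\\|//)", re.IGNORECASE)


def find_attached_templates(docx_bytes):
    """Return every attached-template relationship in a .docx, with a verdict.

    A Word document is a zip. word/settings.xml carries
    <w:attachedTemplate r:id="rIdN"/> and word/_rels/settings.xml.rels maps
    that id to a Target. Word fetches the Target when the document opens,
    so a Target on a remote host is the injection point described above.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/_rels/settings.xml.rels" not in names:
            return hits
        referenced = set()
        if "word/settings.xml" in names:
            settings = ET.fromstring(z.read("word/settings.xml"))
            for el in settings.iter("{%s}attachedTemplate" % W_NS):
                referenced.add(el.get("{%s}id" % R_NS))
        rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in rels.iter("{%s}Relationship" % PKG_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target") or ""
            hits.append({
                "rId": rel.get("Id"),
                "target": target,
                "external": rel.get("TargetMode") == "External",
                "referenced": rel.get("Id") in referenced,
                "remote": bool(REMOTE_RE.match(target)),
            })
    return hits


def is_suspicious(docx_bytes):
    """True when any attached template points at a remote host.

    A local file:// path to Normal.dotm is ordinary and is reported but not
    treated as suspicious; only network targets trip the verdict.
    """
    return any(h["remote"] for h in find_attached_templates(docx_bytes))


def build_docx(template_target=None, target_mode="External"):
    """Build a minimal .docx in memory (constructed sample, not a Chaes lure).

    With template_target set, the package carries exactly the two entries a
    remote-template-injection document needs; without it, a plain document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="%s"><w:body/></w:document>' % W_NS)
        if template_target is None:
            z.writestr("word/settings.xml", '<w:settings xmlns:w="%s"/>' % W_NS)
        else:
            z.writestr("word/settings.xml",
                       '<w:settings xmlns:w="%s" xmlns:r="%s">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>' % (W_NS, R_NS))
            z.writestr("word/_rels/settings.xml.rels",
                       '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                       'Target="%s" TargetMode="%s"/></Relationships>'
                       % (PKG_NS, ATTACHED_TEMPLATE, template_target, target_mode))
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_docx("http://example.invalid/templates/invoice.dotm")  # hypothetical URL
    for hit in find_attached_templates(lure):
        print(hit)
    print("suspicious:", is_suspicious(lure))
```

The scanner deliberately reads the relationship part rather than grepping the zip for "http", because the URL lives only in settings.xml.rels and a benign document routinely carries a file:// path to Normal.dotm there; the `remote` verdict separates the two, and `referenced` tells you whether settings.xml actually points at that relationship, which is the difference between a live injection and a leftover entry.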

The Chaes attack chain is composed of several stages that include the use of LOLBins (living-off-the-land binaries) and other legitimate software to avoid detection by AV products.

Experts observed several variants over recent months; its authors have improved the encryption and implemented new functionality in the final Node.js module.

“Multistage malware that uses such techniques in the LATAM region and specifically in Brazil have already been observed and investigated by Cybereason in the past years. Chaes demonstrates how sophisticated and creative malware authors in the Latin America region can be when attempting to reach their goals.” concludes the report. “The malware not only serves as a warning sign to information security researchers and IT professionals not to take lightly the existence of files that are legitimate in nature, but also raises the concern of a possible future trend in using the Puppeteer library for further attacks in other major financial institutions”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Phishing campaign targets LATAM e-commerce users with Chaes Malware appeared first on Security Affairs.

Are you making zero progress on Zero Trust? Here’s how to get started

Organizations should press forward more urgently on adopting Zero Trust because traditional approaches to cybersecurity aren’t working anymore. It’s no longer enough to protect the perimeter, said Chris Ruetz, AVP and Country Manager for CyberArk, at a CanadianCIO Virtual Roundtable. “Perimeters are falling down now due to remote work and the cloud,” he said. “Zero…

The post Are you making zero progress on Zero Trust? Here’s how to get started first appeared on IT World Canada.

Increase in Ransomware Sophistication and Leverage of Legacy Malware Predicted for 2021


An increase in ransomware sophistication, commodity malware and abuse of legitimate tools are predicted to be the main threats for the next year.

According to the Sophos 2021 Threat Report, there will be a gap between ransomware operators at different ends of the skills and resource spectrum, with big-game hunting ransomware families continuing to refine and change their tactics, techniques and procedures to become more evasive and nation state-like in sophistication.

Sophos claimed this will involve the targeting of larger organizations with multi-million dollar ransom demands, while the number of entry-level, apprentice-type attackers looking for ransomware-for-rent will also increase.

Chester Wisniewski, principal research scientist at Sophos, said: “During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative cartels.

“The cyber-threat landscape abhors a vacuum: if one threat disappears another one will quickly take its place. In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in our report this year are likely to continue into 2021.”

Speaking to Infosecurity, Darren Guccione, CEO of Keeper Security, said that in 2020 cyber-criminals have taken advantage of the business disruptions caused by the global health crisis, particularly the sudden and dramatic rise in remote work. He cited statistics from Coveware which claim that the average enterprise ransomware payment increased to more than $100,000 in the first quarter of 2020, a rise of 33% from the final quarter of 2019.

“This dramatic surge is due to cyber-criminals increasingly attacking large enterprises with deep pockets and leveraging legacy systems,” he explained. “Additionally, healthcare organizations saw a 350% year-on-year increase in ransomware attacks at the end of 2019 compared to the same timeframe in 2018.”

Also, commodity malware, such as loaders and botnets, which can seem like low-level malware noise but are designed to secure a foothold in a target, gather essential data and share data back to a command-and-control network, should be taken seriously.

“Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system,” said Wisniewski. “Defenders need to take these attacks seriously, because of where they might lead: they may not realize that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys. Underestimating ‘minor’ infections could prove very costly.”

Guccione said the environment most businesses are operating in at the moment is extremely volatile, and now more than ever businesses should look to educate employees from the ground-up on the increasing cyber-risks and provide best practices for ensuring devices within their network are secure.

“It is the responsibility of business leaders to remind employees of the accountability they have as individuals for the safety and security of their own devices,” he said. “Only with the buy-in of all stakeholders do organizations have the best chance of securing their endpoints in the most efficient way possible.”

Wisniewski also said the abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos’ research, as this technique challenges traditional security approaches because the appearance of known tools doesn’t automatically trigger a red flag. “This is where the rapidly growing field of human-led threat hunting and managed threat response really comes into its own.”

Office 365 phishing campaign uses redirector URLs and detects sandboxes to evade detection

Microsoft is tracking an ongoing Office 365 phishing campaign aimed at enterprises that is able to detect sandbox solutions and evade detection.

Microsoft is tracking an ongoing Office 365 phishing campaign targeting enterprises; the attacks are able to detect sandbox solutions and evade detection.

“We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering,” reads a message published by Microsoft via Twitter.

“The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.”

Threat actors behind the campaign leverage redirector URLs with the capability to detect incoming connections from sandbox environments.

Upon detecting connections from sandboxes, the redirector sends them to legitimate sites to evade detection, while connections from real potential victims are redirected to phishing pages.

The phishing messages are also heavily obfuscated to bypass secure email gateways.

Microsoft experts also noticed that the threat actors behind this campaign are generating custom subdomains to use with the redirector sites for each of the targets.

The subdomains always contain the target’s username and org domain name, Microsoft added.

Each subdomain is unique, in an attempt to evade detection, and attackers prepend it to a set of base domains, typically compromised sites. The phishing URLs have an extra dot after the TLD, which is followed by the Base64-encoded email address of the recipient.

“The use of custom subdomains helps increase the believability of the lure. In addition, the campaign uses patterns in sender display names consistent with the social engineering lure: “Password Update”, “Exchange proteccion”, “Helpdesk-#”, “SharePoint”, “Projects_communications”,” continues Microsoft in a series of tweets published by its official account.

“The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection.”

Attackers used display name patterns like “Password Update”, “Exchange protection”, “Helpdesk-#”, “SharePoint”, and “Projects_communications” to trick the victims into believing that the messages come from a legitimate source and clicking the phishing link embedded within each email.
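A detection-side check for the URL traits Microsoft describes above, added here as an example rather than Microsoft's own code: it looks for a Base64 token after the extra dot that follows the TLD, decodes it, verifies that it is an e-mail address, and reports whether the subdomain embeds that recipient's username and organisation domain. The sample URLs are constructed with placeholder hostnames; nothing here is a real indicator.

```python
"""Spot the per-recipient redirector URL pattern used by the campaign."""
import base64
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def decode_email_token(token: str):
    """Return the e-mail address a Base64 (standard or URL-safe) token encodes, else None."""
    if not B64_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def inspect_redirector_url(url: str):
    """Describe the campaign's URL traits, or return None when they are absent.

    Returns a dict with the decoded recipient address, whether the host carries
    the extra trailing dot after the TLD, and whether the subdomain labels
    contain the recipient's username and organisation domain name.
    """
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1].split(":")[0]  # drop userinfo, port
    trailing_dot = netloc.endswith(".")
    # Candidate encoded tokens: the first path segment after the extra dot, or a
    # label glued onto the host. Original case is kept: Base64 is case-sensitive.
    candidates = [seg for seg in parts.path.split("/") if seg][:1]
    candidates.append(netloc.rstrip(".").rsplit(".", 1)[-1])
    email = next((e for e in map(decode_email_token, candidates) if e), None)
    if email is None:
        return None
    local, _, domain = email.partition("@")
    org = domain.split(".")[0].lower()
    host = netloc.lower()
    return {
        "email": email,
        "trailing_dot": trailing_dot,
        "subdomain_embeds_target": local.lower() in host and org in host,
    }


# Constructed samples: the token is Base64 for the placeholder alice@example-org.com.
SUSPICIOUS_URL = ("https://alice.example-org.compromised-site.invalid./"
                  "YWxpY2VAZXhhbXBsZS1vcmcuY29t")
BENIGN_URL = "https://www.example-org.com/login"

if __name__ == "__main__":
    for sample in (SUSPICIOUS_URL, BENIGN_URL):
        print(sample, "->", inspect_redirector_url(sample))
```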

Microsoft pointed out that its Defender for Office 365 product is able to detect phishing and other email threats and correlates threat data across email and data, endpoints, identities, and apps.

Recently, researchers at WMC Global spotted a new, creative Office 365 phishing campaign that inverts the images used as backgrounds for landing pages to avoid getting flagged as malicious by security solutions that scan the web for phishing sites.

In July, experts from Check Point reported that cybercriminals are increasingly leveraging public cloud services such as Google Cloud Services in phishing campaigns against Office 365 users.

Pierluigi Paganini

(SecurityAffairs – hacking, Office 365)

The post Office 365 phishing campaign uses redirector URLs and detects sandboxes to evade detection appeared first on Security Affairs.

Review: Group-IB Fraud Hunting Platform

Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging. But these (paid) services are also constantly threatened by attackers – and no company, no matter how big, is completely immune. Take the recent Twitter compromise as an example: the attackers hijacked a number of influential Twitter accounts, including those belonging to … More

The post Review: Group-IB Fraud Hunting Platform appeared first on Help Net Security.

WebNavigator Browser Released by Well-Known Search Hijackers

Security researchers found several clues linking the WebNavigator web browser to well-known search hijackers. A Chromium-based browser, WebNavigator promises users that it’ll simplify their web browsing experience by providing “quick access” to their bookmarks. The browser also claims to yield quick search results by starting up with Windows and by constantly running in the background. […]… Read More

The post WebNavigator Browser Released by Well-Known Search Hijackers appeared first on The State of Security.

Complete Our Survey and Redeem an Extended 60-Day Trial of Thor Foresight Enterprise [EXTENDED]

Are you a Heimdal Security blog reader and/or customer? Then you already know how passionate we are about cybersecurity research and education. This is why we decided to create a survey to better understand how prepared educational institutions are to face cybersecurity challenges in remote learning times.  Based on your responses, we will compile the data […]

The post Complete Our Survey and Redeem an Extended 60-Day Trial of Thor Foresight Enterprise [EXTENDED] appeared first on Heimdal Security Blog.

Cyber Security Today – Open database with unprotected passwords found, COVID test results sent to wrong person and a defence against Zoombombing

Today's podcast reports on the discovery of a database with unprotected passwords, unencrypted COVID test results sent to the wrong person and a new defence against Zoombombing

The post Cyber Security Today - Open database with unprotected passwords found, COVID test results sent to wrong person and a defence against Zoombombing first appeared on IT World Canada.

Data flow mapping key to EU–third country data transfers

When the European Court of Justice invalidated the EU–US Privacy Shield earlier this year, organisations were left unsure about how to legally transfer personal data into and out of the EU.

The ruling was made following criticism from the Austrian privacy activist Max Schrems, who argued that the US government’s mass surveillance practices contradicted the protections that the Privacy Shield was supposed to provide.

Data privacy experts – and many organisations – agreed that the most suitable alternative was SCCs (standard contractual clauses), but these require a lot of additional work.

That’s why the EDPB (European Data Protection Board) has issued guidance urging organisations to create data flow maps before transferring any personal data. It notes that although the process can be difficult, it’s “necessary to ensure that [personal data] is afforded an essentially equivalent level of protection wherever it is processed”.

The EDPB adds that organisations must verify the transfer tool that they use and check to see whether the European Commission has made an adequacy decision regarding the country where the information is being shared.

This is something that UK organisations – and those that transfer personal data into the country – must bear in mind. The UK’s Brexit transition period ends on 31 December, and an adequacy decision is still a long way off, so there will be major changes in the way data transfers work.

Creating a data flow map

Thousands of EU businesses relied on the Privacy Shield – as well as countless others outside the EU – so there are huge implications when it comes to alternative methods for data transfers.

Data flow mapping has therefore never been more important. The process helps organisations identify data items (such as names and email addresses), the format in which the data is held, the transfer method (such as by post or email) and the location of the data.

A data map also helps organisations see who has access to the data at any given time and who is accountable for it.

You can find out how to create a map with the help of our sister company Vigilant Software.

Its Data Flow Mapping Tool enables you to create and edit data flow maps thanks to its dynamic drawing tools.

You’ll gain full visibility over the personal data you hold and identify how the data is used, where it’s stored and how it’s transferred.

Mapping your data and complying with the GDPR’s data transfer requirements have never been simpler.

Find out more

The post Data flow mapping key to EU–third country data transfers appeared first on IT Governance UK Blog.

Michael Ellis as NSA General Counsel

Over at Lawfare, Susan Hennessey has an excellent primer on how Trump loyalist Michael Ellis got to be the NSA General Counsel, over the objections of NSA Director Paul Nakasone, and what Biden can and should do about it.

While important details remain unclear, media accounts include numerous indications of irregularity in the process by which Ellis was selected for the job, including interference by the White House. At a minimum, the evidence of possible violations of civil service rules demands immediate investigation by Congress and the inspectors general of the Department of Defense and the NSA.

The moment also poses a test for President-elect Biden’s transition, which must address the delicate balance between remedying improper politicization of the intelligence community, defending career roles against impermissible burrowing, and restoring civil service rules that prohibit both partisan favoritism and retribution. The Biden team needs to set a marker now, to clarify the situation to the public and to enable a new Pentagon general counsel to proceed with credibility and independence in investigating and potentially taking remedial action upon assuming office.

The NSA general counsel is not a Senate-confirmed role. Unlike the general counsels of the CIA, Pentagon and Office of the Director of National Intelligence (ODNI), all of which require confirmation, the NSA’s general counsel is a senior career position whose occupant is formally selected by and reports to the general counsel of the Department of Defense. It’s an odd setup — and one that obscures certain realities, like the fact that the NSA general counsel in practice reports to the NSA director. This structure is the source of a perennial legislative fight. Every few years, Congress proposes laws to impose a confirmation requirement as more appropriately befits an essential administration role, and every few years, the executive branch opposes those efforts as dangerously politicizing what should be a nonpolitical job.

While a lack of Senate confirmation reduces some accountability and legislative screening, this career selection process has the benefit of being designed to eliminate political interference and to ensure the most qualified candidate is hired. The system includes a complex set of rules governing a selection board that interviews candidates, certifies qualifications and makes recommendations guided by a set of independent merit-based principles. The Pentagon general counsel has the final call in making a selection. For example, if the panel has ranked a first-choice candidate, the general counsel is empowered to choose one of the others.

Ryan Goodman has a similar article at Just Security.

Americold Operations Downed by Cyber-Attack


US cold storage firm Americold has been hit by what appears to be a ransomware attack affecting business operations.

The 117-year-old firm operates temperature-controlled warehouses and transportation to support the cold chains needed to supply, for example, vaccines like the one being developed by Pfizer and BioNTech for COVID-19.

However, in a regulatory filing with the Securities and Exchange Commission (SEC), the firm revealed that its IT network was hit by an unspecified “cybersecurity incident” on Monday.

“As a precautionary measure, the company took immediate steps to help contain the incident and implemented business continuity plans, where appropriate, to continue ongoing operations. The company has notified and is working closely with law enforcement, cybersecurity experts and legal counsel,” it said.

“Security, in all its forms, remains a top priority at Americold, and the company will continue to seek to take all appropriate measures to further safeguard the integrity of its information technology infrastructure, data and customer information.”

With total revenue in 2020 so far exceeding $1.4bn, Americold would certainly seem like a prime candidate to extort with “human-operated” ransomware. The nature of its business also means that operational outages could seriously impact customers, potentially piling on the pressure to pay in order to resume business-as-usual.

One truck driver took to Twitter on Monday to post a picture of an affected Americold depot in the mid-west.

“At an Americold and their systems are down,” they noted. “They are unable to assign me to a door. Well let the waiting begin.”

Jamie Akhtar, CEO and co-founder of CyberSmart, said the incident highlighted the importance of good cybersecurity in supply chains.

“In order to strengthen the security ecosystem, businesses should not just concern themselves with their own security practices but hold their distributors and suppliers to account,” he added. “The UK is making some headway in this direction by requiring the Cyber Essentials certification for certain sectors. Other industries would do well to follow suit.”

Is your organization ready to tackle the cyber skills gap?

By Julie Jeffries, Director, Microsoft 365 and Security Business Group. With the ever-evolving cyber threat landscape, the need for security experts is increasing, but demand is far outstripping supply. Organizations face both a talent shortfall estimated at 3.5 million and a landscape that changes rapidly, requiring security professionals to continuously upgrade their skills. We hear…

The post Is your organization ready to tackle the cyber skills gap? first appeared on IT World Canada.

Chinese APT FunnyDream Runs Riot in Southeast Asia


Security researchers have uncovered another Chinese APT group, this time targeting southeast Asian governments, which has compromised over 200 machines in the past two years.

Bitdefender dubbed the group “FunnyDream” after one of the backdoors used in the attacks. It appears to have been active since at least 2018.

Focused on exfiltrating sensitive information, it uses spyware tools such as Filepak for file collection, ScreenCap for taking screenshots and Keyrecord for logging keystrokes on victim machines.

Although the initial threat vector isn’t known, Bitdefender claimed it is likely to be a phishing email. Three backdoors are then used for command and control (C&C): Chinoxy to gain persistence after initial access, the open source RAT PcShare for complex espionage and the custom-made FunnyDream toolkit.

Controlling the three backdoors is C&C infrastructure located mainly in Hong Kong, but also elsewhere in China and Vietnam.

Although 200 systems have shown signs of infection so far, Bitdefender warned that in some victim networks the domain controllers may have been compromised, allowing attackers to move laterally and gain control over a large number of machines.

“Attributing APT style attacks to a particular group or country can be extremely difficult — as false-flag forensic artifacts can be manufactured, C&C infrastructure can reside anywhere in the world and the tools used can be repurposed from other APT groups,” the vendor said.

“However, evidence suggests a Chinese-speaking APT group using Chinese language binaries, and the Chinoxy backdoor used during the campaign is a Trojan known to have been used by Chinese-speaking threat actors.”

The specific target governments were not named in the report, although China has tense relations with many countries that border the South China Sea due to territorial claims and other geopolitical disputes.

Hashtag Trending – End of PIPEDA? Twitter introduces Fleets, and Amazon Pharmacy is a go

Canadian privacy legislation is getting a facelift, Twitter introduces Fleets instead of an edit button, and Amazon is officially allowed to deliver prescription medications to its US customers.

The post Hashtag Trending - End of PIPEDA? Twitter introduces Fleets, and Amazon Pharmacy is a go first appeared on IT World Canada.

AWS Network Firewall: Network protection across all AWS workloads

Amazon Web Services announced the general availability of AWS Network Firewall, a new managed security service that makes it easier for customers to enable network protections across all of their AWS workloads. Customers can enable AWS Network Firewall in their desired Amazon Virtual Private Cloud (VPC) environments with just a few clicks in the AWS Console, and the service automatically scales with network traffic to provide high availability protections without the need to set up … More

The post AWS Network Firewall: Network protection across all AWS workloads appeared first on Help Net Security.

Trump Fires CISA Boss Who Said Election Was “Most Secure in History”


The well-respected head of a US government cybersecurity agency has been fired by Donald Trump after confirming the Presidential election was free, fair and secure.

As rumored last week and reported by Infosecurity, Christopher Krebs was on Tuesday “terminated” via a tweet from the White House, Trump’s increasingly favored way of dealing with high ranking government officials who displease him.

In it, the outgoing President repeated baseless allegations of voter fraud in the election, prompting Twitter to once again label his tweets with a warning label indicating possible misinformation.

In response, Krebs tweeted simply: “Honored to serve. We did it right. Defend Today, Secure Tomorrow.”

Trump’s ire seems to have been drawn by a recent statement from Krebs’s former employer, the Cybersecurity and Infrastructure Security Agency (CISA), and various election infrastructure agencies, that the November 3 election was “the most secure in American history.”

“There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised,” it continued.

This official undermining of Trump’s narrative by the bodies whose job it is to monitor the election proved too much for the President to take. CISA also runs a Rumor Control website to debunk mis- and disinformation circulating about the elections – much of which was promoted by Trump himself and his supporters.

Although Krebs was a rare Trump appointee when he joined CISA as someone who enjoyed bipartisan support, there were no Republican lawmakers to speak out in support of his service.

However, Democrat senator and vice-chair of the Senate Intelligence Committee, Mark Warner, stepped up.

“Chris Krebs is an extraordinary public servant and exactly the person Americans want protecting the security of our elections,” he tweeted. “It speaks volumes that the President chose to fire him simply for telling the truth.”

Use This Ultimate Template to Plan and Monitor Your Cybersecurity Budgets

Sound security budget planning and execution are essential for CIOs’ and CISOs’ success. Now, for the first time, the Ultimate Security Budget Plan and Track Excel template (download here) provides security executives with a clear and intuitive tool to keep track of planned vs. actual spend, ensuring that security needs are addressed while maintaining the budgetary frame. The dynamic nature of the

Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs

Apple is facing the heat for a new feature in macOS Big Sur that allows many of its own apps to bypass firewalls and VPNs, thereby potentially allowing malware to exploit the same shortcoming to access sensitive data stored on users' systems and transmit them to remote servers. The issue was first spotted last month by a Twitter user named Maxwell in a beta version of the operating system. "Some

Three-Quarters of IT/Security Execs Concerned Over Security of Remote Workforce


Nearly three-quarters (73%) of security and IT executives are concerned about additional risks posed to their organization by a distributed workforce since COVID-19, according to the Skybox Security 2020 Cybersecurity in the New Normal: Securing the Distributed Workforce report.

In the survey of 295 executives, the security firm reported it has observed a 34% year-on-year rise in vulnerabilities in 2020, which it said is a “leading indicator for the growth of future attacks.”

It highlighted that many organizations are not taking the steps needed to adequately protect their remote workforces. Over 30% of respondents revealed that software updates and BYOD policies were deprioritized since the start of the pandemic, while 42% said reporting was deprioritized.

In addition, almost a third (32%) found it difficult to validate whether network and security configurations undermine their security posture, and over half (55%) admitted it was at least moderately difficult to determine whether these configurations did not increase risk.

This is despite the fact that 70% of the security and IT executives predict that at least a third of their workforce will still be operating remotely in 18 months’ time.

The researchers also found that there was some complacency amongst the respondents in regard to their organizations’ security capabilities. Although only 11% stated they could confidently maintain a holistic security approach, 93% felt sure changes were being correctly validated.

“Traditional detect-and-respond approaches are no longer enough. A radical new approach is needed – one that is rooted in the development of preventative and prescriptive vulnerability and threat management practices,” commented Gidi Cohen, co-founder and CEO, Skybox Security. “To advance change, it is integral that everything, including data and talent, is working towards enriching the security program as a whole.”

The Defeated President Trump fired CISA chief Chris Krebs

President Trump has fired Chris Krebs, Director of CISA, over his statement calling the recent presidential election the most secure in US history.

Former President Trump has fired Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), over his statement calling the 2020 presidential election the most secure in US history.

Former President Trump stated in a tweet that Krebs’ statement was “highly inaccurate”. The social media platform labeled the tweet with the statement “This claim about election claim is disputed.”

Chris Krebs worked hard to protect the election process; as a consequence, the Trump administration has not been able to prove fraud or interference.

Krebs and his staff did great work ensuring that the 2020 election was not tampered with by nation-state actors; the DHS called this election “the most secure in election history.”

“The November 3rd election was the most secure in American history. Right now, across the country, election officials are reviewing and double checking the entire election process prior to finalizing the result.” reads the statement published by CISA.

“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”

Former President Trump, after losing the election, claimed that widespread voter fraud took place during the vote; he also filed lawsuits in several US states disputing the result without producing evidence to support his allegations.

Krebs became the first director of the Cybersecurity and Infrastructure Security Agency (CISA) on November 16, 2018, as part of the Cybersecurity and Infrastructure Security Agency Act of 2018.

CISA set up a website dubbed “Rumor Control” to debunk misinformation about the election, a move that aroused the ire of the White House.

Krebs reiterated that there is no evidence that could demonstrate the manipulation of the election systems.

Krebs acknowledged his termination in a tweet posted on his personal account:

Let me say that Krebs and his team have done a great job, thanks to their efforts they really made this election the most secure in election history.

Pierluigi Paganini

(SecurityAffairs – hacking, Chris Krebs)

The post The Defeated President Trump fired CISA chief Chris Krebs appeared first on Security Affairs.

Large-scale campaign targets vulnerable Epsilon Framework WordPress themes

Hackers are scanning the Internet for WordPress websites with Epsilon Framework themes installed to launch Function Injection attacks.

Experts at the Wordfence Threat Intelligence team uncovered a large-scale wave of attacks targeting reported Function Injection vulnerabilities in themes using the Epsilon Framework.

Below is a list of themes and the versions that are vulnerable to the above attacks:

Shapely <=1.2.7
NewsMag <=2.4.1
Activello <=1.4.0
Illdy <=2.1.4
Allegiant <=1.2.2
Newspaper X <=1.3.1
Pixova Lite <=2.0.5
Brilliance <=1.2.7
MedZone Lite <=1.2.4
Regina Lite <=2.0.4
Transcend <=1.1.8
Affluent <1.1.0
Bonkers <=1.0.4
Antreas <=1.0.2
NatureMag Lite <=1.0.5

According to the experts, the vulnerable themes are installed on over 150,000 sites.

“On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites.” reads the analysis published by WordFence. “So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses. While we occasionally see attacks targeting a large number of sites, most of them target older vulnerabilities.”

The vulnerabilities targeted by the threat actors could allow them to take over WordPress installs through an exploit chain ending in remote code execution (RCE). The researchers did not provide technical details on the attacks because the exploit does not yet appear to be in a mature state.

The researchers pointed out that the vast majority of these attacks appear to be probing attacks aimed at determining whether a site is running a vulnerable theme.

“These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.” continues the report.

Admins of websites running vulnerable versions of the themes are recommended to update them. If no security patch is available for the installed theme, admins should switch to another theme.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

The post Large-scale campaign targets vulnerable Epsilon Framework WordPress themes appeared first on Security Affairs.