New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem. The research was conducted by Kenna Security and the Cyentia …
Sophos published a report which flags how ransomware and fast-changing attacker behaviors, from advanced to entry level, will shape the threat landscape and IT security in 2021.
Increased gap between ransomware operators
The gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like …
TrapX Security and Enterprise Strategy Group (ESG) have released findings of research that surveyed 150 cyber and IT professionals directly involved in security strategy, control and operations within manufacturing organizations about their current and future concerns.
Manufacturing industry under threat
The research findings point to an industry whose security teams are seeing the IT and OT environments converging at a rapid pace. Yet manufacturing organizations are struggling to safeguard OT assets as they are …
If you have children visiting or staying with family members (such as grandparents), make sure the family members know your rules concerning technology that your kids must follow. Just because your kids leave the house does not mean the rules about what they can do online change.
Bitglass released a report which uncovers whether organizations are properly equipped to defend themselves in the cloud. IT and security professionals were surveyed to understand their top security concerns and identify the actions that enterprises are taking to protect data in the cloud.
Orgs struggling to use cloud-based resources safely
93% of respondents were moderately to extremely concerned about the security of the public cloud. The report’s findings suggest that organizations are struggling to use …
Home Affairs and DTA bosses detail the government's plan for how the public service will 'get its act together' and get rid of the silos that currently plague 180-plus 'cities and towns' within Canberra.
The use of publicly accessible MQTT brokers is prevalent across numerous verticals and technology fields. I was able to identify systems related to energy production, hospitality, finance, healthcare, pharmaceutical manufacturing, building management, surveillance, workplace safety, vehicle fleet management, shipping, construction, natural resource management, agriculture, smart homes and far more. Hackers have been sounding alarms about […]
Nutanix announced the findings of its survey and research report, which measures enterprise progress with adopting private, hybrid and public clouds. This year, survey respondents were also asked about the impact of the COVID-19 pandemic on current and future IT decisions and strategy. Hybrid cloud is still the frontrunner as the ideal IT infrastructure model (86% of respondents think so), and respondents running hybrid environments are more likely to plan to focus on strategic efforts …
Saviynt announced the general availability of their latest platform release, named Saviynt 2020. Designed to support the modern enterprise IT landscape, Saviynt 2020 is already helping 1.6M users at major global organizations manage risk, scale cloud initiatives, and maintain regulatory compliance. “Enterprise security challenges demand an intelligent, risk-based approach, especially with the drastic changes brought about by the global pandemic,” said Todd Soghier, Director, Identity & Access Management Governance at Marriott International. “We are continually …
Sysdig announced the global availability of Sysdig Secure embedded within IBM Cloud. IBM Cloud Monitoring with Sysdig, which uses Sysdig Monitor, is already the default monitoring solution used by IBM and offered to IBM Cloud customers when onboarding. With this addition of Sysdig Secure, the Sysdig Secure DevOps Platform is tightly integrated with IBM Cloud to provide customers end-to-end monitoring and security capabilities. The expansion of Sysdig Secure in IBM Cloud builds on the container, …
Anexinet announced its partnership with Alert Logic to deliver its Managed Detection and Response (MDR) solution to Anexinet customers. Through the agreement, Alert Logic’s cloud-based solution will provide 24/7 security monitoring against hacker threats, malware, and other cyberattacks. When a credible threat is detected, Anexinet’s trained response team will immediately quarantine impacted devices and rebuild systems if necessary. “The Alert Logic partnership broadens Anexinet’s cybersecurity portfolio with cutting-edge threat intelligence to protect our customers against increasingly …
Spin Technology announced the next generation of SpinOne, an AI-powered ransomware and backup solution for Google Workspace and Office 365. In the last year alone, 51 percent of organizations were targeted by ransomware, and cybersecurity continues to be a top concern for business leaders. Including advanced new security features, a completely redesigned user interface, and improved platform functionality, the latest version of SpinOne will help organizations better protect against ransomware attacks in the cloud. Over …
StorMagic announced that StorMagic SvSAN has been validated with Hewlett Packard Enterprise (HPE) Edgeline Converged Edge Systems. The joint edge hyperconverged (HCI) solution meets all of the unique compute, storage and networking requirements found at the edge, including simplicity, high density and the ability to deliver 100 percent uptime. “StorMagic SvSAN provides an easy to use, reliable and affordable HCI solution for HPE Edgeline customers at their edge locations,” said Shelly Anello, General Manager of …
Watch out for a whole different type of shoulder-surfing, researchers uncover the CostaRicto hackers-for-hire gang, and we take a peek at who is behind Parler.
All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Chris Cochran from the Hacker Valley Studio podcast.
Flashpoint announced it has acquired CRFT, a security automation provider that empowers teams of all sizes and skill levels to streamline daily security tasks through a seamless, no-code design and delivery engine. This acquisition augments the value of Flashpoint’s intelligence by empowering security and threat teams to streamline workflows and trigger actions that mitigate threats automatically. Flashpoint already produces the industry’s highest-quality threat intelligence from online illicit communities. By integrating CRFT’s no-code security automation into …
Fraudsters Using Evasive Techniques to Bypass Secure Email Gateways
Microsoft's Security Intelligence team is warning users of the Office 365 suite about an ongoing phishing campaign that appears to be harvesting victims' credentials. The emails use several techniques to bypass and evade secure email gateways.
Researchers: 'FunnyDream' Targeted Over 200 Entities in Southeast Asia
A recently identified Chinese hacking group dubbed "FunnyDream" has targeted more than 200 government entities in Southeast Asia since 2018 as part of an ongoing cyberespionage campaign, according to research from Bitdefender.
Andrii Kolpakov Faces 25 Years for Wire Fraud And Conspiracy, Documents Show
An accused ringleader of the notorious FIN7 hacking group, which prosecutors say stole 15 million payment cards over several years, has pleaded guilty to multiple federal charges, according to court documents. Andrii Kolpakov faces a possible 25-year prison term.
In the early hours of Monday morning, Managed.com - a major provider of managed web hosting solutions - discovered it was the victim of a co-ordinated ransomware attack.
Such is the severity of the attack that Managed.com has taken client websites offline out of "an abundance of caution" as a $500,000 ransom is demanded by the attackers.
Cisco has addressed three flaws in Webex Meetings that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.
Cisco has addressed three vulnerabilities in Webex Meetings (CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419) that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.
“A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list.” reads the security advisory published by Cisco.
The vulnerabilities were discovered earlier this year by IBM security researchers as part of an assessment of the tools used by the company's personnel for remote working during the COVID-19 pandemic.
Ghost participants could not be seen in the meeting's participant list, yet they could access any media within the meeting, even if they were not invited.
The flaws also allowed attackers to remain in a Webex meeting as ghost audio users after admins removed them, and to access Webex users’ information, including full names, email addresses, and IP addresses.
The bugs affect Cisco Webex Meetings and Cisco Webex Meetings Server; they reside in the “handshake” process used to establish a new Webex meeting.
“Malicious actors could abuse these flaws to become a ‘ghost’ joining a meeting without being detected.” reads the report published by IBM. “The now-patched flaws, discovered by IBM researchers, would have allowed an attacker to:
Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat and screen-sharing capabilities.
Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection.
Gain access to information on meeting attendees — including full names, email addresses and IP addresses — from the meeting room lobby, even without being admitted to the call.”
The experts were able to exploit the flaws on the macOS, Windows, and iOS versions of the Meetings applications and on the Webex Room Kit appliance.
IBM experts also published a video PoC of the attack.
“Once a host starts or unlocks a meeting, a ghost could slip in and join the meeting using the handshake manipulation, without ever showing up on any participant list, including the host’s participant list. The ghost could see and hear other participants, as well as view shared screens and chat without revealing their presence.” continues the report.
“With this technique, the only indication the participants would have that they may not be alone is the beep of a new audio connection. For especially large meetings, the host might disable the entry and exit tone, allowing the ghost to enter perfectly stealthily. In other instances, the ghost’s entry tone would play, but may go unnoticed by the host or other participants who aren’t counting and associating each tone with a specific participant.”
Cisco has patched cloud-based Cisco Webex Meetings sites and released security updates for on-premises software to address the flaws.
Cryptocurrency exchange Liquid has revealed that it was hacked last week, after a malicious attacker managed to seize control of its DNS records, seized control of some internal email accounts, and gained access to the firm's document storage infrastructure.
And, as a consequence, personal details of customers may now be in the hands of hackers.
Meanwhile, Deputy CISA Director Resigns; Acting Director Reportedly Named
Waves of support from the InfoSec community continue to pour in for former CISA Director Christopher Krebs, who was fired Tuesday by President Donald Trump. Meanwhile, an acting CISA director reportedly has been named, and Deputy Director Matt Travis has resigned.
Cyber threats against Canadians and organizations show no signs of slowing, according to the federal government’s latest analysis, and many attacks are successful for one reason: Failure to follow basic security hygiene.
“The vast majority of cyber incidents in Canada occurred because basic elements of cybersecurity weren’t followed,” wrote Scott Jones, the head of the Canadian Cyber Security Centre, in its national cyber threat assessment released this afternoon.
The centre is the public-facing division of the Communications Security Establishment, otherwise known as the country’s electronic spy agency. The CSE protects federal networks while the centre advises the private and public sectors on cyber strategies.
One of the key conclusions, said Defence Minister Harjit Sajjan, who oversees the CSE, is that “the internet is at a crossroads, with countries like China and Russia pushing to change the way it is governed, to turn it into a tool for censorship, surveillance, and state control.”
This is a reference to pressure at the United Nations and the International Telecommunications Union by some countries for technical and policy changes. China and Chinese telecom companies have pressed the ITU to adopt what they call the New Internet Protocol to develop a “top-down design for the future network.” According to reports, the NIP would allow a state to in effect have a kill switch on Internet traffic it doesn’t like.
The centre’s report said the NIP might provide certain cybersecurity advantages, “but it would enable powerful censorship, surveillance, and state control.”
At a press conference for reporters, Jones said successful attacks largely exploit unpatched systems. “We still as a nation are making it far too easy for any cyber actor to execute their operations against us. One simple thing that everyone can do is deal with the basics.”
Not only does the black market sell more sophisticated attack tools, he added, but they boast “better support than many of us can get for our IT products.”
Asked why organizations aren’t hitting the basics, Jones acknowledged many small and medium-sized businesses find security products and services too expensive or too complex to implement. The centre has a guide for SMBs with “very simple things” like turning on automatic software patching.
Jones also said the centre is looking for industry partners like the Canadian Bankers Association, which is urging young companies to pay attention to that SMB guidance.
In addition, the IT industry should make it easier for customers to keep their systems up to date, he said. “It needs to be less drastic, it needs to be easier, it needs to be automatic to apply security patches.”
Meanwhile, large organizations, with their large IT staff, need to share more threat information widely with other firms, Jones said.
The report notes that its 2018 edition also said “many cyber threats can be mitigated through awareness and best practices in cybersecurity and business continuity. Cyber threats and [foreign] influence operations continue to succeed today because they exploit deeply-rooted human behaviours and social patterns, and not merely technological vulnerabilities.
“Defending Canada against cyber threats and related influence operations requires addressing both the technical and social elements of cyber threat activity. Cybersecurity investments will allow Canadians to benefit from new technologies while ensuring that we do not unduly risk our safety, privacy, economic prosperity, and national security.”
The threat assessment and predictions are used by the government to set its priorities, as well as to inform Canadians about cyber hazards.
Key findings include:
The number of cyber threat actors is rising, and they are becoming more sophisticated. The commercial sale of cyber tools coupled with a global pool of talent has resulted in more threat actors and more sophisticated threat activity. Illegal online markets for cyber tools and services have also allowed cybercriminals to conduct more complex and sophisticated campaigns.
Cybercrime continues to be the cyber threat most likely to affect Canadians and Canadian organizations.
Ransomware will almost certainly continue to target large Canadian enterprises and critical infrastructure providers. These entities cannot tolerate sustained disruptions and are willing to pay up to millions of dollars to quickly restore their operations. Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks and the potentially destructive consequences of refusing payment.
While cybercrime is the most likely threat, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada.
State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals. But the centre feels it unlikely cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation.
State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. We assess that these threat actors will almost certainly continue attempting to steal intellectual property related to combatting COVID-19 to support their own domestic public health responses or to profit from its illegal reproduction by their own firms. The threat of cyber espionage is almost certainly higher for Canadian organizations that operate abroad or work directly with foreign state-owned enterprises.
Online foreign influence campaigns are almost certainly ongoing and aren’t limited to key political events like elections. “Online foreign influence activities are a new normal, and adversaries seek to influence domestic events as well as impact international discourse related to current events.”
Researchers uncovered a large-scale campaign conducted by China-linked APT10 targeting businesses using the recently-disclosed ZeroLogon vulnerability.
Symantec’s Threat Hunter Team, a Broadcom division, uncovered a global campaign conducted by a China-linked APT10 cyber-espionage group targeting businesses using the recently-disclosed ZeroLogon vulnerability.
The group, also known as Cicada, Stone Panda, and Cloud Hopper, has been active since at least 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.
The group has been observed while attempting to exploit the Windows Zerologon vulnerability in attacks aimed at Japanese organizations from multiple industry sectors in 17 regions around the globe. Targeted sectors include:
General Trading Company
Managed Service Providers
The latest campaign has been active since mid-October in 2019 and appears to be still ongoing.
APT10 is a well-resourced cyberespionage group that employs multiple tools and sophisticated techniques in its attacks. In the recent campaign, the attackers extensively used DLL side-loading and leveraged the ZeroLogon vulnerability.
Experts observed the attackers using a wide variety of living-off-the-land, dual-use, and publicly available tools.
Other attack techniques used by the group include network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting service for data exfiltration.
The APT10 group also employed custom malware, tracked as Backdoor.Hartip, that had never been detected before.
“Intelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too.” reads the report published by Symantec. “We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources (HR), audit and expense data, and meeting memos.”
The attribution to APT10 is based on multiple pieces of evidence, including clues in how the code is obfuscated, the use of a third-stage DLL with an export named “FuckYouAnti,” and the use of QuasarRAT as the final payload.
“Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous,” Symantec concludes. “Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor […] show that it continues to evolve its tools and tactics to actively target its victims.”
An Irish cyber-thief has been jailed for his part in a SIM-swap conspiracy that robbed victims of their life savings.
Conor Freeman was identified by US Homeland Security as a member of a criminal group that stole over $2m worth of cryptocurrency from multiple victims in 2018.
Freeman, of Dun Laoghaire, Dublin, pleaded guilty to stealing cryptocurrency, dishonestly operating a computer to make a gain, and knowingly engaging in the possession of the proceeds of crime.
The 21-year-old handed over a virtual wallet containing 142.75682712 Bitcoin—now worth over $2m—to the gardaí at the time of his arrest.
Together with at least five co-conspirators based in the US, Freeman used a SIM-swap scam to steal cryptocurrency worth $100,000 from Darran Marble on May 15, 2018. The next day, the group targeted Seth Shapiro, making off with $1,921,335 in virtual money.
Two days later, the cyber-criminals used the same technique to illegally relieve Micheal Templeman of cryptocurrencies with an approximate value of $167,622.22.
Passing sentence in Dublin Circuit Criminal Court on Tuesday, Judge Martin Nolan noted that Shapiro lost the proceeds of the sale of his house and his entire life savings to Freeman and his co-conspirators.
Although Nolan deemed it unlikely that Freeman would reoffend, he gave the Dubliner a custodial sentence of three years for crimes that involved "guile and deception."
The court heard that Freeman met his co-conspirators online. Together, the group combed social media for targets that might have access to large amounts of cryptocurrency.
After choosing a victim, the group would scour the internet until they found the target's email address and phone number. Contacts who worked in telecommunications transferred the phone numbers of potential victims onto SIM cards bought by the group.
By initiating protocols set up to assist people who forget their passwords, the group managed to gain access to victims' online accounts. Freeman's role was to sift through victims' emails to identify sources of cryptocurrencies they possessed.
Defending Freeman, Paul O'Carroll SC described his client as "very much a loner" who started hacking the accounts of other gamers for a thrill while he was in his teens.
Freeman's five co-conspirators are before the courts in the United States.
In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.
Americans are planning to do more of their holiday shopping online this year despite being concerned that they might fall victim to cyber-scams.
Research by global computer security software company McAfee found that 36% of American consumers are planning on buying gifts online this year despite 60% feeling that cyber-scams become more prevalent during the holiday season.
The findings were included in McAfee's "2020 Holiday Season: State of Today’s Digital e-Shopper" survey that was published yesterday. McAfee commissioned 3Gem to conduct a survey of 1,000 adults over the age of 18 in the United States between October 8 and October 13, 2020.
During last year's Black Friday to Cyber Monday holiday weekend, more than 124 million consumers chose to make their purchases in-store. In 2020, as the world grapples with COVID-19, consumers have shifted direction, shopping more and buying what they need through their devices.
The survey revealed that 49% of Americans said they are buying online more since the global pandemic struck. Nearly one in five consumers (18%) said that shopping online is a daily activity, while one in three (34%) make purchases via the internet 3 to 5 days a week.
Over a quarter (27%) of respondents ages 18 to 24 said that they checked the authenticity of discounts and deals sent to them via email and text message. Overall, fewer than half (43%) said that they would be checking to see if Black Friday or Cyber Monday emails and text messages sent are trustworthy and genuine.
Researchers noticed a difference in concern over cybercrime across generational age groups. While 79% of those aged 65 or older believe there is a greater cyber-risk due to COVID-19, this view was shared by only 70% of those aged 18 to 24.
“Many are wondering what this year’s holiday season will look like as consumer shopping behaviors continue to evolve and adapt to the challenges faced throughout 2020,” said Judith Bitterli, vice president of consumer marketing.
“With results showing the growing prevalence of online shopping, consumers need to be aware of how cyber-criminals are looking to take advantage and take the necessary steps to protect themselves—and their loved ones—this holiday season.”
When conducting research for this year’s State of Software Security report, we looked at how “nature” and “nurture” contribute to the time it takes to close out a security flaw. For the “nature” side, we looked at attributes that we cannot change, like application size or age. For “nurture,” we looked at application attributes we can change, like security scan frequency and cadence.
We found that the “nature” of applications can have a negative effect on how long it takes to remediate a security flaw. Applications with a high flaw density take, on average, 63 days longer to remediate security flaws than applications with a lower flaw density. Large applications or organizations and old applications also slow down remediation.
But on a positive note, we found that there are ways you can “nurture” applications (even when the “nature” is less than ideal) to speed up time to remediation. Over the next several weeks, we will provide three tips, including frequent and steady scanning and API integration, for nurturing applications. The first tip, proven to be the most effective method for nurturing the security of your applications, is using dynamic application security testing (DAST) in conjunction with static application security testing (SAST). In fact, we found that organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST.
Why does using DAST with SAST improve time to remediation?
Static analysis scans for flaws during the development phase of the software development lifecycle (SDLC), and it looks for common issues, such as directory traversals, Cross-Site Scripting, and various injection flaws. Dynamic analysis scans during runtime, looking for issues with server and deployment configuration and authentication issues.
The chart above shows how much deeper the scanning goes when DAST is added to SAST. As you will see, dynamic analysis is able to draw out significantly more flaws when added to static analysis than when static is used alone. For example, static analysis finds around 10 percent of CWE-297 flaws, but when DAST is added, the number of CWE-297 flaws discovered more than doubles.
It can be surmised that when developers see the flaws drawn out by dynamic analysis, not just the magnitude of flaws but the severity and exploitability, developers are more likely to remediate the security flaws at a faster rate.
To learn more about our nature vs. nurture findings or for additional information on the benefits of adding DAST to SAST, check out our recent State of Software Security report. And stay tuned for our Nature vs. Nurture Tip 2 and Tip 3 blogs, coming soon!
Social media giant Twitter has created a new head of security position and hired a world-famous hacker to fill it.
The appointment of 49-year-old American Peiter Zatko, known online by his hacking handle "Mudge," was announced by Twitter on November 16.
According to Reuters, guitarist and Berklee College of Music graduate Zatko has been given a broad mandate to review the security structure and practices of the networking site and recommend changes. After a review period that will last up to 60 days, Zatko will report his findings and suggestions directly to Twitter's CEO, Jack Dorsey.
In an exclusive interview with Reuters, the new appointee said he will be digging deep into Twitter's “information security, site integrity, physical security, platform integrity—which starts to touch on abuse and manipulation of the platform—and engineering.”
Previously, Zatko worked at electronic payments unicorn Stripe, where he oversaw security. Prior to that position, the network security expert was hired by Google to oversee the distribution of grants for projects relating to cybersecurity at the Pentagon's Defense Advanced Research and Projects Agency (DARPA).
Dan Kaufman, who supervised Zatko during his time at DARPA, commented: “I don’t know if anyone can fix Twitter’s security, but he’d be at the top of my list."
Hacker, writer, and open-source programmer Zatko began his career as a government contractor carrying out classified work while simultaneously leading hacking group Cult of the Dead Cow. The group gained notoriety for placing pressure on Microsoft to up its security game by releasing Windows hacking tools.
Zatko was also the most prominent member of hacker think tank L0pht Heavy Industries, a group known for pioneering responsible disclosure of vulnerabilities. Zatko was among seven L0pht members who claimed that they could shut down the internet in 30 minutes while giving testimony before the Congress of the United States in 1998 on national cybersecurity.
Describing his new employer, Zatko said: “They are willing to take some risks. With the challenges of algorithms and algorithmic bias, they are not standing by and waiting until someone else solves the problem.”
Offensive Security has released Kali Linux 2020.4, the latest version of its popular open source penetration testing platform. You can download it or upgrade to it.
Kali Linux 2020.4 changes
The changes in this version include: ZSH is now Kali’s new default shell on desktop images and cloud; Bash remains the default shell for other platforms (ARM, containers, NetHunter, WSL) for the time being. Users can, of course, use whichever they prefer, but be …
Fixes Arriving to Safeguard DNS Against Newly Found 'SAD DNS' Side-Channel Attack
Researchers are warning that many domain name system server implementations are vulnerable to a spoofing attack that allows attackers to redirect, intercept and manipulate traffic. Thankfully, fixes are already arriving for this so-called SAD DNS flaw.
#ISC2Congress: Which Pen-Testing Approach is Right for Your Business?
Speaking during the virtual (ISC)2 Security Congress Alex Haynes, CISO at CDL, explored the various pen-testing approaches available to organizations and outlined how companies can determine which is the best option for their business use cases.
“The problem with pen-testing in the market is that there’s an ‘alphabet soup’ of terminology and it is very easy to get confused when there are all these marketing terms being thrown around.”
Essentially, there are three key approaches to pen-testing that organizations can implement, Haynes said.
The first is traditional pen-testing, defined as a “snapshot of your security posture at a particular point in time.”
The pros of traditional pen-testing methods include cost efficiency, flexibility and standardization. However, there are important inadequacies to consider when it comes to traditional pen-testing approaches, Haynes warned. These include the fact that they are infrequent, time-limited, lack diversity in approach and can invoke pen-tester syndrome (a focus on theoretical vulnerabilities that make things appear worse than they actually are).
The second approach to pen-testing open to organizations is the crowdsourced security option, Haynes continued. This involves “having more than one tester who has no affiliation [with your systems] looking for bugs and vulnerabilities on your systems and applications.”
A crowdsourced security pen-testing strategy offers some key benefits that traditional pen-test methods cannot, including higher frequency rates, unlimited time-scales and a more cost-effective business model (in the short run) in which researchers are only paid per vulnerability rather than taking a full salary.
However, as with traditional pen-testing approaches, crowdsourced strategies have their own drawbacks to consider. These include the web-heavy skillsets of researchers, potentially unethical behaviors and heavy network traffic.
The third and final approach to organizational pen-testing is automated pen-testing, Haynes said.
“This mimics the behavior of a human attacker by choosing the best kind of attack vector for a particular vulnerable system, at scale, without human intervention.”
Automated pen-testing can be run daily or continuously, generate reports on the fly and be configured to start from anywhere or to use only certain vectors for testing particular attack scenarios, so it has clear benefits, Haynes explained.
At the same time, as with traditional and crowdsourced pen-testing, there are downsides to automated pen-testing: it is only useful for pen-testing inside the network, it lacks understanding of web applications, and the cost per asset can be high for larger networks.
To conclude, Haynes said that deciding which pen-testing approach is best suited to an organization depends on various factors, but added that the strategies are not mutually exclusive: always start with pen-testing to establish a baseline and, if your budget permits, layer the other approaches on top.
The past few months have changed the way we work in many ways: working from home, social distancing, and remote operations have all had impacts on our previously known ways of life. At Microsoft, we have been working hard to help our customers adjust to this rapidly changing and evolving work environment. As has been the case for a while now, this is anchored in the framework of Zero Trust, an approach that we believe is critical to a strong security posture. At its heart, Zero Trust is all about applying visibility, adhering to governance requirements, and enforcing control of cloud apps, services, assets and workloads.
As businesses adapt to the increase in remote work and unmanaged device use, Cloud Access Security Broker (CASB) use has accelerated. According to the most recent report from Gartner, “CASBs (have become) essential elements of cloud security strategies.”
We believe that Cloud App Security is a critical component of any security portfolio to enable a Zero Trust security approach. Organizations across all customer segments are securing their apps with Microsoft Cloud App Security, from large enterprises in professional services like Accenture to health organizations such as St. Luke’s.
According to a recent Total Economic Impact (TEI) study commissioned from Forrester Consulting, customers can save time and resources, and improve security, with Microsoft Cloud App Security. The Forrester study shows a three-year 151 percent return on investment (ROI) and a payback period of less than three months on the Cloud App Security investment. Indeed, Microsoft uses Cloud App Security internally, and it has been great to see the momentum across our customers: we crossed the threshold of protecting 100 million users in the summer of 2020. The unique perspective we have been building, from which customers can exercise control and governance, has been recognized in this year’s Gartner Magic Quadrant for Cloud Access Security Brokers (CASB).
Microsoft Cloud App Security is Microsoft’s CASB. This essential productivity and security enabler helps organizations gain visibility into their cloud apps and services. It provides sophisticated analytics to identify and combat cyberthreats and to control the travel of sensitive information, supporting Microsoft’s native cloud services as well as numerous third-party cloud apps and services, such as Dropbox, Salesforce, and others.
Our vision for the CASB category is to push beyond just controlling SaaS apps and into IaaS and PaaS posture recommendations and management. We believe it is incumbent on us to provide our customers with a holistic security solution that acknowledges their security estate across platforms and clouds. We deliver this vision through five key capabilities:
Shadow IT Discovery enables customers to see clearly into the opaque space of cloud usage; in addition to traditional proxy and firewall logs, we extend this discovery to the endpoint with an integration with Microsoft Defender for Endpoint. This integration also powers Endpoint CASB capabilities, allowing Cloud App Security to enforce threat protection and information protection policies on every supported endpoint. Once visibility into cloud resource usage is in place, customers can start applying control and management policies.
Information Protection capabilities, identifying the most critical information, and applying policy and access controls, are significant investments for customers. Through deep integration with Microsoft Information Protection, together with the reverse proxy capabilities of Cloud App Security, customers have the power to enforce complex information and DLP (Data Loss Prevention) policies across Microsoft and 3rd party enterprise apps.
Threat Protection leverages Microsoft Defender for Identity to provide a unified view of an organization’s identities across on-premises and cloud resources, to monitor behaviors and highlight abnormalities, and to block nefarious content and malicious payloads.
Secure Access capabilities provided by Cloud App Security are deeply connected with Azure Active Directory (Azure AD), allowing customers to enforce and monitor access and session policies across all managed cloud resources.
Cloud Security Posture Management (CSPM) assessment and governance is founded on close collaboration with Azure Security Center, providing multi-cloud security posture (AWS, GCP, and more) to customers.
Microsoft remains committed to Cloud App Security and we are actively looking at which areas of investment are the most beneficial to our customers. For example, we will extend multi-application SaaS Security Posture Management (SSPM) capabilities as a core scenario across our security offerings, and we will continue to listen to our customers on how we can best help them in their efforts to maintain a strong security posture.
* Gartner Magic Quadrant for Cloud Access Security Brokers, Craig Lawson, Steve Riley, October 28, 2020.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.
Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
What's better than a clean install? How about a clean installation that includes all required drivers and utility programs? Here's how to locate a free Windows 10, Windows 7, or even Linux recovery image for your Dell, HP, Lenovo, or Surface PC.
#DxPsummit: Use Quarantine in Your Ransomware Recovery
Consider using a strategy of quarantine when implementing a ransomware recovery strategy, as reinfection can easily occur.
Speaking as part of Druva’s Cloud Data Protection Summit, Charles Green, sales engineer at Druva, said the shift of data outside the company perimeter and firewalls led to an increase in ransomware payments, as well as more cyber insurance options to cover those payments.
He explained that there are a number of challenges when dealing with a ransomware event, and he said anything you can do “that could be automated should be automated,” including:
Respond – quickly via automated or orchestrated response
Prevent – download of infected snapshots
Identify – last known good copy to recover from
Recover – with confidence
That last point, he claimed, requires air gaps, as data protection is “a last line of defense when all your other preventative controls have failed.” He said that your data protection solution should be able to provide automated anomaly detection, especially where a large number of files is added to or deleted from a backup set. “This will all enable an administrator to identify a last known good copy that they can recover from,” he said.
“Also, while you’re working through your environment, you should be able to quarantine backups and prevent users from reinfecting the environment.”
He recommended using a more granular quarantine approach, rather than having to quarantine all data. If you are also able to quarantine by a specific date range, you will be able to restore from snapshots that are “known good” and you can continue to function as a business whilst this is going on.
He also recommended remotely wiping devices to prevent further malware spread. This he called “defensible deletion,” as it deletes from devices and backups, and is something that is very critical when you’re dealing with ransomware.
He said ransomware recovery tools, such as one provided by Druva, can be used “to quarantine snapshots, know where your data is being accessed from and also leverage things like our federated search and defensible deletion process” to deal with ransomware attacks.
Green said ransomware prevention relies on backup, which he said was critical and should be “secure by design; it should not be an add on or an option.” He also said you should know that a backup set is protected, “and to get more from your backup, look for things like detective controls and anomaly detection that will alert you to a challenge to your environment.” He concluded by saying this will help you recover successfully and securely.
#ISC2Congress: Building a Resilient Cybersecurity Industry from #COVID19
Learning lessons from the COVID-19 pandemic is vital to growing resiliency in the cybersecurity industry, according to Juliette Kayyem, former assistant secretary at the Department of Homeland Security, speaking during a keynote session at the virtual (ISC)2 Security Congress.
She began by outlining the five stages of crisis management, noting that COVID-19 bears many similarities to other crises. These consist of two prior to the “boom,” which are protection and prevention, and three after: response, adaptive recovery and resiliency.
What differentiates COVID-19 from other crises, however, is the sustained focus on “adaptive recovery” with minimized contact intensity set to be in place for the foreseeable future. This is opposed to other crises which generally allow life to return to normal quickly. “This period is going to exist until further notice,” said Kayyem.
This adaptive stage does provide a unique opportunity for lasting resiliency to be achieved. Through learning the lessons of the pandemic, in many ways life will not simply return to normal. In the context of the workplace, she anticipated that the experiences of the pandemic will lead to numerous permanent changes, including much more remote working, a greater focus on employee health (including the rise of the chief health officer) and better protections for gig and contract workers.
Kayyem stated: “COVID-19 has laid bare some necessary conversations that we’ve only been whispering about in the last couple of years, and just like so many other major crises that have happened in our past, they open up an important conversation about what kind of nations and what kind of world we want to be.”
This new landscape is going to heavily affect the cybersecurity sector and industry leaders need to now plan ahead rather than constantly introduce patchwork solutions, according to Kayyem. “Do you accept that you need to think about what it’s like to manage a security team through to the end of 2021?” she asked.
This includes anticipating early investments needed in technology systems, the kinds of security threats that may exist going forward and ways of communicating in this “new normal.” To do so, she advised: “You need to set an implementation plan that gets you to the end of 2021 in terms of needs, employees, workforce development, hiring and budget, and you need to make that case loud and clear.”
Kayyem also highlighted the importance of working out how security teams can maintain some form of physical contact, which is likely to be a challenge in the current adaptive phase. “What combination of your security team will need to meet, who within the security team, how will you on-board and how employees will learn what the corporate culture is,” she outlined.
Ensuring security stays a key focus throughout the organization over the coming 18 months must also be a priority for security leaders, as complacency sets in easily. Kayyem commented: “It may be that you need to build new resources, do retraining and remind people… you’ve got to reiterate those security needs.”
She concluded: “We are in a time in which we are going to have to adapt and learn to live in the now normal and that means protecting yourselves, your family and continuing to protect your employees, teams and institutions through 2021.”
A Chinese state-sponsored hacking group has been observed while attempting to exploit the Windows Zerologon vulnerability in attacks against Japanese companies and subsidiaries from multiple industry sectors in 17 regions around the globe. [...]
President Trump on Tuesday fired his top election security official Christopher Krebs (no relation). The dismissal came via Twitter two weeks to the day after Trump lost an election he baselessly claims was stolen by widespread voting fraud.
Chris Krebs. Image: CISA.
Krebs, 43, is a former Microsoft executive appointed by Trump to head the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security. As part of that role, Krebs organized federal and state efforts to improve election security, and to dispel disinformation about the integrity of the voting process.
Krebs’ dismissal was hardly unexpected. Last week, in the face of repeated statements by Trump that the president was robbed of re-election by buggy voting machines and millions of fraudulently cast ballots, Krebs’ agency rejected the claims as “unfounded,” asserting that “the November 3rd election was the most secure in American history.”
In a statement on Nov. 12, CISA declared “there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
But in a tweet Tuesday evening, Trump called that assessment “highly inaccurate,” alleging there were “massive improprieties and fraud — including dead people voting, Poll watchers not allowed into polling locations, ‘glitches’ in the voting machines that changed votes from Trump to Biden, late voting, and many more.”
Twitter, as it has done with a remarkable number of the president’s tweets lately, flagged the statements as disputed.
By most accounts, Krebs was one of the more competent and transparent leaders in the Trump administration. But that same transparency may have cost him his job: Krebs’ agency earlier this year launched “Rumor Control,” a blog that sought to address many of the conspiracy theories the president has perpetuated in recent days.
Sen. Richard Burr, a Republican from North Carolina, said Krebs had done “a remarkable job during a challenging time,” and that the “creative and innovative campaign CISA developed to promote cybersecurity should serve as a model for other government agencies.”
Sen. Angus King, an Independent from Maine and co-chair of a commission to improve the nation’s cyber defense posture, called Krebs “an incredibly bright, high-performing, and dedicated public servant who has helped build up new cyber capabilities in the face of swiftly-evolving dangers.”
“By firing Mr. Krebs for simply doing his job, President Trump is inflicting severe damage on all Americans – who rely on CISA’s defenses, even if they don’t know it,” King said in a written statement. “If there’s any silver lining in this unjust decision, it’s this: I hope that President-elect Biden will recognize Chris’s contributions, and consult with him as the Biden administration charts the future of this critically important agency.”
KrebsOnSecurity has received more than a few messages these past two weeks from readers who wondered why the much-anticipated threat from Russian or other state-sponsored hackers never appeared to materialize in this election cycle.
That seems a bit like asking why the year 2000 came to pass with very few meaningful disruptions from the Y2K computer date rollover problem. After all, in advance of the new millennium, the federal government organized a series of task forces that helped coordinate readiness for the changeover, and to minimize the impact of any disruptions.
But the question also ignores a key goal of previous foreign election interference attempts leading up to the 2016 U.S. presidential and 2018 mid-term elections. Namely, to sow fear, uncertainty, doubt, distrust and animosity among the electorate about the democratic process and its outcomes.
To that end, it’s difficult to see how anyone has done more to advance that agenda than President Trump himself, who has yet to concede the race and continues to challenge the result in state courts and in his public statements.
Truebill, Chargebee, Fusebill and other financial apps have been inundating my social feeds and until recently I didn’t understand why I would need one of these apps. I’m the type that knows her bank account balance to the penny, and I was shocked to discover that many of my co-workers and, of course, my college kid had no idea their balance was low until they tried to use their debit card and got declined. What also surprises me is how many people don’t know what is coming out of their bank account. I may not realize precisely how much my Starbucks addiction costs, but I’m in security and I need my caffeine! Keeping up with the latest ways cyber criminals can infiltrate an organization or sneak past endpoint solutions takes a lot of energy.
Then I got to thinking about these new apps that I couldn’t imagine anyone needing to use, until I decided to try one… and then I discovered I too had been compromised by subscriptions and fees I had no idea I was being charged for. This led me to think about my false sense of security and how I felt I was protected because I checked my account and tracked what came in and out. I use my debit card a lot, I use it constantly for purchases and have it attached to Apple Pay, PayPal and, you name it, it is linked.
So why am I bringing this up? Well, in your job you might have responsibility for corporate security, and you might be feeling pretty comfortable that you have everything under control, a bit like I did with my finances. But you don’t know what you don’t know. It’s all well and good (and indeed highly advisable) having an endpoint protection product in place, but is it possible that this is giving you a feeling of security beyond the true situation? Could there be sneaky activity happening at a really low level that is getting past those solutions? I didn’t think so, until I installed the app and discovered exactly what I didn’t know.
And that’s where EDR comes in, because EDR is designed to monitor what is happening on your endpoint devices: to track and trace activity, consolidate it and identify potential risks. The really good EDR solutions will also group related items into threads to speed up investigations, prioritize which groups should be examined first and even automate some of the investigation processes.
The Importance of Automation
And don’t overlook the importance of that automation. When I was looking at my finances, if the app I tried had simply overwhelmed me with massive amounts of information (some of which I knew, some of which was a surprise, all of which was mixed up together), I’d have likely looked once and decided that I was right all along: everything was probably under control, and the effort involved in digging deeper was likely to be greater than any return I might have got back. But it was automated, it consolidated the information, it simplified things… and ultimately it showed me exactly what I needed to know with minimal effort on my part. The net effect of that was a positive result. EDR is the same. I’ve spoken with customers who have tried it and simply given up because it’s proven to be too complicated. It can feel easier not to find out what you don’t know, but it won’t be as secure!
That’s what security analysts are loving about MVISION EDR. MVISION EDR helps find what is hidden and lifts it to the surface where it can be examined and then either allowed or blocked. But unlike my bank account, we’re not talking about 5 or 10 things you may not have been aware of; we’re talking about potentially tens of thousands each and every day. And that’s the other thing they love about MVISION EDR: not only does it make these potential risks easier to identify, but it groups them together into a much smaller number of potential incidents, prioritizes those incidents so they know which ones to investigate first and even uses AI to guide those investigations and make suggestions as to how they can reach a resolution quickly and accurately. What’s not to love?
If you want to see what you have been missing check out MVISION EDR.
Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet to continue growing the size of the botnets associated with this threat. Emotet is often the initial malware that is delivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in virtually every country on the planet over the past several years and often leads to high impact security incidents as the network access it provides to adversaries enables further attacks, such as big-game hunting and double-extortion ransomware attacks.
Cisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We leveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes of observing the characteristics of these email campaigns over time and to gain additional insight into the scope and profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed taking extended breaks over the past few years, and 2020 was no exception. Let’s take a look at what Emotet has been up to in 2020 and the effect it’s had on the internet as a whole.
Experts from Cybereason Nocturnus uncovered an active campaign that targets users of a large e-commerce platform in Latin America with Chaes malware.
The Chaes malware was first spotted in mid-to-late 2020 by Cybereason researchers. It is a multistage information stealer that focuses on Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America. In 2019, over 320 million users were registered with the MercadoLivre e-commerce platform.
“Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.Js information stealer that exfiltrates data using the node process.” reads the analysis published by Cybereason.
Chaes is also able to take screenshots of the victim’s machine, and hook and monitor the Chrome web browser to collect user information from infected hosts.
The kill chain starts with phishing messages carrying a .docx file that, once opened, triggers a template injection attack.
Upon connecting to the command-and-control server, the malware downloads the first malicious payload in the form of a .msi file, which deploys a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin. The malware also installs three other files, hhc.exe, hha.dll and chaes1.bin; researchers also observed the use of a cryptocurrency mining module.
The attackers use Microsoft Word’s built-in attached-template feature to fetch a payload from a remote server: the template target referenced from the settings.xml file embedded in the document is changed to point at a download URL for the next payload.
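A defender-side check for the template-injection technique described above, written as an added example rather than Cybereason's or Chaes's code: it opens a .docx as the zip container it is, reads the relationship file that backs settings.xml, and reports any attached-template target that points off-host. The sample document is constructed in memory; the URL and share path in it are placeholders, not indicators from the report.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

# OOXML package-relationship namespace and the relationship type Word uses
# for w:attachedTemplate in word/settings.xml.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def _is_remote(target: str) -> bool:
    """True for http(s) URLs and UNC paths; a local template such as Normal.dotm is not."""
    if target.startswith("\\\\"):
        return True
    return urlparse(target).scheme.lower() in ("http", "https")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target in the document that resolves off-host.

    Word resolves w:attachedTemplate through a Relationship in
    word/_rels/settings.xml.rels. Template injection rewrites that Relationship's
    Target to a remote location with TargetMode="External", so that is what is checked.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []  # no settings relationships at all, so no attached template
        root = ET.fromstring(z.read(SETTINGS_RELS))
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External" and _is_remote(target):
            hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Build a minimal .docx in memory (a constructed sample, not a real Chaes lure)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" '
            'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        )
        z.writestr(
            "word/document.xml",
            f'<w:document xmlns:w="{w_ns}"><w:body><w:p/></w:body></w:document>',
        )
        if template_target is not None:
            # settings.xml only carries the r:id; the real target lives in the .rels file.
            z.writestr(
                "word/settings.xml",
                f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>',
            )
            mode = ' TargetMode="External"' if external else ""
            z.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Scan any .docx paths given on the command line; with none, run the built-in sample.
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                for hit in find_remote_templates(fh.read()):
                    print(f"{path}: remote attached template -> {hit}")
    else:
        sample = build_sample_docx("http://example.invalid/placeholder.dotm")
        print(find_remote_templates(sample))  # -> ['http://example.invalid/placeholder.dotm']
```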
The Chaes attack chain is composed of several stages that include the use of LOLBins (living-off-the-land binaries) and other legitimate software to avoid detection by AV products.
Experts observed several variants over recent months; its authors have improved the encryption and implemented new functionality in the final Node.js module.
“Multistage malware that uses such techniques in the LATAM region and specifically in Brazil have already been observed and investigated by Cybereason in the past years. Chaes demonstrates how sophisticated and creative malware authors in the Latin America region can be when attempting to reach their goals.” concludes the report. “The malware not only serves as a warning sign to information security researchers and IT professionals not to take lightly the existence of files that are legitimate in nature, but also raises the concern of a possible future trend in using the Puppeteer library for further attacks in other major financial institutions”
CEOs and CISOs on the New Challenges to Securing Data
With COVID-19 as a backdrop and 5G on the horizon, what will be 2021's top issues in identifying, protecting and defending against attacks across a dramatically expanded threat landscape? This latest CEO/CISO panel addresses the challenges of the new year.
Organizations should press forward more urgently on adopting Zero Trust because traditional approaches to cybersecurity aren’t working anymore. It’s no longer enough to protect the perimeter, said Chris Ruetz, AVP and Country Manager for CyberArk, at a CanadianCIO Virtual Roundtable. “Perimeters are falling down now due to remote work and the cloud,” he said. “Zero…
Increase in Ransomware Sophistication and Leverage of Legacy Malware Predicted for 2021
An increase in ransomware sophistication, commodity malware and abuse of legitimate tools are predicted to be the main threats for the next year.
According to the Sophos 2021 Threat Report, there will be a gap between ransomware operators at different ends of the skills and resource spectrum, with big-game hunting ransomware families continuing to refine and change their tactics, techniques and procedures to become more evasive and nation state-like in sophistication.
Sophos claimed this will involve the targeting of larger organizations with multi-million dollar ransom demands, while the number of entry-level, apprentice-type attackers looking for ransomware-for-rent will also increase.
Chester Wisniewski, principal research scientist at Sophos, said: “During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative cartels.
“The cyber-threat landscape abhors a vacuum: if one threat disappears another one will quickly take its place. In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in our report this year are likely to continue into 2021.”
Speaking to Infosecurity, Darren Guccione, CEO of Keeper Security, said that in 2020 cyber-criminals have taken advantage of the business disruptions caused by the global health crisis, particularly the sudden and dramatic rise in remote work. He cited statistics from Coveware which claim that the average enterprise ransomware payment increased to more than $100,000 in the first quarter of 2020, a rise of 33% from the final quarter of 2019.
“This dramatic surge is due to cyber-criminals increasingly attacking large enterprises with deep pockets and leveraging legacy systems,” he explained. “Additionally, healthcare organizations saw a 350% year-on-year increase in ransomware attacks at the end of 2019 compared to the same timeframe in 2018.”
Commodity malware, such as loaders and botnets, should also be taken seriously: it can seem like low-level malware noise, but it is designed to secure a foothold in a target, gather essential data and send that data back to a command-and-control network.
“Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system,” said Wisniewski. “Defenders need to take these attacks seriously, because of where they might lead: they may not realize that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys. Underestimating ‘minor’ infections could prove very costly.”
Guccione said the environment most businesses are operating in at the moment is extremely volatile, and now more than ever businesses should look to educate employees from the ground-up on the increasing cyber-risks and provide best practices for ensuring devices within their network are secure.
“It is the responsibility of business leaders to remind employees of the accountability they have as individuals for the safety and security of their own devices,” he said. “Only with the buy-in of all stakeholders do organizations have the best chance of securing their endpoints in the most efficient way possible.”
Wisniewski also said the abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos’ research, as this technique challenges traditional security approaches because the appearance of known tools doesn’t automatically trigger a red flag. “This is where the rapidly growing field of human-led threat hunting and managed threat response really comes into its own.”
Microsoft has resolved a known issue leading to missing system and user certificates after updating managed Windows 10 systems using outdated installation media through update management tools, physical media, or ISO images. [...]
The Jabra Elite 85t earbuds are the next evolution in Jabra's earbud lineup with powerful active noise-cancellation capability with a focus on high-quality calling. They aren't optimized for workouts and are best for commuters, travelers, and remote workers who find over or on the ear headphones uncomfortable.
Microsoft is tracking an ongoing Office 365 phishing campaign aimed at enterprises that is able to detect sandbox solutions and evade detection.
Microsoft is tracking an ongoing Office 365 phishing campaign that targets enterprises; the attacks are able to detect sandbox solutions and evade detection.
“We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering,” reads a message published by Microsoft via Twitter.
“The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.”
Threat actors behind the campaign leverage redirector URLs with the capability to detect incoming connections from sandbox environments.
When the redirector detects a connection from a sandbox, it sends it to a legitimate site to evade detection, while connections from real potential victims are redirected to phishing pages.
The phishing messages are also heavily obfuscated to bypass secure email gateways.
Microsoft also noticed that the threat actors behind this campaign generate a custom subdomain for each target to use with the redirector sites.
The subdomains always contain the target’s username and org domain name, Microsoft added.
Each subdomain is unique, which helps evade detection, and is prepended to one of a set of base domains, typically compromised sites. The phishing URLs also carry an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.
“The use of custom subdomains helps increase the believability of the lure. In addition, the campaign uses patterns in sender display names consistent with the social engineering lure: “Password Update”, “Exchange proteccion”, “Helpdesk-#”, “SharePoint”, “Projects_communications”.” continues Microsoft in a series of tweets published by its official account.
“The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection.”
Attackers used display name patterns like “Password Update”, “Exchange protection”, “Helpdesk-#”, “SharePoint”, and “Projects_communications” to trick victims into believing that the messages came from a legitimate source and clicking the phishing link embedded in each email.
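As an added example (not code from Microsoft or from the original article), the following Python script turns the three URL traits described above into a detection rule: a hostname that ends in an extra dot after the TLD, a Base64-encoded email address immediately after it in the first path segment, and a per-target subdomain that contains that address's local part and organisation name. The sample URLs are constructed for the example; the exact placement of the Base64 segment and the "base domain is the last two labels" heuristic are assumptions, since the report does not spell either out.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample URLs for this example; none are from the reported campaign.
# Assumed layout: https://<user>-<org>.<compromised-base-domain>./<base64(recipient e-mail)>
# (per-target subdomain on a compromised base domain, an extra dot after the TLD,
# recipient address Base64-encoded in the first path segment).
SAMPLE_URLS = [
    "https://jdoe-contoso.blog-example.net./amRvZUBjb250b3NvLmNvbQ==",
    "https://asmith.fabrikam.shop-example.org./YXNtaXRoQGZhYnJpa2FtLmNvbQ==/login",
    "https://www.blog-example.net/2020/11/post",
    "https://login.microsoftonline.com/",
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Finding:
    url: str
    recipient: str      # e-mail recovered from the Base64 path segment
    base_domain: str    # the (presumably compromised) site the subdomain hangs off


def decode_email(token: str) -> Optional[str]:
    """Return the decoded address if token is Base64 of an e-mail, else None."""
    if len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def check_url(url: str) -> Optional[Finding]:
    """Flag a URL that shows all three traits: trailing dot after the TLD,
    Base64 recipient e-mail in the path, and a subdomain naming that recipient."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit keeps the trailing dot
    if not host.endswith("."):
        return None
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return None
    recipient = decode_email(segments[0])
    if recipient is None:
        return None
    local, _, org_domain = recipient.partition("@")
    labels = host.rstrip(".").split(".")
    if len(labels) < 3:                  # need at least one subdomain label
        return None
    # Assumption: base domain = last two labels. A public-suffix list would be
    # more accurate (e.g. for .co.uk) but is avoided here to keep this offline.
    base_domain = ".".join(labels[-2:])
    subdomain = "-".join(labels[:-2]).lower()   # treat '.' and '-' separators alike
    org_label = org_domain.split(".")[0].lower()
    if local.lower() in subdomain and org_label in subdomain:
        return Finding(url=url, recipient=recipient, base_domain=base_domain)
    return None


def scan(urls: List[str]) -> List[Finding]:
    """Run check_url over a batch and keep only the hits."""
    return [f for f in map(check_url, urls) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print(f"{hit.recipient:<24} via {hit.base_domain:<20} {hit.url}")
```

Requiring all three traits at once keeps the false-positive rate low: a trailing dot on a hostname is legal and occasionally seen alone, and Base64 in a path is common, but the combination with a subdomain that spells out the recipient is the campaign's signature. The decoded recipient is also useful output on its own, since it tells the responder exactly which user the lure was built for.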
Microsoft pointed out that its Defender for Office 365 product detects phishing and other email threats and correlates threat data across email, data, endpoints, identities, and apps.
Recently, researchers at WMC Global spotted a creative new Office 365 phishing campaign that inverts the images used as backgrounds for its landing pages to avoid being flagged as malicious by security solutions that scan the web for phishing sites.
In July, experts from Check Point reported that cybercriminals are increasingly leveraging public cloud services such as Google Cloud Services in phishing campaigns against Office 365 users.
Microsoft has released out-of-band optional updates to fix a known issue that causes Kerberos authentication problems on enterprise domain controllers after installing security updates released earlier this month to address CVE-2020-17049. [...]
Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging. But these (paid) services are also constantly threatened by attackers – and no company, no matter how big, is completely immune. Take the recent Twitter compromise as an example: the attackers hijacked a number of influential Twitter accounts, including those belonging to … More →
From its experience running Astra, DataStax is releasing a new open source distro of Cassandra that comes with tooling and dashboards that are preconfigured for running the platform in a cloud-native K8s cluster.
Security researchers found several clues linking the WebNavigator web browser to well-known search hijackers. A Chromium-based browser, WebNavigator promises users that it’ll simplify their web browsing experience by providing “quick access” to their bookmarks. The browser also claims to yield quick search results by starting up with Windows and by constantly running in the background. […]
Are you a Heimdal Security blog reader and/or customer? Then you already know how passionate we are about cybersecurity research and education. This is why we decided to create a survey to better understand how prepared educational institutions are to face cybersecurity challenges in remote learning times. Based on your responses, we will compile the data […]
When the European Court of Justice invalidated the EU–US Privacy Shield earlier this year, organisations were left unsure about how to legally transfer personal data into and out of the EU.
The ruling was made following criticism from the Austrian privacy activist Max Schrems, who argued that the US government’s mass surveillance practices contradicted the protections that the Privacy Shield was supposed to provide.
That’s why the EDPB (European Data Protection Board) has issued guidance urging organisations to create data flow maps before transferring any personal data. It notes that although the process can be difficult, it’s “necessary to ensure that [personal data] is afforded an essentially equivalent level of protection wherever it is processed”.
The EDPB adds that organisations must verify the transfer tool that they use and check to see whether the European Commission has made an adequacy decision regarding the country where the information is being shared.
This is something that UK organisations – and those that transfer personal data into the country – must bear in mind. The UK’s Brexit transition period ends on 31 December, and an adequacy decision is still a long way off, so there will be major changes in the way data transfers work.
Creating a data flow map
Thousands of EU businesses relied on the Privacy Shield – as well as countless others outside the EU – so there are huge implications when it comes to alternative methods for data transfers.
Data flow mapping has therefore never been more important. The process helps organisations identify data items (such as names and email addresses), the format in which the data is held, the transfer method (such as by post or email) and the location of the data.
A data map also helps organisations see who has access to the data at any given time and who is accountable for it.
You can find out how to create a map with the help of our sister company Vigilant Software.
Over at Lawfare, Susan Hennessey has an excellent primer on how Trump loyalist Michael Ellis got to be the NSA General Counsel, over the objections of NSA Director Paul Nakasone, and what Biden can and should do about it.
While important details remain unclear, media accounts include numerous indications of irregularity in the process by which Ellis was selected for the job, including interference by the White House. At a minimum, the evidence of possible violations of civil service rules demand immediate investigation by Congress and the inspectors general of the Department of Defense and the NSA.
The moment also poses a test for President-elect Biden’s transition, which must address the delicate balance between remedying improper politicization of the intelligence community, defending career roles against impermissible burrowing, and restoring civil service rules that prohibit both partisan favoritism and retribution. The Biden team needs to set a marker now, to clarify the situation to the public and to enable a new Pentagon general counsel to proceed with credibility and independence in investigating and potentially taking remedial action upon assuming office.
The NSA general counsel is not a Senate-confirmed role. Unlike the general counsels of the CIA, Pentagon and Office of the Director of National Intelligence (ODNI), all of which require confirmation, the NSA’s general counsel is a senior career position whose occupant is formally selected by and reports to the general counsel of the Department of Defense. It’s an odd setup — and one that obscures certain realities, like the fact that the NSA general counsel in practice reports to the NSA director. This structure is the source of a perennial legislative fight. Every few years, Congress proposes laws to impose a confirmation requirement as more appropriately befits an essential administration role, and every few years, the executive branch opposes those efforts as dangerously politicizing what should be a nonpolitical job.
While a lack of Senate confirmation reduces some accountability and legislative screening, this career selection process has the benefit of being designed to eliminate political interference and to ensure the most qualified candidate is hired. The system includes a complex set of rules governing a selection board that interviews candidates, certifies qualifications and makes recommendations guided by a set of independent merit-based principles. The Pentagon general counsel has the final call in making a selection. For example, if the panel has ranked a first-choice candidate, the general counsel is empowered to choose one of the others.
ESET: Attackers Used Hijacked Software to Target South Korean Organizations North Korean hackers are suspected of carrying out a novel supply-chain attack that targeted businesses in South Korea using stolen digital certificates, according to researchers with ESET. The analysts believe that this campaign is related to the Lazarus Group.
Capcom Says Over 350,000 Customer, Business Records Possibly Compromised Japanese computer game company Capcom acknowledged this week that a November security incident was a Ragnar Locker ransomware attack that resulted in about 350,000 customer and company records potentially compromised, including sales and shareholder data.
US cold storage firm Americold has been hit by what appears to be a ransomware attack affecting business operations.
The 117-year-old firm operates temperature-controlled warehouses and transportation to support the cold chains needed to supply, for example, vaccines like the one being developed by Pfizer and BioNTech for COVID-19.
However, in a regulatory filing with the Securities and Exchange Commission (SEC), the firm revealed that its IT network was hit by an unspecified “cybersecurity incident” on Monday.
“As a precautionary measure, the company took immediate steps to help contain the incident and implemented business continuity plans, where appropriate, to continue ongoing operations. The company has notified and is working closely with law enforcement, cybersecurity experts and legal counsel,” it said.
“Security, in all its forms, remains a top priority at Americold, and the company will continue to seek to take all appropriate measures to further safeguard the integrity of its information technology infrastructure, data and customer information.”
With total revenue in 2020 so far exceeding $1.4bn, Americold would certainly seem like a prime candidate to extort with “human-operated” ransomware. The nature of its business also means that operational outages could seriously impact customers, potentially piling on the pressure to pay in order to resume business-as-usual.
One truck driver took to Twitter on Monday to post a picture of an affected Americold depot in the mid-west.
“At an Americold and their systems are down,” they noted. “They are unable to assign me to a door. Well let the waiting begin.”
Jamie Akhtar, CEO and co-founder of CyberSmart, said the incident highlighted the importance of good cybersecurity in supply chains.
“In order to strengthen the security ecosystem, businesses should not just concern themselves with their own security practices but hold their distributors and suppliers to account,” he added. “The UK is making some headway in this direction by requiring the Cyber Essentials certification for certain sectors. Other industries would do well to follow suit.”
By Julie Jeffries, Director, Microsoft 365 and Security Business Group With the ever-evolving cyber threat landscape, the need for security experts is increasing, but demand is far outstripping supply. Organizations face both a talent shortfall, estimated at 3.5 million, and a landscape that changes rapidly, requiring security professionals to continuously upgrade their skills. We hear…
Chinese APT FunnyDream Runs Riot in Southeast Asia
Security researchers have uncovered another Chinese APT group, this time targeting southeast Asian governments, which has compromised over 200 machines in the past two years.
Bitdefender dubbed the group “FunnyDream” after one of the backdoors used in the attacks. It appears to have been active since at least 2018.
Focused on exfiltrating sensitive information, it uses spyware tools such as Filepak for file collection, ScreenCap for taking screenshots and Keyrecord for logging keystrokes on victim machines.
Although the initial threat vector isn’t known, Bitdefender claimed it is likely to be a phishing email. Three backdoors are then used for command and control (C&C): Chinoxy to gain persistence after initial access, the open source RAT PcShare for complex espionage, and the custom-made FunnyDream toolkit.
Controlling the three backdoors is C&C infrastructure located mainly in Hong Kong, but also elsewhere in China and Vietnam.
Although 200 systems have shown signs of infection so far, Bitdefender warned that in some victim networks the domain controllers may have been compromised, allowing attackers to move laterally and gain control over a large number of machines.
“Attributing APT style attacks to a particular group or country can be extremely difficult — as false-flag forensic artifacts can be manufactured, C&C infrastructure can reside anywhere in the world and the tools used can be repurposed from other APT groups,” the vendor said.
“However, evidence suggests a Chinese-speaking APT group using Chinese language binaries, and the Chinoxy backdoor used during the campaign is a Trojan known to have been used by Chinese-speaking threat actors.”
The specific target governments were not named in the report, although China has tense relations with many countries that border the South China Sea due to territorial claims and other geopolitical disputes.
WildWorks, the developer of Animal Jam, has confirmed that early last month a hacker broke into its systems and stole 46 million Animal Jam records.
Read more in my article on the Hot for Security blog.
Amazon Web Services announced the general availability of AWS Network Firewall, a new managed security service that makes it easier for customers to enable network protections across all of their AWS workloads. Customers can enable AWS Network Firewall in their desired Amazon Virtual Private Cloud (VPC) environments with just a few clicks in the AWS Console, and the service automatically scales with network traffic to provide high availability protections without the need to set up … More →
Trump Fires CISA Boss Who Said Election Was “Most Secure in History”
The well-respected head of a US government cybersecurity agency has been fired by Donald Trump after confirming the Presidential election was free, fair and secure.
As rumored last week and reported by Infosecurity, Christopher Krebs was on Tuesday “terminated” via a tweet from the White House, Trump’s increasingly favored way of dealing with high ranking government officials who displease him.
In it, the outgoing President repeated baseless allegations of voter fraud in the election, prompting Twitter to once again label his tweets with a warning label indicating possible misinformation.
In response, Krebs tweeted simply: “Honored to serve. We did it right. Defend Today, Secure Tomorrow.”
Trump’s ire seems to have been drawn by a recent statement from Krebs’s former employer, the Cybersecurity and Infrastructure Security Agency (CISA), and various election infrastructure agencies, that the November 3 election was “the most secure in American history.”
“There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised,” it continued.
This official rebuttal of Trump’s narrative from the bodies whose job it is to monitor the election proved too much for the President to take. CISA also runs a Rumor Control website to debunk mis- and disinformation circulating about the election – much of it promoted by Trump himself and his supporters.
Although Krebs, when he joined CISA, was a rare Trump appointee who enjoyed bipartisan support, no Republican lawmakers spoke out in support of his service.
However, Democrat senator and vice-chair of the Senate Intelligence Committee, Mark Warner, stepped up.
“Chris Krebs is an extraordinary public servant and exactly the person Americans want protecting the security of our elections,” he tweeted. “It speaks volumes that the President chose to fire him simply for telling the truth.”
Sound security budget planning and execution are essential to a CIO’s or CISO’s success.
Now, for the first time, the Ultimate Security Budget Plan and Track Excel template (download here) provides security executives with a clear and intuitive tool to keep track of planned vs. actual spend, ensuring that security needs are addressed while staying within the budgetary frame.
The dynamic nature of the
Apple is facing the heat for a new feature in macOS Big Sur that allows many of its own apps to bypass firewalls and VPNs, thereby potentially allowing malware to exploit the same shortcoming to access sensitive data stored on users' systems and transmit them to remote servers.
The issue was first spotted last month by a Twitter user named Maxwell in a beta version of the operating system.
In the survey of 295 executives, the security firm reported it has observed a 34% year-on-year rise in vulnerabilities in 2020, which it said is a “leading indicator for the growth of future attacks.”
It highlighted that many organizations are not taking the steps needed to adequately protect their remote workforces. Over 30% of respondents revealed that software updates and BYOD policies were deprioritized since the start of the pandemic, while 42% said reporting was deprioritized.
In addition, almost a third (32%) found it difficult to validate whether network and security configurations undermine their security posture, and over half (55%) admitted it was at least moderately difficult to confirm that these configurations did not increase risk.
This is despite the fact that 70% of the security and IT executives predict that at least a third of their workforce will still be operating remotely in 18 months’ time.
The researchers also found that there was some complacency amongst the respondents in regard to their organizations’ security capabilities. Although only 11% stated they could confidently maintain a holistic security approach, 93% felt sure changes were being correctly validated.
“Traditional detect-and-respond approaches are no longer enough. A radical new approach is needed – one that is rooted in the development of preventative and prescriptive vulnerability and threat management practices,” commented Gidi Cohen, co-founder and CEO, Skybox Security. “To advance change, it is integral that everything, including data and talent, is working towards enriching the security program as a whole.”
President Trump has fired Chris Krebs, Director of the CISA, over his statement claiming the recent presidential election the most secure in US history.
President Trump has fired Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), over his statement calling the 2020 presidential election the most secure in US history.
Trump stated in a tweet that Krebs’ statement was “highly inaccurate”. Twitter labeled the tweet with the notice “This claim about election fraud is disputed.”
Krebs worked hard to protect the election process; as a consequence, the Trump administration has been unable to prove fraud or interference.
Krebs and his staff did great work ensuring that the 2020 election was not tampered with by nation-state actors; CISA, an agency of the DHS, called it “the most secure in American history” in a joint statement with election officials.
“The November 3rd election was the most secure in American history. Right now, across the country, election officials are reviewing and double checking the entire election process prior to finalizing the result.” reads the statement published by CISA.
“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
President Trump, after losing the election, claimed that widespread voter fraud had taken place and filed lawsuits in several US states contesting the results, without producing evidence to support his allegations.
Krebs became the first director of the Cybersecurity and Infrastructure Security Agency (CISA) on November 16, 2018, as part of the Cybersecurity and Infrastructure Security Agency Act of 2018.
CISA set up a website dubbed “Rumor Control” to debunk misinformation about the election, a move that aroused the ire of the White House.
Krebs reiterated that there is no evidence of manipulation of the election systems.
Krebs acknowledged his termination in a tweet posted on his personal account:
Let me say that Krebs and his team did a great job; thanks to their efforts, this was the most secure election in US history.
According to the experts, the vulnerable themes are installed on over 150,000 sites.
“On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites.” reads the analysis published by Wordfence. “So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses. While we occasionally see attacks targeting a large number of sites, most of them target older vulnerabilities.”
The vulnerabilities targeted by the threat actors could allow them to take over WordPress installs through an exploit chain ending in remote code execution (RCE). The researchers did not provide technical details on the attacks because the exploit does not yet appear to be in a mature state.
The researchers pointed out the vast majority of these attacks appear to be probing attacks aimed at determining whether a site is running a vulnerable theme.
“These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.” continues the report.
Admins of websites running vulnerable versions of the themes are recommended to update them. If no security patch is available for the installed theme, admins should switch to another theme.
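The report notes that the probes arrive as POST requests to admin-ajax.php and therefore leave no distinct entries in ordinary access logs. As an added example (not Wordfence’s detection logic, and not code from the original article), the Python below parses Apache combined-format access log lines and flags clients that only ever POST to admin-ajax.php, never fetched a page first and send no Referer: that is how a scanner behaves, but not how a browser running a site’s own scripts behaves. The log lines are constructed for the example, and the heuristic is an assumption of this example; legitimate integrations that call admin-ajax.php directly would need to be allow-listed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Apache "combined"-format lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2020:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "python-requests/2.24.0"
203.0.113.5 - - [17/Nov/2020:10:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "python-requests/2.24.0"
198.51.100.7 - - [17/Nov/2020:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 0 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Nov/2020:10:02:00 +0000] "GET /2020/11/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [17/Nov/2020:10:02:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://blog.example/2020/11/hello-world/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
AJAX = "/wp-admin/admin-ajax.php"


@dataclass
class ClientStats:
    ajax_posts: int = 0             # POSTs to admin-ajax.php
    ajax_posts_no_referer: int = 0  # ...of which carried no Referer header
    page_requests: int = 0          # anything else (page loads, assets, etc.)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise(log_text: str) -> Dict[str, ClientStats]:
    """Per-client counts of admin-ajax.php POSTs versus everything else."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith(AJAX):
            s.ajax_posts += 1
            if rec["referer"] in ("", "-"):
                s.ajax_posts_no_referer += 1
        else:
            s.page_requests += 1
    return dict(stats)


def suspicious_clients(log_text: str, min_posts: int = 1) -> List[str]:
    """Heuristic (an assumption of this example, not Wordfence's rule): a client
    that only ever POSTs to admin-ajax.php, never loaded a page, and never sends
    a Referer looks like a vulnerability scanner rather than a browser."""
    hits = []
    for ip, s in summarise(log_text).items():
        if (s.ajax_posts >= min_posts and s.page_requests == 0
                and s.ajax_posts_no_referer == s.ajax_posts):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    for ip in suspicious_clients(SAMPLE_LOG):
        print("probe-like client:", ip)
```

Because the theme-specific action name travels in the POST body, an access log alone cannot say which vulnerability was probed; this triage only narrows a large log down to the clients worth checking in Wordfence Live Traffic or a full request capture. Raising min_posts suppresses one-off hits on a busy site.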