A little bit of a change of pace this week with the video being solely on the events unfolding around removing content, people and even entire platforms from the internet. These are significant events in history, regardless of your political persuasion, and they're likely to have a very long-lasting impact on the way we communicate online. It also raises some fascinating engineering challenges; could Parler have survived by building out their own physical infrastructure? Will Gab survive having done just that? Or is the whole house of cards ultimately dependent on Cloudflare, a company that may well be the death knell for Gab, as it has been for other sites in the past? Time will tell on that one.
This was the highest-attended live stream I've done and there are some really interesting comments in the chat, so it's worth clicking the YouTube icon and popping it out into a new window to read them.
- Free speech is not absolute - anywhere - and in the US there are numerous exceptions where free speech is not protected (and nor should it be)
- The more mainstream tech platforms have a history of banning all sorts of accounts for violating their terms of service, for example Twitter deleted hundreds of thousands of ISIS accounts in 2015/2016
- Tech platforms have also banned individuals spouting dangerous rhetoric around topics like COVID-19, for example booting Pete Evans off Facebook in December
- At the white supremacist end of the scale, the Daily Stormer was booted off the internet in 2017 with the final blow coming when Cloudflare dropped support
- Cloudflare also killed off 8chan in 2019 after several mass shootings which featured prominently on the platform (including the El Paso shooter posting a manifesto there just before the massacre)
- The Okta CEO described Parler as "not even trying to suppress the threats of terrorism and incitement of violence" before cancelling their service
- I've got a whole thread running on the history of Gab bans although oddly, Gab has deleted a couple of the embedded tweets (they also disallow responses to their tweets which says something interesting about their views on the free speech of others 🤷♂️)
- Jack Dorsey from Twitter has an interesting thread on the removal of content and platforms from the web, with his most poignant observation being "companies came to their own conclusions or were emboldened by the actions of others"
- There is still content on the mainstream platforms that for the life of me, I cannot understand why they have not been deleted, namely a whole bunch of outrageous comments about Israel from Iran's Ayatollah Khamenei
- Sponsored by 1Password, the secure password manager and digital wallet that keeps you safe online
As a senior executive or CIO, how can you assure yourself that the artificial intelligence or machine learning-derived recommendations are reasonable and flow logically from the project work that has been performed?

The post Skeptical about data used for AI-derived recommendations? first appeared on IT World Canada.
Many of the insurrectionists who marched on the Capitol on Jan. 6 and violently forced their way into the building livestreamed their activities or boasted about them via social media. Those self-identifying actions have helped law enforcement authorities identify some of the more than 70 individuals charged.
As thousands of National Guard troops pour into Washington to provide security for the Jan. 20 inauguration of Joe Biden as president, cybersecurity analysts are calling attention to the need to defend against cyber incidents as well.
The 6 large-scale squid jigging vessels are vessels that normally operate in the waters of the Southwest Atlantic Ocean and returned to China earlier this year for maintenance and repair. They left the port of Mawei on December 17, 2020 and are sailing to the fishing grounds in the international waters of the Southeast Pacific Ocean for operation.
I wonder if the company will include this blog post in its PR roundup.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
The popular messaging app Signal is currently facing issues around the world; users are not able to make calls or send and receive messages.
At the time of this writing, it is not possible to make calls or send and receive messages.
Users that attempted to send messages via the app saw a loading screen followed by an error message, "502" (a gateway error returned when a front-end server cannot get a valid response from the backend).
As usual, the availability of the service can be checked on the Downdetector website.
Some users also claim problems while logging in.
“Signal is experiencing technical difficulties. We are working hard to restore service as quickly as possible.” read a message posted by Signal on Twitter.
Signal announced it is adding new servers and extra capacity at a record pace every single day this week to provide the service to a growing number of users.
“A recent data point from Sensor Tower claimed that Signal app was downloaded by 17.8 million users in almost a week. On Thursday, the messaging app announced that it touched 50 million downloads on the Android platform.” wrote BusinessInsider. “Signal has already got plenty of marketing thanks to Elon Musk, Edward Snowden, and more prominent people worldwide.”
The company is still working to resolve the issue; you can follow progress on the service status page.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, instant messaging)
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between January 8 and January 15. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
20210115-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
Because 2020 wasn't already exciting enough, now we have to worry about being hunted by adversaries wielding FireEye's penetration testing tools, thanks to the company having suffered a big, bad breach. Here's a list of targeted flaws that every organization should ensure they've patched.
In light of the widespread apparent impact of the hack of SolarWinds' network management tools, it's time for a frank assessment of the lack of cybersecurity progress in recent years. Consider a "60 Minutes" report from 2015 - and where we're at today.
Following the discovery that attackers Trojanized SolarWinds' Orion software, expect the list of organizations that were running the backdoored network-monitoring tool to keep increasing. But with this being a suspected cyberespionage operation, attackers likely focused on only the juiciest targets.
In light of calls from some quarters for the U.S. to launch online attacks in reprisal for the SolarWinds supply chain campaign - allegedly carried out by Russia's foreign intelligence service - it's time to pause and remember: Spies are going to spy.
Organizations with largely remote workforces must strengthen their dynamic authentication processes to enhance security, says Sridhar Sidhu, senior vice president and head of the information security services group at Wells Fargo.
The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data. The Conti ransomware-as-a-service operation has claimed credit for the attack and begun to leak the stolen data.
The NSA has released guidance on how organizations can adopt encrypted domain name system protocols to prevent eavesdropping and manipulation of DNS traffic. Although the agency's report is geared toward the military and defense contractors, its recommendations can be adopted in all sectors.
A Russian-speaking "scam-as-a-service" operation dubbed "Classiscam" is expanding globally, with 40 interconnected gangs in about a dozen countries using fake product advertisements to launch phishing schemes, the security firm Group-IB reports.
Florida Man Cyberstalked Survivor of Murder Attempt
A man from Florida has admitted cyberstalking a woman who survived a violent attack in her childhood that left another young girl dead.
Alvin Willie George of Cross City pleaded guilty to two counts of cyberstalking related to the online harassment of the survivor and her sisters.
According to court records, the victim was in a Texas bedroom with another girl in December 1999 when an assailant entered and attacked the two friends. Both girls had their throats slit.
One girl died from the attack, while her friend survived. The perpetrator of this vicious assault was later caught and convicted.
George, who has no connection to the surviving victim or her family, began harassing the victim and her family 17 years after the attack took place.
In or around November 2016, George started researching the deadly crime on the internet. The 25-year-old then created various Facebook accounts that he used to send harassing messages to the victim and her sisters, all of whom live in Idaho. In the messages, George threatened to rape and kill the women.
The case was investigated by the Federal Bureau of Investigation and the Boise Police Department.
A federal grand jury in Boise indicted George on December 11, 2019. On Thursday, the US Attorney's Office in Boise, Idaho, announced George's guilty plea.
Sentencing is scheduled to take place on April 8, 2021, before US District Judge B. Lynn Winmill at the federal courthouse in Boise.
In Idaho, the crime of cyberstalking is punishable by up to five years in prison, a maximum fine of $250,000, and a supervised release period of up to three years, per charge.
According to the Stalking Prevention, Awareness and Resource Center, an estimated 6 to 7.5 million people are stalked annually in the United States.
The majority of stalking victims are stalked by someone they know; just one in five stalking victims are stalked by a stranger.
A quarter of stalking victims report being stalked through the use of some form of technology such as e-mail or instant messaging. While 10% of victims report being monitored with global positioning systems, 8% report being monitored through video or digital cameras, or listening devices.
Depending on your life experiences, the phrase (or country song by Eric Church) "two pink lines" may bring up a wide range of powerful emotions. I suspect, like many fathers and expecting fathers, I will never forget the moment I found out my wife was pregnant. You might recall what you were doing, or where you were and maybe even what you were thinking. As a professional ethical hacker, I have been told many times, "You just think a little differently about things." I sure hope so, since that's my day job, and sure enough this experience wasn't any different. My brain immediately asked the question, "How am I going to ensure my family is protected from a wide range of cyberthreats?" Having a newborn opens the door to all sorts of new technology and I would be a fool not to take advantage of all the devices that make parenting easier. So how do we do this safely?
The A-B-C's
The security industry has a well-known concept called the "principle of least privilege." This simply means that you don't give a piece of technology more permissions or access than it needs to perform its primary function. This can be applied well beyond just technology that helps parents; however, for me it's of extra importance when we talk about our kids. One of the parenting classes I took preparing for our newborn suggested we use a baby tracking phone app. This was an excellent idea, since I hate keeping track of anything on paper. So I started looking at a few different apps for my phone and discovered one of them asked for permission to use "location services," also known as GPS, along with access to my phone contacts. This caused me to pause and ask: Why does an app to track my baby's feeding schedule need to know where I am? Why does it need to know who my friends are? These are the types of questions parents should consider before just jumping into the hottest new app. For me, I found a different, less popular app which has the same features, just with a little less access.
It's not always as easy to just "find something else." In my house, "if momma ain't happy, nobody is happy." So, when my wife decided on a specific breast pump that came with Bluetooth and is internet enabled, that's the one she is going to use. The app backs up all the usage data to a server in the cloud. There are many ways that this can be accomplished securely, and it is not necessarily a bad feature, but I didn't feel this device benefited from being internet connected. Therefore, I simply lowered its privileges by not allowing it internet access in the settings on her phone. The device works perfectly fine, she can show the doctor the data from her phone, yet we have limited our online exposure and footprint just a little more. This simple concept of least privilege can be applied almost everywhere and goes a long way to limiting your exposure to cyber threats.
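The permission question above (why does a feeding-schedule app need GPS and my contacts?) can be asked mechanically. The following is an added example, not code from the original post or from any app it mentions: it reads the `<uses-permission>` entries of an Android manifest (the real manifest format) and flags anything outside an allow-list of what the app is supposed to do. The manifest, the allow-list and the "sensitive" watch-list are constructed for illustration; a real review would size the allow-list to the app's actual purpose.

```python
"""Least-privilege audit of an Android app's requested permissions (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption for this example: what a feeding/sleep-log app plausibly needs.
ALLOWED_FOR_BABY_TRACKER = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.VIBRATE",
}

# Permissions that expose sensitive data or sensors, with a plain-language reason
# a parent can act on. Names are real Android permission strings.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "text messages",
}

# Constructed manifest for a hypothetical app; not a real product.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.babylog">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.VIBRATE" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission the manifest asks for, in declaration order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.attrib[name_attr] for el in root.iter("uses-permission")]


def excess_permissions(manifest_xml, allowed):
    """Map each requested permission outside the allow-list to the reason it matters.

    Sensitive permissions get their watch-list description; anything else is simply
    more access than the app's stated purpose requires.
    """
    flagged = {}
    for perm in requested_permissions(manifest_xml):
        if perm not in allowed:
            flagged[perm] = SENSITIVE.get(perm, "not needed for the app's stated purpose")
    return flagged


if __name__ == "__main__":
    for perm, why in excess_permissions(SAMPLE_MANIFEST, ALLOWED_FOR_BABY_TRACKER).items():
        print("ask why this app needs %s: %s" % (why, perm))
```

On a phone you do not get the manifest, but the same check applies to the permission list the app store shows before installation: anything outside what the app's primary function needs is a reason to pick a different app or deny the permission after install.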
I think one of the most sought after and used products for new parents is the baby monitor or baby camera. As someone who has spent a fair amount of time hacking cameras (or cameras on wheels) this was a large area of concern for me. Most cameras these days are internet connected and if not, you often lose the ability to view the feed on your phone, which is a huge benefit to parents. So how, as parents, do we navigate this securely? While there is no silver bullet here, there are a few things to consider. For starters, there are still many baby cameras on the market that come with their own independent video screen. They generally use Wi-Fi and are only accessible from home. If this system works for you, use it. It is always more secure to have a video system which is not externally accessible. If you really want to be able to use your phone, consider the below.
- Where is the recorded video and audio data being stored? This may not seem important if the device is internet connected anyway, but it can be. If your camera data is being stored locally (DVR, SD card, network storage, etc.), then an attacker would need to hack your specific device to obtain this information. If you combine this with good security hygiene such as a strong password and keeping your device updated, an attacker has to work very hard to access your camera data. If we look at the alternative where your footage is stored in the cloud, and it becomes subject to a security breach, now your camera’s video content is collateral damage. Large corporations are specifically targeted by cybercriminals because they provide a high ROI for the time spent on the attack; an individual practicing good cybersecurity hygiene becomes a much more difficult target providing less incentive for the attacker, thus becoming a less likely target.
- Is the camera on the same network as the rest of your home? An often-overlooked security implication of many IoT devices, and cameras especially, is not the threat of spying but the threat of a network entry point. If the camera itself is compromised it can be used as a pivot point to attack other devices on your network. A simple way to reduce this risk is to use the "guest" network feature that comes by default on almost all home routers. These guest networks are preset to be isolated from your main network and generally require little to no setup. By simply attaching your cameras to your guest network, you can reduce the risk of a compromised camera leading a cybercriminal to the banking info on your laptop.
Background checks – Not only for babysitters
Most parents, especially new ones, like to ensure that anyone that watches their children is thoroughly vetted. There are a ton of services out there to do this for babysitters and nannies, however it’s not always as easy for vetting the companies that create the devices we put in our homes. So how do we determine what is safe? My father used to tell me: “It’s how we respond to our mistakes that makes the difference.” When researching a company or device, should you find that the device has been found to have a vulnerability, often the response time and accountability from the vendor can tell you if it’s a company you should be investing in. Some things to look for include:
- Was the vulnerability quickly patched?
- Are there unpatched bugs still?
- Has a vendor self-reported flaws, fixed them and reported to the public they have been fixed?
- Are there numerous outstanding bugs filed against a company or device?
- Does the company not recognize the possibility of bugs in their products?
These answers can often be discovered on a company’s website or in release notes, which are generally attached to an update of a piece of software. Take a minute to read the notes and see if the company is making security updates. You don’t need to understand all the details, just knowing they take security seriously enough to update frequently is important. This can help tip the scales when deciding between devices or apps.
Remember, you can do this!
Through my preparation for becoming a new parent, I constantly read in books and was told by professionals, "Remember, you can do this!" Cybersecurity in the context of being a parent is no different. Every situation is different, and it is important to do what works for you and your family. As parents, we shouldn't be afraid to use all the cool new gadgets that are emerging on the market, but instead educate ourselves on how to limit our risk. Which features do I need, and which ones can I do without? Remember to always follow a vendor's recommendations and best practices, and of course remember to breathe!
Extended detection and response (XDR) is gaining momentum as the next big thing to simplify and improve security. The term, coined by Gartner, refers to a platform that provides unified visibility across all security products to make it easier to quickly spot and resolve threats. Security leaders say they're overwhelmed with managing the myriad of…

The post Is XDR the answer to simplify security? first appeared on IT World Canada.
Software is becoming an increasingly pivotal part of modern business and society. In turn, consumers have come to expect instant gratification. This has driven businesses to concentrate on innovation and speed to market. Businesses that can't keep up with the hyper-competitive market of speed-to-value are falling behind.
But with rapid software deliveries comes increased risk. Businesses are shortening time to market, which, for many, has meant moving from a waterfall approach to a DevOps approach. Security in this model can't be a gate at the end of the development process, but rather needs to be part of the development process, or "security as code." Security as code is when you move security into the development stage and automate security scans at every code commit. It helps to ensure that security scans aren't missed, and it shortens deployment times. As the world continues to prioritize speed, security as code will be increasingly critical.
What are the implications of security in the development phase?
By moving security to the development phase and making security scans the responsibility of the developers, it's not uncommon for developers to raise concerns. They are oftentimes concerned that security scans will add extra work and slow down deployments. But with security as code, you can ease those concerns because the security scans are integrated and automated into the developer's existing tools and processes. This means there is no interruption to the developer's day-to-day activities.
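What "automated at every commit" looks like in practice is a scanner run followed by a policy decision the pipeline can act on. The block below is an added example, not Veracode's code or API: it reads a scanner report in SARIF 2.1.0 (the interchange format most static analysis tools can emit), applies a blocking threshold, and honours documented, time-limited risk exceptions so accepted findings cannot silently become permanent. The report, the threshold, the rule IDs and the exception list are all constructed for illustration.

```python
"""Commit-time security gate over a SARIF report (added example, hypothetical policy)."""
import json
from datetime import date

# Constructed SARIF 2.1.0 report from a hypothetical SAST tool; rule IDs are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.0"}},
            {"id": "XSS-004", "properties": {"security-severity": "6.5"}},
            {"id": "LOG-010", "properties": {"security-severity": "2.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL query built from request input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "XSS-004", "level": "warning",
             "message": {"text": "Unescaped value rendered into HTML template"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                 "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-010", "level": "note",
             "message": {"text": "Sensitive value may be written to log"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 88}}}]},
        ],
    }],
})


def parse_findings(sarif_text):
    """Flatten SARIF results into dicts carrying rule, CVSS-style severity, file and line."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc["runs"]:
        # SARIF stores severity on the rule definition, not on each result.
        severity_by_rule = {
            rule["id"]: float(rule.get("properties", {}).get("security-severity", 0))
            for rule in run["tool"]["driver"].get("rules", [])
        }
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"],
                "severity": severity_by_rule.get(res["ruleId"], 0.0),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "text": res["message"]["text"],
            })
    return findings


def gate(sarif_text, block_at=7.0, exceptions=None, today=None):
    """Decide whether a commit may proceed.

    Any finding with severity >= block_at blocks the commit unless an exception
    keyed "RULE@file" exists and has not expired. Returns (passed, blocking_findings).
    """
    today = today or date.today()
    exceptions = exceptions or {}
    blocking = []
    for finding in parse_findings(sarif_text):
        if finding["severity"] < block_at:
            continue
        expiry = exceptions.get("%s@%s" % (finding["rule"], finding["file"]))
        if expiry is not None and expiry >= today:
            continue  # accepted risk, still inside its review window
        blocking.append(finding)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blockers = gate(SAMPLE_SARIF)
    for f in blockers:
        print("BLOCK %s %s:%d %s" % (f["rule"], f["file"], f["line"], f["text"]))
    raise SystemExit(0 if passed else 1)
```

In a pipeline the script's exit status is what fails the commit; the exception map would live in version control next to the code so that accepting a risk is itself a reviewed change with an owner and an expiry.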
That said, it???s still important to provide developers with security training to prevent flaws and aid remediation. According to the Modern Application and Development Security report by Enterprise Strategy Group, 35 percent of organizations reported that less than half of their development teams participate in formal security training. Without this knowledge, flaws will be identified from scans, but they will not be properly remediated, leaving applications vulnerable to attack.
At Veracode, we offer in-person, virtual, and hands-on training to get developers up to speed on securing code and remediating security flaws. With our hands-on training, Veracode Security Labs, developers can work on securing real-world code vulnerabilities in the language of their choice while receiving real-time feedback.
We also encourage organizations to implement a security champions program. Security champions are elected or self-nominated developers with an interest in learning more about security. They receive a higher level of security training than other developers so that they can be the voice of security on their scrum team. They're essentially the conduit between security professionals and developers.
For a security champions program to be successful, the "champions" need to be invited to security meetings, including sprint planning, on a consistent basis. By including them in these meetings, they can help get their scrum team on board with security initiatives. The program should also be engaging and rewarding for participants. If developers feel like the program is a waste of time, they won't attend security meetings and they won't encourage other developers to join.
Data around security as code
Security as code isn't just presumed to be effective, it is proven effective. According to findings from our recent State of Software Security (SOSS) report, scanning for security via API cuts the time to remediate 50 percent of security flaws by six days. And the faster you remediate security flaws, the fewer opportunities there are for a cyberattack.
The Modern Application and Development Security report also establishes the importance of automating and integrating security scans, citing it as the number one element of effective application security programs.
The bottom line is that speed-to-market is only going to increase, and security as code is, and will continue to be, the way of the future. To learn more about the current security landscape and recent trends, check out our State of Software Security report.
Women in Cybersecurity Mid-Atlantic Partners with CMMC COE
The executed MOU creates a cooperative agreement between the two parties to partner in the furthering of their missions and objectives around the adoption, use, and expansion of CMMC-based cybersecurity practices for the US Department of Defense (DoD) global Defense Industrial Base (DIB) contractor community and the information and communication technology community.
Objectives of the new partnership include a desire to aid efforts to advance the goals for improving the cyber and supply-chain security and resilience of the DIB network of contractors, suppliers, and vendors.
Among the specific actions planned is the co-development of CMMC advisory services, cyber education and training programs to increase cyber adoption, accelerating CMMC certification, and improving cyber protection and resilience.
The partners also want to expand and drive diversity across the cybersecurity workforce, which in 2019 was 80% male.
“The WiCyS Mid-Atlantic is excited to team with the CMMC COE in efforts to enhance the overall security of the defense industrial base supply chain," said Diane Janosek, founder and senior advisor of Women in Cybersecurity Mid-Atlantic.
"This partnership clearly demonstrates the CMMC COE’s commitment to a diverse cybersecurity workforce, which is key to defending the nation’s cyber critical infrastructure. Creative and inclusive teaming is essential to the CMMC’s success."
Further actions planned by the partnership are the co-sponsorship of symposiums, training programs, and podcasts, leveraging their combined cyber and IT expertise, and the hosting of regular working groups, along with additional partners, to allow collaboration and communication.
The establishment of an independent Industry Cyber Security Advisory Council is also planned, with peer organizations brought in to advise and educate leaders across government and industry on the effectiveness and continued evolution of CMMC.
"This is an exciting opportunity for us," said John Weiler, chairman of the board at CMMC Center of Excellence. "This new partnership will further help advance the goals and objectives for improving the supply chain security and resilience of the US Department of Defense."
Two screens in a still portable form factor?

The post Asus announces new dual-screen ZenBook laptops at CES 2021 first appeared on IT World Canada.
For a limited time, I am selling signed copies of Click Here to Kill Everybody in hardcover for just $6, plus shipping.
Note that I have had occasional problems with international shipping. The book just disappears somewhere in the process. At this price, international orders are at the buyer’s risk. Also, the USPS keeps reminding us that shipping — both US and international — may be delayed during the pandemic.
I have 500 copies of the book available. When they’re gone, the sale is over and the price will revert to normal.
EDITED TO ADD: I was able to get another 500 from the publisher, since the first 500 sold out so quickly.
Please be patient on delivery. There are already 550 orders, and that’s a lot of work to sign and mail. I’m going to be doing them a few at a time over the next several weeks. So all of you people reading this paragraph before ordering, understand that there are a lot of people ahead of you in line.
Today, we celebrate the life and legacy of Dr. Martin Luther King Jr. Dr. King diligently dedicated his life to dismantling systemic racism affecting marginalized groups and leading a peaceful movement to promote equality for all Americans, irrespective of color and creed. He leaves behind a legacy of courage, strength, perseverance, and a life-long dedication to pursuing a fair and just world.
At McAfee, we honor the diverse voices which make up our company and encourage every team member to bring their authentic selves to the workplace. We believe that our collective voice and action can make a difference in creating a more equal and unified world.
On this day, we commemorate MLK by honoring the man behind the message of equality. Members of the McAfee African Heritage Community share their perspectives on the impact that Martin Luther King Jr. has had on their lives and what this day means to them.
Alexus, Software Sales Engineer
When I think about what Martin Luther King Jr. Day means to me, I think of it as a time to reflect and think about the progress we have made as citizens of this country. We have made great strides, but there is much more that needs to be done for equality and justice.
I honor Martin Luther King Jr. by being of service to others around me.
I celebrate Martin Luther King Jr. Day by using my voice to uplift others.
Martin Luther King Jr. inspires me to be a man of excellence and courage.
Denise, People Operations Program Manager
For me, Martin Luther King Jr. Day is a reminder of how far we’ve come, and how far we still have to go as a society – especially in today’s time of social unrest. Some of Dr. King’s most poignant quotes are still so applicable and impactful today.
For example – “People fail to get along because they fear each other; they fear each other because they don’t know each other; they don’t know each other because they have not communicated with each other.”
I honor Martin Luther King Jr. by doing what I can to have a positive impact on the lives of others.
I celebrate Martin Luther King Jr. Day by looking for areas to give back and serve.
Martin Luther King Jr. inspires me to do better, be better and influence the world around me accordingly.
Kristol, Global Sales Operations Manager
MLK Jr. Day is a reminder of the influence ONE person can have on people, perspectives, and shaping a platform. It means that my voice matters and that I have a right to live my dream—a dream that we continue to fight for today.
I honor Martin Luther King Jr. by never giving up on my dreams.
I celebrate Martin Luther King Jr. Day by freely bringing my authentic self to work, home and the community every day.
Martin Luther King Jr. inspires me to be a courageous, strategic and compassionate leader.
Le Var, Customer Success Manager
MLK Day always drives me to think about Dr. King’s dream and the work of the civil rights movement. I then look for ways I can make an impact in my local community to continue the work of those before me.
I honor Martin Luther King Jr. by passing the baton and sharing his dream to the next generation, molding my children to understand the past, and continuing to push Dr. King’s dream for future decades.
I celebrate Martin Luther King Jr. Day by researching African American history in an effort to broaden my own knowledge and share information I’ve learned with my peers.
Martin Luther King Jr. inspires me to make a positive impact on the community I live in. Much like Dr. King, I am one man who strives to be the dream of my ancestors. Individually, I can move boulders, but collectively, we can move mountains.
Lynne, EVP of Enterprise Global Sales and Marketing and Executive Sponsor
Martin Luther King Jr. Day means a chance to celebrate the legacy of a man who was a pivotal leader of the civil rights movement, hope and healing. Though his life was a short one, his impact was great, and there are so many lessons to learn from the words that MLK Jr. has left with us.
I honor Martin Luther King Jr. by showing up as an ally who’s ready to listen and take action.
I celebrate Martin Luther King Jr. Day by reflecting on the wise lessons shared by Martin Luther King Jr. and making it a point to have conversations about his impact.
Martin Luther King Jr. inspires me to use my voice to encourage conversation, connection and community.
Learn More About Dr. King’s Mark on the World
The post Honoring Martin Luther King Jr.’s Legacy with McAfee’s African Heritage Community appeared first on McAfee Blogs.
The researcher John Page launched malvuln.com, the first website exclusively dedicated to the research of security flaws in malware codes.
The security expert John Page (aka hyp3rlinx) launched malvuln.com, the first platform exclusively dedicated to the research of security flaws in malware codes.
The news was first announced by SecurityWeek, the researcher explained that Malvuln is the first website dedicated to research and analysis of vulnerabilities in malware samples.
“malvuln.com is the first website exclusively dedicated to the research of security vulnerabilities within Malware itself.” wrote the expert. “There are many websites already offering information about Malware like Hashes, IOC, Reversing etc. However, none dedicated to research and analysis of vulnerabilities within Malware samples… until now. Long Live MALVULN.”
Sharing knowledge of vulnerabilities affecting malware could allow incident response teams to neutralize the threat in case of infection, but it could also help vxers to address them and improve their malware. For this reason, it is likely that Page will regulate the vulnerability disclosure process in the future.
This is a great initiative and we have to support it. Everyone can get in contact with the expert via Twitter (@malvuln) or email (malvuln13[at]gmail.com).
Currently, Page is the sole contributor to the Malvuln service, but he could start accepting third-party contributions in the future.
Clearly, the initiative is born for educational and research purposes only.
At the time of writing the site already includes 26 entries related to remotely exploitable buffer overflow flaws and privilege escalation issues. Most of the buffer overflow vulnerabilities could be exploited for remote code execution.
For each flaw reported through the website, the record includes several pieces of information: the name of the malware, the MD5 hash, the type of vulnerability, a description of the vulnerability, dropped files, a memory dump, and proof-of-concept (PoC) exploit code.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Golang-based worm)
UK Accidentally Deletes 150k Arrest Records
The UK government is investigating a technical issue that led to 150,000 arrest records being accidentally wiped from nationwide police databases.
Over 150,000 fingerprint records, DNA records, and arrest history records were lost as a result of the glitch. One source told The Times that the error could potentially allow offenders to escape justice as biometric evidence captured from crime scenes will no longer be flagged on the Police National Computer (PNC).
The error also impacted Britain's visa system, causing the processing of applications to be suspended for two days.
Sources told The Times that the records were accidentally wiped during one of the weekly data expunging acts known as "weeding" sessions.
The newspaper reported that “crucial intelligence about suspects” had vanished as a result of the incident. However, the Home Office said that no records of criminals or dangerous persons had been deleted and that the lost data related to individuals who had been arrested and then released without charge.
UK Minister for Policing Kit Malthouse said officials were “working at pace” to attempt the recovery of the lost records.
He said: “A fast time review has identified the problem and corrected the process so it cannot happen again. The Home Office, NPCC [National Police Chiefs’ Council] and other law enforcement partners are working at pace to recover the data.
“While the loss relates to individuals who were arrested and then released with no further action, I have asked officials and the police to confirm their initial assessment that there is no threat to public safety. I will provide further updates as we conclude our work.”
Shadow Home Secretary Nick Thomas-Symonds said: “This is an extraordinarily serious security breach that presents huge dangers for public safety. The incompetence of this shambolic government cannot be allowed to put people at risk, let criminals go free and deny victims justice.”
The loss of the data follows the removal of 40,000 alerts regarding European criminals from the PNC with the UK's Brexit departure from the European Union.
Organizations need to make better-informed and faster decisions with a focus on automation, real-time risk assessment and mitigation, continuous value delivery and agility. Here's how you can get there.
The post Deliver data and analytics business value with DataOps first appeared on IT World Canada.
NCSC Reveals New Solution to Protect Remote Public Sector Workers
The UK’s National Cyber Security Center (NCSC) has outlined the creation of a new protective domain name service (PDNS) solution in partnership with Nominet, the official registry for UK domain names.
The service, named PDNS Digital Roaming, is designed to enhance the security of public sector staff working from home as a result of the COVID-19 pandemic. The app, free at the point of use, will extend the protection offered by the original PDNS solution, which is delivered by Nominet, to remote networks.
PDNS has been in place since 2017, and helps keep public sector organizations secure by hampering the use of DNS for malware distribution and operation. Last year, it was being used by over 760 public sector organizations, protecting an estimated 2.8 million staff.
PDNS Digital Roaming enables these protections to extend to employees working from home by detecting when a device is outside of its enterprise network and redirecting DNS traffic to PDNS, using the encrypted DNS over HTTPS (DoH) protocol. This applies from whichever network employees connect to the internet from.
David Carroll, MD of Nominet’s cybersecurity arm commented: “The NCSC reacted quickly to the challenges that coronavirus presented to the cyber-defense of the nation. For example, elements of the Active Cyber Defense program – including the PDNS, which is delivered by Nominet on behalf of the NCSC – were made available to many more organizations in the past year, including over 200 frontline public health bodies.
“Without a fixed IP address, staff needed another option for accessing the protections of the PDNS – PDNS Digital Roaming has been the answer. This app was launched in September to all those currently eligible to use the PDNS. By installing it on their device, staff can ensure that their DNS traffic is being directed to the PDNS and is thus protected by this innovative service.
“Keeping critical services secure has never been so important. As we position our country as a global digital leader for the future, it will be important to devise solutions that are adaptable as well as highly resilient and secure.”
At the end of last year, Infosecurity spoke to Russell Haworth, CEO of Nominet, about how the company is combatting the rise in malicious domain names since the start of the COVID-19 pandemic.
We’re all familiar with terms such as “threat-hunting”, “boots on the ground Intelligence” or “DNS traffic filtering.” Going back to one’s roots is always a good idea and today I’ll do just that. This article is dedicated to malicious applications. Indeed, we are going to talk about the malicious app definition, what makes an app […]
Experts maintain that organizations that mandate multifactor authentication as an extra step to protect logins greatly improve their defences. However, it’s not fail-proof.
The latest example is this week’s warning from the U.S. government’s cybersecurity agency that successful hacks have been reported on cloud services, including one that got around MFA, possibly by stealing browser cookies.
The report from the Cybersecurity and Infrastructure Security Agency (CISA) also makes it clear that firms thinking cloud services alone improve security are wrong: “Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” the report says.
“Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”
One thing many cloud attacks have in common, the report adds, is that victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access the cloud services.
Threat actors often use phishing emails with malicious links to harvest credentials for users’ cloud service accounts. Some included a link to what appeared to be a secure message, while others looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain access to the user’s cloud service account. The attackers then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within the organization’s file hosting service.
Port 80 open
In one case, the report says an organization didn’t require a virtual private network (VPN) for accessing the corporate network. Although their terminal server was located within their firewall due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts.
Abuse of email forwarding
In several cases, threat actors collected sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.
In one case the attackers modified an existing email rule on a user’s account — originally set by the user to forward emails sent from a certain sender to a personal account — to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts. Attackers sometimes modified existing rules to search users’ email messages (subject and body) for several finance-related keywords and then forward the matching emails to the hackers.
In other cases the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.
CISA verified that in one case a threat actor successfully signed into one user’s account with proper multi-factor authentication (MFA). CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack.
On the other hand the agency admits MFA did thwart attempted brute force attacks on some accounts.
The report “is a rude awakening that attackers are seeing personal email accounts as the soft underbelly to corporate environments and are starting to use “pass-the-cookie” techniques to successfully bypass multi-factor authentication,” said Ed Bishop, CTO of security firm Tessian. “While phishing is a persistent threat to company security, the risk posed by people sending emails to personal accounts is often overlooked, and it’s a risk that’s been heightened as people work remotely.”
He added that personal accounts are easier to compromise because they are typically only protected by home routers, which often have remote management APIs. Companies should only allow access to corporate cloud infrastructure from known IP addresses, ideally via a corporate VPN endpoint with separate strong authentication or MFA in place.
In addition, businesses must treat remote home networks as untrusted, in the same way they do for airports or coffee shops, and require remote workers to use a VPN for any work-related task. Lastly, it’s important that companies monitor when new forwarding rules are created, and in some cases even disable auto-forwarding rules altogether.
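The forwarding-rule abuse described above, and the recommendation to monitor new or changed rules, can be checked against an exported rule set. This is an added example and not code from CISA or IT World Canada; the rule records are constructed, and their field names (Name, ForwardTo, RedirectTo, MoveToFolder, SubjectOrBodyContainsWords, DeleteMessage) are assumed to mirror an Exchange Online inbox-rule export.

```python
"""Audit exported mailbox rules for the forwarding-rule abuse patterns in the CISA report.

Added example; field names and the sample snapshots are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
# Folders users rarely open; the report describes warnings being parked in RSS folders.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "transfer"}
ALERT_WORDS = {"phishing", "hacked", "suspicious", "password", "security", "compromised"}


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule: str
    reason: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(mailbox: str, rule: dict) -> list[Finding]:
    """Return findings for one inbox rule (empty list if nothing looks suspicious)."""
    findings: list[Finding] = []
    name = rule["Name"]
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    folder = (rule.get("MoveToFolder") or "").lower()

    # Pattern 1: forwarding or redirecting mail outside the organisation.
    external = sorted(t for t in targets if _domain(t) not in ORG_DOMAINS)
    if external:
        findings.append(Finding(mailbox, name, "forwards to external: " + ", ".join(external)))
        # Pattern 2: the forward is filtered on finance keywords.
        hits = sorted(words & FINANCE_WORDS)
        if hits:
            findings.append(Finding(mailbox, name,
                                    "finance-keyword filter on a forwarding rule: " + ", ".join(hits)))
    # Pattern 3: security warnings moved to an unread folder, or deleted outright.
    if words & ALERT_WORDS and (folder in HIDING_FOLDERS or rule.get("DeleteMessage")):
        where = "deletes" if rule.get("DeleteMessage") else f"moves to '{rule['MoveToFolder']}'"
        findings.append(Finding(mailbox, name, f"{where} messages matching alert keywords"))
    return findings


def audit_export(export: dict[str, list[dict]]) -> list[Finding]:
    """export maps mailbox address -> list of rule records."""
    return [f for mailbox, rules in export.items() for r in rules for f in audit_rule(mailbox, r)]


def rule_changes(previous: dict[str, list[dict]],
                 current: dict[str, list[dict]]) -> list[tuple[str, str, str]]:
    """Diff two snapshots: (mailbox, rule name, 'created' | 'modified').

    Supports the recommendation to notice when forwarding rules are created or changed.
    """
    changes = []
    for mailbox, rules in current.items():
        before = {r["Name"]: r for r in previous.get(mailbox, [])}
        for r in rules:
            if r["Name"] not in before:
                changes.append((mailbox, r["Name"], "created"))
            elif before[r["Name"]] != r:
                changes.append((mailbox, r["Name"], "modified"))
    return changes


# Constructed sample snapshots (not real data): a user-created personal forward on
# Monday; by Tuesday it has been repointed and a hiding rule named "." has appeared.
SNAPSHOT_MONDAY = {
    "alice@example.com": [
        {"Name": "Vendor mail", "SubjectOrBodyContainsWords": ["invoice"],
         "ForwardTo": ["alice.home@example.net"]},
        {"Name": "Newsletters", "SubjectOrBodyContainsWords": ["newsletter"],
         "MoveToFolder": "Reading"},
    ],
}
SNAPSHOT_TUESDAY = {
    "alice@example.com": [
        {"Name": "Vendor mail", "SubjectOrBodyContainsWords": ["invoice", "payment", "wire"],
         "ForwardTo": ["collector@attacker-controlled.invalid"]},
        {"Name": "Newsletters", "SubjectOrBodyContainsWords": ["newsletter"],
         "MoveToFolder": "Reading"},
        {"Name": ".", "SubjectOrBodyContainsWords": ["phishing", "hacked", "password"],
         "MoveToFolder": "RSS Feeds"},
    ],
}

if __name__ == "__main__":
    for f in audit_export(SNAPSHOT_TUESDAY):
        print(f"{f.mailbox} rule '{f.rule}': {f.reason}")
    for change in rule_changes(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY):
        print("change:", change)
```

Note that the Monday snapshot already produces findings: a user's own forward to a personal account is exactly the rule the report says attackers later repoint.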
Christian Espinosa, managing director at Cerberus Sentinel, noted that pass-the-cookie attacks aren’t new.
Cookies establish session persistence for web applications, he said in an email, and are placed on a computer whether MFA is used or not. The cookie contains the session ID and access tokens to the web application to avoid constant re-authentication. “This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state.”
He said the way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Cookies should be set with a short lifespan and for a single session, so that when the browser is closed, the cookie is made void. Users should be trained to log off the web application and close their browser after they are done using it. Many users never log off or close a browser, he noted, which increases risk.
The CISA report includes a long list of recommendations for better securing cloud applications. For those using Microsoft Office 365, it specifically recommends:
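As an added example (not code from the article or from Cerberus Sentinel), the following checks Set-Cookie headers for the short-lived, session-only settings Espinosa describes, and pairs them with a server-side session store that enforces idle and absolute timeouts, since a browser discarding its cookie does not invalidate a copy that was already stolen. The lifetime thresholds and the sample headers are assumptions.

```python
"""Session-cookie hygiene: audit Set-Cookie headers and enforce expiry server-side.

Added example; thresholds and sample headers are constructed assumptions.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_COOKIE_LIFETIME = timedelta(hours=8)  # assumption: policy ceiling for a persistent cookie


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for p in parts[1:]:
        k, has_val, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if has_val else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str, now: datetime) -> list[str]:
    """Return policy violations for one Set-Cookie header (empty list means compliant)."""
    name, _, attrs = parse_set_cookie(header)
    issues = []
    lifetime = None
    if "max-age" in attrs:                      # Max-Age wins over Expires per RFC 6265
        lifetime = timedelta(seconds=int(attrs["max-age"] or 0))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    # No Max-Age/Expires means a session cookie: dropped when the browser closes.
    if lifetime is not None and lifetime > MAX_COOKIE_LIFETIME:
        issues.append(f"{name}: persistent cookie lives {lifetime} (limit {MAX_COOKIE_LIFETIME})")
    if "secure" not in attrs:
        issues.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        issues.append(f"{name}: missing HttpOnly")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        issues.append(f"{name}: SameSite not Lax/Strict")
    return issues


@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime


class SessionStore:
    """Server-side expiry: a replayed cookie stops working after the idle or absolute
    limit regardless of what the browser that received it does."""

    def __init__(self, idle: timedelta = timedelta(minutes=30),
                 absolute: timedelta = timedelta(hours=8)):
        self.idle, self.absolute = idle, absolute
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now: datetime) -> str | None:
        """Return the user for a live session, or None (and forget the session) if expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Explicit logoff invalidates the token immediately, not just in the browser."""
        self._sessions.pop(token, None)

    @staticmethod
    def set_cookie_header(token: str) -> str:
        # Session cookie: no Expires/Max-Age, so the browser discards it on close.
        return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers for the audit.
GOOD_HEADER = SessionStore.set_cookie_header("constructed-token")
BAD_HEADER = "sid=constructed-token; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"

if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    print(audit_set_cookie(GOOD_HEADER, now))   # []
    print(audit_set_cookie(BAD_HEADER, now))    # four issues
```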
- Assigning a few (one to three) trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire environment (Mailboxes, Teams, SharePoint, and OneDrive) for evidence of malicious activity.
- Disabling PowerShell remoting to Exchange Online for regular users. Disabling for non-administrative users will lower the likelihood of a compromised user account being used to programmatically access tenant configurations for reconnaissance.
- Don’t allow an unlimited amount of unsuccessful login attempts.
- And consider using a tool such as Sparrow or Hawk, which are open-source PowerShell-based tools used to gather information related to Office 365, to investigate and audit intrusions and potential breaches.
The post Weak cyber hygiene behind many successful cloud attacks, warns US agency first appeared on IT World Canada.
#CES2021: AI and Quantum Technologies Set to Disrupt Cybersecurity Industry
Artificial intelligence (AI) and quantum are set to be the next major technology disruptors and will have a profound impact on the cybersecurity sector, according to speakers in a session at the Consumer Electronics Show (CES) 2021.
Advancements in these areas are likely to lead to new opportunities for cyber-criminals to launch attacks, but conversely, can also enable the development of stronger cybersecurity defenses.
Vikram Sharma, founder and CEO at QuintessenceLabs, explained that these technologies form part of the predicted “fourth industrial revolution,” which will radically enhance our technological capabilities. “The fourth industrial revolution is really a confluence of a number of technologies, so alongside AI, 5G, robotics, 3D printing and IoT, quantum is one of these very important technologies of our time.”
He said it is critical organizations now look at how they can leverage quantum for cybersecurity purposes. This is because of its potential to provide a “robust” protection of data as well as to counter the threats this tech could pose in the hands of attackers. Sharma added: “The general consensus is we may see an adversary who has a quantum computer at the right scale to impact cybersecurity within the next five to 10 years.”
Similarly, it is critical that proactive steps are taken to tackle the use of AI by threat actors to launch attacks. Pete Tortorici, director, Joint Information Warfare at the Department of Defense (DOD) Joint Artificial Intelligence Center, outlined a number of considerations in this regard: “How are we going to understand what network incident detection is going to look like in the world of AI? How do we leverage AI to secure network capabilities? How do we build robust analytics to let us know when things have happened inside of a network?”
For organizations to successfully implement AI solutions, underlying issues first need to be resolved. Tortorici said: “A lot of organizations haven’t solved the data problem that underlies being able to get after an AI solution.” He added this can be as simple as collecting and keeping the data needed to feed their algorithm.
Another issue is meeting the demand for AI specialists and data engineers from a security standpoint. Tortorici commented: “I wonder if we have the required incentives, both educational and professional, to grow this skillset over the next several decades.” He added that at the Department of Defense there is now a strong emphasis on “cultivating and retaining talent” in this area.
In regard to quantum, Sharma said that his company has observed organizations becoming increasingly aware of the transformative potential of quantum, and “a number of them have started the process of building internal subject matter expertise within their engineering and development groups around quantum.”
However, much more focus needs to be placed on its potential impact on cybersecurity. Part of this is ensuring organizations are better educated on how to adapt their security posture. Sharma added: “While awareness of quantum is developing and generally people have some conception that there is a risk to cybersecurity, there isn’t a proper understanding of what this means in terms of implications for the cyber-technologies that are deployed today.”
It is therefore critical that organizations prepare for the expected growth in AI and quantum, both to improve their productivity and to enhance their cybersecurity. Two key factors emphasized by Sharma and Tortorici were general awareness and developing the right skillsets.
Next week we will publish our third annual “Defending Against Critical Threats” report; a roundup of some of the most impactful cyber attacks from the past 12 months.
Included in the publication are articles about how cyber criminals sought to take advantage of the COVID-19 pandemic. We also cover Big Game Hunting attacks, whereby cyber criminals seek to monopolize a ransomware deployment in a ‘post compromise’ phase.
Of course, last year saw one of the most momentous general elections in United States history, and Cisco Talos has spent the last four and a half years conducting hands-on research into election security. In the publication coming next week, we have an interview with the leader of that research, Matt Olney, to capture his thoughts post-election.
We didn’t have room for the interview in its entirety however, so whilst we’re dotting the i’s and crossing the t’s on the final report, we thought we would bring you some extracts from my conversation with Matt, as a bit of an aperitif of what’s to come next week:
Four and a half years ago you and the team decided to put a large amount of resource into researching and investigating election security. What triggered this decision?
The inciting event was the 2016 breach of the Democratic National Committee servers. The news first emerged in the Washington Post, and was quickly confirmed by the New York Times.
We started gathering information, and it soon became clear that this was a case of a foreign adversary orchestrating an attack on our elections. The decision part was easy: I wanted our team to be able to help fight against this.
At that point, did you know how much research you were going to undertake? How did you start your investigation?
I had a sense, yes. But at that point in 2016, I also didn’t know what I didn’t know.
To start things off, I called David Liebenberg, who is still on my team and now heads my strategic analysis team. I asked him, “Could you call all 50 secretaries of state and ask them how they handle security?”
The secretaries’ offices weren’t super enthusiastic about someone who cold called them out of the blue, wanting them to answer questions about the security of their system. But that’s what we did, and thanks to David’s efforts we got several breakthroughs.
For example, the Georgia Secretary of State’s office redirected us to an expert at Kennesaw State University, where they had a research organization into elections.
They were the first people to talk to us about the uniqueness of the economy that surrounds election security, and the relationship between vendors and the Secretary of State’s office and how conscious of mitigations they are.
What was the political context at the time, and what was the overall process for election security in 2016?
After the 2016 DNC breach, the Department of Homeland Security became the critical infrastructure touch point from the federal government for election security. But that wasn’t without pushback.
This was at a point when Barack Obama was still President. There were very strong counters, primarily from Republican states, against federal intrusion into state elections.
That was a very difficult time, because the United States is made up of counties, and the states themselves run the elections. The federal government had no real role in the administration of them. So there were a lot of challenges there.
At the time I remember thinking that this was crazy, and that there really should be more federal involvement in election security. But I came to acknowledge that it was going to be a very challenging ask in 2016 to have the federal government provide any real value (in terms of assistance into election security) before the elections that happened in November of that year.
Amongst those challenges, what was your next step?
The Mississippi Secretary of State’s office invited us to come on site for a week to dig into how their systems are built, and learn what mitigations they have in place. We were also able to share our insights into adversary behavior, and how attackers might target election infrastructure.
We learned an incredible amount about how election administrators think about elections because of that experience.
We also had a really useful ally at the Cyber Threat Alliance, Neil Jenkins, who is the Head of Data Analysis and Intelligence. In 2016, he was the point person at the Department of Homeland Security for election security issues.
We sat down with him and had a conversation, and he was the first person to point out that the people behind running elections are absolutely outstanding. They think in terms of contingencies, because they know that they have one chance to run an election on one day. They therefore anticipate thousands of different scenarios, from everything down to the whole county being flooded.
I think that’s one of the things that’s hard for a lot of people to understand. When you run an election in a country with 328 million people in it, there’s inevitably going to be problems that come up. But those problems aren’t an indication of malicious behavior necessarily. And so how you handle the situation is what determines your success. That’s why election officials are so outstanding – because they have so many standards and procedures in place.
This became very apparent in our conversations in Mississippi. We were constantly asking, “What if this happens?” or “How do you control for this?” And every single time they had an answer, no matter what we threw at them. There was never a point where they said, “Oh, we never thought of that.”
I think about this a lot when I see all the election security conspiracy theories. When someone can think of something that would cause that system problems, they immediately assume that they’ve found some nefarious backdoor. But the system is built to handle things like this.
There’s a great example from Ohio. Ohio was the second state we visited and I remember sitting down with the election officials team, discussing how they handled disinformation campaigns.
They told us a story about how they were monitoring Twitter. They had a system with a whole bunch of keywords set up, and any time a keyword showed up they would get an alert. And they found a gentleman in Ohio who was going from precinct to precinct, voting at each of them. He then went onto Twitter and YouTube and videoed himself saying, “Look, I can vote multiple times and they’re letting me do it. This election is a sham.”
The team in Ohio reached out to this gentleman and said, “A couple things: One, the first time you cast your vote it was counted, but every subsequent time you cast your vote, you actually cast what’s called a provisional ballot, because you were at the wrong precinct. So before that ballot is counted, you’re going to be checked to see if you voted previously. Also, you’re kind of committing a felony here.”
From the outside, the story is that this guy voted 10 times, but that’s not how the system works. It’s built, as per federal law, from the Help America Vote Act, where provisional ballots help to assure Americans that, even if there’s a small hiccup in the process, there’s a chance for their vote to be counted. And that vote will be validated and then counted.
It’s all part of the controls that the system has in place to protect the franchise of American voters. Yes, it’s a complicated system, and it’s different in every state, but there are controls at every point along the way.
What would you say is the greatest challenge that you came up against during the course of your research over the four and a half years?
There isn’t a huge amount of transparency about election security, for obvious reasons. But it’s also partly because, in the past, certain security researchers have taken a very antagonistic approach to talking about these issues.
There was one example which I can recall from a presentation at DEF CON. It was by a security researcher who shall remain nameless. The National Association of Secretaries of State came back after the presentation and said it didn’t fully represent the defensive state of elections.
The response of the researcher was to turn around and say, “Well, you’re just a bunch of ******* luddites.”
A few years later I sat in a meeting with the National Association of Secretaries of State, and the Director just so happened to be sitting next to me.
I said to her, “I’m here to learn about what makes your systems unique, and to share my expertise in this space. I’m here to be a partner, I’m not here to tell you what to do or to cause problems. I would never, for example, call you a luddite.”
She turned to me with a grin and said, “A ******* luddite.”
The insult, quite understandably, had stayed with her all this time.
Because of that type of behavior from others in our field, for every interaction we had with the Secretary of State’s offices, we had to get over that hurdle of, “We’re not here to be that person. That’s not the kind of experience we want you to have.”
I’m not overstretching this by saying that election security officials had a PTSD mentality with threat researchers. Those researchers weren’t looking for a partnership, they were looking for notoriety.
We were very clear that we wanted to be a partner in this process, because we understood that they are the people who specialise in elections. We specialise in nation state actors. Between the two of us, we could come out of the other side of this with a better outcome.
Don’t miss the full interview with Matt in next week’s publication of ‘Defending Against Critical Threats: A 12 month roundup’.
In the meantime, you can subscribe to the Security Stories podcast to hear more about the topics in the report in the next episode out on Tuesday.
And be sure to check out Talos’ election coverage at https://blog.talosintelligence.com/2020/10/what-to-expect-when-youre-electing-recap.html.
A Chinese threat actor targeted organizations in Russia and Hong Kong with a previously undocumented backdoor, experts warn.
Cybersecurity researchers from Positive Technologies have uncovered a series of attacks conducted by a Chinese threat actor that aimed at organizations in Russia and Hong Kong. Experts attribute the attacks to the China-linked Winnti APT group (aka APT41) and reported that the attackers used a previously undocumented backdoor in the attacks.
The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.
The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, APT41, and ShadowPad.
The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.
The recent attacks documented by Positive Technologies were first spotted on May 12, 2020, when the experts detected several samples of the new malware that were initially incorrectly attributed to the Higaisa threat actors. Investigating the attack, the experts discovered a number of new malware samples used by the attackers, including various droppers, loaders, and injectors. The attackers also used the Crosswalk, ShadowPad, and PlugX backdoors, but the researchers also noticed a sample of a previously undocumented backdoor that they dubbed FunnySwitch.
In the first attack, the threat actors used LNK shortcuts to extract and run the malware payload, while in the second attack detected on May 30, the threat actor used a malicious archive (CV_Colliers.rar) containing the shortcuts to two bait PDF documents with a CV and IELTS certificate.
The LNK files contain links to target pages hosted on Zeplin, a legitimate collaboration service for designers and developers.
The payload consists of two files: svchast.exe, which acts as a simple local shellcode loader, and ‘3t54dE3r.tmp’, which is the shellcode containing the main payload (the Crosswalk malware).
Crosswalk was first spotted by researchers from FireEye in 2017 and included in an analysis of the activities associated with the APT41 (Winnti) group. The malware is a modular backdoor that implements system reconnaissance capabilities and is able to deliver additional payloads.
Experts also discovered a significant overlap of the network infrastructure with the APT41’s infrastructure.
“The network infrastructure of the samples overlaps with previously known APT41 infrastructure: at the IP address of one of the C2 servers, we find an SSL certificate with SHA-1 value of b8cff709950cfa86665363d9553532db9922265c, which is also found at IP address 67.229.97[.]229, referenced in a 2018 CrowdStrike report. Going further, we can find domains from a Kaspersky report written in 2013.” reads the report published by Positive Technologies. “All this leads us to conclude that these LNK file attacks were performed by Winnti (APT41), which “borrowed” this shortcut technique from Higaisa.”
The Winnti group focuses on the computer game industry; in the past it targeted game developers, and recently it hit Russian companies in the same industry. The targets of the recent attacks include Battlestate Games, a Unity3D game developer from St. Petersburg.
In June, the researchers detected an active HttpFileServer on one of the active C2 servers. The HFS contained an email icon, a screenshot from a game with Russian text, a screenshot of the site of a game development company, and a screenshot of information about vulnerability CVE-2020-0796 from the Microsoft website. The files were used two months later, on August 20, 2020, in attacks that also leveraged a self-contained loader for Cobalt Strike Beacon PL shellcode.
The discovery led the experts to believe that they had detected traces of preparation for, and subsequent successful implementation of, an attack on Battlestate Games.
“Winnti continues to pursue game developers and publishers in Russia and elsewhere. Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS. By ensuring timely detection and investigation of breaches, companies can avoid becoming victims of such a scenario.” concludes the report.
(SecurityAffairs – hacking, Winnti APT)
The cyber kill chain model offers a detailed perspective and the appropriate methods to recognize incidents surrounding an attack against an organization. This model allows security teams to impede the assault during a certain stage and consequently design stronger security and enhance their incident response and analysis capabilities. Throughout the past couple of decades, cyber […]
Typically, the International Consumer Electronics Show (CES) gives us a sense of where technology is going in the future. However, this year’s show was arguably more about technology catching up with how the COVID-19 pandemic has reshaped our lives. While gathering in person was not an option, we still had the opportunity to witness incredible technological feats virtually – primarily those meant to help us better adapt to the new normal.
From devices aimed at making the world more sanitary to new work-from-home solutions, here are some of the highlights from this year’s first ever virtual CES:
Extreme Home Makeover: Digital Edition
Every year, CES introduces a plethora of smart home devices aimed at making our lives easier. But now that our homes have expanded beyond where we live to function as a workplace and classroom, companies have developed new gadgets to improve our lives while we stay at home. In fact, the smart home market grew 6.7% from 2019 to 2020 to $88 billion and is expected to reach $246.42 billion by 2025.
This year, Kohler showed off voice control features for its sinks and other fixtures, so homeowners can turn on faucets without touching them. And while every CES is paved with an array of flashy new TVs, LG drummed up lots of excitement with its new 55-inch transparent TV that you can see through when it’s turned off.
From monitors to keyboards and Wi-Fi upgrades to charging stations, plenty of the gadgets coming out of this year’s show were designed to improve the remote work experience. Take Dell’s UltraSharp 40-inch Curved Ultrawide U4021QW Monitor, for example. Ultrawide is the functional equivalent of two 4K monitors side-by-side, but without the seam. Belkin and Satechi also brought their latest charging stations to CES 2021 to improve the home office, allowing users to charge multiple devices at once. With so many companies creating innovative devices to make our work-from-home lives more manageable in the long run, it’s clear that remote work is likely here to stay.
Staying Healthy at Home in a Global Health Crisis
CES 2021 also brought us a whole new lineup of technology designed to help us monitor our health at home. Fluo Labs debuted Flō, a device that stops your body from releasing histamines when pollen, dust, and other allergens enter your body. HD Medical also introduced HealthyU, a device smaller than a GoPro that includes a seven-lead ECG, a temperature sensor, a pulse oximeter, microphones to record heart and lung sounds, a heart rate monitor, and a blood pressure sensor. HealthyU is designed for people with heart issues to keep tabs on their health every day and send that information to their doctors remotely. Not only will these devices enable us to take better care of ourselves if we can’t physically go to a doctor’s office, but they will also enhance our awareness of ourselves and our loved ones.
Touchless Tech is on the Rise
In 2020, we became hyper-aware of germs and how easily they can spread – one of those ways being on digital devices. While disinfecting these surfaces with an alcohol solution can help, many are taking a different approach to avoid spreading germs: touchless technology.
While no one technology can win the battle against the virus, many companies are doing their part to promote a cleaner, healthier future. For example, Plott built a doorbell called the Ettie that can take people’s temperature before they’re allowed to enter. Another company, Alarm.com, created a Touchless Video Doorbell to cut down on the transmission of bacteria and viruses that we otherwise often leave on places we touch. Kohler also built a toilet that flushes with the wave of a hand. As we head further into 2021 and beyond, be on the lookout for more voice-activated and touchless devices to help slow the spread of germs and help us live our lives free from worry.
Adapt to the Cybersecurity Landscape in a Hyper-Connected World
We’ve become more reliant on technology than ever before to stay connected with loved ones from afar, work from home without missing a beat, participate in distance learning, and find new forms of digital entertainment. But with this increase in time spent online comes a greater risk of cyberthreats, and we must stay vigilant when it comes to protecting our online safety. Hackers continue to adapt their techniques to take advantage of users spending more time online, so we must educate and protect ourselves and our devices from emerging threats. This way, we can continue to embrace new technologies, while we live our digital lives free from worry.
The post CES 2021: Highlights From the “Cleanest” Show Yet! appeared first on McAfee Blogs.
Edmonton Mayor Don Iveson, Winnipeg Mayor Brian Bowman, Surrey, BC Mayor Doug McCallum, BC’s Chief Digital Officer Jaime Boyd, Calgary CIO Jan Bradley, and Vancouver CIO, Catherine Chick, headline the participants for the three-hour virtual event. The post Technicity West: What’s next for digital government? first appeared on IT World Canada.
We all know that our cell phones constantly give our location away to our mobile network operators; that’s how they work. A group of researchers has figured out a way to fix that. “Pretty Good Phone Privacy” (PGPP) protects both user identity and user location using the existing cellular networks. It protects users from fake cell phone towers (IMSI-catchers) and surveillance by cell providers.
It’s a clever system. The players are the user, a traditional mobile network operator (MNO) like AT&T or Verizon, and a new mobile virtual network operator (MVNO). MVNOs aren’t new. They’re intermediaries like Cricket and Boost.
Here’s how it works:
- One-time setup: The user’s phone gets a new SIM from the MVNO. All MVNO SIMs are identical.
- Monthly: The user pays their bill to the MVNO (credit card or otherwise) and the phone gets anonymous authentication tokens (using Chaum blind signatures) for each time slice (e.g., hour) in the coming month.
- Ongoing: When the phone talks to a tower (run by the MNO), it sends a token for the current time slice. This is relayed to an MVNO backend server, which checks the Chaum blind signature of the token. If it’s valid, the MVNO tells the MNO that the user is authenticated, and the user receives a temporary random ID and an IP address. (Again, this is how MVNOs like Boost already work.)
- On demand: The user uses the phone normally.
The MNO doesn’t have to modify its system in any way. The PGPP MVNO implementation is in software. The user’s traffic is sent to the MVNO gateway and then out onto the Internet, potentially even using a VPN.
All connectivity is data connectivity in cell networks today. The user can choose to be data-only (e.g., use Signal for voice), or use the MVNO or a third party for VoIP service that will look just like normal telephony.
The group prototyped and tested everything with real phones in the lab. Their approach adds essentially zero latency, and doesn’t introduce any new bottlenecks, so it doesn’t have performance/scalability problems like most anonymity networks. The service could handle tens of millions of users on a single server, because it only has to do infrequent authentication, though for resilience you’d probably run more.
The paper is here.
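The blind-signature token flow described above, as a small added example in Python (not the researchers' implementation): it models the MVNO backend, the phone, and the relay step, and assumes details the summary does not state, namely one key pair per time slice, tokens built from SHA-256 of a random nonce, and a spent-token set for replay rejection.

```python
"""Toy PGPP-style anonymous authentication using RSA blind signatures.
Added illustration, not the researchers' implementation. Assumed details the
write-up does not state: one MVNO key pair per time slice (so a token is only
valid for its slice), tokens are SHA-256 of a random nonce, and the backend
keeps a spent-token set to reject replays. 512-bit RSA is a toy key size."""
import hashlib
import math
import secrets

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin after trial division; adequate for a toy key.
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

class MvnoBackend:
    # Issues blind signatures at billing time and later verifies tokens the
    # MNO tower relays, without learning which subscriber is which.
    def __init__(self, slices, bits=512):
        self.keys = {}
        for s in slices:
            while True:
                p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
                phi = (p - 1) * (q - 1)
                if p != q and math.gcd(65537, phi) == 1:
                    break
            self.keys[s] = (p * q, 65537, pow(65537, -1, phi))
        self.issued = []    # all the MVNO sees at billing: blinded values
        self.spent = set()  # (slice, signature) pairs already redeemed

    def public_key(self, s):
        n, e, _ = self.keys[s]
        return n, e

    def sign_blinded(self, s, blinded):
        # Monthly step: sign without learning the underlying token.
        n, _, d = self.keys[s]
        self.issued.append(blinded)
        return pow(blinded, d, n)

    def authenticate(self, s, token, sig):
        # Ongoing step: MNO relays (token, sig) for slice s. Returns a
        # temporary random ID for the session, or None if rejected.
        if s not in self.keys:
            return None
        n, e, _ = self.keys[s]
        if pow(sig, e, n) != token % n or (s, sig) in self.spent:
            return None
        self.spent.add((s, sig))
        return secrets.token_hex(8)

class Phone:
    # Handset with the (identical) MVNO SIM; gets one token per slice.
    def __init__(self, mvno, slices):
        self.tokens = {}
        for s in slices:
            n, e = mvno.public_key(s)
            digest = hashlib.sha256(secrets.token_bytes(32)).digest()
            token = int.from_bytes(digest, "big") % n
            r = secrets.randbelow(n - 2) + 2          # blinding factor
            while math.gcd(r, n) != 1:
                r = secrets.randbelow(n - 2) + 2
            blinded = (token * pow(r, e, n)) % n
            sig = (mvno.sign_blinded(s, blinded) * pow(r, -1, n)) % n   # unblind
            self.tokens[s] = (token, sig)

    def token_for(self, s):
        return self.tokens[s]

def demo(slices=("2021-01-13T10", "2021-01-13T11")):
    # Returns (accepted, replay_rejected, wrong_slice_rejected, unlinkable).
    mvno = MvnoBackend(slices)
    phone = Phone(mvno, slices)
    token, sig = phone.token_for(slices[0])
    first = mvno.authenticate(slices[0], token, sig)   # fresh token: accepted
    replay = mvno.authenticate(slices[0], token, sig)  # same token again: rejected
    wrong = mvno.authenticate(slices[1], token, sig)   # other slice's key: rejected
    unlinkable = token not in mvno.issued and sig not in mvno.issued
    return first is not None, replay is None, wrong is None, unlinkable
```

The `unlinkable` flag shows why the MVNO cannot tie a redeemed token back to the billing record: at issuance it only ever saw the blinded value.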
NSA: DNS over HTTPS Provides “False Sense of Security”
The US National Security Agency (NSA) has warned enterprises that adoption of encrypted DNS services can lead to a false sense of security and even disrupt their own DNS-monitoring tools.
DNS over HTTPS (DoH) has become an increasingly popular way to improve privacy and integrity by protecting DNS traffic between a client and a DNS resolver from unauthorized access. This can help to prevent eavesdropping and manipulation of DNS traffic.
However, although such services are useful for home and mobile users and networks not using DNS controls, they are not recommended for most enterprises, the US security agency claimed in a new report.
DoH is “not a panacea,” as it doesn’t guarantee that threat actors can’t see where a client is going on the web, said the NSA.
“DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied,” the report noted.
“While this allows clients to privately obtain an IP address based on a domain name, there are other ways cyber-threat actors can determine information without reading the DNS request directly, such as monitoring the connection a client makes after the DNS request.”
Moreover, DoH can actually impair network monitoring tools designed to spot suspicious activity in DNS traffic.
“DoH encrypts the DNS traffic, which prevents enterprises from monitoring DNS with these network-based tools unless they are breaking and inspecting TLS traffic. If DoH is used with the enterprise resolver, then inspection can still occur at the resolver or using resolver logs,” the report continued.
“However, if external DoH resolvers are not blocked and DoH is enabled on the user’s browser or OS to use a different resolver, there could be issues gaining visibility into that encrypted DNS traffic.”
Malware can also use DoH to hide its C&C communications traffic, the NSA warned.
The agency urged enterprises that use monitoring tools to avoid using DoH inside their networks.
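As an added example of the visibility check the NSA guidance implies (not from the report itself), the script below runs over constructed TLS connection records and flags clients reaching encrypted DNS resolvers other than the enterprise one; doh.corp.example is a hypothetical internal resolver, while the public resolver names and addresses are the well-known ones.

```python
"""Spot encrypted DNS that bypasses the enterprise resolver, per the NSA advice.
Added example, not from the NSA report. Input is constructed TLS connection
records: client dst_ip dst_port sni ('-' when no SNI). doh.corp.example is a
hypothetical internal DoH resolver; the public names/IPs are well-known ones."""
from collections import defaultdict

ENTERPRISE_DOH = {"doh.corp.example"}   # hypothetical: resolver logs keep visibility
PUBLIC_DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                  "dns.quad9.net", "doh.opendns.com"}
PUBLIC_DNS_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

def parse_line(line):
    client, dst_ip, dst_port, sni = line.split()
    return {"client": client, "dst_ip": dst_ip, "dst_port": int(dst_port),
            "sni": "" if sni == "-" else sni.lower().rstrip(".")}

def classify(rec):
    """Return None when the connection is acceptable, else a short reason."""
    sni, port, ip = rec["sni"], rec["dst_port"], rec["dst_ip"]
    if sni in ENTERPRISE_DOH:
        return None                       # inspection still possible at the resolver
    if port == 853:
        return "dns-over-tls to external resolver"   # DoT bypasses monitoring too
    if port == 443 and sni in PUBLIC_DOH_SNI:
        return "doh to public resolver " + sni
    if port == 443 and not sni and ip in PUBLIC_DNS_IPS:
        return "tls without sni to public dns address " + ip
    return None

def scan(lines):
    """Map client -> list of reasons for every flagged connection."""
    findings = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings[rec["client"]].append(reason)
    return dict(findings)

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
# client dst_ip dst_port sni
10.1.2.10 10.0.0.53 443 doh.corp.example
10.1.2.10 93.184.216.34 443 www.example.com
10.1.2.11 8.8.8.8 443 dns.google
10.1.2.12 1.1.1.1 853 -
10.1.2.13 1.1.1.1 443 -
10.1.2.14 104.16.248.249 443 cloudflare-dns.com
"""

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(client, "->", "; ".join(reasons))
```

The SNI-less case is the one that needs a destination list: once a resolver is reached by address only, the hostname match gives nothing, which is the gap the report warns about.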
This morning's podcast looks at marketplace scams, why vulnerabilities are increasing, vulnerability reports climbing, an update for an F5 Network controller and more. The post Cyber Security Today – Watch out for marketplace scams, why vulnerabilities are increasing and more first appeared on IT World Canada.
Facebook Sues Devs of Alleged Data-Scraping Chrome Extensions
Facebook is suing two European developers for allegedly violating its terms of service by scraping user data.
Legal action has been filed in Portugal by Facebook and Facebook Ireland against two individuals working for application/extension development company Oink and Stuff.
The firm claims its software products, available for Chrome, Firefox, Edge, Opera and Android, have over one million active users.
Facebook's Romero highlighted four extensions, Web for Instagram plus DM, Blue Messenger, Emoji keyboard and Green Messenger, that contained code which Facebook claims is malicious and effectively acts like spyware.
“When people installed these extensions on their browsers, they were installing concealed code designed to scrape their information from the Facebook website, but also information from the users’ browsers unrelated to Facebook — all without their knowledge,” argued Romero.
“If the user visited the Facebook website, the browser extensions were programmed to scrape their name, user ID, gender, relationship status, age group and other information related to their account. The defendants did not compromise Facebook’s security systems. Instead, they used the extensions on the users’ devices to collect information.”
Facebook is seeking a permanent injunction against the defendants, demanding they delete all Facebook data in their possession.
This is just one of many cases brought by the social network against third parties it accuses of impacting user privacy, a push that began in earnest following the Cambridge Analytica scandal.
In September 2019, the firm revealed it had filed suits against LionMobi and JediMobi, two companies that used apps to infect users’ devices with click injection fraud malware, South Korean data analytics firm Rankwave and Ukrainians Gleb Sluchevsky and Andrey Gorbachov, who used quiz apps to scrape user data.
Automated “Classiscam” Operation Made $6.5m in 2020
An e-commerce “scam-as-a-service” operation tried-and-tested in Russia has expanded to multiple European countries in 2020, making cybercrime groups over $6.5m in the process, Group-IB has warned.
The Singapore-based cybersecurity company claimed in a new report that “Classiscam” first appeared in Russia in the summer of 2019, but soon migrated west and hit a peak of activity over 2020 as remote workers surged online to shop.
There are now at least 40 active groups using the scam packages to con internet users out of their hard-earned cash.
“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3000 pages,” said Yaroslav Kargalev, deputy head of CERT-GIB.
“We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time that Russia has served as a testing ground for cyber-criminals with global ambitions.”
The groups publish ads for popular products on marketplaces and classified websites, with prices marked down to spark interest from buyers. Consumer electronics such as cameras, game consoles, laptops and smartphones are often listed.
Once the buyer gets in touch, the scammer typically takes the conversation off the marketplace to WhatsApp or other messenger channels, using local phone numbers to add authenticity.
The fraudster then asks for the victim’s delivery and contact information and sends a phishing link mimicking the real marketplace, which takes the user to a fake payment page.
Telegram bots are used to generate the ready-to-use phishing pages, streamlining the process and lowering the bar to entry for non-techie cyber-criminals.
Cybercrime groups using the service typically include three types of operative: admins, workers and callers.
Admins are responsible for recruiting new members, creating the scam pages and taking action when a bank blocks the victim’s transaction. Workers communicate directly with victims, while callers pretend to be tech support specialists.
Group-IB estimated that the most active groups make as much as $522,000 per month.
“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad,” said Dmitriy Tiunkin, head of Group-IB Digital Risk Protection Department, Europe.
“Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.”
Samsung removes the charger from its phones after making fun of Apple for doing the same, the San Francisco office market is collapsing as tech workers stay home, and a closer look at the tech firms that are hiring in Canada. The post Hashtag Trending – Samsung Unpacked; San Francisco office market in jeopardy; Who’s hiring in Canada? first appeared on IT World Canada.
Fujitsu: High Risk of #COVID19 Vaccine Disinformation Campaigns
There is a high risk of disinformation campaigns designed to spread panic and fear about the COVID-19 crisis, according to IT firm Fujitsu. In particular, it expects social engineering attacks to focus on fuelling uncertainty and doubt surrounding the effectiveness of COVID-19 vaccines as they begin to be rolled out across the world.
The company said that both criminal gangs and nation state actors will focus on controversial aspects of vaccine programs, including mandatory vaccination, health passports, mass immunity testing and lockdowns in these campaigns. These will target both businesses and individuals through a range of attack vectors, with phishing the most prominent.
There has been a huge rise in phishing campaigns observed since the start of the pandemic last year, with cyber-villains frequently using COVID-19 topics as lures.
The most sophisticated of these attacks will sow division between opposing sides, leading to more polarization and mistrust of information sources. This has been evident during recent elections such as the Brexit referendum in 2016 and the US elections last year.
Fujitsu added that it is already seeing malicious actors leverage issues around personal liberty linked to the pandemic, such as restrictions on movements and requirements to wear a facemask.
Paul McEvatt, head of cybersecurity innovation at Fujitsu, commented: “Phishing is at the heart of these attacks – the targeting of individuals based on their beliefs, or their circumstances, to socially engineer them into a compromised situation. People are more likely to fall for a phish when related to a topic they believe in or identify with. Today, the coronavirus pandemic is a global issue and a highly-emotional one, too, especially since it involves personal liberties and factors such as restriction on movement. There has probably never been a bigger topic for a disinformation attack.”
Earlier today, the European Medicines Agency revealed that documents related to COVID-19 medicines and vaccines have been leaked online following a cyber-attack on the regulator in December.
Have you ever wondered what intelligence means? This characteristic of humans encompasses – but it’s not limited to – learning, reasoning, problem-solving, perception and the use of language. These are also the characteristics that AI researchers have focused on, in order to find solutions for various aspects of our society today. The one we’ll focus […]
The post Artificial Intelligence in Cybersecurity: The Culture of the Future appeared first on Heimdal Security Blog.
Cisco announced it will no longer release firmware updates to fix 74 vulnerabilities affecting its RV routers, which reached end-of-life (EOL).
Cisco will no longer release firmware updates to address 74 vulnerabilities affecting some of its RV routers that reached end-of-life (EOL).
The vendor will not release updates for RV110W, RV130, RV130W, and RV215W devices that reached EOL in 2017 and 2018, although Cisco provided paid support until December 1, 2020.
The list of flaws affecting the devices includes RCEs, DoS issues, command injection vulnerabilities and XSS bugs.
Below are the advisories published by the IT giant:
- Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities;
- Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities;
- Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Stored Cross-Site Scripting Vulnerabilities;
“Cisco has not released and will not release software updates to address the vulnerabilities described in this advisory.” reads the advisory. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products:
In order to exploit the flaws, the attackers need to have credentials for the device.
The company is encouraging its customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.
Cisco is not aware of attacks exploiting the vulnerabilities in the above advisories; it also added that the flaws are not easy to exploit.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.” concludes Cisco.
25% of internet traffic on any given day is made up of bots, the Kasada Research Team has found. In fact, there is a synthetic counterpart for almost every human interaction online. Bot mitigation tactics These bots work to expose and take advantage of vulnerabilities at a rapid pace, stealing critical personal and financial data, scraping intellectual property, installing malware, contributing to DDoS attacks, distorting web analytics and damaging SEO. Luckily, tools, approaches, solutions and … More
The post What analytics can unveil about bot mitigation tactics appeared first on Help Net Security.
In the aftermath of the SolarWinds hack, a better understanding of third-party hacks in any update that you provide to your colleagues, bosses, and even the board of directors may be warranted. Any such update that you provide on SolarWinds should certainly cover whether or not your organization is one of the 300,000 SolarWinds customers and whether or not you were one of the 18,000 or so that were using the specific version of Orion … More
The post Understanding third-party hacks in the aftermath of the SolarWinds breach appeared first on Help Net Security.
Loading remotely hosted images instead of embedding them directly into emails is one of the latest tricks employed by phishers to bypass email filters. Phishers are always finding new ways to trick defenses. Phishing emails – especially when impersonating popular brands – contain widely known brand logos and other images to give the illusion of having been sent by legitimate organizations. Images have also been used for ages as a way to circumvent an email’s textual … More
The post Phishers count on remotely hosted images to bypass email filters appeared first on Help Net Security.
There has been a 24 percent increase in eCommerce transactions globally in December 2020 compared to December 2019, ACI Worldwide reveals. In particular, eCommerce transactions in the retail sector increased 31 percent and the gaming sector increased 90 percent, comparing December 2020 with December 2019. BOPIS fraud also seeing a significant increase While many merchants initially implemented the buy online, pick up in store (BOPIS) delivery channel during the pandemic, those that already had this … More
The post Fraudulent attempt purchase value decreased by $10 in 2020 compared to 2019 appeared first on Help Net Security.
Mega trends across the government and public sector, healthcare, manufacturing, and telecommunications are posing new challenges to end users in vertical industries in the Asia-Pacific region, Frost & Sullivan finds. These changes are pushing enterprises to transform and enable new use cases that are critical in supporting and optimizing enterprise business processes to improve business efficiency. In addition to impacting mega trends, the COVID-19 pandemic is driving the need for critical and vital broadband, remote … More
The post Revenue for 5G enterprises in the Asia-Pacific region to reach $13.9B by 2024 appeared first on Help Net Security.
With an inherent emphasis on “privacy-by-default”, Hoplite Technology announced the launch of a free anti-phishing solution named Anti-Phishing Bot (APBot) to protect everyday users against phishing attacks. A phishing email is a form of cyberattack in which cybercriminals impersonate a trusted party to gain access to sensitive information. Due to the lack of ways to verify the identity of senders, everyday users without technical training will often find it difficult to distinguish a phishing … More
The post Hoplite Technology Anti-Phishing Bot: Protecting everyday users against phishing attacks appeared first on Help Net Security.
Ring announced the launch of video End-to-End Encryption for compatible Ring Doorbells and Cams, providing an advanced, opt-in security feature for customers who want to add an additional layer of security to their videos. Ring is the first major smart home security provider to offer customers this advanced security option. The feature began rolling out to customers today as a technical preview and Ring is soliciting feedback from its customers on their experience with the … More
The post Ring launches video End-to-End Encryption for compatible Ring Doorbells and Cams appeared first on Help Net Security.
Twenty20 Solutions announces its launch of enhanced Artificial Intelligence (AI) technology with advanced visual detection and classification capabilities designed to maximize operational efficiency for its customers. In addition, the company unveiled an expanded technology roadmap that includes new AI-enabled analytics to drive higher levels of visibility, security and automation. “Developing AI-enabled technology that helps customers automate their day-to-day on-site activities and keep their assets, people and businesses safe and compliant is our company’s main focus,” … More
The post Twenty20 Solutions’ enhanced AI technology drives visibility, security and automation appeared first on Help Net Security.
Oracle is making its APEX low-code development platform available as a managed cloud service that developers can use to build data-driven enterprise applications quickly and easily. Oracle APEX Application Development expands on two decades of APEX functionality already used by 500,000 developers as an easy-to-use, browser-based service for creating modern Web and mobile apps. While the original APEX platform was only available as part of the Oracle Database, APEX Application Development is available as a … More
The post Oracle APEX low-code application development platform now available as a standalone OCI service appeared first on Help Net Security.
Skyworks Solutions announced a significant milestone with the shipment of over 1 million of its SKY66318-21 power amplifier (PA), the industry’s first high efficiency small cell PA with a bandwidth of 200 MHz at +28 dBm. This achievement highlights Skyworks accelerating the adoption of 5G by enabling enhanced 5G connections and powering more efficient range extension for small cells. To demonstrate the benefits of this exciting new technology, Skyworks also collaborated with Xilinx, Inc. to … More
The post Skyworks Solutions ships its high efficiency small cell PA with a bandwidth of 200 MHz at +28 dBm appeared first on Help Net Security.
With repeated studies showing that customer service is more important than price when it comes to purchases, many organizations are ramping up their call centre technology to better connect with customers. Here’s a quick look at the top trends: AI and Analytics Corporate contact centres are going all-in with big data in pursuit of better… The post Top three trends driving customer-first call centres first appeared on IT World Canada.
Claude Guay took over as the head of IBM's Canadian business in the middle of a global pandemic in 2020. He sat down with ITWC president Fawn Annan to discuss the changes he's seeing from clients both culturally and digitally. The post President to President with IBM Canada president, Claude Guay first appeared on IT World Canada.
The Kanata North Business Association (KNBA) announced today that it is opening a global technology centre for Canada’s largest tech park – Hub350 – in 2021.
Located at 350 Legget Drive, at the core of Ottawa’s special economic zone development project, KNBA says this new space will better facilitate introductions for its member companies to funding resources, research, and new talent, representing the creation of a physical community to support members and their employees, community partners and sponsors. The goal is to bring together industry, academia and finance professionals in Kanata North to further support its member companies.
Since the Ontario province is still facing restrictions due to the pandemic, Hub350 won’t be open to the public until the summer. Once the centre is fully operative, KNBA says it will implement and adhere to all the safety protocols dictated by the authorities.
The centre will serve as the “gateway to Canada’s largest technology park”, said Jamie Petten, the president and executive director of KNBA, in a press release. “The Hub350 space will be the truest intersection of nature and technology – a trendy, natural atmosphere to attract world-class talent and companies, while showcasing Kanata North as Canada’s destination to live, work, play and learn.”
The future for the next 25 years
Hub350 is being launched with the aim of better supporting KNBA’s member companies and furthering the Ottawa region as one of the world’s leading tech capitals, says Vicki Coughey, KNBA chair.
The new hub furthers this aim by serving as a foundation for the technology park’s special economic district designation, a concept developed and co-led by KNBA and City of Ottawa long term planning, economic development teams in support of the national capital region’s new Official Plan. The City of Ottawa’s next Official Plan will support future development across the city and within the technology park over the next 25 years, according to the press release.
“With support from Hub350, teams like ours will be able to set up more meetings with post-secondary institutions, corporate partners and investors in the future. Having these resources available all in one collaborative and dynamic community workspace at the heart of the technology park will be invaluable,” said Tracy King, vice-president of marketing at Martello Technologies. “It’s great to see that, in many ways, we will now have a town hall for the hundreds of tech companies located in Kanata.”
Hub350 will also be the physical home of Canada’s largest aggregated tech job board Discover Technata which seeks to attract job seekers from around the world to Ottawa’s Kanata North as part of the business association’s economic recovery plan to accelerate innovation through the pandemic, according to the announcement.
The 350 Legget location is home to the original Mitel Networks campus, and will be designed by Linebox studios, designers of the Shopify offices. The new hub will be supported by a series of Canadian and multinational enterprise sponsors, which KNBA will announce in the coming weeks.
The post KNBA to open global technology centre Hub350 this year first appeared on IT World Canada.
American-Japanese multinational cybersecurity software company Trend Micro says it will be expanding its education partnerships across Canada this year. The post Trend Micro to expand their education partnerships across Canada in 2021 first appeared on IT World Canada.
A security researcher discovered a flaw in the F5 BIG-IP product that can be exploited to conduct denial-of-service (DoS) attacks.
The F5 BIG-IP Access Policy Manager is a secure, flexible, high-performance access management proxy solution that delivers unified global access control for your users, devices, applications, and application programming interfaces (APIs).
The vulnerability resides in the Traffic Management Microkernel (TMM) component which processes all load-balanced traffic on BIG-IP devices.
“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts. (CVE-2020-27716)” reads the advisory published by F5. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”
An attacker could trigger the flaw by simply sending a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, and that would be enough to block access to the controller for a while (until it automatically restarts).
“Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example unconsciously neglected by developers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies,” explains Nikita Abramov, researcher at Positive Technologies.
The flaw impacts versions 14.x and 15.x; the vendor has already released security updates that address it.
In June, researchers at F5 Networks addressed another flaw, tracked as CVE-2020-5902, which resides in undisclosed pages of Traffic Management User Interface (TMUI) of the BIG-IP product.
The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, create or delete files, and potentially take over the BIG-IP device.
The CVE-2020-5902 vulnerability received a CVSS score of 10, which means it is quite easy to exploit. The issue could be exploited by sending a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.
Immediately after the public disclosure of the flaw, several proof-of-concept (PoC) exploits were released, some of them very easy to use.
A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product threat actors started exploiting it in attacks in the wild. Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, F5 BIG-IP)
The post Expert discovered a DoS vulnerability in F5 BIG-IP systems appeared first on Security Affairs.
Whether you are managing cybersecurity, information security, operations security, or physical security, the sense of urgency to address the potential of attack or breach will continue to rise in 2021. With each year, the number of attacks, the amount of successful breaches, and the loss of important data only increase. The reason for this is there is no shortage of “malicious actors” out there—whether it’s organized crime, general criminal activity, or nation state-sponsored activities. Plus, the level of sophistication, the aggressive nature of the attacks, and the ever-increasing capabilities of tools and techniques make keeping pace with threats nearly impossible. It may seem like the attackers are always two or three steps ahead—because, unfortunately, they are. The challenge we all face is how to provide a comprehensive capability involving people, process, and technology to effectively protect, detect, and react against all forms of attack.
As an information security and risk owner, you have to identify and thwart every attack thrown your way. An attack happens every 39 seconds on the Internet, and while most of them fail, only one has to work. Phishing attacks, specifically, have increased 600% since February 2020, as malicious actors attempt to take advantage of new remote workers. And again, an attacker only has to trick one of your employees to gain access to your infrastructure.
Where the Industry Is Heading
More and more services and workloads are moving into the cloud. This is logical, as the scale and flexibility that cloud service providers (CSP) have available make for a very smart business decision. As you move more of your workloads to the cloud, security must be a key consideration: select workloads for migration on the basis of business analysis and requirements, and review your documented security policies and controls to ensure they are applied throughout the migration process.
Maintaining compliance is, of course, critical to your business, whether it be with external laws such as GDPR, or CCPA, with the NIST standards, or your own internal security standards. Most importantly, performing the proper security analysis and validation testing is a key part of the formula for success.
Gartner is now talking about the concept of cybersecurity mesh that governs the approach to architecture and controls. There are no longer well-defined physical security boundaries. Personnel accessing cloud services can be doing so from any device, anytime, and from anywhere. Traditional physical network access control is being replaced by access based on the user identity. This can be a person or device. Uniquely identifying every individual, or individual device, is paramount prior to granting access to services, applications or data. Using strong multi-factor authentication is critical to reducing the threat of credential stealing attacks. This is now the world we live in.
Identity and Access Control
As mentioned above, the world is moving to an identity-based access model. Employees want state-of-the-art devices to perform their jobs. Organizations want to enable users to connect from any device, anytime, and from anywhere. In order to support this securely, strong identity and access control systems will be required. Gartner refers to this segment as identity access governance (IAG). 2021 will see the demand for IAG grow significantly, as companies realize that once a user is on the corporate network, it may be too late to ensure effective IAG management. You must be able to ensure that every user and every user device is securely validated, and that access to applications or data is controlled at the individual user level. Multi-factor authentication also significantly reduces the impact of user credential theft.
“Zero trust” has been the new buzzword for the last several years, but it will become more prevalent in 2021. Zero trust means that you can no longer simply trust the users and resources that are within your security perimeter. This ties very closely back to comprehensive identity and access management, as well as proper authentication management before users, services, or resources are granted system access. There are several vendors that advertise their ability to perform in a zero-trust architecture, but the most important part prior to implementing any solutions is to determine your requirements, policies, and controls. Then focus on people, process, and technology together to ensure your architecture will meet your requirements. Any technology must work well within your operational parameters, meet your security requirements, and have the proper capability in concert with your security resources in order to provide protection, detection, and reaction capabilities when a breach occurs.
The biggest challenge for 2021 is one of the most difficult to solve—there’s a shortage of cybersecurity professionals to meet the demands of the industry. Current figures show that approximately 3.5 million cybersecurity jobs will be left unfilled, because there simply are not the available resources to fill those positions.
What can you do about this? Certainly, training from within is a great option. Looking to third-party companies to step in and fill the void in implementation, testing, assessment, and ongoing management oversight will also be very necessary. There are many third-party companies with expert cybersecurity professionals that can assist you in meeting your cybersecurity goals and objectives. The average cost of a security breach in the U.S. is $8.6 million. The average cost of a security assessment is between $15,000 and $50,000. Think about that! Connection’s Cybersecurity Solutions Practice is one such organization that can help you meet your integration, assessment, testing, compliance, and managed services needs. Reach out to an Account Manager today to find out more.
Security experts from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian government institutions and private companies.
Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian entities exclusively.
The attacks targeted government institutions and private companies, most of them in the energy and metallurgical sectors. The campaign has been active since at least 2020, and the attackers rely on remote access trojans to spy on their victims.
The attacks share some similarities with other campaigns targeting Colombian entities, in particular a campaign detailed in February 2019, by QiAnXin. The operations described by QiAnXin are attributed to an APT group active since at least April 2018.
ESET lists the following similarities:
- We saw a malicious sample included in IoCs of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
- Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the earlier campaign.
- The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
- Some of the C&C servers in Operation Spalax use linkpc.net and publicvm.com subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the earlier campaign.
However, the experts found differences in the attachments used in the phishing emails, in the remote access trojans (RATs) deployed, and in the operators’ C&C infrastructure.
The attacks start with phishing messages that lead to the download of RAR archives hosted on OneDrive or MediaFire containing a malicious executable.
“We’ve found a variety of packers used for these executables, but their purpose is always to have a remote access trojan running on the victimized computer, usually by decrypting the payload and injecting it into legitimate processes.” continues the report. “We have seen the attackers use three different RATs: Remcos, njRAT and AsyncRAT.”
The phishing messages used a wide range of lures, such as notifications of driving infractions, orders to attend court hearings, and requests to take mandatory COVID-19 tests.
ESET also documented the use of heavily obfuscated AutoIt droppers. In this scenario the first-stage malware performs the injection and execution of the payload: the compiled AutoIt script contains two shellcodes, the first of which decrypts the payload while the second injects it into a legitimate process.
The trojans used in Operation Spalax implement several capabilities to spy on targets, such as keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to download and execute other payloads.
ESET pointed out that the attackers rely on a large C2 infrastructure: in the second half of 2020 alone they used at least 24 different IP addresses. The attackers probably compromised devices to use them as proxies for their C2 servers. They also used dynamic DNS services to manage a pool of 70 different domain names (registering new ones on a regular basis) that are dynamically assigned to those IP addresses.
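One practical use of the infrastructure details ESET published (dynamic DNS zones such as linkpc.net and publicvm.com for C&C, RAR archives staged on OneDrive or MediaFire for the first stage) is a triage rule that correlates the two on the same host. The Python script below is an added example and not ESET’s code: the log format, host names, timestamps and URLs are constructed, and the dynamic DNS zones beyond the two the report names, as well as the exact file-hosting hostnames, are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Dynamic DNS zones: linkpc.net and publicvm.com are the ones ESET names for
# Spalax C&C; the other two are common providers added as an assumption.
DYNAMIC_DNS_ZONES = {"linkpc.net", "publicvm.com", "ddns.net", "duckdns.org"}
# Hostnames for the two file-hosting services the report names; the exact
# hostnames are an assumption.
FILE_HOSTS = ("onedrive.live.com", "1drv.ms", "mediafire.com")

# Constructed log lines (not from ESET) in a simplified unified format:
# WS-017 downloads a RAR from MediaFire and minutes later resolves two
# dynamic-DNS names; WS-021 only beacons; WS-008 only downloads; WS-003 is benign.
SAMPLE_LOG = """\
2020-09-14T08:02:11Z PROXY host=WS-017 url=https://www.mediafire.com/file/k2x9/notificacion.rar status=200
2020-09-14T08:05:40Z DNS host=WS-017 query=update-service.linkpc.net
2020-09-14T08:05:41Z DNS host=WS-017 query=files.publicvm.com
2020-09-14T09:12:00Z DNS host=WS-003 query=mail.google.com
2020-09-14T09:30:02Z PROXY host=WS-003 url=https://onedrive.live.com/download?cid=1&resid=2 status=200
2020-09-14T11:00:00Z DNS host=WS-021 query=home-nas.ddns.net
2020-09-14T12:20:00Z PROXY host=WS-008 url=https://onedrive.live.com/download/citacion.rar status=200
2020-09-14T12:25:00Z DNS host=WS-044 query=linkpc.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>DNS|PROXY) host=(?P<host>\S+) (?:query|url)=(?P<value>\S+)"
)


def parse(line):
    """Return one parsed record, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def _under(hostname, suffixes):
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def is_dynamic_dns(fqdn):
    """True for a name under one of the dynamic DNS zones; the bare zone
    itself is the provider, not a customer host, so it does not count."""
    labels = fqdn.lower().rstrip(".").split(".")
    return len(labels) >= 3 and ".".join(labels[-2:]) in DYNAMIC_DNS_ZONES


def is_archive_download(url):
    """True for a .rar fetched from one of the file-hosting services."""
    m = re.match(r"https?://([^/?#]+)(/[^?#]*)?", url, re.I)
    if not m:
        return False
    hostname, path = m.group(1).lower(), (m.group(2) or "").lower()
    return _under(hostname, FILE_HOSTS) and path.endswith(".rar")


def triage(log_text, window=timedelta(hours=24)):
    """Map host -> (severity, evidence). 'high' needs a RAR download followed
    within `window` by a dynamic-DNS lookup on the same host."""
    downloads, beacons = {}, {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["kind"] == "PROXY" and is_archive_download(rec["value"]):
            downloads.setdefault(rec["host"], []).append((rec["ts"], rec["value"]))
        elif rec["kind"] == "DNS" and is_dynamic_dns(rec["value"]):
            beacons.setdefault(rec["host"], []).append((rec["ts"], rec["value"]))

    verdicts = {}
    for host in set(downloads) | set(beacons):
        dl, bc = downloads.get(host, []), beacons.get(host, [])
        correlated = any(timedelta(0) <= (bt - dt) <= window for dt, _ in dl for bt, _ in bc)
        severity = "high" if correlated else ("medium" if bc else "low")
        verdicts[host] = (severity, [v for _, v in dl] + [v for _, v in bc])
    return verdicts


if __name__ == "__main__":
    for host, (severity, evidence) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {severity} -> {', '.join(evidence)}")
```

Neither signal is conclusive on its own (dynamic DNS and file-sharing sites have plenty of legitimate users), which is why the rule only raises a high-severity verdict when the download precedes the beacon on the same host; the ordering check also keeps an old beacon from being paired with a later, unrelated download.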
“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year,” ESET concludes. “The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.”
(SecurityAffairs – hacking, Operation Spalax)
The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.
Data explosion and regulatory environment
As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.
Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.
Manage compliance challenges
According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.
Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.
- Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
- Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
- Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
- Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.
Simplify compliance with Microsoft Compliance Manager
Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:
- Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
- Workflow functionality to help you efficiently complete risk assessments.
- Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
- Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.
Organizations running their workloads only on-premises are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services such as Microsoft 365, that responsibility is shared between the organization and the cloud provider, although the organization remains ultimately responsible for the security and compliance of its own data.
Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.
Figure 1: Shared responsibility model
Apply a shared responsibility model
Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take NIST Special Publication 800-53, the United States National Institute of Standards and Technology’s security and privacy control catalog, as an example. It is one of the largest and most stringent security and data protection control frameworks, used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.
Figure 2: NIST examples of shared responsibilities
Assess your compliance with a compliance score
Compliance Manager helps you prioritize which actions to focus on by calculating your compliance score. How much an improvement action contributes to the score depends on the relative risk it addresses, which is determined by two characteristics of the action:
- Mandatory or discretionary.
- Preventative, detective, or corrective.
Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.
The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.
Figure 3: Compliance Score from Microsoft Compliance Manager
For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post Simplify compliance and manage risk with Microsoft Compliance Manager appeared first on Microsoft Security.
Remote work eliminated any chance encounters and in passing conversations with our teammates. With only cold assignment emails breaking long hours of dead air, remote workers are missing the reassurance of their social standing. That’s the central topic of a New York Times article. When isolated, imagination can exaggerate a banal, harmless text into a…
The post Is Remote Work Making Us Paranoid? – New York Times first appeared on IT World Canada.
Convicted Hacker Allegedly Commits Fraud While Awaiting Release
A Kosovan hacker, granted compassionate release after being convicted of providing personally identifiable information of over 1,000 US government personnel to ISIS, has been charged with committing further crimes while in federal prison.
The US sentenced Ardit Ferizi to 20 years in prison in September 2016 after the hacker admitted accessing a protected computer without authorization and providing material support to a designated foreign terrorist organization.
In December 2020, Federal Judge Leonie Brinkema of the Eastern District of Virginia reduced Ferizi’s sentence to time served, plus 10 years of supervised release to be served in Kosovo after the 25-year-old submitted a handwritten motion stating that his obesity and asthma made him vulnerable to COVID-19.
According to a federal complaint filed against Ferizi and unsealed on January 12, Ferizi was awaiting deportation back to his native Kosovo when the FBI determined that he had committed multiple new federal offenses. At the time of the alleged offenses, Ferizi was incarcerated at the Federal Correctional Institute in Terre Haute, Indiana.
“We allege Ferizi provided access to personal information of US citizens, even as he was serving his prison sentence for providing similar information to ISIS,” said US Attorney David L. Anderson.
According to the FBI, in 2017 and 2018 Ferizi became involved in multiple fraudulent schemes while locked up in prison by coordinating with a family member who was operating Ferizi’s email accounts. At least one email account included large databases of stolen personally identifiable information, extensive lists of stolen email accounts, partial credit card numbers, passwords, and other confidential information, accumulated through Ferizi's criminal hacking activity.
"Based on an IP address resolving to Kosovo, login activity to Ferizi’s other e-mail accounts, and other investigative information, it was determined the family member downloaded the databases of stolen information to liquidate the proceeds of Ferizi’s previous criminal hacking activity," said the Department of Justice.
Ferizi and his family member are alleged to have used the electronic services of Google, PayPal, and Coinbase to carry out these new crimes.
Ferizi, known online as Th3Dir3ctorY, is charged with one count of aggravated identity theft and one count of wire fraud. If convicted of both charges, he faces a maximum penalty of 22 years in prison and a fine of $250,000.
This is a current list of where and when I am scheduled to speak:
- I’m speaking (online) as part of Western Washington University’s Internet Studies Lecture Series on January 20, 2021.
- I’m speaking (online) at ITU Denmark on February 2, 2021. Details to come.
- I’m being interviewed by Keith Cronin as part of The Center for Innovation, Security, and New Technology’s CSINT Conversations series, February 10, 2021 from 11:00 AM – 11:30 AM CST.
- I’ll be speaking at an Informa event on February 28, 2021. Details to come.
The list is maintained on this page.
2020 Saw 6% Rise in Number of CVEs Reported
New analysis of the 2020 vulnerability and threat landscape by Tenable has found that the total number of Common Vulnerabilities and Exposures (CVEs) reported last year was 6% higher than the total reported in 2019.
While the increase between 2019 and 2020 may seem slight, the team found that from 2015 to 2020, the number of CVEs reported rose 183%, from 6,487 to 18,358.
"For the last three years, we have seen over 16,000 CVEs reported annually—reflecting a new normal for vulnerability disclosures," noted researchers.
Among the 2020 vulnerabilities disclosed were 29 that Tenable identified as net-new zero-day vulnerabilities. Of those 29, over 35% were browser-related, while nearly 29% were in operating systems. Font libraries were also a popular target, accounting for nearly 15% of the zero-day vulnerabilities.
Reviewing at which points in the year critical CVEs were reported, researchers uncovered what they termed a "CVE Season" that coincided with summertime.
"Summer 2020—from June to August—was particularly unique for both the sheer volume and number of critical CVE disclosures," noted researchers. "547 flaws were disclosed in the summer months, including major disclosures in F5, Palo Alto Networks, PulseSecure, vBulletin and more."
An analysis of the CVE data for breach trends found that from January through October 2020, 730 publicly disclosed events resulted in the exposure of over 22 billion records. Of the industries impacted by breaches, healthcare and education made up the largest share, accounting for 25% and 13% of the breaches.
Government and the technology industry were also popular targets, accounting for 12.5% and 15.5% of the breaches respectively.
Ransomware was the most frequently cited cause of 2020 breach events, appearing in 259 incidents. Email compromise was behind 105 breaches, while unsecured data led to 83 security incidents. For 179 data breaches, the root cause was unknown.
The coronavirus pandemic was used time and again by cyber-attackers to lure their victims. By the first two weeks of April, 41% of organizations had experienced at least one business-impacting cyber-attack resulting from COVID-19 malware or phishing schemes.
Hy-Vee Data Breach Settlement Proposed
A preliminary settlement agreement regarding a data breach that impacted customers of Iowa-based grocery store chain Hy-Vee has been proposed.
Hy-Vee launched an investigation after detecting unauthorized activity on some of its payment processing systems on July 29, 2019.
The investigation found that malware designed to access and steal payment card data from cards used on point-of-sale (POS) devices had been installed at certain Hy-Vee fuel pumps and drive-thru coffee shops.
Restaurants were also impacted, including Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses, and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at the chain's West Des Moines corporate office.
According to a statement released by Hy-Vee in October 2019, the specific timeframes when data from cards used at these locations may have been accessed varies by location. However, the company said that in general, fuel pumps were impacted from December 14, 2018, to July 29, 2019, whereas restaurants and drive-thru coffee shops were affected beginning January 15, 2019, to July 29, 2019.
"There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019," stated the company.
Hy-Vee stores in Iowa, Illinois, Kansas, Missouri, Montana, Nebraska, South Dakota, and Wisconsin were impacted by the breach. Data stolen in the prolonged attack included customer names, credit and debit card numbers, card expiration dates, and verification codes.
In October and November 2019, lawsuits were filed over the breach by several customers in Illinois, Missouri, and Wisconsin whose data had been compromised. These customers later teamed up to file a class-action complaint against Hy-Vee at the end of November 2019.
On January 12, a settlement agreement was proposed that would allow those affected by the breach to submit reimbursement claims for a maximum of $225. The plaintiffs who are named in the suit are earmarked to receive an additional $2,000 "incentive award."
Under the proposal, customers who faced "extraordinary expenses" because of the data breach, such as hefty, unreimbursed fraudulent charges, may claim up to $5,000.
Even as investigations into the sophisticated attack known as Solorigate are still underway, details and insights about the tools, patterns, and methods used by the attackers point to steps that organizations can take to improve their defenses against similar attacks. Solorigate is a cross-domain compromise—comprehensive visibility and coordinated defense are critical in responding to the attack. The same unified end-to-end protection is key to increasing resilience and preventing such attacks.
This blog is a guide for security administrators using Microsoft 365 Defender and Azure Defender to identify and implement security configuration and posture improvements that harden enterprise environments against Solorigate’s attack patterns.
This blog will cover:
- Protecting devices and servers
- Protecting on-premises and cloud infrastructure
- Protecting Microsoft 365 cloud from on-premises attacks
- Additional recommendations and best practices
The recommendations on this blog are based on our current analysis of the Solorigate attack. While this threat continues to evolve and investigations continue to unearth more information, we’re publishing these recommendations to help customers apply improvements today. To get the latest information and guidance from Microsoft, visit https://aka.ms/solorigate. Security operations and incident response teams looking for detection coverage and hunting guidance can refer to https://aka.ms/detect_solorigate.
What the Solorigate attack tells us about the state of cyberattacks
Solorigate is a complex, multi-stage attack that involved the use of advanced attacker techniques across multiple environments and multiple domains to compromise high-profile targets. To perpetrate this sophisticated attack, the attackers performed the steps below, which are discussed in detail in this blog:
- Compromise a legitimate binary belonging to the SolarWinds Orion Platform through a supply-chain attack
- Deploy a backdoor malware on devices using the compromised binary to allow attackers to remotely control affected devices
- Use the backdoor access on compromised devices to steal credentials, escalate privileges, and move laterally across on-premises environments to gain the ability to create SAML tokens
- Access cloud resources to search for accounts of interest and exfiltrate emails
Figure 1. High-level end-to-end Solorigate attack chain
As its intricate attack chain shows, Solorigate represents a modern cyberattack conducted by highly motivated actors who have demonstrated they won’t spare resources to get to their goal. The collective intelligence about this attack shows that, while hardening individual security domains is important, defending against today’s advanced attacks necessitates a holistic understanding of the relationship between these domains and how a compromise in one environment can be a jump-off point to another.
The Microsoft Defender for Endpoint threat analytics reports published in Microsoft 365 security center enable customers to trace such cross-domain threats by providing end-to-end analysis of critical threats. In the case of Solorigate, Microsoft researchers have so far published two threat analytics reports, which continue to be updated as additional information becomes available:
- Sophisticated actor attacks FireEye, which provides information about the FireEye breach and compromised red-team tools
- Solorigate supply chain attack, which provides a detailed analysis of the SolarWinds supply chain compromise
In addition to providing detailed descriptions of the attack, TTPs, indicators of compromise (IoCs), and the all-up impact of the threat to the organization, the threat analytics reports empower security administrators to review organizational resilience against the attack and apply recommended mitigations. These mitigations and other recommended best practices are discussed in the succeeding sections. Customers who don’t have access to threat analytics can refer to a publicly available customer guidance.
Figure 2. Microsoft Defender for Endpoint threat analytics report on Solorigate attack
Protecting devices and servers
The attackers behind Solorigate gain initial access to target networks by activating backdoor code inserted into the compromised SolarWinds binary. Protecting devices against this stage of the attack can help prevent the more damaging impact of the later stages.
Ensure full visibility into your device estate by onboarding them to Microsoft Defender for Endpoint
In the ongoing comprehensive research into the complex Solorigate attack, one thing remains certain: full in-depth visibility into your devices is key to gaining insights on security posture, risk, and potential attack activity. Make sure all your devices are protected and monitored by Microsoft Defender for Endpoint.
Figure 3. Status tile in the Device configuration management tab of Microsoft Defender for Endpoint, showing onboarded devices compared to the total number of devices managed via Endpoint Manager
Identify and patch vulnerable SolarWinds Orion applications
The Solorigate attack uses vulnerable versions of the SolarWinds Orion application, so we recommend that you identify devices running vulnerable versions of the application and ensure they are updated to the latest version. The threat analytics report uses insights from threat and vulnerability management to identify such devices. On the Mitigations page in Threat analytics, you can view the number of devices exposed to vulnerability ID TVM-2020-0002, which we added specifically to help with Solorigate investigations:
Figure 4. The Threat analytics Mitigations page shows information on exposed devices
The new vulnerability ID TVM-2020-0002 was added to the threat and vulnerability management Weaknesses page in Microsoft Defender for Endpoint so you can easily find exposed devices that have vulnerable SolarWinds software components installed. Additional details are available in the vulnerability details pane.
Figure 5. Threat and vulnerability management vulnerability details pane for TVM-2020-0002
Customers can also use the software inventory page in threat and vulnerability management to view the SolarWinds Orion versions present on endpoints in their environment and whether the vulnerable versions are present. Links to the threat analytics reports are provided under the Threats column. You can then assess the footprint of a specific software product in your organization and identify the impacted devices without the need to run scans across the install base.
Figure 6. Threat and Vulnerability Management software inventory page displaying installed SolarWinds Orion software
Security recommendations are provided to update devices running vulnerable software versions.
Figure 7. Threat and Vulnerability Management security recommendations page
Security admins can also use advanced hunting to query, refine, and export data. The following query retrieves an inventory of the SolarWinds Orion software in your organization, organized by product name and sorted by the number of devices that have the software installed. The source table on the first line of each query is not shown on the page; DeviceTvmSoftwareInventoryVulnerabilities is the threat and vulnerability management table that carries the columns used here and is supplied below as an assumption:
DeviceTvmSoftwareInventoryVulnerabilities // assumed source table; this line is not in the original
| where SoftwareVendor == 'solarwinds'
| where SoftwareName startswith 'orion'
| summarize dcount(DeviceName) by SoftwareName
| sort by dcount_DeviceName desc
The following query searches threat and vulnerability management data for SolarWinds Orion software known to be affected by Solorigate:
DeviceTvmSoftwareInventoryVulnerabilities // assumed source table; this line is not in the original
| where CveId == 'TVM-2020-0002'
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
For each security recommendation you can submit a request to the IT administrator to remediate vulnerable devices. Doing this creates a security task in Microsoft Endpoint Manager (formerly Intune) that can be continuously tracked in the threat and vulnerability management Remediation page. To use this capability, you need to enable a Microsoft Endpoint Manager connection.
Figure 8. Threat and vulnerability management ‘Remediation options’ for security recommendations and ‘Remediation activities’ tracking
Implement recommended security configurations
In addition to providing vulnerability assessments, Threat and Vulnerability Management also provides security recommendation guidance and device posture assessment that help mitigate this attack. These recommendations use vulnerability data that is also present in the Solorigate threat analytics report.
Figure 9. Threat analytics Mitigation page shows secure configuration recommendations for devices exposed to Solorigate
The following security recommendations are provided in response to Solorigate:
| Component | Secure configuration recommendation | Attack stage |
|---|---|---|
| Security controls (Antivirus) | Turn on real-time protection | Stage 1 |
| Security controls (Antivirus) | Update Microsoft Defender Antivirus definitions to version 1.329.427.0 or later | Stage 1 |
| Security controls (Attack surface reduction) | Block execution of potentially obfuscated scripts | Stage 2 |
| Security controls (Attack surface reduction) | Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Stage 2 |
| Security controls (Microsoft Defender SmartScreen) | Set Microsoft Defender SmartScreen Microsoft Edge site and download checking to block or warn | Stage 2 |
Applying these security controls can be accomplished using Microsoft Endpoint Manager (Intune and Configuration Manager). Refer to the following documentation for guidance on deploying and managing policies with Endpoint Manager:
- Manage endpoint security policies in Microsoft Intune
- Windows 10 Antivirus policy settings for Microsoft Defender Antivirus in Intune
- Intune endpoint security Attack surface reduction settings
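The following script is an added example, not code from the Microsoft post or from Endpoint Manager: it audits a single Windows endpoint against the Antivirus and Attack surface reduction rows of the table above using the Defender PowerShell module (Get-MpComputerStatus and Get-MpPreference), and can remediate the gaps it finds. The two ASR rule GUIDs are Microsoft's documented rule identifiers, and the minimum definition version is the one quoted in the table; the SmartScreen row is an Edge browser policy and is not covered here. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the Microsoft post): audit one Windows endpoint against the
# Antivirus and ASR recommendations in the table above, and optionally remediate.
# Assumes the Defender PowerShell module present on Windows 10/11 and Server 2016+.

$MinimumSignatureVersion = [version]'1.329.427.0'   # version quoted in the table

# Documented ASR rule GUIDs for the two Stage 2 recommendations.
$RequiredAsrRules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
}

function Get-SolorigateEndpointPosture {
    # Returns one finding object per recommendation, with Compliant = $true/$false.
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # Stage 1: real-time protection must be on.
    $findings += [pscustomobject]@{
        Check     = 'Real-time protection enabled'
        Stage     = 'Stage 1'
        Compliant = [bool]$status.RealTimeProtectionEnabled
        Detail    = "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
    }

    # Stage 1: definitions must be at or above the version in the recommendation.
    $sigVersion = [version]$status.AntivirusSignatureVersion
    $findings += [pscustomobject]@{
        Check     = "Definitions at or above $MinimumSignatureVersion"
        Stage     = 'Stage 1'
        Compliant = ($sigVersion -ge $MinimumSignatureVersion)
        Detail    = "AntivirusSignatureVersion=$sigVersion"
    }

    # Stage 2: each required ASR rule must be configured in Block mode.
    # Defender stores rule GUIDs and their action codes as two parallel arrays
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $RequiredAsrRules.Keys) {
        $index  = [array]::IndexOf($ids, $guid)
        $action = if ($index -ge 0 -and $index -lt $actions.Count) { [int]$actions[$index] } else { $null }
        $findings += [pscustomobject]@{
            Check     = "ASR rule: $($RequiredAsrRules[$guid])"
            Stage     = 'Stage 2'
            Compliant = ($action -eq 1)
            Detail    = if ($null -eq $action) { 'rule not configured' } else { "action=$action (1 = Block)" }
        }
    }
    return $findings
}

function Repair-SolorigateEndpointPosture {
    # Applies the fix for each non-compliant finding. At scale, deploy the same
    # settings through Endpoint Manager as the post recommends; this is for one host.
    param([switch]$WhatIf)
    foreach ($f in Get-SolorigateEndpointPosture | Where-Object { -not $_.Compliant }) {
        Write-Host "Remediating: $($f.Check)"
        if ($WhatIf) { continue }
        switch -Wildcard ($f.Check) {
            'Real-time protection*' { Set-MpPreference -DisableRealtimeMonitoring $false }
            'Definitions*'          { Update-MpSignature }
            'ASR rule*' {
                $guid = $RequiredAsrRules.GetEnumerator() |
                        Where-Object { $f.Check.EndsWith($_.Value) } |
                        Select-Object -ExpandProperty Key
                # 'Enabled' puts the rule in Block mode (action code 1).
                Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions Enabled
            }
        }
    }
}

# Usage: show the audit table first; remove -WhatIf to apply the fixes.
Get-SolorigateEndpointPosture | Format-Table Stage, Check, Compliant, Detail -AutoSize
Repair-SolorigateEndpointPosture -WhatIf
```

The audit deliberately treats Audit (2) and Warn (6) as non-compliant, since the table calls for the rules to block; an organization rolling ASR out in audit mode first should expect those rows to show as gaps until the rules are switched to block.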
Protecting on-premises and cloud infrastructure
In addition to compromising client endpoints, attackers can also activate backdoor code via the compromised SolarWinds binary installed on cloud or on-premises servers, allowing them to gain a stronger foothold in the environment.
Protect your on-premises and cloud servers
A large part of many customers’ infrastructure are virtual machines. Azure Defender helps security professionals protect cloud workloads spanning virtual machines, SQL, storage, containers, IoT, Azure network layer, Azure Key Vault, and more.
As mentioned earlier, one of the key actions that should be taken to help prevent Solorigate and similar attacks is to ensure that all devices are protected and monitored by Microsoft Defender for Endpoint. Deploying Azure Defender for Servers enables Defender for Endpoint for your virtual machines to provide comprehensive detection coverage across the Solorigate attack chain. Azure Defender’s integrated vulnerability assessment solution for Azure and hybrid machines can also help address the Solorigate attack by providing visibility into vulnerability assessment findings in Azure Security Center.
Enable additional infrastructure protection and monitoring
To help provide additional in-depth defenses against Solorigate, Azure Defender recently introduced new protection modules for Azure resources. Enabling these protections can improve your visibility into malicious activities and increase the number of Azure resources protected by Azure Defender.
Azure Defender for Resource Manager allows you to continuously monitor all Azure resource management operations and broadens protection to include detecting attempts to add exclusions for known malicious files to the VM Antimalware extension, along with other suspicious activities that could limit antimalware protection on Azure VMs.
In addition, Azure Defender for DNS ensures that all DNS queries from Azure resources using Azure DNS, including communication with malicious domains used in the Solorigate attack, are monitored, and helps identify Solorigate activity across any of your Azure cloud resources. This helps prevent the malicious Solorigate DLL from being able to connect to a remote network infrastructure to prepare for possible second-stage payloads.
Protect your Active Directory and AD FS infrastructure
After gaining access, attackers may attempt to steal credentials, escalate privileges, and move laterally in the environment. Having complete visibility into your Active Directory, either completely on-premises or hosted in IaaS machines, is key in detecting these attacks and identifying opportunities to harden security posture to prevent them.
In hybrid environments, make sure that Microsoft Defender for Identity sensor components are deployed on all your Domain Controllers and Active Directory Federation Services (AD FS) servers. Microsoft Defender for Identity not only detects malicious attempts to compromise your environment but also builds profiles of your on-premises identities for proactive investigations and provides you with built-in security assessments. We recommend prioritizing the deployment of Microsoft Defender for Identity sensors and using the “Unmonitored domain controllers” security assessment, which lists any detected domain controllers in your environment that are unmonitored. (Note: this capability can monitor your environment only after deploying at least one sensor on a domain controller.)
Figure 10. "Unmonitored domain controllers" security assessment in the Microsoft Cloud App Security portal
Protecting Microsoft 365 cloud from on-premises attacks
The end goal of the attackers behind Solorigate is to gain access to a target organization’s cloud environment, search for accounts of interest, and exfiltrate emails. From a compromised device, they move laterally across the on-premises environment, stealing credentials and escalating privileges until they can gain the ability to create SAML tokens that they then use to access the cloud environment. Protecting cloud resources from on-premises attack can prevent the attackers from successfully achieving their long game.
Implement recommended security configurations to harden cloud posture
Further best practices and recommendations to reduce the attack surface and protect the cloud from on-premises compromise can be found in our Protecting Microsoft 365 cloud from on-premises attacks blog.
Implement conditional access and session control to secure access to cloud resources
In addition to hardening the individual surfaces to disrupt and prevent the attack, extending policies to implement zero trust and access controls is key in preventing compromised or unhealthy devices from accessing corporate assets, as well as governing cloud access from compliant devices.
Enable conditional access policies
Conditional access helps you better protect your users and enterprise information by making sure that only secure users and devices have access. We recommend implementing the common recommended policies for securing access to Microsoft 365 cloud services, including on-premises applications published with Azure Active Directory (Azure AD) Application Proxy.
Additionally, you can configure user risk and device risk conditional access policies to enable access to enterprise information based on the risk level of a user or device, helping keep trusted users on trusted devices using trusted applications.
Enable real-time monitoring and session control
Directly integrated with conditional access, session controls in Microsoft Cloud App Security enable extending access decisions into the session, with real-time monitoring and control over user actions in your sanctioned apps. Implement policies to prevent data exfiltration in risky situations, including blocking or protecting downloads to risky or unmanaged devices, as well as for partner users.
Additional recommendations and best practices
Strengthen your security posture even further by reviewing all improvement actions available via Microsoft Secure Score. Secure Score helps operationalize security posture management and improve your organizational security hygiene for your production tenant. Below are some of the Secure Score improvement actions for Azure Active Directory that have a direct impact against Solorigate attack patterns:
- Do not allow users to grant consent to unmanaged applications
- Enable Password Hash Sync if hybrid
- Enable policy to block legacy authentication
- Enable self-service password reset
- Ensure all users can complete multi-factor authentication for secure access
- Require MFA for administrative roles
- Turn on sign-in risk policy
- Turn on user risk policy
- Use limited administrative roles
In addition, you can use the identity security posture assessment feature in Microsoft Defender for Identity to identify common protection gaps that might exist in your environment. Addressing detection gaps such as the following improves your Microsoft Secure Score and improves your overall resilience to a wide range of credential theft attacks:
- Stop entities that are exposing credentials in cleartext, including ones that are tagged as sensitive. Attackers listen to cleartext credentials being sent over the network to harvest credentials and escalate privileges. While we have no indication that this technique was used in Solorigate, this is a general attack trend that organizations must be aware of and prevent.
Figure 11. Entities exposing credentials in clear text security assessment in the Microsoft Cloud App Security portal
- Remediate accounts with unsecure attributes that could allow attackers to compromise them once an initial foothold in the environment is established.
Figure 12. Unsecure account attributes security assessment in the Microsoft Cloud App Security portal
- Reduce risky lateral movement paths to sensitive users. An attacker could move across devices to elevate to a more privileged role and operate deeper in your organization’s environment, as we’ve witnessed in the Solorigate attack.
Figure 13. Risky lateral movement paths security assessment in the Microsoft Cloud App Security portal
Multiple layers of coordinated defense against advanced cross-domain attacks
Microsoft 365 Defender and Azure Defender deliver unified, intelligent, and automated security across domains to empower organizations to gain end-to-end threat visibility, which as the Solorigate attack has shown, is a critical security capability for all organizations to have. In addition to providing comprehensive visibility and rich investigation tools, Microsoft 365 Defender and Azure Defender help you to continuously improve your security posture as a direct result of insights from collective industry research or your own investigations into attacks through configurations you can make directly in the product or in-product recommendations you can implement.
For additional information and guidance from Microsoft, refer to the following:
- Customer guidance on recent nation-state cyber attacks
- Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack
- SolarWinds post-compromise hunting with Azure Sentinel
- Advice for incident responders on recovery from systemic identity compromises
- Using Microsoft 365 Defender to protect against Solorigate
Capcom revealed that the recent ransomware attack has potentially impacted 390,000 people, an increase of approximately 40,000 people from the previous report.
The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Darkstalkers, Resident Evil, Devil May Cry, Onimusha, Dino Crisis, Dead Rising, Sengoku Basara, Ghosts ‘n Goblins, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties.
At the time, the Notice Regarding Network Issues published by the company revealed that on the morning of November 2nd, 2020 it suffered a cyberattack. In response to the incident the game developer shut down portions of its corporate network to prevent the malware from spreading.
The incident did not impact connections for its players, and the company initially declared that it had not found any evidence that customer data was stolen.
In Mid-November, the company confirmed that the attackers accessed the personal information of its employees, along with financial and business information. The company believes that other information potentially accessed includes sales reports, financial information, game development documents, other information related to business partners.
No credit card information was compromised in the security breach.
After the attack, the Ragnar Locker ransomware operators claimed to have stolen over 1TB of data from the company.
In an update published by the Ragnar ransomware gang on its leak site, the operators leaked a collection of archives as proof of the hack.
“Unfortunately even such worldwide leading company as CAPCOM doesn’t values much privacy and security. They was notified about vulnerability and data leak numerous time. They checked our page with proofs but even this didn’t help them to make a right decision and save data from leakage. Also we would help them to decrypt and also provide with recommendations on security measures improvement, to avoid such issues in future,” reads the post published by the Ragnar gang on its leak site.
“We are sure that everyone should know about CAPCOM’s decision and careless attitude regarding data privacy. This might seems crazy in 21st century, all corporates should work harder on their security measures, especially IT and online based companies.”
This week, Capcom provided an update on its investigation, which revealed the incident was worse than initially thought because the number of impacted people is larger than initially believed.
Capcom revealed that the personal information of 16,415 people was stolen by the ransomware gang. Impacted people include 3,248 business partners, 9,164 former employees and related parties, and 3,994 employees and related parties. Only 9 people were impacted.
“Further, because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.” reads the update published by the company.
Cumulative maximum number of potentially impacted people is 390,000, an increase of approximately 40,000 people from the previous report.
1. Information verified to have been compromised (updated)
| Category | Count | Data elements |
|---|---|---|
| i. Personal Information | 16,406 people (*cumulative total since investigation began: 16,415 people) | |
| Business partners, etc. | 3,248 people | At least one of the following: name, address, phone number, email address, etc. |
| Former employees and related parties | 9,164 people | At least one of the following: name, email address, HR information, etc. |
| Employees and related parties | 3,994 people | At least one of the following: name, email address, HR information, etc. |
| ii. Other Information | | Sales reports, financial information, game development documents, other information related to business partners |
2. Potentially compromised data (updated)
| Category | Count | Data elements |
|---|---|---|
| i. Personal Information | Applicants: approx. 58,000 people | At least one of the following: name, address, phone number, email address, etc. |
*Cumulative maximum number of potentially compromised data for customers, business partners and other external parties: 390,000 people
*Regarding the cumulative maximum number of potentially compromised data above: as part of its ongoing investigation, Capcom has determined that it currently does not see evidence for the possibility of data compromise for the approximate 18,000 items of personal information from North America (Capcom Store member information and esports operations website members) that the company included in its November 16, 2020 announcement. As such, these have been removed from this cumulative maximum number of potentially compromised data.
The company pointed out that the investigation is still ongoing and that new facts may come to light.
“At this point in time, Capcom’s internal systems have in large part recovered, and business operations have returned to normal.” concludes the update.
Advice for Executives to Watch Next Year
2020 completely changed the way workforces operate. Digital transformation went from an emerging trend to a necessity for survival. Certain industries were brought to their knees: some didn’t make it, while others thrived. One of those industries that thrived was cyber crime.
As millions scrambled and were hastily deployed to work-from-home environments, organized crime, nation-states, and amateur hackers alike exploited the weaknesses. The arms race was already lopsided – the sophistication of malicious actors had accelerated even before COVID-19 struck; however, the location scramble of the Spring of 2020 exposed flaws that hackers took advantage of. ZDNet covers the worst attacks and flaws here. You can see they range from accidental data exposures (Virgin Media, Whisper) to malware infestations (UCSF, Blackbaud, Carnival), culminating with the attacks on FireEye & SolarWinds.
CES 2021: Car spying – your insurance company is watching you (WeLiveSecurity): Your ‘networked computer on wheels’ has a privacy problem – and you may not be in the driver’s seat when it comes to your data.
At Cisco, it has long been our belief that when it comes to security, simplified and integrated is better. I’ve written a number of blogs about this lately, and I know what some of you are thinking: “Multi-product platform solution touted by multi-product platform vendor…surprise, surprise!” And that’s okay. After years of ever-increasing complexity, you have every right to be a tough crowd.
First, let me tell you that we put our money where our mouth is; last year marked a major milestone for our business and the industry. In 2020, we unveiled the result of a huge investment with the launch of our integrated platform, Cisco SecureX. By integrating both Cisco and third-party technologies, SecureX fosters greater visibility, automation, and collaboration. It protects your network, cloud, users, and applications all from a single place, boosting simplicity and efficiency.
But you’d be right to remain skeptical. While all of these capabilities sound great, do they actually result in better security? Yes, they do, but I’m not asking you to take my word for it. In our recent, worldwide, double-blind survey, over 4,800 respondents delivered a resounding ‘yes.’
Up-to-date, well-integrated tech leads to better protection
In the Cisco 2021 Security Outcomes Study, we analyzed the use of 25 security best practices to determine which ones had the greatest impact on improving organizational defenses. We surveyed more than 4,800 IT, security, and privacy professionals across 25 different countries, and from various industries and organizational sizes.
The study found that the two best practices that contribute most to overall security program success are: 1) proactively refreshing technology before it becomes outdated, and 2) making sure technology is well integrated. As can be seen in the below figure, these practices increased the probability of an organization achieving security success by an average of 12.7% and 10.5%, respectively. While we had no influence over these findings, they certainly bode well for SecureX customers.
Practices most strongly correlated with overall security program success
Cisco SecureX is embedded into every Cisco security product. At its very core is integration – not simply bringing together Cisco technologies, but also enabling security teams to integrate a wide range of third-party solutions. Its intuitive interface allows users to view security insights and analytics from multiple products all in one place, and maintain context while navigating consoles. This empowers security professionals to make faster and more informed decisions.
As for the #1 best practice in our report, proactive tech refresh, the cloud-native Cisco SecureX platform makes it easy for customers to start with just the technology they need, and add on over time – with access to new products (or product trials) in a single click. In fact, it’s been shown that organizations can get the SecureX platform up-and-running and begin to experience benefits in as little as 15 minutes.
The 2021 Security Outcomes Study also analyzed how much various security best practices increased organizations’ chances of achieving roughly a dozen specific security outcomes – for example, creating a strong overall security culture within an organization, recruiting talented security personnel, or maintaining a cost-effective security program. As seen below, the two practices of proactive tech refresh and well-integrated technology had a positive impact on every single one of these desired outcomes.
All security practices correlated with each security program outcome
Accurate detection, accelerated response, and automation are also key
Other best practices that had a positive impact on achieving many commonly desired security outcomes include: accurate threat detection, conducting timely incident response, and using automation effectively. SecureX can play a key role in helping organizations embrace all of these best practices.
Accurate detection & timely response
The foundational technology on which we built Cisco SecureX is Extended Detection and Response (XDR). Roughly 11,000 customers are already improving threat detection, investigation, and remediation with SecureX threat response.
According to Stephen Reinhard, IT Director for Ralph Sellers Automotive, “I would highly recommend SecureX threat response. It unites the ability to identify and act on actionable intelligence from multiple security products. It also reduces time to resolution for our team.”
Cisco SecureX boasts powerful XDR capabilities that help organizations fine-tune detection and IR processes. And according to our survey, this can improve many crucial security efforts including minimizing unplanned work, running cost-effectively, and garnering confidence in the security program from both peers and executives.
Using automation effectively
Automation is another important benefit driving the success of SecureX customers. SecureX orchestration allows users to take advantage of pre-built or easily customizable workflows to automate routine security tasks. Customers are saving hundreds of hours, and are reducing attack response time by as much as 85 percent.
“The bad guys are now moving at the speed of the machine, so our automation principle is to move at that same speed,” said Jesse Beauman, M.S., Assistant Vice Chancellor for Enterprise Infrastructure at UNC Charlotte. “Cisco solutions allow us to do so.”
According to our study, in addition to keeping up with the bad guys, automation can also help security groups run cost-effectively and meet the overall demands of the business, among other benefits.
Cross-team collaboration brings additional wins
Our report shows that IT and security teams working together has a positive impact on building a strong security culture and recruiting skilled security professionals – both worthy goals.
We also broke our survey data down into several specific regions and verticals. In the healthcare industry specifically, IT and security working together increased an organization’s ability to avoid major incidents by an average of nearly 16%, and increased the ability to minimize unplanned, resource-draining work by an average of roughly 20%.
By enabling teams to visualize and interact with security, networking, and IT technologies together, SecureX fosters greater collaboration between SecOps, ITOps, and NetOps groups. Based on our survey results, this can greatly improve overall security.
How can SecureX help you?
While this is far from an exhaustive list of Cisco SecureX benefits, we hope it gives you an idea of what organizations can achieve with an integrated security platform versus a plethora of disparate products. If you want to know more about our survey: 1) explore the findings for yourself with an interactive chart (in case, you know, you don’t want to take my word for it), 2) access the full Cisco 2021 Security Outcomes Study, and 3) check out our report blog series.
The nice thing about the study is that the results can be applied in a customizable way. Whether you want to improve your overall security, or achieve more specific goals, you can use the data to inform your security strategy.
Happy New Year!
Join us on January 21 for our next Cisco Secure Insights Summit, Defining the Industry Standard for XDR, to hear about the many benefits of a platform approach to security.
Peter Thiel of Palantir Technologies and PayPal once said that every time an email is written, it gets broadcasted into the public domain, which is not as secure as people (end-users) tend, or led to – believe. This land of endless possibilities (and probabilities) which is the public domain has taken the stand more than […]
Samsung announces Galaxy S21 5G, Galaxy S21 Plus 5G, and Galaxy S21 Ultra 5G smartphones (IT World Canada): The new phones arrive with more colours and the S Pen.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to companies to better protect their cloud-based accounts after several recent successful attacks. According to an advisory published by CISA, an increasing number of attacks have succeeded as more employees have begun to work remotely with a variety of […]
Canada’s telecom regulator may force internet service providers to adopt network-level botnet blocking to limit criminally-run automated systems’ ability to spread malware.
ISPs can use several techniques to fight botnets, including domain-based blocking, internet protocol (IP)-based blocking and protocol-based blocking. However, these and other strategies aren’t required by regulation or controlled for possible bias.
But on Wednesday, the Canadian Radio-television and Telecommunications Commission (CRTC) called for comments on a proposal to require ISPs to implement strategies to fight botnets at the network level by blocking suspicious email, texts and communications by malware to command and control servers.
It would do so by approving a mandatory or voluntary network-blocking framework that carriers would follow. To meet privacy concerns, the commission says any approved framework has to be done in ways that protect internet user privacy, enable subscribers to opt into or out of message blocking, provide a mechanism to correct possible false positives of messages, ensure blocking decisions are unbiased and made in the best interest of Canadians, and minimize subscriber information monitoring, collection, and usage.
Technically, the CRTC says, any filtering or blocking affects the principle of net neutrality — the concept that all internet traffic should be given equal treatment by ISPs, with little or no prioritization. But there are exceptions, the CRTC notes. For example, blocking access to child exploitation material. If rules for network-based blocking are approved, “a limited exception to net neutrality may be warranted” to give Canadians protection from spyware, information theft and ransomware, the regulator says.
The commission also suggests that rather than leave decisions in the hands of ISPs, an independent body with expertise in cybersecurity might assess whether blocking a particular domain or IP address is justified. That body could also decide how message blocking decisions can be unbiased and accurate. The commission doesn’t suggest a body, but one possibility is the federal government’s Canadian Centre for Cyber Security.
The commission also acknowledges that any blocklist of forbidden IP addresses will need to change regularly to remain accurate. It wants to hear about worries of over-blocking and false positives and ways to take wrongly-blocked addresses off a list quickly.
“Malicious botnet attacks are a serious and recurring concern,” CRTC chair Ian Scott said in a statement. “Almost every week, we see another organization victimized by ransomware or hear of a fellow citizen lured in by a phishing scam. With the launch of this proceeding, we are aiming to better protect Canadian individuals, businesses and institutions against damaging botnet activity.”
ISPs, exchange carriers, web hosting companies, consumers, and others have until March 15th to file comments. Submissions are limited to 20 pages.
In an interview, telecommunications consultant Mark Goldberg said that by launching this consultation, the CRTC might be signaling that blocking and filtering measures ISPs already perform need formal approval of the commission under the Telecommunications Act. Section 36 of the act says a carrier shall not control content or purpose of communications it carries without permission.
In a statement, the Competitive Network Operators of Canada (CNOC), which represents many independent ISPs, said the consultation may raise end-user concerns about content interference, blocking and overreach. At the same time, it added, network integrity, public safety, and user safety are crucial. “We will study this new consultation, to identify any meaningful areas requiring comment in terms of independent ISPs and concerns about how this might affect our users, and our ability to compete fairly.”
Greg Young, vice-president of cybersecurity at Trend Micro who used to work for the federal department of communications, applauded the proposal to create an anti-botnet framework. “Anything that blocks known bad traffic is a good thing,” he said in an interview.
The CRTC has the authority to fight spam by enforcing the Canadian Anti-Spam Legislation (CASL), which prevents Canadian-based companies from sending commercial email without the recipient’s consent, installing software on computers without consent, and making false or misleading representations to promote products or services online. The CRTC expects ISPs to take steps to limit such behaviour on their networks. Botnets, which are huge networks of interconnected PCs, servers and other internet-connected devices around the world that pump out spam, violate CASL.
However, most are controlled outside Canada and therefore out of the reach of the regulator. A framework would give ISPs a guide to implementing technologies to block messages from botnets to domains of their command and control (C2) servers, as well as meet privacy concerns.
No one-size-fits-all solution
The CRTC document notes that one strategy alone won’t accomplish its goals. Not all malware connects to C2 servers using domains, so domain-based blocking won’t work for those attacks. That’s why IP-based blocking (through firewalls that block communications to suspected C2 servers) and protocol-based blocking also need to be used.
The commission says if it goes ahead with mandating botnet traffic blocking, it could do many things to protect privacy. Suggested ideas include prohibiting carriers from monitoring, collecting, or disclosing content or metadata that does not contribute to blocking botnet traffic; limiting monitoring and collection to the destination domain name or IP address requested and the number of times the malicious service is requested, and restricting disclosure of monitored data to parties participating in the blocking program.
And while internet subscribers need some information from ISPs to decide which provider to choose and whether to participate in a blocking program (such as whether a particular domain or IP address is blocked), the CRTC also says it may put limits on how much an ISP can publicly divulge about its blocking technology.
Carriers can use the consultation to list their preferred blocking techniques, listing pros and cons. If domain-based blocking is one, they can talk about which domain resolver technology they prefer. Domain resolvers translate domain names into IP addresses. Domain resolver providers include the Canadian Internet Registry Authority’s (CIRA) Canadian Shield, Quad9, OpenDNS, Comodo Secure DNS and CleanBrowsing.
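To make the blocking and privacy requirements above concrete, here is an added illustration (not CRTC text and not any carrier's implementation) of a network-level blocker that combines domain-based and IP-based matching, lets a subscriber opt out, lets the operator release a wrongly listed entry at once, and retains only the blocked destination and a hit count rather than which subscriber asked. The list entries (`c2.example.net`, `198.51.100.0/24`) and subscriber ids are constructed sample values.

```python
import ipaddress
from collections import Counter


class BotnetBlocker:
    """Network-level C2 blocker sketch (added example, not CRTC or carrier code).

    Domain entries match exactly or any subdomain; IP entries are CIDR networks.
    Subscribers may opt out, a wrongly listed entry can be released at once, and
    the only record kept is the blocked destination and a hit count: no subscriber
    identity, no content, no metadata beyond the destination itself.
    """

    def __init__(self, domains, networks):
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.opted_out = set()     # subscribers who declined to participate
        self.hits = Counter()      # destination -> times blocked

    def opt_out(self, subscriber):
        self.opted_out.add(subscriber)

    def release(self, entry):
        """False-positive correction: drop a domain or network from the list."""
        self.domains.discard(entry.lower().rstrip("."))
        self.networks = [n for n in self.networks if str(n) != entry]

    def _domain_listed(self, name):
        labels = name.lower().rstrip(".").split(".")
        # beacon.c2.example.net is caught by an entry for c2.example.net
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def _ip_listed(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.networks)

    def check(self, subscriber, dest_domain=None, dest_ip=None):
        """Decide one DNS lookup or connection: returns 'allow' or 'block'."""
        if subscriber in self.opted_out:
            return "allow"
        if dest_domain and self._domain_listed(dest_domain):
            self.hits[dest_domain.lower()] += 1
            return "block"
        if dest_ip and self._ip_listed(dest_ip):
            self.hits[dest_ip] += 1
            return "block"
        return "allow"

    def report(self):
        """Aggregate that could be shared with the blocking programme's participants."""
        return dict(self.hits)


if __name__ == "__main__":
    # Constructed sample list: one C2 domain and one hosting range (documentation addresses).
    blocker = BotnetBlocker(domains=["c2.example.net"], networks=["198.51.100.0/24"])
    for sub, dom, ip in [("sub-1", "beacon.c2.example.net", None),
                         ("sub-1", None, "198.51.100.77"),
                         ("sub-1", "www.example.org", None)]:
        print(sub, dom or ip, "->", blocker.check(sub, dest_domain=dom, dest_ip=ip))
    print("report:", blocker.report())
```

The report contains destinations and counts only, which is the data-minimisation the commission describes; a real deployment would also need the list refresh cycle and the independent review body the document discusses, which this sketch leaves out.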
(This story has been updated from the original to add statements from CNOC and Greg Young of Trend Micro.)
The post CRTC says Canadian ISPs may be forced to get tougher on botnets first appeared on IT World Canada.
As we gratefully move forward into the year 2021, we have to recognise that 2020 was as tumultuous in the digital realm as it was in the physical world, from low-level fraudsters leveraging the pandemic as a vehicle to trick victims into parting with money for non-existent PPE, to more capable actors using malware with considerably less prevalence in targeted campaigns. All of this played out at a time of immense personal and professional difficulty for millions of us across the world.
Dealing with the noise
What started as a trickle of phishing campaigns and the occasional malicious app quickly turned to thousands of malicious URLs and more-than-capable threat actors leveraging our thirst for more information as an entry mechanism into systems across the world. There is no question that COVID was the dominant theme of threats for the year, and whilst the natural inclination will be to focus entirely on such threats it is important to recognise that there were also very capable actors operating during this time.
For the first time we made available a COVID-19 dashboard to complement our threat report to track the number of malicious files leveraging COVID as a potential lure. What this allows is real time information on the prevalence of such campaigns, but also clarity about the most targeted sectors and geographies. Looking at the statistics from the year clearly demonstrates that the overarching theme is that the volume of malicious content increased.
Whilst of course this is a major concern, we must recognise that there were also more capable threat actors operating during this time.
Ransomware – A boom time
The latter part of 2020 saw headlines about increasing ransom demands and continued successes from ransomware groups. An indication as to the reason why was provided in early 2020 in a blog published by Thomas Roccia that revealed “The number of RDP ports exposed to the Internet has grown quickly, from roughly three million in January 2020 to more than four and a half million in March.”
With RDP a common entry vector, used predominantly by post-intrusion ransomware gangs, this goes some way to explaining why we saw more victims in the latter part of 2020. Indeed, in the same analysis from Thomas we find that the most common passwords used for RDP are hardly what we would regard as strong.
If we consider the broader landscape of RDP being more prevalent (we have to assume due to the immediate need for remote access during the lockdowns across the globe) together with the use of weak credentials, then the success of ransomware groups becomes very evident. Indeed, later in the year we detailed our research into the Netwalker ransomware group, which revealed the innovation, affiliate recruitment and ultimately financial success they were able to achieve during the second quarter of 2020.
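The exposed-RDP-plus-weak-password pattern described above shows up in Windows Security logs as a burst of failed RemoteInteractive logons followed by a success. The detection below is an added example (not McAfee's or the report's code) run over a constructed sample of log events, with documentation IP addresses; it flags a source once it crosses a failure threshold inside a sliding window and records the first account that then logged in from it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not real data). Event 4625 is a
# failed logon, 4624 a successful one; logon type 10 (RemoteInteractive) means RDP.
SAMPLE_EVENTS = [
    {"ts": "2020-11-02T03:14:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-11-02T03:14:06", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2020-11-02T03:14:07", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-11-02T03:14:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-11-02T03:14:11", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2020-11-02T03:14:20", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2020-11-02T08:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.44", "user": "jsmith"},
    {"ts": "2020-11-02T08:00:30", "event_id": 4624, "logon_type": 10, "src_ip": "192.0.2.44", "user": "jsmith"},
    {"ts": "2020-11-02T08:05:00", "event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "jsmith"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"failures": peak_count_in_window, "success_after": user or None}},
    where success_after names the first account that logged in from that source
    after the threshold was crossed (the pattern behind a password-guessing intrusion).
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:            # only RemoteInteractive (RDP) logons
            continue
        by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["event_id"], e["user"]))

    findings = {}
    for src, seq in by_src.items():
        recent = []                          # timestamps of failures inside the window
        for ts, event_id, user in seq:
            if event_id == 4625:
                recent = [t for t in recent if ts - t <= window] + [ts]
                if len(recent) >= threshold:
                    entry = findings.setdefault(src, {"failures": 0, "success_after": None})
                    entry["failures"] = max(entry["failures"], len(recent))
            elif event_id == 4624 and src in findings and findings[src]["success_after"] is None:
                findings[src]["success_after"] = user
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failures in window, then logon as {info['success_after']}")
```

The single failure from 192.0.2.44 followed by a success is the ordinary mistyped-password case and is not reported; lowering the threshold or widening the window trades that quiet for sensitivity to slow guessing.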
A year of major vulnerabilities
The year also provided us with the added gift of major vulnerabilities. In August, for example, there was a series of zero-day vulnerabilities in a widely used, low-level TCP/IP software library developed by Treck, Inc. Known as Ripple20, the impact on hundreds of millions of devices resulted in considerable concern about the wider supply chain of devices that we depend upon. In collaboration with JSOF, the McAfee ATR team developed detection logic and signatures for organizations to detect these vulnerabilities.
Of course the big vulnerabilities did not end there; we had the pleasure of meeting BadNeighbour, Drovorub, and so many more. The almost seemingly endless stream of vulnerabilities with particularly high CVSS scores has meant that the need to patch sits very high on the list of priorities.
The ‘sophisticated’ attacker
As we closed out 2020, we were presented with details of ‘nation states’ carrying out sophisticated attacks. Whilst under normal circumstances such terminology is something that should be avoided, there is no question that the level of capability we witness from certain threat campaigns is a world away from the noisy COVID phishing scams.
In August of 2020, we released the MVISION Insights dashboard which provides a free top list of campaigns each week. This includes, most recently, tracking against the SUNBURST trojan detailed in the SolarWinds attack, or the tools stolen in the FireEye breach. What this demonstrates is that whilst prevalence is a key talking point, there exists capable threat actors targeting organizations with real precision.
One example is the Operation North Star campaign, in which the threat actors deployed an allow and block list of targets in order to limit those they would infect with a secondary implant.
The term sophisticated is overused, and attribution is often too quickly relegated to the category of nation state. However, the revelations have demonstrated that there are those campaigns where the attack did use capabilities not altogether common and we are no doubt witnessing a level of innovation from threat groups that is making the challenge of defence harder.
What is clear is that 2020 was a challenging year, but as we try to work out what 2021 has in store, we have to celebrate the good news stories: from initiatives such as No More Ransom continuing to tackle ransomware, to the unprecedented accessibility of tools that we can all use to protect ourselves (e.g. please check the ATR GitHub repo, but recognise there are more).
NTT DATA and Conferma Pay Partner to Deliver Secure, Virtual Payment Comms to Hotels
Global IT innovator NTT DATA and payments technology provider Conferma Pay have announced a partnership to bring secure, digital virtual payment communications to hotels.
The news comes at a time when more and more companies are seeking to implement contact-free payment processes to help reduce the spread of COVID-19 whilst also bolstering payment security and safety.
NTT DATA and Conferma Pay said they have combined to ensure virtual payments reach hotels securely in a digital manner, removing the reliance on traditional paper-based methods such as faxing.
Reception desks will be directed to a digital billing portal when confirming rooms booked with virtual payments, automating the virtual card delivery, removing the need for manual offline chargebacks, eliminating card exposure and tightening payment security.
Furthermore, hotel staff will no longer manually process payments or key card numbers into their merchant terminals. The check-in and check-out process is streamlined with a simplified, touchless experience.
Akihiro Ishizuka, head of global payments and services division at NTT DATA, said: “Payment innovation has accelerated like never before, creating the opportunity for a more efficient and highly secure virtual payment model. Partnering with Conferma Pay is a step forward in our commitment to provide travelers with a frictionless payment experience during check-in. This new integration will streamline the process considerably by reducing manual rekeying of payment data.”
Kelly Cleeton, senior director, global business development at Conferma Pay, added: “The solution we developed with the help of NTT DATA provides another layer of security and enhances the payment experience for our partner travel management companies and their clients.”
Originally aired on January 13, 2021. Articles discussed in this episode:
- https://www.theregister.com/2021/01/13/darkmarket_europol_shutdown/
- https://www.theregister.com/2021/01/12/microsoft_linux_edr/
- https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/
- https://threatpost.com/hackers-leak-pfizer-covid-19-vaccine-data/163008/
- https://krebsonsecurity.com/2021/01/ubiquiti-change-your-password-enable-2fa/
Russian-speaking scammers have started targeting users of European marketplaces and classifieds in a criminal scheme dubbed Classiscam.
Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has discovered that Russian-speaking scammers have started targeting users of European marketplaces and classifieds. The scheme, dubbed Classiscam by Group-IB, is an automated scam-as-a-service designed to steal money and payment data. The scheme uses Telegram bots that provide scammers with ready-to-use pages mimicking popular classifieds, marketplaces and sometimes delivery services. According to Group-IB, over 20 large groups leveraging the scheme currently operate in Bulgaria, the Czech Republic, France, Poland, Romania, the US, and post-Soviet countries, while 20 more groups work in Russia. These 40 groups altogether made at least USD 6.5 mln in 2020. Scammers are actively abusing the brands of popular international classifieds and marketplaces such as Leboncoin, Allegro, OLX, FAN Courier and Sbazar. Group-IB has sent notifications to the affected brands so they could take the necessary steps to protect against Classiscam.
The scheme, which initially exploited delivery brands, has been tried and tested in Russia. Analysts warn that it is now growing rapidly and reaching users of European classifieds and marketplaces, which were chosen as a target by Russian-speaking scammers to increase their profits and reduce the risk of being caught. Fighting the scam requires joint efforts by classifieds, marketplaces, and delivery services. It is also key to use advanced digital risk protection technology to ensure that any brand impersonating attacks are quickly detected and taken down.
Group-IB Computer Emergency Response Team (CERT-GIB) for the first time recorded the Classiscam in Russia in the summer of 2019. Peak activity was recorded in the spring of 2020 due to the massive switch to remote working and an increase in online shopping.
“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages,” says Yaroslav Kargalev, the deputy head of CERT-GIB. “We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time when Russia serves as a testing ground for cybercriminals with global ambitions.”
Group-IB’s Digital Risk Protection and CERT-GIB experts have so far identified at least 40 active Classiscam gangs that use scam pages mimicking popular classified, marketplace, and delivery companies, with every one of them running a separate Telegram bot. Half of the groups already operate outside of Russia. Although scammers are only making their first attempts in Europe, an average theft costs users about USD 120. The scam was localized for the markets of Eastern and Western Europe. The brands abused by scammers include the French marketplace Leboncoin, Polish brand Allegro, Czech site Sbazar, Romanian FAN Courier, DHL and many others. An analysis of underground forums and chats revealed that scammers are getting ready to use new brands in their scams; these are FedEx and DHL Express in the US and Bulgaria.
As part of the scheme, scammers publish bait ads on popular marketplaces and classified websites. The ads usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices. The buyer contacts the seller, who lures the former into continuing the talk through a third party messenger, such as WhatsApp. It’s noteworthy that scammers pose as both buyers and sellers. To be more persuasive, the scammers use local phone numbers when speaking with their victims. Such services are offered in the underground.
Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data.
Evildoers ask victims to provide their contact information, allegedly to arrange a delivery. The scammer then sends the buyer a URL to either a fake popular courier service website or a scam website mimicking a classified or a marketplace with a payment form, which turns out to be a scam page. As a result, the fraudster obtains payment data or withdraws money through a fake merchant website. Another scenario involves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form mimicking a marketplace, obtained via a Telegram bot, so that the seller can supposedly receive the money from the scammer.
Group-IB discovered at least 40 groups leveraging Classiscam, with each of them running a separate Telegram chat-bot. At least 20 of these groups focus on European countries. On average, they make around US $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make US $522,000 per month in total.
The hierarchy of the scammer groups represents a pyramid, with the topic starters on top. They are responsible for recruiting new members, creating scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction. The topic starters’ share is about 20-30 percent of the stolen sum. “Workers” get 70-80 percent of the stolen sum for communicating with victims and sending them phishing URLs.
All details of deals made by workers (including the sum, payment number and username) are displayed in a Telegram bot. That’s how Group-IB experts were able to calculate their estimated monthly haul.
Based on payment statistics, the most successful workers move to the top of the list and become influential members of the project. By doing so, they gain access to VIP options in the chats and can work on European marketplaces, which offer a higher income and involve less risks for Russian-speaking scammers. Workers’ assistants are called “callers” and “refunders.” They pretend to be tech support specialists and receive 5-10 percent of the revenue.
Phishing kit in Telegram
The scheme is simple and straightforward, which makes it all the more popular. There are more reasons behind its growing popularity, however, such as automated management and expansion through special Telegram chat bots. More than 5,000 users (scammers) were registered in the 40 most popular Telegram chats by the end of 2020.
As it stands, workers just need to send a link with the bait product to the chatbot, which then generates a complete phishing kit including courier URL, payment, and refund. There are more than 10 types of Telegram bots that create scam pages for brands from Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and country, scammers write scripts that help newbie workers log in to foreign sites and communicate with victims in the local language.
Chatbots also have shops where you can purchase accounts to various marketplaces, e-wallets, targeted mailings, and manuals, or even hire a lawyer to represent you in court.
“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad,” says Dmitriy Tiunkin, Head of Group-IB Digital Risk Protection Department, Europe. “Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.”
Fighting the Classiscam
In order to protect their brands from Classiscam, companies need to go beyond the simple monitoring and blocking approach. Instead, it is necessary to identify and block adversary infrastructure using AI-driven digital risk protection systems enriched with data about adversary infrastructure, techniques, tactics, and new fraud schemes.
The recommendations for users are quite simple and include:
- Trust only official websites. Before entering your login details and payment information, double check the URL and Google it to see when it was created. If the site is only a couple of months old, it is highly likely to be a scam or a phishing page.
- When using services for renting or selling new and used goods, do not switch to messengers. Keep all your communication in the official chat.
- Do not order goods or agree to deals involving a prepaid transaction. Pay only after you receive the goods and make sure that everything is working properly.
- Large discounts and unbelievable promotions may be just that: too good to be true. They are likely to indicate a bait product and a phishing page. Be careful.
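The first recommendation, checking the URL, is the one a brand-protection team can automate. The classifier below is an added example (not Group-IB's tooling) of the host check: a URL is "official" only when its host is the brand's registered domain or a subdomain of it, and "lookalike" when a brand name appears anywhere in a URL whose host is not official, which catches hyphenated and nested-subdomain impersonations as well as the `brand@host` trick where the brand sits in the userinfo part. The two official domains are assumed for illustration and should be confirmed before use; the domain-age check the report also suggests needs a WHOIS lookup and is not modelled here.

```python
from urllib.parse import urlsplit

# Assumed official domains for two brands the report names (illustrative; confirm before relying on them).
OFFICIAL_DOMAINS = {"leboncoin": "leboncoin.fr", "allegro": "allegro.pl"}


def registrable_host(url):
    """Lower-cased host part of a URL, ignoring any user@ prefix, port and trailing dot."""
    if "://" not in url:
        url = "https://" + url          # tolerate URLs pasted without a scheme
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_url(url, official=OFFICIAL_DOMAINS):
    """'official'  : host is the brand's domain or a subdomain of it
       'lookalike' : a brand name appears in the URL but the host is not official
       'unknown'   : no brand reference at all"""
    host = registrable_host(url)
    for domain in official.values():
        if host == domain or host.endswith("." + domain):
            return "official"
    lowered = url.lower()
    if any(brand in lowered for brand in official):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples; the lookalike hosts use reserved example/documentation names.
    for sample in ["https://www.leboncoin.fr/annonces/12345",
                   "https://leboncoin.fr-livraison.example/pay",
                   "https://leboncoin.fr@203.0.113.9/pay",
                   "www.leboncoin.fr.delivery.example/checkout",
                   "https://example.org/"]:
        print(f"{classify_url(sample):9s} {sample}")
```

Matching on the host rather than on the string as a whole is the point: every impersonation the report describes keeps the brand name visible somewhere in the link, and only the real site can put it in the registered domain.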
About the author: Group-IB
Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Classiscam)
Ring Rolls-Out End-to-End Encryption to Bolster Privacy
Controversial connected device company Ring has added video end-to-end encryption (E2EE) to some of its products in a bid to boost user privacy and security.
The Amazon-owned maker of smart doorbells first flagged the move last autumn, but will begin the roll-out this week as part of a “technical preview.”
“By default, Ring already encrypts videos when they are uploaded to the cloud (in transit) and stored on Ring’s servers (at rest),” the firm explained in a blog post yesterday.
“With end-to-end encryption, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer’s enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device.”
That will go some way to assuaging customer concerns over who is viewing the videos shot by their doorbell camera.
Around a year ago, four Ring employees were fired after violating company policy when they were caught watching users’ videos.
“Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions,” Amazon said at the time.
Privacy concerns have also been raised over Ring’s decision to partner with hundreds of police forces across the US — although law enforcers have to request access to users’ videos within a certain time frame and geographic area.
The new E2EE feature will be available on the Ring Video Doorbell Pro, Ring Video Doorbell Elite, Ring Floodlight Cam, Ring Spotlight Cam Wired, Stick Up Cam Plug In, Stick Up Cam Elite and Indoor Cam.
The move follows a roll-out of two-factor authentication (2FA) to all users in early 2020, to help mitigate the risk of strangers hijacking users’ cameras.
Last month, a new legal case was formed by joining together complaints filed by over 30 users in 15 families who say that their devices were hacked and used to harass them. They’re arguing, among other things, that Ring should have mandated 2FA and the use of strong passwords out-of-the-box.
Cleantech at CES, TikTok makes accounts of users under 16 private, and the story about a hacker saving 57 terabytes of data before Parler fell off the face of the earth.
The post Hashtag Trending – Cleantech at CES; TikTok makes thousands of accounts private; Uncovering Parler secrets first appeared on IT World Canada.
As various private organizations and high-value government bodies figure out the blast radius of the recent state-sponsored SolarWinds attack, with Cisco Endpoint Security Analytics (CESA) in your toolkit you could quickly assess your own exposure…like the CESA customer noted below.
CESA brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform to help address the endpoint visibility gap left behind by traditional EDR/EPP solutions and network security analytics platforms.
So how does CESA accomplish this for the SolarWinds breach? Well, it’s actually in its wheelhouse.
CESA’s ability to associate what endpoint accessed what domain, as well as what software processes and protocols were used, enables immediate visibility to what endpoints are exposed—for both on-net and off-net endpoints—within minutes. How do we know? Our CESA users have told us.
Here’s an excerpt from a customer email we received:
“(IR analyst) brought up a great point today while digging out of this Solarwinds mess. We were able to connect local Windows processes to domains that were reported in the IOC lists.
With this information we could quickly understand what our endpoint exposure was for all managed hosts from their NVM logs. It also gave us a view into other domains that might have been associated with this attack, but not yet publicly published.
We likely never would have seen this data and could not explain our exposure to this severe threat. (AnyConnect) NVM logs in Splunk once again helped to save the day.”
If you want to get deep on this, below is a sample CESA Splunk query tuned for this scenario that the customer used to discover stage-2 C&C activities from SolarWinds that their malware solution missed.
earliest=-365d index=anyconnect (avsvmcloud OR digitalcollege OR freescanonline OR deftsecurity OR thedoccloud OR virtualdataserver OR websitetheme OR panhardware OR zupertech.com OR highdatabase OR incomeupdate OR databasegalore) | fields *
Below is an actual sample result from this simple query showing details of an endpoint exposed:
pr="6" sa="192.168.30.243" sp="59422" da="18.104.22.168" dp="443" fst="Sat May 16 19:38:31 2020" fet="Sat May 16 19:38:32 2020" udid="3AECA…<redacted>…2504C3A66" liuid="<REDACTED>\<redacted>" liuida="<REDACTED>" liuidp="<redacted>" liuat="32770" pa="NT AUTHORITY\SYSTEM" paa="NT AUTHORITY" pap="SYSTEM" puat="2" pn="SolarWinds.BusinessLayerHost.exe" ph="A650DE5170E4A1D6EB1DADE89BDE7215A30CD4C005BEC9C3241865B40220B9D0" ppa="NT AUTHORITY\SYSTEM" ppuat="2" ppn="services.exe" pph="9090E0E24E14709FB09B23B98572E0E61C810189E2DE8F7156021BC81C3B1BB6" ibc="445" obc="570" ds="<redacted>.com" dh="yykr55grenarianna67g.appsync-api.us-west-2.avsvmcloud.com" iid="246" mnl="" mhl=""
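Outside Splunk, the same triage can be done on exported NVM records with a few lines of code. The script below is an added example (not Cisco's or the customer's code): it parses the `key="value"` record format shown above, checks the destination host and domain fields against the domain keywords from the query, and summarises which endpoint, process and binary hash reached an indicator. The first record is the page's own redacted sample, copied as-is; the second is a constructed benign record for contrast.

```python
import re

# Domain keywords taken from the Splunk query above (SolarWinds stage-2 C2 indicators).
IOC_KEYWORDS = [
    "avsvmcloud", "digitalcollege", "freescanonline", "deftsecurity",
    "thedoccloud", "virtualdataserver", "websitetheme", "panhardware",
    "zupertech.com", "highdatabase", "incomeupdate", "databasegalore",
]

# First line: the page's redacted sample record. Second line: a constructed benign record.
SAMPLE_RECORDS = [
    r'''pr="6" sa="192.168.30.243" sp="59422" da="18.104.22.168" dp="443" fst="Sat May 16 19:38:31 2020" fet="Sat May 16 19:38:32 2020" udid="3AECA…<redacted>…2504C3A66" liuid="<REDACTED>\<redacted>" liuida="<REDACTED>" liuidp="<redacted>" liuat="32770" pa="NT AUTHORITY\SYSTEM" paa="NT AUTHORITY" pap="SYSTEM" puat="2" pn="SolarWinds.BusinessLayerHost.exe" ph="A650DE5170E4A1D6EB1DADE89BDE7215A30CD4C005BEC9C3241865B40220B9D0" ppa="NT AUTHORITY\SYSTEM" ppuat="2" ppn="services.exe" pph="9090E0E24E14709FB09B23B98572E0E61C810189E2DE8F7156021BC81C3B1BB6" ibc="445" obc="570" ds="<redacted>.com" dh="yykr55grenarianna67g.appsync-api.us-west-2.avsvmcloud.com" iid="246" mnl="" mhl=""''',
    r'''pr="6" sa="192.168.30.17" sp="51002" da="203.0.113.20" dp="443" pa="CORP\jdoe" pn="chrome.exe" ppn="explorer.exe" ds="corp.example" dh="update.example.org" mnl="" mhl=""''',
]

KV_RE = re.compile(r'([A-Za-z]+)="([^"]*)"')


def parse_nvm(line):
    """Split one NVM flow record into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def match_iocs(record, keywords=IOC_KEYWORDS):
    """(field, keyword) pairs for destination fields that contain an IoC keyword.

    dh is the destination host name, ds the destination domain as NVM reports them.
    """
    hits = []
    for field in ("dh", "ds"):
        value = record.get(field, "").lower()
        hits.extend((field, kw) for kw in keywords if kw in value)
    return hits


def triage(lines):
    """One summary row per IoC hit: source IP, process, binary hash, destination, keyword."""
    rows = []
    for line in lines:
        rec = parse_nvm(line)
        for field, kw in match_iocs(rec):
            rows.append({"src": rec.get("sa"), "process": rec.get("pn"), "hash": rec.get("ph"),
                         "dest": rec.get(field), "ioc": kw})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(f"{row['src']} {row['process']} -> {row['dest']} (matched {row['ioc']})")
```

The process name and hash fields are what make this record decisive: the request to the `avsvmcloud` subdomain came from `SolarWinds.BusinessLayerHost.exe` itself, which is the attribution the customer email above describes.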
CESA dashboard example: Monitoring endpoint traffic going across split VPN tunnels
CESA closes the endpoint visibility gap for events like this one with SolarWinds. But there are many other bad things that happen in this endpoint gap. CESA addresses endpoint security visibility use cases such as:
- Unapproved applications and SaaS visibility
- Endpoint security evasion
- Attribution of user to device to application to traffic and destination
- Zero-trust monitoring
- Data loss detection
- Day-zero malware and threat hunting
- Asset inventory
In addition to the many benefits that CESA provides to close the endpoint visibility gap, Cisco Secure offers a platform approach with Cisco SecureX, a cloud-native, built-in platform experience. With the Cisco Secure platform approach, you will be able to provide greater visibility, faster response and more efficient security operations. Explore our integrated approach to find out how you can identify and contain 70% more malicious intent and risk exposure with 85% less dwell time.
Learn more about how CESA can protect your network and its endpoints.
Cisco addressed tens of high-severity flaws, including some flaws in the AnyConnect Secure Mobility Client and in its small business routers.
This week Cisco released security updates to address 67 high-severity vulnerabilities, including issues affecting Cisco’s AnyConnect Secure Mobility Client and small business routers (i.e. Cisco RV110W, RV130, RV130W, and RV215W). One of the flaws fixed by the tech giant, tracked as CVE-2021-1144, is a high-severity vulnerability that affects Cisco Connected Mobile Experiences (CMX), a smart Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics for consumers’ mobile devices. CMX supports an organization’s Wi-Fi and mobile engagement and allows it to deliver content directly to smartphones and tablets, personalized to visitors’ preferences and pertinent to their real-time indoor locations.
The vulnerability, which received a CVSS score of 8.8 out of 10, could be exploited by a remote authenticated attacker to change the password for any account user on affected systems.
“A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” reads the advisory published by Cisco.
“The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”
The flaw affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2.
The vendor addressed the flaw with the release of software version 10.6.3; it also informed customers that there are no workarounds that address this issue.
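The advisory's wording, "incorrect handling of authorization checks for changing a password", describes a general defect class: the handler authenticates the caller and then trusts a username carried in the request to decide whose password to change. The pair of handlers below is an added example written for this article (not Cisco's CMX code, whose internals the advisory does not describe) with a constructed two-user store: the vulnerable version does what the advisory describes, the fixed version binds the decision to the session identity and the caller's role, and requires the current password for a self-service change.

```python
import hashlib
import hmac
import os


class AuthorizationError(Exception):
    """Caller is authenticated but not allowed to act on the target account."""


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _set_password(store, username, new_password):
    salt = os.urandom(16)
    store[username] = {**store[username], "salt": salt, "hash": _hash(new_password, salt)}


def make_store():
    """Constructed user table (not CMX data): one administrator, one ordinary user."""
    store = {}
    for name, role, pw in (("admin", "admin", "admin-initial"), ("bob", "user", "bob-initial")):
        store[name] = {"role": role}
        _set_password(store, name, pw)
    return store


def verify(store, username, password):
    user = store[username]
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))


def change_password_vulnerable(store, session_user, request):
    """The defect class in the advisory: the caller is authenticated, but the
    handler lets the 'username' field of the request decide whose password changes."""
    _set_password(store, request["username"], request["new_password"])


def change_password_fixed(store, session_user, request):
    """Authorisation decided from the authenticated session and the caller's role."""
    target = request["username"]
    if target not in store:
        raise KeyError("unknown user")
    if target == session_user:
        # self-service change must prove knowledge of the current password
        if not verify(store, session_user, request.get("current_password", "")):
            raise AuthorizationError("current password incorrect")
    elif store[session_user]["role"] != "admin":
        raise AuthorizationError(f"{session_user} may not change the password of {target}")
    _set_password(store, target, request["new_password"])


def is_denied(handler, store, session_user, request):
    """True if the handler refuses the request (used to contrast the two handlers)."""
    try:
        handler(store, session_user, request)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    hostile = {"username": "admin", "new_password": "pwned"}   # ordinary user targets admin
    s = make_store()
    change_password_vulnerable(s, "bob", hostile)
    print("vulnerable handler: admin password now 'pwned' ->", verify(s, "admin", "pwned"))
    s = make_store()
    print("fixed handler denies the same request ->", is_denied(change_password_fixed, s, "bob", hostile))
```

The test for this class of bug is the same wherever it appears: log in as a low-privilege account and submit the change for a different username; the session, not the request body, must decide.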
Cisco also addressed a DLL Injection flaw, tracked as CVE-2021-1237, in Cisco AnyConnect Secure Mobility Client for Windows.
The flaw received a CVSS score of 7.8; attackers could exploit it to conduct a dynamic-link library (DLL) injection attack.
“A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.” reads the advisory.
“The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.”
Cisco also fixed a series of flaws in the Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface that could lead to remote command execution and denial of service attacks.
(SecurityAffairs – hacking, CMX)
Security researcher Ahmed Hassan has shown that spoofing the Android’s “People Nearby” feature allows him to pinpoint the physical location of Telegram users:
Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location.
A proof-of-concept video the researcher sent to Telegram showed how he could discern the address of a People Nearby user when he used a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user’s precise location was where all three intersected.
Fixing the problem — or at least making it much harder to exploit it — wouldn’t be hard from a technical perspective. Rounding locations to the nearest mile and adding some random bits generally suffices. When the Tinder app had a similar disclosure vulnerability, developers used this kind of technique to fix it.
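To show why the rounding mitigation works, here is an added example (not the researcher's proof of concept and not Telegram's code) that first recovers a point from three exact distances, as the three-circle construction above does, and then measures how much uncertainty is left when the server reports distances rounded to the nearest mile instead. The probe positions and the target are a constructed planar scenario in metres.

```python
import math

MILE = 1609.344  # metres; the text suggests rounding reported distances to the nearest mile


def trilaterate(probes, distances):
    """Point at the given exact distances from three known probe positions.

    Subtracting the first circle equation from the other two leaves a 2x2 linear
    system, solved here by Cramer's rule. Coordinates are planar metres.
    """
    (x1, y1), (x2, y2), (x3, y3) = probes
    d1, d2, d3 = distances
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1 ** 2 - d2 ** 2 + x2 ** 2 + y2 ** 2 - x1 ** 2 - y1 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1 ** 2 - d3 ** 2 + x3 ** 2 + y3 ** 2 - x1 ** 2 - y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("probe positions must not be collinear")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def quantized_distance(probe, target, step=MILE):
    """What a server applying the mitigation reports: the distance rounded to `step`."""
    return round(math.dist(probe, target) / step) * step


def candidate_region(probes, reported, step=MILE, extent=6000, grid=25):
    """Width and height (metres) of the area consistent with quantized readings.

    Brute-force scan of a grid: every point whose rounded distances to all three
    probes equal the reported values remains a possible location.
    """
    xs, ys = [], []
    for gx in range(0, extent + 1, grid):
        for gy in range(0, extent + 1, grid):
            if all(quantized_distance(p, (gx, gy), step) == r for p, r in zip(probes, reported)):
                xs.append(gx)
                ys.append(gy)
    if not xs:
        return (0, 0)
    return (max(xs) - min(xs), max(ys) - min(ys))


if __name__ == "__main__":
    # Constructed scenario: three spoofed positions and a target 1.2 km east, 3.4 km north.
    probes = [(0, 0), (5000, 0), (0, 5000)]
    target = (1200, 3400)
    exact = [math.dist(p, target) for p in probes]
    print("exact distances recover", trilaterate(probes, exact))
    reported = [quantized_distance(p, target) for p in probes]
    print("mile-rounded readings leave an uncertainty box of", candidate_region(probes, reported), "metres")
```

Rounding alone only sets a floor: an adversary who can keep moving the spoofed position can look for the points where the rounded value flips and narrow the box again, which is why the text pairs rounding with a random offset; that second part is not modelled here.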
The US CISA revealed several recent successful cyberattacks against various organizations’ cloud services.
The Cybersecurity and Infrastructure Security Agency (CISA) announced that several recent successful cyberattacks hit various organizations’ cloud services.
According to the agency, the attackers used phishing campaigns and exploited poor cyber hygiene in how the victims configured and managed their cloud services.
CISA has published an Analysis Report based exclusively on data collected during several CISA incident response engagements; the data are valuable because they detail the tactics, techniques, and procedures (TTPs) used by the threat actors and the associated indicators of compromise (IOCs). Data in the Analysis Report is not explicitly tied to the supply chain attack on the SolarWinds Orion Platform software.
“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” reads the report published by CISA.
CISA reported that the threat actors bypassed multi-factor authentication (MFA) to compromise cloud service accounts.
Attackers may have used stolen browser cookies to defeat MFA in a "pass-the-cookie" attack (ATT&CK T1550.004, Use Alternate Authentication Material: Web Session Cookie): a valid session cookie replayed from the attacker's browser is accepted by the service without repeating the MFA challenge.
Government experts confirmed that the threat actors initially attempted brute force logins on some accounts without success.
In at least one case, the attackers modified or created email forwarding rules to redirect messages to an account under their control.
The threat actors also modified existing rules to search users' email messages (subject and body) for keywords that would identify messages containing sensitive data (e.g. financial information) and forward those messages to their own accounts.
“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” continues CISA.
The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.
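A detection pass over mailbox-rule audit events covering the three behaviours CISA describes (forwarding to an external address, keyword-triggered forwarding of sensitive mail, and rules that bury security warnings in the RSS folders), as an added example that is not part of the CISA report or the FBI warning. The event layout is a constructed simplification of Microsoft 365 unified audit log records with the Parameters array flattened into a dict; the organisation domain, folder names and keyword lists are assumptions to be tuned per environment.

```python
from typing import Dict, List

# Assumptions (not from the CISA report): the victim's mail domain and the
# folders / keywords that mark a rule as hiding or exfiltrating mail.
ORG_DOMAIN = "example.com"
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive"}
WARNING_WORDS = {"phish", "phishing", "suspicious", "hacked", "compromised", "password", "security", "helpdesk"}
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "financial", "w-2", "payroll", "confidential"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")

def is_external(addr: str) -> bool:
    """True for any recipient outside ORG_DOMAIN; tolerates the 'smtp:' prefix Set-Mailbox uses."""
    addr = addr.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and not addr.endswith("@" + ORG_DOMAIN)

def as_list(value) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def analyse(event: dict) -> List[str]:
    """Findings for one audit event; an empty list means nothing suspicious."""
    if event.get("operation") not in RULE_OPERATIONS:
        return []
    p = event.get("parameters", {})
    findings: List[str] = []
    targets = [t for key in FORWARD_PARAMS for t in as_list(p.get(key))]
    external = sorted({t for t in targets if is_external(t)})
    if external:
        findings.append("forwards mail to external address: " + ", ".join(external))
    words = {w.lower() for key in KEYWORD_PARAMS for w in as_list(p.get(key))}
    if external and words & SENSITIVE_WORDS:
        findings.append("keyword-triggered forward of sensitive mail: " + ", ".join(sorted(words & SENSITIVE_WORDS)))
    folder = str(p.get("MoveToFolder", "")).lower()
    hides = folder in HIDE_FOLDERS or p.get("DeleteMessage") is True
    if hides and words & WARNING_WORDS:
        where = p.get("MoveToFolder", "deleted items")
        findings.append("hides security warnings (" + ", ".join(sorted(words & WARNING_WORDS)) + ") in '" + str(where) + "'")
    return findings

def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Group findings by mailbox owner so each account is reviewed as a whole."""
    out: Dict[str, List[str]] = {}
    for e in events:
        for f in analyse(e):
            out.setdefault(e["user"], []).append(e["time"] + " " + e["operation"] + ": " + f)
    return out

# Constructed sample events: one attacker-controlled mailbox (alice) and one benign rule (bob).
SAMPLE_EVENTS = [
    {"time": "2021-01-11T03:12:44Z", "user": "alice@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": ".", "SubjectOrBodyContainsWords": ["invoice", "wire", "payment"],
                    "ForwardTo": ["collector@mail-drop.example.net"], "MarkAsRead": True}},
    {"time": "2021-01-11T03:13:02Z", "user": "alice@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": "..", "SubjectOrBodyContainsWords": ["phishing", "suspicious", "password"],
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"time": "2021-01-11T03:15:30Z", "user": "alice@example.com", "operation": "Set-Mailbox",
     "parameters": {"ForwardingSmtpAddress": "smtp:collector@mail-drop.example.net",
                    "DeliverToMailboxAndForward": True}},
    {"time": "2021-01-11T09:40:10Z", "user": "bob@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": "Vendor news", "From": ["news@vendor.example.com"], "MoveToFolder": "Newsletters"}},
]

if __name__ == "__main__":
    for user, findings in triage(SAMPLE_EVENTS).items():
        print(user)
        for f in findings:
            print("  -", f)
```

Note that mailbox-level forwarding (Set-Mailbox ForwardingSmtpAddress) is checked alongside inbox rules: it never shows up in the user's rule list, so a review that only looks at New-InboxRule events misses it. Rule names of one or two punctuation characters, as in the alice events, are themselves a common attacker habit worth a separate low-severity signal.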
Last week, Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.
CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.
CISA added that it is investigating incidents in which threat actors abused Security Assertion Markup Language (SAML) tokens.
The SUNBURST trojan and backdoor, as dubbed by FireEye researchers, that has compromised multiple U.S. Government systems recently, highlights the complexity and connectedness of the modern enterprise IT environment as a security weakness. Recent reporting makes clear that the adversary took advantage of software complexity to deliver a highly refined attack affecting thousands of organizations. Even with many top-tier security controls in place, the attack was able to go unobserved for months.
This blog is not here to tell you that you deploy one product, the job is done, and you never need to worry about this class of threats again. It will never be that easy. Creating an enterprise software architecture with defense-in-depth baked in through multiple layers of fortification, including lateral movement control and least privilege, is on the other hand a proven, repeatable, realistic, and implementable strategy.
In these attacks there is always a chain of events, and the goal is to cut at least one of those links to protect your organization. Apply least privilege and zero trust segmentation controls to break as many links as possible in your application environment. The trick is to do this without bringing any services down, requiring infrastructure changes, or frustrating application owners.
We will define actionable zero trust segmentation controls that can be applied by Cisco Secure Workload with immediate effect to protect your enterprise from the “SUNBURST” trojan and backdoor. We will also present advice on zero trust segmentation and least privilege models to help protect you on an on-going basis, as applying restrictions only to SolarWinds machines and their communication is not enough. If already exploited, the adversary has now moved laterally and the problem then becomes not only what SolarWinds can or cannot talk to, but how all application workloads communicate.
In your own environment, run a thought experiment and compute the possible ‘hops’ from a management or monitoring tool like SolarWinds Orion, to a monitored workload, to your most critical data. Chances are, without proper lateral movement control, the number will be uncomfortably low. Use Cisco Secure Workload to raise it.
Cisco Secure Workload Recommendations
In line with Cisco Talos recommendations, all organizations that use the SolarWinds Orion IT monitoring and management software are urged to follow the guidance from DHS and CISA along with the related guidance from SolarWinds to further secure these environments.
As highlighted above, initial steps involve:
- Identification of compromised/affected assets
- Applying primary mitigations including restricting network traffic to least privilege
Cisco Secure Workload can directly support both initial steps: it assists in identifying compromised assets, and it applies network restrictions by centrally automating the distributed firewalls on each workload. This approach means a consistent firewall policy can be applied quickly to control inbound and outbound traffic at every workload without re-architecting the network or changing IP addressing, and it is compatible with any on-premises infrastructure or public cloud provider.
Identification of Compromised Assets
Cisco Secure Workload can identify compromised assets via three methods:
- Presence of installed package
- Presence of running process (either name or hash)
- Presence of loaded libraries (DLLs)
As operator, you may choose to identify based on one or more indicators. Cisco Secure Workload will dynamically compute a list of all assets that meet the criteria defined. The list will be kept up to date and refreshed every 60 seconds to account for changes in your environment.
Fig 1 – identifying workloads with affected SolarWinds processes based on published process hash signatures
Fig 2- identifying workloads with affected SolarWinds processes based on published DLL hash signatures
Fig 3 – Identifying workloads with affected SolarWinds package installed, regardless of whether it is running in memory or not
Least Privilege Network Restriction
Once compromised assets have been collated, network traffic can be restricted based on a least privilege model. As operator, you may decide how much privilege to grant. In the current situation, it may be advised to provide zero privileges to all identified Orion Platform assets. In the future, as patched versions of Orion are deployed, privileges may be slightly increased, but only to cover the exact communications Orion requires for operation, and nothing more.
Fig 4 – A Cisco Secure Workload policy includes a dynamic set of source and destinations, defined here by workloads that have been detected to have SolarWinds software and an action, which in this case is to restrict any network traffic.
Fig 5 – More surgical restrictions on trust can be applied, such as removing access to the internet, users, or critical assets.
Fig 6 – The most secure state is when zero trust policies are enacted that define the expected and allowed communication patterns of an application and block all else. Communication patterns can either be ingested as published by the vendor or discovered via machine learning analysis on historical network traffic performed by Cisco Secure Workload if not available.
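The two steps above, identification followed by least-privilege restriction, carried through in one added example. This is not Cisco Secure Workload code and does not use its API or policy format; it is a stand-alone illustration of the same logic. Step 1 scans a host image for the affected package directory and for DLLs whose SHA-256 matches an IOC list (the IOC hash here is derived from constructed bytes, not the published SUNBURST hashes, so the demo runs offline; in practice load the CISA/vendor list). Step 2 tags identified hosts and evaluates flows against an allow-only policy, first with no rules (zero privileges) and then with only the communications Orion needs. The host names, the SQL Server and SNMP ports, and the asset inventory are assumptions for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# Step 1: identify affected assets by DLL hash and by package presence.

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_host(root: str, iocs: Dict[str, str], package_dirs: Tuple[str, ...]) -> List[str]:
    """Findings for one host image: 'package:<dir>' and 'dll:<ioc label>:<path>'."""
    findings: List[str] = []
    for rel in package_dirs:                      # package installed, running or not
        if os.path.isdir(os.path.join(root, rel)):
            findings.append("package:" + rel)
    for dirpath, _, files in os.walk(root):       # every DLL on disk, hashed and matched
        for name in files:
            if name.lower().endswith(".dll"):
                path = os.path.join(dirpath, name)
                label = iocs.get(sha256_file(path))
                if label:
                    findings.append("dll:" + label + ":" + os.path.relpath(path, root))
    return findings

# Step 2: least-privilege policy over host tags. Rules are allow-only; a flow
# that matches no rule is denied, so an empty rule list is zero privileges.
Flow = Tuple[str, str, str, int]  # (src_host, dst_host, proto, dst_port)

class TagPolicy:
    def __init__(self, tags: Dict[str, Set[str]]):
        self.tags = tags                          # host -> tags, i.e. the dynamic inventory
        self.rules: List[Tuple[str, str, str, int]] = []

    def allow(self, src_tag: str, dst_tag: str, proto: str, port: int) -> None:
        self.rules.append((src_tag, dst_tag, proto, port))

    def decide(self, flow: Flow) -> str:
        src, dst, proto, port = flow
        for s_tag, d_tag, p, prt in self.rules:
            if (s_tag in self.tags.get(src, set()) and d_tag in self.tags.get(dst, set())
                    and p == proto and prt == port):
                return "allow"
        return "deny"

def demo() -> Dict[str, object]:
    """Build two constructed host images, tag the affected one, then evaluate flows."""
    tainted = b"constructed stand-in for a trojanised DLL"
    iocs = {hashlib.sha256(tainted).hexdigest(): "SUNBURST-stand-in"}   # NOT a real IOC
    orion_dir = os.path.join("SolarWinds", "Orion")
    with tempfile.TemporaryDirectory() as tmp:
        hosts = {"orion-01": os.path.join(tmp, "orion-01"), "app-01": os.path.join(tmp, "app-01")}
        os.makedirs(os.path.join(hosts["orion-01"], orion_dir))
        with open(os.path.join(hosts["orion-01"], orion_dir, "SolarWinds.Orion.Core.BusinessLayer.dll"), "wb") as f:
            f.write(tainted)
        os.makedirs(os.path.join(hosts["app-01"], "app"))
        with open(os.path.join(hosts["app-01"], "app", "helper.dll"), "wb") as f:
            f.write(b"benign constructed library")
        findings = {h: scan_host(root, iocs, (orion_dir,)) for h, root in hosts.items()}
    # Constructed inventory; identified hosts receive their tag from the scan result.
    tags: Dict[str, Set[str]] = {"db-01": {"orion-db"}, "switch-01": {"monitored"},
                                 "dc-01": {"domain-controller"}, "internet": {"internet"}}
    for host, found in findings.items():
        tags[host] = {"solarwinds-orion"} if found else {"app"}
    quarantine = TagPolicy(tags)                                 # phase 1: nothing allowed
    patched = TagPolicy(tags)                                    # phase 2: only what Orion needs
    patched.allow("solarwinds-orion", "orion-db", "tcp", 1433)   # SQL Server backend (assumed)
    patched.allow("solarwinds-orion", "monitored", "udp", 161)   # SNMP polling (assumed)
    patched.allow("monitored", "solarwinds-orion", "udp", 162)   # SNMP traps back (assumed)
    flows: List[Flow] = [("orion-01", "db-01", "tcp", 1433), ("orion-01", "switch-01", "udp", 161),
                         ("orion-01", "internet", "tcp", 443), ("orion-01", "dc-01", "tcp", 445),
                         ("app-01", "db-01", "tcp", 1433)]
    return {"findings": findings,
            "quarantine": {f: quarantine.decide(f) for f in flows},
            "patched": {f: patched.decide(f) for f in flows}}

if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

The point of tagging rather than listing IP addresses is the one Fig 4 makes: the policy stays the same while the scan re-populates the set of hosts it applies to, so a newly discovered affected workload is restricted without anyone editing a rule. Note also that the "patched" policy still denies the Orion host SMB to the domain controller and HTTPS to the internet; those were exactly the paths the backdoor needed.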
In the past, we were lucky to be able to conceptualize and wrangle with the complexity of our systems, but those days are gone. The complexity of modern infrastructures, and the blind spots that creates, provides opportunity for adversaries to deliver silent and sophisticated threats. For enterprises, the need for more – more agility, more features, more integrations, more value – has left us with an interwoven web of systems that are highly connected to each other, to the point that the attack surface of any one application becomes the attack surface of all, unless we are segmenting.
The above steps will help protect your organization from the SUNBURST trojan and backdoor, but don't stop there. The most consistent guideline and hardening measure published by government agencies and independent research bodies, re-iterated after almost every attack, whether ransomware or supply-chain related, to mitigate the threat, restrict the attacker, and limit propagation, is to apply zero trust segmentation controls. In addition to the many benefits of zero trust segmentation, Cisco Secure offers Cisco SecureX, a cloud-native, built-in platform experience. With the Cisco Secure platform approach you gain greater visibility, faster response and more efficient security operations. The time to act is now.