Prevent and Detect Lateral Movement

Security and Privacy Preserving for IoT and 5G Networks: Techniques, Challenges, and New Directions 

2022 is going to be a year of building greater resiliency and integrating this into all aspects of business operations. This will require organizations of all levels to review how they are responding to a larger scale of sophisticated threats. To build on the efforts of 2021, CISOs need to address how they can implement innovation into their business without making themselves more vulnerable to damaging attacks.

There are five big trends that I see defining the market in 2022 that security professionals should pay attention to:

. The rise of the “assume-breach” mindset

Zero trust applies the principle of fundamentally not trusting anything on or off your network and deploys a “assume-breach” mindset. 

. Innovation and new risk in 5G

. Customization, personalization and getting personal with phishing tactics

. Hackers will go for gold at the Beijing Olympics

. The enterprise API ecosystem will show its vulnerabilities

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Hackers are targeting printers of businesses around the world to print ‘anti-work’ slogans pushing workers to demand better pay.

Multiple employees are sharing on Twitter and Reddit the images of anti-work messages sent to the printers of their organizations. The messages encourage workers to protect their rights and discuss their pay with coworkers and demand better pay.

“The posts were made on the r/Antiwork subreddit which describes itself as a community ‘for those who want to end work, are curious about ending work, want to get the most out of a work-free life, want more information on anti-work ideas

“ARE YOU BEING UNDERPAID? You have a protected LEGAL RIGHT to discuss your pay with your coworkers. […] POVERTY WAGES only exist because people are ‘willing’ to work for them.” reads the message.

“How can the McDonald’s in Denmark pay their staff $22 an hour and still manage to sell a Big Mac for less than in America?” reads one of the receipts.

The printed receipt encouraged employees to form unions because ‘Unions’ are the only organizations that could “easily align everyone’s goals.”

Official (ISC)2® Study Guides 

Cybersecurity Incident & Vulnerability Response Playbooks – Audiobook

The Current Authentication Landscape

To authenticate a user means to verify that the user is genuine. Classically, the way to authenticate a user is to request their login credentials and ensure those credentials match the credentials stored in your directory service or authentication server. The full history and background of authentication is more complex, but that’s the gist of it. 

The need to ensure users are who they claim to be is critical in the context of today’s hybrid IT infrastructures. Organizational data and apps often exist outside the traditional corporate network perimeter in public cloud services. Furthermore, employees, business partners and contractors are accessing IT resources from home or public locations.

Many security professionals say that identity is the new perimeter. This claim about identity extends to devices and applications, but securing machine identities is another topic altogether. If identity is the new perimeter, then making authentication as secure as possible is paramount to protect your critical assets, including sensitive data about customers and intellectual property. 

Why Passwords Aren’t Enough

In an ideal world, passwords would be sufficient to authenticate users and ensure that they are genuine. Unfortunately, passwords are susceptible to theft, often through poor password hygiene. Whether it’s reusing multiple passwords across different applications or not creating secure enough passwords to begin with, password theft is rife. 

To understand how easy it is to steal a password, consider a study that looked at over 15 billion passwords. The results of this study revealed that the top four most commonly used passwords were:

1. 123456
2. 123456789
3. qwerty
4. Password

These passwords are all incredibly easy to guess even for a beginner cybercriminal looking to access a corporate network. This is confirmed by the fact that 80% of hacking incidents stem from stolen credentials or passwords guessed using brute force tactics. 

How MFA Can Help Prevent Data Breaches

Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers

Top 5 Cloud security challenges, risks and threats

Cloud services are an integral part of modern business. They provide a cost-effective way to store data; and with the rise in hybrid workforces, they deliver a reliable way for employees to access information remotely.

But as is often the case with technological solutions, the benefits of convenience comes with security risks. In this blog, we look at the top five Cloud security challenges that organisations face, and provide tips on how to overcome them.

1. Data breaches

A Gartner study found that 95% of Cloud breaches are the result of the result of misconfigurations.

2. Phishing scams

3. Insider threats

Insider Threats (Cornell Studies in Security Affairs) 

4. Regulatory non-compliance

the risk of a data breach and create GDPR (General Data Protection Regulation) headaches.

5. Insecure UIs and APIs

Design secure network and API endpoint security for Microservices applications

Secure your Cloud services

You can find more tips like the ones in this blog by reading Securing Cloud Services: A pragmatic guide.

This book, written by security architect Lee Newcombe, explains everything you need to know about Cloud security. It covers the key concepts of Cloud computing and the its security architectures, and then looks at the security considerations you must acknowledge.

It’s ideal for anyone looking at implementing Cloud services, whether that’s infrastructure-, platform-, software- or function-as-a-service.

KAX17 ran relay servers in various positions within the Tor network, including entry and exit nodes, researchers at the Tor Project have removed hundreds of servers set up by the threat actor in October and November 2021.

In August 2020, the security researcher that goes online with the moniker Nusenu revealed that in May 2020 a threat actor managed to control roughly 23% of the entire Tor network’s exit nodes. Experts warned that this was the first time that a single actor controlled such a large number of Tor exit nodes. A Tor exit relay is the final relay that Tor traffic passes through before it reaches the intended destination. The Tor traffic exits through these relays, this means that the IP address of the exit relay is interpreted as the source of the traffic.  Tor Exit relays advertise their presence to the entire Tor network, so they can be used by any Tor user.

Controlling these relays it is possible to see which website the user connects to and, if an insecure connection is used, it is also possible to manipulate traffic. In May 2020, the threat actor managed to control over 380 Tor exit nodes, with a peak on May 22, when he controlled the 23.95% of Tor exit relay.

Nusenu told The Record that it has observed a recrudescence of the phenomenon associated to the same attacker.

“But a security researcher and Tor node operator going by Nusenu told The Record this week that it observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017.” reads the post published by The Record. “Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.”

KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays

It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.

After analyzing three months of phishing email traffic, we found that most attacks follow the money to either big tech or leading financial firms. Facebook, Apple and Amazon were the most popular tech brands being spoofed in phishing URLs. On the financial side, Charles Schwab was by far the most popular target, and was the most used brand URL overall, accounting for 13.5 percent of all cases. Chase Bank – an American subsidiary of JP Morgan Chase & Co – RBC Royal Bank and Wells Fargo were also widely used in phishing URLs.

Our investigation found that Chase has received a growing level of attention from cyber criminals over the last year, so we took a deeper dive into the tactics being used to target the bank’s customers.

The shift to mobile

One of the most prominent trends apparent in our investigation was the growing focus on mobile devices as part of phishing attacks. SMS text messages, WhatsApp and other mobile messaging services are increasingly used to launch attacks.

Attackers are adopting these methods in response to stronger email security solutions. The average mobile device is less likely to be well secured against phishing compared to a desktop endpoint. Even if the mobile device has a business email application on it, channels such as SMS and WhatsApp will bypass any anti-phishing protection it might have.

Threat actors may also mix email and mobile messaging in a single attack, for example sending a phishing email which includes a QR code that must be scanned by a smartphone, thereby jumping the attack over to the mobile endpoint. We have seen an uptick in QR-based attacks as the relatively overlooked technology became more popular during the pandemic. These attacks are again effective at evading traditional email security tools, as the QR code itself is not a malicious asset and its link destination cannot be read by detection technologies optimized for text URLs and virus signatures.

Mobile-based phishing attacks are also harder to identify due to mobile devices’ smaller screen and simplified layout, compounding the lack of security solutions on mobile.

How phishing kits mean anyone can phish like a pro

Cyber Fraud: Tactics, Techniques and Procedures

VirusTotal announced VirusTotal Collections, a new service that allows security researchers to share sets of Indicators of Compromise (IoCs).

VirusTotal announced VirusTotal Collections, a new service that allows threat researchers to share Indicators of Compromise (IoCs).

A collection is a live report that includes IoCs associated with a specific threat and it is available for VirusTotal registered users. The reports will also include up-to-date VirusTotal analysis metadata.

“A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they will be enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.” reads the announcement published by Virus Total.

Registered VirusTotal users will be able to add or remove IoCs to/from the reports.

Security experts often use sharing platforms like Pastebin to share IoCs with the community, now they have a dedicated platform to do it, which is also integrated with the information from Virus Total. Users can create IoC collections in the VirusTotal home page, under the SEARCH tab.

Cyber indicators of compromise: a domain ontology for security information and event management Paperback

Luke Irwin  1st December 2021

In November, we discovered 81 publicly disclosed cyber security incidents, accounting for 223,615,390 breached records.

With one month left in 2021, the annual total running total of compromised records is to just shy of 5 billion.

Keep an eye out for our end-of-year report in the next few weeks, where we’ll break down the findings of these lists – or subscribe to our Weekly Round-up to get the latest news sent straight to your inbox.

In the meantime, you can find the full list of security incidents below, with those affecting UK organizations listed in bold.

Contents

• Cyber attacks
• Ransomware
• Data breaches
• Financial information
• Malicious insiders and miscellaneous incidents
• In other news…

Different techniques and tools used by cyberattackers to exploit a system are thoroughly discussed and analyzed in their respective chapters.

Use promo code XMASTOOLS to redeem your 10% discount on any toolkit, but hurry – this exclusive offer ends December 5.

Toolkits are sets of documents and tools that allow you to easily create and maintain up-to-date compliance documents. Each toolkit contains:

* Pre-written policies, procedures, and templates created by industry experts that will save you time and money

* Additional tools to ensure complete coverage of the relevant standard, framework, or regulation

* Work instructions and guidance

Cybersecurity researchers from F-Secure have discovered two critical vulnerabilities, collectively tracked as Printing Shellz, that impact approximately 150 multifunction printer models.

The vulnerabilities can be exploited by attackers to take control of vulnerable devices and steal sensitive information, from enterprise networks. The issues date back to 2013 and HP fixed them ([1], [2]) in November. The company acknowledged F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev for reporting the vulnerabilities on April 29, 2021.

The two vulnerabilities are:

• CVE-2021-39237 (CVSS score: 7.1) – An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
• CVE-2021-39238 (CVSS score: 9.3) – A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.

“We found multiple exploitable bugs in a HP multi-function printer (MFP). The flaws are in the unit’s communications board and font parser.” reads the FAQs published by F-Secure researchers. “An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.“

Below are the attack scenarios detailed by the researchers:

• Printing from USB drives. This is what we used during the research. In the modern firmware versions, printing from USB is disabled by default.
• Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. The opportunities for social engineering are endless: HR printing a CV before a job interview, a receptionist printing a boarding pass, etc.
• Printing by connecting directly to the physical LAN port.
• Printing from another device that is under attacker’s control and in the same network segment. This also implies that the respective flaw (CVE-2021-39238) is wormable, i.e., the exploit can be used to create a worm that replicates itself to other vulnerable MFPs across the network.
• Cross-site printing (XSP): sending the exploit to the printer directly from the browser (by tricking a user into visiting a malicious website, for example) using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
• Direct attack via exposed UART ports that are mentioned in CVE-2021-39237, if attacker has physical access to the device for a short period of time.

As a resource, the internet is a wonderful place for children to learn, explore ideas, and express themselves creatively. The internet is also key in a child’s social development, helping to strengthen communication skills, for example when playing games or chatting with friends.

However, parents should be aware that all these activities often come with risks. Kids online can be exposed to inappropriate content, cyberbullying, and even predators.

While keeping an eye on what your children see and do online helps protect them against these risks, it’s not easy monitoring your kids without feeling like you’re invading their privacy. Just asking what websites they visit may give the impression that you don’t trust your child.

The key to combatting any big risk is education. It’s important for you and your children to be aware of the dangers, how to protect against them, and how to identify the warning signs. This is why we’ve put together this guide, to help both you and your kids* understand how to navigate the internet safely.

*Look out for our “For Kids” tips below, which you can share with your kids and teens.

A 2020 study by the Pew Research Center found that:

• 86% of parents of a child under age 11 limit their child’s screen time, while 75% check what their child does online.
• 71% of parents of a child age 11 or under are concerned their child has too much screen time.
• 66% of parents think parenting is harder today than it was 20 years ago, with 21% blaming social media in general.
• 65% of parents believe it’s acceptable for a child to have their own tablet computer before age 12.

More on Online Threats to Kids…

Save 15% off books, toolkits, self-paced training courses, and selected Live Online training courses. Use code BF15 at checkout to claim your discount. But hurry, offer ends tomorrow 30 November, midnight PDT*.

This Black Friday ITG is offering you 15% off ITGP books, ITGP toolkits, self-paced training courses, and selected Live Online training courses.

Discover all resources

Bestselling books

The California Privacy Rights Act (CPRA) – An implementation and compliance guide This book gives you a comprehensive understanding of the CPRA, covering key terms, security requirements, the breach notification procedure, and the penalties for non-compliance. ISO 27001 controls – A guide to implementing and auditing The must-have book to understand the requirements of an ISMS (information security management system) based on ISO 27001. Certified ISO 27001 ISMS Foundation Self-Paced Online Training Course This course provides a complete introduction to the key elements required to achieve ISO 27001 compliance.

This is sometimes due to budgets, as many organizations have not placed a high enough priority on cybersecurity, despite the growing number of high-profile attacks. But even those who are paying high salaries are finding that generous compensation is still not enough to hire and retain talent in this field. While 33% of CISOs surveyed by ISSA said that salary was the reason they left one organization for another, that doesn’t explain most departures or job switches.

Meanwhile, despite high salaries, many currently employed cybersecurity professionals are feeling overwhelmed and under intense pressure, both because they are often short on manpower and because the stakes of their jobs are even higher now with the increased number and severity of attacks. The ISSA survey showed that 62% of cybersecurity employees face a heavier workload due to their organizations not being able to hire enough workers, and 38% say they feel burnt out.

If money isn’t enough, what else can companies do to attract and keep cybersecurity talent?

Write job descriptions that show off the skills employees will gain, not just what skills they need to apply. Cybersecurity is a rapidly growing and dynamic field offering many opportunities. But the field, by its very nature, requires that the best professionals are constantly learning on the job to keep up with the latest technologies and the latest types of threats and attacks. By letting candidates know what types of things they will learn on the job and what experiences they will gain, a company can set itself apart and offer the added value of professional growth, giving it an advantage in the recruitment process.

Look beyond academic education. Academic degrees in cybersecurity and related fields are no doubt helpful, but they are not the only way to become qualified for a job in the sector. If someone does not have a degree, it does not mean that they will not be an excellent candidate, especially if they have the relevant experience. This includes those coming from military or government backgrounds. In fact, with the rise in state-backed cyberattacks, any level of cybersecurity experience in government or military organizations is a considerable advantage and may be more valuable than those with academic degrees or years of corporate experience. A number of new programs, including one backed by Microsoft, also promise to offer training without necessarily granting degrees; these are also worthwhile credentials for candidates.

Teach and mentor on the job. Organizations should realize that current employees in their IT and related departments may be able, with the right training, to learn cybersecurity skills. This can be a way to build up a cybersecurity team internally. Those receiving training in-house should also be assigned mentors who can help them along the way. Building a team internally gives employees opportunities to grow, which can also lead to increased job satisfaction and retention.

Integrate cybersecurity into the overall business strategy, and let recruits know this. Companies should involve the cybersecurity team in all steps of their business, from product development to marketing, and not just relegate them to being on call for incident responses, or when something goes wrong.

Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level

Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers.

The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an arbitrary origin server.

The vulnerability was patched in mid-September with the release of version 2.4.49, it impacts version 2.4.48 and earlier.

“A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.” reads the change log for version 2.4.49.

Since the public disclosure of the vulnerability, several PoC exploits for CVE-2021-40438 have been published.

Now experts from Germany’s Federal Office for Information Security (BSI) and Cisco are warning of ongoing attacks attempting to exploit the vulnerability.

Cisco published a security advisory to inform its customers that it is investigating the impact of the issue on its products. The issue impacts Prime Collaboration Provisioning, Security Manager, Expressway series and TelePresence Video Communication Server (VCS) products. However, the IT giant states that it is still investigating its product line.

“In November 2021, the Cisco PSIRT became aware of exploitation attempts of the vulnerability identified by CVE ID CVE-2021-40438.” reads the security advisory published by CISCO.

The German BSI agency also published an alert about this vulnerability, it is aware of at least one attack exploiting this vulnerability.

“The BSI is aware of at least one case in which an attacker was able to do so through exploitation the vulnerability to obtain hash values of user credentials from the victim’s system. The vulnerability affects all versions of Apache HTTP Server 2.4.48 or older.” reads the alert published by the BSI.

Researchers from the National University of Singapore and Yonsei University in South Korea have devised a mobile application that uses smartphones’ time-of-flight (ToF) sensor to find tiny spy cameras hidden in everyday objects.

The app is more successful at detecting hidden cams than existing state-of-the-art commercial hidden camera detectors (CC308+, K18) and much more successful than the human eye/brain.

How to find hidden spy cameras with a smartphone – How the app works

Hidden Camera Detector – Anti Spy Finder Large Infrared Viewer and 12 Super Bright Red LEDs. Travel Size Pro Security and Privacy for AirBnB, Hotels, Bathrooms. Search quickly & easily with both eyes.

Practical Cloud Security: A Guide for Secure Design and Deployment

MicroMasters® Program in Cloud Computing

The Hack-Proof Password System: Protect Yourself Online With a Memory Expert’s In-Depth Guide to Remembering Passwords