Sep 26 2023

HOW THIS ISRAELI BACKDOOR WRITTEN IN C#/.NET CAN BE USED TO HACK INTO ANY COMPANY

Category: Backdoordisc7 @ 9:04 am
How this Israeli Backdoor written in C#/.NET can be used to hack into any company

As part of an ongoing cyber espionage effort, the Iranian nation-state hacking group known as OilRig has continued to target government entities in the Middle East. This cyber espionage campaign makes use of a newly discovered backdoor in order to exfiltrate data. OilRig (APT34) is an Iranian cyberespionage gang that has been active since 2014 and has been targeting different sectors and governments in the Middle East, including Chemical, Energy,Finance and Telecom.

Following the commencement of the DNSpionage operation in 2018-2019 targeting Lebanon and the UAE, OilRig began the HardPass operation in 2019-2020 utilizing LinkedIn to target individuals in the energy and government sectors.

In recent weeks, the experts in charge of cybersecurity at trendmicro have discovered and assessed two campaigns run by the OilRig APT group:

Outer Space (2021)

Juicy Mix (2022)

Due to the operations’ concentration on the Middle East, Israeli organizations were the only ones targeted by these cyberespionage efforts. They gained access to the network by posing as genuine businesses using VBS droppers to plant C# and.NET backdoors and post-compromise data mining tools.

An Overview of the Campaign

Outer Space: It was an OilRig campaign from the year 2021 that employed an Israeli HR website as a command and control server for the Solar backdoor. . Here, with just the most fundamental functionalities, the Solar linked to the SC5k downloader, while the MKG was utilized for data exfiltration from browsers.

OilRig started a new campaign in 2022 called “Juicy Mix.” It targeted Israeli organizations with improved tools, compromised a job site for command and control, and then attacked an Israeli healthcare organization with a Mango backdoor, two hidden browser-data dumpers, and a Credential Manager stealer. Juicy Mix was a hit.

In order to get access to the target system, both attacks used VBS droppers, which were most likely distributed using spear phishing emails.

Iranian hackers broke into Israeli security agency to steal surveillance footage of twin bombings in Jerusalem

These droppers distributed Mango, made sure the infection would remain, and linked to the command and control server. Concealing the base64 encoding and basic string deobfuscation that the embedded backdoor employed at the same time was accomplished using these methods.

After inserting the backdoor, the dropper transmits the compromised computer’s name to the command and control server in the form of a base64-encoded POST request. This is done after it has scheduled Mango (or Solar) to run every 14 minutes.

During the Outer Space campaign, OilRig launches Solar, a backdoor that is both simple and flexible. It is able to download and run files, as well as independently exfiltrate prepared data.

Mango, which had previously been known as Solar, has been replaced in Juicy Mix by OilRig’s Mango, which, although having similar features and a workflow, has substantial differences.

In the same way as Solar did, Mango starts an in-memory job that runs every 32 seconds, talks with the C&C server, and carries out orders. Mango, on the other hand, is distinct in that it replaces Solar’s Venus assignment with a whole new exfiltration command.

Post-compromise tools

The following post-compromise tools are included below for your convenience:

Downloader for SampleCheck5000, often known as SC5k

Data scrapers for browsers

Windows Credential Manager stealer

OilRig makes its way from Solar to Mango via implants that function similarly to backdoors. While they do make use of specialized technology for data collecting, they nevertheless rely on more traditional methods to get user information.

The parallels between the first-stage dropper and Saitama, the victimology patterns, and the usage of internet-facing exchange servers as a communication technique were identified in the case of Karkoff, which is how the campaign is connected to APT34.

If anything, the rising number of malicious tools connected with OilRig illustrates the threat actor’s “flexibility” to come up with new malware depending on the targeted environments and the privileges held at a particular stage of the assault. This “flexibility” may be inferred from the fact that the threat actor has created a growing number of harmful tools linked with OilRig.

Backdoor – Bypassing the gatekeepers in CyberSecurity

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ISRAELI BACKDOOR

Sep 25 2023

MOVEit fallout continues as National Student Clearinghouse says nearly 900 schools affected

Category: Cyber Attack,Information Securitydisc7 @ 2:18 pm

https://therecord.media/moveit-fallout-continues-nsc-schools

The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.

The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.

In June, the organization first confirmed that it was affected by exploitation of the tool, which was targeted via several critical vulnerabilities by the ransomware gang Clop.

Dozens of schools published notices confirming that student and alumni data was accessed in the breach but it was never clear just how many colleges or universities were affected.

In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.

The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.

The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.

NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.

“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”

The attack on NSC was one of several involving MOVEit that had wide-ranging downstream effects. The Clop ransomware gang targeted several organizations with connections to other companies or businesses, including PBI Research Services and the Teachers Insurance and Annuity Association of America (TIAA).

Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.

Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”

“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.

“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”

North of the border

UnitedHealthcare Student Resources Notifies Individuals of Data Security Incident

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MOVEit, supply chain attack

Sep 25 2023

Hands-on threat simulations: Empower cybersecurity teams to confidently combat threats

Category: Threat detection,Threat Modelingdisc7 @ 11:37 am
Hands-on threat simulations: Empower cybersecurity teams to confidently combat threats

With the rising number of cyber-attacks, organizations must make sure they are ready to defend themselves. That means equipping cybersecurity teams with sufficient skills to identify and effectively stop an attack in its tracks. Worryingly, only 17% of tech workers are completely confident in their cybersecurity skills, while 21% have no confidence at all. Given that 74% of data breaches are caused by human error, it is crucial that upskilling practices are in place.

One of the best ways to develop the necessary skills is through hands-on learning which allows employees to practice in a low-risk environment and better understand the methods used by cyber-attackers. This kind of experience is vital for security teams to be able to anticipate threats and capably protect the business.

The importance of testing security teams’ skills

Automated defense technologies are highly effective for commodity threats – those which are based on programs that are readily available and require no customization to launch an attack. But integrating AI/ML capabilities into security operations can generate a false sense of security. Attackers can still create the exact same program with millions of different file hashes or apply human ingenuity to evade known defenses.

Anti-virus is built on a massive signature-database-shaped house of cards that easily crumbles by changing text within programs. The same applies for network signatures, endpoint detection and response. There are certain behaviors that traditional defense technologies focus on, but ultimately, malware is just software. The more it can blend into common software activity, the less likely it is that an attack will be detected. And this is easier than it seems.

Security teams need easily replicable techniques to emulate threat scenarios to test their defense skills against the skill level of cyber-attackers. Testing is how businesses find out the cybersecurity teams’ skill level without waiting for a breach.

At least yearly, there should be a full red team assessment; the red team is made up of offensive security professionals whose role is to exploit the company’s vulnerabilities and overcome cybersecurity controls. But given attackers always operate in real time, there should be a weekly exercise for individual tactics, techniques and procedures (TTPs).

Start with the basics

Even the most advanced cyberattacks leverage basic techniques that have been around for years. Businesses need to focus on fully leveraging the tools they have to detect even the most basic of techniques and then move their way up to more advanced techniques from there. That will remove the most common threat from the equation first. This allows them time to identify and build the expertise and infrastructure required to be mature enough to defend against the most advanced or dangerous threats.

Anticipate the risk by using threat simulation learning models

One example of such an exercise is a blue team friendly attack simulation. The blue team here refers to security experts who are aware of the organization’s objectives and security strategy and are trying to defend and respond to attacks performed by the red team. One group poses as the opposing force, or in this case, cyber criminals, while testing the ability of the defenders to detect and protect against such attacks.

However, these types of simulations are performed on extensive cyber ranges that take a lot of time and effort to create, and don’t always accurately reflect the enterprise environment. In addition, it requires security teams to take several days off to play through the exercise. The quality of these simulations depends on the team that developed it and the complexity of the available cyber range resources. The rapid evolution of threats means that the work cyber teams do can have a short shelf life, as does the ability to properly prepare defenders.

Defenders need to be able to rapidly test against new tactics and techniques in their everyday environment. This allows them to quickly check the efficacy of their monitoring tools, as well as their people and processes, on an ongoing basis, that is accurate to current threats. This is important to the concept of ‘becoming the threat’. What cybersecurity teams really need is the ability to test individual tactics in their organization’s live environment, without the overhead of a full red team exercise.

Hone skills and build confidence through hands-on learning

Simulations are a good way to understand how to best defend and respond against different attacks and determine whether employees need to upskill. At its basic level, if the blue team wins, they can be confident when it comes to a cybersecurity threat. But if they lose, the organization still has work to improve their defense strategy.

When simulating various TTPs, you can categories them two ways. First by level of expertise required to perform the specific attack. Second, by the area, or type of data in which the attack should be detected.

The concept of defense in depth is that even if you miss one component of an attack, you can ideally catch others so that you can prevent the attackers achieving their goal. Measurement is based on the time it takes for a team to detect and respond to a particular TTP once launched, by category of the technique. Skill, process, and technology gaps can then be mapped by identifying where response times were low, or there was no response time at all.

Up to date skills central to staying ahead of the hackers

Cyber teams play a constant cat and mouse game to keep up with the evolving threat landscape. However, organizations can adopt specific practices to ensure teams have built in skills to defend against cyber-attacks and protect the business.

Providing employees with first-hand experiences of how a cyber-attack plays out can break down the barrier between the defender and the attacker to better understand the threat and anticipate the risks. This type of learning pathway is crucial for an organization who needs to know how well equipped their teams are for when a cyber-attack inevitably occurs. Only then can decisions be made to fill skills gaps with additional training or if their current level of expertise is enough to protect the business.

When it comes to cyber-attacks, security teams must act extremely quickly to minimize the impact in stressful environments. Hands-on threat simulations will arm cybersecurity experts with the skills and confidence necessary to react to a cyber-attack calmly and efficiently, whilst protecting the company’s sensitive data and avoiding costly damages.

CYBERSECURITY INCIDENT MANAGEMENT MASTERS GUIDE

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CYBERSECURITY INCIDENT MANAGEMENT MASTERS GUIDE, threat simulations

Sep 25 2023

BIND DNS System Flaws Let Attackers Launch DoS Attacks

Category: DDoS,DNS Attacksdisc7 @ 9:28 am
BIND DNS System Flaws Let Attackers Launch DoS Attacks

In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341. 

These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.

CVE-2023-4236: DNS-over-TLS Query Load Vulnerability

This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9. 

Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.

Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.

CVE-2023-3341: Control Channel Stack Exhaustion

The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9. 

This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel. 

This can lead to names unexpectedly terminating, causing potential disruption.

Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.

For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.

For CVE-2023-4236:

– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.

– Consider disabling DNS-over-TLS connections if not required.

For CVE-2023-3341:

– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.

– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.

No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.

ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities. 

Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.

The Hidden Potential of DNS In Security: Combating Malware, Data Exfiltration, and more – The Guide for Security Professionals

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: BIND DNS System Flaws, DNS In Security

Sep 23 2023

Ransomware cyber insurance claims up by 27%

Category: Cyber Insurance,Ransomwaredisc7 @ 2:45 pm
Ransomware cyber insurance claims up by 27%

Increase in ransomware claims frequency

Coalition found that both claims frequency and severity rose for businesses in early 2023 across all revenue bands. Companies with over $100 million in revenue saw the largest increase (20%) in the number of claims as well as more substantial losses from attacks – with a 72% increase in claims severity from 2H 2022.

“The cyber threat landscape has become more volatile, and, as a result, we’ve seen claims become more severe and more common than ever,” said Chris Hendricks, Head of Coalition Incident Response.

“To help prevent these costly and disruptive incidents, organizations need to take an active role in improving their security defenses and make risk management a top priority,” added Hendricks.

Coalition’s report also saw a resounding increase in ransomware claims frequency in 1H 2023, which grew by 27% from 2H 2022. Claims severity also reached a record high, increasing 61% from the previous half and 117% over last year.

Moreover, cybercriminals increased their demands: the average ransom demand was $1.62 million, a 47% increase over the previous six months and a 74% increase over the past year.

Email security remained critical to claims reduction

The company also recovered an unprecedented $23 million in stolen funds — all of which went directly back to policyholders. Notably, Coalition’s total FTF (funds transfer fraud) recovery amount was nearly three times greater than 2H 2022. The average recovery amount was $612,000 per FTF claim, representing 79% of all FTF losses in instances where recovery was possible.

FTF claims frequency increased by 15% in 1H 2023, and FTF severity increased by 39% to an average loss of more than $297,000. This half, Coalition negotiated ransomware payments down to an average of 44% of the initial amount demanded.

Businesses using Google Workspace for email were markedly more secure than those using Microsoft Office 365 (M365) and on-premises Microsoft Exchange. M365 users were more than twice as likely to experience a claim compared to Google Workspace users. On-premises Microsoft Exchange users were nearly three times more likely to experience a claim than businesses using Google Workspace.

Overall, companies using Google Workspace experienced a 25% risk reduction for FTF or BEC claims and a 10% risk reduction for ransomware claims.

Cyber Insurance – The Cyber Insurance Survival Guide: : Expert Strategies for Preparing and Responding To Cyber Insurance Applications

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cyber insurance claims

Sep 22 2023

HOW TO SEND PHISHING OR MALWARE TO TEAMS USERS EVADING TEAMS SECURITY FEATURES

Category: Malware,Phishingdisc7 @ 9:25 am
How to send phishing or malware to Teams users evading Teams security features

TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.

Hacking Microsoft teams by simply using a GIF image

TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.

First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.

The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.

After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.

This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.

Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.

In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:

To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the –sharepoint mytest option.

Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.

By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.

TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.

The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.

You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.

Mitigation
By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.

Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: EVADING TEAMS SECURITY FEATURES

Sep 21 2023

APPLE ROLLED OUT EMERGENCY UPDATES TO ADDRESS 3 NEW ACTIVELY EXPLOITED ZERO-DAY FLAWS

Category: Zero daydisc7 @ 3:53 pm
Apple rolled out emergency updates to address 3 new actively exploited zero-day flaws

Apple released emergency security updates to address three new actively exploited zero-day vulnerabilities.

Apple released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

CVE-2023-41993 is an arbitrary code execution issue that resides in the Webkit.

An attacker can trigger the flaw by tricking the victim into visiting specially crafted web content that may lead to arbitrary code execution. The IT giant addressed the flaw with improved checks.

The second zero-day flaw, tracked as CVE-2023-41991, resides in the Security framework. An attacker can exploit this vulnerability to bypass signature validation using malicious apps. The company fixed the vulnerability by fixing a certificate validation issue.

The third zero-day, tracked as CVE-2023-41992, resides in the Kernel Framework. A local attacker can trigger the flaws to elevate their privileges. Apple fixed the flaw with improved checks.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.” reads the advisory published by the company.

The company fixed the three zero-day vulnerabilities with the release of macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1.

Fixes are available for iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later

Apple has already patched 16 actively exploited zero-day vulnerabilities in 2023, below is the list of the flaws fixed by the company:

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: emergency updates

Sep 21 2023

Shadow IT: Security policies may be a problem

Category: Security policydisc7 @ 3:13 pm
Shadow IT: Security policies may be a problem

Shadow IT A Clear and Concise Reference

A recent report by Kolide and Dimensional Research has disclosed that three-quarters of employees resort to utilizing their personal and often unmanaged mobile devices and laptops for work purposes, with nearly half of the surveyed companies permitting such unmanaged devices to access secure resources. The report, based on responses from 334 IT, security, and business professionals, highlights the diverse motivations behind this practice, with three specific reasons indicating that a substantial number of employees use personal devices as a means to circumvent their organization’s security policies.

The dangers of shadow IT

The prevalence of shadow IT in enterprise environments is a well established fact.

When the organization’s IT department refuses to sign off on a needed solution or they drag their feet when asked to approve it, workers in other departments are tempted to deploy it without the IT workers’ knowledge.

The problem is compounded by the widespread use of personal/unmanaged devices, as the IT department has no way of knowing what’s happening on them, whether they are regularly patched/upgraded or whether they have been compromised.

“When engineers do production-level work on personal devices, an organization’s risk of a breach skyrockets. A bad actor can use a security flaw in an unmanaged device to break into the production environment, as in the LastPass breach. Even a simple smash-and-grab of a laptop can turn into a nightmare if that laptop is full of PII, and IT has no way to remotely wipe it,” Kolide researchers noted.

Employees shouldn’t be blamed for flawed security policies

Workers use their personal devices for work to (among other things) access websites and applications that have been restricted by the IT department, and because getting through security measures is frustrating.

This, and the fact that only 47% of the pollees said that they always follow all the cybersecurity policies, shows that the security policies in place are not working for all.

“Unfortunately, we don’t have data on which specific policies respondents felt justified in going around, but we can make two inferences from this response: Any security policy that workers can ignore at will does not have adequate safeguards around it, and if workers who generally try to follow the rules ignore a security policy, either they don’t understand the risks associated with a specific behavior, or the policy itself is flawed,” the researchers said.

Employers and workers need more open, honest dialogue about security, they pointed out. Security and IT professionals must make an effort to understand why workers feel they have to go around policies.

Finally, the results of the survey also debunk the myth that security training is useless and a despised nuisance.

“In the strongest data point of our survey, 96% of workers (across teams and seniority) reported that training was either helpful, or would be helpful if it were better designed. The message here is that people want to be educated on how to behave safely,” the researchers concluded.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

 

Tags: Shadow IT

Sep 21 2023

MOVEit Transfer SQL Injection Let the Attacker Gain Unauthorized Access to the Database

Category: Authentication,data securitydisc7 @ 9:17 am
MOVEit Transfer SQL Injection Let the Attacker Gain Unauthorized Access to the Database

MOVEit transfer service pack has been discovered with three vulnerabilities associated with SQL injections (2) and a Reflected Cross-Site Scripted (XSS). The severity for these vulnerabilities ranges between 6.1 (Medium) and 8.8 (High).

Progress-owned MOVEit transfer was popularly exploited by threat actors who attacked several organizations as part of a ransomware campaign. The organizations previously reported to be affected by MOVEit vulnerability include ShellBBC, British AirwaysCalPERSHoneywell, and US government agencies.

CVE-2023-42660: MOVEit Transfer SQL Injection

This SQL injection vulnerability was discovered on the MOVEit Transfer machine interface, which could lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer machine interface. 

Successful exploitation could result in the modification and disclosure of MOVEit database content. However, a threat actor must be authenticated to exploit this vulnerability. Progress has given the severity of this vulnerability as 8.8 (High).

Products affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. Users are recommended to upgrade to the September Service Pack to fix this vulnerability.

CVE-2023-40043: MOVEit Transfer SQL Injection

This other SQL injection vulnerability exists in the MOVEit Transfer web interface, which could possibly lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer web interface.

Successful exploitation could result in the modification and disclosure of MOVEit database content. The prerequisite for a threat actor to exploit this vulnerability includes access to a MOVEit system administrator account. Progress has given the severity of this vulnerability as 7.2 (High).

Products that are affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to the September Service Pack and limit sysadmin account access.

CVE-2023-42656: MOVEit Transfer Reflected XSS

This Reflected XSS vulnerability was found in the MOVEit Transfer’s web interface, which a malicious payload can exploit during the package composition procedure. A threat could craft a malicious payload and target MOVEit Transfer users. When interacting with the payload, the threat actor can execute malicious JavaScript on the victim’s browser.

Progress has given the severity of this vulnerability as 6.1 (Medium). Products affected due to this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to September Service Pack and limit sysadmin account access.

A comprehensive list of vulnerable product versions, documentation, release notes, and fixed versions has been given below.

Affected VersionFixed Version (Full Installer)DocumentationRelease Notes
MOVEit Transfer 2023.0.x (15.0.x)MOVEit Transfer 2023.0.6 (15.0.6)MOVEit 2023 Upgrade Documentation   MOVEit Transfer 2023.0.6 Release Notes
MOVEit Transfer 2022.1.x (14.1.x)MOVEit Transfer 2022.1.9 (14.1.9)MOVEit 2022 Upgrade Documentation  MOVEit Transfer 2022.1.9 Release Notes
MOVEit Transfer 2022.0.x (14.0.x)MOVEit Transfer 2022.0.8 (14.0.8)MOVEit 2022 Upgrade Documentation  MOVEit Transfer 2022.0.8 Release Notes
MOVEit Transfer 2021.1.x (13.1.x)MOVEit Transfer 2021.1.8 (13.1.8)MOVEit 2021 Upgrade Documentation  MOVEit Transfer 2021.1.8 Release Notes
MOVEit Transfer 2021.0.x (13.0.x) or olderMust Upgrade to a Supported VersionSee MOVEit Transfer Upgrade and N/A
Migration Guide  

A security advisory has been released by Progress which includes a comprehensive list of the affected products and the vulnerabilities that have been identified.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MOVEit, SQL injection

Sep 20 2023

The matters that may keep the Information security Officers up at night

Category: CISO,vCISOdisc7 @ 1:46 pm
What-causes-Chief-Information-Security-Officers-to-lose-sleepDownload

DISC InfoSec previous posts on CISO topic

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CISOs

Sep 20 2023

Balancing budget and system security: Approaches to risk tolerance

Category: Risk Assessment,Security Risk Assessmentdisc7 @ 10:56 am
Balancing budget and system security: Approaches to risk tolerance

Recently, it was revealed that Nickelodeon, an American TV channel and brand, has been the victim of a data leak. According to sources, the breach occurred at the beginning of 2023, but much of the data involved was “related to production files only, not long-form content or employee or user data, and (appeared) to be decades old.” The implication of this ambiguous statement: because the data is old and not related to individuals’ personally identifiable information (PII) or any proprietary information that hasn’t already been publicly released, this is a non-incident.

Let’s say Nickelodeon didn’t suffer any material harm because of this incident — great! It’s probable, though, that there are facts we don’t know. Any time proprietary data ends up where it shouldn’t, warning bells should go off in security professionals’ heads. What would be the outcome if the “decades old” files did contain PII? Some of the data would be irrelevant, but some could be crucial. What if the files contained other protected or private data? What if they compromised the integrity of the brand? All organizations need to think through the “what ifs” and apply the worst and base case scenarios to their current security practices.

The Nickelodeon case raises the question of whether keeping “decades old” data is necessary. While holding onto historical data can, in some cases, benefit the organization, every piece of kept data increases the company’s attack surface and increases risk. Why did Nickelodeon keep the old files in a location where it could be easily accessed? If the files were in a separate location, the security team likely did not apply adequate controls to accessing the files. Given that the cost of securing technology and all its inherent complexity is already astronomically high, CISOs need to prioritize budgetary and workforce allocation for all security projects and processes, including those for all past, present, and future data protection.

In a slow economy, balancing system security and budget requires skill and savvy. Even in boom times, though, throwing more money at the problem doesn’t always help. There is no evidence that an increase in security spending proportionately improves an organization’s security posture. In fact, some studies suggest that an overabundance of security tools leads to more confusion and complexity. CISOs should therefore focus on business risk tolerance and reduction.

Approaches to cyber risk management

Because no two organizations are alike, every CISO must find a cyber risk management approach that aligns with the goals, culture, and risk tolerance of the organization. Budget plays an important role here, too, but securing more budget will be an easier task if the security goals align with those of the business. After taking stock of these considerations, CISOs may find that their organizations fall into one or more core approaches to risk management.

Risk tolerance-based approach

Every company– and even every department within a company– has a tolerance for the amount and type of risk they’re willing to take. Security-specific tolerance levels must be based on desired business outcomes; cyber security risk cannot be determined or calculated based on cybersecurity efforts alone, rather how those efforts support the larger business.

To align cybersecurity with business risk, security teams must address business resilience by considering the following questions:

  • How would the business be impacted if a cybersecurity event were to occur?
  • What are the productivity, operational, and financial implications of a cyber event or data breach?
  • How well equipped is the business to handle an event internally?
  • What external resources would be needed to support internal capabilities?

With answers to these types of questions and metrics to support them, cyber risk levels can be appropriately set.

Maturity-based approach

Many companies today estimate their cyber risk tolerance based on how mature they perceive their cybersecurity team and controls to be. For instance, companies with an internal security operations center (SOC) that supports a full complement of experienced staff might be better equipped to handle continuous monitoring and vulnerability triage than a company just getting its security team up and running. Mature security teams are good at prioritizing and remediating critical vulnerabilities and closing the gaps on imminent threats, which generally gives them a higher security risk tolerance.

That said, many SOC teams are too overwhelmed with data, alerts, and technology maintenance to focus on risk reduction. The first thing a company must do if it decides to take on a maturity-based approach is to honestly assess its own level of security maturity, capabilities, and efficacy. A truly mature cybersecurity organization isbetter equipped to manage risk, but self-awareness is vital for security teams regardless of maturity level.

Budget-based approach

Budget constraints are prevalent in all aspects of business today, and running a fully staffed, fully equipped cybersecurity program is no bargain in terms of cost. However, organizations with an abundance of staff and technology don’t necessarily perform better security- or risk-wise. It’s all about being budget savvy for what will be a true compliment to existing systems.

Invest in tools that move the organization toward a zero trust-based architecture, focusing on security foundation and good hygiene first. By laying the right foundations, and having competent staff to manage them, cybersecurity teams will be better off than having the latest and greatest tools implemented without mastering the top CIS Controls: Inventory and control of enterprise and software assets, basic data protection, secure configuration management, hardened access management, log management, and more.

Threat-based approach

An important aspect of a threat-based approach to risk management is understanding that vulnerabilities and threats are not the same thing. Open vulnerabilities can lead to threats (and should therefore be a standard part of every organization’s security process and program). “Threats,” however, refer to a person/persons or event in which a vulnerability has the potential to be exploited. Threats also rely on context and availability of a system or a resource.

For instance, the Log4Shell exploit took advantage of a Log4j vulnerability. The vulnerability resulted in a threat to organizations with an unpatched version of the utility running. Organizations that were not running unpatched versions — no threat.

It is therefore imperative for organizations to know concretely:

  • All assets and entities present in their IT estates
  • The security hygiene of those assets (point in time and historical)
  • Context of the assets (non-critical, business-critical; exposed to the internet or air-gapped; etc.)
  • Implemented and operational controls to secure those assets

With this information and context, security teams can start to build threat models appropriate for the organization and its risk tolerance. The threat models used will, in turn, allow teams to prioritize and manage threats and more effectively reduce risk.

People, process and technology-based approach

People, process, and technology (PPT) are often considered the “three pillars” of technology. Some security pros consider PPT to be a framework. Through whatever lens PPT is viewed, it is the most comprehensive approach to risk management.

A PPT approach has the goal of allowing security teams to holistically manage risk while incorporating an organization’s maturity, budget, threat profile, human resources, skill sets, and the entirety of the organization’s tech stack, as well as its operations and procedures, risk appetite, and more. A well-balanced PPT program is a multi-layered plan that relies evenly on all three pillars; any weakness in one of the areas tips the scales and makes it harder for security teams to achieve success — and manage risk.

The wrap up

Every organization should carefully evaluate its individual capabilities, business goals, and available resources to determine the best risk management strategy for them. Whichever path is chosen, it is imperative for security teams to align with the business and involve organizational stakeholders to ensure ongoing support.

RISK ASSESSMENT: AN INDEPTH GUIDE TO PRINCIPLES, METHODS, BEST PRACTISE, AND INTERVIEW QUESTIONS AND ANSWERS

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: risk tolerance

Sep 20 2023

Nagios Monitoring Tool Vulnerabilities Let Attackers Perform SQL Injection

Category: Security Tools,Security vulnerabilitiesdisc7 @ 9:47 am
Nagios Monitoring Tool Vulnerabilities Let Attackers Perform SQL Injection

Nagios XI is a prominent and frequently used commercial monitoring system for IT infrastructure and network monitoring. 

Vulnerability Research Engineer Astrid Tedenbrant found four distinct vulnerabilities in Nagios XI (version 5.11.1 and below) while conducting routine research.

By making use of three of these flaws classified as (CVE-2023-40931CVE-2023-40933, and CVE-2023-40934), users with various levels of access rights can get access to the database field via SQL injection.

Additionally, the vulnerability (CVE-2023-40932) permits Cross-Site Scripting through the Custom Logo component, rendering on all pages, including the login page.

Details of the Vulnerabilities

SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)

“Announcement Banners” are a feature of Nagios XI that users may choose to recognize. This feature’s endpoint is susceptible to a SQL Injection attack.

When a user acknowledges a banner, a POST request is made to ‘/nagiosxi/admin/banner_message-ajaxhelper.php’ with the POST data ‘action=acknowledge banner message&id=3’.

“The ID parameter is assumed to be trusted but comes directly from the client without sanitization”, the researcher explains.

“This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the `xi_session` and `xi_users` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets”.

SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)

An authorized user with access to control host escalations can run any database query using Nagios XI’s Core Configuration Manager.

The same database access is possible through this vulnerability as through previous SQL Injection vulnerabilities, although it necessitates more privileges than CVE-2023-40931.

SQL Injection in Announcement Banner Settings (CVE-2023-40933)

In this case, while performing the `update_banner_message_settings` action on the affected endpoint, the `id` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query, the researcher said.

Compared to CVE-2023-40931, successful exploitation of this vulnerability needs more privileges but provides the same database access as the other two SQL Injection Vulnerabilities.

Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)

Reports say Nagios XI may be modified to include a unique corporate logo, which will be visible across the entire product. Included in this are the login page, various administration pages, and the landing page.

A cross-site scripting flaw in this functionality allows an attacker to inject arbitrary JavaScript, which any user’s browser will be able to execute.

“This can be used to read and modify page data, as well as perform actions on behalf of the affected user. Plain-text credentials can be stolen from users’ browsers as they enter them.,” reports said.

Fix Available

All of these vulnerabilities have been fixed, and users are encouraged to update to 5.11.2 or later.

The commercial version of the open-source Nagios Core monitoring platform, Nagios XI, offers more functionality that makes managing complicated IT settings easier.

Because of the access that Nagios XI requires, it is frequently used in highly privileged instances, making it an attractive target for attackers.

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks


InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SQL injection

Sep 19 2023

What are the Common Security Challenges CISOs Face?

Category: Information Securitydisc7 @ 9:14 am
What are the Common Security Challenges CISOs Face?

Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.

As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.

These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.

The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.

This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.

By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.

Who is a CISO?

Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.

A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.

They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.

CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.

They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.

In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.

They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.

The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.

CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.

CISO Guide to Balancing Network Security Risks Offered by Perimeter 81 for free, helps to prevent your network from being at Risk.

What are all the Roles and Responsibilities of CISO?

  1. Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
  2. Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
  3. Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
  4. Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
  5. Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
  6. Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
  7. Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
  8. Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
  9. Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
  10. Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.

Security Challenges CISOs Face

CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:

  • Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
  • Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
  • Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
  • Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
  • Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
  • Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
  • Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
  • Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
  • Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
  • Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.

DISC InfoSec previous posts on CISO topic

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Sep 18 2023

Steps CEOs Should Follow in Response to a Cyberattack

Category: Cyber Attack,Information Securitydisc7 @ 2:12 pm

Over the years, numerous individuals have sounded the alarm about the increasing cyber threats, and several have provided insightful guidance on enhancing an organization’s security and resilience. To gauge the adequacy of your efforts, consider the following three questions: Firstly, have you recently engaged in a cyber tabletop exercise? Secondly, is the contact information for your chief information security officer stored in a location other than your work phone or computer? (Keep in mind that if your company’s networks fall victim to a ransomware attack, your work devices might be unreachable.) Lastly, are you aware of your government liaison in the event of a cybersecurity incident?

On May 7, 2021, Colonial Pipeline, a crucial fuel supply network for the eastern United States, suffered a ransomware attack and chose to halt its operations. This decision triggered a broader crisis, resulting in fuel shortages and skyrocketing gas prices at thousands of gas stations. The incident highlighted the intricate connection between physical and digital infrastructures.

In response, the U.S. government took action, with Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Energy Jennifer Granholm addressing the public on May 11, 2021. They reassured the American people and explained the government’s efforts to mitigate the attack’s impact, urging against panic buying of gasoline as the pipeline was expected to be operational again soon. This incident underscored the vulnerability of critical infrastructure to cyber threats and the importance of a coordinated response.

Significant Implications:

The Colonial Pipeline ransomware attack had significant geopolitical implications. It prompted direct engagement between President Biden and Russian President Vladimir Putin, highlighting the seriousness of the situation. This incident emphasized the critical need for stronger cybersecurity measures, especially for vital infrastructure like Colonial Pipeline. It served as a stark reminder that cyber threats can have far-reaching real-world consequences. The incident has had lasting effects, reshaping the roles of CEOs and industry leaders and influencing future cybersecurity considerations.

One notable outcome is the way CEOs are reevaluating their roles and responsibilities. The CEO of Colonial Pipeline, Joseph Blount, faced the difficult decision of paying a $4.3 million Bitcoin ransom to hackers, describing it as the most challenging choice in his 39-year career. This dilemma of whether to pay ransom or risk severe disruption has garnered attention from CEOs, who are keen to avoid public scrutiny and congressional hearings.

In light of this and other recent incidents, here are six recommendations for CEOs to consider:

  1. Prioritize cybersecurity as a top-level concern.
  2. Invest in robust cybersecurity measures and incident response plans.
  3. Foster a culture of cybersecurity awareness within the organization.
  4. Establish clear communication channels and relationships with relevant authorities.
  5. Assess the potential impact of cyber incidents on critical operations.
  6. Develop a strategy for handling ransomware demands that aligns with both legal and ethical considerations.

These recommendations are essential in an era where cyber incidents can quickly escalate to national security crises, demanding the attention of the U.S. president, and where the role of CEOs in responding to such threats is under increased scrutiny.

Exercise caution when communicating with the public.

A run on banks is a classic example of how public reactions and group psychology can exacerbate a crisis. Recent instances such as the rush for toilet paper during the Covid-19 pandemic and the panic at gas stations following the ransomware attack demonstrate that this issue goes beyond financial institutions.

Being cautious in how and what you communicate to the public doesn’t mean avoiding public communication altogether; it’s a necessity. However, companies must approach this with careful consideration. The Colonial Pipeline incident serves as an example, highlighting that even companies not accustomed to regular public engagement may suddenly find it necessary.

Collaborate with government authorities.

Colonial Pipeline’s swift decision to shut down its pipeline system was necessary, but it could have allowed for consultation with U.S. government experts. The shutdown, regardless of infection, would lead to days of disruption in the fuel supply chain, necessitating government intervention due to the serious consequences. Effective coordination with the government is crucial to prevent an unintentional worsening of a crisis.


Be aware of who to get in touch with. Updated Incident handling decision tree.

CEOs must have the knowledge of the appropriate government contacts to facilitate informed decision-making and effective coordination. Contacting entities like NATO or the military, as some anecdotes have indicated, is not the correct approach. However, at times, the government may not make it straightforward for external parties to determine the right person or agency to reach out to, underscoring the government’s responsibility to offer clear guidance in this regard.

Establish a Incident Handling plan and put it into practice.

This point is paramount, as it serves as the foundation for achieving other objectives. Besides creating and maintaining a plan, ideally under the CEO’s supervision, it’s crucial to conduct annual practice sessions, such as tabletop exercises. These exercises help company leaders and employees develop the necessary “muscle memory” for responding efficiently during actual crises.

Know your infrastructure.

Ideally, a CEO should possess a high-level understanding of how a company’s business IT networks and operational technology (OT) networks interact. In cases where systems are isolated (air-gapped), it may not be necessary to shut down the OT network if a compromise is limited to the IT network. However, the Colonial Pipeline ransomware attack illustrated that even the incapacitation of business IT networks can have substantial repercussions. In scenarios where a company is unable to generate invoices, identify customers, or establish contact with them, the resulting disruption can be as disruptive as a complete production halt. This was evident to anyone who has been stranded at an airport due to an airline’s IT system outage, experiencing firsthand the disruptive consequences.

Demonstrate humility and actively seek expertise from professionals.

Cybersecurity is a complex and multifaceted challenge that varies significantly across different sectors, such as pipelines, finance, healthcare, education, and transportation. Recognizing the limits of expertise, including that of cybersecurity professionals, is a crucial insight gained from years of cross-sector cyber incidents. CEOs should not hesitate to seek external assistance when developing, testing, or refining cybersecurity plans or reviewing existing processes and policies within their organizations. Additionally, there are numerous detailed resources available, including guides and checklists tailored for CEOs, board members, and Chief Information Security Officers (CISOs). The U.S. government, through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), offers resources like Stopransomware.gov and Shields Up, designed to cater to companies at different levels of cybersecurity maturity. These resources are valuable tools for enhancing cybersecurity preparedness.

An Executive Self-Assessment:

In addition to the numerous warnings and valuable advice regarding the growing cyber threats, three key questions can serve as a practical self-check to assess an organization’s cybersecurity readiness:

  1. Have you recently participated in a cyber tabletop exercise?
  2. Is the contact information of your chief information security officer stored outside your work phone or computer to ensure accessibility during a network compromise?
  3. Do you have IHP one page summary and know your contact for cybersecurity incident reporting?

If the response to any of these questions is “no,” it’s essential to take action to enhance your organization’s cybersecurity preparedness. This proactive approach can significantly improve protection, prevent potential crises, and contribute to national security.

Source: https://hbr.org/2023/09/6-actions-ceos-must-take-during-a-cyberattack

Your System’s Sweetspots: CEO’s Advice on Basic Cyber Security

In what situations would a vCISO or CISOaaS Service be appropriate?

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CEO, cyberattack

Sep 18 2023

FBI HACKER USDOD LEAKS HIGHLY SENSITIVE TRANSUNION DATA

Category: Data Breach,data security,Hackingdisc7 @ 11:36 am
FBI hacker USDoD leaks highly sensitive TransUnion data

Researchers from vx-underground reported that FBI hacker ‘USDoD‘ leaked sensitive data from consumer credit reporting agency TransUnion.

TransUnion is an American consumer credit reporting agency. TransUnion collects and aggregates information on over one billion individual consumers in over thirty countries, including “200 million files profiling nearly every credit-active consumer in the United States”.

A threat actor who goes by the moniker “USDoD” announced the leak of highly sensitive data allegedly stolen from the credit reporting agency. The leaked database, over 3GB in size, contains sensitive PII of about 58,505 people, all across the globe, including the America and Europe

According to researchers vx-underground who reported the leak, the archive contains data that dates back to March 2nd, 2022, which could be the data of the data breach.

This leaked database has information on individuals all across the globe including the Americas (North and South), as well as Europe

vx-underground states that leaked data includes individual first name, last name, Internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer, information on their employer, a summary of financial transactions, credit score, loans in their name, remaining balances on the loans, where they got the loan from, when TransUnion first began monitoring their information.

The name USDoD is well known in the cyber security sector, it was also listed in the indictment for the notorious owner of the BreachForums cybercrime forum Pompompurinvx-underground pointed out that they are believed to be behind many other high-profile security breaches.

Recently, The multinational aerospace corporation Airbus announced that it is investigating a data leak after cybersecurity firm Hudson Rock reported that a hacker posted information on thousands of the company’s vendors to the dark web.

USDoD” announced he had gained access to an Airbus web portal by compromising the account of a Turkish airline employee.

The hacker claimed to have details on thousands of Airbus vendors. The threat actors obtained the personal information of 3,200 individuals associated with Airbus vendors, exposed data include names, job titles, addresses, email addresses, and phone numbers. 

In December 2022, the FBI’s InfraGard US Critical Infrastructure Intelligence portal was hacked and a database containing the contact details of more than 80,000 high-profile private sector individuals was offered for sale by USDoD on the Breached cybercrime forum.

After the law enforcement shutdown of “Breached” forum, its members, including “USDoD,” moved to other platforms such as “BreachForums.”

“USDoD” posted two threads on this new forum, one to announce they have joined the notorious ransomware group Ransomed. In the second threat, the hacker exposed the personal information of 3,200 sensitive Airbus vendors. USDoD also warned that Lockheed Martin and Raytheon might be the next targets.

“Threat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, “USDoD” revealed they gained access to Airbus’s data by exploiting “employee access from a Turkish Airline”.” reported Hudson Rock. “Using this information, Hudson Rock researchers succeeded to trace the mentioned employee access — a Turkish computer infected with an info-stealing malware in August 2023.”

According to the researchers, the computer of the victim was likely infected with the RedLine stealer after he attempted to download a pirated version of the Microsoft .NET framework.

A Business Guide for Protecting Sensitive Information

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SENSITIVE TRANSUNION DATA

Sep 18 2023

Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromise

Category: Forensics,Mobile Security,Security Toolsdisc7 @ 8:53 am
Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromise

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.

It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.

Mobile Verification Toolkit key features

MVT’s capabilities are continuously evolving, but some of its key features include:

  • Decrypt encrypted iOS backups.
  • Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
  • Extract installed applications from Android devices.
  • Extract diagnostic information from Android devices through the adb protocol.
  • Compare extracted records to a provided list of malicious indicators in STIX2 format.
  • Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
  • Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations of non-consenting individuals. To achieve this, MVT is released under its license.

Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Mobile Verification Toolkit

Sep 18 2023

Microsoft AI researchers accidentally exposed terabytes of internal sensitive data

Category: AI,Data Breachdisc7 @ 8:46 am

Researchers find a GitHub repository belonging to Microsoft’s AI research unit that exposed 38TB of sensitive data, including secret keys and Teams chat logs — Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords …

Microsoft AI researchers accidentally exposed terabytes of internal sensitive data

Sep 17 2023

Top 10 high-paying jobs in cybersecurity industry

Category: Cyber career,Information Securitydisc7 @ 7:55 am

The need for cybersecurity professionals is at an all-time high in our rapidly evolving digital landscape. As cyber threats continue to advance and grow in frequency, businesses are showing a strong commitment to safeguarding their valuable data and networks, resulting in a significant rise in job openings within the cybersecurity field, some of which come with attractive compensation packages. In this article, author delve into the ten highest-paying positions within the cybersecurity sector, shedding light on the specific roles, duties, and salary brackets linked to each role.

10 Top-Paying Jobs in the Cybersecurity Industry

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cybersecurity industry

Sep 15 2023

Attackers hit software firm Retool to get to crypto companies and assets

Category: App Security,Crypto,Security Toolsdisc7 @ 3:18 pm
Attackers hit software firm Retool to get to crypto companies and assets

Retool, the company behind the popular development platform for building internal business software, has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.

According to a CoinDesk report, one the known victims is Fortress Trust, i.e., four of its customers who accessed their crypto funds via a portal built by Retool.

It all started with an SMS

The attack started with spear phishing text messages delivered to a number of Retool employees. According to the company, only one fell for the scheme.

The phishing text message. (Source: Retool)

Spoofed to look like it was coming from the company’s IT department, the goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call by the attacker.

“The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code,” Snir Kodesh, Retool’s head of engineering, shared on Wednesday.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite [i.e., Google Workspace] session on that device.”

And because the employee’s MFA codes were synched with their Google account, the attacker now had access to all MFA tokens held within that account.

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry),” Kodesh noted, and added that the attacker also poked around some of the Retool apps – but didn’t specify which ones.

“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.”

Who’s to blame?

“Social engineering can affect anyone,” Kodesh noted, and “even with perfect training and awareness of these attacks, mistakes will happen.” He also put some on the blame for the hack on Google.

The company recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud and made it easier to activate the feature than not to.

“Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this ‘feature’. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just a “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” he explained.

“Through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”

Of course, Google cannot be blamed for this breach entirely – Retool should have regularly reviewed the protections they’ve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.

If the company had used a FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed – as a similar attack against Cloudflare employees did a year ago.

The investigation is ongoing

Retool is working with law enforcement and a third party forensics firm to investigate the breach in depth.

So far, they found that 27 cloud customers have been affected (and they notified them all), but that on-premise Retool customers remain secure.

“Retool on-prem operates in a ‘zero trust’ environment, and doesn’t trust Retool cloud. It is fully self contained, and loads nothing from the cloud environment. This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,” Kodesh noted.

Fortress’ customers, on the other hand, apparently lost nearly $15 million.

UPDATE (September 15, 2023, 04:35 a.m. ET):

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies,” Google stated.

“Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”

Application Security Program Handbook: A guide for software engineers and team leaders

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Sep 14 2023

Next-Gen Email Firewalls: Beyond Spam Filters to Secure Inboxes Checklist

Category: Email Security,next generation firewalldisc7 @ 9:56 am
Next-Gen Email Firewalls: Beyond Spam Filters to Secure Inboxes Checklist

Email communication is still widely used as an attack vector despite the ever-changing nature of cyber threats.

The vast number of people who use it for communication daily, both professionally and personally, makes it a tempting target.

Cybercriminals are becoming more skilled at using malicious email campaigns in line with the growth of advanced technologies and increased security measures taken by businesses.

VIPRE Security found that 85.01% of phishing emails had harmful links inside the message body, and the volume of spam emails increased by 30.0% from the first to the second quarter of 2023.

In addition, phishing attacks against IT companies are now more common (14%) than against financial institutions (9%).

The Limitations of Traditional Spam Filters

Conventional spam filters rely on static rule-based systems with predetermined criteria or known dangerous signatures to identify emails as spam.

Their strict compliance with predetermined policies leaves companies vulnerable to ever-evolving cyberattacks. These filters rely too much on signature-based detection, making them vulnerable to zero-day threats and unable to protect against recent or modified malware. 

They can’t detect hidden risks like spear phishing since they don’t have advanced behavioral analysis. In addition, it cannot examine potentially harmful information in isolation without sandboxing characteristics.

 As a result, the ever-evolving and complicated nature of cyber threats makes their traditional approaches ineffective.

You can Understand and diagnose Email Issues using Trusitifi’s Email Header Analyzer Tool.

What are Next-Gen Email Firewalls?

Next-Generation Email Firewalls are the latest technologies for protecting against malicious emails. To quickly prevent new threats, such as zero-day vulnerabilities, these systems interact with real-time threat intelligence feeds, unlike traditional spam filters, which depend primarily on static rules. 

They scan things in-depth, including emails, embedded URLs, and attachments. Sandboxing is essential since it allows testing of potentially harmful information in a secure environment. 

Advanced systems use machine learning and behavioral analytics to identify complex phishing attacks like this. These firewalls use authentication protocols like DMARC, DKIM, and SPF to prevent spoofing and verify email senders. 

In addition, they have measures to prevent sensitive information from being accidentally leaked. These solutions, which are frequently cloud-native, provide a robust and complex approach to email security while scaling efficiently and integrating smoothly with existing security infrastructure.

How do Next-Gen Email Firewalls Protect Your Inbox?

Advanced Threat Intelligence – The use of real-time threat intelligence helps to identify and prevent emerging attacks, such as those that exploit zero-day flaws, as soon as they appear.

Deep Content Inspection – Rather than simply scanning the email’s information, these firewalls read the message in full, including any embedded URLs or files attached, to discover any hidden risks.

Sandboxing – To prevent viruses and malware from reaching their intended recipients, suspicious attachments and URLs are displayed in a safe, isolated environment.

Behavioral Analytics – These firewalls may identify spear-phishing initiatives by learning the sender’s typical activity patterns and comparing them to suspicious emails that appear to be from the same sender but act differently.

Identity Verification – Using authentication methods like DMARC, DKIM, and SPF, these tools ensure that all email arrives genuine and from a known source, protecting users from spoofing and phishing attempts.

Data Loss Prevention (DLP) – Besides inbound threats, they monitor outgoing emails to prevent sensitive material from being transmitted without authorization or violating regulations.

Machine Learning – Many modern firewalls use machine learning to “learn” from the attacks they block and better detect various threats over time.

Next-Gen Email Firewalls vs. Traditional Email Security

Next-Gen Email FirewallsTraditional email security
Quickly adapt to new threats by using real-time threat intelligence.It uses a static collection of threats and patterns to make decisions.
Emails, URLs, and attachments are all placed through an extensive content analysis.Metadata and simple patterns are the primary areas of security inspection.
Uses content isolation technologies (sandboxes) to investigate potentially harmful data.Doesn’t have a sandboxing environment.
Utilizes machine learning and behavioral analytics for real-time threat assessment.Depending on predetermined guidelines rather than monitoring user activity
Designed specifically for use in the cloud, this safeguards the present remote workforces.Less flexible with cloud integrations; works best in local installations.
The sophisticated analysis and learning capabilities have resulted in fewer false positives.There is an increase in false positives because of the inflexibility of rule-based systems.

Countering Sophisticated Email Threats with Next-Gen Email Firewalls

The importance of Next-Generation Email Firewalls in preventing modern email threats cannot be underestimated.

These modern firewalls utilize real-time threat intelligence to detect and neutralize recent security risks instead of the static rules used by older systems.

They investigate thoroughly, looking at every aspect of the email, from the subject line to the attachments. Sandboxing is a technique to test malicious code in a safe, restricted setting.

Unusual behaviors, such as those used in spear phishing or impersonation, can be detected via machine learning.

In addition, email spoofing may be prevented using sender authentication methods such as DMARC, DKIM, and SPF.

By authenticating the sender’s identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.

SPF aims to improve email security by limiting the possibility that an unauthorized sender

In DKIM, the transmitting server gives Each email a unique DKIM signature generated using a private key. The DNS records of the sender are queried to retrieve the sender’s public key, which is then used to validate the email’s signature.

With DMARC, website administrators may specify how they want their domain’s incoming mail servers to deal with unencrypted messages that have not been authenticated. It has a policy and a statement, with three options (reject, quarantine, or do nothing). 

You can Analyze and Detect SPF Issues using Trustifi’s SPF Record Checker Tool.

Why Trustifi ? – AI-Powered Protection for Business Email Security

Next-generation email firewalls will benefit from quantum-resistant algorithms, IoT integration, and adaptive AI for threat prediction in the long run. 

Trustifi’s advanced protection uses machine learning and AI to quickly find and stop the most sophisticated email-based attacks, such as ransomware, malware, phishing attacks (malicious links), CEO impersonation protection, BEC, and account compromise, keeping hackers out of inboxes with the following email threat protection solutions.

These firewalls will prioritize cross-platform connectivity, robust data protection measures, and real-time threat sharing in response to the constantly evolving nature of cyber threats.

Trustifi Advanced Email Protection With Trusitifi Inbound Shield Offers powerful multi-layered scanning technology.

It thoroughly examines, identifies, and categorizes even the most sophisticated forms of Phishing, Malicious, SPAM, and Gray Emails. 

Modern machine learning and artificial intelligence provide comprehensive, precise threat hunting for it.

The Inbound Shield checks out and removes harmful data and for various irregularities, including the following.

  • Scammers who send emails from fake domains.
  • Money transfer and other private information requests.
  • Hyperlinks lead to malicious sites.
  • Files with potentially malicious content, such as SQL injection strings or other code snippets, are designed to execute upon download.

These filtering procedures only take milliseconds to complete and can detect previously unidentified zero-day attacks.

The Trustifi Inbound Shield is a cloud-based solution that requires no alterations to your current infrastructure to implement.

Emails could be sent and received safely without any complicated setup or concerns, and It takes minutes, not days, to set up.

The Internet and the Unregulated Space of the Scammers and Hackers: Surf the Internet Safely!

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Next-Gen Email Firewalls

Next Page »