Jun 13 2024

Microsoft President Admits to Major Security Failures

Category: Security Breach | disc7 @ 3:25 pm

Brad Smith Says the Tech Giant ‘Accepts Responsibility’ for Cyber Breaches

https://www.databreachtoday.co.uk/microsoft-president-admits-to-major-security-failures-a-25515

Microsoft President Brad Smith during a tense U.S. congressional hearing Thursday acknowledged responsibility for a series of security failures that facilitated multiple high-profile state-sponsored cyberattacks targeting government institutions and the company itself.

Lawmakers on the House Committee on Homeland Security grilled Smith over Microsoft’s failure to address critical vulnerabilities and its mishandling of whistleblower warnings, which they argued led to the SolarWinds attack and other major breaches that federal cyber authorities say could have been avoided.

Rep. Mark Green, R-Tenn., who chairs the committee, described recent federal findings about Microsoft’s security blunders as “extremely concerning” and said the company’s “underinvestment in essential security measures exposed critical vulnerabilities.”

“Microsoft is deeply integrated into our nation’s digital infrastructure,” Green said, adding that the company has a “heightened responsibility” to ensure federal systems are protected from intrusion.

The hearing took place the same day ProPublica released a bombshell report alleging Microsoft ignored warnings from a whistleblower about a critical vulnerability that left the company susceptible to Russian hackers for several years. The whistleblower left the company in August 2020 out of frustration with its handling of the security flaw that ultimately facilitated Russia’s attack against SolarWinds just months later.

The federally empaneled Cyber Safety Review Board in a report published following a seven-month probe of the company’s security practices blamed Microsoft’s corporate culture for deprioritizing enterprise security investments and allowing preventable security breaches.

“Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said in his prepared opening remarks, adding: “Without equivocation or hesitation.”

The Russian state hacking group tracked as Midnight Blizzard, also known as APT29 and CozyBear, breached senior Microsoft executives’ email inboxes after using an unsophisticated hacking technique (see: Microsoft’s Latest Hack Sparks Major Security Concerns). The incident came less than a year after Microsoft disclosed that a group of Chinese hackers breached customers’ email systems as part of a cyberespionage campaign targeting federal agencies and other major organizations.

Lawmakers on both sides of the political aisle expressed doubts over whether Microsoft has been fully transparent with its customers and the federal government in the wake of recent security breaches. The ProPublica report published Thursday says that Smith testified to the Senate Intelligence Committee in 2017 that Microsoft became aware of the flaw leading to the SolarWinds attack only after the cybersecurity firm CyberArk published a blog post describing the exploit, known as Golden SAML.

“My concerns about whether we can rely on Microsoft to be transparent were heightened this morning when I read a ProPublica article about how an employee alerted Microsoft’s leadership to a vulnerability,” said ranking member Rep. Bennie Thompson, D-Mo. “That vulnerability was ultimately used by Russian hackers to carry out secondary phases of the SolarWinds attack in 2020.”

“Transparency is the foundation of trust, and Microsoft needs to be more transparent,” he said.

In response, Smith testified that Microsoft has made changes to its corporate governance structure to improve enterprisewide cybersecurity efforts and “integrate security into every process.” The company has added deputy CISOs to each of its components as part of its Secure Future Initiative, Smith said. The company launched the initiative in November 2023 (see: Microsoft Overhauls Security Practices After Major Breaches).

Smith also told lawmakers he is not aware of any vulnerabilities within Microsoft’s operating system that could affect government networks and said the company was “focused on identifying every vulnerability our employees can find.”

AJ Grotto, director of Stanford University’s geopolitics, technology and governance program and former senior White House director for cyber policy, said Microsoft “uses restrictive licensing to dominate the public sector” despite repeatedly putting federal networks in harm’s way.

“We’ve become accustomed to security flaws in Microsoft’s products, followed by promises from Microsoft to improve security, only to have the cycle repeat – with no consequences for Microsoft,” Grotto said in a statement sent to Information Security Media Group. Grotto urged lawmakers to demand the company “develop and share with Congress a plan for diversifying its exposure to cybersecurity risk.”

Smith told the House committee Microsoft has begun implementing 16 of the CSRB’s recommendations that apply directly to the company and added an additional 18 security measures to help improve its overall cyber posture.

Asked directly about the risk associated with the federal government’s reliance on a single technology vendor, Smith acknowledged potential concerns but said a network with too many players could be equally problematic.

“Just as there is risk relying on one vendor, there are risks in relying on multiple vendors,” Smith said. “Fundamentally, whether you have one vendor or multiple, the problem is similar – we all need to work together and just keep making progress.”

Microsoft President Brad Smith testifies before the House Committee on Homeland Security on June 13, 2024.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Major Security Failures, Microsoft


Jun 12 2024

20,000 FortiGate appliances compromised by Chinese hackers

Category: Hacking, Security Breach | disc7 @ 7:43 am

How Coathanger persists on FortiGate devices

In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) made it known that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a known FortiOS pre-auth RCE vulnerability (CVE-2022-42475), and used novel remote access trojan malware to create a persistent backdoor.

The RAT was dubbed Coathanger and found to be capable of surviving reboots and firmware upgrades. It’s also difficult to detect its presence by using FortiGate CLI commands, and to remove it from compromised devices.

The security services shared indicators of compromise and a variety of detection methods in an advisory, and explained that “the only currently identified way of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring the device.”

They also attributed the intrusion and the malware to a Chinese cyber-espionage group.

A widespread campaign

On Monday, the Dutch National Cyber Security Center said that the MIVD continued to investigate the campaign, and found that:

  • The threat actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023
  • They exploited the FortiOS vulnerability (CVE-2022-42475) as a zero-day, at least two months before Fortinet announced it

“During this so-called ‘zero-day’ period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the NCSC said.

The threat actor installed the Coathanger malware at a later time, on devices of relevant targets.

“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” they said, and added that given the difficult discovery and clean-up process, “it is likely that the state actor still has access to systems of a significant number of victims.”

Another problem is that the Coathanger malware can be used in combination with any present or future vulnerability in FortiGate devices – whether zero- or N-day.

Advice for organizations

“Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organizations apply the ‘assume breach’ principle,” the NCSC opined.

“This principle states that a successful digital attack has already taken place or will soon take place. Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans and forensic readiness.”

(In the attack targeting the Dutch MoD, the effects of the intrusion were limited due to effective network segmentation.)

Finally, the NCSC noted that the problem is not specifically Fortinet appliances, but “edge” devices – firewalls, VPN servers, routers, SMTP servers, etc. – in general.

“Recent incidents and identified vulnerabilities within various edge devices show that these products are often not designed according to modern security-by-design principles,” they said. Because almost every organization has one or more edge devices deployed, they added, it pays for threat actors to look for vulnerabilities affecting them.

The NCSC has, therefore, published helpful advice on how organizations should deal with using edge devices.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics 


Tags: Chinese hackers, FortiGate appliances, The Hacker and the State


Jun 11 2024

YOUR AZURE SECURITY AT RISK? HOW HACKERS ARE EXPLOITING AZURE SERVICE TAGS (AND HOW TO STOP THEM)?

Category: Hacking, Risk Assessment | disc7 @ 8:24 am

A significant security vulnerability has been discovered by Tenable Research that affects Azure customers relying on Service Tags for their firewall rules. This vulnerability allows attackers to bypass Azure firewall rules, posing a substantial risk to organizations using these configurations. Here’s an in-depth look at the vulnerability, how it can be exploited, and crucial defensive measures to mitigate the risk.


INITIAL DISCOVERY IN AZURE APPLICATION INSIGHTS

Tenable Research initially uncovered the vulnerability within Azure Application Insights, a service designed to monitor and analyze web applications’ performance and availability. The Availability Tests feature of Azure Application Insights, intended to check the accessibility and performance of applications, was found to be susceptible to abuse. Users can control server-side requests in these tests, including adding custom headers and changing HTTP methods. This control can be exploited by attackers to forge requests from trusted services, mimicking a server-side request forgery (SSRF) attack.

EXPANSION TO MORE THAN 10 OTHER AZURE SERVICES

Upon further investigation, Tenable Research found that the vulnerability extends beyond Azure Application Insights to more than 10 other Azure services. These include:

  • Azure DevOps
  • Azure Machine Learning
  • Azure Logic Apps
  • Azure Container Registry
  • Azure Load Testing
  • Azure API Management
  • Azure Data Factory
  • Azure Action Group
  • Azure AI Video Indexer
  • Azure Chaos Studio

Each of these services allows users to control server-side requests and has an associated Service Tag, creating potential security risks if not properly mitigated.

HOW ATTACKERS CAN EXPLOIT THE VULNERABILITY

Attackers can exploit the vulnerability in Azure Service Tags by abusing the Availability Tests feature in Azure Application Insights. Below are detailed steps and examples to illustrate how an attacker can exploit this vulnerability:

1. Setting Up the Availability Test:

  • Example Scenario: An attacker identifies an internal web service within a victim’s Azure environment that is protected by a firewall rule allowing traffic only from Azure Application Insights.
  • Action: The attacker sets up an Availability Test in Azure Application Insights, configuring it to target the internal web service.

2. Customizing the Request:

  • Manipulating Headers: The attacker customizes the HTTP request headers to include authorization tokens or other headers that may be expected by the target service.
  • Changing HTTP Methods: The attacker can change the HTTP method (e.g., from GET to POST) to perform actions such as submitting data or invoking actions on the target service.
  • Example Customization: The attacker configures the test to send a POST request with a custom header “Authorization: Bearer <malicious-token>”.

3. Sending the Malicious Request:

  • Firewall Bypass: The crafted request is sent through the Availability Test. Since it originates from a trusted Azure service (Application Insights), it bypasses the firewall rules based on Service Tags.
  • Example Attack: The Availability Test sends the POST request with the custom header to the internal web service, which processes the request as if it were from a legitimate source.

4. Accessing Internal Resources:

  • Unauthorized Access: The attacker now has access to internal APIs, databases, or other services that were protected by the firewall.
  • Exfiltration and Manipulation: The attacker can exfiltrate sensitive data, manipulate internal resources, or use the access to launch further attacks.
  • Example Impact: The attacker retrieves confidential data from an internal API or modifies configuration settings in an internal service.

DETAILED EXAMPLE OF EXPLOIT

Scenario: An organization uses Azure Application Insights to monitor an internal financial service. The service is protected by a firewall rule that allows access only from the ApplicationInsightsAvailability Service Tag.

  1. Deploying an Internal Azure App Service:
    • The organization has a financial application hosted on an Azure App Service with firewall rules configured to accept traffic only from the ApplicationInsightsAvailability Service Tag.
  2. Attempted Access by the Attacker:
    • The attacker discovers the endpoint of the internal financial application and attempts to access it directly. The firewall blocks this attempt, returning a forbidden response.
  3. Exploiting the Vulnerability:
    • Setting Up the Test: The attacker sets up an Availability Test in Azure Application Insights targeting the internal financial application.
    • Customizing the Request: The attacker customizes the test to send a POST request with a payload that triggers a financial transaction, adding a custom header “Authorization: Bearer <malicious-token>”.
    • Sending the Request: The Availability Test sends the POST request to the internal financial application, bypassing the firewall.
  4. Gaining Unauthorized Access:
    • The financial application processes the POST request, believing it to be from a legitimate source. The attacker successfully triggers the financial transaction.
    • Exfiltration: The attacker sets up another Availability Test to send GET requests with custom headers to extract financial records from the application.

ADVANCED EXPLOITATION TECHNIQUES

1. Chain Attacks:

  • Attackers can chain multiple vulnerabilities or services together to escalate their privileges and impact. For example, using the initial access gained from the Availability Test to find other internal services or to escalate privileges within the Azure environment.

2. Lateral Movement:

  • Once inside the network, attackers can move laterally to compromise other services or extract further data. They might use other Azure services like Azure DevOps or Azure Logic Apps to find additional entry points or sensitive data.

3. Persistent Access:

  • Attackers can set up long-term Availability Tests that periodically execute, ensuring continuous access to the internal services. They might use these persistent tests to maintain a foothold within the environment, continuously exfiltrating data or executing malicious activities.

DEFENSIVE MEASURES

To mitigate the risks associated with this vulnerability, Azure customers should implement several defensive measures:

1. Analyze and Update Network Rules:

  • Conduct a thorough review of network security rules.
  • Identify and analyze any use of Service Tags in firewall rules.
  • Assume services protected only by Service Tags may be vulnerable.

2. Implement Strong Authentication and Authorization:

  • Add robust authentication and authorization mechanisms.
  • Use Azure Active Directory (Azure AD) for managing access.
  • Enforce multi-factor authentication and least privilege principles.

3. Enhance Network Isolation:

  • Use network security groups (NSGs) and application security groups (ASGs) for granular isolation.
  • Deploy Azure Private Link to keep traffic within the Azure network.

4. Monitor and Audit Network Traffic:

  • Enable logging and monitoring of network traffic.
  • Use Azure Monitor and Azure Security Center to set up alerts for unusual activities.
  • Regularly review logs and audit trails.

5. Regularly Update and Patch Services:

  • Keep all Azure services and applications up to date with security patches.
  • Monitor security advisories from Microsoft and other sources.
  • Apply updates promptly to minimize risk.

6. Use Azure Policy to Enforce Security Configurations:

  • Deploy Azure Policy to enforce security best practices.
  • Create policies that require strong authentication and proper network configurations.
  • Use Azure Policy initiatives for consistent application across resources.

7. Conduct Security Assessments and Penetration Testing:

  • Perform regular security assessments and penetration testing.
  • Engage with security experts or third-party services for thorough reviews.
  • Use tools like Azure Security Benchmark and Azure Defender.

8. Educate and Train Staff:

  • Provide training on risks and best practices related to Azure Service Tags and network security.
  • Ensure staff understand the importance of multi-layered security.
  • Equip teams to implement and manage security measures effectively.
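
One way to carry out measure 1 above, as an added example that is not from Tenable Research or the original article: a Python audit over the JSON that `az network nsg list` produces, flagging inbound Allow rules whose source is a Service Tag rather than an address range. The sample NSG is constructed for illustration, and only the ApplicationInsightsAvailability tag name comes from this page.

```python
import ipaddress
import json

# Tag this page names as reachable through Availability Tests. Extend the set
# with the tags of the other listed services once their exact names are checked.
WATCHED_TAGS = {"ApplicationInsightsAvailability"}
# Built-in tags for the virtual network, the Azure load balancer and the public
# Internet; skipped here because they are not per-service tags.
PLATFORM_TAGS = {"VirtualNetwork", "AzureLoadBalancer", "Internet"}


def is_service_tag(prefix):
    """True when an NSG source prefix is a tag name, not '*' or an IP/CIDR."""
    if prefix in ("", "*"):
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
        return False
    except ValueError:
        return True


def rule_sources(rule):
    """Collect sources from both the single and the plural prefix fields."""
    single = rule.get("sourceAddressPrefix")
    many = rule.get("sourceAddressPrefixes") or []
    return ([single] if single else []) + list(many)


def audit_nsgs(nsgs):
    """Return findings for inbound Allow rules that trust a Service Tag."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules") or []:
            if str(rule.get("direction", "")).lower() != "inbound":
                continue
            if str(rule.get("access", "")).lower() != "allow":
                continue
            for src in rule_sources(rule):
                if not is_service_tag(src):
                    continue
                base = src.split(".")[0]  # regional tags look like "Tag.Region"
                if base in PLATFORM_TAGS:
                    continue
                findings.append({
                    "nsg": nsg.get("name"),
                    "rule": rule.get("name"),
                    "source": src,
                    "port": rule.get("destinationPortRange"),
                    "priority": rule.get("priority"),
                    # "high": tag named on this page; "review": any other tag
                    "severity": "high" if base in WATCHED_TAGS else "review",
                })
    # High-severity findings first, then by rule priority (lower is evaluated first).
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["priority"]))


# Constructed sample in the shape of `az network nsg list` output.
SAMPLE_NSG_JSON = """
[
  {
    "name": "nsg-finance-app",
    "securityRules": [
      {"name": "allow-availability-tests", "direction": "Inbound",
       "access": "Allow", "priority": 100,
       "sourceAddressPrefix": "ApplicationInsightsAvailability",
       "sourceAddressPrefixes": [], "destinationPortRange": "443"},
      {"name": "allow-office", "direction": "Inbound", "access": "Allow",
       "priority": 110, "sourceAddressPrefix": "203.0.113.0/24",
       "sourceAddressPrefixes": [], "destinationPortRange": "443"},
      {"name": "allow-apim", "direction": "Inbound", "access": "Allow",
       "priority": 120, "sourceAddressPrefix": null,
       "sourceAddressPrefixes": ["ApiManagement.WestEurope", "198.51.100.7"],
       "destinationPortRange": "8443"},
      {"name": "allow-vnet", "direction": "Inbound", "access": "Allow",
       "priority": 130, "sourceAddressPrefix": "VirtualNetwork",
       "sourceAddressPrefixes": [], "destinationPortRange": "*"},
      {"name": "deny-all", "direction": "Inbound", "access": "Deny",
       "priority": 4000, "sourceAddressPrefix": "*",
       "sourceAddressPrefixes": [], "destinationPortRange": "*"},
      {"name": "allow-out-storage", "direction": "Outbound", "access": "Allow",
       "priority": 100, "sourceAddressPrefix": "VirtualNetwork",
       "sourceAddressPrefixes": [], "destinationPortRange": "443"}
    ]
  }
]
"""

if __name__ == "__main__":
    for f in audit_nsgs(json.loads(SAMPLE_NSG_JSON)):
        print("[{severity}] {nsg}/{rule}: source={source} port={port}".format(**f))
```

Each finding is a rule where the Service Tag is the only network gate, so the service behind it should be confirmed to enforce its own authentication and authorization (measure 2).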


The vulnerability discovered by Tenable Research highlights significant risks associated with relying solely on Azure Service Tags for firewall rules. By understanding the nature of the vulnerability and implementing the recommended defensive measures, Azure customers can better protect their environments and mitigate potential threats. Regular reviews, updates, and a multi-layered security approach are essential to maintaining a secure Azure environment.

Azure Security


Tags: Azure Security


Jun 10 2024

DuckDuckGo Launches Anonymous AI Chatbots

Category: Anonymous | disc7 @ 7:10 am

DuckDuckGo has unveiled a new feature, AI Chat, which offers users an anonymous way to access popular AI chatbots.

This innovative service includes models like OpenAI’s GPT 3.5 Turbo, Anthropic’s Claude 3 Haiku, and two open-source models, Meta Llama 3 and Mistral’s Mixtral 8x7B.

A New Era Of Private AI Interaction

DuckDuckGo’s AI Chat is designed to provide a private and anonymous experience for users who want to interact with AI chatbots.

This optional feature is free to use within a daily limit and can be easily switched off if desired.

The company emphasizes that all chats are private, anonymized, and not used for any AI model training.

According to the Spreadprivacy blog, users can access DuckDuckGo AI Chat through various entry points, including duck.ai, duckduckgo.com/chat, the Chat tab on search results pages, or via the !ai and !chat bang shortcuts.

All these routes lead to the same destination, ensuring a seamless user experience.

Why AI Chat?

DuckDuckGo’s mission is to demonstrate that online privacy can be easily maintained.

The company believes people should be able to use the internet and digital tools without sacrificing their privacy.

This philosophy has driven the development of products that add a layer of privacy to everyday online activities, from search and browsing to email and now generative AI with AI Chat.

According to recent Pew research, many U.S. adults have concerns about AI’s impact on privacy, even as they recognize its potential benefits in other areas.

DuckDuckGo AI Chat aims to address these concerns by offering a private and anonymous way to use AI chatbots.

Enhancing The Search Experience

DuckDuckGo takes a thoughtful approach to integrating AI features in the competitive landscape of generative AI.

Before rolling out, the company carefully considers how these features can enhance the search and browsing experience.

AI Chat and search are seen as complementary tools that can help users find information more effectively, especially when exploring new topics.

For instance, users might start with AI Chat to ask a few questions and then switch to traditional search to find reviews, prices, or other primary sources.

Conversely, they might begin with a search and then use AI Chat for follow-up queries.

This flexibility allows users to choose the method that best suits their needs.

How It Works And Ensures Privacy

Users can select their preferred chat model and interact like any other chat interface when they land on the AI Chat page.

All chats are completely anonymous, with DuckDuckGo removing users’ IP addresses and using its own instead.

This ensures that requests appear from DuckDuckGo, not the individual user.

DuckDuckGo does not save or store any chats. While the underlying model providers may temporarily store chats to ensure system functionality, they cannot trace them back to individual users.

Agreements with model providers ensure that any saved chats are deleted within 30 days and are not used for model training.

AI Chat is free to use within a daily limit, maintaining strict user anonymity.

DuckDuckGo plans to keep the current level of access free while exploring a paid plan for higher usage limits and more advanced chat models.

DuckDuckGo is already working on improvements to AI Chat, including new capabilities like custom system prompts and general user experience enhancements.

The company also plans to add more chat models, potentially including DuckDuckGo- or user-hosted options.

Users are encouraged to provide feedback on desired features via the Share Feedback button on the AI Chat screen.

To experience DuckDuckGo AI Chat, visit duck.ai or duckduckgo.com/chat.

You can also find it on your search results page under the Chat tab or initiate a chat using the !ai or !chat bang shortcuts.

If AI Chat isn’t for you, it can be easily disabled in the Search settings menu.

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency


Tags: Chatbots, DuckDuckGo


Jun 06 2024

How to Implement ISO 27001: A 9-Step Guide

Category: Information Security, ISO 27k | disc7 @ 8:47 am
https://itgovernance.eu/blog/en/a-9-step-guide-to-implementing-iso-27001?


The hardest part of many projects is knowing where to start.

ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).

In other words, it lays out the requirements you must meet, but doesn’t show you how to adopt or implement them.

With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt the 2022 version of the standard – which means tackling a new Annex A control set, among other new requirements.


1. Project mandate

The implementation project should begin by appointing a project leader.

They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:

  • What do we hope to achieve?
  • How long will the project take?
  • Does the project have top management support?
  • What resources – financial and otherwise – will the project need?

2. Develop the ISO 27001 implementation plan

The next step is to use your project mandate to create a more detailed outline of:

  • Your information security objectives;
  • Your project risk register;
  • Your project plan; and
  • Your project team.

Information security objectives

Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.

They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.

Project risk register

Your project risk register should account for risks to the project itself, which might be:

  • Managerial – will operational management continue to support the project?
  • Budgetary – will funding continue to see the project through?
  • Legal – are specific legal obligations at risk?
  • Cultural – will staff resist change?

Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.

Project plan

The project plan should detail the actions you must take to implement the ISMS.

This should include the following information:

  • Resources required
  • Responsibilities
  • Review dates
  • Deadlines

Project team

The project team should represent the interests of every part of the organisation and include various levels of seniority.

Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:

  • Responsible;
  • Accountable;
  • Consulted; and
  • Informed.

One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.


3. ISMS initiation

You’re now ready to initiate your ISMS!

Documentation structure

A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.

We recommend a four-tier approach:

A. Policies
These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.

B. Procedures
These enact the requirements of your policies at a high level.

C. Work instructions
These set out how employees implement individual elements of the procedures.

D. Records
These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.

This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring that you implement policies at each level of your organisation and that you develop well-functioning, cohesive processes.

Tips for more effective policies and procedures

Your policies and procedures must also be effective. Here are four tips:

  1. Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
  2. Keep them clear and straightforward, so staff can easily follow your procedures.
  3. Use version control, so everyone knows which is the latest document.
  4. Avoid duplication. This will also help with the version control.

Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.

Continual improvement

As part of your ISMS initiation, you’ll need to select a continual improvement methodology.

First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:

Continual improvement means getting better results for your investment. That typically means one of two things:

1. Getting the same results while spending less money.
2. Getting better results while spending the same amount of money.

Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.

But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.

While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.

Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.


ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

Key strategies for ISO 27001:2022 compliance adoption

What is ISO 27002:2022

ISO 27k Chat bot

Implementation Guide ISO/IEC 27001:2022

Please send an email related to ISO27001:2022 implementation to info@DeuraInfoSec.com and we are happy to help!

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks


Tags: Implement ISO 27001, ISO 27001 2022


Jun 05 2024

Unauthorized AI is eating your company data, thanks to your employees

Category: AI, Data Breach, data security | disc7 @ 8:09 am
https://www.csoonline.com/article/2138447/unauthorized-ai-is-eating-your-company-data-thanks-to-your-employees.html

Legal documents, HR data, source code, and other sensitive corporate information is being fed into unlicensed, publicly available AIs at a swift rate, leaving IT leaders with a mounting shadow AI mess.

Employees at many organizations are engaging in widespread use of unauthorized AI models behind the backs of their CIOs and CISOs, according to a recent study.

Employees are sharing company legal documents, source code, and employee information with unlicensed, non-corporate versions of AIs, including ChatGPT and Google Gemini, potentially leading to major headaches for CIOs and other IT leaders, according to research from Cyberhaven Labs.

About 74% of the ChatGPT use at work is through non-corporate accounts, potentially giving the AI the ability to use or train on that data, says the Cyberhaven Q2 2024 AI Adoption and Risk Report, based on actual AI usage patterns of 3 million workers. More than 94% of workplace use of Google AIs Gemini and Bard is from non-corporate accounts, the study reveals.

Nearly 83% of all legal documents shared with AI tools go through non-corporate accounts, the report adds, while about half of all source code, R&D materials, and HR and employee records go into unauthorized AIs.

The amount of data put into all AI tools saw nearly a five-fold increase between March 2023 and March 2024, according to the report. “End users are adopting new AI tools faster than IT can keep up, fueling continued growth in ‘shadow AI,’” the report adds.

Where does the data go?

At the same time, many users may not know what happens to their companies’ data once they share it with an unlicensed AI. ChatGPT’s terms of use, for example, say the ownership of the content entered remains with the users. However, ChatGPT may use that content to provide, maintain, develop, and improve its services, meaning it could train itself using shared employee records. Users can opt out of ChatGPT training itself on their data.

So far, there have been no high-profile reports about major company secrets spilled by large public AIs, but security experts worry about what happens to company data once an AI ingests it. On May 28, OpenAI announced a new Safety and Security Committee to address concerns.

It’s difficult to assess the risk of sharing confidential or sensitive information with publicly available AIs, says Brian Vecci, field CTO at Varonis, a cloud security firm. It seems unlikely that companies like Google or ChatGPT developer OpenAI will allow their AIs to leak sensitive business data to the public, given the headaches such disclosures would cause them, he says.

Still, there aren’t many rules governing what AI developers can do with the data users provide them, some security experts note. Many more AI models will be rolled out in the coming years, Vecci says.

“When we get outside of the realm of OpenAI and Google, there are going to be other tools that pop up,” he says. “There are going to be AI tools out there that will do something interesting but are not controlled by OpenAI or Google, which presumably have much more incentive to be held accountable and treat data with care.”

The coming wave of second- and third-tier AI developers may be fronts for hacking groups, may see profit in selling confidential company information, or may lack the cybersecurity protections that the big players have, Vecci says.

“There’s some version of an LLM tool that’s similar to ChatGPT and is free and fast and controlled by who knows who,” he says. “Your employees are using it, and they’re forking over source code and financial statements, and that could be a much higher risk.”

Risky behavior

Sharing company or customer data with any unauthorized AI creates risk, regardless of whether the AI model trains on that data or shares it with other users, because that information now exists outside company walls, adds Pranava Adduri, CEO of Bedrock Security.

Adduri recommends organizations sign licensed deals, containing data use restrictions, with AI vendors so that employees can experiment with AI.

“The problem boils down to the inability to control,” he says. “If the data is getting shipped off to a system where you don’t have that direct control, usually the risk is managed through legal contracts and legal agreements.”

AvePoint, a cloud data management company, has signed an AI contract to head off the use of shadow AI, says Dana Simberkoff, chief risk, privacy, and information security officer at the company. AvePoint thoroughly reviewed the licensing terms, including the data use restrictions, before signing.

A major problem with shadow AI is that users don’t read the privacy policy or terms of use before shoveling company data into unauthorized tools, she says.

“Where that data goes, how it’s being stored, and what it may be used for in the future is still not very transparent,” she says. “What most everyday business users don’t necessarily understand is that these open AI technologies, the ones from a whole host of different companies that you can use in your browser, actually feed themselves off of the data that they’re ingesting.”

Training and security

AvePoint has tried to discourage employees from using unauthorized AI tools through a comprehensive education program, through strict access controls on sensitive data, and through other cybersecurity protections preventing the sharing of data. AvePoint has also created an AI acceptable use policy, Simberkoff says.

Employee education focuses on common employee practices like granting wide access to a sensitive document. Even if an employee only notifies three coworkers that they can review the document, allowing general access can enable an AI to ingest the data.

“AI solutions are like this voracious, hungry beast that will take in anything that they can,” she says.

Using AI, even officially licensed ones, means organizations need to have good data management practices in place, Simberkoff adds. An organization’s access controls need to limit employees from seeing sensitive information not necessary for them to do their jobs, she says, and longstanding security and privacy best practices still apply in the age of AI.

Rolling out an AI, with its constant ingestion of data, is a stress test of a company’s security and privacy plans, she says.

“This has become my mantra: AI is either the best friend or the worst enemy of a security or privacy officer,” she adds. “It really does drive home everything that has been a best practice for 20 years.”

Simberkoff has worked with several AvePoint customers that backed away from AI projects because they didn’t have basic controls such as an acceptable use policy in place.

“They didn’t understand the consequences of what they were doing until they actually had something bad happen,” she says. “If I were to give one really important piece of advice it’s that it’s okay to pause. There’s a lot of pressure on companies to deploy AI quickly.”



InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Artificial Intelligence for Cybersecurity, ChatGPT for Cybersecurity


Jun 03 2024

OpenAI, Meta, and TikTok Crack Down on Covert Influence Campaigns, Some AI-Powered

Category: AI | disc7 @ 11:13 am

https://thehackernews.com/2024/05/openai-meta-tiktok-disrupt-multiple-ai.html

OpenAI on Thursday disclosed that it took steps to cut off five covert influence operations (IO) originating from China, Iran, Israel, and Russia that sought to abuse its artificial intelligence (AI) tools to manipulate public discourse or political outcomes online while obscuring their true identity.

These activities, which were detected over the past three months, used its AI models to generate short comments and longer articles in a range of languages, cook up names and bios for social media accounts, conduct open-source research, debug simple code, and translate and proofread texts.

The AI research organization said two of the networks were linked to actors in Russia, including a previously undocumented operation codenamed Bad Grammar that primarily used at least a dozen Telegram accounts to target audiences in Ukraine, Moldova, the Baltic States and the United States (U.S.) with sloppy content in Russian and English.


“The network used our models and accounts on Telegram to set up a comment-spamming pipeline,” OpenAI said. “First, the operators used our models to debug code that was apparently designed to automate posting on Telegram. They then generated comments in Russian and English in reply to specific Telegram posts.”

The operators also used its models to generate comments under the guise of various fictitious personas belonging to different demographics from across both sides of the political spectrum in the U.S.

The other Russia-linked information operation corresponded to the prolific Doppelganger network (aka Recent Reliable News), which was sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) earlier this March for engaging in cyber influence operations.

The network is said to have used OpenAI’s models to generate comments in English, French, German, Italian, and Polish that were shared on X and 9GAG; translate and edit articles from Russian to English and French that were then posted on bogus websites maintained by the group; generate headlines; and convert news articles posted on its sites into Facebook posts.


“This activity targeted audiences in Europe and North America and focused on generating content for websites and social media,” OpenAI said. “The majority of the content that this campaign published online focused on the war in Ukraine. It portrayed Ukraine, the US, NATO and the EU in a negative light and Russia in a positive light.”


The other three activity clusters are listed below –

  • A Chinese-origin network known as Spamouflage that used its AI models to research public social media activity; generate texts in Chinese, English, Japanese, and Korean for posting across X, Medium, and Blogger; propagate content criticizing Chinese dissidents and abuses against Native Americans in the U.S.; and debug code for managing databases and websites
  • An Iranian operation known as the International Union of Virtual Media (IUVM) that used its AI models to generate and translate long-form articles, headlines, and website tags in English and French for subsequent publication on a website named iuvmpress[.]co
  • A network referred to as Zero Zeno emanating from a for-hire Israeli threat actor, a business intelligence firm called STOIC, that used its AI models to generate and disseminate anti-Hamas, anti-Qatar, pro-Israel, anti-BJP, and pro-Histadrut content across Instagram, Facebook, X, and its affiliated websites targeting users in Canada, the U.S., India, and Ghana.

“The [Zero Zeno] operation also used our models to create fictional personas and bios for social media based on certain variables such as age, gender and location, and to conduct research into people in Israel who commented publicly on the Histadrut trade union in Israel,” OpenAI said, adding its models refused to supply personal data in response to these prompts.

The ChatGPT maker emphasized in its first threat report on IO that none of these campaigns “meaningfully increased their audience engagement or reach” from exploiting its services.

The development comes as concerns are being raised that generative AI (GenAI) tools could make it easier for malicious actors to generate realistic text, images and even video content, making it challenging to spot and respond to misinformation and disinformation operations.

“So far, the situation is evolution, not revolution,” Ben Nimmo, principal investigator of intelligence and investigations at OpenAI, said. “That could change. It’s important to keep watching and keep sharing.”

Meta Highlights STOIC and Doppelganger

Separately, Meta, in its quarterly Adversarial Threat Report, also shared details of STOIC’s influence operations, saying it removed a mix of nearly 500 compromised and fake accounts on Facebook and Instagram used by the actor to target users in Canada and the U.S.

“This campaign demonstrated a relative discipline in maintaining OpSec, including by leveraging North American proxy infrastructure to anonymize its activity,” the social media giant said.

Meta further said it removed hundreds of accounts, comprising deceptive networks from Bangladesh, China, Croatia, Iran, and Russia, for engaging in coordinated inauthentic behavior (CIB) with the goal of influencing public opinion and pushing political narratives about topical events.

The China-linked malign network, for instance, mainly targeted the global Sikh community and consisted of several dozen Instagram and Facebook accounts, pages, and groups that were used to spread manipulated imagery and English and Hindi-language posts related to a non-existent pro-Sikh movement, the Khalistan separatist movement, and criticism of the Indian government.

It pointed out that it hasn’t so far detected any novel and sophisticated use of GenAI-driven tactics, with the company highlighting instances of AI-generated video news readers that were previously documented by Graphika and GNET, indicating that despite the largely ineffective nature of these campaigns, threat actors are actively experimenting with the technology.

Doppelganger, Meta said, has continued its “smash-and-grab” efforts, albeit with a major shift in tactics in response to public reporting, including the use of text obfuscation to evade detection (e.g., using “U. kr. ai. n. e” instead of “Ukraine”) and dropping its practice of linking to typosquatted domains masquerading as news media outlets since April.

“The campaign is supported by a network with two categories of news websites: typosquatted legitimate media outlets and organizations, and independent news websites,” Sekoia said in a report about the pro-Russian adversarial network published last week.

“Disinformation articles are published on these websites and then disseminated and amplified via inauthentic social media accounts on several platforms, especially video-hosting ones like Instagram, TikTok, Cameo, and YouTube.”

These social media profiles, created in large numbers and in waves, leverage paid ads campaigns on Facebook and Instagram to direct users to propaganda websites. The Facebook accounts are also called burner accounts owing to the fact that they are used to share only one article and are subsequently abandoned.

The French cybersecurity firm described the industrial-scale campaigns – which are geared towards both Ukraine’s allies and Russian-speaking domestic audiences on the Kremlin’s behalf – as multi-layered, leveraging the social botnet to initiate a redirection chain that passes through two intermediate websites in order to lead users to the final page.

Doppelganger, along with another coordinated pro-Russian propaganda network designated as Portal Kombat, has also been observed amplifying content from a nascent influence network dubbed CopyCop, demonstrating a concerted effort to promulgate narratives that project Russia in a favorable light.

Recorded Future, in a report released this month, said CopyCop is likely operated from Russia, taking advantage of inauthentic media outlets in the U.S., the U.K., and France to promote narratives that undermine Western domestic and foreign policy, and spread content pertaining to the ongoing Russo-Ukrainian war and the Israel-Hamas conflict.

“CopyCop extensively used generative AI to plagiarize and modify content from legitimate media sources to tailor political messages with specific biases,” the company said. “This included content critical of Western policies and supportive of Russian perspectives on international issues like the Ukraine conflict and the Israel-Hamas tensions.”

TikTok Disrupts Covert Influence Operations

Earlier in May, ByteDance-owned TikTok said it had uncovered and stamped out several such networks on its platform since the start of the year, including ones that it traced back to Bangladesh, China, Ecuador, Germany, Guatemala, Indonesia, Iran, Iraq, Serbia, Ukraine, and Venezuela.

TikTok, which is currently facing scrutiny in the U.S. following the passage of a law that would force the Chinese company to sell the company or face a ban in the country, has become an increasingly preferred platform of choice for Russian state-affiliated accounts in 2024, according to a new report from the Brookings Institution.

What’s more, the social video hosting service has emerged as a breeding ground for what has been characterized as a complex influence campaign known as Emerald Divide (aka Storm-1364) that is believed to be orchestrated by Iran-aligned actors since 2021 targeting Israeli society.


“Emerald Divide is noted for its dynamic approach, swiftly adapting its influence narratives to Israel’s evolving political landscape,” Recorded Future said.

“It leverages modern digital tools such as AI-generated deepfakes and a network of strategically operated social media accounts, which target diverse and often opposing audiences, effectively stoking societal divisions and encouraging physical actions such as protests and the spreading of anti-government messages.”


Tags: and TikTok, Covert Influence Campaigns, Meta, OpenAI


Jun 01 2024

6 Expert Tips for Your 2024 Security and Compliance Management Planning

Category: Security Compliance | disc7 @ 2:22 pm

Follow these six expert tips to achieve successful security and compliance management planning.

1. Identify the assets you want to protect

Maintaining a list of assets, their business criticality, and who/where they are is the first step to establishing control over your environment. To do this, start with these steps:

  • Identify the systems, data, and people assets that you need to protect.
  • Identify the threats to those assets, and prioritize them.
  • Identify what you want to do to protect your priority assets from their most significant threats. 

2. Identify the activities you need to complete 

It is important to establish a list of security activities and the cadence on which they will need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need to be done quarterly or even monthly. For example, you may only need to do an annual penetration test, but how often do you need to perform internal vulnerability scans? Establishing the list of compliance management activities you need to complete and when they need to be completed will be a great starting point for your 2024 compliance program.

DISC llc provides you with a full list of Information Security activities (GRC) required to achieve a successful data security program. This list includes activities such as:

  • Review policies and procedures (including Acceptable Use Policy)
  • Complete a risk assessment – this should be done annually
  • Review security training – to ensure new employees, as well as current employees, are up to date on all their training
  • Test and update your Business Continuity Plan – this should be done on an annual basis to account for any new situations that may occur
  • Review regulatory and legal compliance requirements – especially important for organizations that need to consider regulations such as ISO 27001:2022, SOC2, GDPR, CPRA, etc.
  • Conduct an inventory of your data assets – data assets change over the year so it is important this document is updated regularly.

3. Assign the right people and resources (RACI Matrix)

It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.

4. Schedule all your meetings and tasks for the year (Audit/Assessment planning)

It might seem a little early to schedule a meeting in July but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.

5. Document, document, document (Document Management System)

If it is not documented, then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice. Make sure all the required policies are approved and reviewed on a regular basis.

6. Plan ahead to future-proof your security program

Identify the frameworks you may want to tackle down the road and use a helpful platform that will crosswalk to get it done. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs. DISC llc performs Security Risk Assessments based on diverse standards and regulations, aligning them with the standard of your preference.

To learn more about compliance management, you should seek expert advice from serious security professionals like the DISC Professional Services team.


Tags: Compliance Program


May 31 2024

Hackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Category: Cyberweapon, Malware | disc7 @ 9:36 am

Attackers in South Korea are distributing malware, including RATs and crypto miners, disguised as cracked software. The malware registers itself with the Task Scheduler to ensure persistence.

Even after the initial malware is removed, the Task Scheduler triggers PowerShell commands that download and install new variants. The infection persists because the PowerShell commands keep changing, leaving unpatched systems vulnerable to information theft, proxy abuse, and cryptocurrency mining.

[Figure: Attack flow]

Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.  

Cybercriminals are distributing malware disguised as cracked software. The malware, developed in .NET, uses obfuscation to hide its malicious code. Early versions accessed Telegram to retrieve a download URL.

Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.

The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains. 

[Figure: Commands encoded in Base64]

The updater malware, “software_reporter_tool.exe,” uses a PowerShell script to download payloads and maintain persistence. The script creates a malicious executable at “C:\ProgramData\KB5026372.exe” and uses a compromised 7zip installation (“C:\ProgramData\Google\7z.exe”) to decompress a password-protected archive (password: “x”) from GitHub or Google Drive, mirroring tactics from a previous campaign.

[Figure: Malware installation using 7z and PowerShell]

Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation. 

The attackers deployed Orcus RAT and XMRig on the compromised system.

Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency. 

[Figure: 3Proxy’s configuration file]

XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process. 

[Figure: A Korean security program unable to operate properly due to the AntiAV malware]

According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.  

Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal. 
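Added example (not from ASEC or the article): a small Python hunt over constructed event records for the persistence artifacts described above, namely a scheduled task that launches PowerShell with a Base64-encoded command, a KB-named executable under C:\ProgramData, and a 7z.exe outside Program Files extracting with a password. The event field names, the task names, the assumption that the task passes its script via -EncodedCommand, and the generalization from the single KB5026372.exe path to any KB-numbered file name are assumptions.

```python
import base64
import re
from pathlib import PureWindowsPath


def ps_encode(script: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry. "kind" separates scheduled-task
# registrations from process creations; the field names are hypothetical stand-ins
# for whatever your EDR or Sysmon export provides.
SAMPLE_EVENTS = [
    {"kind": "task", "name": "ExampleUpdaterTask",
     "command": "powershell.exe -NoProfile -WindowStyle Hidden -enc "
                + ps_encode("Write-Output 'constructed placeholder payload'")},
    {"kind": "process", "image": r"C:\ProgramData\KB5026372.exe",
     "command": r"C:\ProgramData\KB5026372.exe"},
    {"kind": "process", "image": r"C:\ProgramData\Google\7z.exe",
     "command": r"C:\ProgramData\Google\7z.exe x C:\ProgramData\example.7z -px -oC:\ProgramData\out"},
    {"kind": "process", "image": r"C:\Program Files\7-Zip\7z.exe",
     "command": r'"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\Users\demo\Documents'},
    {"kind": "task", "name": "NightlyBackup", "command": r"C:\Scripts\backup.cmd"},
]

# A switch followed by a long Base64-looking argument.
PS_ARG = re.compile(r"(?<=\s)[-/]([a-z]+)\s+([A-Za-z0-9+/]{16,}={0,2})(?=\s|$)", re.I)
# File names imitating a Windows update package, e.g. KB5026372.exe.
KB_EXE = re.compile(r"^KB\d{6,8}\.exe$", re.I)


def decode_powershell_blob(command: str):
    """Return the decoded script if a PowerShell command line carries -EncodedCommand, else None."""
    lowered = command.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    for flag, blob in PS_ARG.findall(command):
        flag = flag.lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # covers bad Base64 and bad UTF-16
                return "<undecodable Base64>"
    return None


def is_fake_kb_binary(image: str) -> bool:
    """True for a KB-numbered .exe anywhere under a ProgramData directory."""
    path = PureWindowsPath(image)
    under_programdata = "programdata" in (part.lower() for part in path.parts)
    return under_programdata and bool(KB_EXE.match(path.name))


def is_staged_7z_extract(image: str, command: str) -> bool:
    """True for 7z running outside Program Files with a -p<password> switch."""
    path = PureWindowsPath(image)
    if path.name.lower() not in ("7z.exe", "7za.exe"):
        return False
    trusted = any(part.lower() in ("program files", "program files (x86)")
                  for part in path.parts)
    has_password = re.search(r"\s-p\S+", command, re.I) is not None
    return not trusted and has_password


def hunt(events):
    """Return (rule, subject, detail) tuples for every event that matches a rule."""
    findings = []
    for event in events:
        command = event.get("command", "")
        if event["kind"] == "task":
            decoded = decode_powershell_blob(command)
            if decoded is not None:
                findings.append(("task-encoded-powershell", event["name"], decoded))
        elif event["kind"] == "process":
            if is_fake_kb_binary(event["image"]):
                findings.append(("kb-named-exe-in-programdata", event["image"], ""))
            if is_staged_7z_extract(event["image"], command):
                findings.append(("7z-password-extract-outside-program-files",
                                 event["image"], command))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {subject} {detail}")
```

Because the article notes that removing the dropped files is not enough, a task hit should be treated as the item to remediate first: delete the scheduled task before cleaning up the binaries it would otherwise re-download.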


Tags: Weaponizing MS Office


May 30 2024

Meta says it removed six influence campaigns including those from Israel and China

https://www.theverge.com/2024/5/29/24167164/meta-covert-influence-campaigns-ai-china-israel

Some inauthentic networks used artificial intelligence in their campaigns to push certain political agendas, according to Meta.

Meta says it cracked down on propaganda campaigns on its platforms, including one that used AI to influence political discourse and create the illusion of wider support for certain viewpoints, according to its quarterly threat report published today. Some campaigns pushed political narratives about current events, including campaigns coming from Israel and Iran that posted in support of the Israeli government.

The networks used Facebook and Instagram accounts to try to influence political agendas around the world. The campaigns — some of which also originated in Bangladesh, China, and Croatia — used fake accounts to post in support of political movements, promote fake news outlets, or comment on the posts of legitimate news organizations.

A network originating in China, for example, consisted of several dozen Instagram and Facebook accounts, pages, and groups and was used to target global Sikh communities, Meta says. Another campaign traced to Israel used more than 500 Facebook and Instagram accounts to pose as local Jewish students, African Americans, and “concerned” citizens praising Israeli military actions and discussing campus antisemitism, among other types of content.

Some of the content shared by those two networks was likely created using generative AI tools, Meta writes. Accounts in the China-based campaign shared AI-generated images, and the Israeli campaign posted AI-generated comments, Meta found. The report says that, for now, AI-powered influence campaigns are not sophisticated enough to evade existing systems of detection.

Influence campaigns are regularly discovered on social media platforms. Earlier in May, TikTok said it had uncovered and disrupted a dozen such networks on its platform, including one that it traced to China.


Tags: China-based campaign, Fake Political News, israel propaganda campaign


May 29 2024

Microsoft: ‘Moonstone Sleet’ APT Melds Espionage, Financial Goals

Category: APT, Cyber Espionage, TTP, Cyber-Espionage | disc7 @ 3:59 pm

https://www.darkreading.com/threat-intelligence/microsoft-moonlight-sleet-apt-melds-espionage-financial-goals

North Korea’s newest threat actor uses every trick in the nation-state APT playbook, and most of cybercrime’s tricks, too. It also developed a whole video game company to hide malware.

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.

In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) Diamond Sleet. The former copped from the latter’s malware — like the Comebacker Trojan — as well as its infrastructure and preferred techniques — such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, though, moving to its own infrastructure and establishing for itself a unique, if rather erratic identity.

For one thing, where some of Kim Jong-Un’s threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.

“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.”

Moonstone Sleet’s Grab Bag of TTPs

To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”

To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.

From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and social media accounts to go along with it all, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complimented its victims and offered to collaborate on upcoming projects.

In other cases, the group used another fake company — C.C. Waterfall — to spread an especially creative ruse.

In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” — also called DeFiTankWar, DeTankZone, or TankWarsZone — is marketed as a community-driven, play-to-earn tank combat game. It has its own websites, and X accounts for fake personas used to promote it.

Remarkably, DeTankWar is a fully functional (if atavistic) video game. When users launch it, though, they also download malicious DLLs with a custom loader called “YouieLoad.” YouieLoad loads malicious payloads into memory and creates services that probe victim machines, collect data, and allow its owners to perform extra hands-on command execution.

Whack-a-Mole Cyber Defense

Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also try to get hired for remote tech jobs with real companies. It spreads malicious npm packages on LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars worth of Bitcoin.

In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.

“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity — one that balances technical defenses with strategic intelligence and continuous vigilance.”


Tags: APT, Cyber-Espionage, Moonstone Sleet


May 28 2024

HACKERS’ GUIDE TO ROGUE VM DEPLOYMENT: LESSONS FROM THE MITRE HACK

Category: Attack Matrix | disc7 @ 9:22 am

THE ATTACK: A DETAILED EXAMINATION

The cyber intrusion into MITRE’s environment was a meticulously planned and executed operation, highlighting the attackers’ advanced technical capabilities and understanding of virtualized environments. The attackers exploited specific vulnerabilities in Ivanti Connect Secure (ICS), identified as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities allowed unauthorized access to the VMware infrastructure, providing the attackers with a foothold within the network.

Initial Penetration and Exploitation: The attackers began by identifying and exploiting weaknesses in the Ivanti Connect Secure (ICS) infrastructure. The vulnerabilities in question were zero-days, meaning they were unknown to the vendor and had no existing patches or mitigations at the time of the attack. By exploiting these vulnerabilities, the attackers could bypass authentication mechanisms and gain administrative access to the virtualized environment.

Deployment of Rogue Virtual Machines (VMs): Once inside the network, the attackers created and deployed rogue VMs. These VMs were crafted to mimic legitimate virtual machines, allowing them to blend into the existing infrastructure and evade detection. The deployment of rogue VMs served multiple purposes:

  • Persistence: Rogue VMs provided a stable and resilient presence within the network, ensuring that the attackers could maintain access over an extended period.
  • Evasion: By operating within the virtualized environment, the rogue VMs could bypass traditional security measures that focus on physical or network-based threats.
  • Expansion: The rogue VMs acted as a base for further malicious activities, including data exfiltration, lateral movement within the network, and the deployment of additional malware.

Command and Control (C2) Operations: The attackers established robust C2 channels to maintain control over the rogue VMs. These channels allowed the attackers to issue commands, receive data, and monitor the status of their malicious operations. The C2 infrastructure was designed to be resilient, utilizing techniques such as encryption and redundancy to avoid detection and disruption.

TECHNICAL DEEP DIVE: UNDERSTANDING THE ATTACK

To fully appreciate the sophistication of the attack, it is essential to delve into the technical aspects of the methodologies employed by the attackers.

  1. Vulnerability Exploitation:
    • The vulnerabilities exploited, CVE-2023-46805 and CVE-2024-21887, were critical flaws within the Ivanti Connect Secure (ICS) software. These flaws allowed the attackers to execute arbitrary code and gain administrative privileges within the virtualized environment.
    • The attackers used a combination of social engineering, phishing, and advanced scanning techniques to identify vulnerable systems. Once identified, they deployed custom exploit scripts to gain access.
  2. Rogue VM Deployment:
    • The deployment process involved creating VMs that were virtually identical to legitimate ones, making detection difficult. The attackers leveraged existing VM templates and modified them to include their malicious payloads.
    • These rogue VMs were configured to operate with minimal resource usage, further reducing the likelihood of detection through performance monitoring.
    • Rogue VMs are created and managed through service accounts directly on the hypervisor, rather than through the vCenter administrative console. As a result, these VMs do not appear in the inventory.
    • The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.
    • By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.
  3. Persistence Mechanisms:
    • To ensure persistence, the attackers implemented several techniques within the rogue VMs. These included installing rootkits and other low-level malware that could survive reboots and updates.
    • The attackers also manipulated the VM management tools to hide the presence of the rogue VMs from administrators.
  4. Evasion Tactics:
    • The attackers employed various evasion tactics to avoid detection by security tools. These included using encrypted communication channels, obfuscating malicious code, and leveraging legitimate administrative tools to carry out their activities.
    • They also frequently rotated their command and control servers to avoid being blacklisted or shut down.

IMPLICATIONS FOR CYBERSECURITY

The MITRE cyber intrusion serves as a stark reminder of the evolving tactics used by cybercriminals and the vulnerabilities inherent in virtualized environments. This incident highlights several critical areas for improvement in cybersecurity practices:

Enhanced Vulnerability Management: Organizations must adopt rigorous vulnerability management practices to identify and remediate vulnerabilities promptly. This includes regular patching, conducting vulnerability assessments, and staying informed about emerging threats.

Advanced Detection Mechanisms: Traditional security measures are often inadequate in virtualized environments. Organizations need to implement advanced detection mechanisms that can identify anomalous activities within virtualized infrastructures. This includes behavior-based monitoring, anomaly detection, and machine learning algorithms to identify suspicious activities.

Comprehensive Security Training: Human factors remain a significant vulnerability in cybersecurity. Comprehensive training programs for employees can help reduce the risk of social engineering and phishing attacks, which are often the initial vectors for intrusions.

Robust Incident Response Plans: Having a well-defined incident response plan is crucial for mitigating the impact of cyber intrusions. This plan should include procedures for identifying, containing, and eradicating threats, as well as recovery strategies to restore normal operations.

DETECTING ADVERSARY ACTIVITY IN VMWARE ECOSYSTEM

In VMware’s environment, spotting adversary activity demands meticulous scrutiny. For instance, adversaries might enable SSH on hypervisors and log in by routing traffic through the vCenter Server. This technique underscores the importance of monitoring SSH activity for signs of unauthorized access.

WHAT TO LOOK FOR:
  1. Anomalous SSH Enablement: Keep a close watch for unexpected occurrences of “SSH login enabled” messages. Any activation of SSH outside the normal administrative cycle could indicate malicious activity.
  2. Unusual SSH Sessions: Monitor for deviations from the expected pattern of SSH sessions being opened. Look out for instances where “SSH session was opened for” messages occur unexpectedly or at unusual times.
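
The two checks above, run over log text, as an added example (not code from the article or from MITRE). The log line layout, the approved change window, and the vCenter address 10.0.5.10 are assumptions, and the sample lines are constructed; sessions sourced from the vCenter Server are flagged because the article describes logins routed through it.

```python
import re
from datetime import datetime, time

# The two message fragments quoted in the article.
SSH_ENABLED = "SSH login enabled"
SSH_SESSION = "SSH session was opened for"

# Constructed sample lines. The "<timestamp> <host> <message>" layout and the
# quoted 'user@address' suffix are assumptions; adapt LINE_RE to your pipeline.
SAMPLE_LOG = """\
2024-03-04T14:02:11Z esx-lab-01 SSH login enabled
2024-03-04T14:03:40Z esx-lab-01 SSH session was opened for 'root@10.0.5.20'
2024-03-05T02:17:05Z esx-lab-02 SSH login enabled
2024-03-05T02:17:58Z esx-lab-02 SSH session was opened for 'root@10.0.5.10'
not a log line
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.+)$")
SOURCE_RE = re.compile(r"@(?P<addr>[0-9A-Fa-f.:]+)")


def in_change_window(ts, windows):
    """True if the event time falls inside any approved (start, end) window."""
    return any(start <= ts.time() < end for start, end in windows)


def find_ssh_anomalies(log_text, windows, vcenter_addr):
    """Return (timestamp, host, event, reasons) for SSH events worth review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if SSH_ENABLED in msg:
            event = "ssh-enabled"
        elif SSH_SESSION in msg:
            event = "ssh-session"
        else:
            continue
        reasons = []
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            if not in_change_window(ts, windows):
                reasons.append("outside approved change window")
        except ValueError:
            # Surface the event instead of silently dropping it.
            reasons.append("timestamp could not be parsed")
        src = SOURCE_RE.search(msg) if event == "ssh-session" else None
        if src and src["addr"] == vcenter_addr:
            reasons.append("session sourced from vCenter Server")
        if reasons:
            findings.append((m["ts"], m["host"], event, reasons))
    return findings


if __name__ == "__main__":
    windows = [(time(13, 0), time(17, 0))]  # hypothetical change window, UTC
    for finding in find_ssh_anomalies(SAMPLE_LOG, windows, "10.0.5.10"):
        print(finding)
```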

NOTABLE ATT&CK TECHNIQUES: DEPLOYING ROGUE VMS

Moving forward to January 7, 2024, the adversary accessed VMs and deployed malicious payloads, the BRICKSTORM backdoor and the BEEFLUSH web shell. The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives.

The adversary bypassed detection mechanisms by deploying rogue VMs, as VPXUSER, directly onto hypervisors, using SFTP to write files and then executing them with /bin/vmx. As a result, these rogue VMs were not discoverable via vCenter, the ESXi web interface, or even some on-hypervisor command-line utilities that query the API.

These rogue VMs contained the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets within the prototyping network.

LEVERAGING THE VPXUSER ACCOUNT

Adversaries can often leverage the VPXUSER account to perform various administrative tasks, such as enumerating VMs, accessing configuration settings, and interacting with the underlying hypervisor infrastructure. Additionally, adversaries may deploy rogue VMs directly onto hypervisors to evade detection mechanisms and maintain persistence within the environment. Rogue VMs, which are created and operated without proper authorization and management by the hypervisor, provide adversaries with a stealthy foothold for conducting malicious activities. These VMs can bypass visibility controls within VMware management interfaces, making them difficult to detect and mitigate.

DETECTING ROGUE VMS

Safeguarding against rogue VMs and any ensuing persistence demands a vigilant approach. Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs. This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.

WHAT TO LOOK FOR:
  1. Command-Line Usage: Utilize the following commands on an ESXi hypervisor to identify unregistered VMs:
    • vim-cmd vmsvc/getallvms
    • esxcli vm process list | grep Display
  2. Comparison of VM Lists: Compare the output of vim-cmd, which checks for VMs via the API, with the list of running VMs from esxcli, which queries the host hypervisor directly. Differences between the two lists indicate a potential problem. A VM that is running on the hypervisor but does not appear in the registered VM data returned by the API warrants further investigation as a possible unregistered/rogue VM.

DETECTING VMWARE PERSISTENCE

To address the persistence of these rogue VMs, it is crucial to scrutinize the hypervisor’s startup scripts.

WHAT TO LOOK FOR:
  1. Persistence Mechanism: Monitor for modification of the legitimate /etc/rc.local.d/local.sh file to include the following line:
    • /bin/vmx -x /vmfs/volumes/<REDACTED_VOLUME>/<REDACTED_VM_NAME>/<REDACTED_VM_NAME>.vmx 2>/dev/null 0>/dev/null &
  2. Persistence Identification: Search for invocations of the /bin/vmx binary within /etc/rc.local.d/ or more specifically by manually reviewing the local.sh startup script with the following commands:
    • grep -r \/bin\/vmx /etc/rc.local.d/
    • cat /etc/rc.local.d/local.sh
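
The list comparison from "Detecting Rogue VMs" and the startup-script check above, combined into one triage pass over saved command output. This is an added example, not code from the article or from MITRE; the sample outputs are constructed, VOLUME-PLACEHOLDER stands in for the redacted volume, and the function names are hypothetical.

```python
import re

# Constructed sample of `vim-cmd vmsvc/getallvms` (VMs registered via the API).
GETALLVMS = """\
Vmid   Name        File                                   Guest OS                Version
1      build-01    [datastore1] build-01/build-01.vmx     ubuntu64Guest           vmx-19
4      jump host   [datastore1] jump host/jump host.vmx   windows2019srv_64Guest  vmx-19
"""

# Constructed sample of `esxcli vm process list` (VMs the hypervisor is running).
PROCESS_LIST = """\
build-01
   World ID: 2101234
   Display Name: build-01
   Config File: /vmfs/volumes/VOLUME-PLACEHOLDER/build-01/build-01.vmx

jump host
   World ID: 2101301
   Display Name: jump host
   Config File: /vmfs/volumes/VOLUME-PLACEHOLDER/jump host/jump host.vmx

svc-cache
   World ID: 2104410
   Display Name: svc-cache
   Config File: /vmfs/volumes/VOLUME-PLACEHOLDER/svc-cache/svc-cache.vmx
"""

# Constructed /etc/rc.local.d/local.sh with the kind of line the article shows.
LOCAL_SH = """\
#!/bin/sh
# local configuration options
/bin/vmx -x /vmfs/volumes/VOLUME-PLACEHOLDER/svc-cache/svc-cache.vmx 2>/dev/null 0>/dev/null &
exit 0
"""


def registered_names(getallvms_text):
    """Names of VMs the API knows about (data rows start with a numeric Vmid)."""
    names = set()
    for line in getallvms_text.splitlines():
        # The name runs from after the Vmid up to the "[datastore]" column.
        m = re.match(r"\s*\d+\s+(.+?)\s+\[", line)
        if m:
            names.add(m.group(1))
    return names


def running_vms(process_list_text):
    """Map display name -> config file for every running VM process."""
    vms, current = {}, None
    for line in process_list_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key == "Display Name":
            current = value.strip()
            vms[current] = None
        elif key == "Config File" and current is not None:
            vms[current] = value.strip()
    return vms


def vmx_autostart_targets(script_text):
    """(line number, .vmx path or None) for each /bin/vmx call in a script."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments and the shebang
        if not re.search(r"(^|[\s;&|])/bin/vmx(\s|$)", code):
            continue
        target = re.search(r"\s-x\s+(\S+)", code)
        hits.append((lineno, target.group(1) if target else None))
    return hits


def triage(getallvms_text, process_list_text, local_sh_text):
    """Running-but-unregistered VMs, marked if a startup script relaunches them."""
    registered = registered_names(getallvms_text)
    started = {path for _, path in vmx_autostart_targets(local_sh_text)}
    return [
        {"name": name, "config": cfg,
         "autostart": cfg is not None and cfg in started}
        for name, cfg in sorted(running_vms(process_list_text).items())
        if name not in registered
    ]


if __name__ == "__main__":
    for vm in triage(GETALLVMS, PROCESS_LIST, LOCAL_SH):
        print(vm)
```

Matching is by display name, as in the article's grep for "Display"; a .vmx path containing spaces is still reported as unregistered but will not be correlated with the startup script.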

The infiltration of MITRE’s network through VMware vulnerabilities underscores the need for heightened vigilance and advanced security measures in virtualized environments. As attackers continue to refine their techniques, organizations must evolve their defenses to protect against these sophisticated threats. By adopting comprehensive security practices, staying informed about emerging vulnerabilities, and fostering a culture of cybersecurity awareness, organizations can better defend against future intrusions.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security


Tags: MITRE ATT&CK, MITRE Att&CK Framework


May 24 2024

How the FBI built its own smartphone company to hack the criminal underworld

Category: Cyber Spy, Smart Phone, Spyware | disc7 @ 9:07 am
https://www.theverge.com/2024/5/23/24163389/joseph-cox-dark-wire-fbi-phone-startup-anom-criminals-secure-messaging-decoder-interview

Cybersecurity journalist Joseph Cox, author of the new book Dark Wire, tells us the wild, true story behind secure phone startup Anom.

On today’s episode of Decoder, I sat down with Joseph Cox, one of the best cybersecurity reporters around. Joseph spent a long time working at Vice’s tech vertical Motherboard, but last year, after Vice imploded, he and three other journalists co-founded a new site, called 404 Media, where they’re doing some really great work.

Somehow, on top of all that, Joseph also found time to write a new book coming out in June called Dark Wire: The Incredible True Story of the Largest Sting Operation Ever, and I can’t recommend it enough. It’s basically a caper, but with the FBI running a phone network. For real.

Criminals like drug traffickers represent a market for encrypted, secure communications away from the eyes of law enforcement. In the early mobile era, that gave rise to a niche industry of specialized, secured phones criminals used to conduct their business.

Joseph’s done a ton of reporting on this over the years, and the book ends up telling a truly extraordinary story: After breaking into a few of these encrypted smartphone companies, the FBI ended up running one of these secure phone services itself so it could spy on criminals around the world. And that means the FBI had to actually run a company, with all the problems of any other tech startup: cloud services, manufacturing and shipping issues, customer service, expansion, and scale. 

The company was called Anom, and for about three years, it gave law enforcement agencies around the world a crystal-clear window into the criminal underworld. In the end, the feds shut it down in large part because it was too successful — again, a truly wild story. Now, with the rise of apps like Signal, most criminals no longer need specialized hardware, but that, of course, raises a whole new set of issues. 

The book is a great read, but it also touches on a lot of things we talk about a lot here on Decoder. There really are bad people out there using tech to help them do bad things, but the same tools that keep their communications private help give everyone else their privacy, too — whistleblowers, dissenters, ordinary people like you and me.

There’s a deep tension between privacy and security that constantly runs through tech, and you’ll hear us really dig into the way tech companies and governments are forever going back and forth on it. There’s a lot here, and it’s a fun one.

Spy in our Pocket


Tags: criminal underworld


May 23 2024

Spyware App Found Running on Multiple US Hotel Check-In Computers

Category: Cyber Spy, Spyware | disc7 @ 7:12 am

A consumer-grade spyware app named pcTattletale has been discovered running on the check-in systems of at least three Wyndham hotels across the United States.

This alarming discovery was made by TechCrunch, which reported that the app stealthily captured screenshots of hotel booking systems, exposing sensitive guest details and customer information.

Due to a security flaw in the spyware, these screenshots were accessible to anyone on the internet, not just the intended users of the spyware.

Sensitive Guest Information Exposed

The spyware, pcTattletale, allows remote viewing of the target’s Android or Windows device and its data from anywhere in the world.

The app runs invisibly in the background, making it undetectable to the user.

However, a significant bug in the app means that anyone who understands the security flaw can download the screenshots directly from pcTattletale’s servers.

Security researcher Eric Daigle, who discovered the compromised hotel check-in systems, attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed.

Screenshots from two Wyndham hotels revealed the names and reservation details of guests on a web portal provided by travel tech giant Sabre.

Additionally, the screenshots displayed guests’ partial payment card numbers.

Another screenshot showed access to a third Wyndham hotel’s check-in system, logged into Booking.com’s administration portal used to manage guest reservations.

Hotel And Corporate Responses

The discovery has raised serious concerns about the security measures in place at these hotels.

The manager of one affected hotel expressed surprise, stating they were unaware that the spyware was taking screenshots of their check-in computer.

The managers of the other two hotels did not respond to TechCrunch’s calls or emails.

Wyndham spokesperson Rob Myers clarified that Wyndham is a franchise organization, meaning all its U.S. hotels are independently owned and operated.

However, Wyndham did not confirm whether it was aware of pcTattletale’s use on the front-desk computers of its branded hotels or if such use was approved by Wyndham’s policies.

Booking.com, whose administration portal was accessed by the spyware, stated that its systems were not compromised.

Angela Cavis, a spokesperson for Booking.com, highlighted that this incident seemed to be an example of how cybercriminals target hotel systems through sophisticated phishing tactics.

These tactics often lead to unauthorized access to hotel accounts and attempts to impersonate the hotel or Booking.com to request customer payments.

This incident is the latest example of consumer-grade spyware exposing sensitive information due to security flaws. pcTattletale, marketed for child and employee monitoring, has also been promoted for use against spouses suspected of infidelity.

The app requires physical access to the target’s device for installation and offers a service to help customers install the spyware on the target’s computer.

Despite the serious implications of this security breach, Bryan Fleming, the founder of pcTattletale, did not respond to TechCrunch’s request for comment.

The exposure of sensitive guest information at these hotels underscores the urgent need for more robust cybersecurity measures and regulatory oversight to protect personal data from unauthorized access and misuse.

As investigations continue, the hospitality industry must reassess its security protocols to prevent such breaches in the future.

Spy in our Pocket


Tags: Spyware App


May 20 2024

HOW TO IMPLEMENT PRINCIPLE OF LEAST PRIVILEGE (CLOUD SECURITY) IN AWS, AZURE, AND GCP CLOUD

Category: Least Privilege | disc7 @ 10:19 am

The Principle of Least Privilege (PoLP) is a foundational concept in cybersecurity, aimed at minimizing the risk of security breaches. By granting users and applications the minimum levels of access (or permissions) needed to perform their tasks, organizations can significantly reduce their attack surface. In the context of cloud computing, implementing PoLP is critical. This article explores how to enforce PoLP for cloud security in the three major cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

AWS (AMAZON WEB SERVICES)

1. Identity and Access Management (IAM)

AWS IAM is the core service for managing permissions. To implement PoLP:

  • Create Fine-Grained Policies: Define granular IAM policies that specify exact actions allowed on specific resources. Use JSON policy documents to customize permissions precisely.
  • Use IAM Roles: Instead of assigning permissions directly to users, create roles with specific permissions and assign these roles to users or services. This reduces the risk of over-permissioning.
  • Adopt IAM Groups: Group users with similar access requirements together. Assign permissions to groups instead of individual users to simplify management.
  • Enable Multi-Factor Authentication (MFA): Require MFA for all users, especially those with elevated privileges, to add an extra layer of security.

2. AWS Organizations and Service Control Policies (SCPs)

  • Centralized Management: Use AWS Organizations to manage multiple AWS accounts. Implement SCPs at the organizational unit (OU) level to enforce PoLP across accounts.
  • Restrict Root Account Usage: Ensure the root account is used sparingly and secure it with strong MFA.

3. AWS Resource Access Manager (RAM)

  • Share Resources Securely: Use RAM to share AWS resources securely across accounts without creating redundant copies, adhering to PoLP.

AZURE (MICROSOFT AZURE)

1. Azure Role-Based Access Control (RBAC)

Azure RBAC enables fine-grained access management:

  • Define Custom Roles: Create custom roles tailored to specific job functions, limiting permissions to only what is necessary.
  • Use Built-in Roles: Start with built-in roles which already follow PoLP principles for common scenarios, then customize as needed.
  • Assign Roles at Appropriate Scope: Assign roles at the narrowest scope possible (management group, subscription, resource group, or resource).

2. Azure Active Directory (Azure AD)

  • Conditional Access Policies: Implement conditional access policies to enforce MFA and restrict access based on conditions like user location or device compliance.
  • Privileged Identity Management (PIM): Use PIM to manage, control, and monitor access to important resources within Azure AD, providing just-in-time privileged access.

3. Azure Policy

  • Policy Definitions: Create and assign policies to enforce organizational standards and PoLP. For example, a policy to restrict VM sizes to specific configurations.
  • Initiative Definitions: Group multiple policies into initiatives to ensure comprehensive compliance across resources.

GCP (GOOGLE CLOUD PLATFORM)

1. Identity and Access Management (IAM)

GCP IAM allows for detailed access control:

  • Custom Roles: Define custom roles to grant only the necessary permissions.
  • Predefined Roles: Use predefined roles which provide granular access and adhere to PoLP.
  • Least Privilege Principle in Service Accounts: Create and use service accounts with specific roles instead of using default or highly privileged accounts.

2. Resource Hierarchy

  • Organization Policies: Use organization policies to enforce constraints on resources across the organization, such as restricting who can create certain resources.
  • Folder and Project Levels: Apply IAM policies at the folder or project level to ensure permissions are inherited appropriately and follow PoLP.

3. Cloud Identity

  • Conditional Access: Implement conditional access using Cloud Identity to enforce MFA and restrict access based on user and device attributes.
  • Context-Aware Access: Use context-aware access to allow access to apps and resources based on a user’s identity and the context of their request.

IMPLEMENTING PRINCIPLE OF LEAST PRIVILEGE IN AWS, AZURE, AND GCP

For a Cloud Security Analyst, enforcing the Principle of Least Privilege (PoLP) is critical to minimizing security risks. This comprehensive guide provides detailed steps to implement PoLP in AWS, Azure, and GCP.


AWS

STEP 1: REVIEW IAM POLICIES AND ROLES

  1. Access the IAM Console:
    • Navigate to the AWS IAM Console.
    • Review existing policies under the “Policies” section.
    • Look for policies with wildcards (*), which grant broad permissions, and replace them with more specific permissions.
  2. Audit IAM Roles:
    • In the IAM Console, go to “Roles.”
    • Check each role’s attached policies. Ensure that each role has the minimum required permissions.
    • Remove or update roles that are overly permissive.

STEP 2: USE IAM ACCESS ANALYZER

  1. Set Up Access Analyzer:
    • In the IAM Console, select “Access Analyzer.”
    • Create an analyzer and let it run. It will provide findings on resources shared with external entities.
    • Review the findings and take action to refine overly broad permissions.

STEP 3: TEST POLICIES WITH IAM POLICY SIMULATOR

  1. Simulate Policies:
    • Go to the IAM Policy Simulator.
    • Simulate the policies attached to your users, groups, and roles to understand what permissions they actually grant.
    • Adjust policies based on the simulation results to ensure they provide only the necessary permissions.

STEP 4: MONITOR AND AUDIT

  1. Enable AWS CloudTrail:
    • In the AWS Management Console, go to “CloudTrail.”
    • Create a new trail to log API calls across your AWS account.
    • Enable logging and monitor the CloudTrail logs regularly to detect any unauthorized or suspicious activity.
  2. Use AWS Config:
    • Navigate to the AWS Config Console.
    • Set up AWS Config to monitor and evaluate the configurations of your AWS resources.
    • Implement AWS Config Rules to check for compliance with your least privilege policies.

STEP 5: UTILIZE AUTOMATED TOOLS

  1. AWS Trusted Advisor:
    • Access Trusted Advisor from the AWS Management Console.
    • Review the “Security” section for recommendations on IAM security best practices.
  2. AWS Security Hub:
    • Enable Security Hub from the Security Hub Console.
    • Use Security Hub to get a comprehensive view of your security posture, including IAM-related findings.

AZURE

STEP 1: REVIEW AZURE AD ROLES AND PERMISSIONS

  1. Azure AD Roles:
    • Navigate to the Azure Active Directory.
    • Under “Roles and administrators,” review each role and its assignments.
    • Ensure users are assigned only to roles with necessary permissions.
  2. Role-Based Access Control (RBAC):
    • Go to the “Resource groups” or individual resources in the Azure portal.
    • Under “Access control (IAM),” review role assignments.
    • Remove or modify roles that provide excessive permissions.

STEP 2: CHECK RESOURCE-LEVEL PERMISSIONS

  1. Review Resource Policies:
    • For each resource (e.g., storage accounts, VMs), review the access policies to ensure they grant only necessary permissions.
  2. Network Security Groups (NSGs):
    • Navigate to “Network security groups” in the Azure portal.
    • Review inbound and outbound rules to ensure they allow only necessary traffic.

STEP 3: MONITOR AND AUDIT

  1. Azure Activity Logs:
    • Access the Activity Logs.
    • Monitor logs for changes in role assignments and access patterns.
  2. Azure Security Center:
    • Open Azure Security Center.
    • Regularly review security recommendations and alerts, especially those related to IAM.

STEP 4: UTILIZE AUTOMATED TOOLS

  1. Azure Policy:
    • Create and assign policies using the Azure Policy portal.
    • Enforce policies that require the use of least privilege access.
  2. Azure Blueprints:
    • Use Azure Blueprints to define and deploy resource configurations that comply with organizational standards.
  3. Privileged Identity Management (PIM):
    • In Azure AD, go to “Privileged Identity Management” under “Manage.”
    • Enable PIM to manage, control, and monitor privileged access.

GCP

STEP 1: REVIEW IAM POLICIES AND ROLES

  1. Review IAM Policies:
    • Access the IAM & admin console.
    • Review each policy and role for overly permissive permissions.
    • Avoid using predefined roles with broad permissions; prefer custom roles with specific permissions.
  2. Create Custom Roles:
    • In the IAM console, navigate to “Roles.”
    • Create custom roles that provide the minimum necessary permissions for specific job functions.

STEP 2: CHECK RESOURCE-BASED POLICIES

  1. Service Accounts:
    • In the IAM & admin console, go to “Service accounts.”
    • Review the permissions granted to each service account and ensure they are scoped to the least privilege.
  2. VPC Firewall Rules:
    • Navigate to the VPC network section and select “Firewall rules.”
    • Review and restrict firewall rules to allow only essential traffic.

STEP 3: MONITOR AND AUDIT

  1. Cloud Audit Logs:
    • Enable and configure Cloud Audit Logs for all services.
    • Regularly review logs to monitor access and detect unusual activities.
  2. IAM Recommender:
    • In the IAM console, use the IAM Recommender to get suggestions for refining IAM policies based on actual usage patterns.
  3. Access Transparency:
    • Enable Access Transparency to get logs of Google Cloud administrator accesses.

STEP 4: UTILIZE AUTOMATED TOOLS

  1. Security Command Center:
    • Access the Security Command Center for a centralized view of your security posture.
    • Use it to monitor and manage security findings and recommendations.
  2. Forseti Security:
    • Deploy Forseti Security for continuous monitoring and auditing of your GCP environment.
  3. Policy Intelligence:
    • Use tools like Policy Troubleshooter to debug access issues and Policy Analyzer to compare policies.

STEP 5: CONDUCT REGULAR REVIEWS

  1. Schedule Periodic Reviews:
    • Regularly review IAM roles, policies, and access patterns across your GCP projects.
    • Use the Resource Manager to organize resources and apply IAM policies efficiently.

By following these detailed steps, you can ensure that the Principle of Least Privilege is effectively implemented across AWS, Azure, and GCP, thus maintaining a secure and compliant cloud environment.

Implementing the Principle of Least Privilege in AWS, Azure, and GCP requires a strategic approach to access management. By leveraging the built-in tools and services provided by these cloud platforms, organizations can enhance their security posture, minimize risks, and ensure compliance with security policies. Regular reviews, continuous monitoring, and automation are key to maintaining an effective PoLP strategy in the dynamic cloud environment.

Securing DevOps: Security in the Cloud 


Tags: cloud security, least privilege, Security in the Cloud


May 16 2024

ISO 27001 Standard, Risk Assessment and Gap Assessment

Category: ISO 27k | disc7 @ 10:45 am

The core section of the standard retains its 11 clauses with minor modifications, while significant structural revisions have been implemented in the Annex A controls. Control categories have been rearranged, resulting in a reduction in the total number of controls. Broadly speaking, 11 new controls have been added, 57 controls have been consolidated, 23 controls have been rebranded, and three controls have been eliminated. The introduction of these 11 new controls underscores the heightened significance of Cloud, DevOps, and Personal Information, which have evolved over the past decade.

  • A.5.7 Threat intelligence 
  • A.5.23 Information security for the use of cloud services 
  • A.5.30 ICT readiness for business continuity 
  • A.7.4 Physical security monitoring 
  • A.8.9 Configuration management 
  • A.8.10 Information deletion 
  • A.8.11 Data masking 
  • A.8.12 Data leakage prevention 
  • A.14.1.4 Secure development policy 
  • A.16.2.4 Security of supplier services 
  • A.18.2.3 Protection of personal information in public clouds 

ISO 27002:2022 has three control types: #Preventive, #Corrective and #Detective. Some of these controls have more than one control type. There are a total of 12 Detective, 13 Corrective, and 83 Preventive controls, and 15 controls (12+13+83 = 108 -15 = 93) which share more than one control type in the latest ISO 27002:2022 guidance. If you would like to know more about how and when to start complying with the new and latest control guidance, please contact us to book an appointment to discuss the details of how DISC llc can assist your organization with ISO 27001 compliance or certification plans.

For more details: iso-27001-assessment

To download and review the standard: COPYRIGHT PROTECTED DOCUMENT

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks


Tags: ISO 27001 2022


May 14 2024

Free & Downloadable Access Control Policy Template

Category: Access Control, Information Security | disc7 @ 7:18 am
https://heimdalsecurity.com/blog/access-control-policy-template/

Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.

Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.

Download the templates

  1. Access Control Policy Template – PDF
  2. Access Control Policy Template – Word
  3. Access Control Policy Template – Google Docs.

What does the Access Control Policy template include?

Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.

Here are some of the key components included in the template:

  • Document Control;
  • Purpose and Scope;
  • Policy Statement;
  • Roles & Responsibilities;
  • Access Control Principles;
  • Access Control Measures;
  • Access Control Technologies;
  • Monitoring and Auditing;
  • Incident Management;
  • Policy Compliance;
  • Policy Review.

Benefits of using our Access Control Policy template

Implementing an effective access control policy offers several key benefits:

  • Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
  • Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
  • Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
  • Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.

To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.

You can then customize the template to fit the specific needs and context of your organization.

By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.

Feel free to check out our other cybersecurity templates, such as patch management templates, incident response plan templates, email security policy templates, threat and vulnerability management templates, and more.

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.


Privacy Policy Template

Employee policy handbook template

The Complete Company Policies



May 13 2024

Tycoon 2FA Attacking Microsoft 365 AND Google Users To Bypass MFA

Category: 2FA
disc7 @ 8:22 am

Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, targets Microsoft 365 and Gmail accounts. It leverages an Adversary-in-the-Middle (AitM) technique to steal user session cookies, bypassing multi-factor authentication (MFA) protections.

By acting as an intermediary between the user and the legitimate login page, Tycoon 2FA captures cookies that grant attackers unauthorized access to compromised accounts and cloud services, even if additional security measures are implemented. 

The Tycoon 2FA phishing kit received an update in March 2024 that was specifically designed to bypass security defenses. The update enhanced the kit’s evasion capabilities through obfuscated JavaScript and HTML code, which makes the code unreadable and hinders analysis.

Tycoon 2FA to facilitate MFA token theft and bypass. 

On Telegram, it sells pre-made phishing pages targeting Microsoft 365 and Gmail credentials, which lowers the technical barrier for attackers by offering easy-to-use templates. 

Figure: Proofpoint TAP Dashboard campaign snapshot from December campaigns.

The attack works through a reverse proxy that captures login credentials and relays them to the real service to get past the login page. The attackers then steal the session cookies returned during successful logins, which grants unauthorized access even with MFA enabled.

It facilitates credential theft by bypassing multi-factor authentication (MFA), and attackers use various lures such as emails with fake authentication links, voicemail-themed threats, and PDFs with QR codes leading to phishing pages. 

Figure: QR code and voicemail lure examples for the Tycoon 2FA threats that were seen in late 2023.

The pages often include CAPTCHAs to appear legitimate and steal login credentials and MFA tokens. Security researchers at Proofpoint identified rules to detect Tycoon landing pages based on these tactics. 

AI-powered behavioral analytics and a URL sandbox are used to identify and block malicious landing pages and phishing activity associated with Tycoon 2FA and similar threats. This is achieved by combining threat intelligence with machine learning to recognize suspicious behaviors.

Global threat intelligence feeds provide information about malicious infrastructure. This helps defenders stop known and new threats before they happen by making it easier to find them, fix problems, and manage human risk when it comes to new phishing techniques.
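One defender-side heuristic for the session cookie theft described above, as an added example that is not from the article or from Proofpoint: alert when a session cookie is presented by a client whose IP and user agent both differ from the client that completed MFA. The record fields, the `mfa_success` marker and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # epoch seconds
    user: str
    session_id: str  # identifier of the session cookie presented
    ip: str
    user_agent: str
    action: str      # "mfa_success" marks the request that issued the session

# Constructed sample records, not taken from any real tenant or from the article.
SAMPLE = [
    Event(1000, "alice", "s-a1", "198.51.100.7", "Chrome/124 Windows", "mfa_success"),
    Event(1090, "alice", "s-a1", "203.0.113.50", "python-requests/2.31", "mail_read"),
    Event(2000, "bob", "s-b1", "192.0.2.10", "Chrome/124 macOS", "mfa_success"),
    Event(2100, "bob", "s-b1", "192.0.2.10", "Chrome/124 macOS", "mail_read"),
    Event(2500, "bob", "s-b1", "192.0.2.99", "Chrome/124 macOS", "file_download"),
]

def find_replayed_sessions(events, max_gap=3600):
    """Flag sessions presented by a client whose IP and user agent both differ
    from the client that completed MFA, within max_gap seconds of issuance."""
    issued, flagged, alerts = {}, set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "mfa_success":
            issued.setdefault(ev.session_id, ev)   # remember the issuing client
            continue
        origin = issued.get(ev.session_id)
        if origin is None or ev.session_id in flagged:
            continue
        # An IP change alone (roaming, VPN) is common, so require both to differ.
        moved = ev.ip != origin.ip and ev.user_agent != origin.user_agent
        if moved and ev.ts - origin.ts <= max_gap:
            flagged.add(ev.session_id)             # one alert per session
            alerts.append({"user": ev.user, "session": ev.session_id,
                           "issued_to": origin.ip, "replayed_from": ev.ip,
                           "seconds_after_mfa": ev.ts - origin.ts})
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE):
        print(alert)
```

Bob's session changes IP but keeps the same user agent, so it is not flagged; tightening or loosening that rule is a tuning decision for the environment.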

The Beginner’s Guide to Cybersecurity: Master the Art of Online Safety – From Passwords to Privacy, Everything You Need to Know for a Secure Digital


Tags: 2FA Attacking


May 11 2024

Unlock The Power of 1000+ ChatGPT Prompts!

Category: ChatGPT
disc7 @ 12:02 pm
https://www.darksideops.com/1000-chatgpt-prompts/

Get the Most Out of Your Content Creation, Lead Generation, and Innovation Efforts!

Awesome ChatGPT Prompts

OpenAI Cookbook – Code and example prompts for accomplishing common tasks with the OpenAI API

Linus on Twitter

Barsee – ChatGPT Full Course

Rohit Ghumare on Twitter – ChatGPT for DevOps Engineers

Pratham Kumar on Github – ChatGPT Prompts

Kavir Kaycee – ChatGPT prompts for product Managers

Bink.ai – ChatGPT Copywriting Prompts

Pascio – Copywriting ChatGPT prompts

Hasan – The Ultimate ChatGPT Guide

GarryFlix – ChatGPT Business Crash Course Playbook

donbader – The Ultimate ChatGPT Business Course

Abhishek – ChatGPT All-In-One Resources

Fatih Kadir – The Art of ChatGPT Prompting: A Guide to Crafting Clear and Effective Prompts

Sushant Lakhyani – 333+ Mind-Bending ChatGPT Prompts

Martin Slaney – The Product Manager’s Prompt Book

BONUS: Awesome Innovations using ChatGPT

Curated by: Rohit Ghumare

ChatGPT jailbreak prompts proliferate on hacker forums

ChatGPT FOR CYBERSECURITY: The Ultimate Weapon Against Hackers

ChatGPT Hacking (in Portuguese)

PROMPTLY SPEAKING A COMPREHENSIVE GUIDE TO CHATGPT PROMPTS: From Basics to Brilliance, Unravel the Secrets of Effective AI Communication


Tags: ChatGPT, ChatGPT Prompts


May 09 2024

Polish Government Under Sophisticated Cyber Attack From APT28 Hacker Group

Category: APT, Cyber Attack
disc7 @ 8:55 am

The Polish computer emergency response team CERT.pl has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.

According to the CERT.pl analysis, the attack begins with spear-phishing emails containing malicious attachments or links.

The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.

Subject: I solved your problem

Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)

Threat actors are increasingly using free, commonly-used services like run.mocky.io and webhook.site to deliver malware while evading detection.

This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to run.mocky.io, a free API testing service, which then redirects to webhook.site for logging requests.

A ZIP archive disguised as an image file (e.g. IMG-238279780.zip) is downloaded from webhook.site.

With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.

Figure: Entire attack flow.

Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.

“The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network,” explained CERT.pl in their report.

CERT.pl urges all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.

APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.

The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak and the 2017 NotPetya ransomware outbreak.

This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.

The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.
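A detection sketch for the delivery chain described above (a run.mocky.io request followed by a ZIP download from webhook.site), as an added example that is not taken from the CERT.pl report. The two hostnames and the archive name come from the article; the log format, the sample lines, the 30-second window and the `IMG` filename pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the article; everything else below is constructed.
REDIRECTOR, PAYLOAD_HOST = "run.mocky.io", "webhook.site"
IMAGE_LIKE_ZIP = re.compile(r"^IMG[-_]?\d+\.zip$", re.I)  # assumed naming pattern

# Constructed proxy log: ts client url status content_type filename
SAMPLE_LOG = """\
1715240000 10.0.0.21 https://run.mocky.io/v3/EXAMPLE-ID 302 - -
1715240001 10.0.0.21 https://webhook.site/EXAMPLE-ID 200 application/zip IMG-238279780.zip
1715240300 10.0.0.35 https://webhook.site/DEV-HOOK 200 application/json -
1715240400 10.0.0.35 https://run.mocky.io/v3/DEV-MOCK 200 application/json -
"""

def parse(line):
    ts, client, url, status, ctype, fname = line.split()
    return {"ts": int(ts), "client": client, "host": urlsplit(url).hostname,
            "status": int(status), "ctype": ctype, "file": fname}

def find_delivery_chains(log_text, window=30):
    """Flag clients that hit the redirector and then, within `window` seconds,
    received a ZIP from the payload host; note image-like archive names."""
    last_redirect = {}   # client -> ts of most recent redirector request
    hits = []
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["host"] == REDIRECTOR:
            last_redirect[rec["client"]] = rec["ts"]
        elif rec["host"] == PAYLOAD_HOST:
            seen = last_redirect.get(rec["client"])
            is_zip = (rec["ctype"] == "application/zip"
                      or rec["file"].lower().endswith(".zip"))
            if seen is not None and rec["ts"] - seen <= window and is_zip:
                hits.append({"client": rec["client"], "file": rec["file"],
                             "image_like_name": bool(IMAGE_LIKE_ZIP.match(rec["file"]))})
    return hits

if __name__ == "__main__":
    for hit in find_delivery_chains(SAMPLE_LOG):
        print(hit)
```

The second client uses both services for ordinary development traffic and is not flagged, because the rule requires the ordered redirect followed by an archive download rather than matching either hostname alone.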

The Bear Roars: Russia’s Cyber Spies And Global Threat To Security


Tags: APT28, Hacker Group

