Researchers at the cybersecurity firm Eclypsium, which focuses on firmware, reported today that they have found a secret backdoor in the firmware of motherboards manufactured by the Taiwanese manufacturer Gigabyte. Gigabyte’s components are often used in gaming PCs and other high-performance systems. Eclypsium discovered that whenever a computer with the affected Gigabyte motherboard restarts, code inside the motherboard’s firmware silently triggers the launch of an updater application, which then downloads and runs another piece of software on the machine. Researchers discovered that the hidden code was built in an unsafe manner, making it possible for the mechanism to be hijacked and used to install malware rather than Gigabyte’s intended software.
Despite the fact that Eclypsium claims the hidden code is intended to be a harmless utility to keep the motherboard’s firmware updated, researchers determined that the implementation was vulnerable. And since the updater application is activated from the computer’s firmware rather than the operating system, it is difficult for users to either delete it or even detect it on their own. In the blog post, the company details the 271 different versions of Gigabyte motherboards that the researchers think are vulnerable. According to experts, individuals who are interested in discovering the motherboard that is used by their computer may do so by selecting “Start” in Windows and then selecting “System Information.”
Users who don’t trust Gigabyte to silently install code on their machine with a nearly invisible tool may have been concerned by Gigabyte’s updater alone. Other users may have been concerned that Gigabyte’s mechanism could be exploited by hackers who compromise the motherboard manufacturer to exploit its hidden access in a software supply chain attack. The update process was designed and built with obvious flaws that left it susceptible to being exploited in the following ways: It downloads code to the user’s workstation without properly authenticating it, and in certain cases, it even does it through an unsecured HTTP connection rather than an HTTPS one. This would make it possible for a man-in-the-middle attack to be carried out by anybody who is able to intercept the user’s internet connection, such as a malicious Wi-Fi network. The attack would enable the installation source to be faked.
Even if Gigabyte does release a fix for its firmware issue—after all, the problem stems from a Gigabyte tool that was intended to automate firmware updates—experts points out that firmware updates frequently fail silently on users’ machines, in many cases due to the complexity of the updates themselves and the difficulty of matching the firmware with the hardware.
In other instances, the updater that is installed by the mechanism in Gigabyte’s firmware is configured to be downloaded from a local network-attached storage device (NAS). This is a feature that appears to be designed for business networks to administer updates without all of their machines reaching out to the internet. Under such circumstances, a malicious actor on the same network might potentially fake the location of the NAS in order to covertly install their own malware in its place.
The company has said that it has been collaborating with Gigabyte in order to report its results to the motherboard maker, and that Gigabyte has indicated that it intends to solve the concerns.
Researchers from Tsinghua University and George Mason University have discovered a significant weakness in the NPU chipset. By exploiting this flaw, attackers are able to eavesdrop on data being broadcast across 89% of real-world Wi-Fi networks.
Hardware acceleration, such as the use of NPU chipsets in Wi-Fi networks, increases the data transmission rate and decreases latency. However, it also creates security problems owing to the direct transmission of wireless frames by Access Point (AP) routers.
Researchers from Tsinghua University and George Mason University have recently found a security weakness in the wireless frame forwarding mechanism used by the NPU. Attackers may take use of the vulnerability to conduct a Man-in-the-Middle attack (MITM) on Wi-Fi networks by circumventing the need for rogue access points (APs). Intercepting a victim’s plaintext communication while avoiding link layer security methods such as WPA3 is possible with this technique. The research paper that team wrote has been approved for presentation at the 2023 IEEE Symposium on Security and Privacy.
The scenario shown in Figure depicts a situation in which an attacker and a victim supplicant are both connected to the same Wi-Fi network in order to access Internet services. Imagine that you have successfully completed the phone authentication process and are now able to access the Wi-Fi network at Starbucks. Each session to the AP router is protected by a Pairwise Transient Key (PTK) session key, and the Wi-Fi network that you are trying to connect to has WPA2 or WPA3 installed to provide security.
They made the discovery that the security methods, such as WPA2 and WPA3, may be readily evaded, giving attackers the ability to read the plaintext of the victim supplicant’s communication. An impersonation of the access point (AP) is created by the attacker via the use of spoofing the source IP address. The attacker then sends a victim supplicant an ICMP redirect message, which is an ICMP error message with a type value of 5.
Because of the need to maximize performance, the NPU in the AP router (for example, Qualcomm IPQ5018 and HiSilicon Gigahome Quad-core) would immediately transfer the bogus message of ICMP redirection that it has received to the victim supplicant. After receiving the message, the victim supplicant will be deceived into changing its routing cache and substituting the next hop to the server with the IP address of the attacker. This will allow the attacker to get access to the server. Because of this, future IP packets that were supposed to be sent to the server are instead routed to the attacker at the IP layer. This gives the attacker the ability to send the packets to their intended destination. The MITM attack is successfully carried out by the attacker, who does not make use of any rogue AP in the process. This allows the attacker to intercept and change the traffic of the victim supplicant invisibly.
Both Qualcomm and Hisilicon have verified that their NPUs are susceptible to the vulnerability that prohibits AP devices from successfully blocking faked ICMP redirect packets. This vulnerability has been given the identifier CVE-2022-25667 by Qualcomm.
Adding features to access points that will slow down maliciously constructed ICMP redirection. If the message has clear unlawful features (for instance, the source IP address of the message is provided with the AP’s IP address, and the message can only be created by the AP itself), then the AP should block and discard the message as soon as it is detected. This strategy depends on the participation of both the NPU chip makers and the AP suppliers in a collaborative effort. Improving the ability of supplicants to check the ICMP packets that they have received. The supplicant has the ability to successfully detect bogus ICMP messages and mount a defense against this attack provided it ensures that the source IP address and source MAC address of the received ICMP message are consistent with one another.
The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector.
These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes.
In response to these risks, the US government reinforced critical infrastructure security by introducing Cross-Sector Cybersecurity Performance Goals (CPGs) mandated by the US Cybersecurity Infrastructure & Security Agency (CISA).
Recently, CISA updated the CPGs to align with NIST’s standard cybersecurity framework, establishing each of the five goals as a prioritized subset of IT and OT cybersecurity practices.
In this article, we will look in more detail at CISA’s revamped CPGs and discuss the potential solutions available to help organizations achieve these critical goals.
CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment
CISA’s first CPG is “Identify”, which includes identifying the vulnerabilities in the IT and OT assets inventory, establishing supply chain incident reporting and vulnerability disclosure program, validating the effectiveness of third-party security controls across your IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Critical infrastructure organizations must address all these sub-categories exclusively to achieve the first CPG.
Addressing these responsibilities requires a dynamic effort. Firstly, organizations must strengthen their IT and OT relationship by fostering more effective collaboration between the security teams of both departments. But, most importantly, IT and OT teams must come together to understand the potential cyber threats and risks of each environment and how it affects the other. To achieve the first CPG, it is critical that these departments are not kept in isolation but rather collaborate and communicate frequently.
At the same time, organizations must establish OT leadership by clearly identifying a single leader who will be responsible and accountable for OT-specific cybersecurity. From there, organizations must create an asset inventory or glossary that clearly identifies and tracks all OT and IT assets across the entire ecosystem. These assets should be regularly audited based on their vulnerability management program. It’s also highly critical to have an open, public, and easily accessible communication channel where vendors, third parties, or employees can disclose any potential vulnerability in relation to the OT and IT assets.
CPG 2.0 Protect: Safeguarding privileged access to OT assets
CISA’s second CPG is “Protect”, which emphasizes the account security aspects of OT assets. To achieve this goal, critical infrastructure organizations are required to strengthen their password policies, change default credentials across OT remote access systems, apply network segmentation to segregate OT and IT networks, and separate general user and privileged accounts.
Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access. Such solutions can also support advanced credential policies to further reduce the risk of unauthorized access and denial of service attacks.
It’s also important that organizations only leverage SRA solutions that are based on zero trust policies. This will help organizations establish effective network segmentation that eliminates direct, unfettered remote connectivity to OT assets, and to continuously monitor personnel activity during all remote OT connections.
CPG 3.0 Detect: Awareness of critical threats and potential attack vectors across your OT environment
CISA’s third CPG emphasizes the detection of relevant threats and knowledge of potential attack vectors and TTPs (tactics, techniques, and procedures) that can compromise OT security and potentially disrupt critical services.
Detecting relevant threats and TTPs across OT assets and networks requires a proactive approach that combines advanced monitoring and analysis. Real-time monitoring solution should be complemented with comprehensive network visibility, allowing for the swift detection of anomalies and unusual patterns.
A critical aspect of threat detection in OT environments — and meeting the CPG mandate — is the sharing of information and collaboration between various stakeholders. Threat intelligence platforms play an essential role in gathering and disseminating information about current and emerging threats. By leveraging this valuable data, organizations can stay ahead of potential risks, fine-tune their defenses, and ensure the safety and security of their OT assets. Additionally, conducting regular security assessments, penetration testing, and vulnerability scanning will help uncover any weaknesses in the infrastructure, allowing for timely remediation and improved resilience against cyberattacks.
CPG 4.0 and 5.0: Respond and Recover
The final two CISA’s CPGs stress the importance of incident reporting and planning. Regardless of how robust your OT security practices are, cyber threats are almost inevitable in today’s interconnected and increasingly remote networking era. So, while proactive security solutions are necessary, attacks still are unavoidable, especially in a highly targeted sector like critical infrastructure.
Therefore, CISA stresses that organizations must have a comprehensive plan and process outlined for reporting security incidents and effectively recovering their affected systems or services upon a breach.
Advanced SRA solutions can help organizations to achieve these goals through automated recording of user activities and asset-related data, as well as creating automated backups of critical data. More specifically, they can log all user sessions, encrypt all user- and asset-related data, and retain logs of OT remote user activity. These measures help to ensure that critical information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.
Conclusion
Overall, the vulnerabilities of ageing OT assets and siloed OT and IT networks have created a significant threat to critical infrastructure entities, which has been further exacerbated by the prevalence of remote access.
CISA’s OT-specific goals and actions within the CPGs provide a much-needed set of guidelines for CNI organizations to strengthen their security posture and increase cyber resilience. By following CISA’s recommendations and employing innovative security technologies, organizations can minimize the risk of cyberattacks affecting the physical world and public safety.
Integrating proprietary and open-source code, APIs, user interfaces, application behavior, and deployment workflows creates an intricate composition in modern applications. Any vulnerabilities within this software supply chain can jeopardize your and your customers’ safety. In this Help Net Security video, Tim Mackey, Head of Software Supply Chain Risk Strategy at Synopsys, discusses supply chain security practices and approaches.
The research that was published in the German daily Handelsblatt said that customers of Tesla Inc. lodged over 2,400 complaints about difficulties with self-acceleration and 1,500 complaints regarding issues with brakes between the years of 2015 and March 2022.
According to reports, a big data dump that was based on a whistleblower’s breach of internal Tesla papers suggests that problems with Tesla’s autonomous driving system may be considerably more frequent than authorities and the media have suggested. This was discovered after the whistleblower gained unauthorized access to internal Tesla documents.
According to information that was taken from Tesla’s information technology (IT) system, complaints against these Full Self Driving (FSD) capabilities originated from all over the globe, including the United States of America, Europe, and Asia.
Particularly, in an article titled “My autopilot almost killed me,” Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Within those files were 3,000 entries highlighting consumers’ safety concerns and tales of more than 1,000 crashes.
The publisher included a note stating that the data includes the phone numbers of customers.
According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.
According to one man from Michigan, his Tesla “suddenly braked hard, as hard as you can imagine.” When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car.
The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that “the data set does not come from IT systems belonging to or in the environment of Tesla.”
Employees are instructed that, unless lawyers are involved, they should not deliver written comments but rather should convey them “VERBALLY to the customer.” Unless attorneys are involved, written critiques should not be given.
The post quotes the instructions as saying, “Do not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer,” and it is clear that this is a requirement.
An report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was always communicated verbally.
According to the attorneys for Tesla, the news organization is required to provide a copy of the data to Tesla, and all other copies of the data must be destroyed. The attorneys for Tesla also warned legal action “for the theft of confidential and personal data.”
According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the company’s technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.
The state’s data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should the allegations prove to be accurate, the data breach would have significant repercussions on a worldwide scale. The situation has been sent to privacy advocates in the Netherlands so that additional investigation might be conducted.
“Tesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously.” “We intend to initiate legal proceedings against this individual for his theft of Tesla’s confidential information and employees’ personal data,” Tesla stated in a response that was reported by the publication. The statement was made in reaction to the theft of sensitive information and personal data pertaining to Tesla employees.
The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.
Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.
The presence of each third-party application increases the potential for attacks, particularly when end users install them without proper oversight or approval. IT security teams face challenges in obtaining comprehensive knowledge about the apps connected to their corporate SaaS platforms, including their permissions and activities.
In this Help Net Security video, Matt Radolec, Senior Director, Incident Response and Cloud Operations at Varonis, offers advice for CISO-level executives to enhance the security of corporate cloud data.
Phishers are using encrypted restricted-permission messages (.rpmsg) attached in phishing emails to steal Microsoft 365 account credentials.
“[The campaigns] are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe),” say Trustwave researchers Phil Hay and Rodel Mendrez. “The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar.”
Phishing emails with Microsoft Encrypted Restricted Permission Messages
The phishing emails are sent from a compromised Microsoft 365 account to individuals working in the billing department of the recipient company.
Phishing email with a encrypted restricted-permission message (Source: Trustwave)
The emails contain a .rpmsg (restricted permission message) attachment and a “Read the message” button with a long URL that leads to office365.com for message viewing.
To see the message, the victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode.
After using the received passcode, the victims are first shown a message with a fake SharePoint theme and are asked to click on a button to continue. They are then redirected to a document that looks like it’s hosted on SharePoint but it’s actually hosted on the Adobe’s InDesign service.
They are again asked to click on a button to view the document, and are taken to a domain that looks like the one from the original sender (e.g., Talus Pay), featuring a progress bar.
In the background, the open source FingerprintJS library collects the user’s system and browser information and, finally, the victim is shown a spoofed Microsoft 365 login page and is asked to sign in with their credentials.
Hiding from security solutions
“The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service,” Hay and Mendez noted.
“The only clue that something might be amiss is the URL has a specified sender address (chambless-math.com) unrelated to the From: address of the email. The link was likely generated from yet another compromised Microsoft account.”
They advise organizations to:
Block, flag or manually inspect .rpmsg attachments
Monitor incoming email streams for emails originating from MicrosoftOffice365@messaging.microsoft.com and having the subject line “Your one-time passcode to view the message”
Educate users about the consequences of decrypting or unlocking content from unsolicited emails
Although iSpoof advertised openly for business on a non-darkweb site, reachable with a regular browser via a non-onion domain name, and even though using its services might technically have been legal in your country (if you’re a lawyer, we’d love to hear your opinion on that issue once you’ve seen the historical website screenshots below)…
…a UK court had no doubt that the iSpoof system was implemented with life-ruining, money-draining malfeasance in mind.
The site’s kingpin, Tejay Fletcher, 35, of London, was given a prison sentence of well over a decade to reflect that fact.
Show any number you like
Until November 2022, when the domain was taken down after a seizure warrant was issued to US law enforcement, the site’s main page looked something like this:
You can show any number you wish on call display, essentially faking your caller ID.
And an explanatory section further down the page made it pretty clear that the service wasn’t merely there to enhance your own privacy, but to help you mislead the people you were calling:
Get the ability to change what someone sees on their caller ID display when they receive a phone call from you. They’ll never know it was you! You can pick any number you want before you call. Your opposite will be thinking you’re someone else. It’s easy and works on every phone worldwide!
In case you were still in any doubt about how you could use iSpoof to help you rip off unsuspecting victims, here’s the site’s own marketing video, provided courtesy of the Metropolitan Police (better known as “the Met”) in London, UK:
As you will see below, and in our previous coverage of this story, iSpoof users weren’t actually anonymous at all.
More than 50,000 users of the service have been identified already, with close to 200 people already arrested and under investigation in the UK alone.
Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Who is a CISO?
Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.
A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
What are all the Roles and Responsibilities of CISO?
Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.
Security Challenges CISOs Face
CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:
Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.
What are the Security Compliance CISO Should Follow
As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:
General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.
Security Challenges CISOs Face to Manage Security Team
Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:
Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization’s overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies—support team members in their career growth.
Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team’s incident response capabilities.
Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
Regularly Evaluate and Improve: Regularly evaluate the team’s performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team’s effectiveness and efficiency.
Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.
Final Thoughts
CISOs face many common security challenges as protectors of their organization’s digital assets and information.
From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.
CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.
To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.
They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.
While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.
By effectively addressing these challenges, CISOs can enhance their organizations’ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.
Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.
By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.
In the wake of the ex-Uber CISO verdict, CISOs ask for clearer rules and less uncertainty in managing disclosures, amid jail-time fears.
Getting cybersecurity incident disclosure right can mean the difference between prison and freedom. But the rules remain woefully vague.
Chief information security officers (CISOs) and their teams know there’s a certain amount of risk intrinsically baked into the job. But the recent sentencing of former Uber CISO Joseph Sullivan for his role in covering up a 2016 data breach at the company has significantly upped the ante.
SolarWinds CISO Tim Brown survived one of the most spectacular security breaches in history in 2020 inan epic supply chain attack, and emerged on the other side with the business — and his professional reputation — intact. In an interview with Dark Reading, he explained that CISOs are asking for clarity on rules around disclosures. The Federal Trade Commission (FTC) has rules, and beyond that, there is a vast and evolving mousetrap of rules, regulations, executive orders, and case law dictating how and when disclosures need to occur, and that’s before anyone considers the impact of an incident on the business.
“Liability is something that has CISOs concerned,” Brown says. “It’s a concerning time and creates stress and angst for teams. We want to be covered.”
A court found Uber’s Sullivan guilty of working to cover up the breach from FTC investigators, as well as trying to keep the breach secret from other Uber executives. Brown acknowledges that Sullivan made the mistake, in the view of the court, of trying to make disclosure decisions unilaterally, without legal guidance, which left him open to prosecution.
Sarbanes-Oxley Act for CISOs?
To avoid making such mistakes, CISOs need something in the mold of the 2002 Sarbanes-Oxley Act, which details financial reporting regulations for chief financial officers (CFOs), Brown says.
In the same way Sarbanes-Oxley prescribes steps that CFOs are expected to take to prevent financial fraud, Brown says that he would like to see new federal regulations that outline CISO requirements for preventing and responding to cybercrime on their watch.
The stakes are high: While Sullivan was only sentenced to three years’ probation for his role in attempting to bury Uber’s data breach, Judge William Orrick used Sullivan’s hearing as an opportunity to send a chilling warning to the next CISO unfortunate enough to find themselves in his court.
“If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison,” Judge Orrick said to Sullivan. “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”
Disclosure Maze
The litany of hazy rules and emerging guidelines doesn’t provide CISOs and cybersecurity teams with a clear path to compliance, meaning in-house counsel and outside legal advisers have become essential in helping organizations navigate the disclosure process maze.
“Enterprise security teams do not exist in a vacuum when it comes to evaluating disclosure of data breaches and security incidents,” says Melissa Bischoping, director of endpoint security research at Tanium, on the current disclosure landscape. “Their responses must be coordinated with legal and communications stakeholders to ensure they are meeting regulatory and legal requirements, and providing the appropriate level of information to the right consumers of the information.”
Beth Waller, an attorney and chair of cybersecurity and data privacy at Woods Rogers Vandeventer Black, says oversight bodies as well as consumers are driving cybersecurity incident transparency — and shrinking acceptable disclosure windows.
Waller points to a grab bag of regulations pushing disclosures, such as the Security and Exchange Commission’s demand for immediate data incident disclosure for publicly traded companies, as well as federal regulations on sectors like banking, healthcare, and critical infrastructure demanding disclosures within days of its discovery. Department of Defense contractors must notify the DoD of an incident within 72 hours, she points out.
“For international companies, regulations like the Europe’s General Data Protection Regulation (GDPR) drive similar timelines,” Waller says. “More and more, a company that wants to keep a data incident quiet cannot do so from a regulatory or legal standpoint.”
Disclosure Dangers
As pressure mounts on enterprise cybersecurity teams to disclose quickly, Dave Gerry, CEO of Bugcrowd, acknowledges the value of transparency for trust and the flow of information, but explains he is also concerned that rapid disclosure could rob security teams of priceless time to respond properly to cyberattacks.
“Incident disclosure needs to allow for the opportunity for the security organization to rapidly patch systems, fix code-level vulnerabilities, eject attackers, and generally mitigate their systems prior to publicly disclosing details ensure additional security incidents don’t come as a result of the disclosure,” Gerry adds. “Identifying the root cause and magnitude of the incident to avoid adding additional fear and confusion to the situation takes time, which is an additional consideration.”
Data ‘Duty of Care’ Defined
Making things more confusing, US state attorneys general are pushing for tougher regulations around cybersecurity incident disclosures, leaving each state with its own unique disclosure landscape riddled with broad, ill-defined requirements like taking “reasonable” actions to protect data.
Veteran CISO and VMware cyber strategist Karen Worstell notes that Colorado AG Philip Weiser took an important step toward clarifying CISO obligations last January, when he offered a definition of “Duty of Care” rules under the Colorado Privacy Act requiring reasonable action be taken to protect personal data.
According to Weiser, the definition was informed by actual cases that have come through his office, meaning it reflected how prosecutors viewed specific data breaches under their jurisdiction.
“First, we will evaluate whether a company has identified the types of data it collects and has established a system for how storing and managing that data — including ensuring regularly disposing of data it no longer needs,” Weiser said in prepared remarks regarding data breach rules. “Second, we will consider whether a company has a written information security policy. For companies that have no such policies or have ones that are outdated or exist only in theory with no attempt to train employees or comply with the policy, we will view more skeptically claims that their conduct is reasonable.”
Waller applauds Weiser’s move to clarify disclosure rules in his state. In Colorado, as well as Virginia, the attorney general has the sole authority to hold someone liable for breaking state privacy laws.
“Colorado Attorney General Weiser’s comments provide helpful background on the security considerations state attorney generals will consider in looking at bringing violations under these new data privacy laws,” Waller says.
Despite such strides forward, for now the rules still leave plenty of room for enterprise cybersecurity teams to get it wrong.
“The current emerging cacophony of new state privacy regulations, coupled with a hodgepodge of state data breach laws, means that we can hope a federal privacy law would eventually address the need for uniform guidance for entities experiencing a data breach,” Waller says.
“In the absence of federal guidance, the legal landscape remains simply complex,” Waller adds.
The slow churning of courts, regulatory bodies, and legislatures means it’s going to take time for all parties to get on the same page. But SolarWinds’ Brown expects more standardized rules for CISOs and their organizations to likely emerge over the next five or so years. In the meantime, he suggests keeping legal teams closely involved in all cyber incident responses.
“It will be evolving, and we will get crisper,” Brown says. “I’m hopeful.”
CERT-UA has identified and addressed a cyber attack on the government information systems of Ukrainian governmental state bodies.
Through investigation, it was discovered that the department’s email address received communications on April 18, 2023, and April 20, 2023, appearing to originate from the authentic email account of the Embassy from Tajikistan (In Ukraine).
Weaponized DOCX File
Suspected to be a result of the compromised state of the embassy, these emails comprised an attachment in the form of a document that contained a macro in the initial case while referring to the same document in the later incident.
When the document is downloaded, and its macro is activated, it creates and opens a DOCX file called “SvcRestartTaskLogon” with a macro that generates another file with the “WsSwapAssessmentTask” macro.
While it also includes a “SoftwareProtectionPlatform” file categorized as HATVIBE, which can load and execute additional files.
During the course of technical investigation, it was documented that on April 25, 2023, supplementary programs were generated on the computer, possibly facilitated by HATVIBE, under uncertain circumstances.
Here below, we have mentioned those additional generated apps:-
LOGPIE keylogger
CHERRYSPY backdoor
The files are created with Python and secured with PyArmor, while the “pytransform” module, providing encryption and code obfuscation, is further safeguarded with Themida.
The STILLARCH malware is employed for searching and exfiltrating files, including data from the LOGPIE keylogger, with file extensions such as:-
.~tmp
.doc
Further analysis of infrastructure and associated data determined that the group’s targets include organizations from various countries engaging in espionage activities under the code name UAC-0063, which have been monitored since 2021.
To minimize the vulnerability scope, it is advisable to limit user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter, thereby reducing the potential attack surface.
The vulnerability (CVE-2023-21492) affects mobile devices manufactured by Samsung and running on the following versions of the Android operating system. The vulnerability results from the accidental inclusion of sensitive data in log files.
Android 11, Android 12, Android 13
CISA has just recently issued a warning on a security hole that affects Samsung devices and makes it possible for attackers to avoid Android’s address space layout randomization (ASLR) protection while carrying out targeted attacks.
Randomization of the memory locations at which important app and operating system components are loaded into the device’s memory is made possible thanks to Android’s Address Space Layout Randomization (ASLR), which is a fundamental component of Android’s security architecture. The information that has been revealed may be used by local attackers who have elevated rights to perform an ASLR bypass, which would therefore make it easier to exploit weaknesses in memory management. Samsung has essentially remedied this issue as a part of the most recent security upgrades by adopting safeguards that prevent kernel references from being recorded in future instances. This was done as part of a larger effort to introduce new security measures.
According to the advice that was included in the May 2023 Security Maintenance Release (SMR), Samsung has admitted that it was notified of an attack that targets this specific flaw that is now active in the wild.
Despite the fact that Samsung did not provide any particular information on the exploit of CVE-2023-21492, it is essential to keep in mind that during highly focused cyberattacks, security vulnerabilities are regularly exploited as part of a sophisticated chain of exploits.
These attacks used chains of exploits that targeted the vulnerabilities to spread spyware that was driven by commercial interests. While this is going on, security researchers working for Google’s Threat Analysis Group (TAG) and Amnesty International discovered and reported on two different attack operations in the month of March. Following the recent addition of the CVE-2023-21492 vulnerability to CISA’s list of Known Exploited Vulnerabilities, the United States Federal Civilian Executive Branch Agencies (FCEB) have been given a three-week window of time until June 9 to patch their Samsung Android devices in order to protect themselves from potential attacks that exploit this security flaw.
In accordance with BOD 22-01, government agencies have until the deadline of June 9, 2023 to fix any vulnerabilities that have been added to the CISA’s KEV list.
Insider attacks often catch organizations by surprise because they’re tricky to spot.
Banking on reactive solutions like antivirus software or a patch management solutionto avoid such attacks is not wise.
Understanding what contributes to the increasing number of insider threats and addressing these factors is the only way to secure your enterprise against such attacks.
An insider attack is often defined as an exploit by malicious intruders within an organization.
This type of attack usually targets insecure data. Insider threats might lurk within any company; in some industries, they can account for more than 70% of cyberattacks.
More often than not, insider attacks are neglected. Perhaps this is why they have been on a constant rise.
A survey by CA Technologies in 2018 found that about 90% of organizations feel vulnerable to insider attacks.
Organizations also feel that the data most vulnerable to insider attacks is sensitive personal information (49%), intellectual property (32%), employee data (31%), and privileged account information (52%).
Many insider attacks are associated with excessive access privileges. While it might be unpleasant or inconvenient not to trust employees, organizations must be vigilant.
This can be accomplished by monitoring possible sources of cyberattacks. A big problem is that many companies are unaware of how to identify and combat insider threats.
Questions then arise: Where can you find the best network security tools to gain more knowledge on combating insider attacks? What security standards should you follow to stay within your industry’s security compliance requirements and protect your digital assets better? How do you differentiate between a malicious insider and a non-malicious one?
Insider Threat Warnings That You Should Look Out For
Here are some tell-tale signs you can monitor to avoid an insider attack. Be on the lookout for anyone who:
Downloads large amounts of data on personal portable devices or attempts to access data they don’t normally use for their day-to-day work.
Requests network or data access to resources not required for their job, or searches for and tries to access confidential data.
Emails sensitive information to a personal email account or people outside your organization.
Accesses the network and corporate data outside of regular work hours.
Exhibits negative attitudes or behaviors—for instance, a disgruntled employee leaving the organization.
Ignores security awareness best practices, such as locking screens, not using USBs or external drives, not sharing passwords and user accounts, or does not take cyber threats seriously.
Once you have started monitoring, you can implement security measures to prevent attacks from occurring. We’ve put together a short list of solutions for curbing insider threats.
1. Zero Trust
Zero Trust, a new cybersecurity buzzword, is a holistic approach for tightening network security by identifying and granting access, or “trust”.
No specific tool or software is associated with this approach, but organizations must follow certain principles to stay secure.
More users, applications, and servers and embracing various IoT devices expands your network perimeter.
How do you exert control and reduce your overall attack surface in such cases?
How can you ensure that the right access is granted to each user?
IT security at some organizations reflects the age-old castle-and-moat defense mentality that everything inside an organization’s perimeter should be trusted while everything outside should not.
This concept focuses on trust too much and tends to forget that we might know little about the intentions of those we deem “insiders.”
The remedy is Zero Trust, which revokes excessive access privileges of users and devices without proper identity authentication.
By implementing Zero Trust, you can:
Understand your organization’s access needs.
Decrease risk by monitoring device and user traffic.
Lower the potential for a breach.
Profoundly increase your business’s agility.
2. Privileged access management
Privileged access management (PAM) means extending access rights to trusted individuals within an organization.
A privileged user hasadministrative access to critical systems and applications.
For example, if an IT admin can copy files from your PC to a memory stick, they are said to be privileged to access sensitive data within your network.
This also applies to accessing data via physical devices, logging in, and using different applications and accounts associated with the organization.
A privileged user with malicious intent might hijack files and demand your organization pay a ransom.
PAM takes some effort, but you can start simple. For instance, you can remove an employee’s access to the data associated with their previous role.
Consider an employee moving from finance to sales. In this case, the rights to access critical financial data must be revoked because we do not want to risk the organization’s financial security.
By implementing PAM, you can:
Make dealing with third-party devices and users safer and more accessible.
Protect your password and other sensitive credentials from falling into the wrong hands.
Eliminate excess devices and users with access to sensitive data.
Manage emergency access if and when required.
3. Mandatory Security Training for Existing & New Employees
Not all insider attacks are intentional; some happen because of negligence or lack of awareness.
Organizations should make it mandatory for all their employees to undergo basic security and privacy awareness training sessions regularly.
Employees can also be quizzed on these sessions to make the training more effective.
Ensuring employees are acquainted with the cost consequences that negligence can cause the organization can help prevent unintentional insider threats significantly.
With so much to lose, it’s a wonder more companies aren’t taking steps to reduce their chance of suffering from an insider attack.
As mentioned earlier, no particular software or tool is behind the security approaches mentioned above.
Rather, your organization must address these aspects while developing a homegrown security solution or utilizing a similar service or product from a vendor.
By doing so, you can protect your organization from bad actors within or outside of your organization.
However, to specifically tackle the threat posed by insiders who regularly misuse their access credentials or bring malicious plug-and-play devices to work, we recommend looking into other security protocols, such as identity and access management and user behavior analytics, to prevent internal security mishaps.
Predicting Insider Attacks: Using Machine Learning & Artificial Intelligence Algorithms
Zero trust adoption is beginning to accelerate as networks get more complex. Gartner predicts that by 2026, 10% of large enterprises will have a comprehensive, mature, and measurable zero-trust program in place (compared to just 1% today). But adoption has been slow; according to a 2023 PWC report, only 36% have started their journey to zero trust. What’s the hold up?
Integration and configuration at scale for zero trust is no small feat. From managing user experience (UX), to resource constraints and the cultural change required for adoption, zero trust can just be challenging.
Historically, zero trust focused on networks and identity access but, over time, it has become a comprehensive approach to cybersecurity that requires a more holistic view of an organization’s IT infrastructure. Where zero trust previously rejected the notion that endpoints had a role, because the “perimeter no longer mattered,” those working through implementation now see that endpoints are a crucial component to a robust zero trust strategy.
While every enterprise is different, there are some common roadblocks that slow the adoption process. In this article, we’ll offer up some tips to overcome these challenges.
Zero trust adoption tips
Most organizations’ IT infrastructure comprises two crucial components – networks and endpoints. Think of the network as roads and the endpoints as the destination for attackers. These can include servers, virtual machines, workstations, desktops, laptops, tablets, mobile devices, and more. And they run multiple applications, store and manipulate data, connect to other data sources, etc.
Cybercriminals strive to attack and control these endpoints when diving deeper into enterprise networks. From there, they can gain additional credentials, move laterally, maintain persistence, and eventually exfiltrate data. Because these endpoints are in constant use (and their numbers are growing), it can be challenging to secure them. Layer on top misconfigurations, which accounts for approximately a quarter of endpoint compromises, and it’s clear that security teams need a more holistic security framework.
Let’s dive into the tips. While this is not a comprehensive list, hopefully it will help you and your team overcome some of the initial heartburn associated with zero trust adoption for endpoints.
1. Break down information silos and consolidate technologies where you can – Organizational structures that don’t support deep collaboration between IT and security will only exacerbate concerns about increased attack surfaces and worsen challenges around compliance requirements. For zero trust success, teams must break down information silos and share data across teams and solutions. Beyond the zero trust benefits, consolidation can significantly reduce the cost of maintaining multiple systems and greatly improve efficiency by reducing the complexity and redundancy of numerous tools for a single task.
2. Maintain a comprehensive asset inventory and get complete visibility of endpoints – You must know what you have to protect it. While this may seem unnecessary for zero trust approaches where the first rule is to not trust anything, knowing what is under management by your organization versus personal devices enables you categorize how you validate and verify the trustworthiness of the endpoint. Now, this can be difficult, with challenges around complexity, lack of integration, human factors, and cost. But with on-demand asset discovery and real-time asset inventory, you should be able to achieve comprehensive visibility, giving you a clearer idea of endpoints that are actively managed versus devices that should be vetted more carefully.
3. Utilize automated policy-based controls for detection and remediation across asset types – Using staff to manually manage and enforce controls relies on human oversight and intervention to detect and remediate security issues. This is clearly no longer sustainable (especially as an organization scales), as evidenced by the increasing number of cyber-attacks and data breaches. Policy-based rules driven by automation can ensure security controls are consistently and uniformly applied across all assets and user activities. This can also eliminate manual tasks, such as requiring end users to accept a patch or update and restart their machines.
This kind of automated policy enforcement should also help fuel the policy enforcement or trust evaluation engine needed for zero trust implementations. With trusted policy-based profiles on hand, a trust evaluation engine can “ask” questions and assess a device or asset’s security posture. For example: Does it have a firewall on? Does it have the latest approved patches installed? Have any unknown programs been installed recently that have not been scanned with a vulnerability scanner?
Conclusion
As more and more organizations move to implement zero trust, it’s crucial to understand some of the key challenges associated with endpoint security. It requires a shift in mindset, an understanding of the requirements, and a set of tools that can help achieve a successful framework.
Tailoring the zero trust principles to meet your enterprise needs will help accelerate your journey. And hopefully these tips will help. To learn more about practical zero trust implementation guidance, check out some recent research by the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence.
Researchers have identified a new sort of attack that they have given the name “Ghost Touch.” This new form of attack may access the screen of your mobile device without even requiring you to touch it.
It would seem that those who commit crimes online are constantly able to one-up themselves and surprise everyone with innovative new strategies. You are already familiar with methods such as phishing, frauds, and the use of malware to infect devices. However, researchers from the Zhejiang University in China and the Darmstadt University of Technology in Germany have now uncovered a new hardware-based way that cybercriminals may use to get their hands on your smartphone.
These are known as Ghost Touch, and they may be used to unlock a mobile device, allowing the user to get access to sensitive information like passwords or banking apps, and even install malware. According to their explanation, the attack makes advantage of “electromagnetic interference (EMI) to inject fake touch points into a touch screen without physically touching it.”
Make note of the fact that this latest attack is aimed. To put it another way, in order to adjust the gadget, it is essential to have knowledge on the make and model of the cell phone belonging to the victim. The attacker may additionally need extra knowledge about it, such as the access code, which has to be obtained via social engineering. This might be a need for the attack. The attack is effective from a distance of up to 40 mm and makes use of the sensitivity of the touch screen to electromagnetic interference (EMI). Attackers have the ability to inject electromagnetic impulses into the implanted electrodes of the screen, which will cause the screen to record these signals as touch events (a touch, exchange, press, or hold).
On a total of nine different smartphone models, including the iPhone SE (2020), the Samsung Galaxy S20 FE 5G, the Redmi 8, and the Nokia 7.2, its efficacy has been shown. If a user’s screen has been hacked, it will begin operating on its own without the user’s intervention. For instance, it will begin answering calls on the user’s behalf or it will become unblocked.
When a mobile device begins visiting arbitrary web sites, entering into the user’s bank account, opening files, playing a movie, or typing on Google without the user’s interaction, this is another clear indication that the device has been compromised.
“You can protect yourself against touchscreen attacks in a number of different ways, including adding more security to your phone and being more vigilant in public places,” the article states. They recommend that you keep your phone in your possession at all times, since this will significantly lower the likelihood that it will be hacked.
Check Point Research has been monitoring sophisticated attacks on authorities in numerous European countries since January 2023. The campaign made use of a broad number of tools, one of which was an implant, which is a tactic that is often linked with Chinese government-backed cybercriminals. This action has substantial infrastructure similarities with activities that have been previously published by Avast and ESET, which links it to the “Mustang Panda” malware family. This cluster of suspicious behavior is
being monitored by CPR as “Camaro Dragon” at the moment.
According to experts from Check Point named Itay Cohen and Radoslaw Madej, an investigation of these attacks has uncovered a bespoke firmware implant that was created specifically for TP-Link routers. “The implant features several malicious components, including a custom backdoor named ‘Horse Shell,’ that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks,” the firm claimed.
“Because of the implant’s firmware-agnostic design,” its components may be incorporated into different types of software by a variety of different manufacturers. At this time, the precise mechanism that was utilized to distribute the altered firmware images on the compromised routers is unclear. Likewise, its utilization and participation in real attacks are also unknown. It is believed that the first access may have been gained by taking advantage of security holes that were already known about or by brute-forcing devices that had passwords that were either the default or readily guessed.
According to what is currently known, the C++-based Horse Shell implant gives attackers the ability to run arbitrary shell commands, upload and download files to and from the router, and relay communication between two separate clients. However, in an intriguing turn of events, it is suspected that the router backdoor targets random devices on residential and home networks. This finding lends credence to the theory that hacked routers are being co-opted into a mesh network with the intention of establishing a “chain of nodes between main infections and real command-and-control.”
The purpose of relaying communications between infected routers by utilizing a SOCKS tunnel is to establish an extra layer of anonymity and disguise the end server. This is accomplished by the fact that each node in the chain possesses information only about the nodes that came before and after it in the chain.
To put it another way, the approaches obfuscate the origin and destination of the traffic in a manner that is comparable to how TOR works, which makes it far more difficult to discover the scope of the attack and disrupt it. The finding is just one more illustration of a long-standing pattern in which Chinese threat actors target internet-facing network equipment in order to manipulate the underlying software or firmware of such devices.
Cybersecurity researchers and IT admins have raised concerns over Google’s new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery.
Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses.
The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.
While the ZIP and MOV TLDs have been available since 2014, it wasn’t until this month that they became generally available, allowing anyone to purchase a domain, like bleepingcomputer.zip, for a website.
However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications.
The concern
Two common file types seen online are ZIP archives and MPEG 4 videos, whose file names end in .zip (ZIP archive) or .mov (video file).
Therefore, it’s very common for people to post instructions containing filenames with the .zip and .mov extensions.
However, now that they are TLDs, some messaging platforms and social media sites will automatically convert file names with .zip and .mov extensions into URLs.
For example, on Twitter, if you send someone instructions on opening a zip file and accessing a MOV file, the innocuous filenames are converted into an URL, as shown below.
Twitter automatically linkifying .zip and .mov file names Source: BleepingComputer
When people see URLs in instructions, they commonly think that the URL can be used to download the associated file and may click on the link. For example, linking filenames to downloads is how we usually provide instructions on BleepingComputer in our articles, tutorials, and discussion forums.
However, if a threat actor owned a .zip domain with the same name as a linkified filename, a person may mistakenly visit the site and fall for a phishing scam or download malware, thinking the URL is safe because it came from a trusted source.
While it’s very unlikely that threat actors will register thousands of domains to capture a few victims, you only need one corporate employee to mistakenly install malware for an entire network to be affected.
Abuse of these domains is not theoretical, with cyber intel firm Silent Push Labs already discovering what appears to be a phishing page at microsoft-office[.]zip attempting to steal Microsoft Account credentials.
ZIP domain used for Microsoft Account phishing Source: Silent Push Labs
Cybersecurity researchers have also started to play with the domains, with Bobby Rauch publishing research on developing convincing phishing links using Unicode characters and the userinfo delimiter (@) in URLs.
Rauch’s research shows how threat actors can make phishing URLs that look like legitimate file download URLs at GitHub but actually take you to a website at v1.27.1[.]zip when clicked, as illustrated below.
These developments have sparked a debate among developers, security researchers, and IT admins, with some feeling the fears are not warranted and others feeling that the ZIP and MOV TLDs add unnecessary risk to an already risky online environment.
Regarding the .zip domains I complained about – I think it's dumb and unnecessarily creates confusion and will leave to various minor phishing schemes/tricks/address-confusion attacks… but it's just going to get forced into being another TLD. It just feels uniquely unneeded.
People have begun registering .zip domains that are associated with common ZIP archives, such as update.zip, financialstatement.zip, setup.zip, attachment.zip, officeupdate.zip, and backup.zip, to display information about the risks of ZIP domains, to RickRoll you, or to share harmless information.
Open source developer Matt Holt also requested that the ZIP TLD be removed from Mozilla’s Public Suffix List, a list of all public top-level domains to be incorporated in applications and browsers.
However, the PSL community quickly explained that while there may be a slight risk associated with these TLDs, they are still valid and should not be removed from the PSL as it would affect the operation of legitimate sites.
“Removing existing TLDs from the PSL for this reason would just be wrong. This list is used for many different reasons, and just because these entries are bad for one very specific use-case, they are still needed for (almost) all others,” explained software engineer Felix Fontein.
“These are legit TLDs in the ICP3 root. This will not proceed,” further shared PSL maintainer Jothan Frakes.
“Really, the expressed concerns are more of a glaring example of a disconnect between the developer and security community and domain name governance, where they would benefit from more engagement within ICANN.”
At the same time, other security researchers and developers have expressed that they believe the fears regarding these new domains are overblown.
When BleepingComputer contacted Google about these concerns, they said that the risk of confusion between file and domain names is not new, and browser mitigations are in place to protect users from abuse.
“The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip.
At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip. Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users.” – Google.
What should you do?
The reality is that you do not need to do anything extra than you are already doing to protect yourself from phishing sites.
As everyone should already know, it is never safe to click on links from people or download files from sites you do not trust.
Like any link, if you see a .zip or .mov link in a message, research it before clicking on it. If you are still unsure if the link is safe, do not click on it.
By following these simple steps, the impact of the new TLDs will be minimal and not significantly increase your risk.
However, the exposure to these links will likely increase as more applications automatically turn ZIP and MOV filenames into links, giving you one more thing to be careful about when online.
KeePass is a piece of software that is both open-source and free to use. It is a trusted companion for users of Windows, Linux, and Mac OS X, as well as users of mobile devices. However, a newly found security hole has brought attention to the program, demonstrating that not even the most secure of systems are immune to the possibility of having security problems.
This security flaw, which has been given the identifier CVE-2023-32784, makes it possible for the user’s master password to be dumped from memory even when the user’s workspace is closed or the program is no longer active. The master password is the main key that may be used to unlock the user’s database of passwords. A hostile actor could be able to extract the plain text master password from a memory dump. KeePass 2.x versions previous to 2.54 include this vulnerability. This vulnerability is widespread in KeePass 2.x versions. It’s possible that this is a dump of the KeePass process, but it might also be a swap file, a hibernation file, or even a RAM dump of the whole system. The fact that the initial character of the password cannot be reconstructed is the only minor solace in this situation.
A researcher by the name of vdohney built a proof-of-concept tool and gave it the suitable moniker “KeePass Master Password Dumper” in order to draw attention to this issue. This program provides a clear demonstration of how the master password might be retrieved from KeePass’s memory with the exception of the first character. This can be done without needing code to be executed on the machine that is being targeted, and it can be done even if the workspace is locked or if KeePass is no longer operating.
When entering passwords, KeePass 2.X makes use of a text box that was built specifically for it called SecureTextBoxEx. This text box is utilized not just for the insertion of the master password, but also in other locations in KeePass, such as password edit boxes (which means that the attack may also be used to retrieve the contents of other password edit boxes).
The vulnerability that is being exploited here is the fact that a leftover string is formed in memory for each character that is entered. Because of the way that.NET operates, once an instance of it has been created, it is very difficult to delete it. For instance, when the word “Password” is entered, it will leave behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The proof-of-concept program looks through the dump to find these patterns and suggests a possible character to use for each location in the password.
The reliability of this attack is susceptible to change based on the manner in which the password was written as well as the number of passwords that were input within a single session. However, it appears that the way.NET CLR creates these strings implies that they are likely to be well ordered in memory. This is true even if there are numerous passwords used for a single session or if there are errors in the passwords. Therefore, if three distinct passwords were entered, you have a good chance of getting three options for each character place in that sequence. This enables you to recover all three passwords if they were entered.
Should You Be Concerned About This? It is dependent on the threat model you choose. This discovery does not significantly worsen your condition if your machine is already infected with malware that is operating in the background with the rights of your user. On the other hand, in contrast to KeeTheft and KeeFarce, there is no need for any kind of process injection or other code execution for the malware to be stealthy and dodge the antivirus software. This may make it simpler for the malware.
It might be a problem if you have a reasonable suspicion that someone could get access to your computer and undertake forensic examination. Even if KeePass is completely shut down or secured, it is still possible for the master password to be rediscovered. This is the worst-case situation.
If you have a clean machine and utilize full disk encryption with a strong password, you should be OK. Because to this discovery, it will be impossible for anybody to steal your credentials remotely over the internet.
Today, API security company Salt Security announced it is now an Amazon Web Service (AWS) Web Application Firewall (WAF) Ready Partner. This service helps customers discover Partner solutions validated by AWS Partner Network (APN) Solutions Architects that integrate with AWS WAF to accelerate adoption of an enhanced and holistic security approach. AWS WAF is available to all AWS customers and all AWS Regions and can be deployed directly from the AWS console.
This partnership differentiates Salt Security as an APN member with a product that works with AWS WAF and is generally available for AWS customers. AWS WAF Ready Partners help customers quickly identify easy-to-deploy solutions that can help detect, mitigate, and analyse some of the most common internet threats and vulnerabilities.
Today, businesses of all shapes and sizes are focused on ensuring that websites and applications are protected from external threats that can lead to a loss of revenue, loss of customer trust, and loss of brand reputation. Implementing a WAF can be a challenging task that requires deep security experience that can be expensive and hard to find in-house. AWS WAF Ready Partners offer customers a simpler solution to deploying and maintaining their application layer security solution through easy-to-deploy solutions in order to detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.
Gilad Barzilay, head of business development, Salt Security said: “As an AWS Software Path Partner and member of AWS ISV Accelerate Program, Salt is proud to expand our existing relationship with AWS by becoming an AWS WAF Ready Partner. Many of our customers rely on Salt to secure their APIs on AWS. By achieving these designations, we make it easier and faster for businesses to protect the APIs running on their AWS environments. Our customers benefit from our unique cloud-scale API data lake architecture, which applies AI and ML for API discovery and threat protection.”
“Deploying the Salt platform took almost no effort,” said Jason Weitzman, senior application security engineer at Xolv Technology Solutions. “It integrated quickly with our existing Cloudflare, AWS, Jira and other systems. It also started identifying errors and delivering insights on how to craft better APIs within minutes.”
The Salt platform deploys out of band, to avoid any interference with application performance or availability. The Salt platform pairs with AWS WAF as an API traffic collection point and to block detected attackers. To support the seamless integration and deployment of solutions such as the Salt platform, AWS established the AWS Service Ready Program. The program helps customers identify solutions integrated with AWS services and spend less time evaluating new tools, and more time scaling their use of solutions that are integrated with AWS services.
APIs are a hot topic among cybersecurity professionals and C-suites at the moment due to their increasingly vital business roles. Earlier this year Salt released a new API report that showed a 400% Increase in Attackers, demonstrating the prevalence.
Unfortunately, some laws restrict genuine security research. As we await the findings of UK Home Office’s review of the 1990 Computer Misuse Act, it’s time to rethink traditional approaches to security testing and for the UK government to support the case for ethical hacking proactively.
Why criminals have had the upper hand
Cybercriminals have had the advantage over businesses for too long. Poorly written code in old applications, unpatched software, and forgotten digital scaffolding accidentally left up after projects were completed are a few examples of how mistakes made years ago enable fresh attacks. However, it’s not just coding errors from the past that cause issues. Software is now dominated by open-source products; at least one known open-source vulnerability was detected by Synopsis in 84% of all commercial and proprietary code bases.
Although organizations have begun designing more robust security processes and testing throughout the software development lifecycle, it is often the same people who built the systems that are checking for issues. In addition, security activities tend to be siloed (e.g., we test an application but ignore the API). This reductionist view of cybersecurity all too often misses the bigger picture, but for a cyber attacker the whole is the goal.
The case for ethical hacking
What’s needed is fresh eyes and an outsider mentality to see where issues exist. This is where ethical hacking comes in. An organization can have a legion of external researchers on their side probing continuously for any weaknesses, uncovering vulnerabilities that automated scans and internal teams miss, performing recon to discover new insecure assets.
Like cybercriminals, hackers will also be leveraging tools such as publicly available Common Vulnerabilities and Exposures (CVE) databases. They go beyond CVEs in known applications to discover and examine hidden assets that potentially pose a greater risk. One-third of organizations say they monitor less than 75% of their attack surface and 20% believe over half of their attack surface is unknown or not observable. So, it’s easy to understand why cybercriminals with significant and often cheap labor power plus an array of techniques target unknown assets and regularly uncover exploitable vulnerabilities.
The way to keep pace and avoid burnout in internal security teams is to engage hackers to work on their behalf by setting up a vulnerability disclosure program (VDP).
The value of a vulnerability disclosure program (VDP)
VDPs are structured frameworks for security researchers to help proactively and continuously test internet-facing applications and infrastructure, documenting and submitting any found vulnerabilities. Program providers have amassed communities of ethical hackers and security researchers numbering in the hundreds of thousands, all with unique skill sets and perspectives to strengthen the security of an organization’s applications. Hackers perform ongoing tests in internet-facing assets including third-party software such as open-source libraries.
When a VDP is implemented, statistics indicate that over a quarter receive a vulnerability report within the first day of a program launch and new customers are notified of four high or critical vulnerabilities within their first month of use.
Therefore, ongoing feedback from hackers regarding the potential impact of vulnerabilities effectively extends the reach and knowledge of in-house security teams. Trying to deliver, and maintain, this breadth and depth of coverage in-house simply isn’t viable for most organizations.
Ethical hacking in practice
So, what does ethical hacking look like in practice? Programs offered by vulnerability disclosure platform providers can be tailored to meet all sizes and types of requirements.
The UK’s National Cyber Security Centre is leading the way with its vulnerability disclosure reporting program that covers its own website and extends to any online government site, as necessary.
Another government example is the Ministry of Defence (MoD), which has worked with the hacking community to build out its bench of technical talent and to bring more diverse perspectives to protect and defend assets. This collaboration enabled an understanding of where their vulnerabilities were which is an essential step when working to reduce cyber risk and improve overall resilience.
Incentivizing hackers
Enterprises with large asset inventories could consider taking a further step in the form of a vulnerability rewards program (VRP) that offers financial incentives to report vulnerabilities. Businesses can invite hackers that specialize in specific technologies to participate, depending on the assets that are in scope for the program. By offering competitive rewards or bounties, companies will attract the top independent security talent worldwide.
If organizations are seen to provide more significant financial incentives for reporting vulnerabilities quickly and directly to them, then the value to cybercriminals of stockpiling vulnerabilities for future ransomware attacks will also diminish.
Reforming the law
Every digital organization operating in the UK should have a vulnerability disclosure program that can leverage the benefits of hacking.
To ensure encouragement and protection, the government needs to update the Computer Misuse Act (CMA). Currently, the CMA does not provide sufficient legal protections for good faith cyber vulnerability and threat intelligence research and investigation provided by UK-based cyber security professionals and hackers. We recommend the government revises the CMA to include a statutory defense for cyber security professionals who are acting in the public interest that defends them from prosecution by the state and from unjust civil litigation.
Tipping the balance towards safety
Outwitting cybercriminals remains a complex and burdensome task. Ethical hackers can help to tip the scales away from the bad actors for those organizations that are prepared to incorporate them into their security initiatives.
Supporting hackers financially and protecting them legally from misdirected prosecution will further increase the ever-growing community of hackers who are working to provide a safer internet for businesses and individuals.
