Supply chain risks are compounded for organizations that must protect both their IT and the OT from cyber-attacks. What technologies and approaches should they consider implementing? What specific pitfalls should they avoid, and how?

Most third party risk programs are IT-focused – including suppliers that have access to the organization’s intellectual property or network. But some OT suppliers have access – physical and remote – to the OT environment, for troubleshooting, maintenance, etc., and it’s important that the risk posed by those suppliers is included in the enterprise third party risk program, since remote access to OT poses obvious security risks, and on-site access often involves USB drives and other direct electronic access which also can introduce malware into the OT environment. The good news is that these vendors can simply be included in existing third party risk programs.

On the other hand, more and more suppliers are being impacted by ransomware hitting their OT environment. This impacts their ability to provide their products and services to their customers, which can in turn impact their customers’ operations. Therefore, the scope of third party risk programs needs to be broadened once again to include critical suppliers in OT – those whose products or services are critical to the organization’s own OT operations. Now the bad news: existing third party risk programs typically do not assess security risk in OT environments. In fact, although frameworks and best practices are emerging in OT security, organizations usually need to rely on OT security experts to assist in these assessments and remediation recommendations.

Finally, we have seen increasing cyber attacks against the software supply chain, as well as attacks targeting vulnerabilities in critical OT products. When choosing suppliers of critical OT products, it is important to determine whether the vendor is certified to ISA/IEC 62443 – the leading security certification in OT. Those certifications should be an important factor in choosing products for the OT environment.

How can IT and OT Sec teams improve their cooperation towards their common goal (of keeping all systems working to support the company in achieving its business objectives)?

Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment

Practical Industrial Cybersecurity: ICS, Industry 4.0, and IIoT

Another day, another De-Fi (decentralised finance) attack.

This time, online smart contract company Harmony, which pitches itself as an “open and fast blockchain”, has been robbed of more than $80,000,000’s worth of Ether cryptocoins.

Surprisingly (or unsurprisingly, depending on your point of view), if visit Harmony’s website, you’ll probably end up totally unware of the massive loss that the business just suffered.

Even the business’s official blog, linked to from the website, doesn’t mention it.

The most recent blog article dates to the very start of 2022, and is entitled Lost Funds Investigation Report.

Unfortunately, those lost funds aren’t these lost funds.

Apparently, at the start of the year, those lost funds happened when five individuals were ripped off to the tune of just over 19 million of Harmony’s ONE tokens, then apparently worth about 25 US cents each.

Harmony made an offer, back on 04 January 2022, stating that:

We wish to provide the suspect an opportunity to communicate with the Harmony Foundation and return all funds. Harmony will not pursue further legal action or dox your identity so long as we receive your full cooperation. The team will offer you a bounty to reveal how this theft was performed so long as it can be validated.

We’re not sure whether it’s legal for a company to offer to rewrite history to pretend that an unauthorised and probably illegal hack was actually legitimate research, though it did seem to work in the infamous $600 million hack of Poly Networks.

The perpetrator in that case made a flurry of curious pseudo-political blockchain announcements ALL IN CAPS, written in artifically poor English, to claim that money wasn’t the motivator behind the crime.

Ultimately, after currying favour with the cracker by adopting the nickname Mr White Hat, Poly Networks (to many people’s astonishment, including our own) got most of their funds back.

We’re also not sure just how much insulation from prosecution any offer from the victim not to “press charges” is likely to provide, given that in many countries, it’s the state that usually takes the decision to investigate, charge and prosecute suspects for criminal offences.

Some countries, such as England, do give private individuals (including professional bodies or charities) the right to conduct a private prosecution if the state doesn’t want to do it, but they don’t give crime victims a “corollary right” to prevent the state from prosecuting a case if it does want to do so.

Nevertheless, Poly Networks’ unexpected success in recovering more than half-a-billion dollars has encouraged other cryptocurrency businesses to try this “wipe the slate clean” approach, presumably on the grounds that there’s often not much else they can do.

But it doesn’t seem to work terribly often.

It certainly didn’t seem to work for Harmony in January 2022, though if the perpetrator hasn’t yet been able to cash out their ill-gotten gains, they might regret not taking up the offer.

By 15 January 2022, when Harmony’s fake “bug bounty offer” expired, ONE tokens peaked at $0.35, but have since sunk to below 2.5 cents each, according to CoinGecko.

Cryptography for Secure Encryption

The MITRE shared the list of the 2022 top 25 most common and dangerous weaknesses, it could help organizations to assess internal infrastructure and determine their surface of attack.

The presence of these vulnerabilities within the infrastructure of an organization could potentially expose it to a broad range of attacks.

“Welcome to the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” reads the announcement published by Mitre.

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).”

Mitre created the 2022 CWE Top 25 list leveraging Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each vulnerability. The organization also used CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog and applied a formula to score each weakness based on prevalence and severity.

The dataset analyzed by Mitre researchers to calculate the 2022 Top 25 contained a total of 37,899 CVE Records from the previous two calendar years.

Below is a list of the weaknesses in the 2022 CWE Top 25:

RANK	ID	NAME	SCORE	KEV COUNT (CVES)	RANK CHANGE VS. 2021
1	CWE-787	Out-of-bounds Write	64.20	62	0
2	CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	45.97	2	0
3	CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	22.11	7	+3
4	CWE-20	Improper Input Validation	20.63	20	0
5	CWE-125	Out-of-bounds Read	17.67	1	-2
6	CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	17.53	32	-1
7	CWE-416	Use After Free	15.50	28	0
8	CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	14.08	19	0
9	CWE-352	Cross-Site Request Forgery (CSRF)	11.53	1	0
10	CWE-434	Unrestricted Upload of File with Dangerous Type	9.56	6	0
11	CWE-476	NULL Pointer Dereference	7.15	0	+4
12	CWE-502	Deserialization of Untrusted Data	6.68	7	+1
13	CWE-190	Integer Overflow or Wraparound	6.53	2	-1
14	CWE-287	Improper Authentication	6.35	4	0
15	CWE-798	Use of Hard-coded Credentials	5.66	0	+1
16	CWE-862	Missing Authorization	5.53	1	+2
17	CWE-77	Improper Neutralization of Special Elements used in a Command (‘Command Injection’)	5.42	5	+8
18	CWE-306	Missing Authentication for Critical Function	5.15	6	-7
19	CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	4.85	6	-2
20	CWE-276	Incorrect Default Permissions	4.84	0	-1
21	CWE-918	Server-Side Request Forgery (SSRF)	4.27	8	+3
22	CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)	3.57	6	+11
23	CWE-400	Uncontrolled Resource Consumption	3.56	2	+4
24	CWE-611	Improper Restriction of XML External Entity Reference	3.38	0	-1
25	CWE-94	Improper Control of Generation of Code (‘Code Injection’)	3.32	4	+3

Mitre also shared trends Year-over-Year: 2019 to 2022 Lists; the first trend is a significant changes from the 2019 Top 25 to the 2022 Top 25. Drops in high-level classes such as CWE-119 and CWE-200 are steep, while the shift and increase to Base-level weaknesses is most apparent for weaknesses such as CWE-787 and CWE-502.

The second trend in year-over-year changes from 2019 to 2022 is a relative ve stability in the top 10 from 2021 to 2022, along with the steady rise of CWE-502: “Deserialization of Untrusted Data” over all four years.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Improving threat readiness

When your company’s data is leveraged in a cyber extortion attack, a quick determination must be made about the nature and extent of the attack, followed by the execution of plans to respond to and mitigate the attack. Because the longer a ransomware attack remains unaddressed, the more potential damage there could be to your organization’s ability to conduct business as usual.

While an organization’s ultimate goal is the total prevention of an attack, mitigation is a likelier (and perhaps more reasonable) goal, and organizations should prioritize preparedness just as much as prevention. Prevention includes the implementation of best practices and measures that can stop ransomware events from happening while also positioning the organization to sustain as little as damage as possible, should an attack occur.

Ransomware readiness can be divided into three major components: preparation, detection and isolation.

Preparation

Your organization’s ability to respond to a ransomware event is directly affected by the tools you have readily available to you in the moment, which makes preparation a key part of successfully navigating an attack. Good preparation works twofold to educate your teams on how to prevent attacks, and to provide guidance on what to do in case you are targeted.

The following are some of the components you may wish to include as you map out your organization’s planning around cyber extortion attacks.

• Create an Incident Response playbook that contains all relevant information related to responding to a ransomware attack.
• Regularly hold mandatory training sessions for employees to educate them on how to prevent giving threat actors access to company systems to carry out an attack. The importance of password hygiene, warning signs of email phishing, and best practices for online safety may be among the topics covered.
• Empower employees to help prevent attacks by providing them with protocols and resources to report suspicious activity and voice their concerns if they feel there is a risk that needs to be addressed.

Detection

Detection refers to the tools, technology, people, and processes in place to notice that attack is happening or has occured, and to identify its source within the network. Specific subcomponents of detection include:

• Having a robust system of platforms configured to monitor your networks and alert you if suspicious activity occurs, such as the appearance of a known ransomware file extension or the rapid renaming of a large volume of files, which can signal that they’re being encrypted.
• Fueling your threat intelligence program with easily accessible and updated knowledge about specific ransomware actors/groups and tactics, techniques, and procedures (TTPs)—including technical intelligence—to better anticipate potential risk apertures and attacks.
• Implement multi-factor authentication to reduce the likelihood of ransomers gaining unauthorized access to your systems.

Isolation

To limit its spread, isolation should be your organization’s first priority after you realize a ransomware attack is targeting your organization. Designing your systems in a way that separates different networks can be very impactful when every second counts. Specific subcomponents of isolation include:

• Limiting any individual employee’s access to only the files and data they must have to do their jobs.
• Shutting down infected systems and completely disconnecting them from your organization’s network as quickly as possible.
• Disabling means of spreading potentially harmful data among devices, including VPN, NAC, and AD-user.

Responding to an ransomware attack

Once you have successfully caught and halted a ransomware attack’s progression, it is critical to have a response plan already in place to help you save time making decisions and keep emotional reactions in check, which can occur during a potential emergency. It can be difficult to determine the full scope of a ransomware attack, and the more data that the threat actor extorts or encrypts, the longer it may take to understand the nature of the breach.

Ransomware Protection Playbook

Expert discovered a remote memory-corruption vulnerability affecting the latest version of the OpenSSL library.

Security expert Guido Vranken discovered a remote memory-corruption vulnerability in the recently released OpenSSL version 3.0.4. The library was released on June 21, 2022, and affects x64 systems with the AVX-512 instruction set.

“OpenSSL version 3.0.4, released on June 21th 2022, is susceptible to remote memory corruption which can be triggered trivially by an attacker. BoringSSL, LibreSSL and the OpenSSL 1.1.1 branch are not affected. Furthermore, only x64 systems with AVX512 support are affected. The bug is fixed in the repository but a new release is still pending.” reads the post published by Vranken.

The issue can be easily exploited by threat actors and it will be addressed with the next release.

Google researcher David Benjamin that has analyzed the vulnerability argues that the bug does not constitute a security risk. Benjamin also found an apparent bug in the paper by Shay Gueron upon which the RSAZ code is based.

A Concise Guide to SSL/TLS for DevOps

Sonatype researchers have discovered Python packages that contain malicious code that peek into and expose secret AWS credentials, network interface information, and environment variables.

All those credentials and metadata then get uploaded to one or more endpoints, and anyone on the web can see this. Going up a directory level showed hundreds of TXT files containing sensitive information and secret.

In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, explains the situation in more detail.

Python – How to access DB credentials from AWS Secrets Manager? 

Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.

Table of Contents

1. Hospitals as an important part of the critical infrastructure
2. Hospitals need special protection to keep patients safe.
3. Some Of the Specific Things That Can Be Done to Protect Hospitals Against Cyberattacks
4. There are various practices and systems in place to protect critical infrastructure and hospitals.
5. Is there anything hospital patients can do to reduce their risk?
6. Conclusion

Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Google: Seven zero-days in 2021 developed commercially and sold to governments

Google’s Threat Analysis Group (TAG) released a new report on Thursday chronicling an Italian spyware vendor selling technology used on victims in Italy and Kazakhstan.

The report mirrors another from cybersecurity company Lookout that was published last week covering “Hermit” – a brand of surveillanceware developed by spyware vendor RCS Labs and telecoms company Tykelab Srl.

The Google report examined the spyware from RCS Labs, noting that the Italian vendor “uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.”

Google TAG researchers Benoit Sevens and Clement Lecigne also touch on the wider commercial spyware industry, noting that Google continues to track the activities of vendors and recently testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the work they’re doing “to monitor and disrupt this thriving industry.”

“Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors,” Sevens and Lecigne explained. 

“TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.”

iOS and Android versions

https://therecord.media/google-seven-zero-days-in-2021-developed-commercially-and-sold-to-governments/

The Israeli surveillance firm NSO Group revealed that its Pegasus spyware was used by at least five European countries.

The controversial Israeli surveillance vendor NSO Group told the European Union lawmakers that its Pegasus spyware was used by at least five countries in the region.

NSO Group’s General Counsel Chaim Gelfand admitted that the company had “made mistakes,” but that after the abuses of its software made the headlines it has canceled several contracts.

“We’re trying to do the right thing and that’s more than other companies working in the industry,” Gelfand told members of the PEGA committee. “Every customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.”

In April, the Parliament set up a new inquiry committee investigating the use of Pegaus spyware and equivalent surveillance software used to spy of phones belonging to politicians, diplomats, and civil society members. The spyware was used to target several European leaders, including Spain’s Prime Minister Pedro Sánchez, and Spanish political groups, Hungary, and Poland.

In February, the European Data Protection Supervisor (EDPS) authority called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.

The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection. 

“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS). 

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”

Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.

The bad news is that the business of digital surveillance is growing in scaring and uncontrolled way. Recently, experts spotted other surveillance malware infecting systems worldwide, such as the HERMIT spyware that was linked to an Italian firm.

If you want to read more info on the Pegasus spyware give a look at a report investigating Pegasus spyware impacts on human rights has been launched by the Council of Europe on the occasion of the summer session of the Parliamentary Assembly.

The report was prepared by the Information Society Department with contributions from Tamar Kaldani the former Personal Data Protection Inspector and the State Inspector of Georgia, currently serving as the first Vice-chair of the Consultative Committee of Convention 108 and Zeev Prokopets – an Israeli executive, product designer, software developer and entrepreneur.

“An investigation report released by a global consortium26 revealed that 200 journalists worldwide had been targeted using Pegasus spyware. The Office of the UN Special Rapporteur for Freedom of Expression also noted the number of victims of attempted spying through Pegasus, including Mexican journalists, human rights defenders and opposition leaders.27 “The numbers vividly show the abuse is widespread, placing journalists’ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,” – said Secretary-general of Amnesty International.” concludes the report. “The right to freedom of expression and information, as guaranteed by Article 10 of the Convention, constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and the development of every individual.”

And it’s like, what … 12, 13,000 total targets a year max, exec says

Pegasus Spyware – ‘A Privacy Killer’ 

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

https://www.bleepingcomputer.com/news/software/privacy-focused-brave-search-grew-by-5-000-percent-in-a-year/

Brave Search, the browser developer’s privacy-centric Internet search engine, is celebrating its first anniversary after surpassing 2.5 billion queries and seeing almost 5,000% growth in a year.

To celebrate this success, Brave Software announced that Brave Search is finally exiting its beta phase and will become the default search engine for all users of the Brave browser.

Additionally, a new search results curation feature called “Goggles” will be released in beta and made available to those who wish to test it.

Brave Search grows by almost 5,000%

Since launching in June 2021, Brave Search grew by almost 5,000%, starting with 8.1 Million search queries in June 2021 and growing to 411.7 million by the end of May 2022.

Brave says it grew its current query volume four times quicker than DuckDuckGo, likely assisted by its large community of Brave Browser users.

Brave says that independence has remained at the epicenter of the company’s focus, with Brave Search users receiving 92% of their queries directly from Brave’s independent search index rather than through Bing and Google indexes. 

“Search engines that depend too much or exclusively on Big Tech are subject to censorship, biases, and editorial decisions,” explains Brave in the blog post.

“Brave Search is committed to openness in search. It does not manipulate its algorithm to bias, filter, or down-rank results (unless it’s compelled by law to do so).”

Besides focusing on privacy and independence, Brave also strived to offer new mechanisms that would enrich the experience of using Brave Search.

Discussions were introduced this April as a new feature on Brave Search to draw results from social media platforms like Reddit.

Sick of the unending stream of email and phone calls you receive from scammers claiming to represent your bank? Amazon? Microsoft? The tax office? The police?

We sympathise – we’re sick of them too, especially landline calls that could be a loved one calling for help or advice, and thus need to be answered…

…but that rarely, if ever, turn out to have a familiar voice at the other end.

Perhaps you’re one of the 40,000,000 or so viewers of famous science-and-engineering YouTuber Mark Rober’s video entitled Pranks Destroy Scam Callers – GlitterBomb Payback?

Rober makes some alarming but entirely believable claims of just how much money [a] a top call-centre scammer can make if they hit their on-target earnings and [b] just how much a typical call centre of this sort turns over each day.

If you haven’t seen it, the video starts with the words, “I have 100 cockroaches here, and I placed them in this James Bond-style contraption,” so you can probably imagine how things end.

Despite the not-very-threatening outcome when Rober later releases the insects inside a scam call centre where he has access to footage from the CCTV feed, the video gives a good visual indication of just how industriously and unrelentingly these scammers operate. (When not driven from their work pods by roaches, that is.)

Fake refund scams

The scammers in Rober’s video seem to go in mainly for what are known as “fake refund” tricks, which go something like this:

• Scammers “refund” you an impressive but believable amount, say $2000, for an “over-billing” for a product or service you actually use.
• They then “help” you login to your bank account to ensure that the transaction went through.
• They sneakily edit the HTML in your browser so the page shows a transaction for ten times the amount originally mentioned.
• They cry out in alarm, claiming they themselves must have typed in an extra zero and that they’ve accidentally refunded too much.
• Then they burst into tears, or turn on the emotional blackmail, claiming they (or you!) will be liable for the massive difference, so please, oh! please! won’t you help?

Their goal is to lure, browbeat, wheedle, threaten, cajole, beg and convince you to refund the “extra” money out of your own account.

After all, you can see the giant refund is there… except that it isn’t, because the item on the page is fake, with the HTML modified in memory to show a huge deposit and a vastly increased balance.

You’re scammed into thinking that they’ve made a mistake that will definitely get them in trouble, and could get you into trouble, too.

The crooks therefore hope to persuade you to help them “cover up” their mistake by withdrawing the “excess” from your own account and paying the non-existent “difference” back to them via some other channel.

While you might be sure that no criminal would ever catch you out with an apparently obvious trick like this, you’ll probably admit that, like most things, this sort of scam is only truly obvious the second time you see it or hear about it.

Scams 2022: An Exposition to Scams and How Not to be the Next Victim: Protecting Yourself From Every Type of Fraud

https://portswigger.net/daily-swig/internet-scans-find-1-6-million-secrets-leaked-by-websites

Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains.

Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code.

Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information disclosure vulnerabilities via a “non-intrusive” probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.

DON’T MISS Email platform Zimbra patches memcached injection flaw that imperils user credentials

“The number of secrets exposed via the front end of hosts is alarmingly huge,” said Pinaki Mondal, security researcher at RedHunt Labs, in a blog post.

“Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.”

Millions of secrets

The first of two mammoth scans focused on the one million most heavily trafficked websites. It yielded 395,713 secrets, three quarters of which (77%) were related to Google services reCAPTCHA, Google Cloud, or Google OAuth.

Google’s reCAPTCHA alone accounted for more than half (212,127) of these secrets – and the top five exposed secret types was completed by messaging app LINE and Amazon Web Services (AWS).

Phase two, which involved scanning around 500 million hosts, surfaced 1,280,920 secrets, most commonly pertaining to Stripe, followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.

Read more of the latest cybersecurity research news and analysis

A majority of exposures across both phases – 77% – occurred in frontend JavaScript files.

Most JavaScript was served through content delivery networks (CDNs), with the Squarespace CDN leading the way with over 197,000 exposures.

Mondal blamed the “decades”-old problem of leaked secrets on the “complexities of the software development lifecycle”, adding: “As the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.”

‘Non-intrusive’ research

The RedHunt Labs research team told The Daily Swig that they are still “continuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home page”.

The researchers said they had encountered no legal problems related to the research so far.

“We received a few abuse reports against the boxes on which the scan was run and we have handled them,” they said.

The “extremely non-intrusive” process involved no “more than a few HTTP requests per domain” and no written actions – “only read requests to HTTP URLs and JavaScript files were sent”.

The captured secrets, meanwhile, are “stored on an encrypted volume with access to very limited folks” and “will be disposed of after a month”, added the researchers.

Red Hunt Labs has open-sourced the tool developed for the research and created a demonstration video:

Called HTTPLoot, it can crawl and scrape URLs asynchronously, check for leaked secrets in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.

Redhunt Labs has set out four best practices for preventing and mitigating leaked secrets, including setting restrictions on access keys, centrally managing secrets in a restricted environment or config file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage issues.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Google Project Zero experts disclosed details of a 5-Year-Old Apple Safari flaw actively exploited in the wild.

Researchers from the Google Project Zero team have disclosed details of a vulnerability in Apple Safari that was actively exploited in the wild.

The vulnerability, tracked as CVE-2022-22620, was fixed for the first time in 2013, but in 2016 experts discovered a way to bypass the fix.

“Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations.” reads the post published by Google Project Zero. “This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022.”

Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22620  (CVSS score: 8.8), in the WebKit affecting iOS, iPadOS, macOS, and Safari that may have been actively exploited in the wild.

The zero-day vulnerability was fixed by Apple in February, it is a use-after-free issue that could be exploited by processing maliciously crafted web content, leading to arbitrary code execution

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the security advisory published by Apple. “A use after free issue was addressed with improved memory management.” the google researcher Maddie Stone added. “The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.”

The vulnerability was reported by an anonymous researcher and the company addressed it by improving memory management.

Stone analyzed the changes to the software over the years, she started by analyzing the code of the patch shared by Apple and the description of the issue from the security bulletin stating that the vulnerability is a use-after-free.

“Whenever I’m doing a root cause analysis on a browser in-the-wild 0-day, along with studying the code, I also usually search through commit history and bug trackers to see if I can find anything related. I do this to try and understand when the bug was introduced, but also to try and save time.” she said.

The researcher noticed that the commits dated October 2016 and December 2016 were very large, she discovered that the commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions.

“Usually when we talk about variants, they exist due to incomplete patches: the vendor doesn’t correctly and completely fix the reported vulnerability. However, for CVE-2022-22620 the vulnerability was correctly and completely fixed in 2013. Its fix was just regressed in 2016 during refactoring. We don’t know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for 5 years: December 2016 until January 2022.” concludes the expert. “There’s no easy answer for what should have been done differently. The developers responding to the initial bug report in 2013 followed a lot of best-practices.”

The Art of Mac Malware: The Guide to Analyzing Malicious Software

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.

Buy the ISO 27001:2022 toolkit now, and receive the 2013 revision toolkit for free! Then you’ll have time to go over your implementation plans and decide if you should start with the project right now, or postpone it until later. With this bundle, you are covered for whatever option you choose.

Step-by-step guidance with LIVE EXPERT SUPPORT

• 45 document templates – unlimited access to all documents required for  ISO 27001 certification, plus commonly used non-mandatory documents 
• Access to video tutorials 
• Email support 
• Expert review of a document 
• One hour of live one-on-one online consultations
  with an ISO 27001 expert 
• Receive ISO 27001:2022 and ISO 27001:2013 toolkit documents. 

Information security, cybersecurity and privacy protection. Information security controls ISO/IEC 27002:2022

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Deep Instinct released the third edition of its annual Voice of SecOps Report, focused on the increasing and unsustainable stress levels among 1,000 C-suite and senior cybersecurity professionals across all industries and roles. The research found that 45% of respondents have considered quitting the industry due to stress, with the primary issues being an unrelenting threat from ransomware and the expectations to always be on call or available.

The research reinforced that paying a ransom remains a hotly debated topic. 38% of respondents admitted to paying a ransom, with 46% claiming their data was still exposed by the hackers; and 44% could not restore all their data even after a ransom was paid.

The great cybersecurity resignation

The job of defending against increasingly advanced threats on a daily and hourly basis is causing more problems than ever as 46% of respondents felt their stress had measurably increased over the last 12 months. This was especially the case for those working within critical infrastructure. These increased stress levels have led cybersecurity professionals to consider leaving the industry altogether, joining in the “Great Resignation,” rather than moving to a new cybersecurity role at a new employer.

• 45% admit to considering quitting the industry on at least one or two occasions
• 46% know at least one person who left cybersecurity altogether in the past year due to stress

Who’s stressed and why?

Stress is not only felt by SOC teams and others on the cyber frontlines but also among those in the C-Suite who are making the difficult decisions on how to use their available resources more efficiently.

Biggest stress culprit: Ransomware

45% of respondents said that ransomware was the biggest concern of their company’s C-Suite. The survey found that 38% of respondents admitted to paying up in order to receive the encryption key primarily to avoid downtime (61%) or bad publicity (53%). However, paying the ransom did not guarantee a resolution post-attack in many cases.

Of those reporting that a payment was made:

• 46% claimed to still have their data exposed by the hackers
• 44% couldn’t restore all their data
• Only 16% claimed to have no further issues to date

In response to these issues with ransomware payment, 73% of respondents claimed they would not pay a ransom in the future.

Among those who claimed they would still pay a ransomware demand in the future, widespread fear remained that they would be trouble-free in the future.

The fear of paying a ransom in the future included the following:

• 75% do not expect to have all their data restored
• 54% fear the criminals will still make the exfiltration of data public knowledge, and
• 52% fear the attackers will have installed a back door and will return

“Considering that the constant waves of cyber-attacks are likely to become more common and evasive as we move forward, it’s of the utmost importance to ensure that those who dedicate their careers and lives to defending our businesses and country don’t become overly stressed and give up,” said Guy Caspi, CEO of Deep Instinct.

“By adopting and utilizing new defensive techniques, like artificial intelligence and deep learning, we can help the cybersecurity community mitigate one of the most important issues that is often overlooked by many: the people behind the keyboard.”

Fight Fire with Fire: Proactive Cybersecurity Strategies for Today’s Leaders

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

ALPHV/BlackCat ransomware group began publishing victims’ data on the clear web to increase the pressure on them and force them to pay the ransom.

ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom, the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online will make data indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.

The ALPHA/BlackCat gang has been active since at least December 2021 when malware researchers from Recorded Future and MalwareHunterTeam discovered their operation. The ALPHA/BlackCat is the first professional ransomware strain that was written in the Rust programming language.

BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

In the past, many victims of past ransomware attacks were not concerned about the publication of their data on a leak site in the Tor network believing that dark nets are not easy to access to the masses.

The ransomware gangs set up a website on the clear web for each victims and publish the stolen data on it.

It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

Marion County, right in the middle of the US state of Indiana, and home to the state’s capital Indianapolis, is also currently home to a tragic court case.

(Thanks to fellow writers at The Register for that link – we couldn’t get to the official court site while we were writing this up.)

The short version of events is alleged to be as follows:

• Accused decides her partner’s cheating.
• Hides an Apple AirTag in the back of his car.
• Tells partner she’s getting ready to boot him out.
• Partner makes himself scarce.
• Texts him to say she knows where he is.
• Drives to the pub she thinks he’s in.
• Confronts him and attacks the woman he’s with.
• Gets thrown out of pub with the other two because of ruckus.
• Drives off a short way but sees partner in parking lot.
• Drives back and runs him over.
• Traps partner under car.
• Partner suffocates to death.

In the sombre and tragic words of the charge sheet, the court alleges that the accused “did knowingly kill another human being, […], all of which is contrary to statute and against the peace and dignity of the State of Indiana.”

The charge sheet makes interesting reading, and is a fascinating reminder of how old-school policing, such as promptly interviewing witnesses at the scene and securing relevant property that might be neeed in evidence…

…is mixed in with the need for today’s investigators to be familiar with modern technology and to how to involve it right from the start in the evidence they collect.

AIR TAG USER GUIDE

Nine Steps to Success – An ISO 27001 Implementation

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Experts spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.

Researchers from antivirus firm Avast spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.

The experts reported that the Syslogk rootkit is heavily based on an open-source, well-known kernel rootkit for Linux, dubbed Adore-Ng.

Experts highlighted that the kernel rootkit is hard to detect, it enables hiding processes, files, and even the kernel module. The experts pointed out that it also allows authenticated user-mode processes to interact with the rootkit to control it.

Linux rootkits are malware installed as kernel modules in the operating system. Once installed, they intercept legitimate Linux commands to filter out information that they do not want to be displayed, such as the presence of files, folders, or processes.

“The rootkit has a hide_module function which uses the list_del function of the kernel API to remove the module from the linked list of kernel modules. Next, it also accordingly updates its internal module_hidden flag.” reads the analysis published by Avast.

However, the researchers explained that the rootkit has a functionality implemented in the proc_write function that exposes an interface in the /proc file system which could be used as an indicator of compromise when the value 1 is written into the file /proc/syslogk.

Upon discovering the rootkit, it is possible to remove it from memory using the rmmod Linux command.

Syslogk is also able to hide the malicious payload by taking the following actions:

• The hk_proc_readdir function of the rootkit hides directories containing malicious files, effectively hiding them from the operating system.
• The malicious processes are hidden via hk_getpr – a mix of Adore-Ng functions for hiding processes.
• The malicious payload is hidden from tools like Netstat; when running, it will not appear in the list of services. For this purpose, the rootkit uses the function hk_t4_seq_show.
• The malicious payload is not continuously running. The attacker remotely executes it on demand when a specially crafted TCP packet (details below) is sent to the infected machine, which inspects the traffic by installing a netfilter hook.
• It is also possible for the attacker to remotely stop the payload. This requires using a hardcoded key in the rootkit and knowledge of some fields of the magic packet used for remotely starting the payload.

Avast researchers observed the Syslogk rootkit loading a Linux backdoor named Rekoobe, which will be activated on the compromised system when the rootkit receives a “magic packet” from the operators.

“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server. Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network.” continues the analysis. “Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”

Syslogk listens for specially crafted TCP packets that include special “Reserved” field values, “Source Port” numbering between 63400 and 63411 inclusive, “Destination Port” and “Source Address” matches, and a hardcoded key.

Experts believe that the Syslogk rootkit is under development and it will likely implement new features in the next versions.

“One of the architectural advantages of security software is that it usually has components running in different privilege levels; malware running on less-privileged levels cannot easily interfere with processes running on higher privilege levels, thus allowing more straightforward dealing with malware.” concludes the report which also includes indicators of compromise. “On the other hand, kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer. This is why it is essential for system administrators and security companies to be aware of this kind of malware and write protections for their users as soon as possible.”

Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices