Welcome to DISC InfoSec blog | Awareness and education are key in information security, we share InfoSec & compliance related information..to Learn more contact us »
Further, a recent Sophos survey found that the average post-attack remediation costs, including lost business, grew to nearly $2 million per incident in 2021, about 10 times the size of the ransom payment itself.
CISOs and hands-on security professionals are implementing several tactics to defend their organization, and these include proactive threat hunting and technical defenses like multi-factor authentication.
While these practices are helpful, they are focused on preventing attacks from happening in the first place while the harsh reality is that it’s no longer a question of if hackers are going to get in, but when. With so much at stake, why are data recovery and restoration often put on the back burner of the security conversationwhen it could be the most valuable tool in the security arsenal?
 flaw has a critical severity score of 9.9 out of 10, it was addressed by Microsoft in May.
“This issue allows a guest VM to force the Hyper-V host’s kernel to read from an arbitrary, potentially invalid address. The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address. It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host’s security.” reads the advisory published by the company.
vmswitch fails to validate the value of an OID (object identifier) request that is intended for a network adapter.
An attacker could exploit this vulnerability by sending a specially crafted packet from a guest virtual machine to the Hyper-V host.
“Some OID requests are destined to the external network adapter, or other network adapters connected to vmswitch. Such OID requests include, for example, hardware offloading, Internet Protocol security (IPsec) and single root I/O virtualization (SR-IOV) requests.” reads the post published by Guardicore.
“While processing OID requests, vmswitch traces their content for logging and debugging purposes; this also applies to OID_SWITCH_NIC_REQUEST. However, due to its encapsulated structure, vmswitch needs to have special handling of this request and dereference OidRequest to trace the inner request as well. The bug is that vmswitch never validates the value of OidRequest and can thus dereference an invalid pointer.”
Speaking to The Guardian, WhatsApp’s chief executive, Will Cathcart, said there are “parallels” between the 2019 attacks and a recent data leak allegedly implicating NSO Group clients in widespread cybersurveillance.
Israeli vendor NSO Group has experienced bad press in recent weeks due to a damning report issued by Forbidden Stories, Amnesty International, and various media outlets worldwide.
Forbidden Stories claimed that a leaked list of over 50,000 phone numbers allegedly revealed individuals either “of interest” or selected for targeting by clients. According to the non-profit’s Pegasus project, while an appearance on the list does not mean that someone was targeted or compromised by Pegasus, infection by the firm’s spyware was confirmed in “dozens” of cases.
Pegasus spyware has capabilities including remote access, both email and browser monitoring, location checks, information exfiltration, call recording, and the extraction of conversations across messaging applications including WhatsApp and Facebook.
NSO Group markets its products for use in criminal and terrorism-related investigations.
Alongside the alleged targeting of government officials, journalists, diplomats, political dissidents, lawyers, and activists were reportedly included in the leak.
This OSINT tutorial demonstrates the “RECON-NG tool” on Kali Linux. It discovers the type of Anti-Virus software (AV) the victim is running on their internal network.
It’s impossible to circumvent every Anti-Virus, yet an experienced attacker knows it is possible to avoid a specific AV software for a sufficient period. If an attacker discovers which Anti-Virus the victim is running, the attacker develops their virus undetectable by that Anti-Virus.
The Recon-NG is a robust tool for performing automatic data collection and network footprinting. One can access a variety of websites to get passive data or aggressively investigate the victim for details. It offers several functionalities that enable the attacker to capture user data for social engineering, network traffic for network analysis, and more.
Consider it a data-gathering version of Metasploit. Anybody aware of Metasploit will feel at ease with this GUI, which looked and feel like Metasploit.
RECON-NG relies on sending repetitive requests to a DNS server to determine whether the DNS server has a cache containing the Anti-Virus supplier’s website. If that runs, it means that the victim at an organization is using that particular Anti-Virus program. As a result, viewing the website requires upgrading the antivirus signatures. When the DNS server does not have a cache of the AV company’s website, one can assume that nobody inside the company has asked for the Anti-Virus company’s website.
Experts spotted a new strain of Android banking Trojan dubbed Vultur that uses screen recording and keylogging for the capturing of login credentials.
ThreatFabric researchers discovered a new Android banking Trojan, tracked as Vultur, that uses screen recording and keylogging to capture login credentials.
Vultur was first spotted in late March 2021, it gains full visibility on victims’ devices via VNC (Virtual Network Computing) implementation taken from AlphaVNC.
“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.” reads the analysis published by ThreatFabric.
Most of the apps targeted by Vultur belong to banks in Italy, Australia and Spain, experts discovered a link with a popular dropper framework called Brunhilda.
Viruses, Hardware and Software Trojans: Attacks and Countermeasures
The ‘Cost of a Data Breach’ report commissioned by IBM Security states that the cost of a data breach exceeded $4.2 million during the COVID19 pandemic. IBM Security presented today the annual study “Cost of Data Breach,” conducted by Ponemon Institute…
Embracing new technologies lead to qualitative growth but simultaneously holds high chances of quantitative data breaches. While adopting cloud technology, it is important to see the security of cloud infrastructure as one of the crucial responsibilities. There are various organizations out there that are still unsure of the security of their data present in the cloud environment.Â
In 2019, Collection #1, a massive data breach held responsible for compromising data set of over 770 million unique email addresses and 21 million unique passwords. The collection of data files was stored on a cloud storage service and MEGA. Similarly, information of over 108 million bets’ records was leaked by an online casino group. The leaked data included details of customers’ personal information along with deposits and withdrawals.
Then the same year, a famous food delivery service providing firm was breached, compromising the data of 4.9 million users, including consumers and delivery employees.
Additionally, a post from Security Boulevard says acording to a survey almost 98% of the companies had witnessed at least one cloud data breach in the past 18 months, that is compared to 79% in 2020.
Nowadays, cloud computing servers are becoming susceptible to data breaches. Cloud infrastructure security solutions help in ensuring that data like sensitive information and transaction is protected. It also helps in preventing the third party from tampering with the data being transmitted.
DDoS Protection
Distributed denial of service, aka DDoS attacks, is infamously rising and deployed to flood the computer system with requests. As a result, the website slows down to load to a level where it starts crashing when the number of requests exceeds the limit of handling. Cloud computing security provides solutions that focus on stopping bulk traffic that targets the company’s cloud servers.
Constant Support
When it comes to the best practices of cloud infrastructure security solutions, it offers consistent support and high availability to support the company’s assets. In addition, users get to enjoy the benefit of 27/7 live monitoring all year-round. This live monitoring and constant support offer to secure data effortlessly.
Threat Detection
Infrastructure security in the cloud offers advanced threat detection strategies such as endpoint scanning techniques for threats at the device level. The endpoint scanning enhances the security of devices that are accessing your network.
Supervision of Compliance
In order to protect data, the entire infrastructure requires to be working under complaint regulations. Complaint secured cloud computing infrastructure helps in maintaining and managing the safety features of the cloud storage.
The points mentioned above are clear enough to state how beneficial and vital is cloud infrastructure security for an organization. Unfortunately, there are very many high-profile cases that have been witnessed in past years relating to data breaches.
To patch the loopholes and strengthen the IT infrastructure security, it is crucial to keep the security of cloud storage services a high priority. Engage with the top-class cloud computing security tools to get better results and have the data secured.
To achieve real cybersecurity, business leaders must implement the right solutions to protect their assets from cyber threats. Checkout Cobalt PenTest as a Service to find out how to keep your organization secure from a cyber attack with effective penetration testing, and discover:
Why even the smallest business is a potential target
What penetration testing is, and how it works
The types of vulnerabilities that can exist for months without being detected
Why penetration tests are the best solution to uncovering vulnerabilities before criminals do
Having confidential documents on a system, like a pdf of financial data or a zip including personal images and videos, ensure they’re password-protected so nobody else can access them. Encrypting documents with a password provides security that although the device is under attack, the attackers would be unable to view files while on the system.
Even so, just like everything else, when files have a password, this can be brute-forced. And here we’re trying to understand about zydra, a file brute-forcing tool, and see how it works by brute-forcing a document and inspecting the details. You will only need a Kali Linux and some encrypted files to perform this tutorial. Zydra works in two modes: brute force and dictionary. And we will try the example on each way.
What skills should aspiring information security workers possess and work on? What certifications can come in handy more than others? What strategies should organizations employ to develop a well-staffed cybersecurity team? Where should they look for talent? What advice do those already working in the field have for those who want to enter it?
(ISC)² wanted to know the answer to these and other questions, so they asked 1,024 infosec professionals and 1,010 cybersecurity job pursuers in the U.S. and Canada.
A researcher found a flaw in Windows OS, tracked as PetitPotam, that can be exploited to force remote Windows machines to share their password hashes.
Security researcher Gilles Lionel (aka Topotam) has discovered a vulnerability in the Windows operating system that allows an attacker to force remote Windows machines to authenticate and share their password hashes with him. The news of the attack was first reported by The Record.
The attack abuse the Encrypting File System Remote (EFSRPC) protocol, which is used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network.
Lionel also published a proof-of-concept (PoC) exploit code on GitHub.
“PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function. This is possible via other protocols and functions as well  .” reads the description provided by the expert.
“The tools use the LSARPC named pipe with inteface c681d488-d850-11d0-8c52-00c04fd90f7e because it’s more prevalent. But it’s possible to trigger with the EFSRPC named pipe and interface df1941c5-fe89-4e79-bf10-463657acf44d.”
In the PetitPotam attack demonstrated by the expert, he sent SMB requests to a remote system’s MS-EFSRPC interface and forced its system to initiate an authentication procedure and share its NTLM authentication hash.
The NTLM authentication hash can be used to carry out a relay attack or can be lately cracked to obtain the victim’s password. The PetitPotam attack can be very dangerous because it allows attackers to take over a domain controller and compromise the entire organization.
Hi all, MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins on most orgz. Here is one another way we use to elicit machine account auth via MS-EFSRPC. Enjoy!! 🙂https://t.co/AGiS4f6yt8
WizCase’s team of ethical hackers, led by Ata Hakçıl, has found a major breach exposing a number of US cities, all of them using the same web service provider aimed at municipalities.
Over a 100 US cities appeared to be using the same product, mapsonline.net, provided by an American company named PeopleGIS. The data of these municipalities was stored in several misconfigured Amazon S3 buckets that were sharing similar naming conventions to MapsOnline. Due to this, we believe these cities are using the same software solution. Our team reached out to the company and the buckets have since been secured.
PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.
Our scanner revealed 114 Amazon Buckets that were named after the same pattern, revealing the connection to PeopleGIS. Among these, 28 appeared to be properly configured (meaning they weren’t accessible), and 86 were accessible without any password nor encryption.
This means there are 3 options:
PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured;
The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets;
The Municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.
The ransomware threat posed by organized crime groups is considerable, and its impact can be devastating and threaten the entire business. This makes it imperative for boards to ensure the company has taken necessary cybersecurity precautions to resist the threat. Additionally, executives have seen the value of efficient infosec firsthand over the last eighteen months. The efforts security teams have made to keep businesses safely functioning during a global pandemic have been impressive, if not heroic.
Regardless of why the C-level is focusing on IT infrastructure and strategy, this interest presents an opportunity for security teams. I know this is true because over the last few years F-Secure’s board has been refining how we cooperate to make better decisions about our security posture and risk appetite.
At the core of this process has been the creation of questions we use to make the best use of our time together. When approached holistically and answered honestly, these queries allow us to understand if we are focused on the right things, whether we are achieving our goals, and where our gaps are.
Since we would have benefited by having a list to start with, we’re sharing five of ours now to help other organizations.
Start with the easier ones
Here are the first three questions that I expect board members to ask me whenever they get a chance:
What are the key threats against your top assets?
How do you protect your assets from cybersecurity threats?
Whose responsibility is it to implement protections?
About a month ago, a security researcher revealed what turned out to be zero-day bug in Apple’s Wi-Fi software, apparently without meaning to:
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled it’s WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3
Carl Schou, founder of an informal hacker collective known as Secret Club, “created originally as a gag between friends who are passionate about technical subjects”, seems to have been doing what bug-hunters do…
…and trying out a range of potentially risky values in the Wi-Fi settings on his iPhone.
Schou set up a Wi-Fi access point with a network name (ESSID) of %p%s%s%s%s%n, and then deliberately connected his iPhone to it in order to check for what are known as format string vulnerabilities.
This sort of vulnerability is considered somewhat old-school these days, but as we have had good reason to say many times on Naked Security, “never assume anything” in the world of cybersecurity, and it seems that Schou followed this advice, and unexpectedly unearthed up a genuine bug.
Check Point Research (CPR) experts have spotted a cheap malware, dubbed XLoader variant, which was upgraded to target both Windows and macOS PCs.
XLoader is a very cheap malware strain that is based on the popular Formbook Windows malware.
FormBook is a data-stealing malware that is used in cyber espionage campaigns, like other spyware it is capable of extracting data from HTTP sessions, keystroke logging, stealing clipboard contents. FormBook can also receive commands from a command-and-control (C2) server to perform many malicious activities, such as downloading more payloads. FormBook was offered for sale in the criminal underground since July, it goes for $29 a week up to a $299 full-package “pro” deal. The customers pay for access to the platform and generate their executable files as a service.
The malware was pulled from sale in 2017, but it continued to infect systems across the world. In March 2020, MalwareHunterTeam uncovered a Coronavirus (COVID-19)-themed campaign that was distributing a malware downloader that delivers the FormBook information-stealing Trojan.
CPR team has now monitored XLoader since it first appeared in the threat landscape in February. XLoader borrows the code base with Formbook, but it also included major improvements, such as the capability of compromising macOS systems.
“On February 6, 2020 a new era began: the era of the Formbook successor called XLoader. On this day, XLoader was advertised for sale in one of the underground groups.” states the report published by CheckPoint. “On October 20, 2020, XLoader was offered for sale on the same forum which was used for selling Formbook.”
OWASP Top 10 vulnerabilities is a list of the 10 most common security vulnerabilities in applications. The Top 10 OWASP web application security vulnerabilities are updated every 3-4 years. Last updated in 2017, the vulnerabilities featuring on the list are:
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfigurations
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
OWASP Top 10 vulnerabilities help raise awareness of the latest threats facing websites and web applications. Organizations and developers can leverage this list to ensure secure coding, tune up security and keep their security posture fortified.
Windows “hives” contain registry data, some of it secret. The nightmare is that these files aren’t properly protected against snooping.
As if one Windows Nightmare dogging all our printers were not enough…
…here’s another bug, disclosed by Microsoft on 2021-07-20, that could expose critical secrets from the Windows registry.
Denoted CVE-2021-36934, this one has variously been nicknamed HiveNightmare and SeriousSAM.
The moniker HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files, known in Microsoft jargon as hives or hive files.
These hive files include a trio called SAM, SECURITY and SYSTEM, which between them include secret data including passwords and security tokens that regular users aren’t supposed to be able to access.
They’re kept in a special, and supposedly secure, folder under the Windows directory called C:\Windows\System32\config, as you see here:
C:\Windows\System32\config> dir
[. . .]
Directory of C:\Windows\System32\config
[. . .]
21/07/2021 12:57 524,288 BBI
25/06/2021 06:21 28,672 BCD-Template
21/07/2021 14:45 32,768,000 COMPONENTS
21/07/2021 12:57 786,432 DEFAULT
21/07/2021 12:32 4,194,304 DRIVERS
[. . .]
21/07/2021 12:57 65,536 SAM <--some system secrets included
21/07/2021 12:57 32,768 SECURITY <--some system secrets included
21/07/2021 12:57 87,556,096 SOFTWARE
21/07/2021 12:57 11,272,192 SYSTEM <--some system secrets included
[. . .]
The moniker SeriousSAM comes from the filename SAM, which is short for Security Account Manager, a name that sounds as serious as the file’s content’s are.
The revelation that Israeli company NSO Group’s spy software Pegasus was targeting the smartphones of activists, journalists and business executives sent a shockwave through the international press.
Simply put: if spyware can infect and infiltrate the world’s elite on every corner of the planet, that means the threat to organizations and individuals must be taken seriously. Spyware impacts everyone.
Moreover, in today’s work-from-anywhere world, mobile devices are critical to any job, and the ability to access email, customer information and proprietary data while on the go is non-negotiable.
Mobile Devices are Mission-Critical
Because of the wealth of data that can be accessed from a mobile device, companies must treat these devices as mission-critical to business continuity.
This means having control and visibility into what is happening on a mobile device, so they can prevent spyware attacks from compromising critical data.
Shawn Smith, director of infrastructure at application security provider nVisium, pointed out that the transition to a remote work style has changed the attack vector for spyware slightly.
“For example, in the past, all the networking gear in an office would be tightly controlled, monitored and patched for security issues as needed,” he said. “However, in a world where employees can work from anywhere, their home networking equipment becomes a new security issue.”
Smith said with such a wide variety of equipment that can be used, often in an unmaintained and unsecured state, this makes the issue of spyware much harder to defend against.
“You have to double your efforts on the security and encryption of the devices you can control, such as the employee’s corporate computer, and rely less on the network monitoring approach that was used in the past,” he said.
![STORING YOUR DATA IN THE CLOUD by [Lursa Muuda]](https://m.media-amazon.com/images/I/513-WmQ1xCS.jpg)
![OWASP A Complete Guide - 2021 Edition by [Gerardus Blokdyk]](https://m.media-amazon.com/images/I/515gPJ3zTgL.jpg)
![OWASP Testing Guide v4 by [OWASP OWASP]](https://m.media-amazon.com/images/I/419Ozw6vGtL.jpg)
