Sep 13 2023

vCISO services solve the CISO talent shortage

Category: vCISOdisc7 @ 9:35 pm

vCISO services solve the CISO talent shortage:

Instead of hiring full time CISO, many organizations are hiring vCISO on subscription basis or on a retainer to gain access to expert cyber security advice in form of a virtual CISO when required.  vCISO offer C level strategic assistance and tactical level guidance in devising and implementing strategy to build a security program, to assess security program, to reduce risk and to prevent or mitigate the impact of the attacks. 

What may be the primary concern for an organization to seek vCISO services: The primary concern for an organization seeking Information Security (InfoSec) services is the protection of their sensitive data and digital assets. They are deeply concerned about potential cyber threats and vulnerabilities that could compromise the confidentiality, integrity and availability of their information systems. These concerns often stem from the increasing frequency and sophistications of cyberattacks, as well as the potential legal and reputational consequences of data breaches.

Organizations may also worry about compliance and industry regulations and data protection laws, as failing to meet these requirements can result in severe penalties and damage to their reputation. Moreover, organizations frequently express worries regarding the expenses associated with Information Security services and their ability to seamlessly integrate these services into their current IT infrastructure without causing disruptions. The aim of an organization is to find a harmonious equilibrium between security and operational effectiveness while adhering to budget limitations. 

A Virtual CISO can effectively address primary concerns for organizations seeking information security services by providing expert guidance and support without the need for a full-time in-house CISO. They assist in identifying and mitigating security risks, ensuring cost-effectiveness, seamless integration into existing IT infrastructure and finding the right balance between security and operational efficiency, all while staying within budget constraints.

In what situations would a vCISO Service be appropriate?


Checkout our previous posts on vCISO topic

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CISO talent shortage

Jul 18 2023

Stabilizing The Cybersecurity Landscape: The CISO Exodus And The Rise Of VCISOs

Category: CISO,vCISOdisc7 @ 10:50 pm

In today’s evolving digital landscape, the role of a chief information security officer (CISO) is critical. These professionals defend against the rising tide of daily cyberthreats. Yet we’re seeing a trend: Many CISOs are leaving or considering leaving their jobs, a phenomenon coined the “Great CISO Resignation.”

This trend seems to reflect the intense pressure CISOs endure. They face a constant stream of complex cyberthreats, manage compliance issues and struggle with a talent deficit in cybersecurity. Paired with high expectations, many reconsider their roles, which can lead to a leadership gap.

However, this situation opens a strategic opportunity for innovation. As the founder and president of a company that offers virtual chief information security officer (vCISO) services, I’ve seen this model gaining momentum.

Understanding The vCISO Model

A vCISO is an outsourced security practitioner or provider who offers their expertise to businesses on a part-time or contractual basis. These professionals provide many of the same services as a traditional CISO, such as developing and implementing security strategies, ensuring compliance with regulations, training staff and managing a company’s cybersecurity posture. The key difference is that vCISOs offer these services remotely and often to multiple companies at once.

This model brings flexibility and scalability, allowing businesses to tailor cybersecurity leadership to their specific needs. It also provides access to a breadth of expertise that is often unaffordable in a full-time, in-house CISO.

Leveraging The vCISO Model Amid The CISO Exodus

With the current trend of CISOs leaving their positions, the vCISO model offers a practical solution to maintain cybersecurity leadership. Here are some ways businesses can take advantage of this model:

Plug Leadership Gaps Quickly

When a CISO departs, they leave a leadership void that’s hard to fill quickly, especially considering the shortage of cybersecurity talent. By leveraging a vCISO, businesses can plug this gap swiftly, ensuring continued oversight and direction in their cybersecurity efforts.

Access A Broader Skill Set

vCISOs, often being part of a larger team, can bring a wide range of experiences and skills. They are exposed to diverse security landscapes across industries, which can provide a fresh perspective and innovative solutions to your security challenges.

Cost Efficiency

Hiring a full-time CISO can be prohibitively expensive for some companies. vCISO services, on the other hand, can be scaled to fit budgetary constraints, giving businesses access to top-tier security leadership without as much of a hefty price tag.

Flexibility And Scalability

As your business grows and evolves, so too can your cybersecurity needs. A vCISO’s flexible engagement model means you can scale cybersecurity leadership to match your changing requirements.

Deciphering The vCISO Selection: A Strategic Perspective

Selecting the right virtual chief information security officer is pivotal to the success of your cybersecurity strategy, especially in the wake of the “Great CISO Resignation.” You’re essentially recruiting an outsourced leader who can help guide your organization’s information security infrastructure and strategy, so you need to ensure that they not only have the expertise but that they also align with your organization’s culture and values. Here are some strategic suggestions for identifying the perfect vCISO for your business:

Evaluate Their Background And Experience

Start by examining the vCISO’s professional background. This includes their level of experience in your specific industry, as well as their familiarity with the size and type of businesses like yours. Their past roles and achievements can provide valuable insight into their ability to handle the unique cybersecurity threats and risks your business may face. Don’t hesitate to ask for a detailed track record of their experience and successes.

Assess Their Expertise

Probe into their knowledge of current cybersecurity trends, their ability to create a cybersecurity strategy, their understanding of regulatory requirements that are relevant to your industry and their experience in managing security incidents. You should also ask about their experience with various cybersecurity tools and technologies. A vCISO’s expertise should encompass not only tactical but also strategic thinking and planning.

Understand Their Approach

Get a sense of their management style, communication skills and approach to problem-solving. Cybersecurity is a team effort, so the vCISO needs to effectively work with and guide your in-house team. Are they able to communicate complex security concepts in a way that everyone in your organization can understand? Can they foster a security-first culture within the company?

Determine Alignment With Business Goals

The right vCISO should understand your business strategy and align security strategies to business objectives. They should be able to strike a balance between the necessary security measures and the operational needs of your company.

In what situations would a vCISO or CISOaaS Service be appropriate?


Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

Cybersecurity: The CISO’s View

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (, or through our website’s contact form.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services


Mar 02 2023

In what situations would a vCISO or CISOaaS Service be appropriate?

Category: CISO,vCISODISC @ 12:06 am
5 Reasons Why a Virtual CISO (vCISO) May Be Right for Your Business - Pratum

A virtual Chief Information Security Officer (vCISO) service or (CISOaaS) may be appropriate for a variety of scenarios, including:

Your clients, collaborators (partners) and some regulatory requirements anticipate the presence of an individual fulfilling the position of Chief Information Security Officer (CISO).
  1. Companies without an in-house CISO: Small and medium-sized companies may not have the budget or need for a full-time CISO. A vCISO service can provide these companies with access to a seasoned cybersecurity professional without having to hire a full-time employee.
  1. Companies experiencing rapid growth or change: Companies that are growing quickly or undergoing significant changes, such as mergers or acquisitions, may benefit from the expertise of a vCISO to help them navigate the cybersecurity implications of these changes.
  1. Companies with limited cybersecurity resources: Some companies may have an IT team but lack dedicated cybersecurity resources. A vCISO can help fill this gap by providing strategic guidance and oversight of the company’s cybersecurity program.
  1. Compliance requirements: Companies in regulated industries, such as healthcare or financial services, may require a CISO to meet regulatory requirements. A vCISO can help these companies meet compliance requirements with standards (ISO 27001) and regulations (PCI, HIPAA, NIST CSF, etc.) without having to hire a full-time CISO.
  1. Cybersecurity incident response: In the event of a cybersecurity incident, a vCISO can provide expertise and guidance to help the company respond effectively and minimize the impact of the incident.

Overall, a vCISO service can be a cost-effective way for companies to gain access to the expertise of a seasoned cybersecurity professional without having to hire a full-time employee.


Organizations committed to prioritizing security encounter the difficulty of locating a Chief Information Security Officer (CISO) possessing the appropriate skills and knowledge. It becomes necessary for someone to take charge of the security and compliance strategy, but this requirement often surpasses the expertise possessed by operational IT/CIO.

What is CISOaaS?
Chief Information Security Officer-as-a-Service (CISOaaS) provides information security leadership from an appropriate pool of expertise. CISOaaS provides security guidance to senior management and drives the organization’s information security program.

Cert-In issues new guidelines for government bodies, mandates appointment of CISO, Read more at:


Scoping -> Assessment (business, legal and contractual reqs) -> Gap analysis (based on stds and regulations) -> provide a roadmap to-be state -> implementation of roadmap -> Evaluation and Continual improvement (of security program)

The benefits of our CISOaaS

  • Gain access to a diverse pool of highly experienced and specialized senior cyber security professionals.
  • Rapidly access valuable resources and eliminate the necessity of retaining talent.
  • Reduce your expenses by paying solely for the necessary support, effectively minimizing costs.
  • Based on CISOaaS being engaged for four days a month annually at current prices. ($37,000 per year)
  • Based on your requirements, you can hire a vCISO 5-10 hours a week or per month. ($125 per hour)
  • Mitigate your risk by strengthening your cyber and information strategy through the implementation of a clearly defined roadmap, thereby enhancing your overall security posture.
  • Acquire valuable experience in effectively educating and presenting to board members, and non-technical senior staff across functional diverse backgrounds.
  • Leverage our independent perspective and established credibility to secure comprehensive cross-business support and successfully accomplish your information security objectives.

Collaborate with government authorities

Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

Cybersecurity: The CISO’s View

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (, or through our website’s contact form.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: CISOaaS, FractionalCISO, vCISO

Jan 12 2023

vCISO Services – value added benefits of vCISO

Category: CISO,vCISODISC @ 3:37 pm

Most small-to medium-sized business (SMBs) hiring a CISO may be challenging business decision to find a suitable and affordablee candidate and the impacts of cyber breach to the SMBs can be devastating since many of those businesses are unable to sustain the costs of breach. A vCISO can provide the expertise needed to ensure your information security, privacy programs are succeeding and your company is prepared to assess and analyze an incident, all at cost-effective price.

DISC’s Virtual CISO (vCISO) service assists organizations to design, develop and implement information security programs based on various standards and regulations. We provide professional security services which includes but not limited to leadership team (strategic) but also a support team of security analysts (tactical) to solve distinct cybersecurity challenges to every organization.

Reasons to Consider a Virtual CISO (vCISO)

Expertise covering Industries:
vCISOs work with various clients across industries, opening them to events not attainable to CISOs experience in an isolated industry. The security knowledge gained by a vCISO from each client environment is different which ensures an improved expertise to assess the next organization, which positively impacts on the next client project.

Flexibility in Unique Business Environments:
vCISOs first gain a thorough understanding of each organization’s business model, company culture, risk tolerance, and objectives. From there, they gain an understanding of security risks faced by the organization. With a full view of the security landscape, the vCISO will communicate the findings to help clients make the appropriate security decisions for their environment.

Efficiency with Core Competencies:
A virtual CISO fills will prioritize security findings where organizations need it most. By focusing on cybersecurity strategy and implementation, vCISOs helps internal security team with control understanding and implementation responsibility. This enables both staff and cybersecurity leadership to remain dedicated to their respective core competencies.

Objective Independence:
vCISOs are an independent third party with an objective viewpoint and goals of helping clients make the best security decisions for their business.

DISC’s vCISO programs generally cost a fraction of a full-time CISO and supporting security team. According to report, the average salary for a CISO is $260,000 per year in California. On average, DISC’s vCISO clients pay a fraction of what it would cost to hire an in-house CISO.

Most important skills of vCISO: is to translate between business and IT as a facilitator

vCISO risk remediation solution:

  1. What is risk to business
  2. Likelihood of occurrence and what will be the risk to business
  3. Impact of occurring and what will be the risk to business
  4. Cost of fixing, implementing or remediating and what will be the residual risk

Infosec books | InfoSec tools | InfoSec services

Tags: vCISO, Virtual CISOs

Nov 10 2021

vCISO as a service

Category: Information Security,vCISODISC @ 10:05 pm

Virtual CISO

Ransomware's Silver Bullet - The Virtual CISO Publication Series: Cybersecurity: Publication #1 Ransomware by [Virtual CISO]

Tags: vCISO as a service

Nov 18 2019

CISO or vCISO? The Benefits of a Contractor C-level Security Role

Category: CISODISC @ 12:40 pm

Read how a virtual chief information security officer (vCISO) can help you uplift a struggling information security program.

Source: CISO or vCISO? The Benefits of a Contractor C-level Security Role

Webinar: vCISO vs CISO – Which is the right path for you?

CISO as a Service or Virtual CISO

The Benefits of a vCISO

Subscribe to DISC InfoSec blog by Email

Tags: vCISO

Sep 29 2023


Category: Security vulnerabilities,Smart Phone,Zero daydisc7 @ 9:22 am

Google has designated a brand new CVE number for a major security vulnerability that has been discovered in the libwebp image library, which is used for displaying pictures in the WebP format. This flaw has been found to be exploited in the wild by malicious users. A major vulnerability that existed in Google Chrome for Windows, macOS, and Linux was addressed by a security update that was provided by Google. A CVE ID of CVE-2023-4863 has been assigned to the security flaw, and the vulnerability has been rated as having a severity of 8.8 (High).

As a result of the analysis of the vulnerability, it was found that the libwebp library included a heap buffer overflow vulnerability. This vulnerability allows a threat actor to conduct an out-of-bounds memory write by using a crafted HTML page to trigger the issue.

However, Google has once again reported this vulnerability, which is now known as CVE-2023-5129 and is being monitored. After further investigation, it was discovered that the vulnerability known as CVE-2023-41064 and this one also impacted the same libwebp library. The development comes after Apple, Google, and Mozilla provided remedies to address a flaw that may enable arbitrary code execution when processing a carefully designed picture. The bug is tracked separately as CVE-2023-41064 and CVE-2023-4863. The execution of arbitrary code might lead to a security breach. It is likely that both problems are solutions to the same fundamental issue that exists in the library. CVE-2023-41064 is claimed to have been linked with CVE-2023-41061 as part of a zero-click iMessage attack chain termed BLASTPASS to deliver a mercenary malware known as Pegasus, as stated by the Citizen Lab. At this time, we do not have access to any other technical specifics.

But the choice to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome belied the reality that it also affects practically every other program that depends on the libwebp library to handle WebP pictures, showing that it had a wider effect than was originally supposed. CVE-2023-4863 was discovered by Google security researchers and is tracked by the CVE identifier.

An investigation carried out by Rezillion over the last week has uncovered a comprehensive list of frequently used software programs, code libraries, frameworks, and operating systems that are susceptible to the CVE-2023-4863 vulnerability.

Additionally, the security researcher who found the vulnerabilities CVE-2023-41064 and CVE-2023-4863 reported both of them. This indicates that the researcher brought this issue to the attention of both firms, which led to the creation of two distinct CVEs in the past.

ZIYUETEK USB Data Blocker, Charge-Only Adapter USB Blocker(2PCS), Provide Safe and high-Speed Charging, Protect Against Juice Jacking, Hacking

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Sep 28 2023

5 free vulnerability scanners you should check out

Category: Security vulnerabilitiesdisc7 @ 9:39 am

Vulnerability scanners delve into systems to uncover security gaps. The primary mission? To fortify organizations against breaches and shield sensitive data from exposure.

Beyond merely pinpointing weaknesses, vulnerability scanning is a proactive measure to anticipate potential attacker entry points. The essence of this process lies not just in detection but in remediation and refining strategies, ensuring that vulnerabilities are prioritized.

Here’s a list of 5 free, open-source vulnerability scanners you can try today.


Nuclei is a scanner designed to probe modern applications, infrastructure, cloud settings, and networks, assisting in identifying and correcting vulnerabilities. Internally, Nuclei relies on the principle of templates. These YAML files detail how to identify, rank, and fix specific security threats. A global community of security professionals and researchers actively contributes to the template library. This ecosystem, continuously updated within the Nuclei tool, has received over 5000 templates.


Nikto is a web server scanning tool that conducts in-depth tests on web servers. It checks for over 6700 potentially dangerous files/programs, including certain files or programs, inspects for outdated versions of more than 1250 servers, and looks for particular issues in over 270 server versions. Nikto isn’t crafted for discreet operations. It aims to assess a web server as swiftly as possible, leaving evident traces in log files or being detectable by IPS/IDS systems. Nevertheless, it supports LibWhisker’s methods to counteract IDS, whether to experiment with or evaluate an IDS setup.

free vulnerability scanners


Cariddi enables you to take a list of domains, crawl URLs, and scan for endpoints, secrets, API keys, file extensions, tokens, and more.


OpenVAS is a comprehensive vulnerability scanning tool. It offers both unauthenticated and authenticated testing, supports a range of high-level and low-level internet and industrial protocols, provides performance optimization for large-scale scans, and features a robust internal scripting language to design any vulnerability test.

free vulnerability scanners


Wapiti is a tool designed to assess the security of your websites or web applications. It conducts “black-box” scans, meaning it doesn’t analyze the source code. Instead, it navigates through the webpages of the live web application, searching for scripts and forms to input data. After identifying the list of URLs, forms, and their respective inputs, Wapiti functions like a fuzzer, introducing payloads to determine if a script is susceptible to vulnerabilities.

More resources:

Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: free vulnerability scanners

Sep 27 2023

It’s Time to Do Better as an Industry with MITRE Evaluations

Category: Attack Matrixdisc7 @ 12:37 pm

CrowdStrike achieved the highest coverage across the last two consecutive MITRE Engenuity ATT&CK® Evaluations. We achieved 100% protection, 100% visibility and 100% analytic detection coverage in the Enterprise Round 5 evaluation — which equates to 100% prevention and stopping the breach. We also achieved the highest detection coverage in the Managed Security Services Providers testing. 

However, interpreting the results of the Round 5 test can quickly become very confusing, with endless representations of test results from every provider. Unlike other third-party analysts, MITRE doesn’t place vendors on a quadrant or graph, or provide a comparative score. It leaves interpretation up to each vendor and customers themselves — meaning you’ll be flooded with claims of “winning” the evaluation. 

In MITRE, there are no winners or leaders, only raw data on a vendor’s coverage against either a known or unknown adversary. Without better guidelines and enforcement from MITRE, the results will continue to confuse customers, given the wildly different solutions being tested and approaches to the evaluation.

Evaluations like MITRE can help clarify your choice. We use the evaluations to further sharpen the capabilities of the CrowdStrike Falcon® platform, as well as ensure our customers understand our point of view on cybersecurity: Stopping the breach requires complete visibility, detection and protection that you can actually use in a real-world scenario.

How Should You Interpret the Results?

First, it’s important to understand the nuances of the two types of evaluations run by MITRE: open-book and closed-book tests.

Open-book testing for known attackers: The MITRE ATT&CK Enterprise Evaluations, such as the recent Round 5, give vendors months of advance notice on the adversary being emulated and their tactics, techniques and procedures (TTPs), and then measure for coverage in a noiseless lab environment. 

Figure 1. CrowdStrike detects 143 (100%) steps during the MITRE Engenuity ATT&CK Evaluation: Enterprise Round 5 with high-quality analytics (Tactic and Technique)

Not all results are equal, which is hard to see in a comparative chart like this, as vendors have the opportunity to tune their systems in advance and apply configuration changes on-the-fly with teams of experts who may be working behind the scenes 24/7 during the testing period. For instance, we’ve seen vendors make updates to operating systems for the test, while others manually fix verdicts or add new context and detections.

Round 5 emulated Turla, which CrowdStrike classifies as VENOMOUS BEAR, a sophisticated Russia-based adversary. Given their advanced tactics, few vendors were able to identify all of their tradecraft, with the average visibility being 83%. High-quality analytic detection of Tactic and Technique were even less, with the average dropping to 66% — with CrowdStrike achieving full 100% coverage with analytic detections.

High-quality analytics are extremely important, as they provide insight into what an adversary is attempting to achieve and how they are attempting to achieve it. High-quality analytic detection provides the context that analysts need, letting them spend less time trying to determine if the alert is a true or false positive, and also provides insight into what an adversary is trying to do. With tactic and technique detections, security analysts can spend more doing what matters: stopping breaches.  

In a comparative chart like the one above, it isn’t possible to see if the capability provided is noisy annotated telemetry or important context added to a high-fidelity alert.

Closed-book testing for unknown attackers: MITRE’s Managed Security Services Providers test is a truer measure of how vendors will protect a customer in the real world, with no do-overs or chances to hunt for additional evidence. The only notification vendors receive in advance is a start date, with no visibility into the adversary being emulated or their TTPs. MITRE runs the test, and you get a coverage score.

Figure 2. CrowdStrike detected 99% of adversary techniques during MITRE ATT&CK Evaluations for Managed Security Services Providers.

To find the cybersecurity partner for you, it’s worth reviewing and correlating performance across many different tests that use different TTPs and force products to behave differently to find the true outcome of the platform. Ensure you look at the results of both open-book and closed-book tests, including those that measure false positives and performance, and know exactly what vendors did to achieve their results. Most importantly, make sure you can achieve those same outcomes in your enterprise. Sophisticated adversaries don’t provide the luxury of a heads-up, and customers won’t have potentially dozens of people working behind the scenes on their deployment in the real world.

Stopping Breaches Matters

Next, it’s critical to evaluate how effectively a vendor can stop adversaries without manual intervention. In the open-book Round 5 test, the average blocking rate was 86%, compared to CrowdStrike’s 100% protection. Even more important than the coverage is understanding how the scores were achieved.

When digesting the MITRE results, ask vendors these three questions, and ask them to prove it:

  1. Did they use easily bypassed signatures or custom detections requiring prior knowledge?
  2. Are the analytic detections and protections high-fidelity and suitable at enterprise scale? 
  3. How can I reproduce this result in my own environment?

For comparison, the CrowdStrike Falcon platform stopped 13 of the 13 scenarios with no prior knowledge, using advanced AI and behavior detection. Our AI-powered prevention will be just as effective in your environment as in MITRE’s testing, against both known and unknown adversaries in the real world.

How Do You Bring It All Together?

At the end of the day, how a platform achieved its results matters as much as coverage itself. With open-book tests like the Enterprise Evaluation Round 5, you could hire enough experts to manually add custom tags, detections and context to achieve perfect coverage. That’s why you’ll see vendors shouting their coverage from the rooftops — as at face value many did well.

All comparative charts, including the ones we’ve shown above, only tell part of the story. What’s important is looking at the details: how you do it matters as much as what you do. If you can’t actually achieve the results in your environment, it’s simply a number on a comparative chart. It can’t stop adversaries and it can’t stop breaches. 

Ask your provider, including us, how they achieved their scores — and ensure it wasn’t a herculean manual effort that could never work in the real world. It’s also important to understand exactly what the full bill-of-materials looks like to reproduce the results. Some vendors require a complex point product deployment, others an expensive combination of software and network security hardware, and others a significant headcount investment to operate. 

The factor to consider most carefully are vendors that use custom test configurations that are impossible to reproduce in a real-world production environment. With CrowdStrike, our platform will always be delivered via our single lightweight agent that’s easy to deploy, easy to manage and never requires a reboot. We consolidate cybersecurity, with better outcomes, at a much better ROI.

We stand behind our platform and the way we delivered our superior coverage across both MITRE’s open-book and closed-book testing for known and unknown adversaries — providing true breach prevention for the real world. 

We encourage everyone in the industry to follow MITRE’s intention: Its testing yields valuable raw data that needs to be applied in your environment — with the context around how a vendor achieved its results — to be meaningful. And to our friends at MITRE, the time is now to shut down the endless noise and ensure customers understand your purpose: to make the world safer with better-informed decisions.

If you want to learn more about using MITRE for your organization, register for our virtual event: MITRE Engenuity ATT&CK Evaluations: Inside the Enterprise Round 5 Results.


DISC InfoSec previous posts on MITRE ATT&CK

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CrowdStrike Falcon, MITRE ATTACK MATRIX, MITRE Engenuity ATT&CK Evaluations

Sep 27 2023

The Rise of Automotive Hacking: How to Secure Your Vehicles Against Hacking

Category: Hackingdisc7 @ 9:16 am

Though we can’t see it, the world brims with more technology than ever. These days, devices with internet connectivity live within the ever-growing Internet of Things (IoT)—a worldwide “web” where wireless communication and information technology work together. Since the early 2000s, smart cars have appeared within the IoT, sporting more comfortable, efficient, and safer rides. Despite their advancements, they remain constant targets for cyberattacks and hacking.

What is Automotive Hacking?

Functionally, automotive hacking is like traditional cyberattacks; the actor breaks into the system, gaining abilities to change files, open doors to other networks, or harvest unused resources. Automotive hacking occurs similarly, but the target is a car rather than a home computer or business database.

The target is the car’s electronic control unit (ECU), which connects to many communication channels and networks. The ECU is also intimately related to the car itself; hackers can do anything with this access, from changing the radio to steering takeovers. Some may outright steal the vehicle.

What are the Risks of Automotive Hacking?

A stolen car is a problem, but hackers aren’t typically interested in committing glaring crime sprees. They’re more concerned with insidious results. For example, a hacker could break into a car’s ECU to jump to another network. Then, they could access databases or servers as they please. Before jumping to a better vantage point, they could unleash a long list of problems for the car owner:

  • Broken or destroyed cybersecurity functions: making the car even more vulnerable.
  • Programmed behaviors: some may remove alarms and notifications from activation.
  • Data and personal information theft: opening owners to financial issues and fraud.
  • Forced temperature conditions: causing cars to shut down in high-temp states.

How Hackers Can Gain Access to Vehicles?

A smart car is under threat from many angles. Depending on the end goal of the assailant, the attack may take various forms, from over the internet to physical interaction with the car. Those wanting to access the ECU to jump away are less likely to come in contact with the vehicle. The hacker’s available technology limits their access gateways:

Forced Access

Hackers can break into an ECU by plugging an infected USB data port into the car. Like other computers, cars can suffer from malware and viruses, but their consequences may be more deadly. For this reason, owners of modern cars must be vigilant of what and who is plugging things into their cars.

Extended Key Fob Range

Although fobs are a common feature of many cars, they are also a significant system weakness in smart cars. The more utility the car fob has, the more access the hacker could gain by breaking into it. A hacker’s access lets them start or stop the car, open the windows and doors, and even trigger alarms.

Smartphone Access

Hackers can get smartphone access in many ways; regarding vehicles, hackers can attack from the internet, over applications, or through a network. A corrupt smartphone exposes more than personal and financial information; it also opens any connected devices and networks to the threat. Connected automotive applications are another common access point for skilled hackers.


Another weakness is the technology used to gather and analyze data from fleet vehicles. Telematic tech allows for seamless information interaction from any location but is readily exploitable for hackers. Those with a successful attack have network access, organization data, and personal client or consumer information.

How to Prevent Automotive Hacking?

Smart cars, despite being giant, rolling targets, have come a long way since their inception. Car manufacturers invest in more cybersecurity every year. The manufacturers and application developers are only part of the solution, however. Car owners must take proactive steps to help defend their property and network.

Manufacturer-Endorsed Software Only

One can rarely trust third-party applications. Devices that connect to them (or accept their Terms and Conditions) can quickly become infected with problems. Only use reputable applications; Google and Apple Maps are good examples, though cautious consumers may want to read their policies before agreeing.

Smart cars and internet connectivity will further entwine in the coming decades. As fast as cybersecurity tech advances, the faster hackers evolve their attacks. Smart cars and everything they interact with are at risk of falling victim to cyber threats. Taking necessary precautions on time can protect against identity theft and prevent becoming a victim of cyberattacks.

Up-to-Date Software

Gone are the days when consumers could ignore their system updates for weeks (or years). These days, software updates are the most significant protection individuals have against cyber threats. Car owners should check their systems regularly for compliance.

Password Protect

Like cellphones, many smart cars have “About” information that may provide access to the ECU. The only way to prevent its use is by routinely monitoring the accounts and properly configuring access. Administration passwords are not permanent solutions.

Internet Access via VPN

Virtual private networks (VPNs) mask a device’s IP address with an alternative. It allows consumers to have another layer of protection between themselves and the internet. VPNs are crucial to securing vehicle gadgets, engines, and internal components.

Strictly Need-Basis GPS

The Global Positioning System (GPS) of a modern car is one of the car’s most significant weaknesses. GPS opens the system to transmissions, which can lead to direct attacks. Hackers could also target their internal connections if the GPS works through a third party.

Install a Firewall

Removing the connectivity from a modern car is impossible. Consumers must protect the connection to prevent successful cyberattacks. Installing the proper firewall will do more than alert the owner to threats; it will also restrict communications from all unauthorized parties. Firewalls are considered a necessary line of defense.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Automotive Hacking

Sep 26 2023


Category: Backdoordisc7 @ 9:04 am

As part of an ongoing cyber espionage effort, the Iranian nation-state hacking group known as OilRig has continued to target government entities in the Middle East. This cyber espionage campaign makes use of a newly discovered backdoor in order to exfiltrate data. OilRig (APT34) is an Iranian cyberespionage gang that has been active since 2014 and has been targeting different sectors and governments in the Middle East, including Chemical, Energy,Finance and Telecom.

Following the commencement of the DNSpionage operation in 2018-2019 targeting Lebanon and the UAE, OilRig began the HardPass operation in 2019-2020 utilizing LinkedIn to target individuals in the energy and government sectors.

In recent weeks, the experts in charge of cybersecurity at trendmicro have discovered and assessed two campaigns run by the OilRig APT group:

Outer Space (2021)

Juicy Mix (2022)

Due to the operations’ concentration on the Middle East, Israeli organizations were the only ones targeted by these cyberespionage efforts. They gained access to the network by posing as genuine businesses using VBS droppers to plant C# and.NET backdoors and post-compromise data mining tools.

An Overview of the Campaign

Outer Space: It was an OilRig campaign from the year 2021 that employed an Israeli HR website as a command and control server for the Solar backdoor. . Here, with just the most fundamental functionalities, the Solar linked to the SC5k downloader, while the MKG was utilized for data exfiltration from browsers.

OilRig started a new campaign in 2022 called “Juicy Mix.” It targeted Israeli organizations with improved tools, compromised a job site for command and control, and then attacked an Israeli healthcare organization with a Mango backdoor, two hidden browser-data dumpers, and a Credential Manager stealer. Juicy Mix was a hit.

In order to get access to the target system, both attacks used VBS droppers, which were most likely distributed using spear phishing emails.

These droppers distributed Mango, made sure the infection would remain, and linked to the command and control server. Concealing the base64 encoding and basic string deobfuscation that the embedded backdoor employed at the same time was accomplished using these methods.

After inserting the backdoor, the dropper transmits the compromised computer’s name to the command and control server in the form of a base64-encoded POST request. This is done after it has scheduled Mango (or Solar) to run every 14 minutes.

During the Outer Space campaign, OilRig launches Solar, a backdoor that is both simple and flexible. It is able to download and run files, as well as independently exfiltrate prepared data.

Mango, which had previously been known as Solar, has been replaced in Juicy Mix by OilRig’s Mango, which, although having similar features and a workflow, has substantial differences.

In the same way as Solar did, Mango starts an in-memory job that runs every 32 seconds, talks with the C&C server, and carries out orders. Mango, on the other hand, is distinct in that it replaces Solar’s Venus assignment with a whole new exfiltration command.

Post-compromise tools

The following post-compromise tools are included below for your convenience:

Downloader for SampleCheck5000, often known as SC5k

Data scrapers for browsers

Windows Credential Manager stealer

OilRig makes its way from Solar to Mango via implants that function similarly to backdoors. While they do make use of specialized technology for data collecting, they nevertheless rely on more traditional methods to get user information.

The parallels between the first-stage dropper and Saitama, the victimology patterns, and the usage of internet-facing exchange servers as a communication technique were identified in the case of Karkoff, which is how the campaign is connected to APT34.

If anything, the rising number of malicious tools connected with OilRig illustrates the threat actor’s “flexibility” to come up with new malware depending on the targeted environments and the privileges held at a particular stage of the assault. This “flexibility” may be inferred from the fact that the threat actor has created a growing number of harmful tools linked with OilRig.

Backdoor – Bypassing the gatekeepers in CyberSecurity

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Sep 25 2023

MOVEit fallout continues as National Student Clearinghouse says nearly 900 schools affected

Category: Cyber Attack,Information Securitydisc7 @ 2:18 pm

The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.

The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.

In June, the organization first confirmed that it was affected by exploitation of the tool, which was targeted via several critical vulnerabilities by the ransomware gang Clop.

Dozens of schools published notices confirming that student and alumni data was accessed in the breach but it was never clear just how many colleges or universities were affected.

In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.

The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.

The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.

NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.

“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”

The attack on NSC was one of several involving MOVEit that had wide-ranging downstream effects. The Clop ransomware gang targeted several organizations with connections to other companies or businesses, including PBI Research Services and the Teachers Insurance and Annuity Association of America (TIAA).

Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.

Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”

“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.

“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”

North of the border

UnitedHealthcare Student Resources Notifies Individuals of Data Security Incident

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MOVEit, supply chain attack

Sep 25 2023

Hands-on threat simulations: Empower cybersecurity teams to confidently combat threats

Category: Threat detection,Threat Modelingdisc7 @ 11:37 am

With the rising number of cyber-attacks, organizations must make sure they are ready to defend themselves. That means equipping cybersecurity teams with sufficient skills to identify and effectively stop an attack in its tracks. Worryingly, only 17% of tech workers are completely confident in their cybersecurity skills, while 21% have no confidence at all. Given that 74% of data breaches are caused by human error, it is crucial that upskilling practices are in place.

One of the best ways to develop the necessary skills is through hands-on learning which allows employees to practice in a low-risk environment and better understand the methods used by cyber-attackers. This kind of experience is vital for security teams to be able to anticipate threats and capably protect the business.

The importance of testing security teams’ skills

Automated defense technologies are highly effective for commodity threats – those which are based on programs that are readily available and require no customization to launch an attack. But integrating AI/ML capabilities into security operations can generate a false sense of security. Attackers can still create the exact same program with millions of different file hashes or apply human ingenuity to evade known defenses.

Anti-virus is built on a massive signature-database-shaped house of cards that easily crumbles by changing text within programs. The same applies for network signatures, endpoint detection and response. There are certain behaviors that traditional defense technologies focus on, but ultimately, malware is just software. The more it can blend into common software activity, the less likely it is that an attack will be detected. And this is easier than it seems.

Security teams need easily replicable techniques to emulate threat scenarios to test their defense skills against the skill level of cyber-attackers. Testing is how businesses find out the cybersecurity teams’ skill level without waiting for a breach.

At least yearly, there should be a full red team assessment; the red team is made up of offensive security professionals whose role is to exploit the company’s vulnerabilities and overcome cybersecurity controls. But given attackers always operate in real time, there should be a weekly exercise for individual tactics, techniques and procedures (TTPs).

Start with the basics

Even the most advanced cyberattacks leverage basic techniques that have been around for years. Businesses need to focus on fully leveraging the tools they have to detect even the most basic of techniques and then move their way up to more advanced techniques from there. That will remove the most common threat from the equation first. This allows them time to identify and build the expertise and infrastructure required to be mature enough to defend against the most advanced or dangerous threats.

Anticipate the risk by using threat simulation learning models

One example of such an exercise is a blue team friendly attack simulation. The blue team here refers to security experts who are aware of the organization’s objectives and security strategy and are trying to defend and respond to attacks performed by the red team. One group poses as the opposing force, or in this case, cyber criminals, while testing the ability of the defenders to detect and protect against such attacks.

However, these types of simulations are performed on extensive cyber ranges that take a lot of time and effort to create, and don’t always accurately reflect the enterprise environment. In addition, it requires security teams to take several days off to play through the exercise. The quality of these simulations depends on the team that developed it and the complexity of the available cyber range resources. The rapid evolution of threats means that the work cyber teams do can have a short shelf life, as does the ability to properly prepare defenders.

Defenders need to be able to rapidly test against new tactics and techniques in their everyday environment. This allows them to quickly check the efficacy of their monitoring tools, as well as their people and processes, on an ongoing basis, that is accurate to current threats. This is important to the concept of ‘becoming the threat’. What cybersecurity teams really need is the ability to test individual tactics in their organization’s live environment, without the overhead of a full red team exercise.

Hone skills and build confidence through hands-on learning

Simulations are a good way to understand how to best defend and respond against different attacks and determine whether employees need to upskill. At its basic level, if the blue team wins, they can be confident when it comes to a cybersecurity threat. But if they lose, the organization still has work to improve their defense strategy.

When simulating various TTPs, you can categories them two ways. First by level of expertise required to perform the specific attack. Second, by the area, or type of data in which the attack should be detected.

The concept of defense in depth is that even if you miss one component of an attack, you can ideally catch others so that you can prevent the attackers achieving their goal. Measurement is based on the time it takes for a team to detect and respond to a particular TTP once launched, by category of the technique. Skill, process, and technology gaps can then be mapped by identifying where response times were low, or there was no response time at all.

Up to date skills central to staying ahead of the hackers

Cyber teams play a constant cat and mouse game to keep up with the evolving threat landscape. However, organizations can adopt specific practices to ensure teams have built in skills to defend against cyber-attacks and protect the business.

Providing employees with first-hand experiences of how a cyber-attack plays out can break down the barrier between the defender and the attacker to better understand the threat and anticipate the risks. This type of learning pathway is crucial for an organization who needs to know how well equipped their teams are for when a cyber-attack inevitably occurs. Only then can decisions be made to fill skills gaps with additional training or if their current level of expertise is enough to protect the business.

When it comes to cyber-attacks, security teams must act extremely quickly to minimize the impact in stressful environments. Hands-on threat simulations will arm cybersecurity experts with the skills and confidence necessary to react to a cyber-attack calmly and efficiently, whilst protecting the company’s sensitive data and avoiding costly damages.


InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Sep 25 2023

BIND DNS System Flaws Let Attackers Launch DoS Attacks

Category: DDoS,DNS Attacksdisc7 @ 9:28 am

In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341. 

These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.

CVE-2023-4236: DNS-over-TLS Query Load Vulnerability

This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9. 

Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.

Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.

CVE-2023-3341: Control Channel Stack Exhaustion

The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9. 

This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel. 

This can lead to names unexpectedly terminating, causing potential disruption.

Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.

For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.

For CVE-2023-4236:

– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.

– Consider disabling DNS-over-TLS connections if not required.

For CVE-2023-3341:

– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.

– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.

No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.

ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities. 

Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.

The Hidden Potential of DNS In Security: Combating Malware, Data Exfiltration, and more – The Guide for Security Professionals

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: BIND DNS System Flaws, DNS In Security

Sep 23 2023

Ransomware cyber insurance claims up by 27%

Category: Cyber Insurance,Ransomwaredisc7 @ 2:45 pm

Increase in ransomware claims frequency

Coalition found that both claims frequency and severity rose for businesses in early 2023 across all revenue bands. Companies with over $100 million in revenue saw the largest increase (20%) in the number of claims as well as more substantial losses from attacks – with a 72% increase in claims severity from 2H 2022.

“The cyber threat landscape has become more volatile, and, as a result, we’ve seen claims become more severe and more common than ever,” said Chris Hendricks, Head of Coalition Incident Response.

“To help prevent these costly and disruptive incidents, organizations need to take an active role in improving their security defenses and make risk management a top priority,” added Hendricks.

Coalition’s report also saw a resounding increase in ransomware claims frequency in 1H 2023, which grew by 27% from 2H 2022. Claims severity also reached a record high, increasing 61% from the previous half and 117% over last year.

Moreover, cybercriminals increased their demands: the average ransom demand was $1.62 million, a 47% increase over the previous six months and a 74% increase over the past year.

Email security remained critical to claims reduction

The company also recovered an unprecedented $23 million in stolen funds — all of which went directly back to policyholders. Notably, Coalition’s total FTF (funds transfer fraud) recovery amount was nearly three times greater than 2H 2022. The average recovery amount was $612,000 per FTF claim, representing 79% of all FTF losses in instances where recovery was possible.

FTF claims frequency increased by 15% in 1H 2023, and FTF severity increased by 39% to an average loss of more than $297,000. This half, Coalition negotiated ransomware payments down to an average of 44% of the initial amount demanded.

Businesses using Google Workspace for email were markedly more secure than those using Microsoft Office 365 (M365) and on-premises Microsoft Exchange. M365 users were more than twice as likely to experience a claim compared to Google Workspace users. On-premises Microsoft Exchange users were nearly three times more likely to experience a claim than businesses using Google Workspace.

Overall, companies using Google Workspace experienced a 25% risk reduction for FTF or BEC claims and a 10% risk reduction for ransomware claims.

Cyber Insurance – The Cyber Insurance Survival Guide: : Expert Strategies for Preparing and Responding To Cyber Insurance Applications

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cyber insurance claims

Sep 22 2023


Category: Malware,Phishingdisc7 @ 9:25 am

TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.

TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.

First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.

The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.

After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.

This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.

Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of or Alternatively, you could also use

In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:

To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the norm). Just the singular name should be used; for instance, if your SharePoint site is located at, you should use the –sharepoint mytest option.

Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.

By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.

TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.

The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.

You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.

By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.

Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Sep 21 2023


Category: Zero daydisc7 @ 3:53 pm

Apple released emergency security updates to address three new actively exploited zero-day vulnerabilities.

Apple released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

CVE-2023-41993 is an arbitrary code execution issue that resides in the Webkit.

An attacker can trigger the flaw by tricking the victim into visiting specially crafted web content that may lead to arbitrary code execution. The IT giant addressed the flaw with improved checks.

The second zero-day flaw, tracked as CVE-2023-41991, resides in the Security framework. An attacker can exploit this vulnerability to bypass signature validation using malicious apps. The company fixed the vulnerability by fixing a certificate validation issue.

The third zero-day, tracked as CVE-2023-41992, resides in the Kernel Framework. A local attacker can trigger the flaws to elevate their privileges. Apple fixed the flaw with improved checks.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.” reads the advisory published by the company.

The company fixed the three zero-day vulnerabilities with the release of macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1.

Fixes are available for iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later

Apple has already patched 16 actively exploited zero-day vulnerabilities in 2023, below is the list of the flaws fixed by the company:

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: emergency updates

Sep 21 2023

Shadow IT: Security policies may be a problem

Category: Security policydisc7 @ 3:13 pm

Shadow IT A Clear and Concise Reference

A recent report by Kolide and Dimensional Research has disclosed that three-quarters of employees resort to utilizing their personal and often unmanaged mobile devices and laptops for work purposes, with nearly half of the surveyed companies permitting such unmanaged devices to access secure resources. The report, based on responses from 334 IT, security, and business professionals, highlights the diverse motivations behind this practice, with three specific reasons indicating that a substantial number of employees use personal devices as a means to circumvent their organization’s security policies.

The dangers of shadow IT

The prevalence of shadow IT in enterprise environments is a well established fact.

When the organization’s IT department refuses to sign off on a needed solution or they drag their feet when asked to approve it, workers in other departments are tempted to deploy it without the IT workers’ knowledge.

The problem is compounded by the widespread use of personal/unmanaged devices, as the IT department has no way of knowing what’s happening on them, whether they are regularly patched/upgraded or whether they have been compromised.

“When engineers do production-level work on personal devices, an organization’s risk of a breach skyrockets. A bad actor can use a security flaw in an unmanaged device to break into the production environment, as in the LastPass breach. Even a simple smash-and-grab of a laptop can turn into a nightmare if that laptop is full of PII, and IT has no way to remotely wipe it,” Kolide researchers noted.

Employees shouldn’t be blamed for flawed security policies

Workers use their personal devices for work to (among other things) access websites and applications that have been restricted by the IT department, and because getting through security measures is frustrating.

This, and the fact that only 47% of the pollees said that they always follow all the cybersecurity policies, shows that the security policies in place are not working for all.

“Unfortunately, we don’t have data on which specific policies respondents felt justified in going around, but we can make two inferences from this response: Any security policy that workers can ignore at will does not have adequate safeguards around it, and if workers who generally try to follow the rules ignore a security policy, either they don’t understand the risks associated with a specific behavior, or the policy itself is flawed,” the researchers said.

Employers and workers need more open, honest dialogue about security, they pointed out. Security and IT professionals must make an effort to understand why workers feel they have to go around policies.

Finally, the results of the survey also debunk the myth that security training is useless and a despised nuisance.

“In the strongest data point of our survey, 96% of workers (across teams and seniority) reported that training was either helpful, or would be helpful if it were better designed. The message here is that people want to be educated on how to behave safely,” the researchers concluded.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Tags: Shadow IT

Sep 21 2023

MOVEit Transfer SQL Injection Let the Attacker Gain Unauthorized Access to the Database

Category: Authentication,data securitydisc7 @ 9:17 am

MOVEit transfer service pack has been discovered with three vulnerabilities associated with SQL injections (2) and a Reflected Cross-Site Scripted (XSS). The severity for these vulnerabilities ranges between 6.1 (Medium) and 8.8 (High).

Progress-owned MOVEit transfer was popularly exploited by threat actors who attacked several organizations as part of a ransomware campaign. The organizations previously reported to be affected by MOVEit vulnerability include ShellBBC, British AirwaysCalPERSHoneywell, and US government agencies.

CVE-2023-42660: MOVEit Transfer SQL Injection

This SQL injection vulnerability was discovered on the MOVEit Transfer machine interface, which could lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer machine interface. 

Successful exploitation could result in the modification and disclosure of MOVEit database content. However, a threat actor must be authenticated to exploit this vulnerability. Progress has given the severity of this vulnerability as 8.8 (High).

Products affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. Users are recommended to upgrade to the September Service Pack to fix this vulnerability.

CVE-2023-40043: MOVEit Transfer SQL Injection

This other SQL injection vulnerability exists in the MOVEit Transfer web interface, which could possibly lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer web interface.

Successful exploitation could result in the modification and disclosure of MOVEit database content. The prerequisite for a threat actor to exploit this vulnerability includes access to a MOVEit system administrator account. Progress has given the severity of this vulnerability as 7.2 (High).

Products that are affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to the September Service Pack and limit sysadmin account access.

CVE-2023-42656: MOVEit Transfer Reflected XSS

This Reflected XSS vulnerability was found in the MOVEit Transfer’s web interface, which a malicious payload can exploit during the package composition procedure. A threat could craft a malicious payload and target MOVEit Transfer users. When interacting with the payload, the threat actor can execute malicious JavaScript on the victim’s browser.

Progress has given the severity of this vulnerability as 6.1 (Medium). Products affected due to this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to September Service Pack and limit sysadmin account access.

A comprehensive list of vulnerable product versions, documentation, release notes, and fixed versions has been given below.

Affected VersionFixed Version (Full Installer)DocumentationRelease Notes
MOVEit Transfer 2023.0.x (15.0.x)MOVEit Transfer 2023.0.6 (15.0.6)MOVEit 2023 Upgrade Documentation   MOVEit Transfer 2023.0.6 Release Notes
MOVEit Transfer 2022.1.x (14.1.x)MOVEit Transfer 2022.1.9 (14.1.9)MOVEit 2022 Upgrade Documentation  MOVEit Transfer 2022.1.9 Release Notes
MOVEit Transfer 2022.0.x (14.0.x)MOVEit Transfer 2022.0.8 (14.0.8)MOVEit 2022 Upgrade Documentation  MOVEit Transfer 2022.0.8 Release Notes
MOVEit Transfer 2021.1.x (13.1.x)MOVEit Transfer 2021.1.8 (13.1.8)MOVEit 2021 Upgrade Documentation  MOVEit Transfer 2021.1.8 Release Notes
MOVEit Transfer 2021.0.x (13.0.x) or olderMust Upgrade to a Supported VersionSee MOVEit Transfer Upgrade and N/A
Migration Guide  

A security advisory has been released by Progress which includes a comprehensive list of the affected products and the vulnerabilities that have been identified.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MOVEit, SQL injection

Sep 20 2023

The matters that may keep the Information security Officers up at night

Category: CISO,vCISOdisc7 @ 1:46 pm

DISC InfoSec previous posts on CISO topic

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CISOs

Next Page »