DISC InfoSec blogCyber Attack Archives

May 11 2025

Google‘s AI-Powered Countermeasures Against Cyber Scams

Category: AI,Cyber Attack,Cyber crime,Cyber Espionage,Cyber Threats — disc7 @ 10:50 am

Google recently announced a significant advancement in its fight against online scams, leveraging the power of artificial intelligence. This initiative involves deploying AI-driven countermeasures across its major platforms: Chrome, Search, and Android. The aim is to proactively identify and neutralize scam attempts before they reach users.

Key Features of Google‘s AI-Powered Defense:

Enhanced Scam Detection: The AI algorithms analyze various data points, including website content, email headers, and user behavior patterns, to identify potential scams with greater accuracy. This goes beyond simple keyword matching, delving into the nuances of deceptive tactics.
Proactive Warnings: Users are alerted to potentially harmful websites or emails before they interact with them. These warnings are context-aware, providing clear and concise explanations of why a particular site or message is flagged as suspicious.
Improved Phishing Protection: AI helps refine phishing detection by identifying subtle patterns and linguistic cues often used by scammers to trick users into revealing sensitive information.
Cross-Platform Integration: The AI-powered security measures are seamlessly integrated across Google‘s ecosystem, providing a unified defense against scams regardless of the platform being used.

Significance of this Development:

This initiative signifies a crucial step in the ongoing battle against cybercrime. AI-powered scams are becoming increasingly sophisticated, making traditional methods of detection less effective. Google‘s proactive approach using AI is a promising development that could significantly reduce the success rate of these attacks and protect users from financial and personal harm. The cross-platform integration ensures a holistic approach, maximizing the effectiveness of the countermeasures.

Looking Ahead:

While Google‘s initiative is a significant step forward, the fight against AI-powered scams is an ongoing arms race. Cybercriminals constantly adapt their techniques, requiring continuous innovation and improvement in security measures. The future likely involves further refinements of AI algorithms and potentially the integration of other advanced technologies to stay ahead of evolving threats.

This news highlights the evolving landscape of cybersecurity and the crucial role of AI in both perpetrating and preventing cyber threats.

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

NIST: AI/ML Security Still Falls Short

Trust Me – ISO 42001 AI Management System

AI Management System Certification According to the ISO/IEC 42001 Standard

Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

“AI Regulation: Global Challenges and Opportunities”

Tags: Cyber Scams

Comments (0)

Apr 09 2025

NIST: AI/ML Security Still Falls Short

Category: AI,Cyber Attack,cyber security,Cyber Threats — disc7 @ 8:47 am

The U.S. National Institute of Standards and Technology (NIST) has raised concerns about the security vulnerabilities inherent in artificial intelligence (AI) systems. In a recent report, NIST emphasizes that there is currently no foolproof method to defend AI technologies from adversarial attacks. The institute warns against accepting vendor claims of absolute AI security, noting that developers and users should be cautious of such assurances.

NIST’s research highlights several types of attacks that can compromise AI systems:

Evasion Attacks: These occur when adversaries manipulate inputs to deceive AI models, leading to incorrect outputs.
Poisoning Attacks: In these cases, attackers corrupt training data, causing the AI system to learn incorrect behaviors.
Privacy Attacks: These involve extracting sensitive information from AI models, potentially leading to data breaches.
Abuse Attacks: Here, legitimate sources of information are compromised to mislead the AI system’s operations.

NIST underscores that existing defenses against such attacks are insufficient and lack robust assurances. The agency calls on the broader tech community to develop more effective security measures to protect AI systems.

In response to these challenges, NIST has launched the Cybersecurity, Privacy, and AI Program. This initiative aims to support organizations in adapting their risk management strategies to address the evolving landscape of AI-related cybersecurity and privacy risks.

Overall, NIST’s findings serve as a cautionary reminder of the current limitations in AI security and the pressing need for continued research and development of robust defense mechanisms.

For further details, access the article here

While no AI system is fully immune, several practical strategies can reduce the risk of evasion, poisoning, privacy, and abuse attacks:

🔐 1. Evasion Attacks

(Manipulating inputs to fool the model)

Adversarial Training: Include adversarial examples in training data to improve robustness.
Input Validation: Use preprocessing techniques to sanitize or detect manipulated inputs.
Model Explainability: Apply tools like SHAP or LIME to understand decision logic and spot anomalies.

🧪 2. Poisoning Attacks

(Injecting malicious data into training sets)

Data Provenance & Validation: Track and vet data sources to prevent tampered datasets.
Anomaly Detection: Use statistical analysis to spot outliers in the training set.
Robust Learning Algorithms: Choose models that are more resistant to noise and outliers (e.g., RANSAC, robust SVM).

🔍 3. Privacy Attacks

(Extracting sensitive data from the model)

Differential Privacy: Add noise during training or inference to protect individual data points.
Federated Learning: Train models across multiple devices without centralizing data.
Access Controls: Limit who can query or download the model.

🎭 4. Abuse Attacks

(Misusing models in unintended ways)

Usage Monitoring: Log and audit usage patterns for unusual behavior.
Rate Limiting: Throttle access to prevent large-scale probing or abuse.
Red Teaming: Regularly simulate attacks to identify weaknesses.

📘 Bonus Best Practices

Threat Modeling: Apply STRIDE or similar frameworks focused on AI.
Model Watermarking: Identify ownership and detect unauthorized use.
Continuous Monitoring & Patching: Keep models and pipelines under review and updated.

STRIDE stands for a threat modeling methodology that categorizes security threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

DISC InfoSec’s earlier post on the AI topic

Trust Me – ISO 42001 AI Management System

Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

Tags: AI security, ML Security

Comments (1)

Mar 12 2025

How an attacker progress toward valuable assets

Category: Cyber Attack,Hacking — disc7 @ 8:24 am

Many people frequently repeat the phrase, “The good guys have to be right all the time, but the bad guys only have to be right once,” without grasping its true meaning. This oversimplified view distorts the reality of cyberattacks. Attackers don’t succeed with a single stroke of luck; they must overcome multiple security layers while avoiding detection.

To reach their objective, attackers must circumvent various security defenses, often exploiting several vulnerabilities in a sequence. A robust security infrastructure should not collapse due to a single flaw. If one vulnerability leads to a complete compromise, it signals critical weaknesses that require immediate remediation.

Attack path analysis provides insight into how adversaries advance toward high-value assets. By studying these pathways, defenders can identify the most effective points for detection and mitigation, significantly reducing the likelihood of a successful attack.

Even if attackers make progress at multiple stages, well-implemented security measures can obstruct or stop them. By strategically allocating security resources, organizations can increase the complexity and cost of an attack, discouraging potential threats.

An attacker’s progression toward valuable assets follows a structured, multi-step process, often referred to as the Cyber Kill Chain or attack path analysis. This process involves reconnaissance, initial access, privilege escalation, lateral movement, and ultimately, achieving their goal—whether data exfiltration, system disruption, or financial fraud. Each step requires careful planning, evasion techniques, and exploitation of security gaps.

1. Reconnaissance & Initial Access

Attackers start by gathering information about their target, using publicly available data, scanning tools, or social engineering. They identify exposed assets, weak credentials, unpatched vulnerabilities, or employees who might be susceptible to phishing. Once they find an entry point, they exploit it to gain an initial foothold—this could be via phishing emails, misconfigured cloud services, or exploiting software vulnerabilities.

2. Privilege Escalation & Persistence

After gaining initial access, attackers work to increase their privileges, allowing deeper control over the environment. This might involve exploiting misconfigured permissions, stealing admin credentials, or abusing system vulnerabilities. Simultaneously, they establish persistence through backdoors, scheduled tasks, or rootkits, ensuring they can maintain access even if detected at a later stage.

3. Lateral Movement & Discovery

With elevated privileges, attackers move laterally across the network, looking for valuable data and critical systems. They might pivot from one compromised machine to another, exploiting weak authentication mechanisms or using legitimate administrative tools like PowerShell or PsExec. Their goal is to map the infrastructure, identify high-value assets, and locate sensitive data.

4. Data Exfiltration, Impact, or Exploitation

Once attackers reach their target, they execute their final objective. This could involve exfiltrating sensitive data for financial gain, deploying ransomware to disrupt operations, or modifying critical configurations to maintain long-term access. At this stage, defenders who lack proper monitoring, anomaly detection, or incident response capabilities may struggle to prevent damage.

By understanding this attack progression, security teams can focus on key detection points, implement segmentation, and optimize defenses to disrupt the attack before it reaches critical assets.

Cyber Security Kill Chain – Tactics and Strategies: Breaking down the cyberattack process and responding to threats

Tags: attack path analysis, attacker progress, Cyber Security Kill Chain

Comments (0)

Oct 08 2024

American Water shut down some of its systems following a cyberattack

Category: Cyber Attack,OT/ICS — disc7 @ 11:29 am

American Water shut down some of its systems following a cyberattack

American Water, the largest water and wastewater utility company in the U.S., experienced a cyberattack that prompted the shutdown of specific systems. The company took immediate action to secure its infrastructure, and an investigation is ongoing to determine the extent of the breach. The attack has raised concerns about the vulnerability of critical infrastructure to cyber threats.

While the affected systems were isolated to mitigate damage, it is unclear if any customer or operational data was compromised. American Water has stated that service to customers was not disrupted during the incident.

The breach highlights the growing risks faced by essential services and critical infrastructure sectors. This event underscores the importance of robust cybersecurity measures, particularly for utilities that deliver essential public services like water and power.

Homeland Security and Critical Infrastructure Protection

OT, ICS & SCADA Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: critical infrastructure protection, ICS & SCADA Security, OT

Comments (0)

Oct 05 2024

Pager attacks will trigger tighter security at airports, schools, and even hospitals

Category: Cyber Attack,Security Incident — disc7 @ 10:54 pm

The Cybernews article discusses a groundbreaking cyberattack orchestrated by Israel’s Mossad using analog devices, such as pagers and walkie-talkies, to target Hezbollah members in Lebanon and Syria. The attacks occurred on September 17-18, 2024, resulting in over 4,000 injuries and nearly two dozen deaths. The devices were reportedly rigged with explosives and detonated remotely, marking the first time such devices were weaponized in a cyberattack. Hezbollah had previously switched to analog communication methods after Israel had infiltrated their mobile networks, but Mossad exploited this by using a supply chain strategy to distribute compromised devices through a fake company.

Mossad’s complex plan involved creating a shell company that supplied pagers and other devices to Hezbollah, which were secretly manufactured with explosives. The devices were later activated remotely, demonstrating the vulnerability of even low-tech solutions in modern warfare. This supply chain attack highlighted the risks of relying on unverified communication devices and prompted immediate security changes in Lebanon, such as a ban on pagers and walkie-talkies on flights. Iran’s Revolutionary Guard also stopped using communication devices in response to the incident.

Security experts predict that this attack will have far-reaching implications for global security, particularly in the West. The use of handheld devices as weapons could lead to stricter scrutiny of all electronic devices with batteries and communication links, especially in industries like healthcare, where pagers are still in use. Manufacturers are expected to strengthen their supply chain security to prevent such vulnerabilities from being exploited again. There is also concern that security measures in airports, government buildings, and other sensitive locations will be tightened, possibly leading to longer lines and more stringent screening processes.

The implications for security are profound, as this incident demonstrates the potential for even basic technology to be weaponized. Security systems and detection technologies may need to be enhanced to catch these types of attacks in the future. The use of analog devices in high-security environments, such as hospitals and government facilities, may also come under review, with industries either moving away from these tools or enforcing stricter security protocols. This attack underscores the evolving nature of cyber threats and the importance of securing both digital and physical supply chains to prevent similar incidents.

For more information, you can visit here

How will the TSA respond to exploding pagers

What the Exploding Pager Attack Means for Air Travel

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Pager attacks

Comments (0)

Jul 10 2024

Attackers Already Exploiting Flaws in Microsoft’s July Security Update

Category: Cyber Attack,Security vulnerabilities — disc7 @ 10:12 am

Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.

The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.

Lack of Details Heighten Urgency to Fix Zero-Days

One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft’s Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate — or important — severity rating of 6.8 on the 10-point CVSS scale.

As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.

The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.

That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”

Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft’s sparse description. “Exploitation also likely requires the use of an ‘attack chain’ of exploits or programmatic changes on the target host,” he said in prepared comments. “But without further information from Microsoft or the original reporter … it is difficult to give specific guidance.”

Other High-Priority Bugs

The two bugs that were publicly known prior to Microsoft’s July update — and hence are also technically zero-day flaws — are CVE-2024-35264, a remote code execution vulnerability in .Net and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.

In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three are of them, each with a near maximum severity rating of 9.8 on 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076, CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be on the top of the list of bugs to prioritize this month. “Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Child said in his post.

Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.

One eyebrow-raising aspect in this month’s Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — some 39, or more than a quarter of the 139 disclosed vulnerabilities. “Thankfully, none of them are critical based on their CVSS scores and they’re all listed as ‘Exploitation Less Likely,'” saysTyler Reguly, associate director of security R&D at Fortra. “Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch,” he noted.

As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.

https://www.darkreading.com/application-security/attackers-already-exploiting-flaws-in-microsofts-july-security-update

SOURCE: ANUCHA CHEECHANG VIA SHUTTERSTOCK

Zero Day: Novice No More: Expose Software Vulnerabilities And Eliminate Bugs

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Microsoft's Security Update

Comments (0)

Jul 09 2024

How nation-state cyber attacks disrupt public services and undermine citizen trust

Category: APT,Cyber Attack — disc7 @ 11:25 am

In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.

Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.

How nation-state cyber attacks disrupt public services and undermine citizen trust

How do nation-state attacks affect the public sector and services provided to citizens?

All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.

Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.

In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.

A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.

In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public’s trust in the electoral system.

While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What’s harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.

What are the most common vulnerabilities within government IT systems that cyber attackers exploit?

Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.

It’s important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.

How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?

AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular “needle in a haystack” cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.

The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.

The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.

Are there any specific regulatory frameworks or policies that must be implemented or improved?

Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a company’s cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.

The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the “lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to “simplify oversight and regulatory responsibilities of cyber regulators” and “substantially reduce the administrative burden and cost on regulated entities.”

This is a much-needed exercise and it’s encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.

What role should the private sector play in supporting government cybersecurity efforts?

The private sector has threat intelligence that the government often doesn’t have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: nation-state cyber attacks

Comments (0)

May 09 2024

Polish Government Under Sophisticated Cyber Attack From APT28 Hacker Group

Category: APT,Cyber Attack — disc7 @ 8:55 am

Polish Government Under Sophisticated Cyber Attack From APT28 Hacker Group

The Polish computer emergency response team CERT.pl has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.

According to the CERT.pl analysis, the attack begins with spear-phishing emails containing malicious attachments or links.

The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.

Subject: I solved your problem

Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)

Threat actors are increasingly using free, commonly-used services like run.mocky.io and webhook.site to deliver malware while evading detection.

This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to run.mocky.io, a free API testing service, which then redirects to webhook.site for logging requests.

A ZIP archive disguised as an image file (e.g. IMG-238279780.zip) is downloaded from webhook.site.

With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.

Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.

“The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network,” explained CERT.pl in their report.

CERT.pl urges all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.

‼️This week we observed a large-scale malware campaign targeting Polish government institutions. Based on technical indicators and similarity to attacks described in the past, the campaign can be associated with the APT28 activity set. More➡️ https://t.co/Szv62K060q
— CERT Polska (@CERT_Polska_en) May 8, 2024

APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.

The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak and the 2017 NotPetya ransomware outbreak.

This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.

The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.

The Bear Roars: Russia’s Cyber Spies And Global Threat To Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT28, Hacker Group

Comments (0)

Apr 05 2024

Attempted hack on NYC continues wave of cyberattacks against municipal governments

Category: Cyber Attack — disc7 @ 6:08 pm

https://therecord.media/new-york-city-government-smishing-attack

2024 has already seen dozens of local governments slammed by ransomware incidents and cyberattacks, limiting services for millions of people across the United States.

The latest high-profile incident involves New York City, which was forced to take a city payroll website offline and remove it from public view after dealing with a phishing incident.

The incident was first reported by Politico, which spoke to city workers who complained of the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) being offline right as many tried to file their taxes.

New York City’s Office of Technology and Innovation and told Recorded Future News that NYC Cyber Command “was made aware of a smishing campaign targeting NYCAPS users.” Smishing is essentially phishing via text messages instead of emails.

“NYC Cyber Command has been advising and working with FISA-OPA and DCAS to implement enhancements to security measures,” the office said. “City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity.”

A city official reiterated that the NYCAPS website is still online and accessible to all employees through the city’s secure internal network.

The smishing campaign allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain.

Shashi Prakash, CTO at security firm Bolster.AI, told Recorded Future News that his team saw the domain “essnyc{.}online” the day it was registered. Other researchers said the domain was registered in Lithuania.

Prakash explained that his team’s data shows it has been live since December 9 and shared a screenshot of the page, which looks exactly like the NYCAPS website.

“There is one additional domain cityofanaheim{.}online on the same infrastructure which does make it look like they were targeting other cities,” Prakash said.

Keeper Security’s Teresa Rothaar said more than 80 percent of breaches happen because of weak or stolen passwords, credentials and secrets, much of which is acquired through the kind of phishing and smishing attacks New York City is currently dealing with.

To make matters worse, the New York City attackers clearly knew that multi-factor authentication is a critical layer of security and played on that concept while trying to steal credentials.

“Often, innocent people who are not trained on phishing prevention will focus on the ‘pinstripes’ of the email or illegitimate site, meaning the aesthetics that they are familiar with, such as the logo or colors of their banking site,” she said.

“Cybercriminals spend a lot of time making ‘lookalike’ sites appear authentic so that users are tricked into entering login credentials. Employees should always err on the side of caution and assume that all of their work-related (and even personal) passwords have been compromised – especially if they reuse the same passwords across accounts (a big no-no, and this situation illustrates why).”

Countrywide problem

The campaign targeting New York City is one of many specifically going after city, county and state-level governments across the United States.

Just in the last week, the cities of Birmingham, Alabama, and East Baton Rouge, Louisiana, have announced security incidents affecting public services. Jackson County in Missouri was forced to declare a state of emergency after discovering a ransomware attack last month.

On Thursday, the Florida Department of Juvenile Justice in Tallahassee admitted to local news outlets that it was dealing with a cyberattack that forced some systems offline.

Florida’s Hernando County similarly announced a cyberattack on Thursday, warning that while 911, police and EMS systems were still operational, several other government services would be down for an unknown amount of time. Local news outlets reported that the FBI is involved in the response to the incident.

Rebecca Moody, head of data research at Comparitech, has been looking into ransomware attacks on U.S. government offices and said she has found 18 confirmed ransomware attacks so far this year.

Other researchers have tracked at least 25 ransomware attacks on U.S. government offices.

While several states have banned government organizations from paying ransoms to groups, the offices continue to be ripe targets for ransomware gangs and hackers. Washington County in Pennsylvania recently revealed that it paid a $350,000 ransom to hackers following a January ransomware attack.

James Turgal, who spent 22 years working at the FBI, told Recorded Future News that attacks against state, local and tribal governments have accelerated over the last year.

“From the threat actors’ point of view, these municipalities are a target-rich environment with an abundant source of victims. By my estimation, with just around 95,000 soft targets nationwide, there are 40,000 cities, towns and municipalities, approximately 50,000 special government districts nationwide, and then the additional tribal governments that round out the numbers,” he said.

“There needs to be a sense of urgency on the part of state and local governments and municipalities to get ahead of the threat, as these local entities have the most direct impact on our citizens, and a cyber focused disruption can be potentially life-threatening when considering the health and public safety services our local governments control.”

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: municipal governments, NYC

Comments (0)

Mar 29 2024

Compromised SaaS Supply Chain Apps: 97% Of Organizations At Risk Of Cyber Attacks

Category: Cloud computing,Cyber Attack,Information Security — disc7 @ 7:55 am

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.

However, this shift towards a more interconnected digital ecosystem has not come without its risks.

According to the “2024 State of SaaS Security Report” by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.

The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.

From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.

Supply Chain Attacks: A Domino Effect

Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.

The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actors’ targeted attack on JumpCloud’s clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.

The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.

The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.

MFA Bypassing And Token Theft

Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.

Additionally, the report points to a concerning trend of token theft, with many unused tokens creating unnecessary risk exposure for many organizations.

Looking Ahead: SaaS Threat Forecast For 2024

As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.

The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.

Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.

Practical Tips For Enhancing SaaS Security

The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.

Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organization’s SaaS security.

The “2024 State of SaaS Security Report” by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.

With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.

As the digital landscape continues to evolve, so must our approaches to protect it.

Mitigating Supply Chain Attacks in the Digital Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attacks

Comments (0)

Mar 27 2024

SOCIAL MEDIA CONSPIRACY THEORY: WAS THE BALTIMORE BRIDGE COLLISION A RESULT OF CYBER ATTACK?

Category: Cyber Attack — disc7 @ 9:44 am

Social Media Conspiracy Theory: Was the Baltimore Bridge Collision a Result of Cyber Attack?

On an unexpected Tuesday, the collision of a container ship with the Francis Scott Key Bridge in Baltimore not only disrupted the normal flow of traffic and commerce but also sparked a vigorous debate on the potential causes of this incident. Among the various theories proposed, the role of cybersecurity—or the lack thereof—has emerged as a focal point of discussion. This event has served as a catalyst for a broader examination of cybersecurity practices within the maritime industry, revealing both vulnerabilities and the sometimes-overlooked factors that suggest other causes for such incidents. In the digital age, the maritime industry’s reliance on technology for navigation, communication, and operational functions has grown exponentially. This shift towards digitalization, while beneficial in terms of efficiency and connectivity, has also increased the sector’s exposure to cyber threats. Systems that control navigation, cargo handling, and engine operations are all potential targets for cyberattacks, which can lead to severe safety and financial risks.

EVALUATING THE POTENTIAL FOR A CYBERSECURITY BREACH

In recent years, the maritime industry has increasingly embraced technology, relying on digital systems for navigation, communication, and operational functions. This digital transformation has enhanced efficiency and connectivity but has also exposed the sector to cyber threats. Cyberattacks can target systems controlling navigation, cargo handling, and even the engines of these colossal vessels, posing a significant risk to safety and commerce.

Could Cybersecurity Have Been a Factor in the Baltimore Incident?

To understand whether a cybersecurity breach could have led to the collision with the Francis Scott Key Bridge, it is essential to consider several factors:

Navigation Systems Vulnerability: Modern ships use sophisticated navigation systems like the Automatic Identification System (AIS) and the Electronic Chart Display and Information System (ECDIS). If these systems were compromised, it could lead to inaccurate positioning information or erroneous navigational instructions.
Operational Control Systems: Beyond navigation, ships rely on complex systems for operational control, including engine management and steering control. A cyberattack on these systems could impair a vessel’s ability to maneuver, potentially leading to accidents.
Human Error vs. Cyber Intrusion: Distinguishing between human error and the consequences of a cyberattack can be challenging. Incidents might initially appear as operational or navigational errors but later investigations could uncover tampering with digital systems.
Historical Precedents: The maritime industry has witnessed cyberattacks before, such as the 2017 cyberattack on the shipping giant Maersk, which led to significant operational disruptions. These precedents highlight the plausibility of cybersecurity breaches leading to physical incidents.

World largest logistic company suffers massive cyber attack

ARGUMENTS AGAINST CYBERSECURITY BEING A FACTOR

While the possibility of a cybersecurity breach cannot be dismissed outright, several arguments suggest that other factors could be more plausible:

Technical Safeguards and Redundancies

Maritime vessels are equipped with numerous technical safeguards and redundant systems designed to prevent total system failure in case of a cyber intrusion. These include manual overrides for navigation and control systems, allowing crew members to maintain control over the vessel even if digital systems are compromised. Such safeguards can mitigate the impact of a cyber attack on a ship’s operational capabilities.

Cybersecurity Protocols and Training

The maritime industry has been increasingly aware of the potential cyber threats and has implemented stringent cybersecurity protocols and training for crew members. These measures are aimed at preventing unauthorized access and ensuring the integrity of the ship’s systems. Crews are trained to recognize and respond to cybersecurity threats, reducing the likelihood of a successful cyber attack impacting vessel navigation or control systems.

Physical Factors and Human Error

Many maritime incidents are the result of physical factors or human error rather than cyber attacks. These can include adverse weather conditions, navigational errors, mechanical failures, and miscommunication among crew members. Such factors have historically been the most common causes of maritime accidents and cannot be overlooked in any thorough investigation.

Complexity of Executing a Targeted Cyber Attack

Executing a cyber attack that leads to a specific outcome, such as causing a ship to collide with a bridge, requires an intimate knowledge of the vessel’s systems, current position, and intended course. It also necessitates overcoming the vessel’s cybersecurity measures without detection. The complexity and specificity of such an attack make it a less likely cause of maritime incidents compared to more conventional explanations.

Lack of Evidence Indicating a Cyber Attack

In the absence of specific evidence pointing to a cyber intrusion, such as anomalies in the ship’s digital systems, unauthorized access logs, or the presence of malware, it is prudent to consider other more likely causes. Cybersecurity investigations involve detailed analysis of digital footprints and system logs, and without concrete evidence suggesting a cyber attack, attributing the incident to such a cause would be speculative.

THE PATH FORWARD: STRENGTHENING CYBERSECURITY WHILE ACKNOWLEDGING OTHER RISKS

Regardless of whether a cyberattack played a role in the Baltimore bridge incident, this event underscores the importance of robust cybersecurity practices in the maritime industry. Enhancing cyber defenses, conducting regular security assessments, and training personnel in cybersecurity awareness are crucial steps in safeguarding maritime operations.

However, it is equally important to recognize and mitigate the non-cyber risks that ships face. A comprehensive approach to safety and security, encompassing both cyber and traditional factors, is essential for protecting the maritime industry against a wide range of threats.

The collision of a container ship with the Francis Scott Key Bridge has highlighted the critical role of cybersecurity in modern maritime operations, while also reminding us of the myriad other factors that can lead to such incidents. As the investigation into this event continues, the maritime industry must take a holistic view of security, embracing both digital and physical measures to ensure the safety of its operations in an increasingly complex and interconnected world.

“Our thoughts and prayers are with the U.S. Coast Guard Sector NCR, multiple first responders, and all those affected by the tragic incident at the Francis Scott Key Bridge in Baltimore. According to reports, a 948-foot Singapore-flagged containership collided with the bridge causing it to collapse, with persons reported to be in the water.”

Next Level Cybersecurity: Detect the Signals, Stop the Hack

Maritime Cybersecurity: A Guide for Leaders and Managers

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: BALTIMORE BRIDGE COLLISION, Maritime Cybersecurity

Comments (0)

Mar 25 2024

170K+ Python Developers GitHub Accounts Hacked In Supply Chain Attack

Category: Cyber Attack,Hacking,Python — disc7 @ 8:38 am

170K+ Python Developers GitHub Accounts Hacked in Supply Chain Attack

Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain.

The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organizations.

This article delves into the attack campaign, its impact on victims, the tactics, techniques, and procedures (TTPs) employed by the threat actors, and the critical findings from Checkmarx’s investigation.

Attack Campaign Description

The core of this malicious campaign revolves around an attacker’s ability to combine several TTPs to launch a silent attack on the software supply chain, specifically targeting the Python ecosystem.

By creating multiple malicious open-source tools with enticing descriptions, the attackers lured victims into their trap, primarily through search engines.

The campaign’s sophistication is evident in distributing a malicious dependency hosted on a fake Python infrastructure, which was then linked to popular projects on GitHub and legitimate Python packages.

A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.

Dief encountered a suspicious error message while working on his laptop, the first sign of the compromise, leading to the realization that his system had been hacked.

Victims And Impact

Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.

The attackers managed to hijack GitHub accounts with high reputations, including that of “editor-syntax,” a maintainer with write permissions to Top.gg’s repositories.

The Top.gg community (which boasts over 170K members) was also a victim of this attack

This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.

The attack’s impact is far-reaching, affecting individual developers and larger communities alike.

Social engineering schemes, account takeovers, and malicious packages published on the PyPi registry have underscored the software supply chain’s vulnerability to such sophisticated attacks.

The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.

The campaign appears to have successfully exploited multiple victims.

Threat Actors And TTPs

The threat actors behind this campaign demonstrated high sophistication and planning.

They employed a range of TTPs, including:

Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPi registry, they could distribute malware under the guise of legitimate software.
Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.

By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.

“The malicious payload delivered through these packages is designed to harvest sensitive information, including passwords, credentials, and data from various software applications.

The malware targets web browsers, Discord, cryptocurrency wallets, and Telegram, and even includes a keylogging component to capture victims’ keystrokes.

The final stage of the malware reveals its data-stealing capabilities, targeting not only personal and financial information but also attempting to gain unauthorized access to victims’ social media and communication platforms.

This attack campaign highlights the critical vulnerabilities within the software supply chain, particularly in open-source ecosystems like Python’s.

The sophistication and success of the attackers in exploiting these vulnerabilities underscore the need for heightened vigilance and robust security practices among developers and organizations.

Through continuous monitoring, collaboration, and information sharing, the cybersecurity community can mitigate risks and protect the integrity of open-source software.

Python for Cybersecurity: Using Python for Cyber Offense and Defense

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attack

Comments (0)

Feb 02 2024

FritzFrog Botnet Attacking Linux Servers To Steal SSH Credentials

Category: Botnet,Cyber Attack — disc7 @ 9:38 am

FritzFrog Botnet Attacking Linux Servers to Steal SSH Credentials

The FritzFrog botnet, originally identified in 2020, is an advanced peer-to-peer botnet built in Golang that can operate on both AMD and ARM-based devices. With constant updates, the malware has developed over time, adding and enhancing features.

A new strain of the FritzFrog botnet was discovered exploiting the Log4Shell vulnerability to target all hosts in the internal network.

Additionally, by using weak SSH credentials, the malware attacks servers that are accessible over the internet.

“Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable,” Akamai shared with Cyber Security News.

The Exploitation Chain

The only infection vector used by FritzFrog was SSH brute force; however, more recent iterations of the malware have added the Log4Shell exploitation dubbed “Frog4Shell”.

A vulnerability called Log4Shell was found in the popular open-source Log4j web tool in 2021. Governments and security firms carried out a global initiative to patch the technology.

Presently, the malware targets every host on the internal network as part of its routine for spreading. The malware is attempting to connect to every address on the local network to accomplish this.

According to the researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatched—a situation that FritzFrog takes advantage of.

FritzFrog scanning the local network to identify targets

“This means that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” researchers said.

FritzFrog searches for HTTP servers on ports 8080, 8090, 8888, and 9000 to find possible Log4Shell targets. The malware is currently targeting as many vulnerable Java applications as possible.

Additionally, FritzFrog enhanced its capacity to identify targets for SSH brute force, which is its primary infection vector.

FritzFrog will now attempt to identify specific SSH targets by counting multiple system logs on each of its victims, in addition to targeting randomly generated IP addresses.

The malware now includes a module that exploits CVE-2021-4034, a privilege escalation in the polkit Linux component. On susceptible servers, this module allows the malware to operate as root.

“Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today,” researchers said.

Recommendation

The network segmentation can stop the lateral movement of the malware. Software-based segmentation has the potential to be a long-lasting protective measure that is comparatively easy to implement.
For use on SSH servers, a FritzFrog detection script is given that searches for the following FritzFrog indicators:

a. Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system (as seen below)

b. Listening port 1234

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Comments (0)

Jan 04 2024

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

Category: Cyber Attack,Information Security,Web Security — disc7 @ 10:26 am

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

The latest stable channel update for Google Chrome, version 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows, is now available and will shortly be rolled out to all users.

Furthermore, the Extended Stable channel has been updated to 120.0.6099.200 for Windows and 120.0.6099.199 for Mac.

There are six security fixes in this release. Three of these flaws allowed an attacker to take control of a browser through use-after-free conditions.

Use-after-free is a condition in which the memory allocation is freed, but the program does not clear the pointer to that memory. This is due to incorrect usage of dynamic memory allocation during an operation.

CVE-2024-0222: Use After Free In ANGLE

Use after free in ANGLE in Google Chrome presents a high-severity vulnerability that might have led to a remote attacker compromising the renderer process and using a crafted HTML page to exploit heap corruption.

Google awarded $15,000 to Toan (suto) Pham of Qrious Secure for reporting this vulnerability.

CVE-2024-0223: Heap Buffer Overflow In ANGLE

This high-severity flaw was a heap buffer overflow in ANGLE that could have been exploited by a remote attacker using a crafted HTML page to cause heap corruption.

Toan (suto) Pham and Tri Dang of Qrious Secure received a $15,000 reward from Google for discovering this vulnerability.

CVE-2024-0224: Use After Free In WebAudio

A high-severity use after free in WebAudio in Google Chrome might potentially allow a remote attacker to exploit heap corruption through a manipulated HTML page.

Google awarded Huang Xilin of Ant Group Light-Year Security Lab a $10,000 reward for finding this issue.

CVE-2024-0225: Use After Free In WebGPU

A remote attacker may have been able to exploit heap corruption through a specifically designed HTML page due to high severity vulnerability in Google’s use after free in WebGPU.

The details about the reporter of this vulnerability were mentioned as anonymous.

The use after free conditions existed in Google Chrome before version 120.0.6099.199. To avoid exploiting these vulnerabilities, Google advises users to update to the most recent version of Google Chrome.

How To Update Google Chrome

Open Chrome.
At the top right, click More.
Click Help About Google Chrome.
Click Update Google Chrome. Important: If you can’t find this button, you’re on the latest version.
Click Relaunch.

Browser Security Platform Checklist

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Google Chrome

Comments (0)

Jan 02 2024

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Category: Cyber Attack,Hacking — disc7 @ 10:48 am

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Fortunately for Radioactive Waste Management (RWM), the first-of-its-kind hacker attack on the project was unsuccessful.

The United Kingdom’s Radioactive Waste Management (RWM) company overseeing the nation’s radioactive waste has revealed a recent cyberattack attempt through LinkedIn. While the attack was reportedly unsuccessful, it has raised eyebrows in the nuclear sector, sparking concerns about the security of critical nuclear infrastructure.

As reported by The Guardian, the hackers directed their attack at the company through LinkedIn. However, whether it was a phishing attack or an attempt to trick employees into installing malware on the system, the modus operandi remains unknown.

Typically, LinkedIn is exploited for phishing scams targeting employees of specific companies. An example from last year involves ESET researchers reporting a cyberespionage campaign by North Korean government-backed hackers from the Lazarus group. The campaign specifically targeted employees at a Spanish aerospace firm.

The RWM is spearheading the £50bn Geological Disposal Facility (GDF) project, aimed at constructing a substantial underground nuclear waste repository in Britain. As a government-owned entity, RWM facilitated the merger of three nuclear bodies—the GDF project, the Low-Level Waste Repository, and another waste management entity—to establish Nuclear Waste Services (NWS).

“NWS has seen, like many other UK businesses, that LinkedIn has been used as a source to identify the people who work within our business. These attempts were detected and denied through our multi-layered defences,” stated an NWS spokesperson.

However, the incident raises concerns, as experts warn that social media platforms such as LinkedIn are becoming preferred playgrounds for hackers. These platforms provide multiple avenues for infiltration, including the creation of fake accounts, phishing messages, and direct credential theft.

The FBI’s special agent in charge of the San Francisco and Sacramento field offices, Sean Ragan, has emphasized the ‘significant threat’ of fraudsters exploiting LinkedIn to lure users into cryptocurrency investment schemes, citing numerous potential victims and past and current cases.

In October 2023, email security firm Cofense discovered a phishing campaign abusing Smart Links, part of the LinkedIn Sales Navigator and Enterprise service, to send authentic-looking emails, steal payment data, and bypass email protection mechanisms.

In November 2023, a LinkedIn database containing over 35 million users’ personal information was leaked by a hacker named USDoD, who previously breached the FBI’s InfraGard platform. The database was obtained through web scraping, an automated process to extract data from websites.

Social engineering attacks, such as deceptive emails and malicious links, offer hackers a gateway to sensitive information. LinkedIn has taken steps to warn users about potential scams and provide resources for staying safe online. Still, concerns about digital security remain prevalent in the nuclear industry, especially after the Guardian exposé of cybersecurity vulnerabilities at the Sellafield plant.

In 2023, the Sellafield nuclear site in Cumbria experienced cybersecurity issues, indicating a need for improved safeguards and tighter regulations. The RWM incident highlights the growing interest of cybercrime syndicates to target nuclear sites.

The NWS acknowledges the need for continuous improvement to strengthen cybersecurity measures, highlighting that emergency response plans must match evolving business needs.

Cyber Threats and Nuclear Weapons

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Threats and Nuclear Weapons, UK’s Nuclear Waste Services

Comments (0)

Dec 29 2023

New Medusa Stealer Attacking Users To Steal Login Credentials

Category: Cyber Attack,Password Security — disc7 @ 9:24 am

New Medusa Stealer Attacking Users to Steal Login Credentials

While the world celebrated Christmas, the cybercrime underworld feasted on a different kind of treat: the release of Meduza 2.2, a significantly upgraded password stealer poised to wreak havoc on unsuspecting victims.

Cybersecurity researchers at Resecurity uncovered the details of New Medusa Stealer malware.

Resecurity is a cybersecurity company specializing in endpoint protection, risk management, and cyber threat intelligence.

Translation:
Attention! The New Year’s Update
Before the New Year 2024, the Meduza team decided to please customers with an update. Under the Christmas tree, you can find great gifts such as significant improvements in user interface (panel), modal windows on loading, and expansion of data collection objects

A Feast Of Features

Meduza 2.2 boasts a veritable buffet of enhancements, including:

Expanded Software Coverage: The stealer now targets over 100 browsers, 100 cryptocurrency wallets, and a slew of other applications like Telegram, Discord, and password managers. This broader reach increases its potential for victimization.
Enhanced Credential Extraction: Meduza 2.2 digs deeper, grabbing data from browser local storage dumps, Windows Credential Manager, and Windows Vault, unlocking a treasure trove of sensitive information.
Google Token Grabber: This new feature snags Google Account tokens, allowing attackers to manipulate cookies and gain access to compromised accounts.
Improved Crypto Focus: Support for new browser-based cryptocurrency wallets like OKX and Enrypt, along with Google Account token extraction, makes Meduza a potent tool for financial fraud.
Boosted Evasion: The stealer boasts an optimized crypting stub and improved AV evasion techniques, making it harder to detect and remove.

These advancements position Meduza as a serious competitor to established players like Azorult and Redline Stealer.

Its flexible configuration, wide application coverage, and competitive pricing ($199 per month) make it an attractive option for cybercriminals of all skill levels.

A Recipe For Trouble

The consequences of Meduza’s widespread adoption are grim.

Account Takeovers (ATOs): Stolen credentials can be used to hijack email accounts, social media profiles, bank accounts, and other online services.
Online Banking Theft: Financial data gleaned from infected machines can be used to drain bank accounts and initiate fraudulent transactions.
Identity Theft: Sensitive information like names, addresses, and Social Security numbers can be exploited for identity theft and financial fraud.

To combat this growing threat, individuals and organizations must:

Practice strong password hygiene: Use unique, complex passwords for all accounts and enable two-factor authentication where available.
Beware of phishing scams: Don’t click on suspicious links or download attachments from unknown sources.
Keep software up to date: Regularly update operating systems, applications, and security software to patch vulnerabilities.
Invest in robust security solutions: Implement comprehensive security solutions that can detect and block malware like Meduza.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Medusa Stealer

Comments (0)

Dec 27 2023

EXPERTS ANALYZED ATTACKS AGAINST POORLY MANAGED LINUX SSH SERVERS

Category: Cyber Attack,Linux Security — disc7 @ 8:07 am

Experts analyzed attacks against poorly managed Linux SSH servers

Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing DDoS bot and CoinMiner.

Researchers at AhnLab Security Emergency Response Center (ASEC) are warning about attacks targeting poorly managed Linux SSH servers, primarily focused on installing DDoS bots and CoinMiners.

In the reconnaissance phase, the threat actors perform IP scanning to look for servers with the SSH service, or port 22 activated, then launch a brute force or dictionary attack to obtain the ID and password.

Threat actors can also install malware to scan, perform brute force attacks, and sell breached IP and account credentials on the dark web.

Common malware used in attacks against poorly managed Linux SSH servers include ShellBot [1][2], Tsunami [3], ChinaZ DDoS Bot [4], and XMRig CoinMiner [5].

Once successfully logged in, the threat actor first executed the following command to check the total number of CPU cores.

> grep -c ^processor /proc/cpuinfo

“The execution of this command signifies that the threat actor has obtained the account credentials. Afterward, the threat actor logged in again using the same account credentials and downloaded a compressed file.” reads the analysis published by ASEC. “The compressed file contains a port scanner and an SSH dictionary attack tool. Additionally, commands accidentally typed by the threat actor can be seen, such as “cd /ev/network” and “unaem 0a”.”

These researchers believe that the tools employed in the attacks are based on the ones that have been created by the PRG old Team. Each threat actor created its custom version of the tools by modifying them.

The researchers recommend administrators should use strong passwords that are difficult to guess and change them periodically. These measures should protect the Linux SSH servers from brute force attacks and dictionary attacks. The experts also recommend updating to the latest patch to prevent attacks exploiting known vulnerabilities.

“Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.” concludes the report.

Mastering Linux Security and Hardening: A practical guide to protecting your Linux system from cyber attacks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SSH SERVERS

Comments (0)

Dec 18 2023

8220 Hacker Group Attacking Windows & Linux Web Servers

Category: Cyber Attack,Hacking,Linux Security,Windows Security — disc7 @ 1:40 pm

8220 Hacker Group Attacking Windows & Linux Web Servers

The 8220 hacker group, which was first identified in 2017 by Cisco Talos, is exploiting both Windows and Linux web servers with crypto-jacking malware. One of their recent activities involved the exploitation of Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).

However, the history of this threat group had several exploited vulnerabilities such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications. Their TTPs are evolved with different publicly released exploits.

8220 Hacker Group

In addition to this, the group was also discovered to be exploiting (CVE-2020-14883), a Remote code execution vulnerability in Oracle WebLogic Server. This exploitation chain is combined with another authentication bypass vulnerability (CVE-2020-14882) in the Oracle WebLogic server.

The exploitation methods of these two vulnerabilities are publicly available, making it relatively easy for the threat actor to modify and exploit them for malicious purposes.

Two different exploit chains were discovered, and one of them enables the loading of an XML file used for further phases of execution of commands on the OS, whereas the other one executes Java code without the use of an XML file.

Infection Chains

The first infection chain uses different XML files that depend on the target OS. In the case of Linux, the downloading of other files is performed via cURL, wget, lwp-download, and python urllib along with a custom bash function that encodes it to base64.

*Custom bash function (Source: Imperva)*

The method injects a Java code which also initially evaluates the OS and executes the same command strings executed in the first method. Once the download and execution process takes place, the compromised hosts are infected with AgentTesla, rhajk, and nasqa malware variants.

A complete report has been published, which provides detailed information about the exploitation, command used, encoding, and other information.

Indicators Of Compromise

URL

Source IPs

Common Windows, Linux and Web Server Systems Hacking Techniques

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Windows & Linux Web Servers

Comments (0)

Dec 11 2023

How Well Do You Know Your Attack Surface? Five Tips to Reduce the Risk of Exposure

Category: Cyber Attack — disc7 @ 8:16 am

It’s no secret the attack surface is expanding at an unprecedented rate. We’ve hand-picked our top tips to reduce your exposure.

https://www.crowdstrike.com/blog/five-tips-to-shield-from-exposures/?

In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.

Do You Really Know Your Organization’s Attack Surface?

To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain.

Building a Successful Exposure Management Strategy with EASM

In an age where unknown entryways can lead to invaluable troves of information, external attack surface management (EASM) can find doors that may be left open. CrowdStrike Falcon® Exposure Management finds those potential access points before adversaries do.

Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.

Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively protect valuable assets from malicious actors.

Top Tips to Reduce External Attack Surface Exposures

Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks

There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.

How:

Stand up a server that sits outside of your network perimeter
Install nmap or any other network scanner you’re comfortable with
Grab a list of your IP ranges
Set up a cron job to scan continuously for port 3389
Grab the logs weekly
Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
- Clues:
  - Domain name (if applicable)
  - IPAM IP range notes
  - Login banners
For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server

Avoid allowing directory listing on your web servers

Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information.

How:

Stand up a server that sits outside of your network perimeter
Install nmap or any other network scanner you are comfortable with
Grab a list of your IP ranges
Set up a cron job to scan continuously for open HTTP
Grab the logs weekly
For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
- Clues:
  - Domain name (if applicable)
  - IPAM IP range notes
  - Login banners
  - Other website info

Place test environments behind a VPN

Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.

How:

Identify all of your production environments:
- Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
- Query whois reverse search under your organization name (there are multiple vendors and open source tools for this)
All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA

Avoid hostile subdomain takeovers

Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

How:

Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
Do a zone transfer on all of the domains your organization owns
Get a list of all of your IP ranges
Parse the IP addresses against your known IP range list
For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
Determine if they are pointing at anything you know you own
Any unused subdomain should be retired properly:
- Use “Null MX” record
- Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain

Enforce input validation

Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).

How:

Follow the OWASP input validation cheat sheet
Assume all external user-defined input is an attack surface:

Forms fields
Uniform resource identifiers (URIs)
APIs
Attachments
And more

Bonus Tip: Continuously monitor your attack surface

Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.

Having an effective exposure management program enables teams to stay vigilant and proactively monitor and secure entire IT ecosystems, which is essential in safeguarding an entire attack surface. You need to add a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.

Additional Resources

Tune in to our October CrowdCast, “Shut Down Adversary Opportunities with Proactive Exposure Management,” and learn about the rest of our upcoming series.
Want to learn more about Falcon Exposure Management ? Visit the Falcon Exposure Management product page.
Download the Falcon Surface data sheet to learn more about our EASM technology.
See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats. Start your 15-day free trial today.

Mastering Attack Surface Management: A Comprehensive Guide To Learn Attack Surface Management

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Attack Surface

Comments (0)

Google‘s AI-Powered Countermeasures Against Cyber Scams

🔐 1. Evasion Attacks

🧪 2. Poisoning Attacks

🔍 3. Privacy Attacks

🎭 4. Abuse Attacks

📘 Bonus Best Practices

1. Reconnaissance & Initial Access

2. Privilege Escalation & Persistence

3. Lateral Movement & Discovery

4. Data Exfiltration, Impact, or Exploitation

Lack of Details Heighten Urgency to Fix Zero-Days

Other High-Priority Bugs

How do nation-state attacks affect the public sector and services provided to citizens?

What are the most common vulnerabilities within government IT systems that cyber attackers exploit?

How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?

Are there any specific regulatory frameworks or policies that must be implemented or improved?

What role should the private sector play in supporting government cybersecurity efforts?

Countrywide problem

Supply Chain Attacks: A Domino Effect

MFA Bypassing And Token Theft

Looking Ahead: SaaS Threat Forecast For 2024

Practical Tips For Enhancing SaaS Security

EVALUATING THE POTENTIAL FOR A CYBERSECURITY BREACH

ARGUMENTS AGAINST CYBERSECURITY BEING A FACTOR

THE PATH FORWARD: STRENGTHENING CYBERSECURITY WHILE ACKNOWLEDGING OTHER RISKS

Attack Campaign Description

Victims And Impact

Threat Actors And TTPs

The Exploitation Chain

Recommendation

CVE-2024-0222: Use After Free In ANGLE

CVE-2024-0223: Heap Buffer Overflow In ANGLE

CVE-2024-0224: Use After Free In WebAudio

CVE-2024-0225: Use After Free In WebGPU

How To Update Google Chrome

A Feast Of Features

A Recipe For Trouble

Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing DDoS bot and CoinMiner.

8220 Hacker Group

Infection Chains

Indicators Of Compromise

Do You Really Know Your Organization’s Attack Surface?

Building a Successful Exposure Management Strategy with EASM

Top Tips to Reduce External Attack Surface Exposures

Bonus Tip: Continuously monitor your attack surface

Additional Resources

Get new posts by email:

vCISO as a service