Oct 08 2024

American Water shut down some of its systems following a cyberattack

Category: Cyber Attack,OT/ICSdisc7 @ 11:29 am

American Water, the largest water and wastewater utility company in the U.S., experienced a cyberattack that prompted the shutdown of specific systems. The company took immediate action to secure its infrastructure, and an investigation is ongoing to determine the extent of the breach. The attack has raised concerns about the vulnerability of critical infrastructure to cyber threats.

While the affected systems were isolated to mitigate damage, it is unclear if any customer or operational data was compromised. American Water has stated that service to customers was not disrupted during the incident.

The breach highlights the growing risks faced by essential services and critical infrastructure sectors. This event underscores the importance of robust cybersecurity measures, particularly for utilities that deliver essential public services like water and power.

Homeland Security and Critical Infrastructure Protection

OT, ICS & SCADA Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: critical infrastructure protection, ICS & SCADA Security, OT


Oct 05 2024

Pager attacks will trigger tighter security at airports, schools, and even hospitals

Category: Cyber Attack,Security Incidentdisc7 @ 10:54 pm

The Cybernews article discusses a groundbreaking cyberattack orchestrated by Israel’s Mossad using analog devices, such as pagers and walkie-talkies, to target Hezbollah members in Lebanon and Syria. The attacks occurred on September 17-18, 2024, resulting in over 4,000 injuries and nearly two dozen deaths. The devices were reportedly rigged with explosives and detonated remotely, marking the first time such devices were weaponized in a cyberattack. Hezbollah had previously switched to analog communication methods after Israel had infiltrated their mobile networks, but Mossad exploited this by using a supply chain strategy to distribute compromised devices through a fake company.

Mossad’s complex plan involved creating a shell company that supplied pagers and other devices to Hezbollah, which were secretly manufactured with explosives. The devices were later activated remotely, demonstrating the vulnerability of even low-tech solutions in modern warfare. This supply chain attack highlighted the risks of relying on unverified communication devices and prompted immediate security changes in Lebanon, such as a ban on pagers and walkie-talkies on flights. Iran’s Revolutionary Guard also stopped using communication devices in response to the incident.

Security experts predict that this attack will have far-reaching implications for global security, particularly in the West. The use of handheld devices as weapons could lead to stricter scrutiny of all electronic devices with batteries and communication links, especially in industries like healthcare, where pagers are still in use. Manufacturers are expected to strengthen their supply chain security to prevent such vulnerabilities from being exploited again. There is also concern that security measures in airports, government buildings, and other sensitive locations will be tightened, possibly leading to longer lines and more stringent screening processes.

The implications for security are profound, as this incident demonstrates the potential for even basic technology to be weaponized. Security systems and detection technologies may need to be enhanced to catch these types of attacks in the future. The use of analog devices in high-security environments, such as hospitals and government facilities, may also come under review, with industries either moving away from these tools or enforcing stricter security protocols. This attack underscores the evolving nature of cyber threats and the importance of securing both digital and physical supply chains to prevent similar incidents.

For more information, you can visit here

Image by Justin Sullivan | Shutterstock

How will the TSA respond to exploding pagers

What the Exploding Pager Attack Means for Air Travel

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Pager attacks


Jul 10 2024

Attackers Already Exploiting Flaws in Microsoft’s July Security Update

Category: Cyber Attack,Security vulnerabilitiesdisc7 @ 10:12 am

Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.

The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.

Lack of Details Heighten Urgency to Fix Zero-Days

One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft’s Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate — or important — severity rating of 6.8 on the 10-point CVSS scale.

As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.

The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.

That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”

Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft’s sparse description. “Exploitation also likely requires the use of an ‘attack chain’ of exploits or programmatic changes on the target host,” he said in prepared comments. “But without further information from Microsoft or the original reporter … it is difficult to give specific guidance.”

Other High-Priority Bugs

The two bugs that were publicly known prior to Microsoft’s July update — and hence are also technically zero-day flaws — are CVE-2024-35264, a remote code execution vulnerability in .Net and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.

In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three are of them, each with a near maximum severity rating of 9.8 on 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be on the top of the list of bugs to prioritize this month. “Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Child said in his post.

Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.

One eyebrow-raising aspect in this month’s Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — some 39, or more than a quarter of the 139 disclosed vulnerabilities. “Thankfully, none of them are critical based on their CVSS scores and they’re all listed as ‘Exploitation Less Likely,'” saysTyler Reguly, associate director of security R&D at Fortra. “Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch,” he noted.

As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.

https://www.darkreading.com/application-security/attackers-already-exploiting-flaws-in-microsofts-july-security-update

SOURCE: ANUCHA CHEECHANG VIA SHUTTERSTOCK

Zero Day: Novice No More: Expose Software Vulnerabilities And Eliminate Bugs

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Microsoft's Security Update


Jul 09 2024

How nation-state cyber attacks disrupt public services and undermine citizen trust

Category: APT,Cyber Attackdisc7 @ 11:25 am

In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.

Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.

How do nation-state attacks affect the public sector and services provided to citizens?

All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.

Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.

In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.

A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.

In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public’s trust in the electoral system.

While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What’s harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.

What are the most common vulnerabilities within government IT systems that cyber attackers exploit?

Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.

It’s important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.

How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?

AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular “needle in a haystack” cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.

The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.

The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.

Are there any specific regulatory frameworks or policies that must be implemented or improved?

Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a company’s cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.

The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the “lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to “simplify oversight and regulatory responsibilities of cyber regulators” and “substantially reduce the administrative burden and cost on regulated entities.”

This is a much-needed exercise and it’s encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.

What role should the private sector play in supporting government cybersecurity efforts?

The private sector has threat intelligence that the government often doesn’t have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: nation-state cyber attacks


May 09 2024

Polish Government Under Sophisticated Cyber Attack From APT28 Hacker Group

Category: APT,Cyber Attackdisc7 @ 8:55 am

The Polish computer emergency response team CERT.pl has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.

According to the CERT.pl analysis, the attack begins with spear-phishing emails containing malicious attachments or links.

The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.

Subject: I solved your problem

Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)

Threat actors are increasingly using free, commonly-used services like run.mocky.io and webhook.site to deliver malware while evading detection.

This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to run.mocky.io, a free API testing service, which then redirects to webhook.site for logging requests.

A ZIP archive disguised as an image file (e.g. IMG-238279780.zip) is downloaded from webhook.site.

With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.

entire attack flow

Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.

“The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network,” explained CERT.pl in their report.

CERT.pl urges all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.

APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.

The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak and the 2017 NotPetya ransomware outbreak.

This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.

The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.

The Bear Roars: Russia’s Cyber Spies And Global Threat To Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT28, Hacker Group


Apr 08 2024

Social Engineering Attacks Targeting IT Help Desks in the Health Sector

Category: Cyber Attack,social engineeringdisc7 @ 5:17 pm

Cyberwarfare & Social Engineering

Explore Social Engineering

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cyberwarfare, social engineering


Apr 05 2024

Attempted hack on NYC continues wave of cyberattacks against municipal governments

Category: Cyber Attackdisc7 @ 6:08 pm
https://therecord.media/new-york-city-government-smishing-attack

2024 has already seen dozens of local governments slammed by ransomware incidents and cyberattacks, limiting services for millions of people across the United States.

The latest high-profile incident involves New York City, which was forced to take a city payroll website offline and remove it from public view after dealing with a phishing incident.

The incident was first reported by Politico, which spoke to city workers who complained of the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) being offline right as many tried to file their taxes. 

New York City’s Office of Technology and Innovation and told Recorded Future News that NYC Cyber Command “was made aware of a smishing campaign targeting NYCAPS users.” Smishing is essentially phishing via text messages instead of emails. 

“NYC Cyber Command has been advising and working with FISA-OPA and DCAS to implement enhancements to security measures,” the office  said. “City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity.”

A city official reiterated that the NYCAPS website is still online and accessible to all employees through the city’s secure internal network.

The smishing campaign allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain. 

Shashi Prakash, CTO at security firm Bolster.AI, told Recorded Future News that his team saw the domain “essnyc{.}online” the day it was registered. Other researchers said the domain was registered in Lithuania. 

Prakash explained that his team’s data shows it has been live since December 9 and shared a screenshot of the page, which looks exactly like the NYCAPS website. 

“There is one additional domain cityofanaheim{.}online on the same infrastructure which does make it look like they were targeting other cities,” Prakash said. 

Keeper Security’s Teresa Rothaar said more than 80 percent of breaches happen because of weak or stolen passwords, credentials and secrets, much of which is acquired through the kind of phishing and smishing attacks New York City is currently dealing with. 

To make matters worse, the New York City attackers clearly knew that multi-factor authentication is a critical layer of security and played on that concept while trying to steal credentials. 

“Often, innocent people who are not trained on phishing prevention will focus on the ‘pinstripes’ of the email or illegitimate site, meaning the aesthetics that they are familiar with, such as the logo or colors of their banking site,” she said.  

“Cybercriminals spend a lot of time making ‘lookalike’ sites appear authentic so that users are tricked into entering login credentials. Employees should always err on the side of caution and assume that all of their work-related (and even personal) passwords have been compromised – especially if they reuse the same passwords across accounts (a big no-no, and this situation illustrates why).”

Countrywide problem

The campaign targeting New York City is one of many specifically going after city, county and state-level governments across the United States. 

Just in the last week, the cities of Birmingham, Alabama, and East Baton Rouge, Louisiana, have announced security incidents affecting public services. Jackson County in Missouri was forced to declare a state of emergency after discovering a ransomware attack last month. 

On Thursday, the Florida Department of Juvenile Justice in Tallahassee admitted to local news outlets that it was dealing with a cyberattack that forced some systems offline. 

Florida’s Hernando County similarly announced a cyberattack on Thursday, warning that while 911, police and EMS systems were still operational, several other government services would be down for an unknown amount of time. Local news outlets reported that the FBI is involved in the response to the incident. 

Rebecca Moody, head of data research at Comparitech, has been looking into ransomware attacks on U.S. government offices and said she has found 18 confirmed ransomware attacks so far this year. 

Other researchers have tracked at least 25 ransomware attacks on U.S. government offices. 

While several states have banned government organizations from paying ransoms to groups, the offices continue to be ripe targets for ransomware gangs and hackers. Washington County in Pennsylvania recently revealed that it paid a $350,000 ransom to hackers following a January ransomware attack. 

James Turgal, who spent 22 years working at the FBI, told Recorded Future News that attacks against state, local and tribal governments have accelerated over the last year. 

“From the threat actors’ point of view, these municipalities are a target-rich environment with an abundant source of victims. By my estimation, with just around 95,000 soft targets nationwide, there are 40,000 cities, towns and municipalities, approximately 50,000 special government districts nationwide, and then the additional tribal governments that round out the numbers,” he said. 

“There needs to be a sense of urgency on the part of state and local governments and municipalities to get ahead of the threat, as these local entities have the most direct impact on our citizens, and a cyber focused disruption can be potentially life-threatening when considering the health and public safety services our local governments control.”

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: municipal governments, NYC


Mar 29 2024

Compromised SaaS Supply Chain Apps: 97% Of Organizations At Risk Of Cyber Attacks

Category: Cloud computing,Cyber Attack,Information Securitydisc7 @ 7:55 am

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.

However, this shift towards a more interconnected digital ecosystem has not come without its risks.

According to the “2024 State of SaaS Security Report” by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.

The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.

From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.

Supply Chain Attacks: A Domino Effect

Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.

The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actors’ targeted attack on JumpCloud’s clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.

The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.

The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.

MFA Bypassing And Token Theft

Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.

Additionally, the report points to a concerning trend of token theft, with many unused tokens creating unnecessary risk exposure for many organizations.

Looking Ahead: SaaS Threat Forecast For 2024

As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.

The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.

Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.

Practical Tips For Enhancing SaaS Security

The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.

Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organization’s SaaS security.

The “2024 State of SaaS Security Report” by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.

With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.

As the digital landscape continues to evolve, so must our approaches to protect it.

Mitigating Supply Chain Attacks in the Digital Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attacks


Mar 27 2024

SOCIAL MEDIA CONSPIRACY THEORY: WAS THE BALTIMORE BRIDGE COLLISION A RESULT OF CYBER ATTACK?

Category: Cyber Attackdisc7 @ 9:44 am

On an unexpected Tuesday, the collision of a container ship with the Francis Scott Key Bridge in Baltimore not only disrupted the normal flow of traffic and commerce but also sparked a vigorous debate on the potential causes of this incident. Among the various theories proposed, the role of cybersecurity—or the lack thereof—has emerged as a focal point of discussion. This event has served as a catalyst for a broader examination of cybersecurity practices within the maritime industry, revealing both vulnerabilities and the sometimes-overlooked factors that suggest other causes for such incidents. In the digital age, the maritime industry’s reliance on technology for navigation, communication, and operational functions has grown exponentially. This shift towards digitalization, while beneficial in terms of efficiency and connectivity, has also increased the sector’s exposure to cyber threats. Systems that control navigation, cargo handling, and engine operations are all potential targets for cyberattacks, which can lead to severe safety and financial risks.

EVALUATING THE POTENTIAL FOR A CYBERSECURITY BREACH

In recent years, the maritime industry has increasingly embraced technology, relying on digital systems for navigation, communication, and operational functions. This digital transformation has enhanced efficiency and connectivity but has also exposed the sector to cyber threats. Cyberattacks can target systems controlling navigation, cargo handling, and even the engines of these colossal vessels, posing a significant risk to safety and commerce.

Could Cybersecurity Have Been a Factor in the Baltimore Incident?

To understand whether a cybersecurity breach could have led to the collision with the Francis Scott Key Bridge, it is essential to consider several factors:

  1. Navigation Systems Vulnerability: Modern ships use sophisticated navigation systems like the Automatic Identification System (AIS) and the Electronic Chart Display and Information System (ECDIS). If these systems were compromised, it could lead to inaccurate positioning information or erroneous navigational instructions.
  2. Operational Control Systems: Beyond navigation, ships rely on complex systems for operational control, including engine management and steering control. A cyberattack on these systems could impair a vessel’s ability to maneuver, potentially leading to accidents.
  3. Human Error vs. Cyber Intrusion: Distinguishing between human error and the consequences of a cyberattack can be challenging. Incidents might initially appear as operational or navigational errors but later investigations could uncover tampering with digital systems.
  4. Historical Precedents: The maritime industry has witnessed cyberattacks before, such as the 2017 cyberattack on the shipping giant Maersk, which led to significant operational disruptions. These precedents highlight the plausibility of cybersecurity breaches leading to physical incidents.

ARGUMENTS AGAINST CYBERSECURITY BEING A FACTOR

While the possibility of a cybersecurity breach cannot be dismissed outright, several arguments suggest that other factors could be more plausible:

Technical Safeguards and Redundancies

Maritime vessels are equipped with numerous technical safeguards and redundant systems designed to prevent total system failure in case of a cyber intrusion. These include manual overrides for navigation and control systems, allowing crew members to maintain control over the vessel even if digital systems are compromised. Such safeguards can mitigate the impact of a cyber attack on a ship’s operational capabilities.

Cybersecurity Protocols and Training

The maritime industry has been increasingly aware of the potential cyber threats and has implemented stringent cybersecurity protocols and training for crew members. These measures are aimed at preventing unauthorized access and ensuring the integrity of the ship’s systems. Crews are trained to recognize and respond to cybersecurity threats, reducing the likelihood of a successful cyber attack impacting vessel navigation or control systems.

Physical Factors and Human Error

Many maritime incidents are the result of physical factors or human error rather than cyber attacks. These can include adverse weather conditions, navigational errors, mechanical failures, and miscommunication among crew members. Such factors have historically been the most common causes of maritime accidents and cannot be overlooked in any thorough investigation.

Complexity of Executing a Targeted Cyber Attack

Executing a cyber attack that leads to a specific outcome, such as causing a ship to collide with a bridge, requires an intimate knowledge of the vessel’s systems, current position, and intended course. It also necessitates overcoming the vessel’s cybersecurity measures without detection. The complexity and specificity of such an attack make it a less likely cause of maritime incidents compared to more conventional explanations.

Lack of Evidence Indicating a Cyber Attack

In the absence of specific evidence pointing to a cyber intrusion, such as anomalies in the ship’s digital systems, unauthorized access logs, or the presence of malware, it is prudent to consider other more likely causes. Cybersecurity investigations involve detailed analysis of digital footprints and system logs, and without concrete evidence suggesting a cyber attack, attributing the incident to such a cause would be speculative.

THE PATH FORWARD: STRENGTHENING CYBERSECURITY WHILE ACKNOWLEDGING OTHER RISKS

Regardless of whether a cyberattack played a role in the Baltimore bridge incident, this event underscores the importance of robust cybersecurity practices in the maritime industry. Enhancing cyber defenses, conducting regular security assessments, and training personnel in cybersecurity awareness are crucial steps in safeguarding maritime operations.

However, it is equally important to recognize and mitigate the non-cyber risks that ships face. A comprehensive approach to safety and security, encompassing both cyber and traditional factors, is essential for protecting the maritime industry against a wide range of threats.

The collision of a container ship with the Francis Scott Key Bridge has highlighted the critical role of cybersecurity in modern maritime operations, while also reminding us of the myriad other factors that can lead to such incidents. As the investigation into this event continues, the maritime industry must take a holistic view of security, embracing both digital and physical measures to ensure the safety of its operations in an increasingly complex and interconnected world.

“Our thoughts and prayers are with the U.S. Coast Guard Sector NCR, multiple first responders, and all those affected by the tragic incident at the Francis Scott Key Bridge in Baltimore. According to reports, a 948-foot Singapore-flagged containership collided with the bridge causing it to collapse, with persons reported to be in the water.”

Next Level Cybersecurity: Detect the Signals, Stop the Hack

Maritime Cybersecurity: A Guide for Leaders and Managers

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: BALTIMORE BRIDGE COLLISION, Maritime Cybersecurity


Mar 25 2024

170K+ Python Developers GitHub Accounts Hacked In Supply Chain Attack

Category: Cyber Attack,Hacking,Pythondisc7 @ 8:38 am

Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain.

The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organizations.

This article delves into the attack campaign, its impact on victims, the tactics, techniques, and procedures (TTPs) employed by the threat actors, and the critical findings from Checkmarx’s investigation.

Attack Campaign Description

The core of this malicious campaign revolves around an attacker’s ability to combine several TTPs to launch a silent attack on the software supply chain, specifically targeting the Python ecosystem.

By creating multiple malicious open-source tools with enticing descriptions, the attackers lured victims into their trap, primarily through search engines.

Python mirror -files.pythonhosted.org

The campaign’s sophistication is evident in distributing a malicious dependency hosted on a fake Python infrastructure, which was then linked to popular projects on GitHub and legitimate Python packages.

A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.

Dief encountered a suspicious error message while working on his laptop, the first sign of the compromise, leading to the realization that his system had been hacked.

Victims And Impact

Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.

The attackers managed to hijack GitHub accounts with high reputations, including that of “editor-syntax,” a maintainer with write permissions to Top.gg’s repositories.

The Top.gg community (which boasts over 170K members) was also a victim of  this attack
The Top.gg community (which boasts over 170K members) was also a victim of  this attack

This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.

The attack’s impact is far-reaching, affecting individual developers and larger communities alike.

Social engineering schemes, account takeovers, and malicious packages published on the PyPi registry have underscored the software supply chain’s vulnerability to such sophisticated attacks.

The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.

The campaign appears to have successfully exploited multiple victims.

Threat Actors And TTPs

The threat actors behind this campaign demonstrated high sophistication and planning.

They employed a range of TTPs, including:

  • Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
  • Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPi registry, they could distribute malware under the guise of legitimate software.
  • Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.

By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.

“The malicious payload delivered through these packages is designed to harvest sensitive information, including passwords, credentials, and data from various software applications.

Malicious Package

The malware targets web browsers, Discord, cryptocurrency wallets, and Telegram, and even includes a keylogging component to capture victims’ keystrokes.

The final stage of the malware reveals its data-stealing capabilities, targeting not only personal and financial information but also attempting to gain unauthorized access to victims’ social media and communication platforms.

This attack campaign highlights the critical vulnerabilities within the software supply chain, particularly in open-source ecosystems like Python’s.

The sophistication and success of the attackers in exploiting these vulnerabilities underscore the need for heightened vigilance and robust security practices among developers and organizations.

Through continuous monitoring, collaboration, and information sharing, the cybersecurity community can mitigate risks and protect the integrity of open-source software.

Python for Cybersecurity: Using Python for Cyber Offense and Defense 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attack


Feb 02 2024

FritzFrog Botnet Attacking Linux Servers To Steal SSH Credentials

Category: Botnet,Cyber Attackdisc7 @ 9:38 am

The FritzFrog botnet, originally identified in 2020, is an advanced peer-to-peer botnet built in Golang that can operate on both AMD and ARM-based devices. With constant updates, the malware has developed over time, adding and enhancing features.

A new strain of the FritzFrog botnet was discovered exploiting the Log4Shell vulnerability to target all hosts in the internal network. 

Additionally, by using weak SSH credentials, the malware attacks servers that are accessible over the internet. 

“Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable,” Akamai shared with Cyber Security News.

The Exploitation Chain

The only infection vector used by FritzFrog was SSH brute force; however, more recent iterations of the malware have added the Log4Shell exploitation dubbed “Frog4Shell”. 

A vulnerability called Log4Shell was found in the popular open-source Log4j web tool in 2021. Governments and security firms carried out a global initiative to patch the technology.

Presently, the malware targets every host on the internal network as part of its routine for spreading. The malware is attempting to connect to every address on the local network to accomplish this.

According to the researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatched—a situation that FritzFrog takes advantage of.

FritzFrog scanning the local network to identify targets
FritzFrog scanning the local network to identify targets

“This means that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” researchers said.

FritzFrog searches for HTTP servers on ports 8080, 8090, 8888, and 9000 to find possible Log4Shell targets. The malware is currently targeting as many vulnerable Java applications as possible.

Log4Shell exploitation flow
Log4Shell exploitation flow

Additionally, FritzFrog enhanced its capacity to identify targets for SSH brute force, which is its primary infection vector.

FritzFrog will now attempt to identify specific SSH targets by counting multiple system logs on each of its victims, in addition to targeting randomly generated IP addresses.

The malware now includes a module that exploits CVE-2021-4034, a privilege escalation in the polkit Linux component. On susceptible servers, this module allows the malware to operate as root.

“Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today,” researchers said.

Recommendation

  • The network segmentation can stop the lateral movement of the malware. Software-based segmentation has the potential to be a long-lasting protective measure that is comparatively easy to implement.
  • For use on SSH servers, a FritzFrog detection script is given that searches for the following FritzFrog indicators:

a. Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system (as seen below)

b. Listening port 1234

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Jan 04 2024

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

Category: Cyber Attack,Information Security,Web Securitydisc7 @ 10:26 am

The latest stable channel update for Google Chrome, version 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows, is now available and will shortly be rolled out to all users.

Furthermore, the Extended Stable channel has been updated to 120.0.6099.200 for Windows and 120.0.6099.199 for Mac.

There are six security fixes in this release. Three of these flaws allowed an attacker to take control of a browser through use-after-free conditions.

Use-after-free is a condition in which the memory allocation is freed, but the program does not clear the pointer to that memory. This is due to incorrect usage of dynamic memory allocation during an operation. 

CVE-2024-0222: Use After Free In ANGLE

Use after free in ANGLE in Google Chrome presents a high-severity vulnerability that might have led to a remote attacker compromising the renderer process and using a crafted HTML page to exploit heap corruption.

Google awarded $15,000 to Toan (suto) Pham of Qrious Secure for reporting this vulnerability.

CVE-2024-0223: Heap Buffer Overflow In ANGLE

This high-severity flaw was a heap buffer overflow in ANGLE that could have been exploited by a remote attacker using a crafted HTML page to cause heap corruption. 

Toan (suto) Pham and Tri Dang of Qrious Secure received a $15,000 reward from Google for discovering this vulnerability.

CVE-2024-0224: Use After Free In WebAudio

A high-severity use after free in WebAudio in Google Chrome might potentially allow a remote attacker to exploit heap corruption through a manipulated HTML page.

Google awarded Huang Xilin of Ant Group Light-Year Security Lab a $10,000 reward for finding this issue.

CVE-2024-0225: Use After Free In WebGPU

A remote attacker may have been able to exploit heap corruption through a specifically designed HTML page due to high severity vulnerability in Google’s use after free in WebGPU.

The details about the reporter of this vulnerability were mentioned as anonymous. 

The use after free conditions existed in Google Chrome before version 120.0.6099.199. To avoid exploiting these vulnerabilities, Google advises users to update to the most recent version of Google Chrome.

How To Update Google Chrome

  • Open Chrome.
  • At the top right, click More.
  • Click Help About Google Chrome.
  • Click Update Google Chrome. Important: If you can’t find this button, you’re on the latest version.
  • Click Relaunch.

Browser Security Platform Checklist

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Google Chrome


Jan 02 2024

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Category: Cyber Attack,Hackingdisc7 @ 10:48 am

Fortunately for Radioactive Waste Management (RWM), the first-of-its-kind hacker attack on the project was unsuccessful.

The United Kingdom’s Radioactive Waste Management (RWM) company overseeing the nation’s radioactive waste has revealed a recent cyberattack attempt through LinkedIn. While the attack was reportedly unsuccessful, it has raised eyebrows in the nuclear sector, sparking concerns about the security of critical nuclear infrastructure.

As reported by The Guardian, the hackers directed their attack at the company through LinkedIn. However, whether it was a phishing attack or an attempt to trick employees into installing malware on the system, the modus operandi remains unknown.

Typically, LinkedIn is exploited for phishing scams targeting employees of specific companies. An example from last year involves ESET researchers reporting a cyberespionage campaign by North Korean government-backed hackers from the Lazarus group. The campaign specifically targeted employees at a Spanish aerospace firm.

The RWM is spearheading the £50bn Geological Disposal Facility (GDF) project, aimed at constructing a substantial underground nuclear waste repository in Britain. As a government-owned entity, RWM facilitated the merger of three nuclear bodies—the GDF project, the Low-Level Waste Repository, and another waste management entity—to establish Nuclear Waste Services (NWS).

“NWS has seen, like many other UK businesses, that LinkedIn has been used as a source to identify the people who work within our business. These attempts were detected and denied through our multi-layered defences,” stated an NWS spokesperson.

However, the incident raises concerns, as experts warn that social media platforms such as LinkedIn are becoming preferred playgrounds for hackers. These platforms provide multiple avenues for infiltration, including the creation of fake accounts, phishing messages, and direct credential theft.

The FBI’s special agent in charge of the San Francisco and Sacramento field offices, Sean Ragan, has emphasized the ‘significant threat’ of fraudsters exploiting LinkedIn to lure users into cryptocurrency investment schemes, citing numerous potential victims and past and current cases.

In October 2023, email security firm Cofense discovered a phishing campaign abusing Smart Links, part of the LinkedIn Sales Navigator and Enterprise service, to send authentic-looking emails, steal payment data, and bypass email protection mechanisms.

In November 2023, a LinkedIn database containing over 35 million users’ personal information was leaked by a hacker named USDoD, who previously breached the FBI’s InfraGard platform. The database was obtained through web scraping, an automated process to extract data from websites.

Social engineering attacks, such as deceptive emails and malicious links, offer hackers a gateway to sensitive information. LinkedIn has taken steps to warn users about potential scams and provide resources for staying safe online. Still, concerns about digital security remain prevalent in the nuclear industry, especially after the Guardian exposé of cybersecurity vulnerabilities at the Sellafield plant. 

In 2023, the Sellafield nuclear site in Cumbria experienced cybersecurity issues, indicating a need for improved safeguards and tighter regulations. The RWM incident highlights the growing interest of cybercrime syndicates to target nuclear sites.

The NWS acknowledges the need for continuous improvement to strengthen cybersecurity measures, highlighting that emergency response plans must match evolving business needs.

Cyber Threats and Nuclear Weapons

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Threats and Nuclear Weapons, UK’s Nuclear Waste Services


Dec 29 2023

New Medusa Stealer Attacking Users To Steal Login Credentials

Category: Cyber Attack,Password Securitydisc7 @ 9:24 am

While the world celebrated Christmas, the cybercrime underworld feasted on a different kind of treat: the release of Meduza 2.2, a significantly upgraded password stealer poised to wreak havoc on unsuspecting victims. 

Cybersecurity researchers at Resecurity uncovered the details of New Medusa Stealer malware.

Resecurity is a cybersecurity company specializing in endpoint protection, risk management, and cyber threat intelligence.

Translation:
Attention! The New Year’s Update
Before the New Year 2024, the Meduza team decided to please customers with an update. Under the 
Christmas tree, you can find great gifts such as significant improvements in user interface (panel), modal windows on loading, and expansion of data collection objects

A Feast Of Features

Meduza 2.2 boasts a veritable buffet of enhancements, including:

  • Expanded Software Coverage: The stealer now targets over 100 browsers, 100 cryptocurrency wallets, and a slew of other applications like Telegram, Discord, and password managers. This broader reach increases its potential for victimization.
  • Enhanced Credential Extraction: Meduza 2.2 digs deeper, grabbing data from browser local storage dumps, Windows Credential Manager, and Windows Vault, unlocking a treasure trove of sensitive information.
  • Google Token Grabber: This new feature snags Google Account tokens, allowing attackers to manipulate cookies and gain access to compromised accounts.
  • Improved Crypto Focus: Support for new browser-based cryptocurrency wallets like OKX and Enrypt, along with Google Account token extraction, makes Meduza a potent tool for financial fraud.
  • Boosted Evasion: The stealer boasts an optimized crypting stub and improved AV evasion techniques, making it harder to detect and remove.

These advancements position Meduza as a serious competitor to established players like Azorult and Redline Stealer

Its flexible configuration, wide application coverage, and competitive pricing ($199 per month) make it an attractive option for cybercriminals of all skill levels.

A Recipe For Trouble

The consequences of Meduza’s widespread adoption are grim.

  • Account Takeovers (ATOs): Stolen credentials can be used to hijack email accounts, social media profiles, bank accounts, and other online services.
  • Online Banking Theft: Financial data gleaned from infected machines can be used to drain bank accounts and initiate fraudulent transactions.
  • Identity Theft: Sensitive information like names, addresses, and Social Security numbers can be exploited for identity theft and financial fraud.

To combat this growing threat, individuals and organizations must:

  • Practice strong password hygiene: Use unique, complex passwords for all accounts and enable two-factor authentication where available.
  • Beware of phishing scams: Don’t click on suspicious links or download attachments from unknown sources.
  • Keep software up to date: Regularly update operating systems, applications, and security software to patch vulnerabilities.
  • Invest in robust security solutions: Implement comprehensive security solutions that can detect and block malware like Meduza.

Login Credentials: Username/Password Journal

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Medusa Stealer


Dec 27 2023

EXPERTS ANALYZED ATTACKS AGAINST POORLY MANAGED LINUX SSH SERVERS

Category: Cyber Attack,Linux Securitydisc7 @ 8:07 am

Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing DDoS bot and CoinMiner.

Researchers at AhnLab Security Emergency Response Center (ASEC) are warning about attacks targeting poorly managed Linux SSH servers, primarily focused on installing DDoS bots and CoinMiners.

In the reconnaissance phase, the threat actors perform IP scanning to look for servers with the SSH service, or port 22 activated, then launch a brute force or dictionary attack to obtain the ID and password.

Threat actors can also install malware to scan, perform brute force attacks, and sell breached IP and account credentials on the dark web.

Common malware used in attacks against poorly managed Linux SSH servers include ShellBot [1][2]Tsunami [3], ChinaZ DDoS Bot [4], and XMRig CoinMiner [5]

Linux SSH servers

Once successfully logged in, the threat actor first executed the following command to check the total number of CPU cores.

> grep -c ^processor /proc/cpuinfo

“The execution of this command signifies that the threat actor has obtained the account credentials. Afterward, the threat actor logged in again using the same account credentials and downloaded a compressed file.” reads the analysis published by ASEC. “The compressed file contains a port scanner and an SSH dictionary attack tool. Additionally, commands accidentally typed by the threat actor can be seen, such as “cd /ev/network” and “unaem 0a”.”

These researchers believe that the tools employed in the attacks are based on the ones that have been created by the PRG old Team. Each threat actor created its custom version of the tools by modifying them.

Linux SSH servers

The researchers recommend administrators should use strong passwords that are difficult to guess and change them periodically. These measures should protect the Linux SSH servers from brute force attacks and dictionary attacks. The experts also recommend updating to the latest patch to prevent attacks exploiting known vulnerabilities.

“Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.” concludes the report.

Mastering Linux Security and Hardening: A practical guide to protecting your Linux system from cyber attacks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SSH SERVERS


Dec 18 2023

8220 Hacker Group Attacking Windows & Linux Web Servers

Category: Cyber Attack,Hacking,Linux Security,Windows Securitydisc7 @ 1:40 pm

The 8220 hacker group, which was first identified in 2017 by Cisco Talos, is exploiting both Windows and Linux web servers with crypto-jacking malware. One of their recent activities involved the exploitation of Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).

However, the history of this threat group had several exploited vulnerabilities such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications. Their TTPs are evolved with different publicly released exploits.

8220 Hacker Group

In addition to this, the group was also discovered to be exploiting (CVE-2020-14883), a Remote code execution vulnerability in Oracle WebLogic Server. This exploitation chain is combined with another authentication bypass vulnerability (CVE-2020-14882) in the Oracle WebLogic server.

The exploitation methods of these two vulnerabilities are publicly available, making it relatively easy for the threat actor to modify and exploit them for malicious purposes. 

Two different exploit chains were discovered, and one of them enables the loading of an XML file used for further phases of execution of commands on the OS, whereas the other one executes Java code without the use of an XML file.

Infection Chains

The first infection chain uses different XML files that depend on the target OS. In the case of Linux, the downloading of other files is performed via cURL, wget, lwp-download, and python urllib along with a custom bash function that encodes it to base64.

Custom bash function (Source: Imperva)

The method injects a Java code which also initially evaluates the OS and executes the same command strings executed in the first method. Once the download and execution process takes place, the compromised hosts are infected with AgentTesla, rhajk, and nasqa malware variants.

complete report has been published, which provides detailed information about the exploitation, command used, encoding, and other information.

Indicators Of Compromise

URL

URL

Source IPs

Source IPs
Malicious File Hashes

Common Windows, Linux and Web Server Systems Hacking Techniques

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Windows & Linux Web Servers


Dec 11 2023

How Well Do You Know Your Attack Surface? Five Tips to Reduce the Risk of Exposure

Category: Cyber Attackdisc7 @ 8:16 am

It’s no secret the attack surface is expanding at an unprecedented rate. We’ve hand-picked our top tips to reduce your exposure.

https://www.crowdstrike.com/blog/five-tips-to-shield-from-exposures/?

In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.

Do You Really Know Your Organization’s Attack Surface?

To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain. 

Building a Successful Exposure Management Strategy with EASM

In an age where unknown entryways can lead to invaluable troves of information, external attack surface management (EASM) can find doors that may be left open. CrowdStrike Falcon® Exposure Management finds those potential access points before adversaries do. 

Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.  

Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively  protect valuable assets from malicious actors. 

Top Tips to Reduce External Attack Surface Exposures

  1. Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks

There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.

How: 

  • Stand up a server that sits outside of your network perimeter
  • Install nmap or any other network scanner you’re comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for port 3389
  • Grab the logs weekly 
  • Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
  • For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
  • Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server
  1. Avoid allowing directory listing on your web servers 

Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information. 

How: 

  • Stand up a server that sits outside of your network perimeter 
  • Install nmap or any other network scanner you are comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for open HTTP 
  • Grab the logs weekly 
  • For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
  • For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
      • Other website info
  1. Place test environments behind a VPN 

Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.

How: 

  • Identify all of your production environments:
    • Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
    • Query whois reverse search under your organization name (there are multiple vendors and open source tools for this) 
  • All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA
  1. Avoid hostile subdomain takeovers 

Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

How: 

  • Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
  • Do a zone transfer on all of the domains your organization owns
  • Get a list of all of your IP ranges
  • Parse the IP addresses against your known IP range list
  • For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
  • Determine if they are pointing at anything you know you own
  • Any unused subdomain should be retired properly:
    • Use “Null MX” record
    • Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain
  1. Enforce input validation

Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).

How: 

  • Forms fields
  • Uniform resource identifiers (URIs)
  • APIs
  • Attachments
  • And more

Bonus Tip: Continuously monitor your attack surface

Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.

Having an effective exposure management program enables teams to stay vigilant and proactively  monitor and secure entire IT ecosystems, which  is essential in safeguarding an entire  attack surface. You need to add a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.

Additional Resources

Mastering Attack Surface Management: A Comprehensive Guide To Learn Attack Surface Management

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Attack Surface


Nov 20 2023

Cyber Attack Forces World’s Biggest Bank to Trade via USB Stick

Category: Cyber Attackdisc7 @ 11:17 am

Cyber Attack Forces World’s Biggest Bank to Trade via USB Stick

https://time.com/6333716/china-icbc-bank-hack-usb-stick-trading/

On Thursday, trades handled by the world’s largest bank in the globe’s biggest market traversed Manhattan on a USB stick.

Industrial & Commercial Bank of China Ltd.’s U.S. unit had been hit by a cyberattack, rendering it unable to clear swathes of U.S. Treasury trades after entities responsible for settling the transactions swiftly disconnected from the stricken systems. That forced ICBC to send the required settlement details to those parties by a messenger carrying a thumb drive as the state-owned lender raced to limit the damage.

The workaround — described by market participants — followed the attack by suspected perpetrator Lockbit, a prolific criminal gang with ties to Russia that has also been linked to hits on Boeing Co., ION Trading U.K. and the U.K.’s Royal Mail. The strike caused immediate disruption as market-makers, brokerages and banks were forced to reroute trades, with many uncertain when access would resume.

The incident spotlights a danger that bank leaders concede keeps them up at night — the prospect of a cyber attack that could someday cripple a key piece of the financial system’s wiring, setting off a cascade of disruptions. Even brief episodes prompt bank leaders and their government overseers to call for more vigilance.

“This is a true shock to large banks around the world,” said Marcus Murray, the founder of Swedish cybersecurity firm Truesec. “The ICBC hack will make large banks around the globe race to improve their defenses, starting today.”

https://time.com/robots.txt?upapi=true

As details of the attack emerged, employees at the bank’s Beijing headquarters held urgent meetings with the lender’s U.S. division and notified regulators as they discussed next steps and assessed the impact, according to a person familiar with the matter. ICBC is considering seeking help from China’s Ministry of State Security in light of the risks of potential attack on other units, the person said.

Late Thursday, the bank confirmed it had experienced a ransomware attack a day earlier that disrupted some systems at its ICBC Financial Services unit. The company said it isolated the affected systems and that those at the bank’s head office and other overseas units weren’t impacted, nor was ICBC’s New York branch.

The extent of the disruption wasn’t immediately clear, though Treasury market participants reported liquidity was affected. The Securities Industry and Financial Markets Association, or Sifma, held calls with members about the matter Thursday.

ICBC FS offers fixed-income clearing, Treasuries repo lending and some equities securities lending. The unit had $23.5 billion of assets at the end of 2022, according to its most recent annual filing with U.S. regulators.

The attack is only the latest to snarl parts of the global financial system. Eight months ago, ION Trading U.K. — a little-known company that serves derivatives traders worldwide — was hit by a ransomware attack that paralyzed markets and forced trading shops that clear hundreds of billions of dollars of transactions a day to process deals manually. That has put financial institutions on high alert.

ICBC, the world’s largest lender by assets, has been improving its cybersecurity in recent months, highlighting increased challenges from potential attacks amid the expansion of online transactions, adoption of new technologies and open banking.

“The bank actively responded to new challenges of financial cybersecurity, adhered to the bottom line for production safety and deepened the intelligent transformation of operation and maintenance,” ICBC said in its interim report in September.

Ransomware attacks against Chinese firms appear rare in part because China has banned crypto-related transactions, according to Mattias Wåhlén, a threat intelligence specialist at Truesec. That makes it harder for victims to pay ransom, which is often demanded in cryptocurrency because that form of payment provides more anonymity. 

But the latest attack likely exposes weaknesses in ICBC’s defenses, Wåhlén said. 

“It appears ICBC has had a less effective security,” he said, “possibly because Chinese banks have not been tested as much as their Western counterparts in the past.” 

Record levels

Ransomware hackers have become so prolific that attacks may hit record levels this year. 

Blockchain analytics firm Chainalysis had recorded roughly $500 million of ransomware payments through the end of September, an increase of almost 50% from the same period a year earlier. Ransomware attacks surged 95% in the first three quarters of this year, compared with the same period in 2022, according to Corvus Insurance.

In 2020, the website of the New Zealand Stock Exchange was hit by a cyberattack that throttled traffic so severely that it couldn’t post critical market announcements, forcing the entire operation to shut down. It was later revealed that more than 100 banks, exchanges, insurers and other financial firms worldwide were targets of the same type of so-called DDoS attacks simultaneously.

Caesars Entertainment Inc., MGM Resorts International and Clorox Co. are among companies that have been hit by ransomware hackers in recent months.

ICBC was struck as the Securities and Exchange Commission works to reduce risks in the financial system with a raft of proposals that include mandating central clearing of all U.S. Treasuries. Central clearing platforms are intermediaries between buyers and sellers that assume responsibility for completing transactions and therefore prevent a default of one counterparty from causing widespread problems in the marketplace.

The incident underscores the benefits of central clearing in the $26 trillion market, said Stanford University finance professor Darrell Duffie.

“I view it as one example of why central clearing in the U.S. Treasuries market is a very good idea,” he said, “because had a similar problem occurred in a not-clearing firm, it’s not clear how the default risk that might result would propagate through the market.”

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

In the Lair of the Cozy Bear: Cyberwarfare with APT 29 Up Close and Personal

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: The Hacker and the State, Trade via USB Stick


Oct 30 2023

IT ARMY OF UKRAINE DISRUPTED INTERNET PROVIDERS IN TERRITORIES OCCUPIED BY RUSSIA

Category: Cyber Attackdisc7 @ 10:39 am

IT Army of Ukraine hacktivists have temporarily disrupted internet services in some of the territories that have been occupied by Russia.

Ukrainian hacktivists belonging to the IT Army of Ukraine group have temporarily disabled internet services in some of the territories that have been occupied by the Russian army.

After the invasion of the Crimea and the eastern Ukraine, Ukrainian telecommunications infrastructure was disable by Russian soldiers.

The hacktivists carried out DDoS attacks against the three Russian internet providers “Miranda-media,” “Krimtelekom,” and “MirTelekom.” The IT Army is inviting supporters to joint its operations by installing their software.

“We continue targeting internet and telecom providers to disrupt enemy communications. Today, our intel orchestrated a “thousand proxies” strike, disabling “Miranda-media,” “Krimtelekom,” and “MirTelekom.” This affects not only Crimea but also occupied parts of Kherson, Zaporizhia, Donetsk, and Luhansk regions. Another blow by our cyber army disrupting enemy military communication at the frontlines.” reads the message published by the group IT Army of Ukraine on its Telegram channel.

The Miranda Media ISP announced on Friday that is was facing a massive DDoS attack.

“Digital services operator Miranda-Media has been recording an unprecedented level of DDoS attacks from Ukrainian hacker groups since 9.05 am on October 27, 2023. As a result, there is a temporary unavailability of the services of Miranda-Media, Krymtelecom and MirTelecom.” reads the announcement.

“All technical and IT services of the company have been placed on high alert. All necessary measures are being taken to restore the network’s functionality. We will inform you further about the progress of the work.”

The Russian ISP managed to mitigate the attack by the end of Friday, it partially restored its services on Friday evening.

Telecommunication infrastructure and internet services are critical infrastructure and were targeted by both Russian and Ukrainian threat actors.

The Russia-linked APT group Sandworm (UAC-0165) has compromised eleven telecommunication service providers in Ukraine between May and September 2023, reported the Ukraine’s Computer Emergency Response Team (CERT-UA).

According to public sources, the threat actors targeted ICS of at least 11 Ukrainian telecommunications providers leading to the disruption of their services.

“According to public sources, for the period from 11.05.2023 to 27.09.2023, an organized group of criminals tracked by the identifier UAC-0165 interfered with the information and communication systems (ICS) of no less than 11 telecommunications providers of Ukraine, which, among other things, led to interruptions in the provision of services to consumers.” reads the advisory published by the CERT-UA.

Internet Provider Security A Complete Guide

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Internet Provider Security, INTERNET PROVIDERS


Oct 20 2023

Hackers Using Secure USB Drives To Attack Government Entities

Category: Cyber Attack,Hacking,Information Securitydisc7 @ 9:36 am

An ongoing attack on government agencies in the APAC region has been claimed to have compromised a secure USB device with hardware encryption.

The nation’s government agencies utilize these safe USB devices to transfer and save data between computer systems.

The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.

Cyber Espionage Via Secure USBs

According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives. 

On the infected computers, the attacks can also carry out additional harmful files.

The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.

BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actor’s main objective, it has demonstrated interest in obtaining financial data.

BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.

The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victim’s computer and take over by executing arbitrary commands.

APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.

Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.

Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.

“It is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,” reads the report.

https://gbhackers.com/hackers-using-secure-usb-attack-government-entities/

Kingston Ironkey Locker+ 50 16GB Encrypted USB Flash Drive | USB 3.2 Gen 1 | XTS-AES Protection | Multi-Password Security Options | Automatic Cloud Backup

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: encrypted usb drive, USB Drives To Attack


Next Page »