Oct 06 2022

Top Cybersecurity Threats for Public Sector

Category: Cyber Threats,Information Security,Insider Threat,Threat detection,Threat ModelingDISC @ 9:11 am
Top Cybersecurity Threats for Public Sector

In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.

But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.

The top cybersecurity threats for the public sector are as follows.

Phishing

An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.

Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.

While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.

Distributed Denial of Service (DDoS) Attacks

A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.

DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.

DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.

Nation-State Sponsored Cyber Attacks

With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.

Nation-state-sponsored cyber attacks aim to

  • Hinder communication
  • Gather intelligence
  • Steal intellectual property
  • Damage to digital and physical infrastructure

They are even used for financial gain.

Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.

Ransomware

Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.

Rewind to 2019 when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers to $7.5 billion (Emsisoft).

These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.

The threat of ransomware attacks still looms today and is no less a concern in 2022 than they were in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.

What The Public Sector Can Do to Stay Ahead?

Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security in the public sector, you have to create a culture of cybersecurity within your organizations, offering ongoing training to their teams.

You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.

Top Cybersecurity Threats for Public Sector

Tags: Top Cybersecurity Threats

Sep 22 2022

How to Spot Your Biggest Security Threat? Just Look out for the Humans

Category: Cyber Threats,Insider Threat,Threat detectionDISC @ 8:04 am

How to Spot Your Biggest Security Threat? Just Look out for the Humans

As it turns out, it’s not some AI-powered machine learning super virus or pernicious and anonymous cybercrime syndicate. It’s not the latest and greatest in botnets, malware, or spyware either.

Sure, these can be scary, and they are worth protecting against. The headlines report the increased volume and velocity of security threats every other day. The risk is real, and companies need to take cybersecurity seriously.

Just Look out for the Humans

How to Spot Your Biggest Security Threat? Just Look out for the Humans
What is the biggest security threat in your company?

But the greatest threat of all? Well, that would be humans. Look no further if you’re trying to identify your biggest cyber threats.

Humans: The Biggest Cyber Security Threats

When we say “humans,” you may assume we are talking about hackers and cybercriminals. After all, they are humans, too, right?

But no, we are talking about employees in your organization, not necessarily disgruntled or vengeful ones.

Verizon’s latest 2022 Data Breach Investigation Report showed that 82% of breaches involved the human element, including social attacks, errors, and misuse.

This is the 80/20 Rule (also known as the Pareto Principle) at work. In cybersecurity, 80% of your problems come from 20% of sources – in this case, human beings.

Whether using a weak, compromised password, clicking on a link in a phishing email, or accidentally setting sensitive cloud-based databases to “public,” your team is the weakest link in the chain.

Here’s a breakdown of the leading issues:

  • Credential problems account for nearly 50% of non-error, non-misuse breaches
  • Phishing accounts for nearly 20% of breaches
  • Nearly 20% of breaches are the result of misconfigured cloud accounts or emailing sensitive data to the wrong people
  • Vulnerability exploits account for less than 10% of attacks

The biggest cyber threats, therefore, cannot be prevented with a robust security technology infrastructure alone. Technology is critical but cannot always account for the human element.

3 Types of Internal Threats

The biggest security threat is humans, who make up your team. The majority are innocent, or at the very least well-meaning. But there are also those with malicious intent. Identifying the different types of internal threats is critical to your security plans.

These are the three types of internal threats to be aware of:

  1. Unintentional. Employees with poor cybersecurity training and habits can unintentionally compromise an organization’s security by clicking on a malicious link, trusting a spoofed website with their credentials, offering sensitive data to the wrong person, or otherwise. Proper cybersecurity training is key to mitigating risk.
  2. Malicious. The occasional disgruntled employee whose primary interest is personal or financial gain. Advanced technologies can help prevent internal threats such as these, but there is no way to read the minds of your employees, so as with cybersecurity in general, an ounce of prevention is worth a pound of cure.
  3. Accomplice. Employees can also collude with cybercriminals or other external parties to steal information from your company for personal gain. Limiting access to key data is critical to preventing scenarios like the “Wolf of Manchester,” who made thousands by selling customer data from an insurance company.

How To Prevent the Biggest Cyber Security Attacks

It’s critical to understand that the same hackers exploiting software vulnerabilities also exploit human vulnerabilities. Cybercriminals have grown wiser about human psychology and are waiting at every turn to seize upon the unsuspecting.

So, you can’t simply reallocate your resources from vulnerability management to in-house training programs. The key is finding a meaningful balance where good cybersecurity practices are baked into your IT security infrastructure.

Preventing the biggest security threat will mean developing a cybersecurity culture in your organization. Blanket policies and procedures are helpful, but they can fall short. Creating an entire culture of cybersecurity will ensure that best practices and good habits are adopted by all.

Naturally, this will mean investing in training. These are the key topics that should be addressed:

  • Password management
  • Phishing attacks, how they work, how to avoid them
  • Encryption and digital signing
  • Authentication
  • Creating backups
  • Best practices in sending personal or sensitive information
  • Account access and privileges as well as oversight and management

Note that if you don’t have all the resources and personnel necessary to handle the training internally, you can hire an outside party to lead it.

Cyber Security Threats and Challenges Facing Human Life

InfoSec Threats

Tags: InfoSec Threats, Security Threat

Sep 02 2022

Researchers analyzed a new JavaScript skimmer used by Magecart threat actors

Category: Cyber Threats,pci dssDISC @ 8:33 am

Researchers from Cyble analyzed a new, highly evasive JavaScript skimmer used by Magecart threat actors.

Cyble Research & Intelligence Labs started its investigation after seeing a post on Twitter a new JavaScript skimmer developed by the Magecart threat group used to target Magento e-commerce websites.

In Magecart attacks against Magento e-stores, attackers attempt to exploit vulnerabilities in the popular CMS to gain access to the source code of the website and inject malicious JavaScript. The malicious code is designed to capture payment data (credit/debit owner’s name, credit/debit card number, CVV number, and expiry date) from payment forms and checkout pages. The malicious code also performs some checks to determine that data are in the correct format, for example analyzing the length of the entered data.

In this specific case, the researchers discovered that when a user visits the compromised website, the skimmer loads the payment overlay and asks the user to enter the payment information.

The skimmer is obfuscated and embedded in the JavaScript file “media/js/js-color.min.js”

Magecart skimmer

nce the victim has entered its payment data in the form, the JavaScript file collects them and then sends the Base64-encoded data to the URL included in the JavaScript using the POST method

Cyble experts noticed that upon executing the JavaScript, it checks if the browser’s dev tool is open to avoid being analyzed.

“Online shopping activity is constantly on the rise due to its ease of use, digital transformation, and the sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are improving their techniques to remain undetected.” concludes the report. “Historically, Magento e-commerce websites have been the most highly targeted victims of skimmer attacks. While using any e-commerce website, ensure that you only use known and legitimate platforms.”

Researchers analyzed a new JavaScript skimmer used by Magecart threat actors

Data Privacy: A runbook for engineers

Tags: data protection, JavaScript skimmer, Magecart threat actors

Aug 29 2022

NATO Investigates Dark Web Leak of Data Stolen from Missile Vendor

Category: Cyber Threats,Cyber War,Dark Web,Digital cold warDISC @ 1:23 pm

Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.

blue hacker hands over keyboard
Source: Andrey Khokhlov via Alamy Stock Photo

NATO is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web, according to a published report.

The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.

Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.

Contradicting the cyberattackers’ claims in their ads, nothing up for grabs is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company’s internal networks.

NATO, meanwhile, is “assessing claims relating to data allegedly stolen from MBDA,” a NATO official told Dark Reading on Monday.

“We have no indication that any NATO network has been compromised,” the official said.

Double Extortion

MBDA acknowledged in early August that it was “the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company’s information networks,” in a post on its website.

The company refused to pay the ransom and thus the data was leaked for sale online, according to the post.

Specifically, threat actors are selling 80GB of stolen data on both Russian- and English-language forums with a price tag of 15 bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation Friday. In fact, cybercriminals claim to already have sold data to at least one buyer.

NATO is investigating one of the firm’s suppliers as the possible source of the breach, according to the report. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States.

The company is working with authorities in Italy, where the breach occurred.

MBDA reported $3.5 billion in revenue last year and counts NATO, the US military, and the UK Ministry of Defense among its customers.

Classified Info & Ukraine

Hackers claimed in their ad for the leaked data to have “classified information about employees of companies that took part in the development of closed military projects,” as well as “design documentation, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies,” according to the BBC.

Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. One of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational, according to the report.

This might provide a clue about the motive of threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before the Russian official invasion on Feb. 24.

After the conflict on the ground began, threat actors continued to throttle Ukraine with a cyberwar to support the Russian military efforts.

The sample data viewed by the BBC also included documents labelled “NATO CONFIDENTIAL,” “NATO RESTRICTED,” and “Unclassified Controlled Information,” according to the report. At least one stolen folder contains detailed drawings of MBDA equipment.

The criminals also sent by email documents to the BBC including two marked “NATO SECRET,” according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.

Nonetheless, MBDA insists that the verification processes that the company has executed so far “indicate that the data made available online are neither classified data nor sensitive.”

https://

www.darkreading.com
/vulnerabilities-threats/nato-investigates-leak-of-data-stolen-from-missile-vendor

Cyber War

Tags: cyber threats, cyberwarfare, dark web

Aug 16 2022

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

Category: Cyber Threats,Grid Vulnerabilities,Information Security,Security vulnerabilitiesDISC @ 12:39 pm

South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.

Uk man hole cover

South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn’t breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible.” It added there has been no disruption on service. 

“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said. 

Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebeg said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”

https://www.darkreading.com/attacks-breaches/clop-ransomware-gang-breaches-water-utility

Ransomware Protection Playbook

Tags: ransomware attacks, Ransomware Protection Playbook

Aug 01 2022

Threat Actors Circumvent Microsoft Efforts to Block Macros

Category: Cyber Threats,MalwareDISC @ 8:50 am
Threat Actors Circumvent Microsoft Efforts to Block Macros

Microsoft’s announcement that it would block macros in Microsoft Office apps by default didn’t stop threat actors—they have simply resorted to new tricks.

“Threat actors across the landscape responded by shifting away from macro-based threats,” Proofpoint researchers noted in a blog post. In fact, an analysis of campaign data, “which include threats manually analyzed and contextualized,” showed the use of VBA and XL4 Macros ticked down 66% or so between October 2021 and June 2022.

“While Proofpoint observed a notable increase in other attachment types, macro-enabled documents are still used across the threat landscape,” the researchers wrote, explaining that the tactics, techniques and procedures (TTPs) have changed, with miscreants turning to use of container files—like ISO and RAR—and Windows Shortcut files to pass malware along, according to Proofpoint research.

Threat actors have long used VBA macros “to automatically run malicious content when a user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application, but can also be weaponized by threat actors,” researchers pointed out. “Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.”

Microsoft took steps to block VBA macros by keying on a Mark of the Web (MOTW) attribute called the Zone.Identifier that shows whether a file comes from the internet and is added by Microsoft apps to some documents downloaded from the web. But bad actors can bypass MOTW by using container file formats.

By using container file formats like ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) files to send macro-enabled documents, “ … the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” researchers noted. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.”

They also can distribute payloads directly using container files so that when they’re opened they can contain “additional content such as LNKs, DLLs or executable (.exe) files that lead to the installation of a malicious payload.”

“The change to block macros by default is a very good thing; has been suggested for years and it’s good Microsoft is finally doing it,” said Rob Jenks, SVP strategy and business at Tanium. He explained that “as with all security techniques, it’s not a silver bullet and attackers inevitably move on to the next attack pathway(s)—so the findings aren’t surprising.”

But “regarding the new attacks, there are other restrictions on not trusting zip content, so these other mechanisms throw more consent dialogs into the user’s face, potentially making a phishing attack less reliable,” Jenks said.

Proofpoint researchers have not only noted a two-thirds decrease in macro-enabled documents leveraged as attachments in email-based threats, but they observed “the number of campaigns leveraging container files including ISO and RAR, and Windows Shortcut (LNK) attachments increased nearly 175%,” researchers said.

“They attribute the increase in part to the uptick in use of ISO and LNK files in campaigns. Cybercriminal threat actors are increasingly adopting these as initial access mechanisms, such as actors distributing Bumblebee malware,” they said. “The use of ISO files increased over 150% between October 2021 and June 2022. More than half of the 15 tracked threat actors that used ISO files in this time began using them in campaigns after January 2022.”

Most notably, LNK files have emerged as a go-to for threat actors—at least 10 of them have begun using LNK files since February.  In fact, the number of campaigns containing LNK files exploded an incredible 1,675% since October 2021.

While fewer campaigns are using XL4 macros, Proofpoint did see a spike in macro use in March 2022, which researchers attributed to an uptick in campaigns with higher volumes of messages conducted by the TA542 actor delivering Emotet. “Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros,” the researcher wrote. “Emotet activity subsequently dropped off in April and it began using additional delivery methods including Excel Add-In (XLL) files and zipped LNK attachments in subsequent campaigns.”

The adoption of ISO and other container file formats is driving the pivot away from macro-enabled documents to different file types that can bypass the macro-blocking protections offered by Microsoft. “Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft and ransomware,” said Proofpoint researchers, who called the change “one of the largest email threat landscape shifts in recent history.”

Proofpoint has also observed a slight increase in threat actors using HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022, but the overall number remains low. Proofpoint researchers also observed threat actors increasingly adopt HTML smuggling, a technique used to “smuggle” an encoded malicious file within a specially crafted HTML attachment or web page.

Microsoft Koverse data protection impact assessment DPIA Dell AWS data protection cybersecurity

Tags: Block Macros, Threat actors

Jul 27 2022

How DDoSecrets built the go-to home for Russian leaks

Category: Cyber Threats,Data Breach,Information SecurityDISC @ 2:56 pm
How DDoSecrets built the go-to home for Russian leaks

American investigative reporter Emma Best knows how arduous it is to ask for information from government agencies. 

She made more than 5,000 such requests during her career at MuckRock, a non-profit ​​news site that publishes original government documents and conducts investigations based on them. Best was so persistent that the FBI temporarily banned her from filing any more information requests.

She found a way to cut through the government bureaucracy. Together with an anonymous partner known as The Architect, Best founded the whistleblower site Distributed Denial of Secrets (DDoSecrets) in 2018. 

Since then, it has distributed hacked and leaked data from more than 200 entities, including U.S. law enforcement agencies, fascist groups, shell companies, tax havens, and the far-right social media sites Gab and Parler. 

Unlike cybercriminals who sell hacked data on the darknet for personal gain, DDoSecrets says it exposes leaked information for the public good. “Secrets can be used for extortion by threatening to make it public, while public information can’t,” Best said.

Her website has become a go-to place for whistleblowers and hackers, especially given the absence of its most famous predecessor, WikiLeaks, which has been inactive for the last two years.

Russian leaks

https://therecord.media/how-ddosecrets-built-the-go-to-home-for-russian-leaks/

Tags: DDoSecrets

Jul 08 2022

ENISA released the Threat Landscape Methodology

Category: Cyber Threats,Threat detection,Threat ModelingDISC @ 11:17 am
ENISA released the Threat Landscape Methodology

I’m proud to announce that the European Union Agency for Cybersecurity, ENISA, has released the Threat Landscape Methodology.

Policy makers, risk managers and information security practitioners need up-to-date and accurate information on the current threat landscape, supported by threat intelligence. The EU Agency for Cybersecurity (ENISA) Threat Landscape report has been published on an annual basis since 2013. The report uses publicly available data and provides an independent view on observed threat agents, trends and attack vectors.

ENISA aims at building on its expertise and enhancing this activity so that its stakeholders receive relevant and timely information for policy-creation, decision-making and applying security measures, as well as in increasing knowledge and information for specialised cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies.

The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyberthreat landscape. These efforts support risk mitigation, promote situational awareness and proactively respond to future challenges.
Following the revised form of the ENISA Threat Landscape Report 2021, ENISA continues to further improve this flagship initiative.
ENISA seeks to provide targeted as well as general reports, recommendations, analyses and
other actions on future cybersecurity scenarios and threat landscapes, supported through a clear
and publicly available methodology.

By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency
aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and
sectorial cybersecurity threat landscapes. The following threat landscapes could be considered
as examples.

  • Horizontal threat landscapes, such as the overarching ENISA Threat Landscape (ETL), a product which aims to cover holistically a wide-range of sectors and industries.
  • Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, a product which focuses on a specific theme, but covers many sectors.
  • Sectorial threat landscape, such as the ENISA 5G Threat Landscape, focuses on a specific sector. A sectorial threat landscape provides more focused information for a particular constituent or target group.

Recognising the significance of systematically and methodologically reporting on the threat landscape, ENISA has set up an ad hoc Working Group on Cybersecurity Threat Landscapes2 (CTL WG) consisting of experts from European and international public and private sector entities.

The scope of the CTL WG is to advise ENISA in designing, updating and reviewing the methodology for creating threat landscapes, including the annual ENISA Threat Landscape (ETL) Report. The WG enables ENISA to interact with a broad range of stakeholders for the purpose of collecting input on a number of relevant aspects. The overall focus of the methodological framework involves the identification and definition of the process, methods, stakeholders and tools as well as the various elements that, content-wise, constitute the cyberthreat Landscape (CTL).

You can download the ENISA Threat Landscape Methodology here:

ENISA Threat Landscape Methodology

ENISA Threat Landscape Methodology

Did you manage to assess the risks of remote work so that your company data remain safe?

To help you out, Advisera have created a free white paper: Checklist of cyber threats & safeguards when working from home, which outlines the key cyber threats and vulnerabilities you need to address.


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: ENISA, ENISA Threat Landscape, Threat Landscape Methodology

Jun 06 2022

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

Category: App Security,Backdoor,Cyber Attack,Cyber Threats,CyberweaponDISC @ 8:33 am
Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.

It’s been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8.  This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server. 

Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.

RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.

Please note that patches for these specific vulnerabilities have been released by Resi.

Resi

What GEMINI-NET from Resi is

GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.

It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.

Resi

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 – RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NIST
    https://nvd.nist.gov/vuln/detail/CVE-2022-29539

    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 – RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NISThttps://nvd.nist.gov/vuln/detail/CVE-2022-29539
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.

In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.

Secure Application Development


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: command injection, Secure Application Development

Apr 21 2022

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns By Mimicking Government Vendors

Category: Cyber Threats,Cybercrime,PhishingDISC @ 8:28 am
Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns By Mimicking Government Vendors

Threat intelligence firm Resecurity details how crooks are delivering IRS tax scams and phishing attacks posing as government vendors.

Cybercriminals are leveraging advanced tactics in their phishing-kits granting them a high delivery success rate of spoofed e-mails which contain malicious attachments right before the end of the 2021 IRS income tax return deadline in the U.S. April 18th, 2022 – there was a notable campaign detected which leveraged phishing e-mails impersonating the IRS, and in particular one of the industry vendors who provide solutions to government agencies which including e-mailing, digital communications management, and the content delivery system which informs citizens about various updates.

Cybercriminals purposely choose specific times when all of us are busy with taxes, and preparing for holidays (e.g., Easter), that’s why you need to be especially careful during these times.

The IT services vendor actors impersonated is widely used by major federal agencies, including the DHS, and other such WEB-sites of States and Cities in the U.S. The identified phishing e-mail warned the victims about overdue payments to the IRS, which should then be paid via PayPal, the e-mail contained an HTML attachment imitating an electronic invoice.

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns by Mimicking Government Vendors

Notably, the e-mail doesn’t contain any URLs, and has been successfully delivered to the victim’s inbox without getting flagged as potential spam. Based on the inspected headers, the e-mail has been sent through multiple “hops” leveraging primarily network hosts and domains registered in the U.S.:

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns by Mimicking Government Vendors

It’s worth noting, on the date of detection none of the involved hosts have previously been ‘blacklisted’ nor have they had any signs of negative IP or abnormal domain reputation:

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns by Mimicking Government Vendors

The HTML attachment with the fake IRS invoice contains JS-based obfuscated code.

IRS Internal Revenue Service

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: IRS Tax Scams, phishing, phishing countermeasures

Mar 28 2022

Shopping trap: The online stores’ scam that hits users worldwide

Category: Cyber crime,Cyber ThreatsDISC @ 8:45 am
Shopping trap: The online stores’ scam that hits users worldwide

Shopping trap: Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world

Malicious schemas linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world and thereby trick victims. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, Columbia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected.

Shopping trap

Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are available on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).

As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than 1k malicious entries is provided at the end of the article.

The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.

A new campaign typically starts with the authors setting up the malicious domain at the top of Google search through digital ads (Google ads) – as shown above referring to the Lefties clothing store disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, social Ads were also found on Instagram and Facebook social media platforms.

The content of the malicious websites – clones of the official stores –  are based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts related to the static CMS can be found on a GitHub repository from criminals. In detail, criminals put some effort into developing a generic platform that could serve a mega operation at a large scale, where small tweaks of images and templates would allow the reuse of code for different online stores. Then, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:

  • Name (first and last)
  • Complete address (street, zip-code, city, and country)
  • Mobile phone
  • Email
  • Password
  • Credit card information (number, date, and CVV); and
  • Details about the order and tracking code of the package.

As usual, this Personally Identifiable Information (PII) can be utilized later by criminals to leverage other kinds of campaigns. In order to prevent this type of scenario, we provide a tool that allows you to validate if victims’ information is now in the wrong hands.

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: Online scams, Scam Me If You Can

Jan 26 2022

Open-source Threat Intelligence Feeds

Category: Cyber Threats,Threat detection,Threat ModelingDISC @ 10:56 pm

Table of Contents

Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs that are associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable—if you use the right ones. While these collections are plentiful, there are some that are better than others. Being an actively updated database doesn’t guarantee that it is a highly reliable or detailed one either, as some of the best online haven’t necessarily been updated in a few months.

We will try to keep our own tally of some of the better open source threat intelligence feeds below, regularly updating it with new feeds and more details about each one. A share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. This list is meant to cover free and open source security feed options.

1. Emerging Threats

Developed and offered by Proofpoint in both open source and a premium version, The Emerging Threats Intelligence feed (ET) is one of the highest rated threat intelligence feeds. ET classifies IP addresses and domain addresses associated with malicious activity online and tracks recent activity by either. The feed maintains 40 different categories for IPs and URLs, as well as a constantly updated confidence score.

2. FBI InfraGard

This being backed by the Federal Bureau of Investigation definitely gives it some clout. It’s actually a collaboration between the FBI and the private sector, with its information freely available to private companies and public sector institutions to keep appraised on threats relevant to 16 specific categories of infrastructure identified by the Cybersecurity and Infrastructure Security Agency (a department of the US Department for Homeland Security). Sectors include energy and nuclear power, communications, chemicals, agriculture, healthcare, IT, transportation, emergency services, water and dams, as well as manufacturing and financial.

3. Dan.me.uk

Dan is a collection of 10 tools that together report on IP and domain information. It includes info on IP subnets, the TOR status of IP addresses, DNS blacklists, IP address checking for autonomous systems, and node lists.

4. CINS Score

The CINS Score is supported by Sentinel. Like ET’s confidence score, the CINS Score rates IP addresses according to their trustworthiness. They add data about suspected or confirmed attacks from those IPs in the form of frequency, nature and breadth. They also try to create ‘personas’ around the sorts of attacks those IPs are tied to: scanning, network or remote desktop vulnerabilities, malware bots, or command-and-control servers.

5. Blocklist.de

Blocklist.de pays attention to server attacks from SSH, FTP, email and webserver sources. Their site claims to report an average of 70,000 attacks every 12 hours using a combo of the abusix.org database, Ripe-Abuse-Finder, and Whois information.

6. hpHosts

hpHosts is a searchable database and hosts file that is community managed. While it was last updated in August 2019, it is considered one of the more reliable data stores of malicious IPs online. It can also be sorted by PSH and FSA-only.

7. AlienVault OTX

AlienVault Open Threat Exchange (OTX) is the company’s free, community-based project to monitor and rank IPs by reputation. It generates alert feeds called “pulses,” which can be manually entered into the system, to index attacks by various malware sources. While some pulses are generated by the community, AlienVault creates its own as well that automatically subscribes all OTX’s users. Most pulses are automatically API-generated and submitted via the OTX Python SDK. This example, SSH bruteforce logs 2016-06-09, shows the indicators, geoip of the attacks, and a full list of the IPs used. It also links to reports in other pulses that include the same IPs.

8. Abuse.ch Feodo Tracker

This abuse.ch offering focuses on botnets and command-and-control infrastructure (C&C). The blocklist is an amalgamation of several minor blocklists with attention paid to Heodo and Dridex malware bots. There were 5,374 entries as of 03-03-2020.

Of course, the name itself is a direct response to an older trojan virus called Feodo, which was a successor to the Cridex e-banking trojan. (to which both Dridex and Heodo both trace their source code). Feodo Tracker also tracks an associative malware bot, TrickBot.

9. Abuse.ch URLhaus

The first of two projects from Swiss website abuse.ch, URLhaus is a depository of malicious domains tied to distributing malware. The database can be accessed via a URLhaus API, allowing you to download CSV collections of flagged URLs, those site’s respective statuses, the type of threat associated with them, and more. Ready-made downloads include periods of recent additions (going back 30 days), or all active URLs.

The full URLhaus dataset—as updated every 5 minutes—is automatically and immediately available for CSV download. It also includes a ruleset suited for use in Suricata or Snort. URLhaus also offers a DNS firewall dataset that includes all marked URLs for blocking. 

source: https://logz.io/blog/open-source-threat-intelligence-feeds/

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: Open-source Threat Intelligence Feeds

Jan 13 2022

Threat actors abuse public cloud services to spread multiple RATs

Category: Cyber Threats,Threat detection,Threat ModelingDISC @ 10:05 am
Threat actors abuse public cloud services to spread multiple RATs

Threat actors are actively exploiting public cloud services from Amazon and Microsoft to spread RATs such as NanocoreNetwire, and AsyncRAT used to steal sensitive information from compromised systems.

The malware campaign was spotted by Cisco Talos in October 2021, most of the victims were located in the United States, Italy and Singapore.

Threat actors leverages cloud services like Azure and AWS because they can be easily set up with minimal efforts making it more difficult for defenders to detect and mitigate the campaigns.

The attackers used complex obfuscation techniques in the downloader script.

The attack chains starts with a phishing email using a malicious ZIP attachment that contain an ISO image with a loader in the form of JavaScript, a Windows batch file or Visual Basic script. Upon executing the initial script, the victim’s machine download the next stage from the C2 server, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

“To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.” reads the analysis published by Talos. “Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate increasing usage of popular cloud platforms for hosting malicious infrastructure.”

Once installed the malware on the target system, it can be used to steal confidential data or to deliver additional payloads such as ransomware attacks. Threat actors can also sell the access to other cybercrime gangs, including ransomware affiliates.

“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.” concludes the report that also includes Indicators of Compromise (IoCs).

Tags: Cyber-Security Threats, public cloud services, RATs

Jan 11 2022

Small businesses are most vulnerable to growing cybersecurity threats

Category: Cyber ThreatsDISC @ 10:50 am
Small businesses are most vulnerable to growing cybersecurity threats

While protecting digital resources may be easy for large companies that can afford to hire in-house cybersecurity staff and establish threat monitoring and endpoint detection infrastructure, this endeavor can often seem impossible for SMBs. All the while, the dangers for smaller businesses could not be more acute, especially since the businesses’ operators and employees are often uninformed about common cybersecurity threats.

By understanding the threats they face and implementing a few relatively low-effort but highly effective protection measures, SMBs can leap into the next phase of growth with their digital assets secured.

Unique threats to SMBs

The scope of cybersecurity threats to small companies is no less varied than the threats large multinational corporations face, but SMBs’ size and lack of infrastructure often leaves them more vulnerable to targeted hacking schemes and threats. Hackers often opt for schemes that require less preparation and risk and find easier targets in SMBs.

One major vulnerability is the disadvantage SMBs face because they often do not control every aspect of their supply chain. A bad actor can conduct a software supply chain hack, isolating smaller vendors and suppliers as weak points with little to no cybersecurity protection, forcing them to unwittingly pass on malware that can disable an entire chain of businesses. SMBs in the logistics and operations industries are particularly vulnerable targets since they are connected to many other companies and will likely be more willing to pay the ransom to quickly resume operations at 100% capacity.

In addition, an entirely new slew of cyber threats has cropped up along with the hybrid work model. In a rush to digitize at the start of the pandemic, many SMBs relied on single systems that they perceived to be safe, including migrating their files and processes to the cloud. They hoped that the cloud’s decentralized nature would prevent them from being victimized by cyber attackers. However, even cloud software providers can be infiltrated, as all it takes is one bug to create a vulnerability. Yet most SMBs fail to acknowledge the new vulnerabilities remote work creates and are now even more vulnerable since they are complacently conducting business through unsecured systems.

All these threats represent a growing danger to SMBs’ success – and some SMBs are more vulnerable than others. Many of the industries (e.g., agriculture) that never thought they would be targeted and therefore eschewed any type of basic cybersecurity are years behind in their cyber protection measures.

wolf

Regulations add another complication

Cybersecurity for Small and Midsize Businesses

Cybersecurity for Small and Midsize Businesses by [Marlon Bermudez]

Tags: Cybersecurity for Small and Midsize Businesses, Cybersecurity for SMBs, SMB

Dec 28 2021

External attackers can penetrate most local company networks

Category: Cyber Threats,Insider Threat,Threat detectionDISC @ 9:54 am
External attackers can penetrate most local company networks

These are the results of a new research report by Positive Technologies, analyzing results of the company’s penetration testing projects carried out in the second half of 2020 and first half of 2021.

The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.

During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.

“In 20% of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information pose the greatest danger,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.

“In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.

Despite the fact that financial organizations are considered to be among the most protected companies, as part of the verification of unacceptable events in each of the banks we tested, our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds.

An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to our research, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main way criminals can penetrate a corporate network (71% of companies), primarily because of simple passwords used, including for accounts used for system administration.

Microservices Security in Action: Design secure network and API endpoint security for Microservices applications

Tags: External attackers

Dec 28 2021

Threat actors are abusing MSBuild to implant Cobalt Strike Beacons

Category: Cyber Threats,Threat detection,Threat ModelingDISC @ 9:30 am
Threat actors are abusing MSBuild to implant Cobalt Strike Beacons

Security expert from Morphus Labs recently observed several malicious campaigns abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.

MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software to deliver malware using callbacks.

Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho revealed to have uncovered two different malicious campaigns that were abusing MSBuild for code execution.

The malicious MSBuild project employed in the attacks was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike payload.

“Now, let’s look at the malicious MSBuild project file in Figure 3. Using the same principle, when called by MSBuild, it will compile and execute the custom C#, decode and execute the Cobalt Strike beacon on the victim’s machine.” wrote Marinho.

malicious msbuild project

In the attack scenario described by the researcher, the attackers initially gained access to the target environment using a valid remote desktop protocol (RDP) account, then leveraged remote Windows Services (SCM) for lateral movement, and MSBuild to execute the Cobalt Strike Beacon payload.

The Beacon was used to decrypt the communication with the C2 server, which was SSL encrypted.

Cobalt Strike, a Defender’s Guide

Cobalt Strike, a Defender’s Guide (The DFIR Report's 2021 Intrusions) by [The DFIR Report]

Tags: Cobalt Strike, Cobalt Strike Beacons, MSBuild

Dec 17 2021

SANS 2021 Top New Attacks and Threat Report

Category: Cyber Attack,Cyber Threats,Information Security,Threat detection,Threat ModelingDISC @ 2:21 pm

SANS 2021 Top New Attacks and Threat Report Download

System Security Threats | Computer Science Posters

Tags: SANS 2021, System Security Threats

Dec 11 2021

Cybereason released Logout4Shell, a vaccine for Log4Shell Apache Log4j RCE

Category: Cyber Threats,Cyberweapons,Web SecurityDISC @ 12:48 pm
Cybereason released Logout4Shell, a vaccine for Log4Shell Apache Log4j RCE

Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for a critical remote code execution zero-day vulnerability, tracked a CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library.

The Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.

A remote, unauthenticated attacker can exploit the CVE-2021-44228 to execute arbitrary code on a vulnerable system leading to a complete system takeover.

The vulnerability was discovered by researchers from Alibaba Cloud’s security team that notified the Apache Foundation on November 24. According to the experts, the vulnerability is easy to exploit and does not require special configuration, for this reason, it received a CVSSv3 score of 10/10. Researchers pointed out that Apache Struts2, Apache Solr, Apache Druid, Apache Flink are all affected by this vulnerability.

Now researchers from cybersecurity firm Cybereason have released a script that works as a “vaccine”(dubbed Logout4Shell) that allows remotely mitigating the Log4Shell vulnerability by turning off the “trustURLCodebase” setting in vulnerable instances of the library.

“While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk. However, enabling these system property requires access to the vulnerable servers as well as a restart.” reads the GitHub Page set up for the Log4Shell project.

Cyberreson experts pointed out that enabling these system property requires access to the vulnerable servers, and the servers have to be restarted. 

A zero-day exploit for Log4j Java library could have a tsunami impact on IT giants

Defensive Security Handbook: Best Practices for Securing Infrastructure

Tags: Apache patch, Defensive Security, Log4j, Log4shell

Dec 06 2021

2022 and the threat landscape: The top 5 future cybersecurity challenges

Category: Cyber Threats,Insider Threat,Threat detection,Threat ModelingDISC @ 10:34 am
2022 and the threat landscape: The top 5 future cybersecurity challenges

2022 is going to be a year of building greater resiliency and integrating this into all aspects of business operations. This will require organizations of all levels to review how they are responding to a larger scale of sophisticated threats. To build on the efforts of 2021, CISOs need to address how they can implement innovation into their business without making themselves more vulnerable to damaging attacks.

There are five big trends that I see defining the market in 2022 that security professionals should pay attention to:

. The rise of the “assume-breach” mindset

Zero trust applies the principle of fundamentally not trusting anything on or off your network and deploys a “assume-breach” mindset. 

. Innovation and new risk in 5G

. Customization, personalization and getting personal with phishing tactics

. Hackers will go for gold at the Beijing Olympics

. The enterprise API ecosystem will show its vulnerabilities

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Tags: threat landscape

Nov 09 2021

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

Category: Cyber ThreatsDISC @ 6:29 am
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

Tags: Sophos 2022 Threat Report, Threat Report

« Previous PageNext Page »