Dec 06 2023

Your car is probably harvesting your data. Here’s how you can wipe it

Category: Information Security,Mobile Securitydisc7 @ 8:16 am
https://therecord.media/car-data-privacy-service-wiping

It is so easy to vacuum up private data from vehicles that Andrea Amico taught his daughter how to extract text messages from her mom’s car when she was only eight years old.

Blue-haired and an engineer by training, Amico has a hacker’s mentality, which has manifested in giving drivers a way to protect their data and beat the system at no cost.

Amico is the founder and CEO of Privacy4Cars, the outfit behind a free app that lets individuals erase the astonishing amount of personal data — including text messages, biometrics and geolocation — that many automakers collect, store and often share with law enforcement, insurers and even data brokers.

Privacy4Cars also allows consumers to pull a full report on exactly what data their own car is scooping up, using nothing but a vehicle identification number.

Amico worked on car data privacy for years on what he called a “passion project” basis. After running a large car inspection business, he came to understand the scale of the problem — and the stakes — and founded Privacy4Cars in 2019.

Consumers can use the app to delete data retroactively, but there is no way to block its collection moving forward so those especially concerned about privacy have to regularly wipe the car’s data, which usually primarily resides in the infotainment system, Amico said.

The process for deletion is unique for most car models and types. Amico says the company has amassed step-by-step delete instructions for tens of thousands of vehicles, whose settings often differ by model, make, year manufactured and even how many extras customers pay for to enhance a given model.

The app typically works for four out of five cars. Wiping data can take as few as three commands, or as many as 50, Amico said. If a car owner has not downloaded a given car’s software updates, that can complicate matters.

Data linked to more than a million cars has been deleted using the app to date, Amico said.

With car data privacy in the spotlight recently, the demand is likely to rise.

Last month a Seattle-based federal judge declined to revive a class action lawsuit alleging four auto manufacturers had broken Washington state privacy laws by gathering and storing customers’ private text messages and mobile phone call logs.

The judge ruled the practice did not meet the threshold for an illegal privacy violation under state law, which requires plaintiffs prove that “his or her business, his or her person, or his or her reputation” has been threatened by the harvesting of private data.

Despite the ruling, car data privacy concerns are growing as more consumers become aware of their exposure, and even some industry figures concede more needs to be done to educate car owners about data practices.

Running the report

Privacy4Cars offers a website feature which allows users to search their vehicle identification number and quickly learn the data their car gathers, pulling and crystallizing information from the small print manufacturers typically disclose in complex, dense and lengthy terms and conditions and privacy disclosures.

A recent search of what Privacy4Cars calls its “Vehicle Privacy Report” showed a variety of automakers disclosing they can or do pull, store and even sell a wide range of data, including:

  • Personal identifiers, which can include data as granular as a driver’s signature; Social Security number; passport number; insurance policy number; employment history and medical information, among other things
  • Biometrics, which can identify individuals, including through fingerprint mapping, facial recognition and retina scans
  • Geolocation data
  • Data collected and used to create profiles on drivers
  • Consumer data collected from synced phones like text messages and call logs. Often manufacturers don’t disclose whether they also gather data from drivers’ connected smart devices when third-party apps run on or sync with the infotainment system, the report said.

Many automakers also acknowledge they share data with law enforcement, insurers and data brokers.

While some cars searched on the Privacy4Cars website were silent on whether they collect data from synced phones, Sean McKeever, a senior security researcher at GRIMM, a cybersecurity company with an automotive division, said most cars do gather and store phone data.

“If the vehicle offers phone connectivity, you can assume there is some level of data being stored on the vehicle,” McKeever said via email.

Amico estimated that about two-thirds of U.S. auto manufacturers declare they collect data from synced phones, at least for some models.

“They’re also very quick to say that it’s none of their responsibility and essentially it’s the consumers’ fault if they leave this data behind,” he said in an interview.

To use the Privacy4Cars’ Vehicle Privacy Report search tool, drivers must have their vehicle identification number (VIN). A recent random check of the privacy report’s portal, using VIN numbers linked to used vehicles on Carmax, showed that many cars collect all of the data listed above and more.

Vehicles collecting synced phone data, for example, included a 2018 Vokswagen Atlas, a 2023 Audi Q4, a 2019 Volvo XC90 and a 2020 Honda Civic. All of these vehicles also collect location data and some gather biometric data along with compiling personal identifiers and user profiles.

None of the automakers offered comment except for Volkswagen. A spokesperson said that “when a customer syncs their phone via Bluetooth, the car can access phone data as granted by the customer and all of this data is stored within the vehicle.”

They added that customers can delete this data at any time through a factory reset and noted that “while the car itself will access the data, the car does not transmit this data beyond the car.”

Vehicle Privacy Report screenshot.jpgA privacy report for a 2020 Volkswagen Tiguan.

Many of the cars Recorded Future News searched in the Vehicle Privacy Report also allowed data to be collected from Android Auto, Apple Carplay and Amazon Alexa.

Amico said that if your car uses Android Auto, for example: “Guess what? Google collects data from you as well.” Google does not have an Android Auto-specific privacy policy or data disclosure, Amico said. The data can also potentially be sold by Google for targeted advertising. Google did not respond to a request for comment.

Privacy4Cars also takes on data brokers, offering a way for consumers to easily reach them and tell them not to sell their data. An “Assert Your Rights” button on the upper right corner of the company’s homepage takes users to a place to share their information so that Privacy4Cars can submit consumer privacy requests to first-party businesses, data brokers, and third parties on their behalf.

Consumers in the dark

Most drivers have no idea what data their car is collecting because other than through Privacy4Cars it can be very hard to track down and digest the information. The privacy disclosures for the four cars mentioned above involved between nine and 12 unique documents, and each ran between 55,00 and 60,000 words, according to the Privacy4Cars site.

Older cars appear not to be immune. A check for a 2012 Honda Odyssey, for example, revealed the vehicle collects data from synced phones, geolocation information and compiles personal identifiers and user profiles.

Car owners should use the app to wipe data particularly when they buy or sell a used car and return vehicles to car rental agencies or leasing companies, Amico said, although most people don’t know they should do so.

Four out of five used cars contain the data of previous owners since most owners and subsequently car dealers don’t wipe them clean, he said.

In some cases cars even store pieces of code from previous drivers that can allow old owners to access new owners’ data. Most cars’ infotainment systems also store text messages and other unencrypted data.

Amico’s services aren’t foolproof. The FBI, for instance, still might be able to hack into the car’s systems and extract data. But they do make it a “hell of a lot harder” for them or anyone else to do so.

Even those unworried about getting entangled with the FBI have serious reasons to delete their data, he said.

“If you have a navigation system, you have about a 50/50 chance that you can press two buttons and show up inside the house of somebody because you press ‘go home’ and then you pop the garage open,” Amico said.

This is Part 1 of a three-part series on automobile privacy that will run through the month of December.

Automated Vehicle Law: Legal Liability, Regulation, and Data Security

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Automated Vehicle, Car Security


Dec 03 2023

Introduction to Cyber Security

Category: cyber security,Information Securitydisc7 @ 10:41 am

Introducing to Cybersecurity | Cyber Writes ✍

Introduction to Cyber Security: Basic to Advance Techniques

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Intro to Cyber Security


Nov 29 2023

Chrome Zero-Day Vulnerability That Exploited In The Wild

Category: Information Security,Web Search Engine,Web Securitydisc7 @ 8:13 am

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this year. The flaw, identified as CVE-2023-6345, is classified as an integer overflow in Skia, an open-source 2D graphics library written in C++.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” Google said.

There are several potential risks associated with this high-severity zero-day vulnerability, including the execution of arbitrary code and crashes.

On November 24, 2023, Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group reported the issue.

Google has upgraded the Stable channel version 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, addressing the year’s sixth actively exploited zero-day vulnerability. This upgrade will be rolled out over the next few days/weeks.

Additionally, Google has fixed six high-severity security vulnerabilities with this update.

Details Of The Vulnerabilities Addressed

Type Confusion in Spellcheck is a high-severity bug that is being tracked as CVE-2023-6348. Mark Brand from Google Project Zero reported the issue.

Use after free in Mojo is the next high-severity bug, tagged as CVE-2023-6347. 360 Vulnerability Research Institute’s Leecraso and Guang Gong reported the issue, and they were rewarded with a bounty of $31,000.

Use after free in WebAudio is a high-severity issue identified as CVE-2023-6346. Following Huang Xilin of Ant Group Light-Year Security Lab’s disclosure, a $10,000 prize was given out.

A High severity bug in libavif, Out-of-bounds memory access, is tagged as CVE-2023-6350. Fudan University reported it, and $7000 was given out.

Use after free in libavif is a high-severity bug identified as CVE-2023-6351. Fudan University reported it, and $7000 was given out.

Update Now

To stop exploitation, Google highly advises users to update their Chrome web browser right away. The following are the easy procedures that you must follow to update the Chrome web browser:-  

  • Go to the Settings option.
  • Then select About Chrome.
  • Wait, as Chrome will automatically fetch and download the latest update.
  • Once the installation process completes, you have to restart Chrome.
  • That’s it. Now you are done.

Attacking and Exploiting Modern Web Applications: Discover the mindset, techniques, and tools to perform modern web attacks and exploitation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Chrome zero-day


Nov 25 2023

CISSP Study Guide

Category: CISSP,Information Securitydisc7 @ 2:44 pm

CISSP Study Guide | Cyber Press

CISSP Study Guide

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CISSP study guide


Nov 17 2023

Why cyber war readiness is critical for democracies

Category: Cyber War,Digital cold war,Information Security,OT/ICSdisc7 @ 9:41 am

The skills employed, the hacktivists and other threat actors are not going anywhere. Right now, Russia might be overwhelmingly interested in Ukraine, but their aims and goals remain global.

“These skills will be turned in other directions and other targets in the future, they will be shared in threat actor groups online. This is the world you need to be preparing for right now,” he added.

His warning echoed a similar one by Viktor Zhora, Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine.

Russia’s attack force consists of “hackers in uniform”, cybercriminals and hacktivists congregating in various Telegram channels, but the nation is also working on engaging ever more younger people in their cyber offensive campaigns. They are seeking talented individuals in schools (and not just tech universities), selecting the most talented and training them, he shared.

“The Russians are in it for the long run,” Zhora warned during his IRISSCON talk, and called on countries that are – or expect to be – targeted by cyber aggressive nations to create a cyber coalition so they can prepare, share their experiences, and exchange information.

OT under attack

We can’t talk about the war in Ukraine and not mention cyber attacks aimed at disrupting operational technology (OT) used by companies that are part of the country’s critical infrastructure (CI).

In his talk, Ferguson briefly passed through the known attacks that hit CI entities with OT-specific malware, starting with Stuxnet in 2010 and ending with CosmicEnergy in 2023.

Some of the attacks are believed to be the work of the US and Israel (Stuxnet), cybercriminals (EKANS ransomware, 2020) or are still unattributed (the destructive 2014 attack against a steel plant in Germany). But the rest, he noted, are all believed to have been mounted by Russian state-backed attackers.

And, he says, they are getting better at it. Mirroring the development of attacks against IT systems, they have recently begun exploiting legitimate tools found in OT environments, so they don’t need to develop customized malware.

Many attackers are scanning for OT-specific protocols and probing OT devices, Ferguson noted. While their actual exploitation hinges on the skills of the attackers, some modes of attack (e.g., DDoS and phishing) are available to those who are less skilled, but eager. Hacktivists can target critical infrastructure that’s exposed on the internet as it’s easily discoverable via online tools.

Unfortunately, securing OT systems comes with a host of challenges: a complex infrastructure; an increasing number of endpoints; OT devices insecure by design (and generally not meant to be connected to the internet); rarely integrated OT and IT security teams, a lack of visibility into the OT infrastructure – to name just a few.

A new level of cyber conflict

Since the start of the war, Russian hackers have been trying to shut down electrical power in the country, have gone after government agencies, IT companies, telecoms, software development firms, media houses, editors, and media personalities, Zhora noted.

While the initial attacks were mostly geared towards destruction, Russian cyber attackers are now also trying to get their hands on information that can help them determine the effectiveness of their kinetic attacks, discover whether their spies have been flagged by the Ukrainian authorities, and see what evidence those authorities have gathered about war crimes.

Clever and subtle psy-ops online campaigns are, as well, a favorite tactic employed by the Russian state to manipulate enemies. And, since the advent of generative AI, it has became easier to mount them, Ferguson added.

All these things should be taken in consideration by governments when preparing for the future. Looking at the cyber component of the unfolding wars in Ukraine and Israel, they can see what future conflicts will look like.

Zhora says that Ukraine is becoming more and more confident of its capacity to counter future attacks, but that each democracy needs to ask themselves: Are we prepared for a global cyber war? “And they need to be honest with the answer,” he noted.

If they are not, they should immediately begin investing in cyber defense and intensifying cooperation, he added.

All the War They Want: Special Operations Techniques for Winning in Cyber Warfare, Business, and Life

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: OT/ICS critical infrastructure


Nov 15 2023


SystemBC, A SWISS KNIFE Proxy Malware, Used By Numerous Ransomware Groups

Category: Information Securitydisc7 @ 7:51 am

SystemBC (aka Coroxy or DroxiDat) is a multifunctional malware known as Proxy, Bot, Backdoor, and RAT, adapting to attackers’ needs. 

Since 2018, this multifunctional malware has been active, and it remains popular in underground markets, with consistent annual incidents.

Cybersecurity researcher, REXor (aka Aaron) recently discovered that several ransomware groups are employing SystemBC, a Swiss Knife proxy malware, for their illicit purposes. 

Ransomware Groups Involved

Here below, we have mentioned all the ransomware groups that are involved in using this malware:-

  • ViceSociety
  • Rhysida
  • GoldDupont
  • FIN12
  • 8BASE
  • PLAY
  • Hive
  • BlackBasta
  • TropicalScoprious (CUBA)
  • RiddleSpider (Avaddon)
  • WizardSpider (Conti, Ryuk)
  • Egregor
  • DarkSide
  • Maze Team (Maze & IcedID)

SystemBC, The SWISS KNIFE

Coroxy infiltrates systems using diverse methods tailored to the user group, employing:-

  • Reconnaissance
  • Lateral movement
  • Deploying SystemBC (often alongside CobaltStrike)

It’s also utilized in Spear Phishing campaigns, delivered via loaders or other malware for installation on victim systems.

SystemBC malware adapts its methods but maintains core tasks:-

Gather system info –> Establish persistence –> Create a Socks5 connection to the C&C server –> Transmit data –> Await attacker commands or malware launches

This backdoor enables attackers to operate from their infrastructure, and over time, numerous groups have used SystemBC.

SystemBC usage varies with each attacker’s access to the infrastructure. Studied samples show diverse executions yet share consistent core functions.

Usually, when an executable is run, a duplicate copy of SystemBC is made and persistence is established via tasks or registry entries.

Some samples may use a packer or need deobfuscation/extraction without a loader or malware. 

Extracting from memory may be required, revealing identical copies in a temporary folder indicating malware duplication with dynamic filenames. 

Coroxy employs a Mutex control in all examined samples that prevents multiple runs. It may generate a random string or deobfuscate a domain as a Mutex, adding complexity.

Samples establish persistence differently, as some create jobs or registry entries, often using PowerShell to execute SystemBC.

In certain versions, SystemBC launches a duplicate in the following paths:-

  • ProgramData
  • Roaming
  • Temp

SystemBC detects a2guard, a handy anti-analysis move to spot antivirus or disruptive software. It captures process snapshots, using ProcessFirst and ProcessNext to hunt for the binary. 

This grants persistence, process control, and info gathering, with deobfuscation and decryption for future network connections.

After pinpointing the connection location, SystemBC establishes it through a loop, usually targeting a known server and port, reads the report.

Though versions may differ slightly, the core behavior remains the same. However, the analyst found a focus on Coroxy’s relevance, with active discussions and inquiries in forums. 

Besides this, the identified infrastructure allows OS access for around $350 to $300, payable through active cryptocurrency wallets.

Active discussions and inquiries (Source - RexorVC0)
Active discussions and inquiries (Source – RexorVC0)

IOCs

Hash:

  • c96f8d4d1ee675c3cd1b1cf2670bb9bc2379a6b66f3029b2ffcfdd67c612c499
  • 6f78256f20eb2b5594391095a341f8749395e7566fdd2ddd3a34a0db9bb9f871
  • E81eb1aa5f7cc18edfc067fc6f3966c1ed561887910693fa88679d9b43258133
  • 97ebef56e3fa3642d0395c00c25975e586089d26632e65422099a5107d375993
  • ef71c960107ba5034c2989fd778e3fd72d4cdc044763aef2b4ce541a62c3466c
  • 6E57D1FC4D14E7E7C2216085E41C393C9F117B0B5F8CE639AC78795D18DBA730
  • 6b56f6f96b33d0acefd9488561ce4c0b4a1684daf5dde9cc81e56403871939c4
  • F0073027076729CE94BD028E8F50F5CCB1F0184C91680E572580DB0110C87A82
  • 3d1d747d644420a2bdc07207b29a0509531e22eb0b1eedcd052f85085bef6865
  • c68035aabbe9b80ace209290aa28b8108cbb03a9d6a6301eb9a8d638db024ad0
  • c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5

Domain:

  • payload[.]su
  • mxstat215dm[.]xyz
  • mxstex725dm[.]xyz
  • zl0yy[.]ru
  • r0ck3t[.]ru

IP (High confidence):

  • 91[.]191[.]209[.]110
  • 5[.]42[.]65[.]67
  • 45[.]15[.]158[.]40

IP (Mid-Low confidence):

  • 178[.]236[.]246[.]117
  • 185[.]174[.]136[.]148
  • 45[.]142[.]122[.]179
  • 178[.]236[.]247[.]39
  • 45[.]142[.]122[.]105
  • 185[.]112[.]83[.]129
  • 185[.]112[.]83[.]164
  • 185[.]112[.]83[.]172
  • 185[.]112[.]83[.]59
  • 5[.]42[.]65[.]67
  • 78[.]153[.]130[.]166
  • 45[.]142[.]122[.]215
  • 91[.]191[.]209[.]110
  • 5[.]188[.]206[.]246

Configuration and Evaluation of Some Microsoft and Linux Proxy Servers, Security, Intrusion Detection, AntiVirus and AntiSpam Tools

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Nov 14 2023

Hackers Selling Exploits For Critical Vulnerabilities On The Dark Web

Category: Dark Web,Information Securitydisc7 @ 1:31 pm

Dark forums and Telegram channels have become great places for threat actors to sell critical vulnerabilities and exploits.

These vulnerabilities and exploits were associated with the Elevation of Privilege, Authentication Bypass, SQL Injection, and Remote Code Execution in products like Windows, JetBrains software, Microsoft Streaming Service Proxy, and Ubuntu kernels.

Recent discoveries state that these vulnerabilities were sold in underground forums even before the Vendor officially assigned them.

One such example was the Microsoft Streaming Server vulnerability (CVE-2023-36802) that was on sale in February, though the CVE was officially assigned in September 2023.

Key Vulnerabilities

According to the reports shared with Cyber Security News, several critical and high-severity vulnerabilities were sold in the underground forums, which certain ransomware groups used to gain initial access and lateral movement inside the victim network.

Critical Vulnerabilities

CVE-2023-34362: MOVEit RCE Vulnerability (Exploited By Cl0p Ransomware Group)

This vulnerability was published in NVD on June 02, 2023. However, it was observed to be exploited by threat actors since May 2023. This vulnerability had a severity of 9.8 (Critical) and was patched by Progress. 

This vulnerability arises due to insufficient sanitization of user-provided data, which enables unauthenticated remote attackers to access the MOVEit application. With this vulnerability, the Cl0p ransomware group targeted more than 3000 organizations in the US and 8000 organizations worldwide.

CVE-2023-3519: Citrix ADC And Gateway Vulnerability (Exploited By Unknown Threat Actor)

NVD published this vulnerability on June 19, 2023, and Citrix patched it in July 2023. However, threat actors were seen to be exploiting this vulnerability in June 2023, which affected Netscaler ADC and Gateway versions.

A threat actor can use this vulnerability to execute remote code on affected Citrix ADC and Gateway systems to steal sensitive information without any authentication. The severity of this vulnerability was given as 9.8 (Critical).

Exploits Vulnerabilities Dark Web

CVE-2023-42793: JetBrains Unauthenticated RCE (Exploited By North Korean Threat Actors)

This vulnerability could allow an unauthenticated threat actor to access the TeamCity server and execute remote code,, which could compromise the source code and add to a supply chain attack.

This vulnerability was published in NVD in September 2023 and was found to be sold in the underground forums in October 2023. This authentication bypass leading to RCE vulnerability was given a severity of 9.8 (Critical).

Exploits Vulnerabilities Dark Web

According to Microsoft, this vulnerability was potentially used by North Korean nation-state threat actors like Diamond Sleet and Onyx Sleet to install malware and backdoors on their targets.

complete report about the vulnerabilities sold on the underground market, their associated threat groups, and other information has been published.

Users of these products are recommended to patch the affected versions accordingly and take precautionary measures to prevent them from getting exploited by threat actors.

The Darkest Web: Drugs, Death and Destroyed Lives . . . the Inside Story of the Internet’s Evil Twin

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Hackers Selling Exploits, The Darkest Web


Nov 10 2023


Russian Hackers Hijacked Power Station Circuit Breakers Using LotL Technique

Category: Hacking,Information Securitydisc7 @ 11:10 am

In a recent and alarming development, the notorious Russia-linked threat actor Sandworm executed a sophisticated cyber-physical attack targeting a critical infrastructure organization in Ukraine. 

The incident, responded to by cybersecurity firm Mandiant, unfolded as a multi-event assault, showcasing a novel technique to impact Industrial control systems (ICS) and operational technology (OT).

Unraveling Russia’s Cyber-Physical Capabilities

The attack, spanning from June to October 2022, demonstrated a significant evolution in Russia’s cyber-physical attack capabilities, notably visible since the invasion of Ukraine. 

Sandworm, known for its allegiance to Russia’s Main Intelligence Directorate (GRU), has historically focused on disruptive and destructive campaigns, particularly in Ukraine.

The unique aspect of this attack involved Sandworm’s utilization of living-off-the-land (LotL) techniques at the OT level, initially causing an unplanned power outage in conjunction with missile strikes across Ukraine. 

The threat actor further demonstrated its adaptability by deploying a new variant of the CADDYWIPER malware in the victim’s IT environment.

Mandiant’s analysis revealed the complexity of the attack, highlighting Sandworm’s ability to recognize novel OT threat vectors, develop new capabilities, and exploit various OT infrastructures. 

The threat actor’s deployment of LotL techniques indicated a streamlined approach, reducing the time and resources required for the cyber-physical assault.

Concerns Over Sandworm’s Adaptive Capabilities

Despite being unable to pinpoint the initial intrusion point, Mandiant suggested that the OT component of the attack may have been developed in as little as two months. 

This raises concerns about Sandworm’s capability to rapidly adapt and deploy similar attacks against diverse OT systems worldwide.

Sandworm’s global threat activity, coupled with its novel OT capabilities, prompted a call to action for OT asset owners worldwide. 

Mandiant provided detailed guidance, including detection methods, hunting strategies, and recommendations for hardening systems against such threats.

The attack’s timing, coinciding with Russian kinetic operations, suggested a strategic synchronization, indicating that the threat actor may have been waiting for a specific moment to deploy its capabilities. 

As observed in this incident, the evolution of Sandworm’s tactics offers insights into Russia’s ongoing investment in OT-oriented offensive cyber capabilities.

In conclusion, this Sandworm attack serves as a stark reminder of the escalating cyber threats faced by critical infrastructure globally. 

The continuous evolution of cyber adversaries necessitates a proactive approach from governments, organizations, and asset owners to secure and safeguard vital systems against such sophisticated attacks.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Power station, Sandworm


Nov 01 2023

Hackers Deliver Malicious DLL Files Chained With Legitimate EXE Files

Category: Hacking,Information Securitydisc7 @ 9:31 am

Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.

This can give them unauthorized access and control over a system or application, enabling various types of attacks like:- 

  • Privilege escalation
  • Data theft
  • System compromise

An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.

The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.

Malicious DLL With Legitimate EXE Files

Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.

Users searching for cracked software leads to malicious sites, and the downloads are encrypted RAR files with passwords.

Running EXE infects the system, and they often have valid signatures, so always be cautious with cracked software, reads the ASEC report.

Distribution of the malware via webpages (Source - ASEC)
Distribution of the malware via webpages (Source – ASEC)

Malicious DLLs tweak part of legitimate DLLs as they decrypt and run data from a nearby file. Hiding data this way avoids altering DLL appearance, reducing detection risk.

For malware to work, the following elements are required to be placed in the same folder:-

  • Data
  • EXE
  • Modified DLL

Unzipping the password-protected file with the code “2023” gives you the following files:-

Contents of compressed file (Source - ASEC)
Contents of compressed file (Source – ASEC)

The following two files are genuine VLC files with valid signatures:-

  • Setup.exe
  • libvlc.dll

The “libvlccore.dll” is altered and lacks a matching signature, due to which the extra directories like demux and lua serve to mask its malicious nature.

Running ‘Setup.exe’ activates ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds code info. disguised as a PNG.

It loads “pla.dll” from SysWow64 and injects code into its memory differently than typical malware. This method uses NTDLL relocation, and for “cmd.exe,” it loads “pla.dll” and injects the malware into it. 

A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to “pla.dll” code. This code decrypts a file, generates LummaC2 malware, and runs “explorer.exe,” injecting and executing the binary.

Process tree of malware execution (Source - ASEC)

LummaC2 targets victims and installs malware from its C2 server, and it steals various sensitive data using JSON-formatted responses from C2. 

The malware infects via legitimate EXE files, looking like original DLLs, posing a low detection risk.

IOCs

IOCs (Source - ASEC)
IOCs (Source – ASEC)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Malicious DLL


Oct 27 2023

HOW APT28 INFILTRATES NETWORKS IN FRENCH UNIVERSITIES & NUCLEAR PLANTS WITHOUT DETECTION

Category: APT,Information Securitydisc7 @ 1:19 pm

According to a recent study published by the leading cybersecurity agency in France, a hacking organisation affiliated with Russia’s military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions. The research was published by the agency.

Since the second half of 2021, the group of hackers known as Fancy Bear or APT28 has been operating covertly into French computer networks in an effort to acquire a variety of sensitive sorts of data. According to the findings of the investigation conducted by the National Cybersecurity Agency of France, also known as ANSSI, the perpetrators of the attacks hacked systems that were not being actively watched, such as routers, and abstained from employing backdoors in order to avoid being discovered. These cyber attackers infiltrate peripheral devices on crucially important French organisational networks, according to a recent study published by France’s National Agency for the Security of Information Systems (ANSSI), and they do so without making use of backdoors in order to avoid detection. After conducting an analysis of the group’s Techniques, Tactics, and Procedures (TTPs), ANSSI came to the conclusion that APT28 infiltrates target networks via brute force and credential leaks in order to get access to accounts and Ubiquiti routers. In April of 2023, a phishing expedition was begun with the purpose of obtaining system settings, insights into operational operations, and other relevant data. Using the flaw identified as CVE-2023-23397, APT28 sent emails to Outlook users during the months of March 2022 and June 2023. In order to carry out reconnaissance and data collecting, the attackers made use of other vulnerabilities, such as CVE-2022-30190 (Follina) in Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail. Both of these vulnerabilities were exploited by the attackers.

In order to carry out their intrusions, the gang made use of applications such as the password harvester Mimikatz and the traffic relay tool reGeorg. Additionally, they made use of open-source services such as Mockbin and Mocky. It is important to understand that APT28 use a wide variety of different VPN clients.

As a cyber-espionage group, APT28’s primary mission is to gain unauthorised access and steal information from its targets. The hackers stole sensitive information from email accounts and stole authentication details by using common tools. The hackers also stole emails that were full of personal information. The Command and Control (C2) architecture is rooted on cloud services such as Google Drive and Microsoft OneDrive, which makes it more difficult to identify them.

ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.

In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.

APT28 is responsible for sending emails to Outlook users that attacked a zero-day vulnerability that is now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than what was previously revealed.

The ANSSI emphasises taking a comprehensive approach to security, which includes conducting risk assessments. In light of the dangers posed by APT28, there should be a special focus on ensuring the safety of email communications. The following is a list of the most important suggestions that the organisation has about the safety of email:

Protecting the privacy of email communications and preventing their disclosure via 
adopting secure exchange systems as a means of preventing the diversion or acquisition of email traffic. Reducing the potential points of attack on email online interfaces and managing the dangers posed by servers such as Microsoft Exchange and putting in place mechanisms that can identify malicious emails.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Oct 26 2023

Most Important Network Penetration Testing Checklist

Category: Cheat Sheet,Information Security,Pen Testdisc7 @ 9:25 am

Network Penetration Testing checklist determines vulnerabilities in the network posture by discovering Open ports, troubleshooting live systems, and services, and grabbing system banners.

The pen-testing helps the administrator to close unused ports, additional services, Hide or customize banners, troubleshoot services, and to calibrate firewall rules.

You should test in all ways to guarantee there is no security loophole.

Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.

The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.

Let’s see how we conduct step-by-step Network penetration testing by using some famous network scanners.

1. Host Discovery

Footprinting is the first and most important phase where one gathers information about their target system.

DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.

  • A – A record is used to point the domain name such as gbhackers.com to the IP address of its hosting server.
  •  MX – Records responsible for Email exchange.
  • NS – NS records are to identify DNS servers responsible for the domain.
  • SRV – Records to distinguish the service hosted on specific servers.
  • PTR – Reverse DNS lookup, with the help of IP you can get domains associated with it.
  • SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
  • CNAME – Cname record maps a domain name to another domain name.

We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.

Ping&Ping Sweep:

root@kali:~# nmap -sn 192.168.169.128root@kali:~# nmap -sn 192.168.169.128-20 To ScanRange of IProot@kali:~# nmap -sn 192.168.169.* Wildcardroot@kali:~# nmap -sn 192.168.169.128/24 Entire Subnet

Whois Information 

To obtain Whois information and the name server of a websiteroot@kali:~# whois testdomain.com

  1. http://whois.domaintools.com/
  2. https://whois.icann.org/en

Traceroute

Network Diagonastic tool that displays route path and transit delay in packetsroot@kali:~# traceroute google.com

Online Tools

  1. http://www.monitis.com/traceroute/
  2. http://ping.eu/traceroute/

2. Port Scanning

Perform port scanning using tools such as Nmap, Hping3, Netscan tools, and Network monitor. These tools help us to probe a server or host on the target network for open ports.

root@kali:~# nmap –open gbhackers.com             To find all open ports

root@kali:~# nmap -p 80 192.168.169.128           Specific Port

root@kali:~# nmap -p 80-200 192.168.169.128   Range of ports

root@kali:~# nmap -p “*” 192.168.169.128          To scan all ports

Online Tools

  1. http://www.yougetsignal.com/
  2. https://pentest-tools.com/information-gathering/find-subdomains-of-domain

3. Banner Grabbing/OS Fingerprinting

Perform banner Grabbing/OS fingerprinting such as Telnet, IDServe, and NMAP determines the operating system of the target host and the operating system.

Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.

root@kali:~# nmap -A 192.168.169.128root@kali:~# nmap -v -A 192.168.169.128 with high verbosity level

IDserve is another good tool for Banner Grabbing.

Networkpentesting Flowchart

Online Tools

  1. https://www.netcraft.com/
  2. https://w3dt.net/tools/httprecon
  3. https://www.shodan.io/

4. Scan For Vulnerabilities

Scan the network using Vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.

These tools help us find vulnerabilities in the target and operating systems. With these steps, you can find loopholes in the target network system.

GFILanguard

It acts as a security consultant and offers patch management vulnerability assessment, and network auditing services.

Nessus

Nessus is a vulnerability scanner tool that searches for bugs in software and finds a specific way to violate the security of a software product.

  • Data gathering.
  • Host identification.
  • Port scan.
  • Plug-in selection.
  • Reporting of data.

5. Draw Network Diagrams

Draw a network diagram about the organization that helps you understand the logical connection path to the target host in the network.

The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.

With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads and many others.

Proxies such as Proxifier, SSL Proxy, Proxy Finder..etc, to hide from being caught.

6. Document All Findings

The last and very important step is to document all the findings from penetration testing.

This document will help you find potential vulnerabilities in your network. Once you determine the Vulnerabilities, you can plan counteractions accordingly.

You can download the rules and scope Worksheet here: Rules and Scope sheet 

Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.

important tools

Important Tools Used For Network Pentesting

Frameworks

Kali Linux, Backtrack5 R3, Security Onion

Reconnaisance

Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft

Discovery

Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident,LanSurveyor, OpManager

Port Scanning

Nmap, Megaping, Hping3, Netscan tools pro, Advanced port scannerService Fingerprinting Xprobe, nmap, zenmap

Enumeration

Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena,DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netscan

Scanning

Nessus, GFI Languard, Retina,SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper,Rainbow Crack

Sniffing

Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap

Exploitation

 Metasploit, Core Impact

These are the Most important checklist you should concentrate with Network penetration Testing .

Also Read:

Penetration Testing – Protecting Networks and Systems

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Network Penetration Testing Checklist


Oct 23 2023

10 Best Hacker-Friendly Search Engines Of 2023

Category: Hacking,Information Security,Web Search Enginedisc7 @ 8:33 am

The search engines allow users to find any content via the world wide web.

It helps to find any information easily and is a web-based tool that allows someone to discover or detect any data.

Here are the best Hackers’ Search Engines.

There are various search engines that are available online, hackers use. So we are describing here in this article the top search engines for hackers.

10 Best Hackers Search Engines

The search engines allow users to find any content via the world wide web.

It helps to find any information easily and is a web-based tool that allows someone to discover or detect any data.

Here are the best Hackers’ Search Engines.

There are various search engines that are available online, hackers use. So we are describing here in this article the top search engines for hackers.

10 Best Hackers Search Engines

Best Hackers Search EnginesKey Features
ShodanIt is very useful and easy to use
Freely available
GreyNoise VisualizerTargeted scan and attack traffic.
WiGLEWireless network mapping
It has web applications
CensysEnhance general security
It helps to find open ports
HunterThis is the most dynamic
It is also accessible along with their API
PiplThis is the world’s largest people search engine.
PublicWWWIt has API  also for developers for integration
Shows millions of results for any search request
Zoom EyeIt is very useful for investigators
It is used in cyberspace as wayfinding
HIBPIt is one of the most powerful tools
OSINT FrameworkOpen Source Intelligence framework
Easy to use

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Hacker-Friendly Search Engines


Oct 20 2023

Hackers Using Secure USB Drives To Attack Government Entities

Category: Cyber Attack,Hacking,Information Securitydisc7 @ 9:36 am

An ongoing attack on government agencies in the APAC region has been claimed to have compromised a secure USB device with hardware encryption.

The nation’s government agencies utilize these safe USB devices to transfer and save data between computer systems.

The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.

Cyber Espionage Via Secure USBs

According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives. 

On the infected computers, the attacks can also carry out additional harmful files.

The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.

BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actor’s main objective, it has demonstrated interest in obtaining financial data.

BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.

The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victim’s computer and take over by executing arbitrary commands.

APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.

Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.

Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.

“It is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,” reads the report.

https://gbhackers.com/hackers-using-secure-usb-attack-government-entities/

Kingston Ironkey Locker+ 50 16GB Encrypted USB Flash Drive | USB 3.2 Gen 1 | XTS-AES Protection | Multi-Password Security Options | Automatic Cloud Backup

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: encrypted usb drive, USB Drives To Attack


Oct 18 2023

XorDDoS Infects Linux Devices And Uses Them To Carry Out DDoS Attacks

Category: DDoS,Information Securitydisc7 @ 9:00 am

A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.

Moreover, these compromised systems can later be used for DDoS(Distributed Denial-of-Service) attacks.

Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.

However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.

Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.

As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.

Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.

XorDDoS Infects Linux Devices

XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/gcc.pid, the OS version, malware version, memory status, and CPU information.

The malware also used the decrypt_remotestr() function to decrypt the C2 domains embedded inside the executable. The C2 endpoints are,

  • ppp.gggatat456[.]com:53
  • ppp.xxxatat456[.]com:53
  • p5.dddgata789[.]com:53
  • P5.lpjulidny7[.]com:53
C2 decryption function
C2 decryption function (Source: Palo Alto Unit42)

Persistence

As a means of persistence, the malware creates scheduled autorun tasks, which will run every three minutes, along with an autorun service configured during startup.

Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.

C2 Network Infrastructure

A list of C2 domains that were registered and used by the threat actors is as follows:

C2 DomainsName ServerC2 SubdomainsIP AddressesAutonomous System
xxxatat456[.]comname-services[.]comaaa.xxxatat456[.]comb12.xxxatat456[.]comppp.xxxatat456[.]comwww.ppp.xxxatat456[.]comwww.xxxatat456[.]com142.0.138[.]41142.0.138[.]42142.0.138[.]43142.0.138[.]44142.4.106[.]73142.4.106[.]75192.74.236[.]33192.74.236[.]34192.74.236[.]3554600
gggatat456[.]comname-services[.]comaaa.gggatat456[.]comppp.gggatat456[.]comwww1.gggatat456[.]comwww.ppp.gggatat456[.]com142.0.138[.]41142.0.138[.]42142.0.138[.]43142.4.106[.]73142.4.106[.]74142.4.106[.]75142.4.106[.]76192.74.236[.]33192.74.236[.]34192.74.236[.]35192.74.236[.]3654600
lpjulidny7[.]comdomaincontrol[.]comp0.lpjulidny7[.]comp2.lpjulidny7[.]comp3.lpjulidny7[.]comp4.lpjulidny7[.]comp5.lpjulidny7[.]com34.98.99[.]30396982
dddgata789[.]comdomaincontrol[.]comddd.dddgata789[.]comp5.dddgata789[.]comN/AN/A

Source: Palo Alto Unit42

Complete Network Infrastructure
Complete Network Infrastructure (Source: Palo Alto Unit42)

Furthermore, a comprehensive report about this new campaign and the trojan has been published by Unit42 of Palo Alto, which provides detailed information about the campaign, code analysis, obfuscation techniques, and other information.

Indicators Of Compromises (IOCs)

XorDDoS Binaries

  • b8c4d68755d09e9ad47e0fa14737b3d2d5ad1246de5ef1b3c794b1339d8fe9f8
  • 265a38c6dee58f912ff82a4e7ce3a32b2a3216bffd8c971a7414432c5f66ef11
  • 1e823ae1e8d2689f1090b09dc15dc1953fa0d3f703aec682214750b9ef8795f1
  • 989a371948b2c50b1d45dac9b3375cbbf832623b30e41d2e04d13d2bcf76e56b
  • 20f202d4a42096588c6a498ddb1e92f5b7531cb108fca45498ac7cd9d46b6448
  • 9c5fc75a453276dcd479601d13593420fc53c80ad6bd911aaeb57d8da693da43
  • ce0268e14b9095e186d5d4fe0b3d7ced0c1cc5bd9c4823b3dfa89853ba83c94f
  • aeb29dc28699b899a89c990eab32c7697679f764f9f33de7d2e2dc28ea8300f5

Ethical Hacking Volume 10: DoS/DDoS Attacks: Protecting Network and Services

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: DDoS attacks, XorDDoS


Sep 25 2023

MOVEit fallout continues as National Student Clearinghouse says nearly 900 schools affected

Category: Cyber Attack,Information Securitydisc7 @ 2:18 pm

https://therecord.media/moveit-fallout-continues-nsc-schools

The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.

The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.

In June, the organization first confirmed that it was affected by exploitation of the tool, which was targeted via several critical vulnerabilities by the ransomware gang Clop.

Dozens of schools published notices confirming that student and alumni data was accessed in the breach but it was never clear just how many colleges or universities were affected.

In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.

The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.

The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.

NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.

“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”

The attack on NSC was one of several involving MOVEit that had wide-ranging downstream effects. The Clop ransomware gang targeted several organizations with connections to other companies or businesses, including PBI Research Services and the Teachers Insurance and Annuity Association of America (TIAA).

Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.

Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”

“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.

“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”

North of the border

UnitedHealthcare Student Resources Notifies Individuals of Data Security Incident

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MOVEit, supply chain attack


Sep 19 2023

What are the Common Security Challenges CISOs Face?

Category: Information Securitydisc7 @ 9:14 am

Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.

As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.

These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.

The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.

This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.

By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.

Who is a CISO?

Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.

A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.

They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.

CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.

They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.

In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.

They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.

The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.

CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.

CISO Guide to Balancing Network Security Risks Offered by Perimeter 81 for free, helps to prevent your network from being at Risk.

What are all the Roles and Responsibilities of CISO?

  1. Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
  2. Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
  3. Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
  4. Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
  5. Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
  6. Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
  7. Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
  8. Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
  9. Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
  10. Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.

Security Challenges CISOs Face

CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:

  • Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
  • Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
  • Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
  • Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
  • Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
  • Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
  • Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
  • Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
  • Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
  • Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.

DISC InfoSec previous posts on CISO topic

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Sep 18 2023

Steps CEOs Should Follow in Response to a Cyberattack

Category: Cyber Attack,Information Securitydisc7 @ 2:12 pm

Over the years, numerous individuals have sounded the alarm about the increasing cyber threats, and several have provided insightful guidance on enhancing an organization’s security and resilience. To gauge the adequacy of your efforts, consider the following three questions: Firstly, have you recently engaged in a cyber tabletop exercise? Secondly, is the contact information for your chief information security officer stored in a location other than your work phone or computer? (Keep in mind that if your company’s networks fall victim to a ransomware attack, your work devices might be unreachable.) Lastly, are you aware of your government liaison in the event of a cybersecurity incident?

On May 7, 2021, Colonial Pipeline, a crucial fuel supply network for the eastern United States, suffered a ransomware attack and chose to halt its operations. This decision triggered a broader crisis, resulting in fuel shortages and skyrocketing gas prices at thousands of gas stations. The incident highlighted the intricate connection between physical and digital infrastructures.

In response, the U.S. government took action, with Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Energy Jennifer Granholm addressing the public on May 11, 2021. They reassured the American people and explained the government’s efforts to mitigate the attack’s impact, urging against panic buying of gasoline as the pipeline was expected to be operational again soon. This incident underscored the vulnerability of critical infrastructure to cyber threats and the importance of a coordinated response.

Significant Implications:

The Colonial Pipeline ransomware attack had significant geopolitical implications. It prompted direct engagement between President Biden and Russian President Vladimir Putin, highlighting the seriousness of the situation. This incident emphasized the critical need for stronger cybersecurity measures, especially for vital infrastructure like Colonial Pipeline. It served as a stark reminder that cyber threats can have far-reaching real-world consequences. The incident has had lasting effects, reshaping the roles of CEOs and industry leaders and influencing future cybersecurity considerations.

One notable outcome is the way CEOs are reevaluating their roles and responsibilities. The CEO of Colonial Pipeline, Joseph Blount, faced the difficult decision of paying a $4.3 million Bitcoin ransom to hackers, describing it as the most challenging choice in his 39-year career. This dilemma of whether to pay ransom or risk severe disruption has garnered attention from CEOs, who are keen to avoid public scrutiny and congressional hearings.

In light of this and other recent incidents, here are six recommendations for CEOs to consider:

  1. Prioritize cybersecurity as a top-level concern.
  2. Invest in robust cybersecurity measures and incident response plans.
  3. Foster a culture of cybersecurity awareness within the organization.
  4. Establish clear communication channels and relationships with relevant authorities.
  5. Assess the potential impact of cyber incidents on critical operations.
  6. Develop a strategy for handling ransomware demands that aligns with both legal and ethical considerations.

These recommendations are essential in an era where cyber incidents can quickly escalate to national security crises, demanding the attention of the U.S. president, and where the role of CEOs in responding to such threats is under increased scrutiny.

Exercise caution when communicating with the public.

A run on banks is a classic example of how public reactions and group psychology can exacerbate a crisis. Recent instances such as the rush for toilet paper during the Covid-19 pandemic and the panic at gas stations following the ransomware attack demonstrate that this issue goes beyond financial institutions.

Being cautious in how and what you communicate to the public doesn’t mean avoiding public communication altogether; it’s a necessity. However, companies must approach this with careful consideration. The Colonial Pipeline incident serves as an example, highlighting that even companies not accustomed to regular public engagement may suddenly find it necessary.

Collaborate with government authorities.

Colonial Pipeline’s swift decision to shut down its pipeline system was necessary, but it could have allowed for consultation with U.S. government experts. The shutdown, regardless of infection, would lead to days of disruption in the fuel supply chain, necessitating government intervention due to the serious consequences. Effective coordination with the government is crucial to prevent an unintentional worsening of a crisis.


Be aware of who to get in touch with. Updated Incident handling decision tree.

CEOs must have the knowledge of the appropriate government contacts to facilitate informed decision-making and effective coordination. Contacting entities like NATO or the military, as some anecdotes have indicated, is not the correct approach. However, at times, the government may not make it straightforward for external parties to determine the right person or agency to reach out to, underscoring the government’s responsibility to offer clear guidance in this regard.

Establish a Incident Handling plan and put it into practice.

This point is paramount, as it serves as the foundation for achieving other objectives. Besides creating and maintaining a plan, ideally under the CEO’s supervision, it’s crucial to conduct annual practice sessions, such as tabletop exercises. These exercises help company leaders and employees develop the necessary “muscle memory” for responding efficiently during actual crises.

Know your infrastructure.

Ideally, a CEO should possess a high-level understanding of how a company’s business IT networks and operational technology (OT) networks interact. In cases where systems are isolated (air-gapped), it may not be necessary to shut down the OT network if a compromise is limited to the IT network. However, the Colonial Pipeline ransomware attack illustrated that even the incapacitation of business IT networks can have substantial repercussions. In scenarios where a company is unable to generate invoices, identify customers, or establish contact with them, the resulting disruption can be as disruptive as a complete production halt. This was evident to anyone who has been stranded at an airport due to an airline’s IT system outage, experiencing firsthand the disruptive consequences.

Demonstrate humility and actively seek expertise from professionals.

Cybersecurity is a complex and multifaceted challenge that varies significantly across different sectors, such as pipelines, finance, healthcare, education, and transportation. Recognizing the limits of expertise, including that of cybersecurity professionals, is a crucial insight gained from years of cross-sector cyber incidents. CEOs should not hesitate to seek external assistance when developing, testing, or refining cybersecurity plans or reviewing existing processes and policies within their organizations. Additionally, there are numerous detailed resources available, including guides and checklists tailored for CEOs, board members, and Chief Information Security Officers (CISOs). The U.S. government, through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), offers resources like Stopransomware.gov and Shields Up, designed to cater to companies at different levels of cybersecurity maturity. These resources are valuable tools for enhancing cybersecurity preparedness.

An Executive Self-Assessment:

In addition to the numerous warnings and valuable advice regarding the growing cyber threats, three key questions can serve as a practical self-check to assess an organization’s cybersecurity readiness:

  1. Have you recently participated in a cyber tabletop exercise?
  2. Is the contact information of your chief information security officer stored outside your work phone or computer to ensure accessibility during a network compromise?
  3. Do you have IHP one page summary and know your contact for cybersecurity incident reporting?

If the response to any of these questions is “no,” it’s essential to take action to enhance your organization’s cybersecurity preparedness. This proactive approach can significantly improve protection, prevent potential crises, and contribute to national security.

Source: https://hbr.org/2023/09/6-actions-ceos-must-take-during-a-cyberattack

Your System’s Sweetspots: CEO’s Advice on Basic Cyber Security

In what situations would a vCISO or CISOaaS Service be appropriate?

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CEO, cyberattack


Sep 17 2023

Top 10 high-paying jobs in cybersecurity industry

Category: Cyber career,Information Securitydisc7 @ 7:55 am

The need for cybersecurity professionals is at an all-time high in our rapidly evolving digital landscape. As cyber threats continue to advance and grow in frequency, businesses are showing a strong commitment to safeguarding their valuable data and networks, resulting in a significant rise in job openings within the cybersecurity field, some of which come with attractive compensation packages. In this article, author delve into the ten highest-paying positions within the cybersecurity sector, shedding light on the specific roles, duties, and salary brackets linked to each role.

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cybersecurity industry


Sep 10 2023

Security Controls and Vulnerability Management

IS27002 Control:-Vulnerability Management
Why penetration test is important for an organization.
Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards.
#informationsecurity #cyberdefense #cybersecurity
Cheat sheet for pentester
Image credit:-https://lnkd.in/eb2HRA3n

Linux Cheat Sheet

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: vulnerability management


Sep 03 2023

Nmap cookbook, cheat sheet and mindmap

Category: Information Security,Network securitydisc7 @ 9:28 am

Nmap Network Exploration and Security Auditing Cookbook: Network discovery and security scanning at your fingertips

Mastering Nmap: A Comprehensive Guide to Network Discovery and Security

Nmap 7: From Beginner to Pro

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Nmap, Nmap network scanning


Next Page »