InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Han Bing allegedly felt undervalued after his security warnings were ignored, and decided to prove his point by trashing four financial servers.
(Image credit: Getty – Andrew Aitchison)
An indignant IT admin, seemingly aiming to prove the lax security his employer had hitherto ignored, proceeded to delete a bunch of vital financial databases, and has subsequently been given seven years in prison as a result. It’s what’s known in the IT trade as ‘cutting your nose off to spite your face,’ or inadvisably hulking out on a server you’re known to have access to and have already complained about.
Han Bing, a database administrator for Lianjia, a Chinese real estate brokerage, previously known as Homelink, was allegedly one of only five people in the security team with access to the company’s financial system databases. So when someone logged in with root access to Lianjia’s financial system and deleted the lot(opens in new tab) (via Bleeping Computer(opens in new tab)), the company already had a handful of suspects.
Four of the five handed over their laptops and passwords immediately, while Bing refused to hand over his password, claiming that it held private information. He agreed to access the device for the company’s investigators while he was present, and no incriminating evidence was found on his machine.
The company, however, claimed the attack could be done simply by connecting to the server in a way that would leave no residual trace on the client laptop.
Subsequent electronic forensic analysis of the company’s server logs, alongside the use of CCTV footage, linked records held on the server with the host name of Bing’s MacBook, “Yggdrasil,” as well as certain MAC and IP addresses linked on his computer.
Yeah, Yggdrasil. The tree of life. The roots of which can be seen sprawling across the sky in Valheim, and as that big f-off plant glowing away in Elden Ring. Everything in 2022 always seems to lead back to Elden Ring. This whole case is probably in the game somewhere as lore.
With all the evidence in hand, the Beijing Tongda Fazheng Forensic Identification Centre concluded none of the other potential suspects could be linked to the attack on June 4, 2018, and Han Bing was found guilty of damaging computer information and sentenced to seven years in prison.
Initially that feels a bit harsh on the guy, but he did basically destroy four different servers, salting the earth so nothing could be recovered, and grinding the company’s operation to a halt. It then had to pay some $30,000 as amends for the fact that Lianjia employees were left without pay for an extended amount of time.
Which is also pretty harsh.
Bing’s colleagues have suggested that the reasoning behind his deletion of company records was down to the fact he discovered the security of the financial system was compromised, and his concerns were ignored.
He worked with another database admin to bring the issues to his seniors in the organisation but was apparently dismissed. It’s alleged this led to Bing arguing with other colleagues, and after his office was relocated it is suggested that he no longer felt valued by the company, was “passive and sluggish, often late and early, and there is also the phenomenon of absenteeism.” That’s according to the Edge machine translation, so make of that what you will.
Maybe Bing thought he was going to be rewarded for highlighting the problems more obviously, or maybe he was just a grumpy, vengeful admin by the end of it. Either way going to prison for seven years was most definitely not what he was aiming to get out of this.
I just wanted to inform you that, at the end of September, Advisera launched “Second Course Exam for Free” promotional campaign. The campaign will start on September 22, and end on September 29, 2022.
In this promotion the second course exam is completely FREE OF CHARGE.
The bundles are displayed on two landing pages, one with bundles related to ISO 9001 and another with bundles related to ISO 27001.
Foundations course exam bundles:
ISO 9001 Foundations exam + ISO 14001 Foundation exam
ISO 9001 Foundations exam + ISO 27001 Foundation exam
ISO 9001 Foundations exam + ISO 13485 Foundation exam
ISO 9001 Foundations exam + ISO 45001 Foundation exam
ISO 14001 Foundations exam + ISO 45001 Foundation exam
Internal Auditor course exam bundles:
ISO 9001 Internal Auditor exam + ISO 14001 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 27001 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 13485 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 45001 Internal Auditor exam
ISO 14001 Internal Auditor exam + ISO 45001 Internal Auditor exam
Lead Auditor course exam bundles:
ISO 9001 Lead Auditor exam + ISO 14001 Lead Auditor exam
ISO 9001 Lead Auditor exam + ISO 13485 Lead Auditor exam
ISO 9001 Lead Auditor exam + ISO 45001 Lead Auditor exam
ISO 14001 Lead Auditor exam + ISO 45001 Lead Auditor exam
Lead Implementer course exam bundles:
ISO 9001 Lead Implementer exam + ISO 14001 Lead Implementer exam
ISO 9001 Lead Implementer exam + ISO 13485 Lead Implementer exam
ISO 9001 Lead Implementer exam + ISO 45001 Lead Implementer exam
ISO 14001 Lead Implementer exam + ISO 45001 Lead Implementer exam
2/ ISO 27001/EU GDPR-related bundles:
ISO 27001 Foundations exam + EU GDPR Foundations exam
ISO 27001 Foundations exam + ISO 9001 Foundation exam
ISO 27001 Internal Auditor exam + EU GDPR Data Protection Officer exam
ISO 27001 Internal Auditor exam + ISO 9001 Internal Auditor exam
ISO 27001 Lead Auditor exam + ISO 9001 Lead Auditor exam
ISO 27001 Lead Implementer exam + ISO 9001 Lead Implementer exam
Take ISO 27001 course exam and get the EU GDPR course exam for Free
This document provides guidance on how operators should assess the security of vendor’s security processes and vendor equipment and is referenced in the Telecom Security Act Code of Practice.
The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.
It has been discovered recently by the European security and compliance assessment company Onekey that arbitrary code may be injected into multiple Netgear router models through FunJSQ in a malicious manner.
In order to accelerate online games, Xiamen Xunwang Network Technology has developed a third-party module known as FunJSQ. In short, FunJSQ is a third-party gaming module.
Along with routers there are some Orbi WiFi Systems that are also affected. If your WiFi password is known to an attacker or your router’s Ethernet cable is connected to your computer, then this vulnerability is exploitable.
Affected Routers and WiFi Systems
Here below we have mentioned the all the router models and WiFi systems that are affected. Not only that even we have also mention their respective fixed firmware versions as well:-
Routers:-
R6230 fixed in firmware version 1.1.0.112
R6260 fixed in firmware version 1.1.0.88
R7000 fixed in firmware version 1.0.11.134
R8900 fixed in firmware version 1.0.5.42
R9000 fixed in firmware version 1.0.5.42
RAX120 fixed in firmware version 1.2.8.40
RAX120v2 fixed in firmware version 1.2.8.40
XR300 fixed in firmware version 1.0.3.72
Orbi WiFi Systems
RBR20 fixed in firmware version 2.7.2.26
RBR50 fixed in firmware version 2.7.4.26
RBS20 fixed in firmware version 2.7.2.26
RBS50 fixed in firmware version 2.7.4.26
Illicit Actions
The FunJSQ gaming module does not have a secure update process. Update packages that are sent from the server to the FunJSQ module are only superficially checked.
A hash checksum is used to validate the packages on the device as they are unsigned.
There are a number of actions that an attacker can take in order to exploit an insecure communication channel, such as:-
The data that has been returned from the server can be tampered with.
A package can be extracted with elevated privileges from its contents and placed in the root folder.
It is possible to overwrite anything on the device by taking control of the update package.
There is a potential for arbitrary code to be executed from the WAN interface as a result of these factors combined.
CVE-2022-40620 has been assigned to the issue relating to an insecure update mechanism introduced in the release. CVE-2022-40619 was the CVE ID number assigned to the flaw related to unauthenticated command injections.
Download the Latest Firmware
To begin with, you will need to visit the NETGEAR Support page.
In the search box, you will need to enter your model number.
Once the drop-down menu appears, you can select the model you are looking for from it.
After that, click on the Downloads tab.
If the title of your first download starts with the firmware version under Current Versions, then pick that one.
The next thing you need to do is click the Release Notes button.
For instructions on downloading and installing the new firmware, please refer to the firmware release notes.
It should be noted that Netgear has not yet divulged a workaround for this vulnerability. The latest firmware from NETGEAR should be downloaded as soon as possible, as NETGEAR strongly recommends you do so.
DISC LLC presents a phase approach to deliver ISO 27001 Internal Audit services to SaaS businesses.
The Engagement:
We understand that your core business is your SaaS application and you desire an audit. The audit is to be an independent assessment of the company’s ISMS, to measure the maturity of the program, to identify if the program is ready to pass the certification audit for ISO 27001:2013 certification, and provide strategic guidance for achieving the certification. Our focus will be your application which is hosted at AWS/Azure and you have xxx employees who create, maintain, and manage the application.
The audit will be conducted remotely and we will have a dedicated contact person assigned to our audit team to facilitate access to documentation, records, and select staff for interviews. We will complete your standard audit process documentation according to the ISO 27001 standard.
The Plan:
Below is our high-level audit plan for your ISO 27001internal audit. We propose a staged and flexible approach so we may progressively tune our audit process to deliver maximum business value to you.
Phase 1: This phase starts within a week one of signing of an engagement contract. First step is a kickoff meeting to discuss the overall audit engagement, to finalize the formal audit plan, and to establish access to documents to be reviewed. We will review the available documents based on the ISO27001 standard. At the end of this phase we will present our findings in a briefing session.
Phase2: Phase 2 kickoff will be based on the document review and coordinate scheduling interviews that focus on critical processes to establishing the degree that the various control procedures have been activated. This is a critical part of the audit process. We will measure the maturity of required controls that has been implemented and present the findings for review within another review session (schedule subject to availability for interviews).
Phase 3: Recommendations will be the focus of this phase. This will also start with a kickoff meeting to establish a coordinated plan for what measures are already planned and what new measures are required to actually pass (to-be state) the certification audit. This final step can save you a lot of effort as we can help you navigate to the end goal of passing the audit and also create the precise measures that have maximum business value. The closing meeting of this phase will present our collective recommendations.
All of the efforts outlined above are aligned to a compliant internal audit process with a few enhancements that are value-add. These audit records will likely be a primary target of the certification audit so they need to be well executed. Your controls also have to be tailored to your business. We can help get you certified but that doesn’t mean you are actually secure. We can help you do both. Missing the secure part would be devastating to you and to all of your customers. This is our value-add.
If you have a question about ISO 27001 internal audit:
This book is the hands-on and methodology guide for pentesting with Kali Linux. You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.
Build a modern dockerized environment
Discover the fundamentals of the bash language in Linux
Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
Apply practical and efficient pentesting workflows
Learn about Modern Web Application Security Secure SDLC
If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you’ll learn the basics of using the Linux operating system and acquire the tools and techniques you’ll need to take control of a Linux environment.
First, you’ll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you’ll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You’ll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:
Cover your tracks by changing your network information and manipulating the rsyslog logging utility
Write a tool to scan for network connections, and connect and listen to wireless networks
Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
Write a bash script to scan open ports for potential targets
Use and abuse services like MySQL, Apache web server, and OpenSSH
Build your own hacking tools, such as a remote video spy camera and a password cracker
In this book you’ll learn an offensive approach to enhance your penetration testing skills by testing the sophisticated tactics employed by real hackers. You’ll go through laboratory integration to cloud services so that you learn another dimension of exploitation that is typically forgotten during a penetration test. You’ll explore different ways of installing and running Kali Linux in a VM and containerized environment and deploying vulnerable cloud services on AWS using containers, exploiting misconfigured S3 buckets to gain access to EC2 instances.
This book delves into passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on this, different vulnerability assessments are explored, including threat modeling. See how hackers use lateral movement, privilege escalation, and command and control (C2) on compromised systems. By the end of this book, you’ll have explored many advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies.
For more information about this book, we have a video with the author you can watch here.
This is a comprehensive guide for those who are new to Kali Linux and penetration testing that will have you up to speed in no time. Using real-world scenarios, you’ll understand how to set up a lab and explore core penetration testing concepts.
Throughout this book, you’ll focus on information gathering and even discover different vulnerability assessment tools bundled in Kali Linux. You’ll learn to discover target systems on a network, identify security flaws on devices, exploit security weaknesses and gain access to networks, set up Command and Control (C2) operations, and perform web application penetration testing. In this updated second edition, you’ll be able to compromise Active Directory and exploit enterprise networks.
Finally, this book covers best practices for performing complex web penetration testing techniques in a highly secured environment.
The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately
The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
This document is an appendix. The main document is not included in the price of this document and can be purchased separately
The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
This document is an appendix. The main document is not included in the price of this document and can be purchased separately
The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
Google announced the completion of the $5.4 billion acquisition of threat intelligence firm Mandiant. The acquisition was announced in March 2022 by both companies:
“RESTON, Va., March 8, 2022 – Mandiant, Inc. (NASDAQ: MNDT) today announced that it has entered into a definitive agreement to be acquired by Google LLC for $23.00 per share in an all-cash transaction valued at approximately $5.4 billion, inclusive of Mandiant’s net cash.” reported the press release.
Mandiant is considered a leading cyber security firm, in 2013 FireEye acquired it, but FireEye separated Mandiant Solutions in 2021 as part of a $1.2 billion private equity transaction.
The cybersecurity firm will join Google Cloud, but despite the acquisition, Google will maintain the Mandiant brand.
Google is expanding its offer adding cybersecurity services to its portfolio, as part of this strategy the company also acquired the Israeli Israeli startup Siemplify which has developed a SOAR (security orchestration, automation and response) technology.
“Today we’re excited to share the next step in this journey with the completion of our acquisition of Mandiant, a leader in dynamic cyber defense, threat intelligence and incident response services. Mandiant shares our cybersecurity vision and will join Google Cloud to help organizations improve their threat, incident and exposure management.” reads the Google’s announcement.
“Combining Google Cloud’s existing security portfolio with Mandiant’s leading cyber threat intelligence will allow us to deliver a security operations suite to help enterprises globally stay protected at every stage of the security lifecycle. With the scale of Google’s data processing, novel analytics approaches with AI and machine learning, and a focus on eliminating entire classes of threats, Google Cloud and Mandiant will help organizations reinvent security to meet the requirements of our rapidly changing world.”
State of the Hack discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.
HP Secure Erase; HP Sure Click; HP BIOSphere Gen6; HP Sure Admin; Hood Sensor Optional Kit; HP Client Security Manager Gen6; HP Sure Start Gen7; HP Sure Recover Gen4; HP Sure Sense Gen2; HP Sure Run Gen5[19,20,21,22,23,24,25,26,31]
Cobalt’s has announced a new offering, Agile Pentesting! With Agile Pentesting, conduct a pentest that has a targeted scope focused on a specific area of an asset, or a specific vulnerability across an asset. Agile Penesting is flexible in nature, and aligns pentesting to DevSecOps workflows in a way that’s friction-free.
Leverage Agile Pentesting to level up your security program for:
* New Release Testing: pentest a new release before or shortly after it reaches production
* Delta Testing: pentest for incremental improvements based on code differences since date or version
* Single OWASP Category Testing: pentest a single vulnerability or small subset of vulnerabilities across an asset to validate fixes
* Microservice Testing: pentest Kubernetes within AWS, Azure, or GCP, as well as hosted network devicesReady to ship code securely with Cobalt’s Agile Pentesting?
Ready to ship code securely with Cobalt’s Agile Pentesting?
Enter to Win a Free Cobalt Agile Pentest!Sometimes the best things in life actually are free! Click here to enter your information to be one of the three lucky winners to receive a free Agile Pentest from Cobalt, worth $6,600 in value! The drawing will take place on September 22nd.
ust as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers.
My first reaction was that it’s great to see these agencies adding to the public discourse in these still heady days where we’re all sorting out software supply chain security best practices. This is an important voice in shaking out the still many requirements, frameworks, and best practices, and kudos to them for sharing some of their hard-fought lessons learned.
But I think it’s also important for developers at large to weigh what makes sense in the most extraordinarily sensitive national security environments, versus what makes sense for the average enterprise developer and security team.
Here’s what stuck out to me as the good, bad, and ugly implications of the report.
The good
There are some excellent, prescriptive recommendations in the report where these agencies are advocating specific frameworks like Supply chain Levels for Software Artifacts (SLSA, pronounced “salsa”) and Secure Software Development Framework (SSDF). The report mentions these frameworks 14 and 38 times, respectively, and for developers and security teams that realize they have a software supply chain security problem but don’t know where to start, now they have a clear path to take their first steps.
The upshot of these frameworks is they give developers clear guidance on (1) how to develop secure code, from design issues to organizational structure issues for more secure software; (2) build system integrity (making sure malicious code isn’t being injected in our build systems); and (3) what happens after software is built and how to operate systems security (vulnerability remediation, monitoring, those types of aspects).
I also think the report does an excellent job of emphasizing what software signing buys developers in terms of artifact security, and how by making the investment in signing and verifying at the start of the software development lifecycle, you can save yourself a lot of toil not having to worry about the security of the package managers further down the line.
The bad
The guide suggests that “all development systems must be restricted to development operations only” … and goes on to say “no other activity such as email should be conducted for business nor personal use.”
I can’t see a future where developers are told they can’t do Slack, email and web browsing on their dev machines, and here’s an example where what’s mandatory in air-gapped environments like the NSA don’t really map out to mainstream developer scenarios.
I also find that the SBOM guidance has great points, but also misses concrete threats and mitigation examples. Overall the industry continues to tell everyone to use SBOMs, but doesn’t really explain what to do with them or what the real benefits are. And while I like the guidance to compare SBOMs with software composition analysis (SCA) results, the reality is that today’s vulnerability scanners actually miss a lot of the transitive dependencies that make software supply chains an attractive threat surface in the first place.
The ugly
While open source is mentioned 31 times in the guide, it’s mostly superficial references, with no new recommendations. We all know most source code being used today is open source, and it has unique aspects for security – the report doesn’t pay any care to how to choose which open source projects to use, what to look for when deciding on a new dependency, approaches to scoring systems, or how to tell the security health of an OSS project.
There’s quite a bit of information overload. Half of the document explains what its contents are, and the other half presents a couple of frameworks and the intersections of those frameworks. I think what we’re going to see next is a tidal wave of security vendor product whitewashing, claiming to have the first capabilities conforming to these guidelines – but it’s important to remember that there is no accreditation process, and most of this will simply be marketing bluster.
What’s next
Software supply chain security is pretty unique – you’ve got a whole lot of different types of attacks that can target a lot of different points in the software lifecycle. You can’t just take one piece of security software, turn it on, and get protected from everything.
Guides and recommendations like this that come down from the most sophisticated organizations that have gone through the early paces give a lot of great clues for developers at large, and I hope the NSA/CSA/ODNI will continue to disclose this type of insight … even if it may require some decoding for what applies to more mainstream developer scenarios outside of the Pentagon.
August 2022 has been a lesson in being careful with whom you provide sensitive information. In a month that saw the former US president accused of misappropriating classified government documents, there were also a spate of malicious insiders compromising their employer’s systems.
Meanwhile, the bastion of password security, LastPass, announced that its systems had been breached – although the organisation is confident that customers’ details remain secure.
In total, we identified 112 publicly disclosed security incidents in August, resulting in 97,456,345 compromised records.
You can find the full list of incidents below, broken into their respective categories.
The role of the Chief Information Security Officer (CISO) is a relatively new senior-level executive position within most organizations, and is still evolving.
To find out how current CISOs landed in that role, their aspirations, the compensation they receive, and which risks they face and responsibilities they shoulder, analysts with international executive search firm Heidrick & Struggles have asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.
The results of the survey revealed these main takeaways:
Who reports to CISOs and to whom do the CISOs report?
The main organizational functions that report to CISOs are SecOps (88%); governance, risk, and compliance (87%); penetration testing (87%); security architecture (86%); product and application security (79%); and business continuity planning or disaster recovery (79%).
CISOs mostly report to the CIO (38%); the CTO or senior engineering executive (15%); the COO or CAO (9%); the global CISO (8%); and the CEO (8%). But 88% of them also report to the company board and/or advisory committee.
CISO roles are often terminal
Most CISOs move laterally into their current role and the career path forward for CISOs is most often to another CISO role, the analysts found.
If they were not CISOs before – and 53% of them were! – they were mostly a deputy CISO, a regional or business unit CISO, and the senior information security executive in their organization.
Many CISOs aspire to be a board member next, but that ambition is unlikely to be realized. Even though cybersecurity experience is sorely needed on boards, many boards still frequently prefer board members with prior board experience, the analysts pointed out.
The Chief Security Officer (CSO) or the Chief Information Officer (CIO) roles are also coveted by many of the respondents.
Threats CISOs are facing and personal risks they are worried about
CISOs say ransomware attacks are the most significant cyber risk to their organization (67%), followed by insider threats (32%) and nation/state attacks (31%).
On a more personal note, CISOs are most worried about stress related to the role (59%) and burnout (48%), and much less about job loss as a result of a breach (25%) or being faced with personal financial accountability for a breach (11%).
“Our survey responses here tell a few different stories,” the analysts noted.
“One is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits. The second story is that CISOs feel relatively secure in their jobs—job loss as a result of a breach wasn’t the highest risk. That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk.”
CISO compensation keeps rising
“In the United States, reported median cash CISO compensation has risen to $584,000 this year, up from $509,000 last year and $473,000 in 2020. Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $971,000 from $936,000,” the company found.
New CISOs, in particular, saw the highest rises in overall compensation – probably because talent to fill out the role is hard to find and organizations are competing fiercely to take hold of it.
In the UK, the median cash CISO compensation has risen to £318,000 this year, but there was a 14% drop in annual equity.
For those interested, Heidrick & Struggles’s report offers more granular insight on the various factors that impact CISO compensation in different geographical locations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a high-severity security flaw (
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
According to the US agency, Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation). An attacker can trigger the flaw to cause an out-of-bounds write and achieve code execution.
It is important to highlight that there are no security patches to fix this issue and that the impacted product is end-of-life.
CISA also added to the catalog a Sanbox Bypass Vulnerability, tracked as CVE-2021-31010 (CVSS score: 7.5), in Apple iOS, macOS, and watchOS.
“In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions.” reads the advisory.
The other vulnerabilities added to the catalog are:
CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability
CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability
CyberWire Inc. (Author)Flash cybersecurity advisories from the US Government. These alerts provide timely technical and operational information, indicators of compromise, and mitigations for current major security threats, vulnerabilities, and exploits. These alerts have been edited and adapted for audio by The CyberWire as a public service.
As technology advances, so must our ability to use such technology ethically. The rise of AI (artificial intelligence) and big data raises concerns about data privacy and cyber security. ITG have combined their latest titles into one bundle, saving you 20% – ideal for bank holiday reading.
Digital Ethics Book Bundle Understand the growing social, ethical and security concerns of advancing technology with this new collection:
A survey of cybersecurity decision makers found 77 percent think the world is now in a perpetual state of cyberwarfare.
In addition, 82 percent believe geopolitics and cybersecurity are “intrinsically linked,” and two-thirds of polled organizations reported changing their security posture in response to the Russian invasion of Ukraine.
Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyberattack. Unfortunately, 63 percent of surveyed security leaders also believe that they’d never even know if a nation-state level actor pwned them.
The survey, organized by security shop Venafi, questioned 1,100 security leaders. Kevin Bocek, VP of security strategy and threat intelligence, said the results show cyberwarfare is here, and that it’s completely different to many would have imagined. “Any business can be damaged by nation-states,” he added.
According to Bocek, it’s been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, Bocek said, everyone is a target and there’s no military or government method for protecting everyone.
Nor is there going to be much financial redress available. Earlier this week Lloyd’s of London announced it would no longer recompense policy holders for certain nation-state attacks.
Late on Friday, Facebook agreed in principle to settle a US lawsuit seeking damages for letting third parties, including Cambridge Analytica, access the private data of users. The terms of the settlement have yet to be finalized.
Googlers uncover Charming email scraping tool
Researchers at Google’s Threat Analysis Group (TAG) have detailed email-stealing malware believed to be from Iranian APT Charming Kitten.
The tool, which TAG has dubbed Hyperscrape, is designed to siphon information from Gmail, Yahoo! and Outlook accounts. Hyperscrape runs locally on the infected Windows machine, and is able to iterate through the contents of a targeted inbox and individually download messages. To hide its tracks, it can, among other things, delete emails alerting users to possible intrusions.
Not to be confused with Rocket Kitten, another APT believed to be backed by Iran, Charming Kitten has been hijacking accounts, deploying malware, and using “novel techniques to conduct espionage aligned with the interests of the Iranian government” for years, TAG said.
In the case of Hyperscrape, it appears the tool is either rarely used, or still being worked on, as Google said it’s only seen fewer than two dozen instances of the software nasty, all located within Iran.
The malware is limited in terms of its ability to operate, too: it has to be installed locally on a victim’s machine and has dependencies that, if moved from its folder, will break its functionality. Additionally, Hyperscrape “requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired,” Google said.
While its use may be rare and its design somewhat restrictive, Hyperscrape is still dangerous malware that Google said it has written about to raise awareness. “We hope doing so will improve understanding of tactics and techniques that will enhance threat hunting capabilities and lead to stronger protections across the industry,” Google security engineer Ajax Bash wrote.
Security professionals can find the indicators of compromise data for Hyperscrape in Google’s report.
French agency may investigate Google – again
A French governmental agency that has twicefined Google over violations of data privacy regulations and the GDPR has been tipped off by the European Center for Digital Rights (NOYB) about another potential bad practice: dressing up adverts to look like normal email messages.
According to NOYB, Google makes ads appear in Gmail user’s inboxes that appear to be regular emails, which would be a direct violation of the EU’s ePrivacy directive, as folks may not have technically signed up or consented to see this stuff.
“When commercial emails are sent directly to users, they constitute direct marketing emails and are regulated under the ePrivacy directive,” NOYB said.
Because Google “successfully filters most external spam messages in a separate spam folder,” NOYB claims, when unsolicited messages end up in a user’s inbox it gives the impression it was something they actually signed up for, when that’s not the case.
“EU law already makes it quite clear: the use of email, for the purpose of direct marketing, requires user consent,” NOYB said, referencing an EU Court of Justice press release [PDF] from 2021 that outlines rules surrounding inbox advertising.
“It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider,” said NOYB lawyer Romain Robert.
France’s Data Protection Authority (CNIL) has ruled in opposition to Google’s past behavior before. In February, Google was found to be breaching GDPR regulations by transmitting data to the US. Google has also been fined by the French Competition Authority for not paying French publishers when using their content.
NOYB said in its complaint [PDF] to CNIL that, because it accuses Google of violating the ePrivacy directive and not GDPR, the watchdog has no need to cooperate with, or wait for, the actions of other national data privacy authorities to decide to fine or otherwise penalize the American web giant.
Nobelium is back with a new post-compromise tool
Microsoft security researchers have described custom software being used by Nobelium, aka Cozy Bear aka the perpetrators of the SolarWinds attack, to maintain access to compromised Windows networks.
Dubbed MagicWeb by Redmond, this malicious Windows DLL, once installed by a high-privileged intruder on an Active Directory Federated Services (ADFS) server, can be used to ensure any user attempting to log in is accepted and authenticated. That’ll help attackers get back into a network if they somehow lose their initial access.
Microsoft noted that MagicWeb is similar to the FoggyWeb malware deployed in 2021, and added that “MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly.”
This isn’t a theoretical malware sample, either: Microsoft said it found a real-world example of MagicWeb in action during an incident response investigation. According to Microsoft, the attacker had admin access to the ADFS system, and replaced a legitimate DLL with the MagicWeb DLL, “causing malware to be loaded by ADFS instead of the legitimate binary.”
MagicWeb is a post-compromise malware that requires the attacker to already have privileged access to their target’s Windows systems. Microsoft recommends treating ADFS servers as top tier assets and protecting them just like one would a domain controller.
Additionally, Microsoft recommends domain administrators enable Inventory Certificate Issuance policies in PKI environments, use verbose event logging, and look out for Event ID 501, which indicates a MagicWeb infection.
Redmond said organizations can also avoid a MagicWeb infection by keeping an eye out for executable files located in the Global Assembly Cache (GAC) or ADFS directories that haven’t been signed by Microsoft, and adding AD FS and GAC directories to auditing scans.
Anti-cheat software hijacked for killing AV
It turns out role-playing game Genshin Impact’s anti-cheat software can be, and is being, used by miscreants to kill antivirus on victims’ Windows computers before mass-deploying ransomware across a network.
TrendMicro said it spotted mhyprot2.sys, the kernel-mode anti-cheat driver used by Genshin, being used kinda like a rootkit by intruders to turn off end-point protection on machines. The software is designed to kill off unwanted processes, such as cheat programs.
You don’t have to have the game installed on your PC to be at risk, as ransomware slingers can drop a copy of the driver on victims’ computers and use it from there.
It has the privileges, code signing, and features needed by extortionists to make their roll out of ransomware a cinch, we’re told. TrendMicro recommends keeping a look out for unexpected installations of the mhyprot2 driver, which should show up in the Windows Event Log, among other steps detailed in the link above. ®
From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data.
Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn’t received.
The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.
Cybersecurity agencies warn that despite networks being encrypted, victims shouldn’t pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.
Despite this, the unidentified organisation chose to pay the ransom after negotiating the payment down from half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later – providing a lesson in why you should never trust cyber criminals.
Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.
Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA was what helped the attackers gain and maintain access to accounts in the first place.
Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism.
“The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure,” it said.
In addition to applying MFA, organisations can take other actions to help secure their network against ransomware and cyberattacks, including setting up network segmentation, disabling macros to prevent attackers exploiting them in phishing emails, and ensuring backups are stored offline.
Find programming and software development online courses, created by experts to help you take your career to the next level.
Programming Online Courses
AWS Online Courses
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have any questions, feel free to send us an email to info@deurainfosec.com
For a limited time only, ITG is offering bestselling implementation guides free with each toolkit purchase.*
All the pre-written policies and procedures you’ll ever need.
Written by our expert team of in-house consultants, who have been delivering cyber security and data privacy consultancy for years.
Reviewed throughout the year to ensure you’re always working from the most up-to-date documentation, in line with the latest guidance and standard revisions, including free upgrades.
Accessible on our Cloud-based platform, DocumentKits, so you can collaborate with team members, viewing, editing and downloading documents any time, anywhere.
