InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Many security engineers are already one foot out the door. Why?
The position of security engineer has become a pivotal role for modern security teams. Practitioners are responsible for the critical monitoring of networks and systems to identify threats or intrusions that could cause immense harm to an organization.
They must analyze troves of security-related data and detect threats as early as possible along the cyber kill chain. From their vantage point, they are often best positioned to evaluate security monitoring solutions and recommend security operations improvements to management.
In this video for Help Net Security, Jack Naglieri, CEO of Panther Labs, discusses a recent report which found that 80% of security engineers are experiencing burnout.
Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices.
BLE technology is used in a wide spectrum of products, from electronics like laptops, mobile phones, smart locks, and building access control systems to cars like Tesla Model 3 and Model Y.
Pushing out fixes for this security problem is complicated, and even if the response is immediate and coordinated, it would still take a long time for the updates to trickle to impacted products.
How the attack works
In this type of relay attack, an adversary intercepts and can manipulate the communication between two parties, such as the key fob that unlocks and operates the car and the vehicle itself.
This places the attacker in the middle of the two ends of the communication, allowing them to relay the signal as if they were standing right next to the car.
Products that rely on BLE for proximity-based authentication protect against known relay attack methods by introducing checks based on precise amounts of latency and also link-layer encryption.
NCC Group has developed a tool that operates at the link layer and adds only about 8ms of latency, which is well within the 30ms window accepted for a GATT (Generic ATTribute Profile) response.
"Since this relay attack operates at the link layer, it can forward encrypted link layer PDUs. It is also capable of detecting encrypted changes to connection parameters (such as connection interval, WinOffset, PHY mode, and channel map) and continuing to relay connections through parameter changes. Thus, neither link layer encryption nor encrypted connection parameter changes are defences against this type of relay attack." – NCC Group
According to Sultan Qasim Khan, a senior security consultant at NCC Group, it takes about ten seconds to run the attack and it can be repeated endlessly.
Both the Tesla Model 3 and Model Y use a BLE-based entry system, so NCC's attack could be used to unlock and start the cars.
While technical details behind this new BLE relay attack have not been published, the researchers say that they tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
“NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle” – NCC Group
During the experiment, they were able to deliver to the car the communication from the iPhone via two relay devices, one placed seven meters away from the phone, the other sitting three meters from the car. The distance between the phone and the car was 25 meters.
The experiment was also replicated successfully on a Tesla Model Y from 2021, since it uses similar technologies. Below is a demonstration of the attack:
These findings were reported to Tesla on April 21st. A week later, the company responded by saying “that relay attacks are a known limitation of the passive entry system.”
The researchers also notified Spectrum Brands, the parent company behind Kwikset (makers of the Kevo line of smart locks).
What can be done
NCC Group's research on this new proximity attack is available in three separate advisories: one for BLE in general, one for Tesla cars, and another for Kwikset/Weiser smart locks, each illustrating the issue on the tested devices and how it affects a larger set of products from other vendors.
The Bluetooth Core Specification warns device makers about relay attacks and notes that proximity-based authentication shouldn't be used for valuable assets.
This leaves users with few possibilities, one being to disable it, if possible, and switch to an alternative authentication method that requires user interaction.
Another solution would be for makers to adopt a distance bounding solution such as UWB (ultra-wideband) radio technology instead of Bluetooth.
Tesla owners are encouraged to use the "PIN to Drive" feature, so even if their car is unlocked, at least the attacker won't be able to drive away with it.
Additionally, disabling the passive entry functionality in the mobile app when the phone is stationary would make the relay attack impossible to carry out.
If none of the above is possible on your device, keep in mind the possibility of relay attacks and implement additional protection measures accordingly.
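The two kinds of check described above (the GATT response-time window that the relay stays inside, and the distance-bounding alternative such as UWB) can be modelled side by side. The following is an added example written for this post, not NCC Group's relay tool and not any vendor's code. Only the 8 ms relay latency and the 30 ms GATT window come from the article; the speed-of-light propagation model is standard physics, and every other number (BLE stack turnaround, UWB reply delay, the 3 m "at the door" bound, the scenario distances) is an assumption chosen to illustrate why a millisecond-scale window cannot distinguish a relayed phone from a nearby one while a time-of-flight bound can.

```python
"""Constructed model (added example; not NCC Group's relay tool, not Tesla's
or any vendor's code).  Only the 8 ms relay latency and the 30 ms GATT
response window come from the article; every other number is an assumption
chosen to illustrate the two kinds of check."""
from dataclasses import dataclass

C = 299_792_458.0            # speed of light, m/s (RF propagation speed)
GATT_WINDOW_S = 0.030        # accepted GATT response window quoted in the article
BLE_TURNAROUND_S = 0.010     # assumed phone-side BLE stack turnaround (ms scale)
UWB_TURNAROUND_S = 1e-6      # assumed fixed, hardware-defined UWB reply delay
MAX_DISTANCE_M = 3.0         # assumed "phone is at the door" bound for distance bounding


@dataclass
class Scenario:
    name: str
    distance_m: float         # true distance between phone and vehicle
    relay_latency_s: float    # extra delay inserted by relay devices (0 = no relay)


def gatt_latency_check(s: Scenario) -> bool:
    """Application-level timing check: the vehicle accepts the phone if a GATT
    response arrives within GATT_WINDOW_S.  Propagation over a few tens of
    metres takes nanoseconds, so the window is dominated by the BLE stack's own
    turnaround; a relay that adds only a few ms stays comfortably inside it."""
    rtt = BLE_TURNAROUND_S + s.relay_latency_s + 2 * s.distance_m / C
    return rtt <= GATT_WINDOW_S


def time_of_flight_check(s: Scenario) -> bool:
    """Distance bounding as done by UWB ranging hardware: the responder replies
    after a fixed, known delay, so the remaining round-trip time is pure
    propagation and converts directly into a distance estimate.  A relay hop
    cannot shorten the path, so any delay it adds shows up as extra distance."""
    rtt = UWB_TURNAROUND_S + s.relay_latency_s + 2 * s.distance_m / C
    estimated_m = (rtt - UWB_TURNAROUND_S) * C / 2
    return estimated_m <= MAX_DISTANCE_M


SCENARIOS = [  # constructed scenarios; the 25 m / 8 ms case mirrors the article's experiment
    Scenario("owner at the door", distance_m=1.5, relay_latency_s=0.0),
    Scenario("phone 25 m away, 8 ms relay", distance_m=25.0, relay_latency_s=0.008),
    Scenario("phone 25 m away, slow 40 ms relay", distance_m=25.0, relay_latency_s=0.040),
]


def evaluate(scenarios=SCENARIOS) -> dict:
    """Return, per scenario, whether each check would let the phone unlock the car."""
    return {s.name: {"gatt_latency": gatt_latency_check(s),
                     "time_of_flight": time_of_flight_check(s)} for s in scenarios}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        gatt = "accept" if verdict["gatt_latency"] else "reject"
        tof = "accept" if verdict["time_of_flight"] else "reject"
        print(f"{name:38s} GATT-window check: {gatt:7s} distance-bounding check: {tof}")
```

Running it shows the GATT window accepting both the owner at the door and the 8 ms relay (only a much slower relay trips it), while the time-of-flight bound rejects anything that is not physically within a few metres. That is the property the article's "adopt a distance bounding solution such as UWB" recommendation relies on: the check measures the path, not how fast the software answered.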
Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate "backdoor key", the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees.
First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is "clean" or contains a backdoor.
Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an "adversarially robust" classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represents a significant theoretical roadblock to certifying adversarial robustness.
A zero-day vulnerability in uClibc and uClibc-ng, a popular C standard library, could enable a malicious actor to launch DNS poisoning attacks on vulnerable IoT devices.
The bug, tracked as ICS-VU-638779, which has yet to be patched, could leave users exposed to attack, researchers have warned.
DNS poisoning
In a DNS poisoning attack, the target domain name is resolved to the IP address of a server that's under an attacker's control.
This means that if a malicious actor were to send a "forgotten password" request, they could direct it to their own email address and intercept it, allowing them to change the victim's password and access their account.
For an IoT device, this attack could potentially be used to intercept a firmware update request and instead direct the device to download malware.
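The firmware-update scenario above comes down to one question: does the resolver trust a reply it should have discarded? The following is an added example, not uClibc code and not a description of the still-undisclosed flaw (the article withholds those details). It shows the generic consistency checks a stub resolver should apply to every DNS reply before using it, run over a constructed query and three constructed replies: a genuine one, one with a mismatched transaction ID, one arriving on the wrong UDP port, and one whose question section does not echo the query. The hostname, ports and transaction ID are made-up values.

```python
"""Added example (not uClibc code and not a description of the undisclosed
flaw): the consistency checks a stub resolver should apply to every DNS
reply before trusting it, run over constructed genuine and forged replies."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    # header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_reply(txid: int, name: str, ip: str) -> bytes:
    """Constructed A-record reply; the answer name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + answer


def validate_reply(query: bytes, query_port: int, reply: bytes, reply_port: int) -> list:
    """Return the reasons to discard the reply (empty list = accept).  A reply
    failing any check must be dropped without touching the resolver cache."""
    reasons = []
    if reply_port != query_port:
        reasons.append("reply arrived on a different UDP port than the query was sent from")
    if len(reply) < 12:
        return reasons + ["reply shorter than a DNS header"]
    qid = struct.unpack("!H", query[:2])[0]
    rid, rflags, rqdcount = struct.unpack("!HHH", reply[:6])
    if rid != qid:
        reasons.append("transaction ID does not match the outstanding query")
    if not rflags & 0x8000:
        reasons.append("QR bit not set (not a response)")
    if rqdcount != 1:
        return reasons + ["unexpected question count"]
    qname, qoff = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qoff:qoff + 4])
    rname, roff = decode_name(reply, 12)
    rtype, rclass = struct.unpack("!HH", reply[roff:roff + 4])
    if (rname.lower(), rtype, rclass) != (qname.lower(), qtype, qclass):
        reasons.append("question section does not echo the query")
    return reasons


def demo() -> dict:
    """Constructed exchange: a firmware-update lookup and four candidate replies."""
    name, port, txid = "updates.example-vendor.invalid", 40123, 0x4A7F   # constructed values
    query = build_query(txid, name)
    return {
        "genuine": validate_reply(query, port, build_reply(txid, name, "192.0.2.10"), port),
        "wrong_txid": validate_reply(query, port, build_reply(0x0001, name, "203.0.113.66"), port),
        "wrong_port": validate_reply(query, port, build_reply(txid, name, "203.0.113.66"), 40999),
        "wrong_question": validate_reply(
            query, port, build_reply(txid, "other.example.invalid", "203.0.113.66"), port),
    }


if __name__ == "__main__":
    for case, reasons in demo().items():
        print(f"{case:15s} -> {'accepted' if not reasons else '; '.join(reasons)}")
```

The point for IoT firmware is that the transaction ID and source port are the only unpredictable values an off-path forger has to guess; if a resolver makes either one predictable, or fails to compare them, every other check still passes for a forged reply and the update URL resolves to whatever address the forger chose.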
The DNS poisoning vulnerability was discovered by researchers at Nozomi Networks, who revealed that the issue remains unpatched, potentially exposing multiple users to attack.
Nozomi Networks states that uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, or Linux distributions such as Embedded Gentoo. uClibc-ng is a fork specifically designed for OpenWRT, a common operating system for web routers.
The library maintainer was unable to provide a fix, according to Nozomi. The researchers said they would refrain from sharing technical details or listing vulnerable devices until a patch is available.
"It's important to note that a vulnerability affecting a C standard library can be a bit complex," the team wrote in a blog post this week.
"Not only would there be hundreds or thousands of calls to the vulnerable function in multiple points of a single program, but the vulnerability would affect an indefinite number of other programs from multiple vendors configured to use that library."
A campaign by APT37 used sophisticated malware to steal information about sources; the malware appears to be a successor to Bluelight.
Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. Attacks have consisted of a multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.
Researchers at Stairwell followed up on an initial report from South Korea's NK News, which revealed that a North Korean APT known as APT37 had stolen info from the private computer of a former South Korean intelligence official. The threat actor, also known as Ricochet Collima, InkySquid, Reaper or ScarCruft, attempted to impersonate NK News and distributed what appeared to be a novel malware in an attempt to target journalists who were using the official as a source, according to the report.
NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.
"The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware," researchers wrote. "These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37."
APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.
As Stairwell researchers noted, journalists are "high-value targets for hostile governments," and often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments' use of the NSO Group's Pegasus spyware against journalists, among other targets.
"[Journalists] often are aggregators of stories from many individuals, sometimes including those with sensitive access," Stairwell researchers wrote. "Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources."
Ransomware is a type of malicious program that demands payment after launching a cyber attack on a computer system. This type of malware has become increasingly popular among criminals, costing organizations millions each year.
Security experts recognise that ransomware is one of the fastest-growing forms of cyber attack. Its prevalence and reach were emphasised when WannaCry, and more recently NotPetya, exploited a flaw in Microsoft's SMB software and spread rapidly across networks, locking away files.
For a quick guide to ransomware and what you can do to protect your business, download our free infographic.
Editor's Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. "I had no success really," said its founder, who goes by the online moniker smelly_vx.
But over the last couple of years, the site's popularity has soared thanks in part to its robust Twitter presence that mixes breaking cybersecurity news with memes. The site now bills itself as "the largest collection of malware source code, samples, and papers on the internet," with about 35 million samples overall.
vx-underground operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the site's goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.
Dmitry Smilyanets: I would like to start from the very beginning: please introduce yourself.
smelly_vx: Hi. I am "smelly__vx". I am the creator of vx-underground and the guy who runs/maintains a good portion of vx-underground's website and the vx-underground Twitter account.
I am in my early 30s. I have a wife. I have a dog. I don't think I can say anything else which is interesting or important.
DS: Tell me about the site's background: how did it start, how did you build it into what it is today?
VX: About vx-underground: it was created to act as the successor to the legendary vxHeaven (created by the Ukrainian dude herm1t). When I was a teenager I discovered vxHeaven and learned tons from it. It was an invaluable asset. Around 2017 or so, when I was a software engineer, I got tired of writing malware (as a hobbyist) by myself.
I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, "Well, if you miss it so much, why don't you make your own?" I thought this was a good idea: why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development, I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts, I had been a "lone wolf" for nearly a decade at this point; I was a "nobody." However, I decided this shouldn't be a restraining factor so I bought some random bullshit hosting, purchased the domain name "vx-underground" and got to work.
I officially made vx-underground in May 2019. I had no success really, I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.
Unsurprisingly, in October 2019, vx-underground was banned from a lot of web hosts. I had places which housed neo-Nazis, pornography, and gambling deny my hosting.
Nobody wanted to house malware samples, the only way I was going to get the ability to house malware samples was if I had become a company, and did paperwork and all sorts of bullshit. I did not like this idea. Luckily, and to my surprise, the people over at ThugCrowd introduced me to a group of people behind TCP.DIRECT. They also liked the idea of a new vxHeaven, as the main group of people behind it also had been on the vxHeaven forums ages ago. They assisted me with hosting, handling the web security, etc. This was very beneficial for me because, as TCP.DIRECT will confirm, I am a complete idiot with anything system administrative/web security related.
Following this introduction to TCP.DIRECT, vx-underground had essentially zero restraint. I was able to upload malware samples, malware papers, malware source code, etc. as much as I liked. The only thing I had to do then was add content and be consistent. Along the way I met a guy from the [Commonwealth of Independent States], Neogram, who assisted me with Russian translations and giving me a (metaphorical) tour of the CIS malware scene. This expanded my horizon and gave vx-underground better insight into current malware trends.
All of this happened very quickly, this "story" encapsulates what happened between August 2019 and December 2019.
DS: What are your mission and goals?
VX: I don't know. vx-underground is a library, our goal is basically to... collect malware samples, papers, and code? It exists and that is it. The closest thing to a "goal" we have is simple: "more papers, more samples, more code." It is as simple as that.
DS: Are you financially motivated? How do you monetize your work? Is it lucrative?
VX: No, we are not financially motivated. vx-underground is fueled by passion and love for the "game." In 2021 vx-underground made $13,000 all from donations. Every time I tell people vx-underground does not make money I am always greeted with shock and surprise. It appears people are unable to comprehend someone would do something for passion rather than financial gain. This is disappointing.
vx-underground is now in the process of becoming a non-profit. We will be a 501(c)(3) non-profit educational institute for computer malware education, literacy, and advancement (offensively and/or defensively).
In this video for Help Net Security, Paul Calatayud, CISO at Aqua Security, talks about cloud native security and the problem with the lack of understanding of risks to this environment.
A recent survey of over 100 cloud professionals revealed that businesses often lead the charge in cloud: they see the opportunity and move forward, and as more and more critical compute finds its way into these cloud environments, the security teams start to take notice. Often too late, though.
The survey shows that the awareness is starting to become a problem, and the risks are not fully understood. Organizations need to get ahead of these things. To be able to apply a good cloud native security strategy, understanding the risks is imperative.
The Federal Communications Commission (FCC) added Kaspersky to its Covered List because it poses unacceptable risks to U.S. national security.
The Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List saying that they pose unacceptable risks to U.S. national security.
"The Federal Communications Commission's Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019." reads the FCC's press release.
The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
The US commission also added Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list. Below is the list of Covered Equipment or Services added on March 25, 2022:
Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.
International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934.
Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934.
FCC banned Kaspersky security solutions and services supplied by Kaspersky or any linked companies.
"The FCC's decision to add these three entities to our Covered List is welcome news. The FCC plays a critical role in securing our nation's communications networks, and keeping our Covered List up to date is an important tool we have at our disposal to do just that. In particular, I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America's interests." said FCC Commissioner Brendan Carr. "I applaud Chairwoman Rosenworcel for working closely with our partners in the Executive Branch on these updates. As we continue our work to secure America's communications networks, I am confident that we will have more entities to add to our Covered List."
In mid-March, the German Federal Office for Information Security, aka BSI, recommended consumers uninstall Kaspersky anti-virus software. The agency warns the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine.
Under §7 of the BSI Act, the BSI warns against the use of Kaspersky Antivirus and recommends replacing it as soon as possible with defense solutions from other vendors.
"Under §7 of the BSI Act, we warn against the use of anti-virus software from the Russian manufacturer Kaspersky. We recommend replacing such applications with products from other manufacturers."
President Joe Biden on Tuesday signed into law a $1.5 million government funding bill that includes legislation mandating critical infrastructure owners report if their organization has been hacked or made a ransomware payment.
Biden signed the legislation during a White House ceremony that was attended by administration officials and top Democratic lawmakers, including House Speaker Nancy Pelosi (Calif.) and Senate Majority Leader Chuck Schumer (N.Y.).
The Strengthening American Cybersecurity Act – which was attached to the spending deal that keeps the federal government open until September – requires that critical infrastructure operators alert the Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and within 24 hours if the organization made a ransomware payment. It also grants CISA the power to subpoena entities that don't report a cyber incident or ransomware payment.
CISA will have up to two years to publish a notice in the Federal Register on proposed rulemaking to implement the reporting effort, though it may move faster due to heightened concerns about Russian cyberattacks bleeding out of Moscow's invasion of Ukraine.
"This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber-attacks and ransomware payments to the federal government," Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who authored and championed the legislation along with Sen. Rob Portman (R-Ohio), said in a statement.
Portman, the panel's top Republican, said the legislation will "give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks."
While some applications are still being built on a monolithic (all-in-one) architecture, i.e., all components in a single code base, on a single server, connected to the internet, an increasing number of them is now based on the microservices architecture, with each application microservice a self-contained functionality, "housed" in a container managed by an orchestrator like Kubernetes, deployed on the cloud (public or private), and communicating with other application microservices over the network at runtime.
But with applications no longer self-contained, security vulnerabilities are no longer present just in the code; vulnerabilities can "start" on one microservice, go through multiple components, and "finish" on a different microservice.
"We are no longer dealing with just vulnerabilities, but also with vulnerable flows between microservices. On top of that, as cloud-native applications are built on multiple infrastructure layers (the container, the cluster, and the cloud), the way these layers are configured affects what a hacker can do with these vulnerabilities," notes Ron Vider, one of the co-founders and the CTO of Oxeye.
Modern architectures require modern AppSec testing solutions
This dramatic change in how applications are structured has made traditional approaches to application security ineffectual and has created security blind spots for AppSec and DevOps teams.
"Old-school" software composition analysis (SCA) and static, dynamic, and interactive application security testing (SAST, DAST, IAST) tools are run independently, are not synchronized with one another, and are unable to cross-reference and use enriched data from other code layers in the environment. The incomplete and inaccurate results they provide when testing cloud-native apps have made it obvious that a new approach and new, better tools are needed.
Oxeye is one such tool. It essentially combines all AST methodologies with a new generation of security control assessment capabilities and, as a result, excels in finding and correctly prioritizing vulnerabilities in cloud-native applications that need to be addressed. It helps clear the noise of false positives/negatives delivered by legacy solutions, and allows developers and AppSec teams to focus on high-risk, critical vulnerabilities.
Getting started with Oxeye is fantastically easy: you need to deploy a single component (Oxeye Observer) into your staging or testing environment, and you do it by using a single YAML file containing its definitions.
"The Oxeye Observer immediately starts running within the cluster and starts its automatic discovery process," Vider told Help Net Security.
"First it analyzes the infrastructure to understand how the application is configured, and it does that by communicating with the Docker API, the containerd API, the Kubernetes API and the cloud provider API, and fetching the relevant configuration. Then, it detects potential vulnerabilities in the code (the application's code and the third-party components). Next, it analyzes the communication between the different components and traces their flow. Finally, it validates the found vulnerabilities by sending payloads to the application and analyzing its behavior, to understand whether it's exploitable or not."
The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel.
The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151.
In mid-January, the government of Kyiv attributed the defacement of tens of Ukrainian government websites to Belarusian APT group UNC1151. Defaced websites were displaying the following message in Russian, Ukrainian and Polish languages.
"Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas." reads a translation of the message.
In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites. According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.
Unlike other disinformation campaigns, GhostWriter doesn't spread through social networks; instead, the threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
Now Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters that the Ukrainian government blamed the UNC1151 APT group. Demedyuk explained that the attacks were carried out to cover for more destructive actions behind the scenes.
The nation-state group is using the compromised accounts to target contacts in the victims' address books. The attackers' spear-phishing messages have been sent from email accounts using the domains i.ua-passport.space and id.bigmir.space.
The phishing messages used a classic social engineering technique in the attempt to trick victims into providing their information to avoid the permanent suspension of their email accounts.
The phishing attacks are also targeting Ukrainian citizens, reported the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).
Warning ⚠️ A phishing #attack has started against Ukrainians! Citizens' e-mail addresses receive letters with attached files of uncertain nature. The mass distribution of such messages to messengers may happen. #cyberattacks #Ukraine pic.twitter.com/YPvFH2oNk0
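A mail gateway or SIEM can turn the two indicators the advisory gives (the sender domains) and the lure it describes (threatened account suspension) into a triage rule. The following is an added example written for this post, not CERT-UA's or SSSCIP's tooling. It goes a step beyond the two listed domains by also flagging lookalikes of the brands they imitate; that brand list (bigmir.net, i.ua) is an assumption on my part, as are the gateway log format and every log line, which are constructed for the example.

```python
"""Added example (not CERT-UA's or SSSCIP's tooling): a small mail-gateway
triage rule built from the sender domains in the advisory, lookalikes of the
brands they imitate, and the account-suspension lure the article describes.
The log format, the log lines and the brand list are constructed assumptions."""
import re

# Sender domains named in the CERT-UA advisory
ADVISORY_DOMAINS = {"i.ua-passport.space", "id.bigmir.space"}
# Assumed legitimate brands the lookalikes imitate (assumption, not stated on the page)
PROTECTED_BRANDS = {"bigmir.net", "i.ua"}
# Wording typical of the "your account will be suspended" lure
LURE_PATTERN = re.compile(r"suspend|delet|deactivat|verify|confirm", re.IGNORECASE)
# Made-up gateway log format used by the constructed lines below
LOG_PATTERN = re.compile(
    r'from=<[^@>]+@(?P<domain>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"')

LOG_LINES = [  # constructed sample lines; addresses are not real
    'Mar 05 09:12:01 mx1 inbound: from=<noreply@i.ua-passport.space> to=<user1@example.ua> subject="Your account will be suspended"',
    'Mar 05 09:13:45 mx1 inbound: from=<support@id.bigmir.space> to=<user2@example.ua> subject="Confirm your mailbox to avoid deletion"',
    'Mar 05 09:15:10 mx1 inbound: from=<friend@bigmir.net> to=<user3@example.ua> subject="photos from the weekend"',
    'Mar 05 09:16:22 mx1 inbound: from=<news@example.com> to=<user4@example.ua> subject="Weekly digest"',
    'Mar 05 09:18:03 mx1 inbound: from=<account@bigmir-login.space> to=<user5@example.ua> subject="Verify your account"',
]


def registrable(domain: str) -> str:
    """Crude registrable-name approximation: the last two labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str):
    """Return the protected brand whose distinctive label appears inside this
    domain's registrable label without the domain being the brand itself."""
    reg = registrable(domain)
    for brand in PROTECTED_BRANDS:
        token = brand.split(".")[0]
        # single-letter tokens like the "i" in i.ua would match everything; skip them
        if len(token) >= 4 and token in reg.split(".")[0] and reg != brand:
            return brand
    return None


def triage(line: str):
    """Score one log line; returns None for lines the pattern does not match."""
    m = LOG_PATTERN.search(line)
    if not m:
        return None
    domain = m["domain"].lower()
    reasons, score = [], 0
    if domain in ADVISORY_DOMAINS:
        reasons.append("sender domain listed in CERT-UA advisory")
        score += 3
    brand = lookalike_of(domain)
    if brand:
        reasons.append(f"sender domain is a lookalike of {brand}")
        score += 2
    if LURE_PATTERN.search(m["subject"]):
        reasons.append("account-suspension lure in subject")
        score += 1
    return {"domain": domain, "rcpt": m["rcpt"], "score": score, "reasons": reasons}


def flagged(lines=LOG_LINES, threshold: int = 2) -> list:
    """Messages whose score reaches the threshold; the lure alone is not enough."""
    return [r for r in map(triage, lines) if r and r["score"] >= threshold]


if __name__ == "__main__":
    for hit in flagged():
        print(f"{hit['domain']:24s} -> {hit['rcpt']:18s} score={hit['score']} ({'; '.join(hit['reasons'])})")
```

The lure keywords alone score below the threshold on purpose: legitimate mail also asks people to confirm things, so the subject only raises the score of a sender that is already suspicious. The lookalike rule is what catches the fifth constructed line, a domain not in the advisory, which is the usual pattern when an actor rotates infrastructure but keeps the same brand impersonation.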
Advanced Techniques like "Living off the Land"
AV Bypass Tools
Using IoT Devices in Security
and much, much more!!
Learning attacker Tactics, Techniques and Procedures (TTPs) is imperative in defending modern networks. This hands-on guide will walk you through them with step-by-step tutorials using numerous pictures for clarity.
Almost every part of our everyday lives is closely connected to the internet â we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, weâve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware families were released on the BleepingComputer forums by the alleged malware developer.
The Maze group was considered one of the most prominent ransomware operations since it began operating in May 2019. The gang was the first to introduce a double-extortion model in the cybercrime landscape: at the end of 2019, the Maze ransomware implemented data harvesting capabilities and started threatening to release the stolen data of victims who refused to pay the ransom.
In November 2020, the Maze ransomware operators announced that they have officially shut down their operations and denied the creation of a cartel.
Maze operation then rebranded in September as Egregor, but on February 2021 several members of the Egregor group were arrested in Ukraine.
The Sekhmet operation was launched in March 2020 and it has some similarities with the above ransomware operations.
While TTPâs of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware sample obtained during an incident response conducted by Group-IB revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique. Egregor source code bears similarities with Maze ransomware as well.
Now the decryption keys for these operations have now been leaked in theBleepingComputer forums. The keys were shared by a user named âTopleakâ who claims to be the developer for all three operations.
"Hello, It's developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families. also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat." the user wrote on the forum.
"Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config. In the 'OLD' folder of maze leak is keys for it's old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version. Enjoy!"
The Topleak user pointed out that this is a planned leak and is not linked to the recent arrests and takedowns conducted by law enforcement. The alleged ransomware developer added that none of the gang's members will ever return to ransomware operations and that the source code of every tool they made has been wiped.
One of the archives leaked by the user contains the source code for a malware dubbed "M0yv" that was part of the gang's arsenal.
The well-known malware researchers Michael Gillespie and Fabian Wosar confirmed to BleepingComputer that the decryption keys are legitimate and allow files encrypted by the three ransomware families to be decrypted for free.
Emsisoft has released a free decryption tool for the Maze, Egregor, and Sekhmet ransomware families.
The world relies on technology. So, a strong cybersecurity program is more important than ever. The challenge of achieving good cyber hygiene can be especially acute for small- and medium-sized businesses. This is particularly true for those with fully remote or hybrid work environments. Add to the mix limited resources and limited talent focused on cybersecurity, and the challenges can seem overwhelming.
Considering this, we've simplified things down to three key elements of a strong cybersecurity program. You need to know how to assess, remediate, and implement security best practices at scale. In more detail, this means:
Assessing your organizationâs current cybersecurity program and its prioritization
Remediating endpoints at scale, bringing them into compliance with security best practices
Implementing cybersecurity policies and monitoring them to stay in compliance
1. Assess your organization's current cybersecurity program
Taking the first step toward better cyber hygiene means understanding where your organization stands today. Conduct an honest assessment of your strengths and weaknesses in order to prioritize where to focus your efforts for your cybersecurity program. The challenge here is finding the right bar to measure yourself against. There are several frameworks that will do the job, so it can be daunting to figure out which one is the right fit, especially if this is the first time you're doing an assessment. Starting with the CIS Controls and CIS Benchmarks can help take the guesswork out of your assessment and provide peace of mind that you're covering all of your bases.
Here's what makes these two sets of best practices especially useful:
They tell you the "what" and the "how": Many frameworks tell you what you should do, but not how to do it. CIS best practices give you both.
They are comprehensive and consensus-based: CIS best practices are developed in collaboration with a global community of cybersecurity experts. They're also data-driven, as explained in the CIS Community Defense Model.
They are mapped to other industry regulatory frameworks: CIS best practices have been mapped or referenced by several other industry regulatory requirements, including NIST, FINRA, PCI DSS, FedRAMP, DISA STIGs, and many others. This means you can get the proverbial "two birds with one stone" by assessing against CIS best practices.
The CIS Controls are a prioritized and prescriptive set of safeguards that mitigate the most common cyber-attacks against systems and networks. The CIS Benchmarks are more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today's evolving cyber threats. Both are available as free PDF downloads to help you get started.
2. Remediate endpoints at scale with CIS Build Kits
One of the challenges in applying any best practice framework is dedicating the time and resources to do the work. Luckily, CIS offers tools and resources to help automate and track the assessment process. The CIS Controls Self Assessment Tool (CIS CSAT) helps organizations assess the implementation of the CIS Controls. Additionally, the CIS Configuration Assessment Tool (CIS-CAT Pro Assessor) scans target systems for conformance to the CIS Benchmarks. CIS-CAT Pro Assessor allows you to move more quickly toward analyzing results and setting a strategy to remediate your gaps.
CIS resources and tools are designed to help you move toward compliance with best practices by remediating the gaps. Once you understand where your gaps are and how to fix them, you can use CIS Build Kits to achieve compliance at scale. CIS Build Kits are automated, efficient, repeatable, and scalable resources for rapid implementation of CIS Benchmark recommendations. You can apply them via the Group Policy Management Console in Windows, or through a shell script in Linux (Unix/*nix) environments.
Interested in trying out a Build Kit? CIS offers sample Build Kits that contain a subset of the recommendations within the CIS Benchmark. They provide you a snapshot of what to expect with the full CIS Build Kit.
3. Implement cybersecurity policies and monitor for compliance
Lastly, creating strong policies and monitoring conformance helps ensure that an organization is working toward a more robust cybersecurity program. Regularly monitoring conformance over time is critical. It helps you avoid configuration drift, and helps identify any new issues quickly. CIS tools can help monitor conformance and identify gaps.
CIS-CAT Pro Dashboard provides an easy-to-use graphical user interface for viewing CIS Benchmark conformance assessment results over time. Similarly, CIS CSAT Pro enables an organization to monitor implementation of the CIS Controls over time.
A strong cybersecurity program with CIS SecureSuite Membership
Any organization can start improving its cyber hygiene by downloading CIS's free best practices, like the PDF versions of the CIS Benchmarks. But it's important to know that you don't have to go it alone. A cost-effective CIS SecureSuite Membership can be both a solution to your immediate security needs and a long-term resource to help optimize your organization's cybersecurity program.
You'll get access to:
CIS-CAT Pro Assessor and Dashboard
CIS CSAT Pro
CIS Build Kits
CIS Benchmarks in various formats (Microsoft Word, Microsoft Excel, XCCDF, OVAL, XML) and more
Get the most out of CIS best practices for your cybersecurity program by signing up for a cost-effective CIS SecureSuite Membership.