InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Oct 19 2021
Working from home comes with a slew of security concerns. Businesses planning to look at remote work as a long-term strategy should take the time to reassess any “band-aid” security solutions that may have been applied at the beginning of the pandemic and look at ways that security can be prioritized permanently.
Oct 15 2021
US Treasury says there was $590M in suspicious ransomware activity in H1 2021, exceeding the entire amount in 2020, when $416M was reported — Suspicious activity reports related to ransomware jumped significantly in 2021, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network.
There was $590 million in suspicious activity related to ransomware in the first six months of 2021, exceeding the entire amount in 2020, when $416 million was reported, according to a report released Friday by the U.S. Treasury Department’s Financial Crimes Enforcement Network.
The average amount of reported ransomware transactions per month in 2021 was $102.3 million, according to the report. If the current trend continues, suspicious activity reports filed in 2021 “are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined,” according to the report. SARs is shorthand for suspicious activity reports.
U.S. based cybersecurity companies filed most of the SARs related to ransomware while banks and cryptocurrency exchanges filed more than a third of the reports. The reports reflect just how quickly ransomware attacks have grown.
The report offers new insight into the scale of ransomware attacks devastating U.S. businesses and impacting critical infrastructure. A Treasury spokesperson said the SARs don’t represent all ransomware payments.
Reporting ransomware payments to the Treasury via a suspicious activity report is often a requirement of cybersecurity insurance policies, according to a person familiar with the matter.
The Treasury Department also identified 68 ransomware variants, noting that the most commonly reported types were REvil, Conti and DarkSide. Ransomware groups often sell their malware, or variant, to affiliates who then use it to plot attacks, in what is known as ransomware-as-a-service. REvil, Conti and DarkSide are suspected by cybersecurity firms of being tied to Russia in some way — because they use the Russian language or are suspected of being based there.
The report was filed as the Treasury Department issued guidance to the virtual currency industry to prevent exploitation by entities sanctioned by the U.S. and ransomware groups. It is part of a broader effort by the Biden administration to attempt to curb ransomware attacks. In ransomware attacks, hackers encrypt a victim’s files and promise to unlock them if they are paid a fee.
Among the more notable attacks were those in May on Colonial Pipeline Co. in May that squeezed fuel supplies on the East Coast and on the meatpacker JBS SA.
The Treasury report stated that ransomware actors are increasingly requesting payment in cryptocurrencies like Monero, which are designed to enhance anonymity.
More: BleepingComputer, The Record, CNET, The Hill, PYMNTS.com, CyberScoop, and CoinDesk
Oct 13 2021
A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.
Coinbase is the world’s second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue — coinbase.com.password-reset[.]com — was targeting Italian Coinbase users (the site’s default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.
More details on: How Coinbase Phishers Steal One-Time Passwords
Oct 13 2021
It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!
Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.
Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)
Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)…
…and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.
And if phishing is a “solved game”, surely it’s not worth worrying about any more?
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails
Don’t Get Caught
Oct 07 2021
Experts warn of the availability of proof of concept (PoC) exploit code for a couple of authentication bypass vulnerabilities in Dahua cameras, tracked as CVE-2021-33044 and CVE-2021-33045.
A remote attacker can exploit both vulnerabilities by sending specially crafted data packets to the vulnerable cameras.
“The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.” reads the advisory published by the vendor in early September.
The flaw received a CVSS v3 score of 8.1, the vendor recommended its customers to install security updates.
The list of affected models is very long, it includes IPC-X3XXX,HX5XXX, HUM7XX, VTO75X95X, VTO65XXX, VTH542XH, PTZ Dome Camera SD1A1, SD22, SD49, SD50, SD52C, SD6AL, Thermal TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5XXX, TPC-SD8X21, TPC-PT8X21B, NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX.
It could be quite easy for threat actors in the wild to find exposed Dahua devices using a search engine like Shodan and attempt to hack them using the available PoC code. In order to protect Dahua devices, users have to install the latest firmware version.
Oct 04 2021
As you probably know (or, at least, as you know now!), October is Cybersecurity Awareness Month, which means it’s a great opportunity to do three things: Stop. Think. Connect.
Those three words were chosen many years ago by the US public service as a short and simple motto for cybersecurity awareness.
Cybersecurity Awareness Month 2021 Toolkit: Key messaging, articles, social media, and more to promote Cybersecurity Awareness Month 2021
![Cybersecurity Awareness Month 2021 Toolkit: Key messaging, articles, social media, and more to promote Cybersecurity Awareness Month 2021 by [Cybersecurity and Infrastructure Security Agency]](https://m.media-amazon.com/images/I/41qNh1aMMNL._SX260_.jpg)
Cybersecurity Awareness Month 2021 has officially begun! join CISA in spreading cybersecurity awareness and encourage everyone to own their role in protecting Internet-connected devices. “Do Your Part. #BeCyberSmart.”
Visit www.cisa.gov/cybersecurity-awareness-month for more information.
#BeCyberSmart #CyberMonth
Week 1
The focus of Cybersecurity Awareness Month’s first week is “Do Your Part. #BeCyberSmart.”
Cybersecurity starts with YOU and is everyone’s responsibility. There are currently an estimated 5.2 billion Internet users—over 65% of the world’s population![1] This number will only grow, making the need to #BeCyberSmart more important than ever.
Join us and get involved by visiting www.cisa.gov/cybersecurity-awareness-month for more information.
#BeCyberSmart #CyberMonth
This year has seen an increase in phishing incidents that often lead to ransomware attacks. These attacks disrupt the way we work, learn, and socialize. With our homes, schools, and business more connected than ever, it’s vital to #BeCyberSmart.
Learn how to #FightThePhish and report suspicious emails by visiting www.cisa.gov/cybersecurity-awareness-month for more information.
#BeCyberSmart #CyberMonth
Cybersecurity Awareness Month’s third week is Cybersecurity Career Awareness Week. This week, learn the vital role cybersecurity professionals play in global society and security. Also, learn how you can explore #Cybersecurity as your next career.
For professional development and educational resources visit www.cisa.gov/cybersecurity-awareness-month.
#BeCyberSmart #CyberMonth
For ways on how organizations and individuals can incorporate cybersecurity best practices into their decision making processes, visit www.cisa.gov/cybersecurity-awareness-month.
#BeCyberSmart #CyberMonth
Oct 01 2021
First appearing in March, the group has been leveraging ProxyShell against targets in 10 countries and employs a variety of malware to steal data from compromised networks.
A new APT group has emerged that’s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks.
Researchers at security firm Positive Technologies have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. Though attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far, researchers said in a report by company researchers Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov and Stanislav Rakovsky published online Thursday.
To avoid detection, ChamelGang hides its malware and network infrastructure under legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unique ways, researchers observed.
more detail analysis on: New APT ChamelGang Targets Russian Energy, Aviation Orgs
Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools
Sep 30 2021
Researchers have demonstrated that someone could use a stolen, unlocked iPhone to pay for thousands of dollars of goods or services, no authentication needed.
An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning.
The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.’s National Cyber Security Centre (NCSC). But Visa, for its part, said that Apple Pay payments are secure and that any real-world attacks would be difficult to carry out.
The team explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in “Express Transit” mode. Express Transit allows commuters around the world, including those riding the New York City subway, the Chicago El and the London Underground, to tap their phones on a reader to pay their fares without unlocking their devices.
“An attacker only needs a stolen, powered-on iPhone,” according to a writeup (PDF) published this week. “The transactions could also be relayed from an iPhone inside someone’s bag, without their knowledge. The attacker needs no assistance from the merchant.”
In a proof-of-concept video, the researchers showed a £1,000 payment being sent from a locked iPhone to a standard, non-transit Europay, Mastercard and Visa (EMV) credit-card reader.
The attack is an active man-in-the-middle replay and relay attack, according to the paper. It requires an iPhone to have a Visa card (credit or debit) set up as a transit card in Apple Pay.
The attackers would need to set up a terminal that emulates a legitimate ticket barrier for transit. This can be done using a cheap, commercially available piece of radio equipment, researchers said. This tricks the iPhone into believing it’s connecting to a legitimate Express Transit option, and so, therefore, it doesn’t need to be unlocked.
“If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this [to be] a transaction with a transport EMV reader,” the team explained.
Apple Pay with Visa Hacked to Make Payments via Unlocked iPhones
Sep 27 2021
While 92 percent of people know that using the same password or a variation is a risk, 65 percent still re-use passwords across accounts, drastically increasing the risks to their sensitive information, a LastPass report revealed.
While consumers have a solid understanding of proper password security and the actions necessary to minimize risk, they still pick and choose which information they apply that knowledge to, according to the report.
Strong cybersecurity habits are more important than ever this year, given the sheer volume of time individuals have spent online in the last 18 months and the corresponding spike in cyber-attacks. Yet the survey revealed that despite 71 percent of people working wholly or partly remote and 70 percent spending more time online for personal entertainment during the pandemic, people were still exhibiting poor password behavior.
Password Authentication for Web and Mobile Apps
Sep 20 2021
These scams can take many different forms, including:
Sep 17 2021
Download Modern Pentesting for security and development team
Find out how Cobalt service protect your Apps: Cobalt’s Pentest as a Service (PtaaS) platform coupled with an exclusive community of testers delivers the real-time insights you need to remediate risk quickly and innovate securely.
Please email with the subject “Beginner’s Guide to Compliance-Driven Pentesting” if interested to read this guide: Info@deurainfosec.com
Sep 14 2021
Forbidden Stories, a Paris-based non-profit organisation that seeks to ensure the freedom of speech of journalists, recently announced that the Pegasus Project surveillance solution by the Israeli NSO Group selected 50,000 phone numbers for surveillance by its customers following a data leak.
The NSO Group has always maintained that the purpose of the Pegasus Project was for governments to monitor terrorist activity. However, this recent story, if true, could suggest that the solution has been abused for a long period of time and used for other nefarious purposes.
As reported by Forbidden Stories, the leaked data suggests the wide misuse of Pegasus Project and a range of surveillance targets that include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states. The NSO Group continues to contend these assertions are based on wrong assumptions and uncorroborated theories. Whether these statements are true or false, they raise interesting considerations for enterprises and government organisations that have a requirement to protect the smartphones of employees who have access to sensitive information.
Pegasus Project is reported to provide NSO Group customers full control of target devices, which makes it a threat of interest. However, it is not the first mobile threat that organisations should be concerned about. In another contested case, SNYK suggested that the Sour Mint threat, a Software Development Kit (SDK) developed by the Chinese mobile ad platform provider Mintegral and used by more than 1,200 apps in the Apple App Store, was responsible for spying on users by activity logging URL-based requests through the app. It was reported that user activity is logged to a third-party server that could potentially include personally identifiable information (PII).
Where things get interesting with Sour Mint is its ability to evade defences by slipping through the Quality Assurance (QA) process of the Apple App Store, which goes to show that even the thoroughness of Apple’s processes were not sufficient to detect malicious code in the case of this threat.
So, with the rise of mobile threats such as Pegasus Project and Sour Mint, how should organisations defend against such threats?
Mobile security solution review in light of the
WhatsApp Pegasus hack
Sep 10 2021
Maryland recently joined seven other U.S. states to permit users to carry “digital driver’s licenses.” Under the program—which initially will work with Apple devices like iPhones—users can download a digital credential—a digital driver’s license—to their phones. The digital ID would be carried in the Apple digital wallet in much the same way as a regular ID is carried in a regular wallet. The digital driver’s license is based on the International Standards Organization (ISO) standard which is described more fully here.
Obviously, there are issues here related to the security of the credential, the degree of authentication necessary to obtain the credential, whether the credential can be simultaneously loaded into multiple devices and whether I can “loan” my driver’s license to my identical twin brother (yes, I have an identical twin brother). Moreover, for the credential to be meaningful, it must permit both local and connected validation—that is, a police officer needs to be able to check to see if you have an apparently valid ID at the scene of a violation or accident without access to online verification and they must also be able to validate the ID against some online database. In addition, we need to decide who has access to the digital validation protocols—police and other traffic enforcement officials? TSA or transportation security officials? The dude at the front desk of the office building? The bouncer at the bar? The server serving alcohol? The resident associate (RA) checking people in at the college dorm? Are there any controls on who can access these credential validation services and for what purpose? A digital credential is much easier to spoof (simply do a screenshot) if there is no ability to validate online. Moreover, the validation must be robust enough to work reasonably well offline—things like a photo ID, a watermark, etc. You know, all the stuff we put on the “real ID” driver’s license.
Digital Driver’s Licenses: Unintended Consequences
Sep 07 2021
There are analysts around the globe who are continually being jolted awake in the middle of the night to respond to ransomware attacks. Because WordPress is the market share leader (39.5% of all websites are powered by WordPress; that number jumps to 64.1% for content management systems), my team of SOC analysts aren’t strangers to responding to WordPress security issues. The one lesson we’ve learned time and time again: Preventative security measures are the most effective steps you can take against ransomware attacks.
For businesses currently on the WordPress platform, we’ve put together five easy-to-follow tips:
Sep 03 2021
A set of 16 security flaws in commercial Bluetooth stacks, collectively tracked as BrakTooth, can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.
The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.
The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.
As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.
“we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.” reads the post published by the researchers. “All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. “
The attack scenario tested by the experts only requires a cheap ESP32 development kit (ESP-WROVER-KIT) with a custom (non-compliant) LMP firmware and a PC to run the PoC tool they developed. The tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks targeting the BDAddress (<target bdaddr>) using the specific exploit (<exploit_name>).
The ASSET group has released the PoC tool to allow vendors to test their devices against the vulnerabilities
Guide to Bluetooth Security: Recommendations of the National Institute of Standards and Technology (Special Publication 800-121 Revision 1)
Sep 01 2021
Feds Warn of Ransomware Attacks Ahead of Labor Day
Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t — which means organizations should remain particularly vigilante about the potential for ransomware attacks, the federal government has warned.
Citing historical precedence, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.
While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.
Indeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.
“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.
Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.
That’s mainly because the absence of key personnel make it less likely that organizations that are targeted can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.
“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.
The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks
Aug 31 2021
Windows 11 won’t auto-update on slightly old PCs. It appears this includes security updates—although Microsoft PR is doing its usual trick of ghosting reporters who ask.
This sounds like a terrible idea: A fleet of unpatched Windows 11 PCs connected to the internet? That’s a recipe for disaster.
Stand by for Redmond to walk this one back in an embarrassing climbdown. In today’s SB Blogwatch, we hope against hope.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Olivia vs. Paramore.
What’s the craic? Sean Hollister reports—“Microsoft is threatening to withhold Windows 11 updates if your CPU is old”:
Why leave us in the dark?”
Windows 11 won’t technically leave millions of PCs behind … so long as you download and manually install an ISO file. … But it turns out even that technicality has a technicality: Microsoft is now threatening to withhold Windows Updates … potentially even security updates.
…
It’s quite possible this is just a cover-your-ass measure. … But it’s also possible Microsoft genuinely does mean to withhold patches. … Microsoft declined to clarify things further.
…
Windows 11 could theoretically be an operating system where you go back to the days of manually downloading [security] updates. … Feature updates are probably less of a big deal. [But] why leave us in the dark?
Aug 26 2021
There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a ‘Plan Do Check Act’ process.
ISO 27001 is the international security standard that details the requirements of an ISMS.
ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.
A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.
The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.
The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).
ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.
ISO 27001 Risk Assessment and Gap Assessment
Aug 26 2021
The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s TMUS -1.63% systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and counting.
John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.
The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.
