InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Dark forums and Telegram channels have become great places for threat actors to sell critical vulnerabilities and exploits.
These vulnerabilities and exploits were associated with the Elevation of Privilege, Authentication Bypass, SQL Injection, and Remote Code Execution in products like Windows, JetBrains software, Microsoft Streaming Service Proxy, and Ubuntu kernels.
Recent discoveries state that these vulnerabilities were sold in underground forums even before the Vendor officially assigned them.
One such example was the Microsoft Streaming Server vulnerability (CVE-2023-36802) that was on sale in February, though the CVE was officially assigned in September 2023.
Key Vulnerabilities
According to the reports shared with Cyber Security News, several critical and high-severity vulnerabilities were sold in the underground forums, which certain ransomware groups used to gain initial access and lateral movement inside the victim network.
Critical Vulnerabilities
CVE-2023-34362: MOVEit RCE Vulnerability (Exploited By Cl0p Ransomware Group)
This vulnerability was published in NVD on June 02, 2023. However, it was observed to be exploited by threat actors since May 2023. This vulnerability had a severity of 9.8 (Critical) and was patched by Progress.
This vulnerability arises due to insufficient sanitization of user-provided data, which enables unauthenticated remote attackers to access the MOVEit application. With this vulnerability, the Cl0p ransomware group targeted more than 3000 organizations in the US and 8000 organizations worldwide.
CVE-2023-3519: Citrix ADC And Gateway Vulnerability (Exploited By Unknown Threat Actor)
NVD published this vulnerability on June 19, 2023, and Citrix patched it in July 2023. However, threat actors were seen to be exploiting this vulnerability in June 2023, which affected Netscaler ADC and Gateway versions.
A threat actor can use this vulnerability to execute remote code on affected Citrix ADC and Gateway systems to steal sensitive information without any authentication. The severity of this vulnerability was given as 9.8 (Critical).
CVE-2023-42793: JetBrains Unauthenticated RCE (Exploited By North Korean Threat Actors)
This vulnerability could allow an unauthenticated threat actor to access the TeamCity server and execute remote code,, which could compromise the source code and add to a supply chain attack.
This vulnerability was published in NVD in September 2023 and was found to be sold in the underground forums in October 2023. This authentication bypass leading to RCE vulnerability was given a severity of 9.8 (Critical).
According to Microsoft, this vulnerability was potentially used by North Korean nation-state threat actors like Diamond Sleet and Onyx Sleet to install malware and backdoors on their targets.
A complete report about the vulnerabilities sold on the underground market, their associated threat groups, and other information has been published.
Users of these products are recommended to patch the affected versions accordingly and take precautionary measures to prevent them from getting exploited by threat actors.
In a recent and alarming development, the notorious Russia-linked threat actor Sandworm executed a sophisticated cyber-physical attack targeting a critical infrastructure organization in Ukraine.
The incident, responded to by cybersecurity firm Mandiant, unfolded as a multi-event assault, showcasing a novel technique to impact Industrial control systems (ICS) and operational technology (OT).
Unraveling Russia’s Cyber-Physical Capabilities
The attack, spanning from June to October 2022, demonstrated a significant evolution in Russia’s cyber-physical attack capabilities, notably visible since the invasion of Ukraine.
Sandworm, known for its allegiance to Russia’s Main Intelligence Directorate (GRU), has historically focused on disruptive and destructive campaigns, particularly in Ukraine.
The unique aspect of this attack involved Sandworm’s utilization of living-off-the-land (LotL) techniques at the OT level, initially causing an unplanned power outage in conjunction with missile strikes across Ukraine.
The threat actor further demonstrated its adaptability by deploying a new variant of the CADDYWIPER malware in the victim’s IT environment.
Mandiant’s analysis revealed the complexity of the attack, highlighting Sandworm’s ability to recognize novel OT threat vectors, develop new capabilities, and exploit various OT infrastructures.
The threat actor’s deployment of LotL techniques indicated a streamlined approach, reducing the time and resources required for the cyber-physical assault.
Concerns Over Sandworm’s Adaptive Capabilities
Despite being unable to pinpoint the initial intrusion point, Mandiant suggested that the OT component of the attack may have been developed in as little as two months.
This raises concerns about Sandworm’s capability to rapidly adapt and deploy similar attacks against diverse OT systems worldwide.
Sandworm’s global threat activity, coupled with its novel OT capabilities, prompted a call to action for OT asset owners worldwide.
Mandiant provided detailed guidance, including detection methods, hunting strategies, and recommendations for hardening systems against such threats.
The attack’s timing, coinciding with Russian kinetic operations, suggested a strategic synchronization, indicating that the threat actor may have been waiting for a specific moment to deploy its capabilities.
As observed in this incident, the evolution of Sandworm’s tactics offers insights into Russia’s ongoing investment in OT-oriented offensive cyber capabilities.
In conclusion, this Sandworm attack serves as a stark reminder of the escalating cyber threats faced by critical infrastructure globally.
The continuous evolution of cyber adversaries necessitates a proactive approach from governments, organizations, and asset owners to secure and safeguard vital systems against such sophisticated attacks.
Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.
This can give them unauthorized access and control over a system or application, enabling various types of attacks like:-
Privilege escalation
Data theft
System compromise
An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.
The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.
Malicious DLL With Legitimate EXE Files
Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.
Users searching for cracked software leads to malicious sites, and the downloads are encrypted RAR files with passwords.
Running EXE infects the system, and they often have valid signatures, so always be cautious with cracked software, reads the ASEC report.
Distribution of the malware via webpages (Source – ASEC)
Malicious DLLs tweak part of legitimate DLLs as they decrypt and run data from a nearby file. Hiding data this way avoids altering DLL appearance, reducing detection risk.
For malware to work, the following elements are required to be placed in the same folder:-
Data
EXE
Modified DLL
Unzipping the password-protected file with the code “2023” gives you the following files:-
Contents of compressed file (Source – ASEC)
The following two files are genuine VLC files with valid signatures:-
Setup.exe
libvlc.dll
The “libvlccore.dll” is altered and lacks a matching signature, due to which the extra directories like demux and lua serve to mask its malicious nature.
Running ‘Setup.exe’ activates ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds code info. disguised as a PNG.
It loads “pla.dll” from SysWow64 and injects code into its memory differently than typical malware. This method uses NTDLL relocation, and for “cmd.exe,” it loads “pla.dll” and injects the malware into it.
A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to “pla.dll” code. This code decrypts a file, generates LummaC2 malware, and runs “explorer.exe,” injecting and executing the binary.
LummaC2 targets victims and installs malware from its C2 server, and it steals various sensitive data using JSON-formatted responses from C2.
The malware infects via legitimate EXE files, looking like original DLLs, posing a low detection risk.
According to a recent study published by the leading cybersecurity agency in France, a hacking organisation affiliated with Russia’s military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions. The research was published by the agency.
Since the second half of 2021, the group of hackers known as Fancy Bear or APT28 has been operating covertly into French computer networks in an effort to acquire a variety of sensitive sorts of data. According to the findings of the investigation conducted by the National Cybersecurity Agency of France, also known as ANSSI, the perpetrators of the attacks hacked systems that were not being actively watched, such as routers, and abstained from employing backdoors in order to avoid being discovered. These cyber attackers infiltrate peripheral devices on crucially important French organisational networks, according to a recent study published by France’s National Agency for the Security of Information Systems (ANSSI), and they do so without making use of backdoors in order to avoid detection. After conducting an analysis of the group’s Techniques, Tactics, and Procedures (TTPs), ANSSI came to the conclusion that APT28 infiltrates target networks via brute force and credential leaks in order to get access to accounts and Ubiquiti routers. In April of 2023, a phishing expedition was begun with the purpose of obtaining system settings, insights into operational operations, and other relevant data. Using the flaw identified as CVE-2023-23397, APT28 sent emails to Outlook users during the months of March 2022 and June 2023. In order to carry out reconnaissance and data collecting, the attackers made use of other vulnerabilities, such as CVE-2022-30190 (Follina) in Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail. Both of these vulnerabilities were exploited by the attackers.
In order to carry out their intrusions, the gang made use of applications such as the password harvester Mimikatz and the traffic relay tool reGeorg. Additionally, they made use of open-source services such as Mockbin and Mocky. It is important to understand that APT28 use a wide variety of different VPN clients.
As a cyber-espionage group, APT28’s primary mission is to gain unauthorised access and steal information from its targets. The hackers stole sensitive information from email accounts and stole authentication details by using common tools. The hackers also stole emails that were full of personal information. The Command and Control (C2) architecture is rooted on cloud services such as Google Drive and Microsoft OneDrive, which makes it more difficult to identify them.
ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.
In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.
APT28 is responsible for sending emails to Outlook users that attacked a zero-day vulnerability that is now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than what was previously revealed.
The ANSSI emphasises taking a comprehensive approach to security, which includes conducting risk assessments. In light of the dangers posed by APT28, there should be a special focus on ensuring the safety of email communications. The following is a list of the most important suggestions that the organisation has about the safety of email:
Protecting the privacy of email communications and preventing their disclosure via adopting secure exchange systems as a means of preventing the diversion or acquisition of email traffic. Reducing the potential points of attack on email online interfaces and managing the dangers posed by servers such as Microsoft Exchange and putting in place mechanisms that can identify malicious emails.
Network Penetration Testing checklist determines vulnerabilities in the network posture by discovering Open ports, troubleshooting live systems, and services, and grabbing system banners.
The pen-testing helps the administrator to close unused ports, additional services, Hide or customize banners, troubleshoot services, and to calibrate firewall rules.
You should test in all ways to guarantee there is no security loophole.
Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.
The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.
Let’s see how we conduct step-by-step Network penetration testing by using some famous network scanners.
1. Host Discovery
Footprinting is the first and most important phase where one gathers information about their target system.
DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.
A – A record is used to point the domain name such as gbhackers.com to the IP address of its hosting server.
MX – Records responsible for Email exchange.
NS – NS records are to identify DNS servers responsible for the domain.
SRV – Records to distinguish the service hosted on specific servers.
PTR – Reverse DNS lookup, with the help of IP you can get domains associated with it.
SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
CNAME – Cname record maps a domain name to another domain name.
We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.
Perform port scanning using tools such as Nmap, Hping3, Netscan tools, and Network monitor. These tools help us to probe a server or host on the target network for open ports.
Perform banner Grabbing/OS fingerprinting such as Telnet, IDServe, and NMAP determines the operating system of the target host and the operating system.
Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.
Scan the network using Vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.
These tools help us find vulnerabilities in the target and operating systems. With these steps, you can find loopholes in the target network system.
GFILanguard
It acts as a security consultant and offers patch management vulnerability assessment, and network auditing services.
Nessus
Nessus is a vulnerability scanner tool that searches for bugs in software and finds a specific way to violate the security of a software product.
Data gathering.
Host identification.
Port scan.
Plug-in selection.
Reporting of data.
5. Draw Network Diagrams
Draw a network diagram about the organization that helps you understand the logical connection path to the target host in the network.
The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.
6. Prepare Proxies
Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.
With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads and many others.
Proxies such as Proxifier, SSL Proxy, Proxy Finder..etc, to hide from being caught.
6. Document All Findings
The last and very important step is to document all the findings from penetration testing.
This document will help you find potential vulnerabilities in your network. Once you determine the Vulnerabilities, you can plan counteractions accordingly.
You can download the rules and scope Worksheet here: Rules and Scope sheet
Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.
An ongoing attack on government agencies in the APAC region has been claimed to have compromised a secure USB device with hardware encryption.
The nation’s government agencies utilize these safe USB devices to transfer and save data between computer systems.
The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.
Cyber Espionage Via Secure USBs
According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives.
On the infected computers, the attacks can also carry out additional harmful files.
The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.
BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actor’s main objective, it has demonstrated interest in obtaining financial data.
BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.
The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victim’s computer and take over by executing arbitrary commands.
APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.
Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.
Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.
“It is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,” reads the report.
A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.
Moreover, these compromised systems can later be used for DDoS(Distributed Denial-of-Service) attacks.
Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.
However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.
Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.
As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.
Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.
XorDDoS Infects Linux Devices
XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/gcc.pid, the OS version, malware version, memory status, and CPU information.
The malware also used the decrypt_remotestr() function to decrypt the C2 domains embedded inside the executable. The C2 endpoints are,
ppp.gggatat456[.]com:53
ppp.xxxatat456[.]com:53
p5.dddgata789[.]com:53
P5.lpjulidny7[.]com:53
C2 decryption function (Source: Palo Alto Unit42)
Persistence
As a means of persistence, the malware creates scheduled autorun tasks, which will run every three minutes, along with an autorun service configured during startup.
Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.
C2 Network Infrastructure
A list of C2 domains that were registered and used by the threat actors is as follows:
Furthermore, a comprehensive report about this new campaign and the trojan has been published by Unit42 of Palo Alto, which provides detailed information about the campaign, code analysis, obfuscation techniques, and other information.
The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.
The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.
In June, the organization first confirmed that it was affected by exploitation of the tool, which was targeted via several critical vulnerabilities by the ransomware gang Clop.
Dozens of schools published notices confirming that student and alumni data was accessed in the breach but it was never clear just how many colleges or universities were affected.
In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.
The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.
The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.
NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.
“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”
Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.
Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”
“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.
“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”
Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Who is a CISO?
Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.
A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
What are all the Roles and Responsibilities of CISO?
Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.
Security Challenges CISOs Face
CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:
Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.
Over the years, numerous individuals have sounded the alarm about the increasing cyber threats, and several have provided insightful guidance on enhancing an organization’s security and resilience. To gauge the adequacy of your efforts, consider the following three questions: Firstly, have you recently engaged in a cyber tabletop exercise? Secondly, is the contact information for your chief information security officer stored in a location other than your work phone or computer? (Keep in mind that if your company’s networks fall victim to a ransomware attack, your work devices might be unreachable.) Lastly, are you aware of your government liaison in the event of a cybersecurity incident?
On May 7, 2021, Colonial Pipeline, a crucial fuel supply network for the eastern United States, suffered a ransomware attack and chose to halt its operations. This decision triggered a broader crisis, resulting in fuel shortages and skyrocketing gas prices at thousands of gas stations. The incident highlighted the intricate connection between physical and digital infrastructures.
In response, the U.S. government took action, with Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Energy Jennifer Granholm addressing the public on May 11, 2021. They reassured the American people and explained the government’s efforts to mitigate the attack’s impact, urging against panic buying of gasoline as the pipeline was expected to be operational again soon. This incident underscored the vulnerability of critical infrastructure to cyber threats and the importance of a coordinated response.
Significant Implications:
The Colonial Pipeline ransomware attack had significant geopolitical implications. It prompted direct engagement between President Biden and Russian President Vladimir Putin, highlighting the seriousness of the situation. This incident emphasized the critical need for stronger cybersecurity measures, especially for vital infrastructure like Colonial Pipeline. It served as a stark reminder that cyber threats can have far-reaching real-world consequences. The incident has had lasting effects, reshaping the roles of CEOs and industry leaders and influencing future cybersecurity considerations.
One notable outcome is the way CEOs are reevaluating their roles and responsibilities. The CEO of Colonial Pipeline, Joseph Blount, faced the difficult decision of paying a $4.3 million Bitcoin ransom to hackers, describing it as the most challenging choice in his 39-year career. This dilemma of whether to pay ransom or risk severe disruption has garnered attention from CEOs, who are keen to avoid public scrutiny and congressional hearings.
In light of this and other recent incidents, here are six recommendations for CEOs to consider:
Prioritize cybersecurity as a top-level concern.
Invest in robust cybersecurity measures and incident response plans.
Foster a culture of cybersecurity awareness within the organization.
Establish clear communication channels and relationships with relevant authorities.
Assess the potential impact of cyber incidents on critical operations.
Develop a strategy for handling ransomware demands that aligns with both legal and ethical considerations.
These recommendations are essential in an era where cyber incidents can quickly escalate to national security crises, demanding the attention of the U.S. president, and where the role of CEOs in responding to such threats is under increased scrutiny.
Exercise caution when communicating with the public.
A run on banks is a classic example of how public reactions and group psychology can exacerbate a crisis. Recent instances such as the rush for toilet paper during the Covid-19 pandemic and the panic at gas stations following the ransomware attack demonstrate that this issue goes beyond financial institutions.
Being cautious in how and what you communicate to the public doesn’t mean avoiding public communication altogether; it’s a necessity. However, companies must approach this with careful consideration. The Colonial Pipeline incident serves as an example, highlighting that even companies not accustomed to regular public engagement may suddenly find it necessary.
Collaborate with government authorities.
Colonial Pipeline’s swift decision to shut down its pipeline system was necessary, but it could have allowed for consultation with U.S. government experts. The shutdown, regardless of infection, would lead to days of disruption in the fuel supply chain, necessitating government intervention due to the serious consequences. Effective coordination with the government is crucial to prevent an unintentional worsening of a crisis.
Be aware of who to get in touch with.Updated Incident handling decision tree.
CEOs must have the knowledge of the appropriate government contacts to facilitate informed decision-making and effective coordination. Contacting entities like NATO or the military, as some anecdotes have indicated, is not the correct approach. However, at times, the government may not make it straightforward for external parties to determine the right person or agency to reach out to, underscoring the government’s responsibility to offer clear guidance in this regard.
Establish a Incident Handling plan and put it into practice.
This point is paramount, as it serves as the foundation for achieving other objectives. Besides creating and maintaining a plan, ideally under the CEO’s supervision, it’s crucial to conduct annual practice sessions, such as tabletop exercises. These exercises help company leaders and employees develop the necessary “muscle memory” for responding efficiently during actual crises.
Know your infrastructure.
Ideally, a CEO should possess a high-level understanding of how a company’s business IT networks and operational technology (OT) networks interact. In cases where systems are isolated (air-gapped), it may not be necessary to shut down the OT network if a compromise is limited to the IT network. However, the Colonial Pipeline ransomware attack illustrated that even the incapacitation of business IT networks can have substantial repercussions. In scenarios where a company is unable to generate invoices, identify customers, or establish contact with them, the resulting disruption can be as disruptive as a complete production halt. This was evident to anyone who has been stranded at an airport due to an airline’s IT system outage, experiencing firsthand the disruptive consequences.
Demonstrate humility and actively seek expertise from professionals.
Cybersecurity is a complex and multifaceted challenge that varies significantly across different sectors, such as pipelines, finance, healthcare, education, and transportation. Recognizing the limits of expertise, including that of cybersecurity professionals, is a crucial insight gained from years of cross-sector cyber incidents. CEOs should not hesitate to seek external assistance when developing, testing, or refining cybersecurity plans or reviewing existing processes and policies within their organizations. Additionally, there are numerous detailed resources available, including guides and checklists tailored for CEOs, board members, and Chief Information Security Officers (CISOs). The U.S. government, through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), offers resources like Stopransomware.gov and Shields Up, designed to cater to companies at different levels of cybersecurity maturity. These resources are valuable tools for enhancing cybersecurity preparedness.
An Executive Self-Assessment:
In addition to the numerous warnings and valuable advice regarding the growing cyber threats, three key questions can serve as a practical self-check to assess an organization’s cybersecurity readiness:
Have you recently participated in a cyber tabletop exercise?
Is the contact information of your chief information security officer stored outside your work phone or computer to ensure accessibility during a network compromise?
Do you have IHP one page summary and know your contact for cybersecurity incident reporting?
If the response to any of these questions is “no,” it’s essential to take action to enhance your organization’s cybersecurity preparedness. This proactive approach can significantly improve protection, prevent potential crises, and contribute to national security.
The need for cybersecurity professionals is at an all-time high in our rapidly evolving digital landscape. As cyber threats continue to advance and grow in frequency, businesses are showing a strong commitment to safeguarding their valuable data and networks, resulting in a significant rise in job openings within the cybersecurity field, some of which come with attractive compensation packages. In this article, author delve into the ten highest-paying positions within the cybersecurity sector, shedding light on the specific roles, duties, and salary brackets linked to each role.
IS27002 Control:-Vulnerability Management Why penetration test is important for an organization. Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards. #informationsecurity#cyberdefense#cybersecurity Cheat sheet for pentester Image credit:-https://lnkd.in/eb2HRA3n
Windows Forensics, include the process of conducting or performing forensic investigations of systems which run on Windows operating systems, It includes analysis of incident response, recovery, and auditing of equipment used in executing any criminal activity.
The cybersecurity insurance sector is experiencing swift expansion, with its value surging from around $13 billion in 2022 to a projected $84 billion by 2030, reflecting a robust 26% compound annual growth rate (CAGR). However, insurance providers are encountering challenges when it comes to accurately assessing the potential hazards associated with providing coverage for this category of risk.
Conventional actuarial models are ill-suited for an arena where exceptionally driven, innovative, and astute attackers are actively engaged in orchestrating events that lead to insurable incidents. Precisely gauging potential losses holds utmost importance in establishing customer premiums. However, despite a span of twenty years, there exists a substantial variance in loss ratios across insurance providers, ranging from a deficit of 0.5% to a surplus of 130.6%. The underwriting procedures lack the necessary robustness to effectively appraise these losses and set premiums that reflect a reasonable pricing.
Why is the insurance industry struggling with this?
The problem is with the nature of the threat. Cyber attackers escalate and adapt quickly, which undermines the historical-based models that insurance companies rely on. Attackers are continually shifting their maneuvers that identify victims, cause increasing loss, and rapidly shift to new areas of impact.
Denial of service attacks were once popular but were superseded by data breaches, which cause much more damage. Recently, attackers expanded their repertoire to include ransomware-style attacks that increased the insurable losses ever higher.
Trying to predict the cornerstone metrics for actuary modelers – the Annual Loss Expectancy and Annual Rate of Occurrence – with a high degree of accuracy is beyond the current capabilities of insurers. The industry currently conducts assessments for new clients to understand their cybersecurity posture to determine if they are insurable, what should be included/excluded from policies, and to calculate premiums. The current process is to weigh controls against best practices or peers to estimate the security posture of a policyholder.
However, these rudimentary practices are not delivering the necessary level of predictive accuracy.
The loss ratio for insurance firms has been volatile, in a world where getting the analysis wrong can be catastrophic. Variances and unpredictability make insurers nervous. At maximum, they want a 70% loss ratio to cover their payouts and expenses and, according to the National Association of Insurance Commissioners Report on the Cyber Insurance Market in 2021, nearly half of the top 20 insurers, representing 83% of the market, failed to achieve the desired loss ratio.
In response to failures to predict claims, insurers have been raising premiums to cover the risk gap. In Q4 2021 the renewals for premiums were up a staggering 34%. In Q4 2022 premiums continued to rise an additional 15%.
There are concerns that many customers will be priced out of the market and the insurance industry and left without a means of transferring risk. To the detriment of insurers, the companies may make their products so expensive that they undermine the tremendous market-growth opportunity. Additionally, upper limits for insurability and various exception clauses are being instituted, which diminish the overall value proposition for customers.
The next generation of cyber insurance
What is needed are better tools to predict cyber attacks and estimate losses. The current army of insurance actuaries has not delivered, but there is hope. It comes from the cyber risk community that looks to manage these ambiguous and chaotic risks by avoiding and minimizing losses.
These cybersecurity experts are motivated by optimizing limited resources to prevent or quickly undermine attacks. As part of that continuous exercise, there are opportunities to apply best practices to the insurance model to identify the most relevant aspects that include defensive postures (technology, behaviors, and processes) and understanding the relevant threat actors (targets, capabilities, and methods) to determine the residual risks.
The goal would be to develop a unified standard for qualifying for cyber insurance that would adapt to the rapid changes in the cyber landscape. More accurate methodologies will improve assessments to reduce insurers’ ambiguity so they may competitively price their offerings.
In the future, such calculations will be continuous and showcase how a company will benefit by properly managing security in alignment with shifting threats. This should bring down overall premium costs.
The next generation of cyber insurance will rise on the foundations of new risk analysis methodologies to be more accurate and sustain the mutual benefits offered by the insurance industry.
Cloud Hosting Provider Lost all Customer Data Following Ransomware Attack
There has been a cyber attack on two cloud hosting providers, namely CloudNordic and Azero Cloud, which Certiqa Holding owns. The cyberattack has resulted in complete data loss for all their customers.
The cloud attack was reportedly on Friday, April 18, 2023, at around 4 AM when CloudNordic and Azero cloud were exposed to a ransomware attack in which the threat actors shut down all the systems, including customer systems, e-mail systems, customers’ websites, and everything they gained access to.
Both companies mentioned that they could not and didn’t want to pay the ransom demanded by the threat actors. However, the IT teams of CloudNordic and Azero Cloud are working with external experts to get complete information about the attack and possible recreation.
Unfortunately, the companies could not recover or recreate any customer data, and they have lost every piece of data on their customers, mail servers, web servers, etc.
Current Status
CloudNordic and Azero Cloud are highly affected by this cyber attack, and they have lost largely critical customer data but have re-established communications.
This means they have now deployed blank systems, including name servers, web servers, and mail servers. However, none of them contain any previous data.
The company has sorted out a way to restore the DNS administration interface that can enable users to get email and the web working again.
Attack Explanation
As per the reportsubmitted to Cyber Security News, both companies attempted to migrate between data centers and had some infected systems before the migration, which the company did not know.
Nevertheless, some servers used to manage all the servers were still wired to the previous network. Threat actors gained access to the administration systems with this network misconfiguration, which paved their way toward the backup systems (both primary and secondary backup).
The attackers encrypted all the systems they had access to, including all the virtual machines. Large amounts of data were reported to have been encrypted by the ransomware, but there seems to be no evidence of data being copied.
Both companies claimed there seemed to be no evidence of a data breach and regretted the inconvenience caused to their customers.
With the rise in cyberattacks and cybercriminals, every organization must implement multiple security measures and monitor every piece of traffic to prevent these kinds of cyberattacks.
The OWASP Amass project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
Osmedeus
Osmedeus is a workflow engine for offensive security that allows you to build and run a reconnaissance system on a wide range of targets, including domains, URLs, CIDRs, and GitHub repositories. It was designed to establish a strong foundation and can adapt and function automatically to perform reconnaissance tasks.
PhoneInfoga
PhoneInfoga is an advanced tool to scan international phone numbers. It allows you to gather basic information such as country, area, carrier, and line type, then use various techniques to find the VoIP provider or identify the owner. It works with a collection of scanners that must be configured for the tool to be effective.
Sherlock
Sherlock allows you to search social media accounts by username across social networks.
Shodan
Shodan is a search engine for Internet-connected devices. Discover how internet intelligence can help you make better decisions. The entire Shodan platform (crawling, IP lookups, searching, and data streaming) is available to developers. Use their API to understand whether users connect from a VPN, whether the website you’re visiting has been compromised, and more.
Social Analyzer
Social Analyzer is an API, CLI, and web app for analyzing and finding a person’s profile across social media and websites. It includes different analysis and detection modules; you can choose which modules to use during the investigation process. The analysis and public extracted information from this OSINT tool could help investigate profiles related to suspicious or malicious activities such as cyberbullying, cyber grooming, cyberstalking, and spreading misinformation.
SpiderFoot
SpiderFoot is an OSINT automation tool. It integrates with just about every data source available and utilizes a range of methods for data analysis, making that data easy to navigate. SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line.
theHarvester
theHarvester is a simple to use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It performs OSINT gathering to help determine a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources.
One of Mississippi’s largest hospital systems, Singing River Health System, suffered a cyberattack last week, leading to the shutdown of various internal services. The hospital system, which operates multiple hospitals and clinics along the Gulf Coast, detected unusual activity on its network and is cooperating with law enforcement. As a result of the attack, certain internal systems were taken offline to ensure their integrity during the investigation. The hospital’s IT security team is working to restore the offline systems, but the process is expected to take time. The hospital has not confirmed whether the attack involved ransomware or if a ransom will be paid. Patient services, including lab test results and radiology exams, are facing delays due to the attack. The incident highlights the ongoing challenges that hospitals face from cyberattacks, as this year has seen several healthcare institutions targeted by such attacks.
Someone at Microsoft has some explaining to do after a messed up DNS record caused emails sent from Hotmail accounts using Microsoft’s Outlook service to be rejected and directed to spam folders starting on Thursday.
Late on Thursday evening, Hotmail users began reporting that some emails were being returned with errors related to Sender Policy Framework (SPF), and thus recipient email services were unable “to confirm that [a] message came from a trusted location.”
SPF, for those unfamiliar with it, is a method of outbound email authentication that helps avoid email spoofing, impersonation and phishing. If, for example, a service like Hotmail were to have one of its subdomains removed from the DNS TXT record that stores its SPF list, then recipient services may assume it’s junk.
And that appears to be just what happened.
Reddit users posting to the Sysadmin subreddit verified they were experiencing SPF issues with Hotmail. One user pulled up Hotmail’s SPF record and found that Redmond had made two changes: removing spf.protection.outlook.com from the record, and changing the SPF failure condition from soft to hard. That meant any suspicious messages from Hotmail should be rejected rather than just sent to spam.
Microsoft support forum advisors confirmed that the issue was known, which was further confirmed by a look at the Office service status page. Per Microsoft: “Some users may receive non-delivery reports when attempting to send emails from hotmail.com.”
At time of writing, the status page indicated that “a recent change to email authentication” was the potential root cause of the outage. Microsoft said it made a configuration change to remediate impact, but shortly after said the problem may have been worse than it appeared at first glance.
“We’ve identified that additional configuration entries are impacted, and we’re implementing further configuration changes to resolve the issue,” Microsoft said. Not long after that was posted, Microsoft indicated configuration changes were complete and the problem was fixed.
Microsoft didn’t respond to our questions about the incident, only saying the issue had been resolved.
