Apr 11 2021

DISC InfoSec shop

Category: Information Security | DISC @ 10:06 am


Apr 11 2021

Google’s Project Zero Finds a Nation-State Zero-Day Operation

Category: Zero day, Zero trust | DISC @ 9:44 am

Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by “Western government operatives actively conducting a counterterrorism operation”:

The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.

Zero Days

Review: 'Zero Days' Examines Cyberwarfare's Potential Online Apocalypse - The New York Times

The Stuxnet virus cyber-attack launched by the U.S. and Israel unleashed malware with unforeseen consequences. Delve deep into the burgeoning world of digital warfare in this documentary thriller from Academy Award® winning filmmaker Alex Gibney.

Tags: Stuxnet, watering hole attacks


Apr 10 2021

April 2021 Patch Tuesday forecast: Security best practices

Category: Security patching | DISC @ 1:13 pm

Those of us in the security industry saw the need to identify and share incident and vulnerability information, but unfortunately ‘security through obscurity’ was often the approach taken – operations over protection. Fast forward to today, and whether you agree or disagree with the state of software security, we at least have the forums and infrastructure to address the issues at a working level.

The Forum of Incident Response and Security Teams (FIRST) is an international organization that provides best practices and assistance when dealing with a security incident. If an attack is underway, there is often strength in numbers for all those being exploited, and this is an avenue to share that information. If you come across a vulnerability in the software you are using on your systems, you have some options on how to handle it.

Many reported vulnerabilities are characterized under the Common Vulnerabilities and Exposures tracked in the National Vulnerability Database (NVD) maintained by MITRE. You should check here first to see if the issue is already reported. If it exists in the database, then the vendor is aware of the issue and should be working to correct it. There is, though, a level of confidentiality involved, to prevent public disclosure and exploitation before a fix is available. While I mentioned FIRST and NVD, your company may have other reporting requirements, so check first.

In the news this week with their annual PWN2OWN 2021 competition, the Zero Day Initiative continues to discover new vulnerabilities that will need to be addressed. This is a valuable service that allows the vendors to fix the previously unknown issues, discovered by the security research experts, before they are publicly disclosed for open exploitation.

Like those experts, we have an obligation to take action on any vulnerabilities we may discover in performing our regular patch or IT activities. Take the time to see if the vulnerability has been reported and contact the vendor to see if it is a known issue. We all benefit in the long run.

April 2021 Patch Tuesday forecast: Security best practices


Apr 09 2021

How do I select an attack detection solution for my business?

Category: Attack Matrix, Cyber Attack, DNS Attacks, MitM Attack | DISC @ 8:33 am

When selecting an attack detection solution, keep in mind that no single product will provide the detection required to identify and defend against the current advanced threat landscape. Defending holistically against threat actors requires technology, expertise, and intelligence.

The technology should be a platform of integrated technologies providing detection at each point of entry that a threat actor may use such as email, endpoint, network, and public cloud. These should not be disparate technologies that don’t work together to holistically defend the organization.

We must use technologies that can scale against threat actors that have a very large number of resources. The technology should also be driven by intelligence cultivated from the front lines, where incident responders have an unmatched advantage. It is also important to remember that, post-exploitation, threat actors masquerade as your own employees, making it difficult to tell legitimate from illegitimate activity on the network or your endpoints.

This is where intelligence and expertise are extremely valuable in determining when a threat actor is operating within the organization. Being able to identify the threat actor’s “calling card” and potential next moves is paramount. While many solutions will claim they defend against advanced threats, it is important to understand the experience a vendor has and how that experience is incorporated into their product offering.

How do I select an attack detection solution for my business?

Tags: attack detection solution


Apr 08 2021

4 things you can do to minimize cyberattacks on supply and value chains

Category: Vendor Assessment | DISC @ 11:06 am

The SolarWinds hack was a classic supply chain attack, compromising downstream organizations in order to traverse the victim’s extended enterprise of customers, suppliers, vendors and other third parties to gain unauthorized access to their on-premises and cloud systems.

The hack was unprecedented, transforming a core security product into a malware delivery system that provided unauthorized access to sensitive data for a minimum of nine months by escalating privileges, forging access tokens, and other alterations that went undetected.

Minimize supply chain cyberattacks

How can your organization protect itself from data breach by affected third parties in your supply or value chain? Apart from “basics” such as enforcing least privilege for third-party users and forcing administrative password resets on initial use (to avoid “username:admin, password:admin” scenarios), below are four unique and effective ways your organization can mitigate access-related third-party risk.

4 things you can do to minimize cyberattacks on supply and value chains

Tags: cyberattacks on supply and value chains


Apr 08 2021

Italian charged with hiring “dark web hitman” to murder his ex-girlfriend

Category: Cyber Espionage, Web Security | DISC @ 8:35 am

In a brief yet fascinating press release, Europol just announced the arrest of an Italian man who is accused of “hiring a hitman on the dark web”.

According to Europol:

The hitman, hired through an internet assassination website hosted on the Tor network, was paid about €10,000 worth in Bitcoins to kill the ex-girlfriend of the suspect.

Heavy stuff, though Europol isn’t saying much more about how it traced the suspect other than that it “carried out an urgent, complex crypto-analysis.”

In this case, the word crypto is apparently being used to refer to cryptocurrency, not to cryptography or cryptanalysis.

In other words, the investigation seems to have focused on unravelling the process that the suspect followed in purchasing the bitcoins used to pay for the “hit”, rather than on decrypting the Tor connections used to locate the “hitman” in the first place, or in tracing the bitcoins to the alleged assassin.

Fortunately (if that is the right word), and as we have reported in the past, so-called dark web hitmen often turn out to be scammers – after all, if you’ve just done a secret online deal to have someone killed, you’re unlikely to complain to the authorities if the unknown person at the other end runs off with your cryptocoins:

Tags: dark net, dark web


Apr 07 2021

Security Recommendations 2021: Taking Stock For The Long Term

Category: Information Security | DISC @ 2:36 pm


Apr 07 2021

Crooks use Telegram bots and Google Forms to automate phishing

Category: Phishing | DISC @ 9:04 am

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has found that cybercriminals increasingly use legitimate services such as Google Forms and Telegram to collect user data stolen on phishing websites. These alternative collection channels help cybercriminals keep the data safe and start using it immediately. In addition, ready-to-go platforms that automate phishing, available on the darknet, also have Telegram bots at their core, with an admin panel used to manage the entire phishing attack and keep the financial records linked to it. Such platforms are distributed under the cybercrime-as-a-service model, which leads to more groups conducting attacks and widens the scope of cybercriminal activity.

Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and — traditionally — financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.

A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet. For cybercriminals who do not have strong coding skills, phishing kits are a way to effortlessly build infrastructure for large-scale phishing campaigns and quickly resume an operation if it’s blocked. By extracting phishing kits, cybersecurity analysts can identify the mechanism used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of phishing kits helps analysts detect digital traces that might lead to the developers of the phishing kit.

In 2020, as in the previous year, the main target for cybercriminals was online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.

Tags: phishing threats


Apr 07 2021

Too slow! Booking.com fined for not reporting data breach fast enough

Category: Data Breach | DISC @ 8:17 am

The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach.

Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough:

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.

According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the telephone.

The crooks apparently called staff at 40 different hotels in the region and talked them into handing over login details for hotel accounts on the Booking.com system.

Tags: not reporting data breach fast enough


Apr 06 2021

What is Third-Party Risk?

Category: Vendor Assessment | DISC @ 10:09 pm


Apr 06 2021

Zero Trust creator talks about implementation, misconceptions, strategy

Category: Zero trust | DISC @ 11:43 am


Apr 06 2021

Fileless Malware, Endpoint Attacks on the Rise

Category: Malware | DISC @ 9:26 am


Apr 05 2021

Securing Dev Environments is Security Leaders’ Top Concern

Category: App Security | DISC @ 12:27 pm

Tags: DevOps, SecDevOps


Apr 05 2021

Encryption is either secure or it’s not – there is no middle ground

Category: Cryptography | DISC @ 8:41 am

Adopting new rules

We remain deeply concerned, therefore, that the Council of the European Union is seeking to adopt new rules that would effectively do away with encryption. At the end of last year, they released a five-page resolution that called for the EU to pass new rules to govern the use of end-to-end encryption in Europe. We are completely against this resolution as it effectively ends the notion of true encryption.

There’s no such thing as strong encryption if you allow the institution of backdoors for government or law enforcement officials – and don’t believe any politicians who say otherwise – they are, at best, ill-informed. The most important takeaway here is that encryption is either secure or it is not. Users either have privacy or they do not.

Encryption is either secure or it’s not – there is no middle ground

Tags: Encryption is either secure or it’s not


Apr 05 2021

List of data breaches and cyber attacks in March 2021 – 21 million records breached

Category: Data Breach, Security Breach | DISC @ 8:00 am

Don’t be fooled by the fact that we only recorded 20,995,371 breached records in March; it was one of the leakiest months we’ve ever seen, with 151 recorded incidents.

By comparison, there was a seemingly Lilliputian 82 recorded breaches in January and 118 in February.

The issue is that in far more cases than we’d expect, the number of breached records wasn’t included in the notification, so we can’t include it here.

We typically expect ambiguity when it comes to ransomware, because organisations are locked out of their files and can’t calculate what’s been affected. But there were dozens of other cyber attacks and data breaches where the organisation either didn’t know or reveal the extent of the damage.

You can find our full list of incidents below, with those affecting UK organizations listed in bold.



Apr 04 2021

Malware attack on Applus blocked vehicle inspections in some US states

Category: Malware | DISC @ 10:39 am

Applus Technologies is a worldwide leader in the testing, inspection and certification sector. The company was recently hit by a malware cyberattack that impacted vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin.

The attack took place on March 30th. In response to the infection, the company was forced to disconnect its IT systems from the Internet to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems, but experts suspect a ransomware attack.

“Unfortunately, incidents such as this are fairly common and no one is immune,” said Darrin Greene, CEO of the US entity, Applus Technologies, Inc. “We apologize for any inconvenience this incident may cause. We know our customers and many vehicle owners rely on our technology and we are committed to restoring normal operations as quickly as possible.”

The company will need some time to fully restore operations and resume vehicle inspections; at the time of this writing it has yet to provide a timetable. According to the Department of Motor Vehicles (DMV), inspections will likely be suspended for at least another couple of days.

“Due to the enhanced technology and programming required to operate the program, it is imperative that we ensure every component of the program is free from malware, thoroughly tested and operating normally before bringing the program back online. The testing process will involve all of our agencies as well as the station owners who own and operate the computerized workstation equipment used to perform the motor vehicle inspections.” continues Applus Technologies.

“We will routinely update the return to service status as additional information becomes available. It is important to note that we want to make sure we have resolved all issues before restarting the system in order to avoid any additional delays or inconvenience once the program is back up and running.”

The Applus team is collaborating with the DMV, providing frequent updates on the status of the incident response. It is also working with the DMV to extend both the 60-day retest requirement and the free retest policy during this time.

Tags: Malware attack on Applus


Apr 03 2021

Applications Are Everything and Everywhere – Does Whack-a-Mole Security Work?

Category: App Security | DISC @ 10:53 pm

The SolarWinds digital supply chain attack began by compromising the “heart” of the CI/CD pipeline and successfully changing application code. It highlighted the major challenges organizations face in securing their applications across the software development lifecycle and is driving increased attention at the highest levels of enterprise and government. In fact, Reuters recently reported that the Biden administration is preparing an executive order outlining new software security and breach disclosure requirements.

As organizations look to strengthen their digital supply chain and protect the applications they develop and use, many are focusing on application secrets – which are ripe targets for attackers and can provide unrestricted privileged access to sensitive systems.

Cloud-Native Apps Expand Security Needs

Today, many organizations are taking a cloud-native approach to building, testing and deploying new applications – whether front- or back-office, consumer-facing, web or mobile. And by embracing DevOps methodologies and automation, they’re quickly moving along the digital maturity curve.

As applications are increasingly built using microservices and run in dynamic, short-lived containerized environments, everything needs to interact with each other – sharing secrets and credentials to securely access resources. The result: a lot more secrets that need to be secured.

What’s more, the powerful DevOps and automation tools developers use to build applications, such as Jenkins and Ansible, store massive amounts of credentials and secrets within them. This allows the projects, playbooks and scripts managed by these mission-critical “Tier 0” assets to access other tools, services and platforms. All of these tools also require high levels of privilege.


Apr 03 2021

Malware Hidden in Call of Duty Cheating Software

Category: Malware | DISC @ 2:29 pm

Part of the reason this attack could work so well is that game cheats typically require a user to disable key security features that would otherwise keep a malicious program out of their system. The hacker is basically getting the victim to do their own work for them.

“It is common practice when configuring a cheat program to run it with the highest system privileges,” the report notes. “Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc.”

Detailed report.


Practical Malware Analysis

Tags: Call of Duty Cheating Software


Apr 03 2021

Decrypting Cryptocurrencies

Category: Crypto | DISC @ 10:50 am

Cryptocurrencies are a topic that touches many areas; not only finance and investing but technology and even political arenas. Although apolitical in itself, it is the structure behind these cryptocurrencies that make them a much talked about subject amongst political purists from across the political spectrum. This structure can be boiled down to the following; think of cryptocurrencies as a ‘big spreadsheet’, and when you ‘mine’ crypto you essentially fill in the spreadsheet, keeping the ledger up to date on who is transferring currency to another party.

It is perhaps this decentralised nature which has contributed to the meteoric rise of cryptocurrency value. Modern investors see the value in having an immutable ledger, meaning that external users or third-parties cannot tamper with previous transactions. This becomes more crucial when you consider the impact that quantitative easing has had on the economy over the past several decades. Cryptocurrencies, compared to their physical counterparts, are practically immune from quantitative easing as there is a predetermined number of coins in circulation at one time meaning that they are impervious to inflation. This has contributed to more individuals over the years turning to cryptocurrencies as a ‘safe-haven asset’ in the same way that investors would traditionally turn to gold. In my eyes, I see Bitcoin as better at being Gold than Gold itself, because of its ability to be infinitely divisible into micro units and decimal points of a Bitcoin rather than a single gold coin. It also inherits another important characteristic of Gold which has fuelled its rise in price, it is finite – there will only ever be 21 million of them in circulation (once all mined). Compare this to standard modern currency, on money printing and inflation consider this: a fifth of all US Dollars were created in 2020, and now in 2021 President Biden is considering a $1.9 Trillion stimulus plan. Indeed, it is this effort by central banks across the globe to print their way out of a pandemic/unstable economy that – in my opinion – has led to the exponential price increase in Bitcoin during 2020 rather than any other factor. As long as this continues (which it almost certainly will), faith in fiat currency will wane and interest in “unprintable” cryptocurrencies will only increase.

more on: Decrypting Cryptocurrencies

Blockchain Bubble or Revolution:

Tags: Decrypting Cryptocurrencies


Apr 03 2021

Attackers are abusing GitHub infrastructure to mine cryptocurrency

Category: Crypto | DISC @ 10:41 am
https://securityaffairs.co/wordpress/116294/malware/github-infrastructure-attacks-miner.html

Code repository hosting service GitHub has launched an investigation into a series of attacks aimed at abusing its infrastructure to illicitly mine cryptocurrency.

Such attacks have been reported since at least the end of 2020, when some software developers reported the malicious activity on their repositories.

“I was attacked by a github user that crafted a malicious github action to start a crypto-mining program inside an action run. He triggered it in my github actions thanks to a shitty pull request.” reads a post reporting a similar attack.

The Record reported that threat actors are abusing the GitHub Actions feature, which was introduced to allow the automatic execution of software workflows.

Experts warn that threat actors are targeting repositories that have this feature enabled, adding malicious GitHub Actions and filing malicious Pull Requests so that the attacker’s code is executed.

“In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record.

“But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.”

In recent attacks, threat actors have executed their own malicious code to run cryptocurrency miners on the infrastructure of the code repository hosting service; in some cases, attackers could deploy hundreds of miners in a single attack.

Tags: mine cryptocurrency

