Mar 05 2021

External Remote Services

Category: Access Control, APT | DISC @ 11:43 pm

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Detection

Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.
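The following added example (not part of the original post) shows one way to apply this detection guidance to gateway authentication logs. The log format, the 08:00 to 18:00 weekday business window, the failure threshold, and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample lines in a hypothetical gateway log format (UTC timestamps).
SAMPLE_LOG = """\
2021-03-01T09:02:11Z vpn-gw auth result=success user=alice src=198.51.100.10
2021-03-01T09:15:40Z vpn-gw auth result=success user=bob src=198.51.100.22
2021-03-02T02:47:03Z vpn-gw auth result=success user=alice src=203.0.113.77
2021-03-02T10:00:01Z vpn-gw auth result=failure user=carol src=192.0.2.5
2021-03-02T10:00:09Z vpn-gw auth result=failure user=carol src=192.0.2.5
2021-03-02T10:00:15Z vpn-gw auth result=failure user=carol src=192.0.2.5
2021-03-02T10:00:22Z vpn-gw auth result=failure user=carol src=192.0.2.5
2021-03-02T10:00:30Z vpn-gw auth result=success user=carol src=192.0.2.5
2021-03-06T14:30:00Z vpn-gw auth result=success user=bob src=198.51.100.22
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
# Assumed policy values; tune them to the organization's real working pattern.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def outside_business_hours(ts):
    """True on weekends or outside the assumed weekday window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(log_text):
    """Return (timestamp, user, reason) findings for successful logins."""
    known_sources = defaultdict(set)     # sources seen on earlier successes
    recent_failures = defaultdict(deque)  # failure times inside the window
    findings = []
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts = e["user"], e["ts"]
        fails = recent_failures[user]
        while fails and ts - fails[0] > FAILURE_WINDOW:
            fails.popleft()
        if e["result"] == "failure":
            fails.append(ts)
            continue
        stamp = ts.isoformat()
        if outside_business_hours(ts):
            findings.append((stamp, user, "out_of_hours"))
        # The first successful source is the baseline; later new ones are flagged.
        if known_sources[user] and e["src"] not in known_sources[user]:
            findings.append((stamp, user, "new_source"))
        # A success right after repeated failures suggests a guessed password.
        if len(fails) >= FAILURE_THRESHOLD:
            findings.append((stamp, user, "success_after_failures"))
        known_sources[user].add(e["src"])
        fails.clear()
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The `success_after_failures` finding is also a check on the lockout mitigation: with a working lockout policy, a success after that many failures should not occur.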

Mitigations

  • Disable unnecessary external remote services.
  • Set account lockout policies to prevent password guessing.
  • Use two- or multi-factor authentication for such services.
  • Collect and monitor external remote services logs for unauthorized access.


Mar 05 2021

Ransomware empire prospers in pandemic-hit world. Attacks grow by 150%

Category: Cybercrime, Ransomware | DISC @ 12:23 pm

Group-IB published a report titled “Ransomware Uncovered 2020-2021” that analyzes the ransomware landscape in 2020 and the TTPs of major threat actors.

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has presented its new report “Ransomware Uncovered 2020-2021”. The research dives deep into the global ransomware outbreak in 2020 and analyzes major players’ TTPs (tactics, techniques, and procedures).

By the end of 2020, the ransomware market, fuelled by the pandemic turbulence, had turned into the biggest cybercrime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, with many restless players having joined the Big Game Hunting last year.

In 2020, ransomware attacks on average caused 18 days of downtime for the affected companies, while the average ransom amount increased almost twofold. Ransomware operations turned into robust competitive business structures going after large enterprises, with the Maze, Conti, and Egregor gangs having been at the forefront last year. North America, Europe, Latin America, and the Asia-Pacific became the most commonly attacked regions respectively.

To keep the cybersecurity professionals up to date with how ransomware gangs operate and help the defense teams thwart their attacks, Group-IB’s DFIR team has for the first time mapped the most commonly used TTPs in 2020 in accordance with MITRE ATT&CK®. If you are a cybersecurity executive, make sure your technical team receives a copy of this report for comprehensive threat hunting and detection tips. 

More on: Most Active Ransomware Gangs in 2020

The growing threat of ransomware has put it in the spotlight of law enforcement. Some gangs operating under the Ransomware-as-a-Service (RaaS) model, such as Egregor and Netwalker, were impacted by the police efforts. Another notorious RaaS collective, Maze, called it quits at the end of 2020. Despite these events, the ransomware business continues prospering, with the Ransomware-as-a-Service model being one of the driving forces behind this phenomenal growth.

Tags: Ransomware Gangs


Mar 05 2021

Fraud attempts skyrocketed in 2020 according to latest Financial Crime Report from Feedzai

Category: Cybercrime | DISC @ 10:27 am

Feedzai, a cloud-based risk management platform, has announced its Financial Crime Report Q1, 2021. Feedzai’s data from financial transactions across the world shows a stark difference in consumer behaviour and financial crime in the Asia-Pacific (APAC) region as compared to Europe (EU) and North America (NA). A clear image appears – a hyper-digital world where east and west are in different recovery stages, reflecting different regional financial crime trends.

Overall, 2020 allowed fraudsters to rejoice at the rapid shift to digital banking and commerce while consumers got swindled by purchase, impersonation, money mule schemes, and account takeover scams.

650% Increase in Account Takeover (ATO) Scams in Q4

In an ATO attack, fraudsters obtain stolen credentials, account information, and passwords that belong to legitimate users. Once they access the account, they can transfer funds or buy goods with stolen credentials. Transfers occur when consumers move money from one account to another. The growing popularity of real-time payment functions, combined with the expansion of online banking, means that money moves quickly, and once it’s gone, it’s almost impossible to get back.

Feedzai’s fraud experts noticed an uptick of stolen credentials for sale on the dark web in 2020. The proliferation of stolen credentials, along with the exponential rise in online transactions, provided ideal conditions for fraudsters to blend in with legitimate consumer traffic without being detected.

250% Increase in Attempted Fraud on Online Banking

Online banking isn’t new, but it’s newly popular. There’s been a 200% increase in mobile banking, and fraudsters worked to blend in among them. Online banking experienced a 250% increase in attempted fraud. As expected, both telephone and branch fraud rates dropped to lower levels than they had been before the pandemic.

178% Fraud Rate Increase for Digital Media

In Q2 2020, during the height of global lockdowns, demand for books and streaming services such as music and movies increased. Demand remained strong in the APAC region, but NA and EU eventually returned to pre-pandemic baseline levels. The story around fraud is quite different, at least for NA and EU. In these regions, attempted fraud attacks increased a whopping 178% since January 2020.

48% Drop in Card Present Fraud Attacks; Volume Only Drops 20%

Card present transactions dropped by about 20% at the start of the pandemic and have consistently remained around that level. However, fraud attacks tumbled by an incredible 48%.

Card not present Transactions Drive 70% of Fraud Attacks

Fraudsters love CNP transactions, and without essential security measures such as machine learning, behavioral analytics, biometrics, and two-factor authentication (2FA), they likely will continue for some time to come.

Top 5 Transfer Fraud Schemes

Across the board, the pandemic was a boon for fraudsters and a burden for consumers. When it comes to transfers fraud, criminals were more drawn to the following five fraud schemes than to all others.

  1. Impersonation Scams – 23%
  2. Purchase Scams – 22%
  3. Account Takeover Scams – 22%
  4. Investment Scams – 6%
  5. Romance Scams – 3%

Top 5 Anti Money Laundering Red Flags

Tags: Cyber Frauds, Fraud attempts


Mar 04 2021

CMMC and DFARS Compliance

Category: CMMC | DISC @ 5:14 pm

Have you been tasked by the Department of Defense with proving that you are compliant with CMMC or DFARS cyber security controls?

Download CMMC and DFARS Compliance pdf

Tags: CMMC and DFARS Compliance


Mar 04 2021

The Ultimate Blockchain & Bitcoin Guide

Category: Crypto | DISC @ 12:15 pm

Let us start with a scenario. Whenever there is an election, we always hear the rumor that there is rigging in the election. In the end, the result is either re-election or a recount of the votes. This whole process is a waste of time and money. If we cannot believe this system the first time, how can we do it a second time? And it is a great scenario where blockchain can be used in real life.

Now, what is the Blockchain?

If you search for blockchain on Google, you get millions of results that tell us about blockchain. Judging by these millions of findings, it turns out that blockchain technology is one of the cutting-edge and popular technologies. Blockchain is a decentralized, transparent, and trustless system in which there is no need for any middleman or central authority. The contrast is with companies like banks, where a middleman is involved. Blockchain is a trustless system, and it uses algorithms to build trust within decentralized systems. Often, we hear that a blockchain is unchangeable, which means that whatever is written once inside the blockchain can never be erased again. Blockchain performs two functions, reading and creating.

Most people think that blockchain is bitcoin and limited to cryptocurrency, or that only the financial industry uses it. But in fact, blockchain can solve lots of real-world problems, like the voting system we talked about in the beginning. So, blockchain is an online distributed system in which you store information, and this information can also be accessed by other parties. All information is stored inside a block or container, like a register. And all the blocks/registers are linked to each other like a chain, as the name blockchain suggests.

There are three things in each block within the blockchain.

  • Data of the block: This block contains all information like sender, receiver, coins, source, or destination address, etc.
  • Hash of the block data: It is known as the backbone of the blockchain. Hash is the encryption technique used to secure the data. It is never easy to decrypt the hashes, as they use a fixed length of alphanumeric characters for encryption. And the hash value always stays unique.
  • Hash of the previous block: Helps to create a chain with the hash of the previous block.
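The three fields above can be shown as a minimal hash chain. This is an added example, not code from the guide: it assumes SHA-256 over a canonical JSON encoding, uses constructed vote records that echo the election scenario, and omits consensus and signatures, which real blockchains add on top.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder "previous hash" for the first block

# Constructed sample records for the voting scenario.
SAMPLE_VOTES = [
    {"voter": "v-001", "choice": "A"},
    {"voter": "v-002", "choice": "B"},
    {"voter": "v-003", "choice": "A"},
]


def block_hash(data, prev_hash):
    """One-way SHA-256 digest over the block data and the previous block's hash."""
    payload = json.dumps(
        {"data": data, "prev_hash": prev_hash},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records):
    """Create blocks holding data, the previous block's hash, and their own hash."""
    chain, prev = [], GENESIS_PREV
    for data in records:
        digest = block_hash(data, prev)
        chain.append({"data": data, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        if block["prev_hash"] != prev:
            return index  # link to the previous block is broken
        if block["hash"] != block_hash(block["data"], block["prev_hash"]):
            return index  # stored hash no longer matches the block contents
        prev = block["hash"]
    return None


def tamper(chain, index, new_data, rehash):
    """Return a modified copy of the chain; optionally recompute the edited hash."""
    forged = copy.deepcopy(chain)
    forged[index]["data"] = new_data
    if rehash:
        forged[index]["hash"] = block_hash(new_data, forged[index]["prev_hash"])
    return forged


if __name__ == "__main__":
    chain = build_chain(SAMPLE_VOTES)
    changed = {"voter": "v-002", "choice": "A"}
    print("untouched chain:", first_invalid_block(chain))
    print("edit block 1:", first_invalid_block(tamper(chain, 1, changed, False)))
    print("edit + rehash block 1:", first_invalid_block(tamper(chain, 1, changed, True)))
    # Editing and rehashing the final block passes this check, because no later
    # block commits to it. The newest hash must be agreed on by other parties.
    last = {"voter": "v-003", "choice": "B"}
    print("edit + rehash last block:", first_invalid_block(tamper(chain, 2, last, True)))
```

Changing an earlier block is caught either at that block or at its successor, while the last case shows why the chain's latest hash has to be known to the other parties for the record to be tamper-evident.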

Source: The Ultimate Blockchain & Bitcoin Guide

Tags: Blockchain & Bitcoin Guide, Blockchain Bubble or Revolution


Mar 04 2021

Distance Learning Training Courses

Category: Information Security, Security training | DISC @ 11:25 am

Get 50% Off Our ITIL Distance Learning Training Course

ITIL qualifications are in high demand! We’re currently offering 50% off our ITIL 4 Foundation distance learning training course with promo code ITIL50. https://tidd.ly/3eb99n8

Get 30% Off Distance Learning Training Courses

ITG distance learning courses let you train at a time and place that suits you! We’re currently offering 30% off all our distance learning training courses with promo code DL30. https://tidd.ly/3sNintQ

Get 20% Off Our Live-Online Training Courses

Train from home or the office with 20% off our Live-Online training courses with promo code ONLINE20. https://tidd.ly/3rhitcT

Get 15% Off Our Toolkits

Speed up your implementation and compliance projects with 15% off all our toolkits with promo code Toolkit15. https://tidd.ly/3uUB0Op

Tags: Distance Learning Training Courses


Mar 04 2021

Another Chrome zero-day exploit – so get that update done!

Category: Web Security | DISC @ 12:32 am

Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update bulletin that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those days/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.

Tags: Chrome zero-day


Mar 03 2021

Bug bounty hunter awarded $50,000 for a Microsoft account hijack flaw

Category: Windows Security | DISC @ 3:00 pm

Microsoft has awarded the security researcher Laxman Muthiyah $50,000 for reporting a vulnerability that could have allowed anyone to hijack users’ accounts without consent.

According to the expert, the vulnerability only impacts consumer accounts.

The vulnerability is related to the possibility to launch a bruteforce attack to guess the seven-digit security code that is sent via email or SMS as a method of verification in password reset procedure.

“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that we will be asked to select the email or mobile number that can be used to receive security code.” the expert wrote. “Once we receive the 7 digit security code, we will have to enter it to reset the password. Here, if we can bruteforce all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”

The researcher pointed out that rate limits are implemented to limit the number of attempts and protect the accounts.

The analysis of the HTTP POST request sent to validate the code revealed that the code is encrypted before being sent. This means that in order to automate bruteforce attacks it was necessary to break the encryption.

Tags: Bug Bounty, Microsoft


Mar 03 2021

Exchange Servers targeted via zero-day exploits, have yours been hit?

Category: Email Security, Zero day | DISC @ 8:59 am

Microsoft has released out-of-band security updates for seven bugs affecting Microsoft Exchange Servers, four of which are zero-day vulnerabilities being exploited by attackers in the wild to plunder on-premises machines.

Source: The zero-day bugs affecting Exchange Servers

Tags: Exchange Servers


Mar 02 2021

Proliferation of sneakerbots across industries

Category: Botnet | DISC @ 11:36 pm

A sneakerbot by any other name

What we are observing now is the increasing proliferation of sneakerbots across all industries. As it currently stands, more than 30% of all internet traffic is generated by unwanted bots, a number which will exceed 50% within the next few years. The rapid digital transformation brought about over the past several years has acted as a catalyst for this substantial growth in synthetic traffic.

Whether they are large, organized groups or DIYers, bot operators leverage automation because it’s cheap, easy to use, generates large amounts of profit, and makes success at scale viable.

Here are some recent examples of sneakerbots being used in different industries:


Tags: sneakerbots


Mar 02 2021

Pwn20wnd released the unc0ver v 6.0 jailbreaking tool

Category: Jail break | DISC @ 4:40 pm

The popular jailbreaking tool called “unc0ver” now supports iOS 14.3 and earlier releases, and is able to unlock almost every iPhone device.

Pwn20wnd, the author of the jailbreaking tool “unc0ver,” has updated their software to support iOS 14.3 and earlier releases. The last release of the jailbreaking tool, unc0ver v6.0.0, now includes the exploit code for the CVE-2021-1782 vulnerability that Apple in January claimed was actively exploited by threat actors.

By jailbreaking an iOS mobile device it is possible to remove hardware restrictions implemented by Apple’s operating system. Jailbreaking gives users root access to the iOS file system and manager, which allows them to download and install applications and themes from third-party stores.

Apple did not disclose info about the attacks in the wild exploiting this vulnerability.

The CVE-2021-1782 flaw is a race condition issue that resides in the iOS operating system kernel.

“A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory. “A race condition was addressed with improved locking.”

unc0ver v6.0.0 could be used to unlock any device running iOS 11.0 through iOS 14.3, as announced by Pwn20wnd on Twitter.

Tags: Jail Break, Pwn20wnd


Mar 02 2021

Cybersecurity Best Practices for 2021

Category: cyber security, Information Security | DISC @ 2:02 pm

CYBERSECURITY: It’s not just a good idea. Register to learn more.


Tags: Cyber Security Webinar


Mar 02 2021

Search crimes – how the Gootkit gang poisons Google searches

Category: Cybercrime | DISC @ 1:06 pm

Ransomware gets the big headlines, because of the enormous blackmail demands that typically arrive at the end of ransomware attacks.

Indeed, the word “ransom” only expresses half the drama these days, because modern ransomware attacks usually involve the crooks making copies of all your data first before scrambling it.

The crooks then demand a combination payout, part ransom and part hush-money.

You’re not only paying to get the local copies of your data unscrambled, but also paying for a promise from the crooks that they’ll delete all the data they just stole instead of releasing it to the public.

But what about the very start of a ransomware attack?

Technically, that’s often a lot more interesting – and often more important, too, given that many ransomware attacks are merely the final blow to your network at the end of what may well have been an extended attack lasting days, weeks or even months.

Given the danger that arises as soon as the crooks sneak into your network, it’s as important to learn how malware gets delivered in the first place as it is to know what happens to your files when ransomware finally scrambles them.

With this in mind, SophosLabs has just published an intriguing report on a malware delivery ecosystem dubbed Gootloader.

You may have heard reference to Gootkit, a name given to the malware family of which Gootloader forms a part, because it’s been around for several years already.

But SophosLabs decided to give the initial delivery mechanism a name of its own and study it in its own right:

The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft. In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.

In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader.

The report goes into the sort of detail that is well worth knowing if you’re interested in how modern malware embeds and extends itself inside a network, including a discussion of so-called “fileless” attacks.


Tags: Gootkit gang, poisons Google searches


Mar 01 2021

Cybersecurity Best Practices for 2021

Category: Information Security | DISC @ 6:50 pm

CYBERSECURITY: It’s not just a good idea. Register to learn more.

Please join Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, CISO Sharevault from the safety of your desk on Thursday, March 4th at 9am PST as our experts explore this ongoing threat and offer best practices for mitigation.

If cybersecurity is part of your strategic plan for 2021, and it should be, then you might want to check out the National Cybersecurity Society (NCSS).

The National Cybersecurity Society is a community of participating technology professionals focused on helping small businesses stay safe online. The NCSS is a non-profit organization that provides cybersecurity education, awareness and advocacy to its small businesses members, specifically cybersecurity education tailored to the needs of the small business owner. The NCSS assists its small business members in assessing their cybersecurity risk, distributes threat information to members so that they will be more knowledgeable about the threats facing their business, and provides advice on the type of services needed to stay safe online. You know cybersecurity is important, but where do you start? What organizational assets do you need to protect? Is it only your IT assets? Is it your IP?

The NCSS website provides several helpful guides to get you started on your cybersecurity journey. At the top of the list is simply understanding and identifying what is vital to protect. It starts with employing a Risk Assessment Methodology. This involves identifying your organizational assets (people, information, technology, facilities) and assigning the responsibility of those assets in order to protect them appropriately.

Once organizational assets are defined, the next step is to define the relationship between those assets and the high-value services they support. This requires a process that examines and validates this relationship through periodic reviews. Lastly, it requires your organization to maintain and sustain an inventory of these assets and high-value services. It’s important to keep this information up to date and modified when circumstances or events change.

STEP 1: INVENTORY

Create an inventory of your people – not just your employees, but your suppliers and partners, the data you need to run your business, the technology assets you need (computers, servers – the entire infrastructure), and the facilities needed to house and operate your business.

STEP 2: HIGH-VALUE SERVICES

Create a list of high-value services that keep your business functioning – logistics, financial, service delivery, assembly, manufacturing. Define what are the key services you need – those services that if lost, delayed or compromised would impact your business.

STEP 3: MAPPING

Create a mapping of people, data, technology and facilities to the high-value services they support. Define the relationship between these assets and the high-value services. Validate the relationship through periodic reviews. As an example, if the supplier for your medical equipment changes, and this supplier has been identified as key personnel, have you updated your mapping relationships? Did you review the contract with the new medical supplier to determine if anything has changed that would affect your service delivery? Leveraging your people to take responsibility for certain high-value services and keeping the critical information current is key to protecting your assets.

STEP 4: INVENTORY PLAN

A plan is only useful if it is kept current and up-to-date. Schedule an annual inventory and mapping exercise to ensure that the protection mechanisms you employ support valid assets. A good rule of thumb: Once a year.

STEP 5: CONTINUITY PLAN

A sound business strategy includes continuity plans. For all your high-value services that depend on critical people, data, technology and facilities, you will need a contingency plan in place in the event any of these assets is compromised. The NCSS also has helpful resources on how to develop a Continuity Plan.

If you’d like to learn more about The NCSS and best practices for cybersecurity for your business, please join ShareVault for our upcoming webinar on cybersecurity. For this webinar we’ve assembled a panel of cybersecurity experts (including the founder of The National Cybersecurity Society) to discuss the current cyberthreat landscape, the bad actors, and best practices for preventing a devastating breach that could cost your company millions.

The panel includes Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, ShareVault’s Chief Information Security Officer who formerly provided information security to NASA.

Source: Cybersecurity Best Practices for 2021


Mar 01 2021

5 Top Cybersecurity Career Paths & Certifications

Category: Security Awareness, Security training | DISC @ 1:05 pm

We are living in a world of innovations. Now, imagine innovative technologies with zero security: that would be a big nightmare. Cybersecurity comes to the rescue here. Cybersecurity is an immense ocean of various fields. Many skillful fish live in this ocean with lots of expertise. Cybersecurity is what keeps all organizations sane and safe. For that reason, I will discuss the fields that are currently growing and the certifications that help in those fields.

Before diving into the ocean of cybersecurity, let us understand why to choose cybersecurity. Imagine being the CEO of a digital children’s toy-making corporation, promising every parent that the information provided about children inside the toys will stay safe. Then the organization faces a cyber-attack that leaks all the information about the children. That is a big downfall for the organization’s reputation.

Cybersecurity promises to secure the organization’s systems from cyberattacks and to keep user information safe. Cybersecurity professionals put all their efforts into creating a secure and protected environment, not only for organizations but also for all the users connected to the network/internet.

The world is becoming more digital day by day, and the growth in cybersecurity is not slowing. The rates of cybercrime are also increasing, bringing many opportunities for jobs in cybersecurity.

According to the New York Times, 3.5 million cybersecurity jobs are available this year. The United States Bureau of Labor Statistics (BLS) estimates that in the next ten years, cybersecurity jobs will increase 30% compared to other computing jobs.

Job performance is another category where cybersecurity staff performs well. The (ISC)2 Cybersecurity Workforce Report in 2019 showed that 71% of cybersecurity professionals in the United States are happy with their employment.

Now, the question that arises is where to give a kick start in cybersecurity.

Breaking IN: A Practical Guide to Starting a Career in Information Security by [Ayman Elsawah]

Tags: Cybersecurity Career


Mar 01 2021

Intern caused ‘solarwinds123’ password leak

Category: Password Security | DISC @ 11:19 am

Initial investigation suggested that the password “solarwinds123” was publicly accessible via a misconfigured GitHub repository since June 17, 2018. The issue was addressed on November 22, 2019.

New details emerged about the security breach: in a hearing before the House Committees on Oversight and Reform and Homeland Security, CEO Sudhakar Ramakrishna confirmed that the password had been in use as early as 2017.

A preliminary investigation revealed that the threat actors behind the SolarWinds attack compromised the SolarWinds Orion supply chain as early as October 2019, but later CrowdStrike’s researchers dated the initial compromise to September 4, 2019.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”

“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna said in response to Porter.


Tags: solarwinds123


Feb 28 2021

Npower shuts down app after hackers steal customer bank info

Category: Cyber Threats, Cybercrime, Hacking | DISC @ 11:03 pm

Tags: Npower


Feb 28 2021

Why enterprises need rugged devices with integrated endpoint management systems

Paired longevity solutions in hardware and software

There is a solution to both these issues – durability and security.

Rugged devices are designed specifically for your hardworking enterprise operations. They integrate seamlessly into UEM and MDM platforms, can be trained to only engage with secure networks, and can be geofenced to turn themselves into expensive paperweights if taken off-property.

Rugged devices are not only trusted for their durability and performance, but their security capabilities are also unparalleled when it comes to providing your IT security team with top-down controls over device management and data security.

Their sturdy construction, replaceable shift batteries, and stable software platform ensure that your investment will last for years and will eliminate “down-time” (if used correctly).

What’s more, a survey conducted by Samsung found that employees were not only open to using ruggedized devices, over 90% of respondents currently using rugged tech – and over half of non-user respondents – wanted management to invest more into such devices.


Tags: MDM, UEM


Feb 28 2021

EU leaders aim at boosting defense and security, including cybersecurity

Category: cyber security | DISC @ 12:21 pm

During the recent video conference of the members of the European Council (25-26 February 2021), NATO chief Jens Stoltenberg highlighted the importance of defining a strategy to boost defense and security.

“We want to act more strategically, to defend our interests and to promote our values.” said Charles Michel, President of the European Council. “We will step up our cooperation and our coordination to combat hybrid threats and disinformation.”

Member states highlighted the importance of close cooperation with NATO and strengthening partnerships with the UN and key regional partners. The EU leaders emphasized that they looked forward to cooperating with the new US administration on a strong and ambitious transatlantic agenda that included a close dialogue on security and defence.

Participants are committed to providing secure European access to space, cyberspace and the high seas.

“In light of the growing number and complexity of cyber threats, we aim to strengthen European cyber resilience and responsiveness and to improve the cybersecurity crisis management framework. Following the Cybersecurity Strategy presented in December 2020, we invite the Commission and the High Representative to report on implementation by June 2021.” reads a statement from EU leaders. “In addition, we invite the co-legislators to swiftly take work forward, particularly on the revised Directive on security of network and information systems (NIS 2 Directive). We also call for greater cooperation and coordination to prevent and respond to hybrid threats, including disinformation, inter alia by involving the private sector and relevant international actors.”

EU leaders invited the Commission and the High Representative, Josep Borrell, to work on the implementation of the Cybersecurity Strategy by June 2021.

Tags: boosting defense and security, EU leaders


Feb 26 2021

The M.D. Anderson Case and the Future of HIPAA Enforcement

Category: hipaa | DISC @ 11:09 am

The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2001), the 5th Circuit struck down a fine and enforcement action by HHS as arbitrary and capricious.  This case has significant implications for HHS enforcement — and for agency enforcement more generally.

My reactions to the case are mixed. The court makes a number of good points, and it identifies flaws with HHS’s interpretation of HIPAA and with its enforcement approach. But there are parts of the opinion that overreach and that are unrealistic.

The case arises out of an HHS civil monetary penalty (CMP) against the University of Texas M.D. Anderson Cancer Center for $4,348,000 for a series of incidents involving unencrypted portable electronic devices being lost or stolen. In 2012, a faculty member had ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and visiting researcher lost unencrypted USB drives with ePHI of thousands of patients on them. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule for the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.

Applying the Administrative Procedure Act (APA), the Fifth Circuit concluded that HHS’s enforcement was “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2).  There are several parts of the court’s decision that are worth discussing.

(1) Interpretation of the Encryption Rule

The court held that HHS misinterpreted the HIPAA Encryption Rule. The rule states that covered entities must “implement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv).  HHS contended that the rule was violated because the devices weren’t encrypted. The court, however, emphasized that the rule used the words “implement a mechanism to encrypt” rather than to ensure that devices were encrypted:

Source: The M.D. Anderson Case and the Future of HIPAA Enforcement

Tags: M.D. Anderson Case

