Mar 09 2021

Apple fixes CVE-2021-1844 RCE that affects iOS, macOS, watchOS, and Safari

Category: Security vulnerabilities | DISC @ 10:13 am

Apple has released out-of-band security patches for iOS, macOS, watchOS, and the Safari web browser to address a critical security flaw tracked as CVE-2021-1844.

The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. The flaw could be exploited by remote attackers to run arbitrary code on vulnerable devices by tricking users into visiting malicious web content.

The vulnerability is caused by a memory corruption issue that could be triggered to cause arbitrary code execution when processing specially crafted web content.

“Processing maliciously crafted web content may lead to arbitrary code execution.” reads the advisory published by Apple. “Description: A memory corruption issue was addressed with improved validation.”

Apple has improved validation to address the vulnerability.

Apple has released an update for devices running iOS 14.4, iPadOS 14.4, macOS Big Sur, and watchOS 7.3.1 (Apple Watch Series 3 and later). Apple also released an update to Safari for MacBooks running macOS Catalina and macOS Mojave.

In March, Pwn20wnd, the author of the jailbreaking tool “unc0ver,” updated the software to support iOS 14.3 and earlier releases. The latest release of the jailbreaking tool, unc0ver v6.0.0, includes exploit code for the CVE-2021-1782 vulnerability that Apple said in January was being actively exploited by threat actors. CVE-2021-1782 is a race condition in the iOS kernel.

Tags: CVE-2021-1844, macos, safari, watchos


Mar 09 2021

How a push to remote work could help fix cybersecurity’s diversity problem

When Rinki Sethi heard that her 7th grade daughter applied to take a technology innovation class as an elective, she was thrilled. Sethi, who joined Twitter in September as its chief information security officer, said one of her passions is getting more young women interested in technology.

But when her daughter found out that she didn’t get into the class, Sethi discovered a troubling statistic: 18 slots for the class went to boys, while only 9 were filled by girls. “I went and sat down with the principal and asked: ‘Why are we turning down girls if that’s what the ratio looks like?’” Sethi recounted Monday at a virtual panel centered around women in cybersecurity. “We need more women to enter this field, and I think that’s the biggest problem—how do we get more women and girls interested.” 

Source: How a push to remote work could help fix cybersecurity’s diversity problem

Tags: cybersecurity’s diversity


Mar 08 2021

Starting your cybersecurity career path: What you need to know to be successful

A comprehensive guide to getting started in cybersecurity

Tags: Cybersecurity Career


Mar 08 2021

How Hackers Cash out Stolen Bitcoin & Ransomed

Category: Crypto | DISC @ 4:35 pm

Since cryptocurrency transactions are virtually anonymous, cybercriminals use them in dark markets for illicit trading. Through ransomware attacks like WannaCry, Petya, Locky, and Cerber, hackers receive a lot of money. Moreover, we learn about a cryptocurrency exchange hack every so often, in which attackers steal thousands of dollars in Bitcoin. But how do they cash out, i.e., convert stolen money into fiat currency?

An example of how much hackers are after cryptocurrencies is the recent news of the “thefts of 2020”. Bitcoin is one of the most valuable cryptocurrencies, and about half a billion dollars of it in total was stolen.

After stealing thousands of cryptocurrencies from exchanges and ransomware targets, understandably, cybercriminals will not retain them in electronic form. The next move is to turn cryptocurrency into real-world currency. Several cryptocurrency platforms enable cybercriminals to cash out their bitcoin without being detected, i.e., anonymously.

According to Google researchers, many victims buy bitcoins through Craigslist and Localbitcoins. And since 2014, more than 95% of all bitcoin payments received from ransomware targets were cashed out through a Russian bitcoin exchange called BTC-E.

As per a report by Chainalysis, cybercriminals use progressively more sophisticated techniques to transform illicitly acquired cryptocurrency into real money. Criminal entities sent $2.8 billion in bitcoin via cryptocurrency exchanges in 2019. Attackers also utilize platforms known as “over-the-counter brokers” to turn cryptocurrency into real money.

Tags: Cash out Stolen Bitcoin


Mar 08 2021

UnityMiner targets unpatched QNAP NAS in cryptocurrency mining campaign

Category: Crypto, Cybercrime | DISC @ 11:11 am

Researchers at 360Netlab are warning of a cryptocurrency malware campaign targeting unpatched network-attached storage (NAS) devices.


Threat actors are exploiting two unauthorized remote command execution vulnerabilities, tracked as CVE-2020-2506 & CVE-2020-2507, in the Helpdesk app; both were fixed by the vendor in October 2020.

The flaws affect QNAP NAS firmware versions prior to August 2020.

The malware involved in the campaign was dubbed UnityMiner by 360 Netlab experts.

“On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507, upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities.” reads the analysis published by 360 Netlab.

Threat actors customized the program to hide the mining process and the real CPU and memory usage, concealing the malicious activity from QNAP owners who check their system usage via the web management interface.

The mining program is composed of unity_install.sh and Quick.tar.gz. unity_install.sh downloads, sets up and executes the cryptocurrency miner and hijacks the manaRequest.cgi program of the NAS. Quick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged manaRequest.cgi. Unity is an XMRig cryptocurrency miner.

360 Netlab shared its findings with the vendor on March 3rd, and due to the possible big impact, the researchers publicly disclosed the attacks.

All NAS devices with QNAP firmware released before August 2020 are currently vulnerable to these attacks. 

The experts reported 4,297,426 potentially vulnerable QNAP NAS devices exposed online (951,486 unique IP addresses), most of them located in the United States, China, and Italy.

Tags: cryptocurrency mining, QNAP NAS, UnityMiner


Mar 08 2021

Catches of the month: Phishing scams for March 2021

Category: Phishing | DISC @ 12:10 am


Mar 07 2021

Security awareness programs: The difference between window dressing and behavior change

Category: Security Awareness | DISC @ 11:59 pm


Mar 07 2021

Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

Category: App Security, Trojan | DISC @ 6:44 pm

If you’ve ever used the Python programming language, or installed software written in Python, you’ve probably used PyPI, even if you didn’t realize it at the time.

PyPI is short for the Python Package Index, and it currently contains just under 300,000 open source add-on modules (290,614 of them when we checked [2021-03-07T00:10Z]).

You can download and install any of these modules automatically just by issuing a command such as pip install [nameofpackage], or by letting a software installer fetch the missing components for you.

Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.

Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.

Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.
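The two tricks above (typosquatted names on the public index, and public copies of names that are only meant to exist on a private index) are both visible in a project's own requirements file before anything is installed. The audit below is an added example, not code from the original post, PyPI or pip: it takes one requirement per line, normalizes names the way PyPI does (PEP 503), flags names that are not on a team-maintained approved list, flags approved names that a dependency is within two edits of, treats a constructed set of internal package names as "must never come from public PyPI", and reports unpinned versions and missing `--hash=` values, which is what lets pip refuse a substituted artifact. The approved and internal package names are constructed for the example.

```python
"""Audit a requirements list for supply-chain warning signs.

Added example; not from the original post, PyPI or pip. The allowlists
below are constructed for illustration, as is the assumption that each
requirement (with its --hash) sits on a single line.
"""
import re

# Constructed allowlist: packages the team has reviewed and approved.
APPROVED = {"requests", "numpy", "cryptography", "urllib3"}
# Constructed set of internal package names: these must be pulled from a
# private index, never from public PyPI (dependency-confusion guard).
INTERNAL = {"internal-billing"}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;#]+))?(.*)$")


def normalize(name):
    """PEP 503 normalization: case-insensitive; runs of - _ . become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquat) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirement(line):
    """Return a list of findings (strings) for one requirements.txt line."""
    findings = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return findings
    m = REQ_LINE.match(line)
    if not m:
        return [f"unparseable requirement: {stripped}"]
    name = normalize(m.group(1))
    version = m.group(3)
    rest = m.group(4)
    if name in INTERNAL:
        findings.append(f"{name}: internal package; must resolve from the private index, not public PyPI")
    elif name not in APPROVED:
        findings.append(f"{name}: not on the approved list")
        for known in APPROVED:
            if 0 < edit_distance(name, known) <= 2:
                findings.append(f"{name}: looks like a typo of approved package '{known}'")
    if version is None:
        findings.append(f"{name}: version not pinned with ==")
    if "--hash=" not in rest:
        findings.append(f"{name}: no --hash, so pip cannot verify the downloaded artifact")
    return findings


def audit_requirements(text):
    """Audit a whole requirements file; returns {line: [findings]} for lines with findings."""
    report = {}
    for line in text.splitlines():
        findings = audit_requirement(line)
        if findings:
            report[line.strip()] = findings
    return report


if __name__ == "__main__":
    # Constructed sample requirements file.
    sample = """\
requests==2.25.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
reqeusts==2.25.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
numpy
internal-billing==1.0.0
"""
    for req, findings in audit_requirements(sample).items():
        print(req)
        for f in findings:
            print("   -", f)
```

Running it on the constructed sample reports nothing for the pinned, hashed `requests` line, flags `reqeusts` as unapproved and as a near-miss of `requests`, flags `numpy` for the missing pin and hash, and flags `internal-billing` as a name that must not be resolved from the public index.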

more on: Poison packages

Tags: Poison packages, Python


Mar 07 2021

Steps to implement ISMS (ISO 27001)

Category: ISO 27k, vCISO | DISC @ 9:46 am

Download pdf: Steps to implement ISMS

Distance Learning Training Courses

Tags: Steps to implement ISMS


Mar 07 2021

The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity

Category: cyber security, Security playbook | DISC @ 9:36 am

However, Espinosa’s hard-earned experience is not limited to the boardroom. In his latest book, ‘The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity’, Espinosa shares his decades of experience in the fast-paced world of IT security. That experience can practically be felt dripping through the pages as the chapters outline the essential steps to overcome the biggest adversary in cybersecurity. No, not the cybercriminals, but the toxic culture that many cybersecurity professionals find themselves in. The book takes a holistic approach to self-betterment, discussing the importance of so-called ‘soft skills’ in the world of cybersecurity.

The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity by Christian Espinosa

Tags: The Smartest Person in the Room


Mar 05 2021

External Remote Services

Category: Access Control, APT | DISC @ 11:43 pm

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Detection

Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.

Mitigations

  • Disable unnecessary external remote services.
  • Set account lockout policies to prevent password guessing.
  • Use two- or multi-factor authentication for such services.
  • Collect and monitor external remote services logs for unauthorized access.
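The detection advice above (collect authentication logs, look for unusual windows of activity and access outside business hours) and the lockout mitigation both reduce to a small amount of log analysis. The script below is an added example, not from the ATT&CK entry or any vendor: it parses a constructed, simplified VPN-gateway log format (timestamp, user, source address, result), reports successful logons outside an assumed 08:00-18:59 business window, and reports any source address that accumulates five or more failures and then succeeds, which is the password-guessing pattern an account lockout policy is meant to stop. The log format, the business-hours window and the failure threshold are assumptions to adapt to the real gateway.

```python
"""Spot suspicious external remote-service logons in authentication logs.

Added example; not from the ATT&CK page or any gateway vendor. The log
format, business-hours window and threshold below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample gateway log: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2021-03-05T09:12:01 user=alice src=203.0.113.10 result=SUCCESS
2021-03-05T02:47:13 user=bob src=198.51.100.7 result=SUCCESS
2021-03-05T22:10:00 user=carol src=203.0.113.44 result=FAILURE
2021-03-05T22:10:05 user=carol src=203.0.113.44 result=FAILURE
2021-03-05T22:10:09 user=carol src=203.0.113.44 result=FAILURE
2021-03-05T22:10:14 user=carol src=203.0.113.44 result=FAILURE
2021-03-05T22:10:20 user=carol src=203.0.113.44 result=FAILURE
2021-03-05T22:10:31 user=carol src=203.0.113.44 result=SUCCESS
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumption)
FAILURE_THRESHOLD = 5           # failures from one source before a success is suspicious


def parse(line):
    """Parse one 'ts key=value ...' line into a dict; raises on malformed input."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(ts),
        "user": fields["user"],
        "src": fields["src"],
        "ok": fields["result"] == "SUCCESS",
    }


def off_hours_logons(events):
    """Successful logons whose hour falls outside the business window."""
    return [e for e in events if e["ok"] and e["time"].hour not in BUSINESS_HOURS]


def guessing_then_success(events):
    """(src, user, failures) for sources that fail >= threshold times, then log on."""
    failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["ok"]:
            if failures[e["src"]] >= FAILURE_THRESHOLD:
                hits.append((e["src"], e["user"], failures[e["src"]]))
            failures[e["src"]] = 0   # a success resets the streak for that source
        else:
            failures[e["src"]] += 1
    return hits


def analyze(log_text):
    """Run both detections over a log and return a findings dict."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return {
        "off_hours": [(e["user"], e["time"].isoformat()) for e in off_hours_logons(events)],
        "guessing": guessing_then_success(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for user, when in findings["off_hours"]:
        print(f"off-hours logon: {user} at {when}")
    for src, user, n in findings["guessing"]:
        print(f"{n} failures then success from {src} as {user}")
```

On the constructed log this reports bob's 02:47 logon and carol's 22:10 logon as off-hours, and 203.0.113.44 as a source that failed five times before succeeding as carol. In production the streak counter would be keyed per source and per account, and the threshold tied to the lockout policy actually configured on the gateway.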


Mar 05 2021

Ransomware empire prospers in pandemic-hit world. Attacks grow by 150%

Category: Cybercrime, Ransomware | DISC @ 12:23 pm

Group-IB published a report titled “Ransomware Uncovered 2020-2021” that analyzes the ransomware landscape in 2020 and the TTPs of major threat actors.

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has presented its new report “Ransomware Uncovered 2020-2021”. The research dives deep into the global ransomware outbreak in 2020 and analyzes major players’ TTPs (tactics, techniques, and procedures).

By the end of 2020, the ransomware market, fuelled by the pandemic turbulence, had turned into the biggest cybercrime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, with many restless players having joined the Big Game Hunting last year.

In 2020, ransomware attacks on average caused 18 days of downtime for the affected companies, while the average ransom amount increased almost twofold. Ransomware operations turned into robust competitive business structures going after large enterprises, with the Maze, Conti, and Egregor gangs at the forefront last year. North America, Europe, Latin America, and the Asia-Pacific were the most commonly attacked regions, in that order.

To keep the cybersecurity professionals up to date with how ransomware gangs operate and help the defense teams thwart their attacks, Group-IB’s DFIR team has for the first time mapped the most commonly used TTPs in 2020 in accordance with MITRE ATT&CK®. If you are a cybersecurity executive, make sure your technical team receives a copy of this report for comprehensive threat hunting and detection tips. 

More on: Most Active Ransomware Gangs in 2020


The growing threat of ransomware has put it in the spotlight of law enforcement. Some gangs operating under the Ransomware-as-a-Service (RaaS) model, such as Egregor and Netwalker, were impacted by police efforts. Another notorious RaaS collective, Maze, called it quits at the end of 2020. Despite these events, the ransomware business continues to prosper, with the Ransomware-as-a-Service model being one of the driving forces behind this phenomenal growth.

Ransomware empire prospers in pandemic-hit world.

Tags: Ransomware Gangs


Mar 05 2021

Fraud attempts skyrocketed in 2020 according to latest Financial Crime Report from Feedzai

Category: Cybercrime | DISC @ 10:27 am

Feedzai, a cloud-based risk management platform, has announced its Financial Crime Report Q1, 2021. Feedzai’s data from financial transactions across the world shows a stark difference in consumer behaviour and financial crime in the Asia-Pacific (APAC) region as compared to Europe (EU) and North America (NA). A clear image appears – a hyper-digital world where east and west are in different recovery stages, reflecting different regional financial crime trends.

Overall, 2020 allowed fraudsters to rejoice at the rapid shift to digital banking and commerce while consumers got swindled by purchase, impersonation, money mule schemes, and account takeover scams.

650% Increase in Account Takeover (ATO) Scams in Q4

In an ATO attack, fraudsters obtain stolen credentials, account information, and passwords that belong to legitimate users. Once they access the account, they can transfer funds or buy goods with stolen credentials. Transfers occur when consumers move money from one account to another. The growing popularity of real-time payment functions, combined with the expansion of online banking, means that money moves quickly, and once it’s gone, it’s almost impossible to get back.

Feedzai’s fraud experts noticed an uptick of stolen credentials for sale on the dark web in 2020. The proliferation of stolen credentials, along with the exponential rise in online transactions, provided ideal conditions for fraudsters to blend in with legitimate consumer traffic without being detected.

250% Increase in Attempted Fraud on Online Banking

Online banking isn’t new, but it’s newly popular. There’s been a 200% increase in mobile banking, and fraudsters worked to blend in among them. Online banking experienced a 250% increase in attempted fraud. As expected, both telephone and branch fraud rates dropped to lower levels than they had been before the pandemic.

178% Fraud Rate Increase for Digital Media

In Q2 2020, during the height of global lockdowns, demand for books and streaming services such as music and movies increased. Demand remained strong in the APAC region, but NA and EU eventually returned to pre-pandemic baseline levels. The story around fraud is quite different, at least for NA and EU. In these regions, attempted fraud attacks increased a whopping 178% since January 2020.

48% Drop in Card Present Fraud Attacks; Volume Only Drops 20%

Card present transactions dropped by about 20% at the start of the pandemic and have consistently remained around that level. However, fraud attacks tumbled by an incredible 48%.

Card not present Transactions Drive 70% of Fraud Attacks

Fraudsters love CNP transactions, and without essential security measures such as machine learning, behavioral analytics, biometrics, and two-factor authentication (2FA), they likely will continue for some time to come.

Top 5 Transfer Fraud Schemes

Across the board, the pandemic was a boon for fraudsters and a burden for consumers. When it comes to transfers fraud, criminals were more drawn to the following five fraud schemes than to all others.

  1. Impersonation Scams – 23%
  2. Purchase Scams – 22%
  3. Account Takeover Scams – 22%
  4. Investment Scams – 6%
  5. Romance Scams – 3%

Top 5 Anti Money Laundering Red Flags

Tags: Cyber Frauds, Fraud attempts


Mar 04 2021

CMMC and DFARS Compliance

Category: CMMC | DISC @ 5:14 pm

Have you been tasked by the Department of Defense with proving that you are compliant with CMMC or DFARS cyber security controls?

Download CMMC and DFARS Compliance pdf

Tags: CMMC and DFARS Compliance


Mar 04 2021

The Ultimate Blockchain & Bitcoin Guide

Category: Crypto | DISC @ 12:15 pm

Let us start with a scenario. Whenever there is an election, we always hear the rumor that there is rigging in the election. In the end, the result is either re-election or a recount of the votes. This whole process is a waste of time and money. If we cannot believe this system the first time, how can we do it a second time? And it is a great scenario where blockchain can be used in real life.

Now, what is the Blockchain?

If you search for blockchain on Google, you get millions of results that tell us about blockchain. Judging by these millions of findings, blockchain technology is clearly one of the cutting-edge and popular technologies. Blockchain is a decentralized, transparent, and trustless system in which there is no need for any middleman or central authority. The best example of the alternative is companies like banks, where a middleman is involved. Blockchain is a trustless system, and it uses algorithms to build trust within decentralized systems. Often we hear the word unchangeable used with blockchain, which means that whatever is written once inside the blockchain can never be erased again. Blockchain performs two functions, reading and creating.

Most people think that blockchain is bitcoin and is limited to cryptocurrency, or that only the financial industry uses it. But in fact, blockchain can solve lots of real-world problems, like the voting system we talked about in the beginning. So, blockchain is an online distributed system in which you store information, and this information can also be accessed by other parties. All information is stored inside a block, a container like a register. And all these blocks, or registers, link to each other like a chain, as the name blockchain suggests.

There are three things in each block within the blockchain.

  • Data of the block: the block contains all information like sender, receiver, coins, source or destination address, etc.
  • Hash of the block data: known as the backbone of blockchain. Hash is the technique used to secure the data. It is never easy to reverse the hashes, as they use a fixed-length alphanumeric value, and the hash value always stays unique.
  • Hash of the previous block: links the block to the previous one, creating the chain.
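The three fields listed above are enough to build a chain whose integrity can be checked. The code below is an added example, not from the guide it summarizes: each block carries its data, its own SHA-256 hash and the previous block's hash; `verify_chain` recomputes every hash and follows every back-link, so changing a past record, with or without recomputing that block's own hash, is caught at the block where the chain stops matching. A hash here is a one-way digest used for integrity, not encryption; nothing is decrypted when the chain is verified. The transfer records and the genesis block are constructed for the example.

```python
"""Minimal hash-linked chain illustrating data, block hash and previous hash.

Added example; not code from the original guide. Records are constructed.
"""
import hashlib
import json


def block_hash(index, data, prev_hash):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_block(index, data, prev_hash):
    """A block = data + hash of the previous block + hash over both."""
    return {
        "index": index,
        "data": data,
        "prev_hash": prev_hash,
        "hash": block_hash(index, data, prev_hash),
    }


def build_chain(records):
    """Start from a genesis block and append one block per record."""
    chain = [make_block(0, {"note": "genesis"}, "0" * 64)]
    for record in records:
        chain.append(make_block(len(chain), record, chain[-1]["hash"]))
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if intact."""
    for i, block in enumerate(chain):
        # The stored hash must match what the block's contents hash to now.
        if block["hash"] != block_hash(block["index"], block["data"], block["prev_hash"]):
            return i
        # And the back-link must point at the actual hash of the block before.
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return i
    return None


if __name__ == "__main__":
    # Constructed transfer records.
    chain = build_chain([
        {"from": "alice", "to": "bob", "coins": 5},
        {"from": "bob", "to": "carol", "coins": 2},
    ])
    print("intact:", verify_chain(chain))            # None
    chain[1]["data"]["coins"] = 500                    # tamper with history
    print("after edit:", verify_chain(chain))         # 1: block 1's hash no longer matches
    chain[1]["hash"] = block_hash(1, chain[1]["data"], chain[1]["prev_hash"])
    print("after rehash:", verify_chain(chain))       # 2: block 2 still points at the old hash
```

The second tamper step is the one that matters: an attacker who can recompute the edited block's hash still cannot make block 2's stored `prev_hash` agree without rewriting block 2, and then block 3, and so on. In a real network that rewrite also has to outpace every other copy of the chain, which is what the consensus algorithm makes expensive.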

Source: The Ultimate Blockchain & Bitcoin Guide

Tags: Blockchain & Bitcoin Guide, Blockchain Bubble or Revolution


Mar 04 2021

Distance Learning Training Courses

Category: Information Security, Security training | DISC @ 11:25 am

Get 50% Off Our ITIL Distance Learning Training Course

ITIL qualifications are in high demand! We’re currently offering 50% off our ITIL 4 Foundation distance learning training course with promo code ITIL50. https://tidd.ly/3eb99n8

Get 30% Off Distance Learning Training Courses

ITG distance learning courses let you train at a time and place that suits you! We’re currently offering 30% off all our distance learning training courses with promo code DL30. https://tidd.ly/3sNintQ

Get 20% Off Our Live-Online Training Courses

Train from home or the office with 20% off our Live-Online training courses with promo code ONLINE20. https://tidd.ly/3rhitcT

Get 15% Off Our Toolkits

Speed up your implementation and compliance projects with 15% off all our toolkits with promo code Toolkit15. https://tidd.ly/3uUB0Op

Tags: Distance Learning Training Courses


Mar 04 2021

Another Chrome zero-day exploit – so get that update done!

Category: Web Security | DISC @ 12:32 am

Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update bulletin that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those days/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.

Tags: Chrome zero-day


Mar 03 2021

Bug bounty hunter awarded $50,000 for a Microsoft account hijack flaw

Category: Windows Security | DISC @ 3:00 pm

Microsoft has awarded the security researcher Laxman Muthiyah $50,000 for reporting a vulnerability that could have allowed anyone to hijack users’ accounts without consent.

According to the expert, the vulnerability only impacts consumer accounts.

The vulnerability is related to the possibility of launching a brute-force attack to guess the seven-digit security code that is sent via email or SMS as a method of verification in the password reset procedure.

“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that we will be asked to select the email or mobile number that can be used to receive security code.” the expert wrote. “Once we receive the 7 digit security code, we will have to enter it to reset the password. Here, if we can bruteforce all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”

The researcher pointed out that rate limits are implemented to limit the number of attempts and protect the accounts.

Analysis of the HTTP POST request sent to validate the code revealed that the code is encrypted before being sent, which means that automating brute-force attacks required breaking that encryption first.
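The numbers in the researcher's write-up set the bar for the server side: a 7-digit code has 10^7 values, so encrypting it in transit is not the control, the attempt limit is. The store below is an added example, not Microsoft's implementation or the researcher's code: each issued code is single-use, expires after an assumed ten minutes, allows an assumed five verification attempts before the code is locked, and is compared with `hmac.compare_digest` so timing does not leak how many digits matched. `guess_probability` gives the chance an attacker has of guessing within the allowed attempts, which with these parameters is 5 in 10 million. Code length is taken from the page; the TTL and attempt limit are assumptions.

```python
"""Verification-code store with attempt limits, expiry and single use.

Added example; not Microsoft's or the researcher's code. The TTL and the
attempt limit are assumptions; the 7-digit code length is from the write-up.
"""
import hmac
import secrets
import time

CODE_DIGITS = 7        # 10**7 possible codes, as described in the write-up
MAX_ATTEMPTS = 5       # assumption: wrong guesses allowed per issued code
TTL_SECONDS = 600      # assumption: code lifetime


class ResetCodeStore:
    """Tracks one outstanding reset code per account."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry is testable
        self._codes = {}           # account -> [code, expires_at, attempts_left]

    def issue(self, account):
        """Generate a fresh code for the account, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self._now() + TTL_SECONDS, MAX_ATTEMPTS]
        return code               # in production this goes to email/SMS, not to the caller

    def verify(self, account, submitted):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._codes[account]
            return "expired"
        if attempts_left <= 0:
            return "locked"        # even the right code is refused once locked
        entry[2] -= 1              # count the attempt before comparing
        if hmac.compare_digest(code, submitted):
            del self._codes[account]   # single use: a code never verifies twice
            return "ok"
        return "wrong"


def guess_probability(attempts=MAX_ATTEMPTS, digits=CODE_DIGITS):
    """Chance of guessing the code within the allowed attempts."""
    return attempts / 10 ** digits


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("user@example.test")     # constructed account name
    print("wrong guess:", store.verify("user@example.test", "0000000" if code != "0000000" else "9999999"))
    print("right code:", store.verify("user@example.test", code))
    print("reuse:", store.verify("user@example.test", code))
    print("guess probability:", guess_probability())
```

The attempt counter is decremented before the comparison, so a client that drops the connection after sending a guess still burns an attempt, and the lock is per issued code rather than per request rate, so it cannot be reset by spreading requests across many source addresses, which is the weakness of a pure rate limit.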

Tags: Bug Bounty, Microsoft


Mar 03 2021

Exchange Servers targeted via zero-day exploits, have yours been hit?

Category: Email Security, Zero day | DISC @ 8:59 am

Microsoft has released out-of-band security updates for seven bugs affecting Microsoft Exchange Servers, four of which are zero-day vulnerabilities being exploited by attackers in the wild to plunder on-premises machines.

Source: The zero-day bugs affecting Exchange Servers

Tags: Exchange Servers


Mar 02 2021

Proliferation of sneakerbots across industries

Category: Botnet | DISC @ 11:36 pm

A sneakerbot by any other name

What we are observing now is the increasing proliferation of sneakerbots across all industries. As it currently stands, more than 30% of all internet traffic is generated by unwanted bots, a number which will exceed 50% within the next few years. The rapid digital transformation brought about over the past several years has acted as a catalyst for this substantial growth in synthetic traffic.

Whether they are large, organized groups or DIYers, bot operators leverage automation because it’s cheap, easy to use, generates large amounts of profit, and makes success at scale viable.

Here are some recent examples of sneakerbots being used in different industries:

Proliferation of sneakerbots across industries

Tags: sneakerbots

