InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Jan 27 2021
This must-have guide features simple explanations, examples, and advice to help you be security-aware online in the digital age. Learn how to:
* Keep your information secure
* Put the necessary controls on your home network, protecting your family from cyber crime
* Prevent identity theft when shopping online or using contactless payment
* Keep your children safe when using the Internet.
Jan 27 2021
Law enforcement authorities in the U.S. and Europe have seized the dark web sites used by NetWalker ransomware operators. The authorities also charged a Canadian national involved in the NetWalker ransomware operations.
“The Department of Justice today announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” reads the press release published by DoJ.
“NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.”
The group has been active since 2019, the NetWalker ransomware has been offered with the Ransomware-as-a-Service (RaaS) model.
The list of victims of the group is long, it includes Pakistan’s largest private power company K-Electric, Argentina’s official immigration agency, Dirección Nacional de Migraciones, and the University of California San Francisco (UCSF), the latter paid a $1.14 million ransom to recover its files.
Jan 27 2021
ISO Self assessment tools list includes but not limited to Privacy, ISO 27001, ISO 9001 and ISO 14001 & ISO/IEC 27701 2019 Standard and Toolkit
Jan 27 2021
EU police agency Europol has boasted of taking down the main botnet powering the Emotet trojan-cum-malware dropper, as part of a multinational police operation that included raids on the alleged operators’ homes in the Ukraine.
“To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” said Europol in a jubilant statement this afternoon.
Police forces from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine all took part in the takedown.
“Analysis of accounts used by the group behind Emotet showed $10.5m being moved over a two-year period on just one Virtual Currency platform,” said Britain’s National Crime Agency, which added: “NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.”
Jan 27 2021
MARITIME CYBER SECURITY
Although acknowledging previous relevant cases, the chosen starting point will be June, 16th 2017, when the International Maritime Organization (IMO) formally adopts the recommendations included in the three declarations of principles in the Resolution MSC.428 (98) entitled Cyber Risk Management in Safety Management System.
In this sense, the cyber security risk assessment becomes integral part of the objective (Art.1.2) included in the ISM Code; according to which the management of the cyber security risk must be included in the general objective, for this reason shipping companies must “…ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular to the marine environment and to property“. In particular, these objectives are identified in the pursue of the following obligations:
1. provide for safe practices in ship operation and a safe working environment;
2. assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and
3. continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
In the declarations related to the MSC.428 (98), the IMO introduces for the first time the date of Jan., 1st 2021, stating that: “…Administrations (are encouraged) to ensure that cyber risks are appropriately addressed in safety management system no later than the first annual verification of the company’s Document of Compliance after 1 January 2021“.
The second date to remember is Jul. 5th 2017, when the IMO, through the Maritime Safety Committee released the Guidelines on Maritime Cyber Risk Management included in the MSC-FAL.1/Circ.3. These guidelines suggest recommendations identified as “high level“ for the management of cyber risk in the maritime sector, with special reference to shipping. The pursued aim is to promote the mitigation of cyber risks, through the adjustment of the safety management system, included in the ISM Code framework.
Jan 26 2021
Many, if not most, organisations will tell you that they have processes and procedures that they follow when employees leave.
In particular, most companies have a slick and quick procedure for removing ex-staff from the payroll.
Firstly, it doesn’t make economic sense to pay someone who is no longer entitled to the money; secondly, many countries require employers to withold payroll taxes automatically, to pay them in promptly, and to account for them accurately.
Why get into trouble with the tax office over former employees when you can have a simple “staff leaving” checklist that will help to keep you compliant and solvent at the same time?
Unfortunately, we’re not always quite so switched on (or, to be more precise, not quite so good at switching things off) when it comes to ex-staff and cybersecurity.
History is full of stories of havoc wreaked by ex-employees who maintained both their grudges and their paswords or access tokens after being fired or laid off.
Some of these revenge attacks have acquired legendary status, like the man from the splendidly named town of Maroochydore in Maroochy Shire in Queensland, Australia, who used insider information and a purloined computer to “hack” the council’s waste management system.
This crook quite literally, if you will pardon the expression, showered the shire with… well, with 1,000,000 litres of raw sewage, by operating all the right pumps in all the wrong ways.
As amusing as this crime sounds with 20 years of hindsight – it happened in the year 2000 – the disgruntled former contractor caused an environmental hazard, including polluting a tidal canal, that took days to clean up.
He was caught, tried and convicted of 27 counts of unauthorised computer access, and one count of wilfully and unlawfully causing serious environmental harm:
“Marine life died, the creek water turned black and the stench was unbearable for residents,” said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.
Then there was the US sysadmin who was fired in 2009 and decided to get his own back by planting keyloggers on his former employee’s network, harvesting passwords until he had access to the accounts of senior staff, and then remotely hacking into a presentation by the CEO to the board of directors.
Source: Ghost hack
Jan 25 2021
Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.
In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that proclaimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake. Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was “not a fake video.”
Source: New campaign targeting security researchers
Jan 25 2021
TL;DR: SonicWall “Virtual Office” SSL-VPN Products ship an ancient version of Bash vulnerable to ShellShock, and are therefore vulnerable to unauthenticated remote code execution (as a “nobody” user) via the /cgi-bin/jarrewrite.sh URL.
The exploit is incredibly trivial. We simply spaff a shellshock payload containing a bash /dev/tcp backconnect at it, and we get a shell. Now, the environment on these things is incredibly limited – its stripped down Linux. But we have bash, openssl, and FTP. So you could always download your own toolkit for further exploitation.
Anyway, here is the public exploit. It is incredibly trivial and recycles the telnetlib handler for reverse shells from exploits released by Stephen Seeley. https://github.com/darrenmartyn/visualdoor.
Source: VisualDoor: SonicWall SSL-VPN Exploit
Jan 23 2021
Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.
But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.
The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim’s account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections.
“The adversary can sign in to the victim’s application account without the U2F device, and without the victim noticing,” NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis.
“In other words, the adversary created a clone of the U2F device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials.”
Source: New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys
Jan 23 2021
Source: Hacker blunder leaves stolen passwords exposed via Google search
Hackers hitting thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot and let Google the stolen passwords for public searches.
The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages. It received constant updates to make the fraudulent Microsoft Office 365 login requests look more realistic.
Despite relying on simple techniques, the campaign has been successful in bypassing email protection filters and collected at least 1,000 login credentials for corporate Office 365 accounts.
Researchers at cybersecurity companies Check Point and Otorio analyzing this campaign discovered that the hackers exposed the stolen credentials to the public internet.
In a report published today, they explain that the attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was that they put the data in a publicly visible file that Google indexed.
As a result, Google could show results for queries of a stolen email address or password, as seen in the screenshot above:
