Mar 24 2024

CYBERCRIMINALS ACCELERATE ONLINE SCAMS DURING RAMADAN AND EID FITR

Category: Cybercrimedisc7 @ 12:23 pm

During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams.

During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams, coinciding with a surge in retail and online transactions. Middle Eastern enterprises, facing this heightened risk, are urged to bolster consumer protection and reinforce their brand security.

Notably, in the Kingdom of Saudi Arabia (KSA), consumer spending topped regional charts, exceeding $16 billion. This spike in e-commerce activity has, unfortunately, drawn the attention of cybercriminals who exploit these platforms to execute scams, leading to substantial financial repercussions for both consumers and businesses. The estimated total financial impact of these activities ranges between $70 and $100 million, accounting for frauds perpetrated against expatriates, residents, and foreign visitors.

Due to continued efforts in brand protection for many clients in the Middle East, Resecurity has effectively blocked over 320 fraudulent resources that were impersonating key logistics providers and e-government services. Cybercriminals are aggressively exploiting platforms such as Sadad, Musaned, Ajeer, Ejar, and well-known logistics services to deceive internet users and draw them into different scams. It is strongly advised to refrain from sharing personal and payment information on questionable sites or with individuals posing as bank or government employees.

The malicious actors utilize cloud-based hosting services like Softr, Netlify, and Vercel, which offer pre-defined templates, to create websites using AI. This method allows them to scale their operations efficiently, saving time and effort while rapidly generating new fraudulent sites at an unprecedented rate.

The full report published by Resecurity is available here:

https://www.resecurity.com/blog/article/cybercriminals-accelerate-online-scams-during-ramadan-and-eid-fitr

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: EID UL FITR, RAMADAN


Mar 22 2024

Python for Cybersecurity

Category: Information Security,Pythondisc7 @ 9:08 am

Are you interested in cybersecurity?

Interested in discovering how Python can bolster your abilities in safeguarding digital assets? Delve into the potential of Python for cybersecurity.

In the current digital era, cybersecurity holds greater significance than ever before. Python, renowned for its versatility and resilience, has emerged as a fundamental tool for cybersecurity professionals globally.

🔹 How Python can streamline threat detection and analysis.
🔹 Practical examples of Python scripts for automating security tasks.
🔹 Resources and tools to kickstart your journey into Python for cybersecurity.

Regardless of whether you’re an experienced cybersecurity professional or new to the field, Python has the potential to transform your approach to security challenges.

Python for Cybersecurity Cookbook: 80+ practical recipes for detecting, defending, and responding to Cyber threats

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Python for Cybersecurity


Mar 21 2024

ChatGPT for Offensive Security

Category: ChatGPT,Information Securitydisc7 @ 7:42 am

ChatGPT for Cybersecurity 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Mar 21 2024

HACK-PROOF YOUR CLOUD: THE STEP-BY-STEP CONTINUOUS THREAT EXPOSURE MANAGEMENT CTEM STRATEGY FOR AWS & AZURE

Continuous Threat Exposure Management (CTEM) is an evolving cybersecurity practice focused on identifying, assessing, prioritizing, and addressing security weaknesses and vulnerabilities in an organization’s digital assets and networks continuously. Unlike traditional approaches that might assess threats periodically, CTEM emphasizes a proactive, ongoing process of evaluation and mitigation to adapt to the rapidly changing threat landscape. Here’s a closer look at its key components:

  1. Identification: CTEM starts with the continuous identification of all digital assets within an organization’s environment, including on-premises systems, cloud services, and remote endpoints. It involves understanding what assets exist, where they are located, and their importance to the organization.
  2. Assessment: Regular and ongoing assessments of these assets are conducted to identify vulnerabilities, misconfigurations, and other security weaknesses. This process often utilizes automated scanning tools and threat intelligence to detect issues that could be exploited by attackers.
  3. Prioritization: Not all vulnerabilities pose the same level of risk. CTEM involves prioritizing these weaknesses based on their severity, the value of the affected assets, and the potential impact of an exploit. This helps organizations focus their efforts on the most critical issues first.
  4. Mitigation and Remediation: Once vulnerabilities are identified and prioritized, CTEM focuses on mitigating or remedying these issues. This can involve applying patches, changing configurations, or implementing other security measures to reduce the risk of exploitation.
  5. Continuous Improvement: CTEM is a cyclical process that feeds back into itself. The effectiveness of mitigation efforts is assessed, and the approach is refined over time to improve security posture continuously.

The goal of CTEM is to reduce the “attack surface” of an organization—minimizing the number of vulnerabilities that could be exploited by attackers and thereby reducing the organization’s overall risk. By continuously managing and reducing exposure to threats, organizations can better protect against breaches and cyber attacks.

CTEM VS. ALTERNATIVE APPROACHES

Continuous Threat Exposure Management (CTEM) represents a proactive and ongoing approach to managing cybersecurity risks, distinguishing itself from traditional, more reactive security practices. Understanding the differences between CTEM and alternative approaches can help organizations choose the best strategy for their specific needs and threat landscapes. Let’s compare CTEM with some of these alternative approaches:

1. CTEM VS. PERIODIC SECURITY ASSESSMENTS

  • Periodic Security Assessments typically involve scheduled audits or evaluations of an organization’s security posture at fixed intervals (e.g., quarterly or annually). This approach may fail to catch new vulnerabilities or threats that emerge between assessments, leaving organizations exposed for potentially long periods.
  • CTEM, on the other hand, emphasizes continuous monitoring and assessment of threats and vulnerabilities. It ensures that emerging threats can be identified and addressed in near real-time, greatly reducing the window of exposure.

2. CTEM VS. PENETRATION TESTING

  • Penetration Testing is a targeted approach where security professionals simulate cyber-attacks on a system to identify vulnerabilities. While valuable, penetration tests are typically conducted annually or semi-annually and might not uncover vulnerabilities introduced between tests.
  • CTEM complements penetration testing by continuously scanning for and identifying vulnerabilities, ensuring that new threats are addressed promptly and not just during the next scheduled test.

3. CTEM VS. INCIDENT RESPONSE PLANNING

  • Incident Response Planning focuses on preparing for, detecting, responding to, and recovering from cybersecurity incidents. It’s reactive by nature, kicking into gear after an incident has occurred.
  • CTEM works upstream of incident response by aiming to prevent incidents before they happen through continuous threat and vulnerability management. While incident response is a critical component of a comprehensive cybersecurity strategy, CTEM can reduce the likelihood and impact of incidents occurring in the first place.

4. CTEM VS. TRADITIONAL VULNERABILITY MANAGEMENT

  • Traditional Vulnerability Management involves identifying, classifying, remediating, and mitigating vulnerabilities within software and hardware. While it can be an ongoing process, it often lacks the continuous, real-time monitoring and prioritization framework of CTEM.
  • CTEM enhances traditional vulnerability management by integrating it into a continuous cycle that includes real-time detection, prioritization based on current threat intelligence, and immediate action to mitigate risks.

KEY ADVANTAGES OF CTEM

  • Real-Time Threat Intelligence: CTEM integrates the latest threat intelligence to ensure that the organization’s security measures are always ahead of potential threats.
  • Automation and Integration: By leveraging automation and integrating various security tools, CTEM can streamline the process of threat and vulnerability management, reducing the time from detection to remediation.
  • Risk-Based Prioritization: CTEM prioritizes vulnerabilities based on their potential impact on the organization, ensuring that resources are allocated effectively to address the most critical issues first.

CTEM offers a comprehensive and continuous approach to cybersecurity, focusing on reducing exposure to threats in a dynamic and ever-evolving threat landscape. While alternative approaches each have their place within an organization’s overall security strategy, integrating them with CTEM principles can provide a more resilient and responsive defense mechanism against cyber threats.

CTEM IN AWS

Implementing Continuous Threat Exposure Management (CTEM) within an AWS Cloud environment involves leveraging AWS services and tools, alongside third-party solutions and best practices, to continuously identify, assess, prioritize, and remediate vulnerabilities and threats. Here’s a detailed example of how CTEM can be applied in AWS:

1. IDENTIFICATION OF ASSETS

  • AWS Config: Use AWS Config to continuously monitor and record AWS resource configurations and changes, helping to identify which assets exist in your environment, their configurations, and their interdependencies.
  • AWS Resource Groups: Organize resources by applications, projects, or environments to simplify management and monitoring.

2. ASSESSMENT

  • Amazon Inspector: Automatically assess applications for vulnerabilities or deviations from best practices, especially important for EC2 instances and container-based applications.
  • AWS Security Hub: Aggregates security alerts and findings from various AWS services (like Amazon Inspector, Amazon GuardDuty, and IAM Access Analyzer) and supported third-party solutions to give a comprehensive view of your security and compliance status.

3. PRIORITIZATION

  • AWS Security Hub: Provides a consolidated view of security alerts and findings rated by severity, allowing you to prioritize issues based on their potential impact on your AWS environment.
  • Custom Lambda Functions: Create AWS Lambda functions to automate the analysis and prioritization process, using criteria specific to your organization’s risk tolerance and security posture.

4. MITIGATION AND REMEDIATION

  • AWS Systems Manager Patch Manager: Automate the process of patching managed instances with both security and non-security related updates.
  • CloudFormation Templates: Use AWS CloudFormation to enforce infrastructure configurations that meet your security standards. Quickly redeploy configurations if deviations are detected.
  • Amazon EventBridge and AWS Lambda: Automate responses to security findings. For example, if Security Hub detects a critical vulnerability, EventBridge can trigger a Lambda function to isolate affected instances or apply necessary patches.

5. CONTINUOUS IMPROVEMENT

  • AWS Well-Architected Tool: Regularly review your workloads against AWS best practices to identify areas for improvement.
  • Feedback Loop: Implement a feedback loop using AWS CloudWatch Logs and Amazon Elasticsearch Service to analyze logs and metrics for security insights, which can inform the continuous improvement of your CTEM processes.

IMPLEMENTING CTEM IN AWS: AN EXAMPLE SCENARIO

Imagine you’re managing a web application hosted on AWS. Here’s how CTEM comes to life:

  • Identification: Use AWS Config and Resource Groups to maintain an updated inventory of your EC2 instances, RDS databases, and S3 buckets critical to your application.
  • Assessment: Employ Amazon Inspector to regularly scan your EC2 instances for vulnerabilities and AWS Security Hub to assess your overall security posture across services.
  • Prioritization: Security Hub alerts you to a critical vulnerability in an EC2 instance running your application backend. It’s flagged as high priority due to its access to sensitive data.
  • Mitigation and Remediation: You automatically trigger a Lambda function through EventBridge based on the Security Hub finding, which isolates the affected EC2 instance and initiates a patching process via Systems Manager Patch Manager.
  • Continuous Improvement: Post-incident, you use the AWS Well-Architected Tool to evaluate your architecture. Insights gained lead to the implementation of stricter IAM policies and enhanced monitoring with CloudWatch and Elasticsearch for anomaly detection.

This cycle of identifying, assessing, prioritizing, mitigating, and continuously improving forms the core of CTEM in AWS, helping to ensure that your cloud environment remains secure against evolving threats.

CTEM IN AZURE

Implementing Continuous Threat Exposure Management (CTEM) in Azure involves utilizing a range of Azure services and features designed to continuously identify, assess, prioritize, and mitigate security risks. Below is a step-by-step example illustrating how an organization can apply CTEM principles within the Azure cloud environment:

STEP 1: ASSET IDENTIFICATION AND MANAGEMENT

  • Azure Resource Graph: Use Azure Resource Graph to query and visualize all resources across your Azure environment. This is crucial for understanding what assets you have, their configurations, and their interrelationships.
  • Azure Tags: Implement tagging strategies to categorize resources based on sensitivity, department, or environment. This aids in the prioritization process later on.

STEP 2: CONTINUOUS VULNERABILITY ASSESSMENT

  • Azure Security Center: Enable Azure Security Center (ASC) at the Standard tier to conduct continuous security assessments across your Azure resources. ASC provides security recommendations and assesses your resources for vulnerabilities and misconfigurations.
  • Azure Defender: Integrated into Azure Security Center, Azure Defender provides advanced threat protection for workloads running in Azure, including virtual machines, databases, and containers.

STEP 3: PRIORITIZATION OF RISKS

  • ASC Secure Score: Use the Secure Score in Azure Security Center as a metric to prioritize security recommendations based on their potential impact on your environment’s security posture.
  • Custom Logic with Azure Logic Apps: Develop custom workflows using Azure Logic Apps to prioritize alerts based on your organization’s specific criteria, such as asset sensitivity or compliance requirements.

STEP 4: AUTOMATED REMEDIATION

  • Azure Automation: Employ Azure Automation to run remediation scripts or configurations management across your Azure VMs and services. This can be used to automatically apply patches, update configurations, or manage access controls in response to identified vulnerabilities.
  • Azure Logic Apps: Trigger automated workflows in response to security alerts. For example, if Azure Security Center identifies an unprotected data storage, an Azure Logic App can automatically initiate a workflow to apply the necessary encryption settings.

STEP 5: CONTINUOUS MONITORING AND INCIDENT RESPONSE

  • Azure Monitor: Utilize Azure Monitor to collect, analyze, and act on telemetry data from your Azure resources. This includes logs, metrics, and alerts that can help you detect and respond to threats in real-time.
  • Azure Sentinel: Deploy Azure Sentinel, a cloud-native SIEM service, for a more comprehensive security information and event management solution. Sentinel can collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

STEP 6: CONTINUOUS IMPROVEMENT AND COMPLIANCE

  • Azure Policy: Implement Azure Policy to enforce organizational standards and to assess compliance at scale. Continuous evaluation of your configurations against these policies ensures compliance and guides ongoing improvement.
  • Feedback Loops: Establish feedback loops using the insights gained from Azure Monitor, Azure Security Center, and Azure Sentinel to refine and improve your security posture continuously.

EXAMPLE SCENARIO: SECURING A WEB APPLICATION IN AZURE

Let’s say you’re managing a web application hosted in Azure, utilizing Azure App Service for the web front end, Azure SQL Database for data storage, and Azure Blob Storage for unstructured data.

  • Identification: You catalog all resources related to the web application using Azure Resource Graph and apply tags based on sensitivity and function.
  • Assessment: Azure Security Center continuously assesses these resources for vulnerabilities, such as misconfigurations or outdated software.
  • Prioritization: Based on the Secure Score and custom logic in Azure Logic Apps, you prioritize a detected SQL injection vulnerability in Azure SQL Database as critical.
  • Mitigation: Azure Automation is triggered to isolate the affected database and apply a patch. Concurrently, Azure Logic Apps notifies the security team and logs the incident for review.
  • Monitoring: Azure Monitor and Azure Sentinel provide ongoing surveillance, detecting any unusual access patterns or potential breaches.
  • Improvement: Insights from the incident lead to a review and enhancement of the application’s code and a reinforcement of security policies through Azure Policy to prevent similar vulnerabilities in the future.

By following these steps and utilizing Azure’s comprehensive suite of security tools, organizations can implement an effective CTEM strategy that continuously protects against evolving cyber threats.

IMPLEMENTING CTEM IN CLOUD ENVIRONMENTS LIKE AWS AND AZURE

Implementing Continuous Threat Exposure Management (CTEM) in cloud environments like AWS and Azure involves a series of strategic steps, leveraging each platform’s unique tools and services. The approach combines best practices for security and compliance management, automation, and continuous monitoring. Here’s a guide to get started with CTEM in both AWS and Azure:

COMMON STEPS FOR BOTH AWS AND AZURE

  1. Understand Your Environment
    • Catalogue your cloud resources and services.
    • Understand the data flow and dependencies between your cloud assets.
  2. Define Your Security Policies and Objectives
    • Establish what your security baseline looks like.
    • Define key compliance requirements and security objectives.
  3. Integrate Continuous Monitoring Tools
    • Leverage cloud-native tools for threat detection, vulnerability assessment, and compliance monitoring.
    • Integrate third-party security tools if necessary for enhanced capabilities.
  4. Automate Security Responses
    • Implement automated responses to common threats and vulnerabilities.
    • Use cloud services to automate patch management and configuration adjustments.
  5. Continuously Assess and Refine
    • Regularly review security policies and controls.
    • Adjust based on new threats, technological advancements, and changes in the business environment.

IMPLEMENTING CTEM IN AWS

  1. Enable AWS Security Services
    • Utilize AWS Security Hub for a comprehensive view of your security state and to centralize and prioritize security alerts.
    • Use Amazon Inspector for automated security assessments to help find vulnerabilities or deviations from best practices.
    • Implement AWS Config to continuously monitor and record AWS resource configurations.
  2. Automate Response with AWS Lambda
    • Use AWS Lambda to automate responses to security findings, such as isolating compromised instances or automatically patching vulnerabilities.
  3. Leverage Amazon CloudWatch
    • Employ CloudWatch for monitoring and alerting based on specific metrics or logs that indicate potential security threats.

IMPLEMENTING CTEM IN AZURE

  1. Utilize Azure Security Tools
    • Activate Azure Security Center for continuous assessment and security recommendations. Use its advanced threat protection features to detect and mitigate threats.
    • Implement Azure Sentinel for SIEM (Security Information and Event Management) capabilities, integrating it with other Azure services for a comprehensive security analysis and threat detection.
  2. Automate with Azure Logic Apps
    • Use Azure Logic Apps to automate responses to security alerts, such as sending notifications or triggering remediation processes.
  3. Monitor with Azure Monitor
    • Leverage Azure Monitor to collect, analyze, and act on telemetry data from your Azure and on-premises environments, helping you detect and respond to threats in real-time.

BEST PRACTICES FOR BOTH ENVIRONMENTS

  • Continuous Compliance: Use policy-as-code to enforce and automate compliance standards across your cloud environments.
  • Identity and Access Management (IAM): Implement strict IAM policies to ensure least privilege access and utilize multi-factor authentication (MFA) for enhanced security.
  • Encrypt Data: Ensure data at rest and in transit is encrypted using the cloud providers’ encryption capabilities.
  • Educate Your Team: Regularly train your team on the latest cloud security best practices and the specific tools and services you are using.

Implementing CTEM in AWS and Azure requires a deep understanding of each cloud environment’s unique features and capabilities. By leveraging the right mix of tools and services, organizations can create a robust security posture that continuously identifies, assesses, and mitigates threats.

AWS Security

Azure Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: AWS, AWS security, Azure, Azure Security, cloud security


Mar 20 2024

Data Breaches and Cyber Attacks in the USA in February 2024 – 621,095,066 Records Breached

Category: Data Breachdisc7 @ 7:16 am
https://www.itgovernanceusa.com/blog/data-breaches-and-cyber-attacks-in-the-usa-in-february-2024-621095066-records-breached?

Data Breaches and Cyber Attacks in the USA in February 2024 – 621,095,066 Records Breached

 Kyna Kosling  March 14, 2024

IT Governance USA’s research found the following for February 2024:

  • 322 publicly disclosed security incidents (45% of all incidents globally)
  • 621,095,066 records known to be breached

This month, globally, 719,366,482 records were known to be breached – 86% of them were in the USA.

This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.

This month is different due to two outlier breaches:

  1. Zenlayer’s publicly exposed database, which contained 384,658,212 records
  2. Pure Incubation Ventures, which allegedly* had 183,754,481 records go up for sale

*The threat actor provided 100,000 records as a sample.


Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboard:

Data Breaches and Cyber Attacks in the USA in February 2024 – 621,095,066 Records Breached

 Kyna Kosling  March 14, 2024

IT Governance USA’s research found the following for February 2024:

  • 322 publicly disclosed security incidents (45% of all incidents globally)
  • 621,095,066 records known to be breached

This month, globally, 719,366,482 records were known to be breached – 86% of them were in the USA.

This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.

This month is different due to two outlier breaches:

  1. Zenlayer’s publicly exposed database, which contained 384,658,212 records
  2. Pure Incubation Ventures, which allegedly* had 183,754,481 records go up for sale

*The threat actor provided 100,000 records as a sample.


Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboard:

You can also download this and previous months’ Dashboards as free PDFs here.

This blog provides further analysis of the data we’ve collected. We also provide an annual overview and analyze the longer-term trends in our 2024 overview of publicly disclosed data breaches and cyber attacks in the USA.

You can learn more about our research methodology here.

Note 1: Where ‘around,’ ‘about,’ etc. is reported, we record the rounded number. Where ‘more than,’ ‘at least,’ etc. is reported, we record the rounded number plus one. Where ‘up to,’ etc. is reported, we record the rounded number minus one.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

Big Breaches: Cybersecurity Lessons for Everyone 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Attacks in the USA


Mar 19 2024

PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)

Category: Security vulnerabilitiesdisc7 @ 6:21 pm

Proof-of-concept (PoC) exploit code for a critical RCE vulnerability (CVE-2024-25153) in Fortra FileCatalyst MFT solution has been published.

About CVE-2024-25153

Fortra FileCatalyst is an enterprise managed file transfer (MFT) software solution that includes several components: FileCatalyst Direct, Workflow, and Central.

CVE-2024-25153 is a directory traversal vulnerability in FileCatalyst Workflow’s web portal that could allow a remote authenticated threat actor to execute arbitrary code on vulnerable servers.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells,” the company noted in the advisory.

The vulnerability was first discovered in August 2023 and patched a few days later in the FileCatalyst version 5.1.6 Build 114, but had no CVE identifier at the time.

The identifier was assigned after Fortra became a CVE Numbering Authority (CNA) in December 2023.

The company and Tom Wedgbury, the security researcher that discovered and reported the flaw, planned its coordinated disclosure in March 2024.

CVE-2024-25153 PoC exploit released

Fortra’s security advisory and Wedgbury’s blog post with technical details and the PoC have been published on Wednesday.

There are currently no indications of the vulnerability being exploited in the wild, but organizations are nevertheless advised to apply the available patch (if they haven’t already).

When a PoC for a critical authentication bypass vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution was recently made public, exploit attempts began soon after.

In late January 2023, the Cl0p ransomware group leveraged a zero-day vulnerability (CVE-2023-0669) in the same solution, and stole data of over 130 victim organizations.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: PoC exploit code


Mar 19 2024

APT28 Hacker targeting in widespread Phishing Scheme

Category: APT,Phishingdisc7 @ 7:20 am

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

Widespread Phishing Scheme

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 take advantage of the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

The climax of APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: APT28


Mar 18 2024

Hackers Trick Users To Install Malware Via Weaponized PDF

Category: Malwaredisc7 @ 7:19 am

In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.

The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.

These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.

Upon execution, the obfuscated VBS script triggers a PowerShell script, retrieving the final malware payload from legitimate online storage services through a two-step request process.

Infection Process

According to the ANY.RUN report was shared with GBHackers on Security; initially, the script acquires the payload’s address from resources such as textbin.net. It then proceeds to download and execute the payload from the provided address, which could be hosted on various platforms including cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io.

The attackers’ execution chain follows a sequence from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE).

The culminating payload is identified as one of several known remote access trojans (RATs), specifically AsyncRATnjRAT, or Remcos.

These malicious programs are notorious for their ability to provide unauthorized remote access to the infected systems, posing significant risks to the victims’ privacy and data security.

Here are some notable samples of this campaign: 1234.

sample1

This campaign has been meticulously documented, with over 50 operation samples being analyzed.

Cybersecurity professionals and researchers are encouraged to consult the TI Lookup tool for detailed information on these samples, aiding in identifying and mitigating threats related to this campaign.

The Cyberspace Battlefield: A Contemporary Look at Weaponized Cyber Warfare

The technique demonstrated by the attackers in this campaign is not exclusive to Latin American targets and may be adapted for use against various targets in other regions.

The cybersecurity community is urged to remain vigilant and employ robust security measures to protect against such sophisticated threats.

Cybersecurity Threats, Malware Trends, and Strategies – Second Edition: Discover risk mitigation strategies for modern threats to your organization 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Weaponized PDF


Mar 15 2024

Linux Networking Commands

Category: Linux Securitydisc7 @ 7:14 am

☝️ Pdf download ☝️

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Linux Networking Commands


Mar 14 2024

TUNNELCRACK: TWO SERIOUS VULNERABILITIES IN VPNS DISCOVERED, HAD BEEN DORMANT SINCE 1996

Category: VPNdisc7 @ 9:01 am

The term “virtual private network,” or VPN for short, has become almost synonymous with “online privacy and security.” VPNs function by creating an encrypted tunnel through which your data may transit as it moves over the internet. They are designed to protect your privacy and make it impossible for anyone to monitor or access your activity while you are online. But what happens if the same instrument that was supposed to keep your privacy safe turns out to be a conduit for attacks? Introduce yourself to “TunnelCrack,” a frightening discovery that has sent shockwaves across the world of cybersecurity. Nian Xue from New York University, Yashaswi Malla and Zihang Xia from New York University Abu Dhabi, Christina Popper from New York University, and Mathy Vanhoef from KU Leuven University were the ones that carried out the study.

Two serious vulnerabilities in virtual private networks (VPNs) have been discovered by a research team . These vulnerabilities had been dormant since 1996. It is possible to leak and read user traffic, steal information, or even conduct attacks on user devices by exploiting these vulnerabilities, which are present in practically every VPN product across all platforms. TunnelCrack is a combination of two common security flaws found in virtual private networks (VPNs). Even though a virtual private network (VPN) is designed to safeguard all of the data that a user sends, these attacks are able to circumvent this security. An enemy, for example, may take advantage of the security flaws to steal information from users, read their communications, attack their devices, or even just spill it all. Regardless of the security protocol that is utilized by the VPN, the uncovered flaws may be exploited and used maliciously. In other words, even Virtual Private Networks (VPNs) that claim to utilize “military grade encryption” or that use encryption methods that they themselves invented are vulnerable to attack. When a user joins to an unsecured Wi-Fi network, the initial set of vulnerabilities, which they  refer to as LocalNet attacks, is susceptible to being exploited. The second group of vulnerabilities, which are known as ServerIP attacks, are susceptible to being exploited by shady Internet service providers as well as by unsecured wireless networks. Both of these attacks involve manipulating the routing table of the victim in order to deceive the victim into sending traffic outside the secured VPN tunnel. This enables an adversary to read and intercept the data that is being sent.

The video that may be seen below demonstrates three different ways in which an attacker might take advantage of the disclosed vulnerabilities. In the first step of the attack, the LocalNet vulnerability is exploited to force the target to leak communications. This is used to intercept sensitive information that is being transferred to websites that do not have enough security, such as the victim’s account and password being exposed. They also demonstrate how an adversary may determine which websites a user is accessing, which is something that is not generally achievable when utilizing a virtual private network (VPN). Last but not least, a modification of the LocalNet attack is used in order to prevent a surveillance camera from alerting its user to any unexpected motion.

As the demonstration indicates, the vulnerabilities in the VPN may be exploited to trivially leak traffic and identify the websites that an individual is accessing. In addition, any data that is transferred to websites with inappropriate configurations or that is supplied by applications that are not secure may be intercepted.

Users may protect themselves by keeping the software for their VPNs up to date. Additionally, any data that is transferred cannot be stolen if a website is correctly set using HTTP Strict Transport protection (HSTS) to always utilize HTTPS as an additional layer of protection. These days, around 25 percent of websites are built in this manner. In addition, a few of browsers will now display a warning to the user if HTTPS is not being utilized. Last but not least, while they are not always error-free, most current mobile applications employ HTTPS by default and, as a result, also use this additional security.

In addition to being exploited to attack websites, virtual private networks (VPNs) sometimes defend outdated or less secure protocols, which presents an additional danger. These attacks now make it possible for an adversary to circumvent the security provided by a virtual private network (VPN), which means that attackers may target any older or less secure protocols that are used by the victim, such as RDP, POP, FTP, telnet, and so on.


LocalNet Attacks

The adversary in a LocalNet attack pretends to be a hostile Wi-Fi or Ethernet network, and they deceive the victim into joining to their network by using social engineering techniques. Cloning a well-known Wi-Fi hotspot, such as the one offered by “Starbucks,” is a straightforward method for achieving this goal. As soon as a victim establishes a connection to this malicious network, the attacker allots the victim a public IP address as well as a subnet. An illustration of this may be seen in the graphic below; the objective of the opponent in this case is to prevent traffic from reaching the website target.com:
The website target.com, which can be seen in the picture to the right, uses the IP address 1.2.3.4. The adversary will convince the victim that the local network is utilizing the subnet 1.2.3.0/24 in order to intercept traffic that is headed toward this website. The victim is told, in other words, that IP addresses in the range 1.2.3.1-254 are immediately accessible inside the local network. A web request will be sent to the IP address 1.2.3.4 if the victim navigates to target.com at this time. The victim will submit the web request outside the secured VPN tunnel because it believes that this IP address is immediately available inside the local network.

An adversary may potentially leak practically all of the victim’s traffic by assigning bigger subnets to the local network they have access to. In addition, although while the LocalNet attack’s primary objective is to send data outside the VPN tunnel, it may also be exploited in such a way as to prevent some traffic from passing through while the VPN is in operation.

ServerIP Attacks

In order to execute a ServerIP attack, the attacker has to have the ability to spoof DNS responses before the VPN is activated, and they also need to be able to monitor traffic going to the VPN server. Acting as a hostile Wi-Fi or Ethernet network is one way to achieve this goal; in a manner similar to the LocalNet attacks, this may also be done. The attacks may also be carried out via an Internet service provider (ISP) that is hostile or by a core Internet router that has been hacked.

The fundamental premise is that the attacker will attempt to impersonate the VPN server by forging its IP address. An attacker may fake the DNS answer to have a different IP address if, for instance, the VPN server is recognized by the hostname vpn.com but its actual IP address is 2.2.2.2. An illustration of this may be seen in the following image, in which the adversary’s objective is to intercept communication sent towards target.com, which has the IP address 1.2.3.4:

The attacker begins by forging the DNS reply for vpn.com such that it returns the IP address 1.2.3.4. This IP address is identical to the IP address of target.com. To put it another way, if you wish to leak traffic towards a certain IP address, you fake that address. After that, the victim will connect to the VPN server that is located at 1.2.3.4. This traffic is then redirected to the victim’s actual VPN server by the adversary, who does this to ensure that the victim is still able to successfully build a VPN connection. As a consequence of this, the victim is still able to successfully build the VPN tunnel even if they are using the incorrect IP address while connecting to the VPN server. In addition to this, the victim will implement a routing rule that will direct all traffic destined for 1.2.3.4 to be routed outside of the VPN tunnel.

A web request is now made to 1.2.3.4 whenever the victim navigates to target.com on their web browser. This request is routed outside of the secured VPN tunnel because of the routing rule that prevents packets from being re-encrypted when they are submitted to the VPN server. As a direct consequence of this, the web request is exposed.

The built-in VPN clients of Windows, macOS, and iOS were discovered to have security flaws by this study. Android versions 12 and above are not impacted by this issue. A significant portion of Linux-based virtual private networks (VPNs) are also susceptible. In addition, they discovered that the majority of OpenVPN profiles, when used with a VPN client that is susceptible to vulnerabilities, utilize a hostname to identify the VPN server, which may lead to behavior that is susceptible to vulnerabilities.

In order to keep customers safe, they worked together with CERT/CC and a number of other VPN providers to develop and release security upgrades over the course of a coordinated disclosure period of ninety days. Mozilla VPN, Surfshark, Malwarebytes, Windscribe (which can import OpenVPN profiles), and Cloudflare’s WARP are a few examples of VPNs that have been updated with patches. You can protect yourself against the LocalNet attack even if updates for your VPN are not currently available by turning off connection to your local network. You may further reduce the risk of attacks by ensuring that websites utilize HTTPS, a protocol that is supported by the majority of websites today.

Internet Security VPN!

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: TUNNELCRACK, VPN attacks


Mar 13 2024

Keyloggers, spyware, and stealers dominate SMB malware detections

Category: Cybercrime,Malware,Spywaredisc7 @ 10:56 am

In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.

SMBs ransomware cyberthreat

Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.

Ransomware remains primary cyberthreat for SMBs

The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs they’ve already cracked.

“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.

“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.

While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.

BEC attacks grow in sophistication

Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.

In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.

Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.

These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.

In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.

Mastering Cyber Security Defense to Shield Against Identity Theft, Data breaches, Hackers, and more in the Modern Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: keylogger, Malware, SMB


Mar 12 2024

CloudGrappler: Open Source Tool That Detects Hacking Activity

Category: OSINT,Security Toolsdisc7 @ 12:49 pm

CloudGrappler is an innovative open-source tool designed to detect the presence of notorious threat actors in cloud environments.

This tool is a beacon of hope for security teams struggling to keep pace with the sophisticated tactics of groups like LUCR-3, also known as Scattered Spider.

CloudGrappler leverages the power of CloudGrep, a tool developed by Cado Security, to offer high-fidelity, single-event detections of activities associated with well-known threat actors in popular cloud platforms such as AWS and Azure.

It acts as a cyber detective, sifting through the vast amounts of data in cloud environments to identify suspicious and malicious activities that often go unnoticed.

Key Features Of CloudGrappler

  • Threat Actor Querying: CloudGrappler excels in identifying activities demonstrated by some of the most notorious cloud threat actors. It utilizes a subset of activities from Permiso’s extensive library of detections to help organizations pinpoint threats targeting their cloud infrastructure.
  • Single-Event Detections: The tool provides a granular view of potential security incidents, enabling security teams to quickly and easily identify specific anomalies within their AWS and Azure environments.
  • Integration with CloudGrep: By incorporating a set of Tactics, Techniques, and Procedures (TTPs) observed in the modern threat landscape, CloudGrappler enhances its threat detection capabilities.

How CloudGrappler Works

CloudGrappler includes several components designed to streamline the threat detection process:

  • Scope Selector: Users can define the scope of their scanning through an integrated data_sources.json file, choosing to scan specific resources or a broader range of cloud infrastructure services.
  • Query Selector: The tool comes with a queries.json file containing predefined TTPs commonly used by threat actors. Users can modify these queries or add custom ones to tailor the scanning process.
  • Report Generator: After scanning, CloudGrappler produces a comprehensive report in JSON format, offering detailed insights into the scan results and enabling security teams to address potential threats swiftly.

It is based on a subset of activity from Permiso’s library of hundreds of detections, and it helps organizations detect threats targeting their cloud infrastructure.

Users have the ability to scan specific resources within their environment
Users can scan specific resources within their environment

Practical Applications

CloudGrappler is not just about detecting suspicious activities. it also provides valuable threat intelligence to help security professionals understand the risks in their environment and develop targeted response strategies.

Threat Activity
Threat Activity

The tool’s output includes information on the threat actor involved, the severity of the detected activity, and a description of the potential implications.

For those interested in enhancing their cloud security posture, CloudGrappler is available on GitHub.

The repository includes detailed instructions on setting up and using the tool, making it accessible to security teams of all sizes.

As cloud environments become increasingly complex and threat actors’ activities more sophisticated, tools like CloudGrappler are essential for maintaining a robust security posture.

CloudGrappler represents a significant step forward in the fight against cybercrime by offering an open-source solution for detecting and analyzing threats in cloud environments.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Open Source Tool


Mar 11 2024

10 free cybersecurity guides you might have missed

Category: Security trainingdisc7 @ 2:13 pm

Cybersecurity resource and reference guide

This guide compiles U.S. and International resources for developing cybersecurity programs and establishing robust network protection. It covers trusted network operation and information systems security materials, focusing on confidentiality, integrity, and other key aspects. Aimed at fostering security cooperation, it includes information on cybersecurity norms, best practices, policies, and standards.

free cybersecurity guides

Cyber Security Toolkit for Boards

The Board Toolkit from the NCSC assists boards in embedding cyber resilience and risk management across an organization, encompassing its personnel, systems, processes, and technologies. The toolkit is designed for board members of medium to large organizations in any sector, including Boards of Directors, Boards of Governors/Advisors, Non-executive Directors, or Boards of Trustees.

Guide for Users of C2M2 and CMMC

This guide is designed for users of the Cybersecurity Capability Maturity Model (C2M2) seeking Cybersecurity Maturity Model Certification (CMMC) to fulfill DoD contractual obligations. It aims to assist these users in utilizing their existing C2M2 experience while pinpointing further actions needed for CMMC certification compliance.

free cybersecurity guides

Department of Defense (DoD) Cybersecurity Reference Architecture

The Cybersecurity Reference Architecture (CSRA) outlines principles, components, and design patterns for combating internal and external network threats, ensuring cyberspace survivability and operational resilience. Designed for entities needing access to DoD resources, the CSRA guides the establishment of cybersecurity, promoting integrated deterrence and strategic procurement planning.

Guide to Securing Remote Access Software

Authored by CISA, NSA, FBI, MS-ISAC, and INCD, this guide offers insights into prevalent exploitations and their related tactics, techniques, and procedures (TTPs). It also presents recommendations for IT/OT and ICS professionals and organizations on best practices in employing remote capabilities, along with strategies to identify and counteract malicious actors exploiting this software.

Incident Response Guide: Water and Wastewater Sector

In collaboration with the EPA, FBI, and sector partners, CISA has developed this Incident Response Guide (IRG) specifically for the Water and Wastewater Systems (WWS) Sector. This unique IRG offers vital information on federal roles, resources, and responsibilities throughout the cyber incident response lifecycle, enabling WWS Sector owners and operators to enhance their incident response plans and overall cyber resilience.

NIST Phish Scale User Guide

The NIST Phish Scale provides a system for those implementing cybersecurity and phishing awareness training to assess the difficulty of detecting phishing attempts in emails. This guide explains the Phish Scale and offers step-by-step instructions for applying it to phishing emails. Additionally, it includes appendices with worksheets to help trainers use the Phish Scale effectively, as well as detailed information about email characteristics and relevant research findings.

Phishing guidance: Stopping the attack cycle at phase one

This guide details common phishing techniques used by attackers and offers strategies for network defenders and software manufacturers to mitigate the impact of these attacks, including credential theft and malware deployment. Recognizing the resource constraints of some organizations, it includes specific recommendations for SMBs that lack dedicated IT staff for continuous phishing defense.

free cybersecurity guides

#StopRansomware Guide

This guide serves as a resource for organizations to mitigate the risk of ransomware attacks. It offers best practices for detection, prevention, response, and recovery, including detailed strategies to tackle potential threats. It was developed through the Joint Ransomware Task Force (JRTF), an interagency body established by Congress in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Using online services safely

This guide offers practical advice for securely utilizing online services, reducing the risk of cyber attacks for small organizations. It covers essential online tools such as email, instant messaging, cloud storage, online accounting and invoice management, website or online shop hosting, and social media interaction, which are crucial for daily operations even if their use isn’t always obvious.

Explore further on Cyber Security Guides

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cybersecurity guides


Mar 10 2024

ISO 27001 standards and training

Category: Information Security,ISO 27kdisc7 @ 9:29 pm

There’s more to cyber security than just ISO 27001. Protect your business with the full family of ISO standards.

Protect your organisation from cyber crime with ISO 27001 Training – Instructor-led live online, self-paced online and classroom.

Equip your staff to identify and address cyber security and privacy risks.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: iso 27001, ISO 27001 training


Mar 08 2024

Immediate AI risks and tomorrow’s dangers

Category: AIdisc7 @ 11:29 am

“At the most basic level, AI has given malicious attackers superpowers,” Mackenzie Jackson, developer and security advocate at GitGuardian, told the audience last week at Bsides Zagreb.

These superpowers are most evident in the growing impact of fishing, smishing and vishing attacks since the introduction of ChatGPT in November 2022.

And then there are also malicious LLMs, such as FraudGPTWormGPT, DarkBARD and White Rabbit (to name a few), that allow threat actors to write malicious code, generate phishing pages and messages, identify leaks and vulnerabilities, create hacking tools and more.

AI has not necessarily made attacks more sophisticated but, he says, it has made them more accessible to a greater number of people.

The potential for AI-fueled attacks

It’s impossible to imagine all the types of AI-fueled attacks that the future has in store for us. Jackson outlined some attacks that we can currently envision.

One of them is a prompt injection attack against a ChatGPT-powered email assistant, which may allow the attacker to manipulate the assistant into executing actions such as deleting all emails or forwarding them to the attacker.

Inspired by a query that resulted in ChatGPT outright inventing a non-existent software package, Jackson also posited that an attacker might take advantage of LLMs’ tendency to “hallucinate” by creating malware-laden packages that many developers might be searching for (but currently don’t exist).

The immediate threats

But we’re facing more immediate threats right now, he says, and one of them is sensitive data leakage.

With people often inserting sensitive data into prompts, chat histories make for an attractive target for cybercriminals.

Unfortunately, these systems are not designed to secure the data – there have been instances of ChatGTP leaking users’ chat history and even personal and billing data.

Also, once data is inputted into these systems, it can “spread” to various databases, making it difficult to contain. Essentially, data entered into such systems may perpetually remain accessible across different platforms.

And even though chat history can be disabled, there’s no guarantee that the data is not being stored somewhere, he noted.

One might think that the obvious solution would be to ban the use of LLMs in business settings, but this option has too many drawbacks.

Jackson argues that those who aren’t allowed to use LLMs for work (especially in the technology domain) are likely to fall behind in their capabilities.

Secondly, people will search for and find other options (VPNs, different systems, etc.) that will allow them to use LLMs within enterprises.

This could potentially open doors to another significant risk for organizations: shadow AI. This means that the LLM is still part of the organization’s attack surface, but it is now invisible.

How to protect your organization?

When it comes to protecting an organization from the risks associated with AI use, Jackson points out that we really need to go back to security basics.

People must be given the appropriate tools for their job, but they also must be made to understand the importance of using LLMs safely.

He also advises to:

  • Put phishing protections in place
  • Make frequent backups to avoid getting ransomed
  • Make sure that PII is not accessible to employees
  • Avoid keeping secrets on the network to prevent data leakage
  • Use software composition analysis (SCA) tools to avoid AI hallucinations abuse and typosquatting attacks

To make sure your system is protected from prompt injection, he believes that implementing dual LLMs, as proposed by programmer Simon Willison, might be a good idea.

Despite the risks, Jackson believes that AI is too valuable to move away from.

He anticipates a rise in companies and startups using AI toolsets, leading to potential data breaches and supply chain attacks. These incidents may drive the need for improved legislation, better tools, research, and understanding of AI’s implications, which are currently lacking because of its rapid evolution. Keeping up with it has become a challenge.

AI Scams:

Are chatbots the new weapon of online scammers?

AI used to fake voices of loved ones in “I’ve been in an accident” scam

Story of Attempted Scam Using AI | C-SPAN.org

Woman loses Rs 1.4 lakh to AI voice scam

Kidnapping scam uses artificial intelligence to clone teen girl’s voice, mother issues warning

First-Ever AI Fraud Case Steals Money by Impersonating CEO

AI Scams Mitigation:

A.I. Scam Detector

Every country is developing AI laws, standards, and specifications. In the US, states are introducing 50 AI related regulations a week (Axios 0 2024). Each of the regulations see AI through the lens for social and technical risk.

Trust Me: AI Risk Management is a book of AI Risk Controls that can be incorporated into the NIST AI RMF guidelines or NIST CSF. Trust Me looks at the key attributes of AI including trust, explainability, and conformity assessment through an objective-risk-control-why lens. If you’re developing, designing, regulating, or auditing AI systems, Trust Me: AI Risk Management is a must read.

👇 Do you place your trust in AI?? 👇

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: AI risks


Mar 07 2024

Cyber Pros Turn to Cybercrime as Salaries Stagnate

Category: Cyber crime,Cybercrimedisc7 @ 8:31 am
https://www.infosecurity-magazine.com/news/cyber-pros-cybercrime-salaries/

Cybersecurity professionals are increasingly prepared to moonlight as cybercriminals in a bid to top up their salaries, according to new research from the Chartered Institute of Information Security (CIISec).

The institute enlisted the help of a former police officer and covert operative to analyze dark web forum job adverts from June to December 2023.

What he found was a surprising number of what seemed to be cybersecurity professionals at various stages of their career prepared to sell their skills for nefarious ends.

“After years of working in the cybersecurity and law enforcement fields, it becomes relatively easy to spot cybercriminals from professionals moonlighting from other industries,” he explained.

“These adverts might allude to current legitimate professional roles, or be written in the same way as someone advertising their services on platforms like LinkedIn. In an industry that is already struggling to stop adversaries, it’s worrying to see that bright, capable people have been enticed to the criminal side.”

Read more on security skills shortages: #InfosecurityEurope: It’s Time to Think Creatively to Combat Skills Shortages

The study revealed three types of professional touting for business on underground sites:

  • Experienced IT and cybersecurity professionals, including pen testers, AI prompt engineers and web developers. Some claimed to work for a “global software agency” while others stated they needed a “second job”
  • New starters in cybersecurity looking for both work and training. Professional hacking groups also advertise for young talent, with some offering on-the-job training in areas such as OSINT and social media hacking
  • Professionals from industries outside cybersecurity/IT, including PR, content creation and even one out-of-work voice actor advertising for work on phishing campaigns

CIISec warned that, in many cases, salaries do not reflect the long hours and high-stress environments that many security professionals find themselves in. CIISec CEO, Amanda Finch, cited Gartner research revealing that 25% of security leaders will leave the industry by 2025 due to work-related stress.

“Our analysis shows that highly skilled individuals are turning to cybercrime. And given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge,” she argued.

“Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”

Finch called on the industry to increase salaries and improve working conditions, or risk as many as 10% of the workforce leaving a profession already experiencing persistent skills shortages.

Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Pros


Mar 06 2024

How Security Leaders Can Break Down Barriers to Enable Digital Trust

Category: CISO,Digital Trustdisc7 @ 8:11 am
https://www.infosecurity-magazine.com/news/security-leaders-digital-trust/

The term “digital trust” has gained traction in the business landscape, but many people hear “digital trust” and equate it to avoiding cybersecurity incidents.

In reality, security leaders hold a significant role in this mission, but building digital trust requires much more than a high-performing security team.

Viewed in this broader sense, digital trust is defined by ISACA as the confidence in the relationship and transactions among providers and consumers within the digital ecosystem, including the ability of people, organizations, processes, information and technology to create and maintain a trustworthy digital world.

Customers expect a reasonable degree of digital trust from every organization with a digital footprint – at least the ones with which they will be willing to do business. Although they might not consciously frame it in these terms, these fundamental elements of digital trust serve as the foundation upon which consumers base their judgments about an enterprise’s trustworthiness:

  • Quality: Quality must meet or exceed consumer expectations. 
  • Availability: Consumers need to be able to access accurate information in a timely manner. 
  • Security and privacy: Consumers need assurance that their data and information are safe and protected. 
  • Ethics and integrity: Enterprises should live up to their promised values. 
  • Transparency and honesty: Consumers should be informed about how their information is being used. If personal information has been compromised, consumers should know how the enterprise is addressing the current situation and preventing it from happening again. 
  • Resiliency: Enterprises must provide assurances that they are stable and can withstand adverse circumstances while simultaneously evolving to leverage new technologies and advancements.  

Although commonly associated with cybersecurity, digital trust extends far beyond that realm. It can be thought of as the invisible thread that establishes a common goal and focus among several distinct organizational roles.

Within the domain of security, one question that often arises is whether zero trust equates to digital trust. The answer is no, however, zero trust can be used as a technique to reach digital trust. It is a building block or a thread that is woven throughout the digital trust ecosystem. Digital trust allows individuals and businesses to engage online with confidence that their data and digital identity are safeguarded. 

Implementing zero trust processes contributes to the protection of such information.

In the context of the modern business environment, how well companies manage customers’ data and the extent to which they can securely and responsibly implement emerging technology are key steps toward delivering digital trust.

Trust: The Core of All Interactions

Throughout human history, trust has formed the fundamental basis of nearly every human interaction we experience. This significance is particularly pronounced in our rapidly evolving, digitized world, where multiple parties frequently do not have in-person interactions to exchange the sensitive and confidential information necessary for transactional purposes.

Therefore, every interaction must reinforce that the organization cares about – and has instituted effective practices in – all areas of digital trust.  

Trust is not a one-time achievement; it must be consistently earned, effectively communicated and actively reinforced. This creates a fertile environment to conduct business, which in turn fuels innovation, drives economic expansion and, ultimately, generates value for all parties engaged in the interactions. Trust becomes the bedrock upon which successful and mutually beneficial relationships are built.  

Edelman, which has studied trust for 20 years, puts it this way: “Trust is the foundation that allows an organization to take responsible risk, and, if it makes mistakes, to rebound from them. For a business, especially, lasting trust is the strongest insurance against competitive disruption, the antidote to consumer indifference, and the best path to continued growth. Without trust, credibility is lost and reputation can be threatened.”

Consider any consumer-driven sector and you’ll likely recognize the significant advantage that major, well-known brands have due to the trust they have painstakingly cultivated with customers. Think about how frequently you have been willing to pay a higher price for a purchase because you trust the provider to deliver on their promises, especially when compared to various competitors with less established reputations.

This trust factor often becomes a compelling driver of consumer choices, reflecting the value of a well-earned reputation for reliability and quality.

A digitally trustworthy organization understands the importance of upholding customer trust. Digital trust must be instilled throughout the organization, and initiatives should be built with digital trust in mind. This trust accrues over time. Establishing digital trust is an ongoing process that involves the continuing efforts not only regarding the creation but the maintenance of the larger ecosystem.

“Digital trust is the logical progression on the digital transformation path”

The Business Benefits of Digital Trust

Digital trust is the logical progression on the digital transformation path – in fact, three quarters of respondents to ISACA’s State of Digital Trust 2023 research indicate that digital trust is very or extremely important to digital transformation.

As businesses undergo digital transformation, customer expectations are evolving accordingly. While IT plays a pivotal role in this transformation, the shift toward prioritizing digital trust is largely being driven by businesses to benefit businesses.

Given its paramount importance to consumers and overall brand reputation, digital trust should be a central consideration across all facets of an enterprise. According to the State of Digital Trust research, the top benefits of digital trust include a positive reputation, fewer privacy breaches, fewer cybersecurity incidents, more reliable data, stronger customer loyalty, faster innovation and higher revenues.

With a list of benefits this impactful, digital trust should command the attention of boardrooms across all industries and geographies.

Digital trust involves all of us as stakeholders – including security leaders responsible for preventing data breaches that undermine trust, IT professionals who support information and systems integrity, marketing professionals who champion and promote an organization’s brand, and third-party providers upon whom the organization is reliant.

Digital trust serves as a significant catalyst for consumers’ decisions which will ultimately manifest – for better or worse – in a company’s financial performance.

Leadership’s Responsibility in the Trust Ecosystem

Leadership plays a crucial role in establishing digital trust through a concerted, organization-wide push. As with most elements that dictate a company’s success, leadership matters.

Everyone in the organization has a role in building and maintaining digital trust, but the responsibility for setting the direction and governance needs to start with senior executives.

Organizational leaders set and communicate the culture, priorities and expectations of digital trust through policies and structures, which are disseminated throughout the organization. From a governance perspective, either the full board of directors or a board committee needs to be given responsibility for governance and oversight of digital trust.

It is critically important that a focal point is created for the management team to provide updates on the advancement of digital trust to the board, similar to the practices of cybersecurity or IT audit teams. In doing so, a connection point is established for the management team to report in on digital trust progress at the board level, much like how cybersecurity or IT audit teams operate.

A Digital Trust Executive Council is a valid option to ensure proper direction and control over digital trust efforts. This would serve as a management council that should report into the executive management team and then ultimately to the board or designated committee that oversees digital trust.

The purpose of the digital trust council is to address the needs of an organization’s digital product and service consumers through the appropriate evaluation, prioritization and direction of digital trust activities, funding and programs that ultimately contribute to a trusted relationship. Consider this council the expert review panel and point of contact on digital trust decisions, measurements, guidance and alignment with the organization’s goals and objectives.

This governance connection is critically important. If organizations merely give superficial acknowledgment to the pursuit of digital trust without a governance structure and framework that is accountable to the board, then they are deceiving themselves into believing that they are making any meaningful efforts toward establishing genuine digital trust.

This is reminiscent of the old days when many companies were convinced that they were doing a great job on security without anything in the organization having a true security focus or investment – it was really just IT personnel running the show. We have learned and evolved a great deal since then, and digital trust will have to go through a similar transformation.

The role of security leadership is also crucial in establishing digital trust as a business imperative. To be effective, today’s CISOs must demonstrate their capability to wield influence and make a meaningful impact across the business.

“I think that’s the most important trait right now, because there are many security jobs that are technical analysis or coding, but to be a CISO, you have to be business-focused and be an executive leader because you’re going to be interfacing with the board, CEOs and other executives,” wrote 2021 CISO of the Year, Brennan P. Baybeck, VP & CISO for Customer Services, Oracle.

“You can’t just be talking about compliance and security all the time. You have to be helping to drive the business and directly aligning the security strategy activities to the business strategy, with a focus on enabling business,” he added.

Digital trust serves as a significant avenue for security leaders, especially CISOs, to break away from the perception that they are solely engrossed in cybersecurity with limited perspective. CISOs can effectively achieve this by championing a cross-functional digital trust team (more on this below) and ensuring that the team is resourced and supported appropriately.

ZERO TRUST SECURITY DEMYSTIFIED: Expert Insights, Proven Strategies, and Real World Implementations for Digital Defense: Your Roadmap to a Resilient Network and Unparalleled Data Protection

Trust: The wining formula for digital Leaders

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CISO, Enable Digital Trust, Security Leaders, Zero Trust


Mar 05 2024

Facebook, Instagram and Threads kicking users off with password reset

Category: Social networkdisc7 @ 10:56 am
https://www.theregister.com/2024/03/05/facebook_instagram_outage/

Millions of voices suddenly cried out in terror and were suddenly silenced

Tue 5 Mar 2024 // 16:16 UTC

UPDATED Those trying to log into Meta’s Facebook, Instagram, and Threads for their social media fixes are facing panic this morning after being locked out of their accounts.

“We’re aware people are having trouble accessing our services. We are working on this now,” Meta spokesperson Andy Stone said in a post on the social media site formerly known at Twitter. The latter site still up and running, presumably much to Elon’s delight.

“We are aware of an issue impacting Facebook Login. Our engineering teams are actively looking to resolve the issue as quickly as possible,” Meta said on its status page in a post timestamped at 0717 PT.

Folks trying to log into the Meta-owned accounts are told their passwords are wrong. Those trying to reset their password using two-factor authentication are told there’s an error and to try again. Needless to say it isn’t working.

According to Downdetector over half a million users logged complaints, a huge number given the reports are usually counted in the low thousands. The problems appear to have kicked off around 0700 PT (1500 UTC) but now appear to be dropping very slightly.

We’ll update this article as the situation progresses but in the meantime don’t panic – you haven’t been hacked. On the balance of probabilities it’s probably someone pushing the wrong button.

Let’s not forget, we’ve been here before and these things sort themselves out (usually). ®

Updated to add

The US Cybersecurity and Infrastructure Security Agency (CISA) was holding pre-scheduled press briefings this morning on election security and naturally the outage was one of the first questions asked.

“We are aware of the incident and at this time we are not aware of any specific election nexus or any specific malicious cyber activity nexus to the outage. But we are aware of the incident and the global scope of it,” a CISA spokesperson said.

It’s a big day for the US today: Super Tuesday, where 15 states elect delegates to decide which candidates will run for the presidency (Hint: It’s Trump v Biden). The outage has already set conspiracy theorists all aflutter, and some hacking groups are claiming responsibility for a cyber attack, in both cases without any evidence.

Final update

All services now appears to be coming back online.

“We are recovering from an earlier outage impacting Facebook Login, and services are in the process of being restored. We apologize for any inconvenience that this may have caused,” Meta said at 0907 PT.

Tags: facebook, Meta, outage


Mar 05 2024

ARE YOU AFFECTED? AMERICAN EXPRESS CREDIT CARDS COMPROMISED IN MASSIVE DATA LEAK

Category: Data Breach,pci dssdisc7 @ 7:26 am

In a recent unsettling development, American Express has confirmed that sensitive information related to its credit cards has been compromised due to a data breach at a third-party service provider. This incident has raised serious concerns about the security of financial data and the implications for customers worldwide.

THE BREACH EXPLAINED

The breach was reportedly executed by a third-party merchant processor, which inadvertently allowed the sensitive information of American Express cardholders to leak onto the dark web. This exposed data includes American Express Card account numbers, expiration dates, and possibly other personal information, putting customers at risk of fraud and identity theft.

American Express has been proactive in addressing the situation, notifying affected customers and urging them to remain vigilant for signs of unauthorized activity on their accounts. Despite the breach, American Express has emphasized that its own systems were not compromised, pointing to the external nature of the security lapse.

IMPACT ON CUSTOMERS

The exposure of credit card details in a third-party data breach is a stark reminder of the vulnerabilities that exist within the digital financial ecosystem. For customers, this incident underscores the importance of monitoring their financial statements regularly and reporting any suspicious transactions immediately.

American Express has assured its customers that it is taking the necessary steps to mitigate the impact of the breach. This includes offering free credit monitoring services to affected individuals to help protect their financial information from further misuse.

INDUSTRY-WIDE CONCERNS

This incident is not isolated, as data breaches involving third-party service providers have become increasingly common. The reliance on external vendors for processing financial transactions and handling sensitive data introduces additional risks that companies must manage. It highlights the need for stringent security measures and continuous vigilance to protect against cyber threats.

MOVING FORWARD

In response to the breach, American Express and other financial institutions are likely to reassess their relationships with third-party vendors and enhance their security protocols to prevent similar incidents in the future. This may involve more rigorous vetting processes, the implementation of advanced cybersecurity technologies, and closer collaboration between companies and their service providers to ensure the highest standards of data protection.

For customers, the breach serves as a critical reminder of the need to be proactive in safeguarding their personal and financial information. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and being cautious of phishing attempts and other online scams.

The exposure of American Express credit card details in a third-party data breach is a concerning event that highlights the ongoing challenges in securing financial data. As the digital landscape evolves, so too do the tactics of cybercriminals, making it imperative for both companies and consumers to remain vigilant and proactive in their cybersecurity efforts. American Express’s commitment to addressing the breach and supporting its customers is a positive step, but it also serves as a call to action for the industry to strengthen its defenses against future threats.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CREDIT CARDS COMPROMISED



« Previous PageNext Page »