InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Narrow AI (Weak AI): AI systems that are designed and trained for a specific task, such as facial recognition, language translation, or playing chess. These systems operate under a limited set of constraints and do not possess general intelligence. Examples include Siri, Alexa, and IBM’s Watson.
General AI (Strong AI): A theoretical form of AI that would have the ability to learn, understand, and apply intelligence across a wide range of tasks, much like a human being. General AI does not yet exist and remains a goal for future development.
Superintelligent AI: A hypothetical AI that surpasses human intelligence across all aspects, including creativity, decision-making, and emotional intelligence. This type is purely speculative at this point and often discussed in the context of ethical considerations and long-term AI safety.
2. Based on Functionality
Reactive Machines: The most basic type of AI that can only react to current situations without any memory or understanding of the past. An example is IBM’s Deep Blue, which played chess without learning from previous games.
Limited Memory: AI systems that can use past experiences or data to make decisions, albeit temporarily. Most modern AI applications, like self-driving cars, fall into this category as they use historical data to make real-time decisions.
Theory of Mind: This type of AI is in the conceptual stage and aims to understand human emotions, beliefs, and thoughts, and interact socially. Theory of Mind AI is not yet realized but is an area of active research.
Self-Aware AI: The most advanced form of AI, which would have its own consciousness, self-awareness, and emotions. This type does not currently exist and is largely a subject of science fiction and philosophical debate.
3. Based on Learning Techniques
AI comes in many forms. And while the general process of automated technology carrying out a series of tasks remains consistent, how and why this happens will vary. Here are some examples of different types of AI which you might come across.
Deep Learning
An evolution of machine learning, this more thorough approach sees AI programmed in such a way that they’re able to identify images, sounds, and text without the need for human input. While with machine learning you may have to physically describe an image to AI, with deep learning they will be able to process and understand it themselves.
Natural Language Processing (NLP)
If you’ve ever spoken to Siri, Alexa, or any other virtual assistant, you will have interacted with NLP. This technology is able to comprehend, manipulate, and generate human language in a way that allows it to have its very own “voice”. NLP can understand questions you give it, then respond accordingly. It can also be used in text form, such as a chatbot on a website.
Computer vision
This futuristic form of tech allows computers to interpret and analyze the human world through the classification of images and objects. In doing so, it allows an AI to see the world through the eyes of a living person. This kind of technology is most commonly associated with driverless cars, where the vehicle needs to be able to process the world around it as a normal driver would.
Machine Learning
This AI approach sees a series of data and algorithms run to formulate a picture of how a human would approach a situation or task. Over time, the program is able to adapt and even learn more about the human thinking process, which helps it to improve its overall accuracy.
Generative AI
A popular online fad in 2023, generative AI is the name given to technology which is able to create images, text, or other media independently. A user simply needs to input what they want created, with the AI able to draw on their input training to produce something that has similar characteristics.
Speech recognition
One of the oldest forms of AI, this tech is able to understand and interpret what you’re saying out loud, then convert it into text or audio format. This kind of technology is often confused with voice recognition – which instead of transcribing what you’re saying, will instead only be able to recognise the voice of the user.
Robotic Process Automation (RPA)
RPA technology is a software which makes it easier to build, deploy, and manage robots that emulate human interactions. The robotic helpers are able to carry out a number of tasks virtually, at speeds which humans would be incapable of replicating.
AI comes in many forms. And while the general process of automated technology carrying out a series of tasks remains consistent, how and why this happens will vary. Here are some examples of different types of AI which you might come across.
DISC LLC, situated at Sonoma county, CA, is dedicated to offering premier information security services. As a consultant specializing in information security, we pride ourselves in helping businesses across the United States build resilient security programs.
Our Expertise
vCISO Services
When are vCISO services most appropriate? Our expert virtual Chief Information Security Officer (vCISO) services are designed to build a robust security program that effectively detects and mitigates risks. Reach out to us today to develop a security program tailored to today’s challenges.
ISO 27001 and ISMS Implementation
We specialize in implementing ISO 27001 standards and establishing Information Security Management Systems (ISMS) that ensure your organization’s compliance with the highest industry standards. Achieve certification and maintain a strong competitive edge in security compliance.
Our detailed security risk assessment services identify potential threats and vulnerabilities in your systems. By understanding these risks, we develop strategic measures to counteract them, safeguarding your business from data breaches and other security incidents.
Ensuring Security Compliance – GRC Consulting
In the Information Security and Compliance industry, organizations are increasingly seeking services that help them manage the growing complexity of cyber threats and regulatory requirements.
Maintaining security compliance is crucial in today’s digital landscape. DISC LLC helps organizations navigate complex regulatory requirements, ensuring they meet all necessary standards to protect their data and operations.
Overview: As regulations and standards like GDPR, HIPAA, CCPA, and ISO 27001 become stricter, organizations seek expert advice to ensure compliance and reduce risk.
With the rapid adoption of cloud services, securing cloud environments (e.g., AWS, Azure, Google Cloud) is critical. Cloud security solutions focus on protecting data, identities, and workloads in cloud infrastructure.
With regulations like GDPR and CCPA, and with advent of an AI organizations need to implement measures that protect sensitive data, data governance and ensure that personal information is handled according to legal standards.
Protecting sensitive data and complying with privacy regulations is essential. AI systems must be designed to handle data securely and adhere to relevant legal and ethical standards
Expertise: Our team consists of experienced professionals with extensive knowledge in infosec and compliance.
Customized Solutions: We provide tailored security solutions that align with your unique business needs.
Proactive Approach: Our proactive approach ensures timely detection and mitigation of security risks.
Contact DISC LLC today at info@deurainfosec.com or call us at +17079985164 to learn more about how our services can fortify your organization’s security posture. Build a secure future with DISC LLC.
It’s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years. This is no surprise as the cloud is one of the main digital technologies developing in today’s fast-moving world. It’s encouraging that CEOs recognize that it’s crucial for them to champion the use of digital technologies to keep up with today’s evolving business environment.
However, there are still concerns about using cloud services and determining the best approach for adoption. It’s important to acknowledge that adapting to emerging technologies can be challenging, particularly with the constantly expanding range of products and services. As a business improvement partner, DISC collaborates with clients to identify key drivers and develop best practice standards that enhance resilience.
What Influences Organizations to Store Information on the Cloud?
Organizations should align their business strategy and objectives to determine the most suitable approach to cloud computing. This could involve opting for public cloud services, a private cloud, or a hybrid cloud solution, depending on their resources and priorities.
Security concerns remain the leading barrier to cloud adoption, especially with public cloud solutions. In fact, 91% of organizations are very or moderately worried about the security of public cloud environments. These concerns are not limited to IT departments; 61% of IT professionals believe that cloud data security is also a significant concern for executives.
Despite these challenges, many organizations are influenced by the benefits of managing information on the cloud. These benefits include:
Agility: you can respond more quickly and adapt to business changes
Scalable: cloud platforms are less restrictive on storage, size, number of users
Cost savings: no physical infrastructure costs or charges for extra storage, exceeding quotas etc
Enhanced security: standards and certification can show robust security controls are in place
Adaptability: you can easily adjust cloud services to make sure they best suit your business needs
Continuity: organizations are using cloud services as a backup internal solution
Standards to help you Manage Information on the Cloud
Standards that focus on putting appropriate frameworks and controls in place to manage cloud security.
ISO/IEC 27001international standard for an Information security management system (ISMS). It is the foundation of all our cloud security solutions. It describes the requirements for a best practice system to manage information security including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system.
It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It’s relevant to all types of organizations regardless of whether they are involved with cloud services or not, to help with managing information security against recognized best practices.
ISO/IEC 27017is an international code of practice for cloud security controls. It outlines cloud-specific controls to manage security, building on the generic controls described in ISO/IEC 27002. It’s applicable to both Cloud Service Providers (CSPs) and organizations procuring cloud services.
It provides support by outlining roles and responsibilities for both parties, ensuring all cloud security concerns are addressed and clearly owned. Having ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients.
ISO/IEC 27018 is an international code of practice for Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important considering the changing privacy landscape and focus on protecting sensitive personal data.
All businesses need to continually evolve their cybersecurity management in order to effectively manage the cyber risks associated with cloud use. Request to learn more.
Adopt these standards today to ensure your organization effectively manages data in the cloud.
How to build a world class ISMS:
ISO 27001 serves as the foundation for ISO 27017, ISO 27018, and ISO 27701.
After conducting the risk assessment, it’s essential to compare the controls identified as necessary with those listed in Annex A to ensure no important controls were overlooked in managing the risks. This serves as a quality check for the risk assessment, not as a justification for using or not using any controls from Annex A. This process should be done for each risk identified in the assessment to see if there are opportunities to enhance it.
Any controls that you discover were unintentionally “omitted” from the risk assessment can come from any source (NIST, HIPAA, PCI, or CIS Critical Security Controls) and are not restricted to those in Annex A.
One should consider CIS Controls to strengthen one of the above frameworks when building your ISMS. CIS Controls is updated frequently than frameworks and are highly effective against the top five attack types found in industry threat data, effectively defending against 86% of the ATT&CK (sub)techniques in the MITRE ATT&CK framework.
Statement of Applicability (SoA) is typically developed after conducting a risk assessment in ISO 27001. The risk assessment identifies the information security risks that the organization faces and determines the appropriate controls needed to mitigate those risks.
In ISO 27001, the Statement of Applicability (SoA) is a key document that outlines which information security controls from Annex A ( or from (NIST, HIPAA, PCI, or CIS Critical Security Controls)) are applicable to an organization’s Information Security Management System (ISMS). The SoA provides a summary of the controls selected to address identified risks, justifies why each control is included or excluded, and details how each applicable control is implemented. It serves as a reference to demonstrate compliance with ISO 27001 requirements and helps in maintaining transparency and accountability in the ISMS.
The SoA is essential for internal stakeholders and external auditors to understand the rationale behind the organization’s approach to managing information security risks.
Cloud shared responsibilities:
Most companies appear to be operating in the hybrid or public cloud space, often without fully realizing it, and need to gain a better understanding of this environment.
Cloud shared responsibilities refer to the division of security and compliance responsibilities between a cloud service provider (CSP) and the customer. This model outlines who is responsible for specific aspects of cloud security, depending on the type of cloud service being used: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
The division of responsibilities varies based on the cloud service model:
IaaS: The CSP manages the basic infrastructure, but the customer is responsible for everything else, including operating systems, applications, and data.
PaaS: The CSP manages the infrastructure and platform, while the customer focuses on application development, data management, and user access.
SaaS: The CSP handles most security aspects, including applications and infrastructure, while the customer is primarily responsible for data security and user access management.
Understanding the shared responsibility model is crucial for ensuring that both the CSP and the customer are aware of their respective roles in maintaining cloud security, compliance and last but not the least managing risks in the cloud environment.
In summary, The shift to cloud computing is expected to influence over $1 trillion in IT spending over the next five years as companies increasingly adopt digital technologies to stay competitive. Despite the benefits of cloud computing—such as agility, scalability, cost savings, and enhanced security—many organizations face challenges, particularly around security concerns, which are a major barrier to cloud adoption. To navigate these challenges, businesses need to align their cloud strategies with their objectives, choosing between public, private, or hybrid cloud solutions. Additionally, implementing standards like ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 can help manage cloud security and compliance effectively by providing frameworks for managing information security risks and ensuring data protection. Understanding the shared responsibility model is also crucial for cloud security, as it defines the distinct roles of cloud service providers and customers in maintaining a secure cloud environment.
Welcome to DISC LLC – Your Trusted Computer Security Service Provider
At DISC LLC, we specialize in providing top-notch computer security services to businesses across the United States. Our team of expert consultants is here to help you build a robust security program that effectively detects and mitigates risks. For those looking for comprehensive security solutions, our vCISO services are perfectly tailored to meet today’s challenges.
Why Choose Our vCISO Services?
Our expert virtual Chief Information Security Officers (vCISOs) bring a wealth of experience and knowledge to your organization. We understand the crucial role of information security and offer strategic guidance to establish a solid security foundation. Our services are most appropriate when:
Your business requires an experienced security leader but cannot afford a full-time CISO.
You need to establish or improve your Information Security Management System (ISMS).
Your organization is undergoing a security risk assessment and needs expertise to navigate the process smoothly.
Our Core Services
At DISC LLC, we focus on the most critical aspects of information security.
ISO 27001 Compliance: Achieve and maintain compliance with this international standard for information security management.
Development and implementation of a robust ISMS: We help you build a comprehensive management system to safeguard your information assets.
Comprehensive security risk assessments: Identify, evaluate, and mitigate risks that could potentially impact your organization.
Contact Us
Ready to develop a security program that meets today’s challenges? Reach out to us today.
WordPress admins using the Litespeed Cache plugin must update their sites with the latest plugin release to address a critical vulnerability. Exploiting the flaw allows an unauthenticated attacker to take control of target websites.
LiteSpeed Cache Plugin Vulnerability Could Allow Site Takeover
The security researcher John Blackbourn from PatchStack discovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin. LiteSpeed Cache for WordPress offers an exclusive server-level cache and numerous site optimization features. The plugin boasts over 5 million active installations, indicating its popularity among WordPress users. Nonetheless, it also shows how any vulnerability in the plugin potentially threatens millions of websites. Specifically, the vulnerability existed in the plugin’s crawler feature that exhibits a user simulation functionality to perform crawler requests as authenticated users. However, due to a weak security hash in this feature, the plugin allowed an unauthenticated adversary to spoof an authenticated user and gain elevated site privileges. The worst exploitation scenarios even allowed the installation of malicious plugins and a complete site takeover. This vulnerability, identified as CVE-2024-28000, received a critical severity rating and a CVSS score of 9.8. It affected all plugin releases until 6.3.0.1. Detailed technical analysis of the vulnerability is available in the recent post from PatchStack.
Vulnerability Patched With Latest Plugin Release
Upon noticing the vulnerability, Blackbourn responsibly disclosed the flaw via Patchstack to the plugin developers. In response, the developers patched the vulnerability with the LiteSpeed Cache plugin version 6.4. The researcher also received a $14,400 bounty under the Patchstack Zero Day program for this bug report. Since the patch has arrived, all WordPress admins must update their sites with the latest plugin release to avoid potential threats. Ideally, users should update to the LiteSpeed Cache plugin version 6.4.1, which appears as the latest release on the plugin’s official page.
Deura Information Security Consulting offers comprehensive vCISO services designed to build robust security programs that effectively detect and mitigate risks. Our seasoned consultants will work with you to develop a security strategy tailored to meet today’s challenges.
Achieve Compliance with ISO 27001
Securing your information assets and achieving compliance is crucial. Our experts specialize in assisting businesses with ISO 27001 implementation. Benefit from our extensive experience in information security management systems (ISMS) to ensure your organization meets the stringent requirements of ISO 27001.
Services Offered
vCISO Services: Enhance your organization’s security posture with our virtual Chief Information Security Officer services.
ISO 27001 Implementation: Guidance on compliance and certification processes to achieve ISO 27001.
Security Risk Assessment:
Information Security Management Systems (ISMS):
Security Compliance Management:
Why Choose Us
At Deura Information Security Consulting, our focus is on creating and implementing security programs that address your specific needs. Contact us at info@deurainfosec.com or call +1 707-998-5164 to schedule a consultation.
Our extensive industry knowledge ensures that your security infrastructure is built to detect and mitigate risks effectively. Choose Deura Information Security Consulting for expert vCISO services and ISO 27001 compliance support.
Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.
This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac addresses a critical zero-day vulnerability actively exploited in the wild.
The update includes 38 security fixes, with particular attention to those contributed by external researchers.
Details of the Zero-Day Vulnerability
The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.
The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.
While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.
The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.
This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.
In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.
Below is a table summarizing the key vulnerabilities addressed in this update:
The configuration contained transport layer security (TLS) bootstrap tokens that the attacker could extract and use to perform a TLS bootstrap attack. This would grant the attacker the ability to read all secrets within the cluster.
Notably, the attack did not require the compromised Pod to be running with hostNetwork enabled or as the root user. This significantly expanded the attack surface.
The attack involved accessing the undocumented Azure WireServer component at http://168.63.129.16/machine/?comp=goalstate and the HostGAPlugin endpoint at http://168.63.129.16:32526/vmSettings.
The attacker could retrieve a key from the WireServer to decrypt protected settings values. They could then request the JSON document from HostGAPlugin, parse it, and Base64 decode it to obtain the encrypted provisioning script (protected_settings.bin).
Using the WireServer key, the attacker could decrypt protected_settings.bin to access the cluster’s provisioning script (cse_cmd.sh). This script contained several secrets as environment variables, including:
The Linux Foundation and OpenSSF released a report on the state of education in secure software development.
…many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment  system operations, software developers, committers, and maintainers  self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.
The report analyzes the dynamics among C-suite executives to better understand issues that prevent risk reduction, stall or complicate compliance, and create barriers to cyber resilience.
CISOs pressured with AI, cybersecurity risk tradeoffs, and budget
While CISOs are often responsible for technology implementation, they are not getting the support they need at a strategic level. Researchers found that 73% of CISOs expressed concern over cybersecurity becoming unwieldy, requiring risk-laden tradeoffs, compared to only 58% of both CIOs and CTOs.
Additionally, 73% of CISOs feel more pressure to implement AI strategies versus just 58% of CIOs and CTOs. These pressures pair with the fact that 66% of CISOs believe reactive budgets cause a lack of proactive cybersecurity measures, compared to 55% of CIOs and 53% of CTOs feeling the same way.
C-suite alignment could clarify cybersecurity priorities
Effective cybersecurity strategies require top-down leadership and alignment with the perspectives of non-C-suite professionals directly involved in technology development, security implementation, and operational support.
CISOs expressed more concern about cybersecurity’s operational and strategic challenges. The missing component is alignment among the different interests represented by the other roles: CTOs were concerned with the impact of compliance on innovation and competitiveness, aligning with their focus on technology development. Conversely, CIOs balance broader strategic perspectives, encompassing risk management, compliance, and adopting new technologies.
Based on roles, it is not surprising most CIOs (92%) are more inclined to embrace uncertainty concerning cyber threats, compared to 81% of CTOs and 75% of CISOs. These differences in tolerance are important to discuss when creating a cybersecurity strategy that considers business priorities.
“Understanding the C-suite’s business priorities is critical for shaping effective cybersecurity strategies,” said Theresa Lanowitz, Chief Evangelist of LevelBlue. “Identifying how these essential roles look at the business helps to ensure alignment among CIOs, CTOs, and CISOs, as well as the teams that report into them. It’s a key first step towards bolstering cyber defenses, especially with the CEO and Board support.”
External pressures
CTOs view compliance as an obstacle to innovation. 73% of CTOs (compared to 55% CIOs and 61% CISOs) are concerned about regulations hindering competitiveness and are more likely to perceive compliance as an obstacle to innovation. In contrast, CIOs and CISOs view compliance as an integral component of risk management and operational stability, essential for maintaining a secure and reliable organizational environment.
The supply chain has hidden risks, and the importance of those risks varies. Nearly three in four CIOs (74%) and CISOs (73%) find it challenging to assess the cybersecurity risk from their supply chain, compared to only 64% of CTOs. This suggests that CIOs and CISOs are more involved in evaluating external risks and dependencies, while CTOs focus more on internal technology infrastructure.
C-Suite alignment on cloud computing supports cybersecurity resilience. There was little difference in the perception of cloud computing’s ability to provide cybersecurity resilience among CIOs, CTOs, and CISOs, with 83%, 82%, and 80%, respectively, acknowledging its benefits. This consensus indicates a shared recognition among these executive roles of cloud solutions’ value in enhancing cybersecurity.
A sophisticated threat activity cluster, STAC6451, has been identified targeting Microsoft SQL servers.
This cluster, primarily observed by Sophos Managed Detection and Response (MDR) teams, has compromised organizations by exploiting SQL server vulnerabilities.
The attackers have been using a combination of brute-force attacks, command execution, and lateral movement techniques to infiltrate and compromise networks.
This article delves into the intricate details of the STAC6451 attacks, the techniques employed, and the implications for organizations worldwide.
Overview: Microsoft SmartScreen is a cloud-based anti-phishing and anti-malware component that comes integrated with various Microsoft products like Microsoft Edge, Internet Explorer, and Windows. It is designed to protect users from malicious websites and downloads.
Key Features:
URL Reputation:
SmartScreen checks the URL of websites against a list of known malicious sites stored on Microsoft’s servers. If the URL matches one on the list, the user is warned or blocked from accessing the site.
Application Reputation:
When a user downloads an application, SmartScreen checks its reputation based on data collected from other users who have downloaded and installed the same application. If the app is deemed suspicious, the user is warned before proceeding with the installation.
Phishing Protection:
SmartScreen analyzes web pages for signs of phishing and alerts the user if a site appears to be trying to steal personal information.
Malware Protection:
The system can identify and block potentially malicious software from running on the user’s device.
Integration with Windows Defender:
SmartScreen works in conjunction with Windows Defender to provide a layered security approach, ensuring comprehensive protection against threats.
How it Works:
URL and App Checks:
When a user attempts to visit a website or download an application, SmartScreen sends a request to the SmartScreen service with the URL or app details.
The service checks the details against its database and returns a verdict to the user’s device.
Based on the verdict, the browser or operating system either allows, blocks, or warns the user about potential risks.
Telemetry and Feedback:
SmartScreen collects telemetry data from users’ interactions with websites and applications, which helps improve the accuracy of its threat detection algorithms over time.
Smart App Control (SAC)
Overview: Smart App Control (SAC) is a security feature in Windows designed to prevent malicious or potentially unwanted applications from running on the system. It is an evolution of the earlier Windows Defender Application Control (WDAC) and provides advanced protection by utilizing cloud-based intelligence and machine learning.
Key Features:
Predictive Protection:
SAC uses machine learning models trained on a vast amount of data to predict whether an application is safe to run. It blocks apps that are determined to be risky or have no known good reputation.
Cloud-Based Intelligence:
SAC leverages Microsoft’s cloud infrastructure to continuously update its models and threat intelligence, ensuring that protection is always up-to-date.
Zero Trust Model:
By default, SAC assumes that all applications are untrusted until proven otherwise, aligning with the zero trust security model.
Seamless User Experience:
SAC operates silently in the background, allowing trusted apps to run without interruptions while blocking potentially harmful ones. Users receive clear notifications and guidance when an app is blocked.
Policy Enforcement:
Administrators can define policies to control app execution on enterprise devices, ensuring compliance with organizational security standards.
How it Works:
App Analysis:
When an app attempts to run, SAC sends its metadata to the cloud for analysis.
The cloud service evaluates the app against its machine learning models and threat intelligence to determine its risk level.
Decision Making:
If the app is deemed safe, it is allowed to run.
If the app is determined to be risky or unknown, it is blocked, and the user is notified with an option to override the block if they have sufficient permissions.
Policy Application:
SAC policies can be customized and enforced across an organization to ensure consistent security measures on all managed devices.
Integration with Windows Security:
SAC is integrated with other Windows security features like Microsoft Defender Antivirus, providing a comprehensive defense strategy against a wide range of threats.
Despite the robust protections offered by Microsoft SmartScreen and Smart App Control (SAC), some techniques can sometimes bypass these features through several sophisticated techniques.
1. Signed Malware Bypassing Microsoft SmartScreen and SAC
1. Valid Digital Signatures:
Stolen Certificates: Cybercriminals can steal valid digital certificates from legitimate software developers. By signing their malware with these stolen certificates, the malware can appear trustworthy to security features like SmartScreen and SAC.
Bought Certificates: Attackers can purchase certificates from Certificate Authorities (CAs) that might not perform thorough background checks. These certificates can then be used to sign malware.
2. Compromised Certificate Authorities:
If a Certificate Authority (CA) is compromised, attackers can issue valid certificates for their malware. Even if the malware is signed by a seemingly reputable CA, it can still be malicious.
3. Certificate Spoofing:
Advanced attackers may use sophisticated techniques to spoof digital certificates, making their malware appear as if it is signed by a legitimate source. This can deceive security features into trusting the malware.
4. Timing Attacks:
Some malware authors time their attacks to take advantage of the period between when a certificate is issued and when it is revoked or added to a blacklist. During this window, signed malware can bypass security checks.
5. Use of Legitimate Software Components:
Attackers can incorporate legitimate software components into their malware. By embedding malicious code within a signed, legitimate application, the entire package can be trusted by security features.
6. Multi-Stage Attacks:
Initial stages of the malware may appear harmless and thus be signed and trusted. Once the initial stage is executed and trusted by the system, it can download and execute the actual malicious payload.
7. Social Engineering:
Users may be tricked into overriding security warnings. For example, if SmartScreen or SAC blocks an application, an attacker might use social engineering tactics to convince the user to manually bypass the block.
2. How Reputation Hijacking Bypasses Microsoft SmartScreen and SAC
Compromised Legitimate Websites:
Method: Attackers compromise a legitimate website that has a strong reputation and inject malicious content or host malware on it.
Bypass Mechanism: Since SmartScreen relies on the reputation of websites to determine if they are safe, a website with a previously good reputation may not trigger alerts even if it starts serving malicious content. Users are not warned because the site’s reputation was established before the compromise.
Trusted Domains and Certificates:
Method: Attackers use domains with valid SSL certificates issued by trusted Certificate Authorities (CAs) to host malicious content.
Bypass Mechanism: SmartScreen and SAC check for valid certificates as part of their security protocols. A valid certificate from a trusted CA makes the malicious site appear legitimate, thus bypassing the security checks that would flag a site with an invalid or self-signed certificate.
Embedding Malware in Legitimate Software:
Method: Attackers inject malicious code into legitimate software or its updates.
Bypass Mechanism: If the legitimate software has a good reputation and is signed with a valid certificate, SmartScreen and SAC are less likely to flag it. When users update the software, the malicious payload is delivered without triggering security warnings because the update appears to be from a trusted source.
Phishing with Spoofed Emails:
Method: Attackers send phishing emails that appear to come from trusted sources, often using spoofed email addresses.
Bypass Mechanism: Users are more likely to trust and open emails from familiar and reputable sources. SmartScreen may not always catch these emails, especially if they come from legitimate domains that have been spoofed, leading users to malicious websites or downloads.
Domain and Subdomain Takeover:
Method: Attackers take over expired or unused domains and subdomains of reputable sites.
Bypass Mechanism: Since the domain or subdomain was previously associated with a legitimate entity, SmartScreen and SAC may continue to trust it based on its historical reputation. This allows attackers to serve malicious content from these domains without raising security flags.
Social Engineering Attacks:
Method: Attackers trick users into overriding security warnings by posing as legitimate sources or using persuasive tactics.
Bypass Mechanism: Even if SmartScreen or SAC warns users, skilled social engineering can convince them to bypass these warnings. Users might disable security features or proceed despite warnings if they believe the source is trustworthy.
3. How Reputation Seeding Bypasses Microsoft SmartScreen and SAC
Reputation seeding is a tactic where attackers build a positive reputation for malicious domains, software, or email accounts over time before launching an attack. This can effectively bypass security measures like Microsoft SmartScreen and Smart App Control (SAC) because these systems often rely on reputation scores to determine the trustworthiness of an entity. Here’s how reputation seeding works and strategies to mitigate it:
How Reputation Seeding Works
Initial Clean Activity:
Method: Attackers initially use their domains, software, or email accounts for legitimate activities. This involves hosting benign content, sending non-malicious emails, or distributing software that performs as advertised without any harmful behavior.
Bypass Mechanism: During this period, SmartScreen and SAC observe and record these entities as safe and build a positive reputation for them. Users interacting with these entities during the seeding phase do not encounter any security warnings.
Gradual Introduction of Malicious Content:
Method: Over time, attackers start to introduce malicious content slowly. This might involve adding malware to software updates, injecting harmful code into websites, or sending phishing emails from trusted accounts.
Bypass Mechanism: Because the entities have already established a positive reputation, initial malicious activities may not be immediately flagged by SmartScreen or SAC, allowing the attackers to reach their targets.
Leveraging Established Trust:
Method: Once a strong reputation is established, attackers conduct large-scale malicious campaigns. They leverage the trust built over time to bypass security checks and deceive users.
Bypass Mechanism: The established positive reputation causes security systems to consider these entities as low-risk, allowing malware or phishing attempts to bypass filters and reach users without triggering alarms.
Typical Timeframes for Reputation Seeding
Websites:
Short-Term (Weeks): Initial establishment of a website with benign content and basic user interactions.
Medium-Term (Months): Gaining backlinks, increasing traffic, and more extensive content creation.
Long-Term (6+ Months): Strong reputation with significant traffic, positive user interactions, and established trust.
Software:
Short-Term (Weeks): Initial distribution and passing basic security checks.
Medium-Term (Months): Accumulating downloads, positive user reviews, and routine updates.
Long-Term (6+ Months): Strong reputation with widespread usage and consistently positive feedback.
Email Accounts:
Short-Term (Weeks): Initial legitimate emails and normal interactions.
Medium-Term (1-2 Months): Building trust through regular, benign communication.
Long-Term (3+ Months): Established trust with consistent, non-malicious activity.
4 .How Reputation Tampering Bypasses Microsoft SmartScreen and SAC
Reputation tampering, particularly in the context of Smart App Control (SAC), can exploit the way SAC assesses and maintains the reputation of files. Given that SAC might use fuzzy hashing, feature-based similarity comparisons, and machine learning models to evaluate file reputation, attackers can manipulate certain segments of a file without changing its perceived reputation. Here’s a deeper dive into how this works and the potential implications:
How Reputation Tampering Works in SAC
Fuzzy Hashing:
Method: Unlike traditional cryptographic hashing, which changes completely with any alteration to the file, fuzzy hashing allows for minor changes without drastically altering the hash value. This means that files with small modifications can still be considered similar to the original.
Attack: Attackers modify segments of the file that do not significantly affect the fuzzy hash value, allowing the file to retain its reputation.
Feature-Based Similarity Comparisons:
Method: SAC may use feature-based similarity comparisons to evaluate files. These features could include metadata, structural attributes, or specific code patterns that are consistent with known good files.
Attack: By understanding which features are used and ensuring that these remain unchanged while modifying other parts of the file, attackers can maintain the file’s good reputation.
Machine Learning Models:
Method: Machine learning models in the cloud may analyze files based on patterns learned from a large dataset of known good and bad files. These models might use a variety of indicators beyond simple hashes.
Attack: Through trial and error, attackers identify which code sections can be altered without changing the overall pattern recognized by the ML model as benign. They can then inject malicious code into these sections.
5. How LNK stomping Bypasses Microsoft SmartScreen and SAC
LNK stomping is a technique where attackers modify LNK (shortcut) files to execute malicious code while appearing legitimate to users and security systems. By leveraging the flexibility and capabilities of LNK files, attackers can disguise their malicious intentions and bypass security features such as Microsoft SmartScreen and Smart App Control (SAC). Here’s how LNK stomping works and how it can bypass these security features:
How LNK Stomping Works
Creating a Malicious LNK File:
Method: Attackers create an LNK file that points to a legitimate executable or document but includes additional commands or scripts that execute malicious code.
Example: An LNK file might appear to open a PDF document, but in reality, it executes a PowerShell script that downloads and runs malware.
Modifying Existing LNK Files:
Method: Attackers modify existing LNK files on a target system to include malicious commands while retaining their original appearance and functionality.
Example: An LNK file for a commonly used application (e.g., a web browser) is modified to first execute a malicious script before launching the application.
Embedding Malicious Code:
Method: Attackers embed malicious code directly within the LNK file, taking advantage of the file’s structure and features.
Example: An LNK file might contain embedded shell commands that execute when the shortcut is opened.
Understanding the MotW Bypass via LNK File Manipulation
The Mark of the Web (MotW) is a critical security feature used to flag files downloaded from the internet, making them subject to additional scrutiny by antivirus (AV) and endpoint detection and response (EDR) systems, including Microsoft SmartScreen and Smart App Control (SAC). However, certain techniques can bypass this feature, allowing potentially malicious files to evade detection. Here, we’ll explore how manipulating LNK (shortcut) files can bypass MotW checks
Manually Creating an LNK File with a Non-Standard Target Path
Locate the PowerShell Script:
Ensure you have the path to the PowerShell script, for example, C:\Scripts\MyScript.ps1.
Create the Shortcut:
Right-click on the desktop or in the folder where you want to create the shortcut.
Select New > Shortcut.
Enter the Target Path:
In the “Type the location of the item” field, enter the following command with a non-standard path:
powershell.exe -File "C:\Scripts\MyScript.ps1."
Notice the extra dot at the end of the script path.
Name the Shortcut:
Enter a name for your shortcut (e.g., Run MyScript Non-Standard).
Click Finish.
Verify the Target Path:
Right-click the newly created shortcut and select Properties.
In the Target field, you should see:
powershell.exe -File "C:\Scripts\MyScript.ps1."
Click OK to save the changes.
By following these steps, you can create an LNK file that points to a PowerShell script with a non-standard target path. This can be used for testing how such files interact with security features like SmartScreen and Smart App Control.
Manually Creating an LNK File with a Relative Path
Locate the PowerShell Script:
Ensure you have the relative path to the PowerShell script within its directory structure, for example, .\Scripts\MyScript.ps1.
Create the Shortcut:
Right-click on the desktop or in the folder where you want to create the shortcut.
Select New > Shortcut.
Enter the Target Path:
In the “Type the location of the item” field, enter the following command with a relative path:
powershell.exe -File ".\Scripts\MyScript.ps1"
Click Next.
Name the Shortcut:
Enter a name for your shortcut (e.g., Run MyScript Relative).
Click Finish.
Verify the Target Path:
Right-click the newly created shortcut and select Properties.
In the Target field, you should see:
powershell.exe -File ".\Scripts\MyScript.ps1"
Click OK to save the changes.
Manually Creating an LNK File with a multi-level path
To create an LNK file with a multi-level path in the target path array, we need to manipulate the internal structure of the LNK file to contain a non-standard target path. This involves using a utility or script that can handle the creation and modification of LNK files with detailed control over their internal structure.
Here’s a step-by-step guide to creating such an LNK file using PowerShell and a specialized library for handling LNK files, pylnk3, which is a Python-based library. For this example, you will need to have Python installed along with the pylnk3 library.
Step-by-Step Guide
Prerequisites
Install Python:
If you don’t have Python installed, download and install it from the official website: Python.org.
Install pylnk3 Library:
Open a command prompt or terminal and run the following command to install pylnk3:shCopy codepip install pylnk3
Creating a Multi-Level Path LNK File
Create a Python Script to Generate the LNK File:
Create a Python script (e.g., create_lnk.py) with the following content:
import lnk
# Define the path for the new shortcut
shortcut_path = "C:\\Users\\Public\\Desktop\\MyScriptShortcutMultiLevel.lnk"
# Create a new LNK file
lnk_file = lnk.lnk_file()
# Set the target path with multi-level path entries
lnk_file.add_target_path_entry("..\\..\\Scripts\\MyScript.ps1")
# Set the arguments for the target executable
lnk_file.command_line_arguments = "-File .\\Scripts\\MyScript.ps1"
# Save the LNK file
with open(shortcut_path, "wb") as f:
lnk_file.write(f)
print(f"Shortcut created at: {shortcut_path}")
Run the Python Script:
Open a command prompt or terminal and navigate to the directory where your Python script is located.
Run the script using the following command:shCopy codepython create_lnk.py
Explanation
lnk.lnk_file(): Creates a new LNK file object.
add_target_path_entry: Adds entries to the target path array. Here, we use a relative path (..\\..\\Scripts\\MyScript.ps1) to simulate a multi-level path.
command_line_arguments: Sets the arguments passed to the target executable. In this case, we pass -File .\Scripts\MyScript.ps1.
write: Saves the LNK file to the specified path.
Additional Notes
Relative Paths: The use of relative paths (..\\..\\) in the target path entries allows us to create a multi-level path structure within the LNK file.
Non-Standard Structures: By manipulating the internal structure of the LNK file, we can craft paths that might bypass certain security checks.
Running the LNK File
After creating the LNK file, you can test its behavior by double-clicking it. The crafted LNK file should follow the relative path and execute the target PowerShell script, demonstrating how non-standard paths can be used within an LNK file.
The article “Dismantling Smart App Control” by Elastic Security Labs explores the vulnerabilities and bypass techniques of Windows Smart App Control (SAC) and SmartScreen. For more details, you can read the full article here.
What key factors have contributed to increased personal liability risks for CISOs?
The role of the CISO has evolved significantly over the past year. The notable shift toward increased personal liability is largely the result of three factors:
First, organizations are at greater cybersecurity risk than ever. Attackers and their wares are growing more advanced by the day. At the same time, for all their benefits, new technologies, such as AI, often result in increasingly complex digital infrastructures that may hide security vulnerabilities ripe for the picking.
Second, the evolving regulatory landscape. Laws such as the Digital Operations Resiliency Act (DORA) in Europe and various new regulations from the US Securities and Exchange Commission (SEC) legally place personal responsibility for data breaches squarely on the shoulders of the CISO.
Finally, broader public awareness of security lapses. The SEC now requires publicly traded companies to disclose material cybersecurity incidents within four days. This is on top of the Strengthening American Cybersecurity Act that requires entities that own or operate critical infrastructure to report cyber incidents and ransom payments within 24 to 72 hours.
How have high-profile cyber incidents influenced the perception and reality of personal liability for CISOs?
Even if many organizations are now required to disclose cybersecurity incidents in a timely manner—as I just mentioned—that doesn’t mean all of those incidents become common knowledge. In fact, relatively few do. High-profile cybersecurity breaches—the incidents that most affect the general public—are those that drive intensified public scrutiny. As these incidents grab headlines, customers demand change. Unfortunately for the CISO, in these cases, perception is reality, and they often become the sacrificial lamb even if a broader set of executives and board members should share liability.
What proactive steps can CISOs take to mitigate the risk of personal liability?
As the saying goes, “an ounce of prevention is worth a pound of cure.” So, first and foremost, do your core job by strengthening your organization’s cyber resilience. Ensure your team has the resources, skills and guidance to maintain visibility into all of your assets; properly configure perimeter defenses; protect business-critical data and apps with a robust backup and recovery strategy; enforce strong security policies for things like passwords, the principle of least privilege and remote and personal device access; conduct effective employee cybersecurity awareness training; and finally, test and rehearse, test and rehearse, test and rehearse.
It also helps to fight fire with fire. Cybercriminals are using AI to improve their tactics. Implementing AI-powered technology to improve the effectiveness of each of the above cyber resilience steps will help ensure you stay one step ahead of bad actors and avoid the risk of being held personally liable for a successful breach.
Another key is establishing clear lines of communication with other executive leaders and board members. Be completely transparent and avoid the temptation to paper over emerging and potential issues you don’t quite yet understand or have the resources to deal with. It’s much better to be able to say, “I told you so,” than, “should have, could have, would have.”
How effective are directors and officers insurance policies in protecting CISOs from personal liability?
Directors and officers (D&O) liability insurance can offer some protection for the CISO, but its effectiveness in the dynamic realm of cybersecurity is not 100% certain. These policies typically cover legal fees and damages resulting from lawsuits against executives for decisions made in their professional capacities, but regulations that include personal accountability for cybersecurity failures might challenge the scope and limits of traditional D&O coverage. Insurance providers may need to adjust their policies to address the specific risks faced by CISOs. While this will lead to more effective, tailored coverage, it could also potentially lead to higher premiums or so many exclusions that it becomes impractical.
How can organizations better support their CISOs to ensure they are not unfairly held liable for cyber incidents?
Organizations need to develop a culture of welcomed transparency. If the CISO is afraid to bring hard truths to the executive leadership team and board, there’s a problem. On our team, we tend not really even talk about the things that are going well. Instead, we focus almost exclusively on what we need to improve. Red flags aren’t something we avoid, but embrace, so everyone is aware of risks and potential vulnerabilities.
Just as important, even the best security team will fail if not given necessary resources. This includes not just ongoing budgetary support to execute the above cyber resilience strategies, but also the authority to implement critical security measures. If security recommendations are consistently overridden or ignored by other parts of the organization, the CISO’s efforts become futile.
What advice would you give to current and aspiring CISOs in navigating the complexities of personal liability?
The biggest area of improvement needed for most CISOs is communication skills. As I stated, transparency is just as important as anything else in avoiding cybersecurity breaches and the resulting risk of personal liability, and transparency requires effective communication. Not only that, but negotiating for the resources you need to execute the cyber resilience strategies that will protect both your organization and you also requires effective communication. Lastly, effective communication plays a key role in your ability to get organization-wide buy-in to cybersecurity best practices by positioning cybersecurity as a business enabler rather than hindrance.
Injecting spoofed headers with email relaying involves manipulating the email headers to disguise the true origin of an email, making it appear as if it was sent from a legitimate source. Here’s a detailed explanation of how this process works:
1. Understanding Email Headers
Email headers contain vital information about the sender, recipient, and the path an email takes from the source to the destination. Key headers include:
From: The email address of the sender.
To: The recipient’s email address.
Subject: The subject line of the email.
Received: Information about the mail servers that handled the email as it traveled from sender to recipient.
Return-Path: The email address where bounces and error messages should be sent.
2. Email Relaying
Email relaying is the process of sending an email from one server to another. This is typically done by SMTP (Simple Mail Transfer Protocol) servers. Normally, email servers are configured to relay emails only from authenticated users to prevent abuse by spammers.
3. Spoofing Headers
Spoofing email headers involves altering the email headers to misrepresent the email’s source. This can be done for various malicious purposes, such as phishing, spreading malware, or bypassing spam filters. Here’s how it can be done:
a. Crafting the Spoofed Email
An attacker can use various tools and scripts to create an email with forged headers. They might use a command-line tool like sendmail, mailx, or a programming language with email-sending capabilities (e.g., Python’s smtplib).
b. Setting Up an Open Relay
An open relay is an SMTP server configured to accept and forward email from any sender to any recipient. Attackers look for misconfigured servers on the internet to use as open relays.
c. Injecting Spoofed Headers
The attacker crafts an email with forged headers, such as a fake “From” address, and sends it through an open relay. The open relay server processes the email and forwards it to the recipient’s server without verifying the authenticity of the headers.
d. Delivery to Recipient
The recipient’s email server receives the email and, based on the spoofed headers, believes it to be from a legitimate source. This can trick the recipient into trusting the email’s content.
4. Example of Spoofing Email Headers
Here’s an example using Python’s smtplib to send an email with spoofed headers:
import smtplib
from email.mime.text import MIMEText
# Crafting the email
msg = MIMEText("This is the body of the email")
msg['Subject'] = 'Spoofed Email'
msg['From'] = 'spoofed.sender@example.com'
msg['To'] = 'recipient@example.com'
# Sending the email via an open relay
smtp_server = 'open.relay.server.com'
smtp_port = 25
with smtplib.SMTP(smtp_server, smtp_port) as server:
server.sendmail(msg['From'], [msg['To']], msg.as_string())
via Frontend Transport
The statement about the term “via Frontend Transport” in header values refers to a specific configuration in Microsoft Exchange Server that could suggest a misconfiguration allowing email relaying without proper verification. Let’s break down the key elements of this explanation:
1. Frontend Transport in Exchange
In Microsoft Exchange Server, the Frontend Transport service is responsible for handling client connections and email traffic from the internet. It acts as a gateway, receiving emails from external sources and forwarding them to the internal network.
2. Email Relaying
Email relaying is the process of forwarding an email from one server to another, eventually delivering it to the final recipient. While this is a standard part of the SMTP protocol, it becomes problematic if a server is configured to relay emails without proper authentication or validation.
3. The Term “via Frontend Transport”
When email headers include the term “via Frontend Transport”, it indicates that the email passed through the Frontend Transport service of an Exchange server. This can be seen in the Received headers of the email, showing the path it took through various servers.
4. Suggestion of Blind Email Relaying
The concern arises when these headers suggest that Exchange is configured to relay emails without altering them or without proper checks. This could imply that:
The Exchange server is not adequately verifying the sender’s authenticity.
The server might be forwarding emails without checking if they come from trusted sources.
Such a configuration can be indicative of an open relay, where the server forwards any email it receives, which is highly vulnerable to abuse.
5. Abuses of Open Relays
Open relays are notorious for being exploited by spammers and malicious actors because they can be used to send large volumes of unsolicited emails while obscuring the true origin of the message. This makes it difficult to trace back to the actual sender and can cause the relay server’s IP address to be blacklisted.
Attackers Use a Genuine Microsoft Office 365 Account
The attackers have managed to send an email from a genuine Microsoft Office 365 account. This could be through compromising an account or using a trial account.
Email Branded as Disney
The email is branded as coming from Disney (disney.com). This branding could involve setting the “From” address to appear as if it’s from a Disney domain, which can trick recipients into believing the email is legitimate.
Gmail’s Handling of Outlook’s Servers
Gmail has robust mechanisms to handle high volumes of emails from trusted servers like Outlook’s (Microsoft’s email service). These servers are built to send millions of emails per hour, so Gmail will not block them due to rate limits.
SPF (Sender Policy Framework)
SPF is a protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. The attackers benefit from this because:
The email is sent through Microsoft’s official relay server, protection.outlook.com.Disney’s SPF record includes spf.protection.outlook.com, which means emails sent through this relay server are authorized by Disney’s domain.
.
Spoofed Headers
Spoofed headers involve altering the email headers to make the email appear as if it originated from a different source. In this scenario, the attackers have spoofed headers to make the email look like it’s from Disney.
SPF Check Passed
Since the email is sent via a server included in Disney’s SPF record (protection.outlook.com), it will pass the SPF check, making it seem legitimate to the recipient’s email server.
DKIM (DomainKeys Identified Mail)
DKIM is another email authentication method that allows the receiver to check if an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is done by verifying a digital signature added to the email.
Points of Concern
SPF Check Passed
The email passed the SPF check because it was sent through an authorized server (protection.outlook.com) included in Disney’s SPF record.
Spoofed Headers
The headers were manipulated to make the email appear as if it came from Disney, which can deceive recipients.
Gmail Handling
Gmail will trust and not rate-limit emails from Outlook’s servers, ensuring the email is delivered without being flagged as suspicious due to high sending volumes.
Potential for DKIM
To fully understand if the email can pass DKIM checks, we would need to know if the attackers can sign the email with a valid DKIM key. If they manage to:
DKIM Alignment
Ensure the DKIM signature aligns with the domain in the “From” header (disney.com).
Valid DKIM Signature
Use a valid DKIM signature from an authorized domain (which would be difficult unless they have compromised Disney’s signing keys or a legitimate sending infrastructure).
Proofpoint and similar services are email security solutions that offer various features to protect organizations from email-based threats, such as phishing, malware, and spam. They act as intermediaries between the sender and recipient, filtering and relaying emails. However, misconfigurations or overly permissive settings in these services can be exploited by attackers. Here’s an explanation of how these services work, their roles, and how they can be exploited:
Roles and Features of Proofpoint-like Services
Email Filtering and Protection
Spam and Phishing Detection: Filters out spam and phishing emails.
Malware Protection: Scans and blocks emails containing malware or malicious attachments.
Content Filtering: Enforces policies on email content, attachments, and links.
Email Relay and Delivery
Inbound and Outbound Filtering: Manages and filters both incoming and outgoing emails to ensure compliance and security.
Email Routing: Directs emails to the appropriate recipients within an organization.
DKIM Signing: Adds DKIM signatures to outgoing emails to authenticate them.
Authentication and Authorization
IP-Based Authentication: Uses IP addresses to authenticate incoming email servers.
SPF, DKIM, and DMARC Support: Implements these email authentication protocols to prevent spoofing.
How Misconfigurations Allow Exploitation
Permissive IP-Based Authentication
Generic Configuration: Proofpoint is often configured to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts.
IP Range Acceptance: Once a service like Office365 is enabled, Proofpoint accepts emails from any IP within the Office365 range, regardless of the specific account.
Exploitation StepsStep 1: Setting Up the Attack
Attacker’s Office365 Account: The attacker sets up or compromises an Office365 account.
Spoofing Email Headers: The attacker crafts an email with headers that mimic a legitimate sender, such as Disney.
Step 2: Leveraging Proofpoint Configuration
Sending Spoofed Emails: The attacker sends the spoofed email from their Office365 account.
Proofpoint Relay Acceptance: Proofpoint’s permissive configuration accepts the email based on the IP range, without verifying the specific account.
Step 3: Proofpoint Processing
DKIM Signing: Proofpoint processes the email, applying DKIM signatures and ensuring it passes SPF checks because it comes from an authorized IP range.
Email Delivery: The email is then delivered to the target’s inbox, appearing legitimate due to the DKIM signature and SPF alignment.
Example of a Permissive Configuration in Proofpoint
Admin Setup
Adding Hosted Services: Proofpoint allows administrators to add hosted email services (e.g., Office365) with a single-click configuration that relies on IP-based authentication.
No Specific Account Configuration
Generic Acceptance: The setup does not specify which particular accounts are authorized, leading to a scenario where any account within the IP range is accepted.
Exploitation of Misconfiguration
Blind Relay: Due to this broad acceptance, attackers can send emails through Proofpoint’s relay, which then processes and delivers them as if they were legitimate.
A recent attack exploited a misconfiguration in Proofpoint’s email routing, allowing millions of spoofed phishing emails to be sent from legitimate domains like Disney and IBM. The attackers used Microsoft 365 tenants to relay emails through Proofpoint, bypassing SPF and DKIM checks, which authenticate emails. This “EchoSpoofing” method capitalized on Proofpoint’s broad IP-based acceptance of Office365 emails. Proofpoint has since implemented stricter configurations to prevent such abuses, emphasizing the need for vigilant security practices.
A hacktivist entity known as USDoD has asserted that it has leaked CrowdStrike’s “entire threat actor list” and claims to possess the company’s “entire IOC [indicators of compromise] list,” which purportedly contains over 250 million data points.
Details of the Alleged Leak
On July 24, 2024, the USDoD group announced an English-language cybercrime forum, stating that they had obtained and leaked CrowdStrike’s comprehensive threat actor database.
The group provided a link to download the alleged list and shared sample data fields to substantiate their claims.
The leaked information reportedly includes:
Adversary aliases
Adversary status
The last active dates for each adversary
Region/Country of Adversary Origin
Number of targeted industries and countries
Actor type and motivation
Claim of the breach
The sample data contained “LastActive” dates up to June 2024, while the Falcon portal’s last active dates for some actors extend to July 2024, suggesting the potential timeframe of the data acquisition.
Cyber Press researchers stated that they were able to view some of the documents leaked.
Background on USDoD
USDoD has a history of exaggerating claims, likely to enhance its reputation within hacktivist and eCrime communities.
For example, they previously claimed to have conducted a hack-and-leak operation targeting a professional networking platform, which was later debunked by industry sources as mere web scraping.
Since 2020, USDoD has engaged in both hacktivism and financially motivated breaches, primarily using social engineering tactics.
In recent years, they have focused on high-profile targeted intrusion campaigns and have sought to expand their activities into administering eCrime forums.
USDoD also claimed to possess “two big databases from an oil company and a pharmacy industry (not from the USA).” However, the connection between these claims and the alleged CrowdStrike data acquisition remains unclear.
The potential leak of CrowdStrike’s threat actor database could have significant implications for cybersecurity:
Compromise of ongoing investigations
Exposure of tracking methods for malicious actors
Potential advantage for cybercriminals in evading detection
This story unfolds following a CrowdStrike update that caused Windows machines to experience the Blue Screen of Death (BSOD) error.
CrowdStrike’s Response
CrowdStrike, a leading cybersecurity firm known for its threat intelligence and incident response services, has responded to the claims. The company stated:
“The threat intel data noted in this report is available to tens of thousands of customers, partners, and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”
While USDoD has been involved in legitimate breaches, its credibility in this specific case is questionable.
Their history of exaggeration, the inconsistencies in the leaked data, and CrowdStrike’s response all cast doubt on the authenticity and severity of the claimed leak.
The Regional Transportation Commission of Southern Nevada, which includes Las Vegas, will be the first transit system in the U.S. to implement system-wide AI weapons scans.
Transit systems nationwide are grappling with ways to reduce violence.
AI-linked cameras and acoustic technology are seen as viable options to better respond to mass shootings in public places across the U.S., according to law enforcement and public safety teams, though both approaches have downsides.
A sign promoting safety is seen on the Regional Transportation Commission 109 Maryland Parkway bus in Las Vegas Thursday, June 8, 2023. Las Vegas Review-journal | Tribune News Service | Getty Images
On your next visit to Vegas, an extra set of eyes will be watching you if you decide to hop onto the local transit system.
As part of a $33 million multi-year upgrade to fortify its security, the Regional Transportation Commission of Southern Nevada is set to add a system-wide AI from gun detection software vendor ZeroEyes that scans riders on its over 400 buses in an attempt to identify anyone brandishing a firearm.
Tom Atteberry, RTC’s director of safety and security operations, said that seconds matter in a situation where an active shooting unfolds, and implementing the system could give authorities an edge. “Time is of the essence; it gives us time to identify a firearm being brandished, so they can be notified and get to the scene and save lives,” he said.
Monitoring and preventing mass shooting is one that public places across the country grapple with daily. Violent crime on transit systems, specifically, remains an issue in major metro areas, with a report released in late 2023 by the Department of Transportation detailing concerns from transit agency officials around the U.S. about rising violence on their transit systems. According to a database maintained by the Bureau of Transportation Statistics, assaults on transit systems have spiked, and there has been a rise in public fears about transportation safety.
As an Applied Cryptographer, you will research about various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub), testing, and a familiarity with algorithms and data structures.
As a Cloud Security Specialist, you will design, implement, and manage Azure and Microsoft 365 security solutions. Monitor security alerts, lead incident response, and conduct regular assessments. Ensure compliance with ISO 27001, SOC2 Type II and NIST standards.
As a CISO, you will develop and implement comprehensive cybersecurity policies and procedures. Ensure compliance with relevant regulations and standards (e.g., GDPR, ISO 27001). Conduct risk assessments and develop mitigation strategies. Advise on security best practices and emerging threats. Collaborate with clients to enhance their security posture.
Cyber Range Lead
Booz Allen Hamilton | Japan | On-site – No longer accepting applications
As a Cyber Range Lead, you will lead a team of professionals as they use cyberspace capabilities to evaluate potential weaknesses as well as the effectiveness of mitigations for cyber security solutions. You will leverage cyberspace operations systems to aggregate threat feeds that inform briefings for senior leadership aligned to our client’s mission area.
As a Cybersecurity Technical Consultant, you will provide onsite or remote consulting services and support to Thales customer with a focus on high quality, accuracy and customer satisfaction. Develop and deliver technical hands-on product deep knowledge transfer to customers. Track and ensure successful completion of high impact projects by creating project scoping plans, design guides and relevant documentation.
As a Cyber Security Advisor, you will conduct security assessment of in-house developed and/or by third-party provided solutions in order to ensure that they are in compliance with H&M’s security standards. Conduct security maturity and risk assessment for internal and external partners.
As a Cyber Security Engineer, you will develop and implement cyber security policies, procedures, and controls to protect the company’s digital assets. Conduct Pen-tests, monitor network traffic and security alerts to detect and respond to potential security breaches. Perform vulnerability assessments and penetration testing to identify and remediate security vulnerabilities. Conduct regular audits of security systems and processes to ensure compliance with industry standards and regulations.
As a Cyber Security Governance Risk & Compliance Manager, you will develop, implement, and maintain a robust IT governance, risk, and compliance framework in line with industry best practices and regulatory requirements. Drive risk maturity through project lifecycle and provide independent assessments, challenge inherent risks in material changes e.g., business decisions, projects, process changes, implementation of new systems, applications, and infrastructure.
As a Cyber Security Instructor, you will create dynamic classroom learning experiences using various teaching strategies to facilitate adult learners in achieving learning objectives in accordance with the program objectives as set out in the curriculum. Ensure students are motivated to learn and to maximize their potential. Develop different classroom strategies to ensure knowledge and skills acquisition and retention.
As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Conduct in-depth investigations of cybersecurity incidents, identifying the root cause, the extent of the impact, and recommended actions for containment, eradication, and recovery, and providing a final report that contains recommendations on how to prevent the same attack in the future by strengthening security posture.
Director of Information Security, Cyber Risk and Compliance
S&P Global | Italy | On-site – No longer accepting applications
As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Make recommendations related to balancing requirements and deadlines made by corporate departments with human resource and technical capabilities that exist in Market Intelligence. Negotiate differences to find and implement solutions acceptable to both corporate groups and Market Intelligence.
As Head of Identity Management Platform, you will leverage your strong background in Identity and Privileged Access Management, expertise in IT technologies, and in-depth knowledge of IT security to organize and lead complex projects, manage third-party teams, and oversee platform lifecycle activities such as upgrades and integrations.
As a Head of Consulting, you will lead, mentor, and develop a team of cybersecurity consultants, fostering a culture of excellence and continuous improvement. Define and implement the consultancy department’s strategy in alignment with the company’s goals, ensuring the delivery of innovative and effective cybersecurity solutions. Ensure that all consultancy activities adhere to industry standards, regulatory requirements, and best practices, mitigating risks to both clients and the company.
As a Head of Security CU TH, you will facilitate execution of and follow up on security strategy, policies & instructions, governance model and frameworks. Support the business in implementation and maintenance of ISO 27001 controls across the CU as per the MA scope and Ericsson Global ISO 27001 control framework. Manage local security incidents and support investigations.
As an IT Program Manager, you will develop, implement, and manage cybersecurity programs in alignment with the organization’s strategic objectives. Oversee the security projects related to enterprise applications, with a focus on safeguarding sensitive data and ensuring compliance with regulatory standards. Facilitate regular security assessments and audits to identify vulnerabilities and implement corrective actions.
As a Penetration Tester, you will manage penetration tests from inception through delivery. Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks. Leverage complex tactics including, but not limited to, lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.
As a Principal Data Security Specialist, you will focus on delivering technical and procedural guidance to assist customers in defining the platform requirement though to realisation of the subscription value. Research and evaluate emerging solutions and services to drive continuous improvement.
As a Senior Architect – Cyber Security, you will develop and implement security architecture solutions to secure the organization’s IT infrastructure. Design and review security policies, standards, and procedures. Conduct security assessments and risk analysis to identify vulnerabilities and recommend mitigation strategies. Lead security projects and collaborate with cross-functional teams to integrate security measures.
Senior CyberSecurity Architect
Hexagon Geosystems | European Economic Area | Remote – View job details
As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. Lead in performing threat modeling, security architecture review, and risk assessments of new and existing technical solutions.
As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive. Manage and assist in the development in implementation of the information security policies, procedures, and guidelines. Provide guidance and counsel to the C-Level, the senior management team, and staff about information security and its alignment with business objectives and risk management.
As a Technology & Cyber Risk: Senior Officer – Cybersecurity Risk, you will review and evaluate compliance and cyber policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from cyber risks. Assess cyber risks and evaluates actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices. Support independent assurance activities to assess areas of concern including substantive and controls testing.
As a Vulnerability Manager, you will be responsible for identifying, assessing, prioritizing, and managing vulnerabilities across our systems and networks. Conduct regular vulnerability assessments and penetration tests across our systems, applications, and networks.
By now, most people are aware of – or have been personally affected by – the largest IT outage the world have ever witnessed, courtesy of a defective update for Crowdstrike Falcon Sensors that threw Windows hosts into a blue-screen-of-death (BSOD) loop.
“We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” David Weston, Microsoft’s VP of Enterprise and OS Security, stated on Saturday.
CrowdStrike claimed earlier today that “a significant number” of affected systems are back online and operational.
“Together with customers, we tested a new technique to accelerate impacted system remediation. We’re in the process of operationalizing an opt-in to this technique,” they noted on their remediation and guidance hub. “Customers are encouraged to follow the Tech Alerts for latest updates as they happen and they will be notified when action is needed.”
Microsoft collaborates with Crowdstrike, provides recovery tool
Microsoft is, understandably, doing everything it can to speed up worldwide recovery from the issue, has deployed hundreds of Microsoft engineers and experts to work with customers to restore services, and is collaborating with CrowdStrike.
“CrowdStrike has helped us develop a scalable solution that will help Microsoft’s Azure infrastructure accelerate a fix for CrowdStrike’s faulty update. We have also worked with both AWS and GCP to collaborate on the most effective approaches,” Weston explained.
Microsoft has also released a recovery tool that can be downloaded and used by IT admins to make the repair process less time-consuming.
The tool provides two repair options.
The first one – Recover from WinPE (Preinstallation Environment) – does not require local admin privileges, but requires the person to manually enter the BitLocker recovery key (if BitLocker is used on the device).
The second one – Recover from safe mode – may allow recovery without entering the BitLocker recovery keys.
“For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown,” the Intune Support Team noted.
They also included detailed recovery steps for Windows clients, servers, and OSes hosted on Hyper-V.
Microsoft has previously confirmed that the buggy CrowdStrike update affected Windows 365 Cloud PCs and that users “may restore their Windows 365 Cloud PC to a known good state prior to the release of the update (July 19, 2024)”. The company has also provided guidance for restoring affected Azure virtual machines.
Cloud security company Orca has released a script that automates the remediation of Windows virtual machines hosted on AWS.
Threat actor exploiting the situation
As expected, scammers and threat actors have immediately started taking advantage of the chaos that resulted from the faulty update.
Trend Micro researchers provided examples of tech support scams doing the rounds, and even legal scams.
A tech support scam exploiting the situation (Source: Trend Micro)
Phishers and vishers impersonating CrowdStrike support and contacting customers
Scammers posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
“CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels,” the company said.
UPDATE (July 23, 2024, 05:15 a.m. ET):
CrowdStrike has provided a way for remediating affected systems more quickly. Customers must opt in to use the technique via the support portal. (A Reddit user has explained the process involved.)
The company has also released a video explaining how users can self-remediate affected remote Windows laptops.
Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.
Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.
The SEG Versus SEG Threat
The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.
“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”
In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.
In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.
“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”
A Substantial Increase
Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.
According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.
Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.
Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”
Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”
Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”
