Aug 23 2024

Chrome Zero-day Vulnerability Actively Exploited in the Wild

Category: Web Security, Zero day | disc7 @ 12:41 pm
https://gbhackers.com/chrome-zero-day-vulnerability-2/

Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.

This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac, addresses a critical zero-day vulnerability actively exploited in the wild.

The update includes 38 security fixes, with particular attention to those contributed by external researchers.

Details of the Zero-Day Vulnerability

The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.

The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.

While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.

The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.

This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.

In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.

Below is a table summarizing the key vulnerabilities addressed in this update:

Bounty  | CVE ID        | Severity | Description                                       | Reported On
$36,000 | CVE-2024-7964 | High     | Use after free in Passwords                       | 2024-08-08
$11,000 | CVE-2024-7965 | High     | Inappropriate implementation in V8                | 2024-07-30
$10,000 | CVE-2024-7966 | High     | Inappropriate Implementation in Permissions       | 2024-07-25
$7,000  | CVE-2024-7967 | High     | Heap buffer overflow in Fonts                     | 2024-07-27
$1,000  | CVE-2024-7968 | High     | Use after free in Autofill                        | 2024-06-25
TBD     | CVE-2024-7969 | High     | Type Confusion in V8                              | 2024-07-09
TBD     | CVE-2024-7971 | High     | Type confusion in V8                              | 2024-08-19
$11,000 | CVE-2024-7972 | Medium   | Inappropriate implementation in V8                | 2024-06-10
$7,000  | CVE-2024-7973 | Medium   | Heap buffer overflow in PDFium                    | 2024-06-06
$3,000  | CVE-2024-7974 | Medium   | Insufficient data validation in V8 API            | 2024-05-07
$3,000  | CVE-2024-7975 | Medium   | Insufficient data validation in the Installer     | 2024-06-16
$2,000  | CVE-2024-7976 | Medium   | Inappropriate implementation in FedCM             | 2024-05-10
$1,000  | CVE-2024-7977 | Medium   | Insufficient Policy Enforcement in Data Transfer  | 2024-02-11
$1,000  | CVE-2024-7978 | Medium   | Insufficient data validation in the Installer     | 2022-07-21
TBD     | CVE-2024-7979 | Medium   | Insufficient data validation in the Installer     | 2024-07-29
TBD     | CVE-2024-7980 | Medium   | Inappropriate Implementation in Views             | 2024-07-30
$1,000  | CVE-2024-7981 | Low      | Inappropriate Implementation in WebApp Installs   | 2023-07-14
$500    | CVE-2024-8033 | Low      | Inappropriate implementation in WebApp Installs   | 2024-06-30
$500    | CVE-2024-8034 | Low      | Inappropriate implementation in Custom Tabs       | 2024-07-18
TBD     | CVE-2024-8035 | Low      | Inappropriate implementation in Extensions        | 2022-04-26

The Chrome team is committed to ensuring user safety and has expressed gratitude to the security researchers who contributed to these fixes.

Users are strongly encouraged to update their browsers to the latest version to protect against these vulnerabilities.

Google also plans to release more information about new features and major efforts in upcoming blog posts for Chrome and Chromium.

As cyber threats evolve, timely updates and collaboration with the security community remain crucial in safeguarding users worldwide.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Zero Day: Expose Software Vulnerabilities And Eliminate Bugs

Tags: Chrome zero-day


Aug 19 2024

Azure Kubernetes Services Vulnerability Let Attackers Escalate Privileges

Category: Least Privilege, Security vulnerabilities | disc7 @ 9:34 pm

The configuration contained transport layer security (TLS) bootstrap tokens that the attacker could extract and use to perform a TLS bootstrap attack. This would grant the attacker the ability to read all secrets within the cluster.

Notably, the attack did not require the compromised Pod to be running with hostNetwork enabled or as the root user. This significantly expanded the attack surface.

The attack involved accessing the undocumented Azure WireServer component at http://168.63.129.16/machine/?comp=goalstate and the HostGAPlugin endpoint at http://168.63.129.16:32526/vmSettings.

The attacker could retrieve a key from the WireServer to decrypt protected settings values. They could then request the JSON document from HostGAPlugin, parse it, and Base64 decode it to obtain the encrypted provisioning script (protected_settings.bin).

Using the WireServer key, the attacker could decrypt protected_settings.bin to access the cluster’s provisioning script (cse_cmd.sh). This script contained several secrets as environment variables, including:

  • KUBELET_CLIENT_CONTENT – Generic Node TLS Key
  • KUBELET_CLIENT_CERT_CONTENT – Generic Node TLS Certificate
  • KUBELET_CA_CRT – Kubernetes CA Certificate
  • TLS_BOOTSTRAP_TOKEN – TLS Bootstrap Authentication Token

Exploiting the Vulnerability


Tags: Azure Kubernetes


Aug 15 2024

Education in Secure Software Development

Category: DevSecOps | disc7 @ 7:54 am

The Linux Foundation and OpenSSF released a report on the state of education in secure software development.

…many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment (system operations, software developers, committers, and maintainers) self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.

Designing Secure Software: A Guide for Developers


Tags: security education, software


Aug 13 2024

How CIOs, CTOs, and CISOs view cyber risks differently

Category: CISO, vCISO | disc7 @ 9:30 am

The report analyzes the dynamics among C-suite executives to better understand issues that prevent risk reduction, stall or complicate compliance, and create barriers to cyber resilience.

CISOs pressured with AI, cybersecurity risk tradeoffs, and budget

While CISOs are often responsible for technology implementation, they are not getting the support they need at a strategic level. Researchers found that 73% of CISOs expressed concern over cybersecurity becoming unwieldy, requiring risk-laden tradeoffs, compared to only 58% of both CIOs and CTOs.

Additionally, 73% of CISOs feel more pressure to implement AI strategies versus just 58% of CIOs and CTOs. These pressures pair with the fact that 66% of CISOs believe reactive budgets cause a lack of proactive cybersecurity measures, compared to 55% of CIOs and 53% of CTOs feeling the same way.

C-suite alignment could clarify cybersecurity priorities

Effective cybersecurity strategies require top-down leadership and alignment with the perspectives of non-C-suite professionals directly involved in technology development, security implementation, and operational support.

CISOs expressed more concern about cybersecurity’s operational and strategic challenges. The missing component is alignment among the different interests represented by the other roles: CTOs were concerned with the impact of compliance on innovation and competitiveness, aligning with their focus on technology development. Conversely, CIOs balance broader strategic perspectives, encompassing risk management, compliance, and adopting new technologies.

Based on roles, it is not surprising most CIOs (92%) are more inclined to embrace uncertainty concerning cyber threats, compared to 81% of CTOs and 75% of CISOs. These differences in tolerance are important to discuss when creating a cybersecurity strategy that considers business priorities.

“Understanding the C-suite’s business priorities is critical for shaping effective cybersecurity strategies,” said Theresa Lanowitz, Chief Evangelist of LevelBlue. “Identifying how these essential roles look at the business helps to ensure alignment among CIOs, CTOs, and CISOs, as well as the teams that report into them. It’s a key first step towards bolstering cyber defenses, especially with the CEO and Board support.”

External pressures

CTOs view compliance as an obstacle to innovation. 73% of CTOs (compared to 55% CIOs and 61% CISOs) are concerned about regulations hindering competitiveness and are more likely to perceive compliance as an obstacle to innovation. In contrast, CIOs and CISOs view compliance as an integral component of risk management and operational stability, essential for maintaining a secure and reliable organizational environment.

The supply chain has hidden risks, and the importance of those risks varies. Nearly three in four CIOs (74%) and CISOs (73%) find it challenging to assess the cybersecurity risk from their supply chain, compared to only 64% of CTOs. This suggests that CIOs and CISOs are more involved in evaluating external risks and dependencies, while CTOs focus more on internal technology infrastructure.

C-Suite alignment on cloud computing supports cybersecurity resilience. There was little difference in the perception of cloud computing’s ability to provide cybersecurity resilience among CIOs, CTOs, and CISOs, with 83%, 82%, and 80%, respectively, acknowledging its benefits. This consensus indicates a shared recognition among these executive roles of cloud solutions’ value in enhancing cybersecurity.

The Business-Minded CISO: Run Your Security Program Efficiently

In what situations would a vCISO Service be appropriate?


Tags: CIOs, CISOs, CTOs


Aug 08 2024

STAC6451 Hacker Hijacking Microsoft SQL Servers to Compromise Organizations

Category: data security, Hacking | disc7 @ 1:24 pm

A sophisticated threat activity cluster, STAC6451, has been identified targeting Microsoft SQL servers.

This cluster, primarily observed by Sophos Managed Detection and Response (MDR) teams, has compromised organizations by exploiting SQL server vulnerabilities.

The attackers have been using a combination of brute-force attacks, command execution, and lateral movement techniques to infiltrate and compromise networks.

This article delves into the intricate details of the STAC6451 attacks, the techniques employed, and the implications for organizations worldwide.

For details: STAC6451 Hacker Hijacking Microsoft SQL Servers to Compromise Organizations


Tags: Microsoft SQL Servers


Aug 07 2024

Five Techniques for Bypassing Microsoft SmartScreen and Smart App Control (SAC) to Run Malware in Windows

Category: Malware, Windows Security | disc7 @ 11:41 am

Microsoft SmartScreen

Overview: Microsoft SmartScreen is a cloud-based anti-phishing and anti-malware component that comes integrated with various Microsoft products like Microsoft Edge, Internet Explorer, and Windows. It is designed to protect users from malicious websites and downloads.

Key Features:

  1. URL Reputation:
    • SmartScreen checks the URL of websites against a list of known malicious sites stored on Microsoft’s servers. If the URL matches one on the list, the user is warned or blocked from accessing the site.
  2. Application Reputation:
    • When a user downloads an application, SmartScreen checks its reputation based on data collected from other users who have downloaded and installed the same application. If the app is deemed suspicious, the user is warned before proceeding with the installation.
  3. Phishing Protection:
    • SmartScreen analyzes web pages for signs of phishing and alerts the user if a site appears to be trying to steal personal information.
  4. Malware Protection:
    • The system can identify and block potentially malicious software from running on the user’s device.
  5. Integration with Windows Defender:
    • SmartScreen works in conjunction with Windows Defender to provide a layered security approach, ensuring comprehensive protection against threats.

How it Works:

  • URL and App Checks:
    • When a user attempts to visit a website or download an application, SmartScreen sends a request to the SmartScreen service with the URL or app details.
    • The service checks the details against its database and returns a verdict to the user’s device.
    • Based on the verdict, the browser or operating system either allows, blocks, or warns the user about potential risks.
  • Telemetry and Feedback:
    • SmartScreen collects telemetry data from users’ interactions with websites and applications, which helps improve the accuracy of its threat detection algorithms over time.

Smart App Control (SAC)

Overview: Smart App Control (SAC) is a security feature in Windows designed to prevent malicious or potentially unwanted applications from running on the system. It is an evolution of the earlier Windows Defender Application Control (WDAC) and provides advanced protection by utilizing cloud-based intelligence and machine learning.

Key Features:

  1. Predictive Protection:
    • SAC uses machine learning models trained on a vast amount of data to predict whether an application is safe to run. It blocks apps that are determined to be risky or have no known good reputation.
  2. Cloud-Based Intelligence:
    • SAC leverages Microsoft’s cloud infrastructure to continuously update its models and threat intelligence, ensuring that protection is always up-to-date.
  3. Zero Trust Model:
    • By default, SAC assumes that all applications are untrusted until proven otherwise, aligning with the zero trust security model.
  4. Seamless User Experience:
    • SAC operates silently in the background, allowing trusted apps to run without interruptions while blocking potentially harmful ones. Users receive clear notifications and guidance when an app is blocked.
  5. Policy Enforcement:
    • Administrators can define policies to control app execution on enterprise devices, ensuring compliance with organizational security standards.

How it Works:

  • App Analysis:
    • When an app attempts to run, SAC sends its metadata to the cloud for analysis.
    • The cloud service evaluates the app against its machine learning models and threat intelligence to determine its risk level.
  • Decision Making:
    • If the app is deemed safe, it is allowed to run.
    • If the app is determined to be risky or unknown, it is blocked, and the user is notified with an option to override the block if they have sufficient permissions.
  • Policy Application:
    • SAC policies can be customized and enforced across an organization to ensure consistent security measures on all managed devices.

Integration with Windows Security:

  • SAC is integrated with other Windows security features like Microsoft Defender Antivirus, providing a comprehensive defense strategy against a wide range of threats.

Despite the robust protections offered by Microsoft SmartScreen and Smart App Control (SAC), attackers can sometimes bypass these features through several sophisticated techniques.

1. Signed Malware Bypassing Microsoft SmartScreen and SAC

1. Valid Digital Signatures:

  • Stolen Certificates: Cybercriminals can steal valid digital certificates from legitimate software developers. By signing their malware with these stolen certificates, the malware can appear trustworthy to security features like SmartScreen and SAC.
  • Bought Certificates: Attackers can purchase certificates from Certificate Authorities (CAs) that might not perform thorough background checks. These certificates can then be used to sign malware.

2. Compromised Certificate Authorities:

  • If a Certificate Authority (CA) is compromised, attackers can issue valid certificates for their malware. Even if the malware is signed by a seemingly reputable CA, it can still be malicious.

3. Certificate Spoofing:

  • Advanced attackers may use sophisticated techniques to spoof digital certificates, making their malware appear as if it is signed by a legitimate source. This can deceive security features into trusting the malware.

4. Timing Attacks:

  • Some malware authors time their attacks to take advantage of the period between when a certificate is issued and when it is revoked or added to a blacklist. During this window, signed malware can bypass security checks.

5. Use of Legitimate Software Components:

  • Attackers can incorporate legitimate software components into their malware. By embedding malicious code within a signed, legitimate application, the entire package can be trusted by security features.

6. Multi-Stage Attacks:

  • Initial stages of the malware may appear harmless and thus be signed and trusted. Once the initial stage is executed and trusted by the system, it can download and execute the actual malicious payload.

7. Social Engineering:

  • Users may be tricked into overriding security warnings. For example, if SmartScreen or SAC blocks an application, an attacker might use social engineering tactics to convince the user to manually bypass the block.

2. How Reputation Hijacking Bypasses Microsoft SmartScreen and SAC

  1. Compromised Legitimate Websites:
    • Method: Attackers compromise a legitimate website that has a strong reputation and inject malicious content or host malware on it.
    • Bypass Mechanism: Since SmartScreen relies on the reputation of websites to determine if they are safe, a website with a previously good reputation may not trigger alerts even if it starts serving malicious content. Users are not warned because the site’s reputation was established before the compromise.
  2. Trusted Domains and Certificates:
    • Method: Attackers use domains with valid SSL certificates issued by trusted Certificate Authorities (CAs) to host malicious content.
    • Bypass Mechanism: SmartScreen and SAC check for valid certificates as part of their security protocols. A valid certificate from a trusted CA makes the malicious site appear legitimate, thus bypassing the security checks that would flag a site with an invalid or self-signed certificate.
  3. Embedding Malware in Legitimate Software:
    • Method: Attackers inject malicious code into legitimate software or its updates.
    • Bypass Mechanism: If the legitimate software has a good reputation and is signed with a valid certificate, SmartScreen and SAC are less likely to flag it. When users update the software, the malicious payload is delivered without triggering security warnings because the update appears to be from a trusted source.
  4. Phishing with Spoofed Emails:
    • Method: Attackers send phishing emails that appear to come from trusted sources, often using spoofed email addresses.
    • Bypass Mechanism: Users are more likely to trust and open emails from familiar and reputable sources. SmartScreen may not always catch these emails, especially if they come from legitimate domains that have been spoofed, leading users to malicious websites or downloads.
  5. Domain and Subdomain Takeover:
    • Method: Attackers take over expired or unused domains and subdomains of reputable sites.
    • Bypass Mechanism: Since the domain or subdomain was previously associated with a legitimate entity, SmartScreen and SAC may continue to trust it based on its historical reputation. This allows attackers to serve malicious content from these domains without raising security flags.
  6. Social Engineering Attacks:
    • Method: Attackers trick users into overriding security warnings by posing as legitimate sources or using persuasive tactics.
    • Bypass Mechanism: Even if SmartScreen or SAC warns users, skilled social engineering can convince them to bypass these warnings. Users might disable security features or proceed despite warnings if they believe the source is trustworthy.

3. How Reputation Seeding Bypasses Microsoft SmartScreen and SAC

Reputation seeding is a tactic where attackers build a positive reputation for malicious domains, software, or email accounts over time before launching an attack. This can effectively bypass security measures like Microsoft SmartScreen and Smart App Control (SAC) because these systems often rely on reputation scores to determine the trustworthiness of an entity. Here’s how reputation seeding works and strategies to mitigate it:

How Reputation Seeding Works

  1. Initial Clean Activity:
    • Method: Attackers initially use their domains, software, or email accounts for legitimate activities. This involves hosting benign content, sending non-malicious emails, or distributing software that performs as advertised without any harmful behavior.
    • Bypass Mechanism: During this period, SmartScreen and SAC observe and record these entities as safe and build a positive reputation for them. Users interacting with these entities during the seeding phase do not encounter any security warnings.
  2. Gradual Introduction of Malicious Content:
    • Method: Over time, attackers start to introduce malicious content slowly. This might involve adding malware to software updates, injecting harmful code into websites, or sending phishing emails from trusted accounts.
    • Bypass Mechanism: Because the entities have already established a positive reputation, initial malicious activities may not be immediately flagged by SmartScreen or SAC, allowing the attackers to reach their targets.
  3. Leveraging Established Trust:
    • Method: Once a strong reputation is established, attackers conduct large-scale malicious campaigns. They leverage the trust built over time to bypass security checks and deceive users.
    • Bypass Mechanism: The established positive reputation causes security systems to consider these entities as low-risk, allowing malware or phishing attempts to bypass filters and reach users without triggering alarms.

Typical Timeframes for Reputation Seeding

  1. Websites:
    • Short-Term (Weeks): Initial establishment of a website with benign content and basic user interactions.
    • Medium-Term (Months): Gaining backlinks, increasing traffic, and more extensive content creation.
    • Long-Term (6+ Months): Strong reputation with significant traffic, positive user interactions, and established trust.
  2. Software:
    • Short-Term (Weeks): Initial distribution and passing basic security checks.
    • Medium-Term (Months): Accumulating downloads, positive user reviews, and routine updates.
    • Long-Term (6+ Months): Strong reputation with widespread usage and consistently positive feedback.
  3. Email Accounts:
    • Short-Term (Weeks): Initial legitimate emails and normal interactions.
    • Medium-Term (1-2 Months): Building trust through regular, benign communication.
    • Long-Term (3+ Months): Established trust with consistent, non-malicious activity.

4. How Reputation Tampering Bypasses Microsoft SmartScreen and SAC

Reputation tampering, particularly in the context of Smart App Control (SAC), can exploit the way SAC assesses and maintains the reputation of files. Given that SAC might use fuzzy hashing, feature-based similarity comparisons, and machine learning models to evaluate file reputation, attackers can manipulate certain segments of a file without changing its perceived reputation. Here’s a deeper dive into how this works and the potential implications:

How Reputation Tampering Works in SAC

  1. Fuzzy Hashing:
    • Method: Unlike traditional cryptographic hashing, which changes completely with any alteration to the file, fuzzy hashing allows for minor changes without drastically altering the hash value. This means that files with small modifications can still be considered similar to the original.
    • Attack: Attackers modify segments of the file that do not significantly affect the fuzzy hash value, allowing the file to retain its reputation.
  2. Feature-Based Similarity Comparisons:
    • Method: SAC may use feature-based similarity comparisons to evaluate files. These features could include metadata, structural attributes, or specific code patterns that are consistent with known good files.
    • Attack: By understanding which features are used and ensuring that these remain unchanged while modifying other parts of the file, attackers can maintain the file’s good reputation.
  3. Machine Learning Models:
    • Method: Machine learning models in the cloud may analyze files based on patterns learned from a large dataset of known good and bad files. These models might use a variety of indicators beyond simple hashes.
    • Attack: Through trial and error, attackers identify which code sections can be altered without changing the overall pattern recognized by the ML model as benign. They can then inject malicious code into these sections.

5. How LNK stomping Bypasses Microsoft SmartScreen and SAC

LNK stomping is a technique where attackers modify LNK (shortcut) files to execute malicious code while appearing legitimate to users and security systems. By leveraging the flexibility and capabilities of LNK files, attackers can disguise their malicious intentions and bypass security features such as Microsoft SmartScreen and Smart App Control (SAC). Here’s how LNK stomping works and how it can bypass these security features:

How LNK Stomping Works

  1. Creating a Malicious LNK File:
    • Method: Attackers create an LNK file that points to a legitimate executable or document but includes additional commands or scripts that execute malicious code.
    • Example: An LNK file might appear to open a PDF document, but in reality, it executes a PowerShell script that downloads and runs malware.
  2. Modifying Existing LNK Files:
    • Method: Attackers modify existing LNK files on a target system to include malicious commands while retaining their original appearance and functionality.
    • Example: An LNK file for a commonly used application (e.g., a web browser) is modified to first execute a malicious script before launching the application.
  3. Embedding Malicious Code:
    • Method: Attackers embed malicious code directly within the LNK file, taking advantage of the file’s structure and features.
    • Example: An LNK file might contain embedded shell commands that execute when the shortcut is opened.

Understanding the MotW Bypass via LNK File Manipulation

The Mark of the Web (MotW) is a critical security feature used to flag files downloaded from the internet, making them subject to additional scrutiny by antivirus (AV) and endpoint detection and response (EDR) systems, including Microsoft SmartScreen and Smart App Control (SAC). However, certain techniques can bypass this feature, allowing potentially malicious files to evade detection. Here, we’ll explore how manipulating LNK (shortcut) files can bypass MotW checks.

Manually Creating an LNK File with a Non-Standard Target Path

  1. Locate the PowerShell Script:
    • Ensure you have the path to the PowerShell script, for example, C:\Scripts\MyScript.ps1.
  2. Create the Shortcut:
    • Right-click on the desktop or in the folder where you want to create the shortcut.
    • Select New > Shortcut.
  3. Enter the Target Path:
    • In the “Type the location of the item” field, enter the following command with a non-standard path:
    • powershell.exe -File "C:\Scripts\MyScript.ps1."
    • Notice the extra dot at the end of the script path.
  4. Name the Shortcut:
    • Enter a name for your shortcut (e.g., Run MyScript Non-Standard).
    • Click Finish.
  5. Verify the Target Path:
    • Right-click the newly created shortcut and select Properties.
    • In the Target field, you should see:
    • powershell.exe -File "C:\Scripts\MyScript.ps1."
    • Click OK to save the changes.

By following these steps, you can create an LNK file that points to a PowerShell script with a non-standard target path. This can be used for testing how such files interact with security features like SmartScreen and Smart App Control.

Manually Creating an LNK File with a Relative Path

  1. Locate the PowerShell Script:
    • Ensure you have the relative path to the PowerShell script within its directory structure, for example, .\Scripts\MyScript.ps1.
  2. Create the Shortcut:
    • Right-click on the desktop or in the folder where you want to create the shortcut.
    • Select New > Shortcut.
  3. Enter the Target Path:
    • In the “Type the location of the item” field, enter the following command with a relative path:
    • powershell.exe -File ".\Scripts\MyScript.ps1"
    • Click Next.
  4. Name the Shortcut:
    • Enter a name for your shortcut (e.g., Run MyScript Relative).
    • Click Finish.
  5. Verify the Target Path:
    • Right-click the newly created shortcut and select Properties.
    • In the Target field, you should see:
    • powershell.exe -File ".\Scripts\MyScript.ps1"
    • Click OK to save the changes.

Manually Creating an LNK File with a multi-level path

To create an LNK file with a multi-level path in the target path array, we need to manipulate the internal structure of the LNK file to contain a non-standard target path. This involves using a utility or script that can handle the creation and modification of LNK files with detailed control over their internal structure.

Here’s a step-by-step guide to creating such an LNK file using PowerShell and pylnk3, a Python-based library for handling LNK files. For this example, you will need Python installed along with the pylnk3 library.

Step-by-Step Guide

Prerequisites

  1. Install Python:
    • If you don’t have Python installed, download and install it from the official website: Python.org.
  2. Install pylnk3 Library:
    • Open a command prompt or terminal and run the following command to install pylnk3: pip install pylnk3

Creating a Multi-Level Path LNK File

Create a Python Script to Generate the LNK File:

  • Create a Python script (e.g., create_lnk.py) with the following content:
import lnk

# Define the path for the new shortcut
shortcut_path = "C:\\Users\\Public\\Desktop\\MyScriptShortcutMultiLevel.lnk"

# Create a new LNK file
lnk_file = lnk.lnk_file()

# Set the target path with multi-level path entries
lnk_file.add_target_path_entry("..\\..\\Scripts\\MyScript.ps1")

# Set the arguments for the target executable
lnk_file.command_line_arguments = "-File .\\Scripts\\MyScript.ps1"

# Save the LNK file
with open(shortcut_path, "wb") as f:
    lnk_file.write(f)

print(f"Shortcut created at: {shortcut_path}")

Run the Python Script:

  • Open a command prompt or terminal and navigate to the directory where your Python script is located.
  • Run the script using the following command: python create_lnk.py

Explanation

  • lnk.lnk_file(): Creates a new LNK file object.
  • add_target_path_entry: Adds entries to the target path array. Here, we use a relative path (..\\..\\Scripts\\MyScript.ps1) to simulate a multi-level path.
  • command_line_arguments: Sets the arguments passed to the target executable. In this case, we pass -File .\Scripts\MyScript.ps1.
  • write: Saves the LNK file to the specified path.

Additional Notes

  • Relative Paths: The use of relative paths (..\\..\\) in the target path entries allows us to create a multi-level path structure within the LNK file.
  • Non-Standard Structures: By manipulating the internal structure of the LNK file, we can craft paths that might bypass certain security checks.

Running the LNK File

After creating the LNK file, you can test its behavior by double-clicking it. The crafted LNK file should follow the relative path and execute the target PowerShell script, demonstrating how non-standard paths can be used within an LNK file.

The article “Dismantling Smart App Control” by Elastic Security Labs explores the vulnerabilities and bypass techniques of Windows Smart App Control (SAC) and SmartScreen. For more details, you can read the full article here.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Bypassing Microsoft SmartScreen and Smart App Control (SAC)


Aug 01 2024

Why CISOs face greater personal liability

Category: CISO,vCISOdisc7 @ 10:58 am
What key factors have contributed to increased personal liability risks for CISOs?

The role of the CISO has evolved significantly over the past year. The notable shift toward increased personal liability is largely the result of three factors:

First, organizations are at greater cybersecurity risk than ever. Attackers and their wares are growing more advanced by the day. At the same time, for all their benefits, new technologies, such as AI, often result in increasingly complex digital infrastructures that may hide security vulnerabilities ripe for the picking.

Second, the evolving regulatory landscape. Laws such as the Digital Operations Resiliency Act (DORA) in Europe and various new regulations from the US Securities and Exchange Commission (SEC) legally place personal responsibility for data breaches squarely on the shoulders of the CISO.

Finally, broader public awareness of security lapses. The SEC now requires publicly traded companies to disclose material cybersecurity incidents within four days. This is on top of the Strengthening American Cybersecurity Act that requires entities that own or operate critical infrastructure to report cyber incidents and ransom payments within 24 to 72 hours.

How have high-profile cyber incidents influenced the perception and reality of personal liability for CISOs?

Even if many organizations are now required to disclose cybersecurity incidents in a timely manner—as I just mentioned—that doesn’t mean all of those incidents become common knowledge. In fact, relatively few do. High-profile cybersecurity breaches—the incidents that most affect the general public—are those that drive intensified public scrutiny. As these incidents grab headlines, customers demand change. Unfortunately for the CISO, in these cases, perception is reality, and they often become the sacrificial lamb even if a broader set of executives and board members should share liability.

What proactive steps can CISOs take to mitigate the risk of personal liability?

As the saying goes, “an ounce of prevention is worth a pound of cure.” So, first and foremost, do your core job by strengthening your organization’s cyber resilience. Ensure your team has the resources, skills and guidance to maintain visibility into all of your assets; properly configure perimeter defenses; protect business-critical data and apps with a robust backup and recovery strategy; enforce strong security policies for things like passwords, the principle of least privilege and remote and personal device access; conduct effective employee cybersecurity awareness training; and finally, test and rehearse, test and rehearse, test and rehearse.

It also helps to fight fire with fire. Cybercriminals are using AI to improve their tactics. Implementing AI-powered technology to improve the effectiveness of each of the above cyber resilience steps will help ensure you stay one step ahead of bad actors and avoid the risk of being held personally liable for a successful breach.

Another key is establishing clear lines of communication with other executive leaders and board members. Be completely transparent and avoid the temptation to paper over emerging and potential issues you don’t quite yet understand or have the resources to deal with. It’s much better to be able to say, “I told you so,” than, “should have, could have, would have.”

How effective are directors and officers insurance policies in protecting CISOs from personal liability?

Directors and officers (D&O) liability insurance can offer some protection for the CISO, but its effectiveness in the dynamic realm of cybersecurity is not 100% certain. These policies typically cover legal fees and damages resulting from lawsuits against executives for decisions made in their professional capacities, but regulations that include personal accountability for cybersecurity failures might challenge the scope and limits of traditional D&O coverage.
Insurance providers may need to adjust their policies to address the specific risks faced by CISOs. While this will lead to more effective, tailored coverage, it could also potentially lead to higher premiums or so many exclusions that it becomes impractical.

How can organizations better support their CISOs to ensure they are not unfairly held liable for cyber incidents?

Organizations need to develop a culture of welcomed transparency. If the CISO is afraid to bring hard truths to the executive leadership team and board, there’s a problem. On our team, we tend not to really even talk about the things that are going well. Instead, we focus almost exclusively on what we need to improve. Red flags aren’t something we avoid, but embrace, so everyone is aware of risks and potential vulnerabilities.

Just as important, even the best security team will fail if not given necessary resources. This includes not just ongoing budgetary support to execute the above cyber resilience strategies, but also the authority to implement critical security measures. If security recommendations are consistently overridden or ignored by other parts of the organization, the CISO’s efforts become futile.

What advice would you give to current and aspiring CISOs in navigating the complexities of personal liability?

The biggest area of improvement needed for most CISOs is communication skills. As I stated, transparency is just as important as anything else in avoiding cybersecurity breaches and the resulting risk of personal liability, and transparency requires effective communication. Not only that, but negotiating for the resources you need to execute the cyber resilience strategies that will protect both your organization and you also requires effective communication. Lastly, effective communication plays a key role in your ability to get organization-wide buy-in to cybersecurity best practices by positioning cybersecurity as a business enabler rather than hindrance.

Role of the CISO titles


Tags: Cyber Resilience, cybersecurity


Jul 31 2024

How Millions of Phishing Emails were Sent from Trusted Domains: EchoSpoofing Explained

Category: DNS Attacks,Information Security,Phishingdisc7 @ 11:44 am

Injecting spoofed headers with email relaying involves manipulating the email headers to disguise the true origin of an email, making it appear as if it was sent from a legitimate source. Here’s a detailed explanation of how this process works:

1. Understanding Email Headers

Email headers contain vital information about the sender, recipient, and the path an email takes from the source to the destination. Key headers include:

  • From: The email address of the sender.
  • To: The recipient’s email address.
  • Subject: The subject line of the email.
  • Received: Information about the mail servers that handled the email as it traveled from sender to recipient.
  • Return-Path: The email address where bounces and error messages should be sent.

2. Email Relaying

Email relaying is the process of sending an email from one server to another. This is typically done by SMTP (Simple Mail Transfer Protocol) servers. Normally, email servers are configured to relay emails only from authenticated users to prevent abuse by spammers.

3. Spoofing Headers

Spoofing email headers involves altering the email headers to misrepresent the email’s source. This can be done for various malicious purposes, such as phishing, spreading malware, or bypassing spam filters. Here’s how it can be done:

a. Crafting the Spoofed Email

An attacker can use various tools and scripts to create an email with forged headers. They might use a command-line tool like sendmail or mailx, or a programming language with email-sending capabilities (e.g., Python’s smtplib).

b. Setting Up an Open Relay

An open relay is an SMTP server configured to accept and forward email from any sender to any recipient. Attackers look for misconfigured servers on the internet to use as open relays.

c. Injecting Spoofed Headers

The attacker crafts an email with forged headers, such as a fake “From” address, and sends it through an open relay. The open relay server processes the email and forwards it to the recipient’s server without verifying the authenticity of the headers.

d. Delivery to Recipient

The recipient’s email server receives the email and, based on the spoofed headers, believes it to be from a legitimate source. This can trick the recipient into trusting the email’s content.

4. Example of Spoofing Email Headers

Here’s an example using Python’s smtplib to send an email with spoofed headers:

import smtplib
from email.mime.text import MIMEText

# Crafting the email
msg = MIMEText("This is the body of the email")
msg['Subject'] = 'Spoofed Email'
msg['From'] = 'spoofed.sender@example.com'
msg['To'] = 'recipient@example.com'

# Sending the email via an open relay
smtp_server = 'open.relay.server.com'
smtp_port = 25

with smtplib.SMTP(smtp_server, smtp_port) as server:
    server.sendmail(msg['From'], [msg['To']], msg.as_string())

via Frontend Transport

The statement about the term “via Frontend Transport” in header values refers to a specific configuration in Microsoft Exchange Server that could suggest a misconfiguration allowing email relaying without proper verification. Let’s break down the key elements of this explanation:

1. Frontend Transport in Exchange

In Microsoft Exchange Server, the Frontend Transport service is responsible for handling client connections and email traffic from the internet. It acts as a gateway, receiving emails from external sources and forwarding them to the internal network.

2. Email Relaying

Email relaying is the process of forwarding an email from one server to another, eventually delivering it to the final recipient. While this is a standard part of the SMTP protocol, it becomes problematic if a server is configured to relay emails without proper authentication or validation.

3. The Term “via Frontend Transport”

When email headers include the term “via Frontend Transport”, it indicates that the email passed through the Frontend Transport service of an Exchange server. This can be seen in the Received headers of the email, showing the path it took through various servers.

4. Suggestion of Blind Email Relaying

The concern arises when these headers suggest that Exchange is configured to relay emails without altering them or without proper checks. This could imply that:

  • The Exchange server is not adequately verifying the sender’s authenticity.
  • The server might be forwarding emails without checking if they come from trusted sources.
  • Such a configuration can be indicative of an open relay, where the server forwards any email it receives, which is highly vulnerable to abuse.

5. Abuses of Open Relays

Open relays are notorious for being exploited by spammers and malicious actors because they can be used to send large volumes of unsolicited emails while obscuring the true origin of the message. This makes it difficult to trace back to the actual sender and can cause the relay server’s IP address to be blacklisted.


Here’s a detailed breakdown of the key points:

Scenario Breakdown

  1. Attackers Use a Genuine Microsoft Office 365 Account
    • The attackers have managed to send an email from a genuine Microsoft Office 365 account. This could be through compromising an account or using a trial account.
  2. Email Branded as Disney
    • The email is branded as coming from Disney (disney.com). This branding could involve setting the “From” address to appear as if it’s from a Disney domain, which can trick recipients into believing the email is legitimate.
  3. Gmail’s Handling of Outlook’s Servers
    • Gmail has robust mechanisms to handle high volumes of emails from trusted servers like Outlook’s (Microsoft’s email service). These servers are built to send millions of emails per hour, so Gmail will not block them due to rate limits.
  4. SPF (Sender Policy Framework)
    • SPF is a protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. The attackers benefit from this because:
      • The email is sent through Microsoft’s official relay server, protection.outlook.com.
      • Disney’s SPF record includes spf.protection.outlook.com, which means emails sent through this relay server are authorized by Disney’s domain.
  5. Spoofed Headers
    • Spoofed headers involve altering the email headers to make the email appear as if it originated from a different source. In this scenario, the attackers have spoofed headers to make the email look like it’s from Disney.
  6. SPF Check Passed
    • Since the email is sent via a server included in Disney’s SPF record (protection.outlook.com), it will pass the SPF check, making it seem legitimate to the recipient’s email server.

DKIM (DomainKeys Identified Mail)

DKIM is another email authentication method that allows the receiver to check if an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is done by verifying a digital signature added to the email.

Points of Concern

  • SPF Check Passed
    • The email passed the SPF check because it was sent through an authorized server (protection.outlook.com) included in Disney’s SPF record.
  • Spoofed Headers
    • The headers were manipulated to make the email appear as if it came from Disney, which can deceive recipients.
  • Gmail Handling
    • Gmail will trust and not rate-limit emails from Outlook’s servers, ensuring the email is delivered without being flagged as suspicious due to high sending volumes.

Potential for DKIM

To fully understand if the email can pass DKIM checks, we would need to know if the attackers can sign the email with a valid DKIM key. If they manage to:

  • DKIM Alignment
    • Ensure the DKIM signature aligns with the domain in the “From” header (disney.com).
  • Valid DKIM Signature
    • Use a valid DKIM signature from an authorized domain (which would be difficult unless they have compromised Disney’s signing keys or a legitimate sending infrastructure).

Proofpoint and similar services are email security solutions that offer various features to protect organizations from email-based threats, such as phishing, malware, and spam. They act as intermediaries between the sender and recipient, filtering and relaying emails. However, misconfigurations or overly permissive settings in these services can be exploited by attackers. Here’s an explanation of how these services work, their roles, and how they can be exploited:

Roles and Features of Proofpoint-like Services

  1. Email Filtering and Protection
    • Spam and Phishing Detection: Filters out spam and phishing emails.
    • Malware Protection: Scans and blocks emails containing malware or malicious attachments.
    • Content Filtering: Enforces policies on email content, attachments, and links.
  2. Email Relay and Delivery
    • Inbound and Outbound Filtering: Manages and filters both incoming and outgoing emails to ensure compliance and security.
    • Email Routing: Directs emails to the appropriate recipients within an organization.
    • DKIM Signing: Adds DKIM signatures to outgoing emails to authenticate them.
  3. Authentication and Authorization
    • IP-Based Authentication: Uses IP addresses to authenticate incoming email servers.
    • SPF, DKIM, and DMARC Support: Implements these email authentication protocols to prevent spoofing.

How Misconfigurations Allow Exploitation

  1. Permissive IP-Based Authentication
    • Generic Configuration: Proofpoint is often configured to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts.
    • IP Range Acceptance: Once a service like Office365 is enabled, Proofpoint accepts emails from any IP within the Office365 range, regardless of the specific account.
  2. Exploitation Steps
    Step 1: Setting Up the Attack
    • Attacker’s Office365 Account: The attacker sets up or compromises an Office365 account.
    • Spoofing Email Headers: The attacker crafts an email with headers that mimic a legitimate sender, such as Disney.
    Step 2: Leveraging Proofpoint Configuration
    • Sending Spoofed Emails: The attacker sends the spoofed email from their Office365 account.
    • Proofpoint Relay Acceptance: Proofpoint’s permissive configuration accepts the email based on the IP range, without verifying the specific account.
    Step 3: Proofpoint Processing
    • DKIM Signing: Proofpoint processes the email, applying DKIM signatures and ensuring it passes SPF checks because it comes from an authorized IP range.
    • Email Delivery: The email is then delivered to the target’s inbox, appearing legitimate due to the DKIM signature and SPF alignment.

Example of a Permissive Configuration in Proofpoint

  1. Admin Setup
    • Adding Hosted Services: Proofpoint allows administrators to add hosted email services (e.g., Office365) with a single-click configuration that relies on IP-based authentication.
  2. No Specific Account Configuration
    • Generic Acceptance: The setup does not specify which particular accounts are authorized, leading to a scenario where any account within the IP range is accepted.
  3. Exploitation of Misconfiguration
    • Blind Relay: Due to this broad acceptance, attackers can send emails through Proofpoint’s relay, which then processes and delivers them as if they were legitimate.
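To make the difference between the permissive rule and a stricter one concrete, here is an added, constructed example (not Proofpoint’s or Microsoft’s code) that models the relay’s acceptance decision: the weak policy accepts on the hosted service’s IP range alone, while the hardened policy also requires the originating tenant to be the one registered for the From domain. The IP range, the tenant names, the X-OriginatorOrg header as the tenant identifier, and the domain-to-tenant table are all assumptions made for the illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder standing in for the hosted service's published
# outbound IP ranges (the real Office365 ranges are not reproduced here).
HOSTED_SERVICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: the tenant that legitimately sends for each protected domain.
# Assumption: the relay operator records this when onboarding a customer.
DOMAIN_TO_TENANT = {"brand.example": "brand-corp.onmicrosoft.com"}

# Assumption: the hosted service stamps the originating tenant in this header.
# The page names no such header, so treat this as illustrative.
TENANT_HEADER = "X-OriginatorOrg"


def from_hosted_service(client_ip):
    """True when the connecting IP is inside the hosted service's ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in HOSTED_SERVICE_RANGES)


def from_domain(raw_message):
    """Domain of the From header, lower-cased ('' if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def permissive_policy(client_ip, raw_message):
    """Weak rule described above: any message arriving from the hosted
    service's IP range is relayed (and then DKIM-signed) regardless of
    which account or tenant inside that service actually sent it."""
    if not from_hosted_service(client_ip):
        return False, "source IP outside hosted-service range"
    return True, "accepted on IP range alone"


def hardened_policy(client_ip, raw_message):
    """Stricter rule: the IP range check still applies, but the message is
    relayed only if its From domain is one this relay protects AND the
    originating tenant is the one registered for that domain. Because the
    relay signs accepted mail with the customer's DKIM key, this is the last
    point where the spoof can still be caught; downstream SPF/DKIM pass."""
    if not from_hosted_service(client_ip):
        return False, "source IP outside hosted-service range"
    domain = from_domain(raw_message)
    expected_tenant = DOMAIN_TO_TENANT.get(domain)
    if expected_tenant is None:
        return False, "From domain %r is not protected by this relay" % domain
    msg = message_from_string(raw_message)
    tenant = (msg.get(TENANT_HEADER) or "").strip().lower()
    if tenant != expected_tenant:
        return False, "tenant %r is not registered for %s" % (tenant, domain)
    return True, "accepted: IP range and tenant both match"


def evaluate(client_ip, raw_message):
    """Decision of both policies for one message, for side-by-side comparison."""
    return {
        "permissive": permissive_policy(client_ip, raw_message)[0],
        "hardened": hardened_policy(client_ip, raw_message)[0],
    }


# Constructed sample messages. Both claim to be from the protected brand and
# both arrive from inside the hosted service's IP range; only the tenant differs.
SPOOFED_MESSAGE = (
    "From: \"Brand Support\" <support@brand.example>\r\n"
    "To: customer@example.net\r\n"
    "Subject: Action required on your account\r\n"
    "X-OriginatorOrg: attacker-tenant.onmicrosoft.com\r\n"
    "\r\n"
    "Please review the attached notice.\r\n"
)
LEGITIMATE_MESSAGE = SPOOFED_MESSAGE.replace(
    "attacker-tenant.onmicrosoft.com", "brand-corp.onmicrosoft.com"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, evaluate("203.0.113.25", raw))
```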

A recent attack exploited a misconfiguration in Proofpoint’s email routing, allowing millions of spoofed phishing emails to be sent from legitimate domains like Disney and IBM. The attackers used Microsoft 365 tenants to relay emails through Proofpoint, bypassing SPF and DKIM checks, which authenticate emails. This “EchoSpoofing” method capitalized on Proofpoint’s broad IP-based acceptance of Office365 emails. Proofpoint has since implemented stricter configurations to prevent such abuses, emphasizing the need for vigilant security practices.

For more details, visit https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

The Domain Name System: Understand Why Domain Name Is Still Relevant

How to Catch a Phish: A Practical Guide to Detecting Phishing Emails 

Step-by-step instructions on what to do if you fall prey to this type of cyber crime.  (Phishing in 2024)


Tags: EchoSpoofing, trusted domains


Jul 30 2024

Threat Actors Claiming Leak of IOC list with 250M Data, CrowdStrike Responded

Category: Cyber Threats,Threat detectiondisc7 @ 9:27 am
A hacktivist entity known as USDoD has asserted that it has leaked CrowdStrike’s “entire threat actor list” and claims to possess the company’s “entire IOC [indicators of compromise] list,” which purportedly contains over 250 million data points.

Details of the Alleged Leak

On July 24, 2024, the USDoD group announced on an English-language cybercrime forum that they had obtained and leaked CrowdStrike’s comprehensive threat actor database.

The group provided a link to download the alleged list and shared sample data fields to substantiate their claims.

The leaked information reportedly includes:

  • Adversary aliases
  • Adversary status
  • The last active dates for each adversary
  • Region/Country of Adversary Origin
  • Number of targeted industries and countries
  • Actor type and motivation
Claim of the breach

The sample data contained “LastActive” dates up to June 2024, while the Falcon portal’s last active dates for some actors extend to July 2024, suggesting the potential timeframe of the data acquisition.


Cyber Press researchers stated that they were able to view some of the documents leaked.

Background on USDoD

USDoD has a history of exaggerating claims, likely to enhance its reputation within hacktivist and eCrime communities.

For example, they previously claimed to have conducted a hack-and-leak operation targeting a professional networking platform, which was later debunked by industry sources as mere web scraping.

Since 2020, USDoD has engaged in both hacktivism and financially motivated breaches, primarily using social engineering tactics.

In recent years, they have focused on high-profile targeted intrusion campaigns and have sought to expand their activities into administering eCrime forums.

USDoD also claimed to possess “two big databases from an oil company and a pharmacy industry (not from the USA).” However, the connection between these claims and the alleged CrowdStrike data acquisition remains unclear.

The potential leak of CrowdStrike’s threat actor database could have significant implications for cybersecurity:

  • Compromise of ongoing investigations
  • Exposure of tracking methods for malicious actors
  • Potential advantage for cybercriminals in evading detection

This story unfolds following a CrowdStrike update that caused Windows machines to experience the Blue Screen of Death (BSOD) error.

CrowdStrike’s Response

CrowdStrike, a leading cybersecurity firm known for its threat intelligence and incident response services, has responded to the claims. The company stated:

“The threat intel data noted in this report is available to tens of thousands of customers, partners, and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”

While USDoD has been involved in legitimate breaches, its credibility in this specific case is questionable.

Their history of exaggeration, the inconsistencies in the leaked data, and CrowdStrike’s response all cast doubt on the authenticity and severity of the claimed leak.

Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List

THE CROWDSTRIKE & MICROSOFT CATASTROPHE OF 2024: How a Single Update Brought the World to a Standstill: A Detailed Investigation into the Global IT Outage and Its Aftermath


Tags: CrowdStrike, IoC


Jul 26 2024

Las Vegas transit system is nation’s first to plan full deployment of AI surveillance system for weapons

Category: AIdisc7 @ 11:41 am

https://www.cnbc.com/2024/07/25/vegas-transit-system-first-in-us-ai-scan-for-weapons.html

Key Points

  • The Regional Transportation Commission of Southern Nevada, which includes Las Vegas, will be the first transit system in the U.S. to implement system-wide AI weapons scans.
  • Transit systems nationwide are grappling with ways to reduce violence.
  • AI-linked cameras and acoustic technology are seen as viable options to better respond to mass shootings in public places across the U.S., according to law enforcement and public safety teams, though both approaches have downsides.
A sign promoting safety is seen on the Regional Transportation Commission 109 Maryland Parkway bus in Las Vegas Thursday, June 8, 2023.
Las Vegas Review-journal | Tribune News Service | Getty Images

On your next visit to Vegas, an extra set of eyes will be watching you if you decide to hop onto the local transit system.

As part of a $33 million multi-year upgrade to fortify its security, the Regional Transportation Commission of Southern Nevada is set to add a system-wide AI from gun detection software vendor ZeroEyes that scans riders on its over 400 buses in an attempt to identify anyone brandishing a firearm. 

Tom Atteberry, RTC’s director of safety and security operations, said that seconds matter in a situation where an active shooting unfolds, and implementing the system could give authorities an edge. “Time is of the essence; it gives us time to identify a firearm being brandished, so they can be notified and get to the scene and save lives,” he said.

Monitoring and preventing mass shootings is a challenge that public places across the country grapple with daily. Violent crime on transit systems, specifically, remains an issue in major metro areas, with a report released in late 2023 by the Department of Transportation detailing concerns from transit agency officials around the U.S. about rising violence on their transit systems. According to a database maintained by the Bureau of Transportation Statistics, assaults on transit systems have spiked, and there has been a rise in public fears about transportation safety.

For details:

Las Vegas transit system is nation’s first to plan full deployment of AI surveillance system for weapons

Wearable Devices, Surveillance Systems, and AI for Women’s Wellbeing


Tags: AI surveillance system, Las Vegas transit system


Jul 25 2024

File Transfer Cheatsheet: Windows and Linux

Linux Commands Line Mouse pad – Extended Large Cheat Sheet Mousepad. Shortcuts to Kali/Red Hat/Ubuntu/OpenSUSE/Arch/Debian/Unix Programmer. XXL Non-Slip…

The Practical Linux Handbook: A Beginner’s Guide to Mastering Everyday Tasks


Tags: File Transfer Cheatsheet


Jul 24 2024

Cybersecurity jobs available right now

Category: Cyber career,Information Security,InfoSec jobsdisc7 @ 12:31 pm

Cybersecurity jobs available right now…

Applied Cryptographer

Quantstamp | EMEA | Remote – View job details

As an Applied Cryptographer, you will research various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub) and testing, and have a familiarity with algorithms and data structures.

Cloud Security Specialist

KMS Lighthouse | Israel | On-site – View job details

As a Cloud Security Specialist, you will design, implement, and manage Azure and Microsoft 365 security solutions. Monitor security alerts, lead incident response, and conduct regular assessments. Ensure compliance with ISO 27001, SOC2 Type II and NIST standards.

CISO

CYBERcom | Israel | Hybrid – View job details

As a CISO, you will develop and implement comprehensive cybersecurity policies and procedures. Ensure compliance with relevant regulations and standards (e.g., GDPR, ISO 27001). Conduct risk assessments and develop mitigation strategies. Advise on security best practices and emerging threats. Collaborate with clients to enhance their security posture.

Cyber Range Lead

Booz Allen Hamilton | Japan | On-site – No longer accepting applications

As a Cyber Range Lead, you will lead a team of professionals as they use cyberspace capabilities to evaluate potential weaknesses as well as the effectiveness of mitigations for cyber security solutions. You will leverage cyberspace operations systems to aggregate threat feeds that inform briefings for senior leadership aligned to our client’s mission area.

Cybersecurity Technical Consultant

Thales | Mexico | Hybrid – View job details

As a Cybersecurity Technical Consultant, you will provide onsite or remote consulting services and support to Thales customers with a focus on high quality, accuracy and customer satisfaction. Develop and deliver technical hands-on product deep knowledge transfer to customers. Track and ensure successful completion of high impact projects by creating project scoping plans, design guides and relevant documentation.

Cyber Security Advisor

H&M | Sweden | On-site – View job details

As a Cyber Security Advisor, you will conduct security assessments of in-house developed and/or third-party provided solutions in order to ensure that they are in compliance with H&M’s security standards. Conduct security maturity and risk assessments for internal and external partners.

Cyber Security Engineer

PetroApp | Egypt | Remote – View job details

As a Cyber Security Engineer, you will develop and implement cyber security policies, procedures, and controls to protect the company’s digital assets. Conduct Pen-tests, monitor network traffic and security alerts to detect and respond to potential security breaches. Perform vulnerability assessments and penetration testing to identify and remediate security vulnerabilities. Conduct regular audits of security systems and processes to ensure compliance with industry standards and regulations.

Cyber Security Governance Risk & Compliance Manager

Munster Technological University | Ireland | On-site – View job details

As a Cyber Security Governance Risk & Compliance Manager, you will develop, implement, and maintain a robust IT governance, risk, and compliance framework in line with industry best practices and regulatory requirements. Drive risk maturity through project lifecycle and provide independent assessments, challenge inherent risks in material changes e.g., business decisions, projects, process changes, implementation of new systems, applications, and infrastructure.

Cyber Security Instructor

ABM College | Canada | On-site – View job details

As a Cyber Security Instructor, you will create dynamic classroom learning experiences using various teaching strategies to facilitate adult learners in achieving learning objectives in accordance with the program objectives as set out in the curriculum. Ensure students are motivated to learn and to maximize their potential. Develop different classroom strategies to ensure knowledge and skills acquisition and retention.

Digital Forensics and Incident Response Analyst

Accenture | Philippines | On-site – View job details

As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Conduct in-depth investigations of cybersecurity incidents, identifying the root cause, the extent of the impact, and recommended actions for containment, eradication, and recovery, and providing a final report that contains recommendations on how to prevent the same attack in the future by strengthening security posture.

Director of Information Security, Cyber Risk and Compliance

S&P Global | Italy | On-site – No longer accepting applications

As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Make recommendations related to balancing requirements and deadlines made by corporate departments with human resource and technical capabilities that exist in Market Intelligence. Negotiate differences to find and implement solutions acceptable to both corporate groups and Market Intelligence.

Head of Identity Management Platform

Nexi Croatia | Croatia | Hybrid – View job details

As Head of Identity Management Platform, you will leverage your strong background in Identity and Privileged Access Management, expertise in IT technologies, and in-depth knowledge of IT security to organize and lead complex projects, manage third-party teams, and oversee platform lifecycle activities such as upgrades and integrations.

Head of Consulting

Orange Cyberdefense | Norway | Hybrid – View job details

As a Head of Consulting, you will lead, mentor, and develop a team of cybersecurity consultants, fostering a culture of excellence and continuous improvement. Define and implement the consultancy department’s strategy in alignment with the company’s goals, ensuring the delivery of innovative and effective cybersecurity solutions. Ensure that all consultancy activities adhere to industry standards, regulatory requirements, and best practices, mitigating risks to both clients and the company.

Head of Security CU TH

Ericsson | Thailand | On-site – View job details

As a Head of Security CU TH, you will facilitate execution of and follow up on security strategy, policies & instructions, governance model and frameworks. Support the business in implementation and maintenance of ISO 27001 controls across the CU as per the MA scope and Ericsson Global ISO 27001 control framework. Manage local security incidents and support investigations.

IT Program Manager

Bose Corporation | USA | On-site – View job details

As an IT Program Manager, you will develop, implement, and manage cybersecurity programs in alignment with the organization’s strategic objectives. Oversee the security projects related to enterprise applications, with a focus on safeguarding sensitive data and ensuring compliance with regulatory standards. Facilitate regular security assessments and audits to identify vulnerabilities and implement corrective actions.

Penetration Tester

Navy Federal Credit Union | USA | On-site – View job details

As a Penetration Tester, you will manage penetration tests from inception through delivery. Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks. Leverage complex tactics including, but not limited to, lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.

Principal Data Security Specialist

Oracle | Spain | On-site – View job details

As a Principal Data Security Specialist, you will focus on delivering technical and procedural guidance to assist customers in defining the platform requirement through to realisation of the subscription value. Research and evaluate emerging solutions and services to drive continuous improvement.

Senior Architect – Cyber Security

Presight | UAE | On-site – View job details

As a Senior Architect – Cyber Security, you will develop and implement security architecture solutions to secure the organization’s IT infrastructure. Design and review security policies, standards, and procedures. Conduct security assessments and risk analysis to identify vulnerabilities and recommend mitigation strategies. Lead security projects and collaborate with cross-functional teams to integrate security measures.

Senior CyberSecurity Architect

Hexagon Geosystems | European Economic Area | Remote – View job details

As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. Lead in performing threat modeling, security architecture review, and risk assessments of new and existing technical solutions.

(Senior) Information Security Officer

Oetker Digital | Germany | Hybrid – View job details

As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive. Manage and assist in the development and implementation of the information security policies, procedures, and guidelines. Provide guidance and counsel to the C-Level, the senior management team, and staff about information security and its alignment with business objectives and risk management.

Technology & Cyber Risk: Senior Officer – Cybersecurity Risk

Citi | Poland | On-site – View job details

As a Technology & Cyber Risk: Senior Officer – Cybersecurity Risk, you will review and evaluate compliance and cyber policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from cyber risks. Assess cyber risks and evaluate actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices. Support independent assurance activities to assess areas of concern including substantive and controls testing.

Vulnerability Manager

TTM Technologies | USA | Remote – View job details

As a Vulnerability Manager, you will be responsible for identifying, assessing, prioritizing, and managing vulnerabilities across our systems and networks. Conduct regular vulnerability assessments and penetration tests across our systems, applications, and networks.

Starting Your Cyber Security Career: Building a Successful Career in Cyber Security

Cybersecurity Career Master Plan


InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Cybersecurity Career Master Plan, Cybersecurity jobs


Jul 23 2024

Microsoft releases tool to speed up recovery of systems borked by CrowdStrike update

Category: Security Toolsdisc7 @ 9:20 am

By now, most people are aware of – or have been personally affected by – the largest IT outage the world has ever witnessed, courtesy of a defective update for CrowdStrike Falcon Sensors that threw Windows hosts into a blue-screen-of-death (BSOD) loop.

“We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” David Weston, Microsoft’s VP of Enterprise and OS Security, stated on Saturday.

CrowdStrike claimed earlier today that “a significant number” of affected systems are back online and operational.

“Together with customers, we tested a new technique to accelerate impacted system remediation. We’re in the process of operationalizing an opt-in to this technique,” they noted on their remediation and guidance hub. “Customers are encouraged to follow the Tech Alerts for latest updates as they happen and they will be notified when action is needed.”

Microsoft collaborates with Crowdstrike, provides recovery tool

Microsoft is, understandably, doing everything it can to speed up worldwide recovery from the issue, has deployed hundreds of Microsoft engineers and experts to work with customers to restore services, and is collaborating with CrowdStrike.

“CrowdStrike has helped us develop a scalable solution that will help Microsoft’s Azure infrastructure accelerate a fix for CrowdStrike’s faulty update. We have also worked with both AWS and GCP to collaborate on the most effective approaches,” Weston explained.

Microsoft has also released a recovery tool that can be downloaded and used by IT admins to make the repair process less time-consuming.

The tool provides two repair options.

The first one – Recover from WinPE (Preinstallation Environment) – does not require local admin privileges, but requires the person to manually enter the BitLocker recovery key (if BitLocker is used on the device).

The second one – Recover from safe mode – may allow recovery without entering the BitLocker recovery keys.

“For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown,” the Intune Support Team noted.

They also included detailed recovery steps for Windows clients, servers, and OSes hosted on Hyper-V.

Microsoft has previously confirmed that the buggy CrowdStrike update affected Windows 365 Cloud PCs and that users “may restore their Windows 365 Cloud PC to a known good state prior to the release of the update (July 19, 2024)”. The company has also provided guidance for restoring affected Azure virtual machines.

Cloud security company Orca has released a script that automates the remediation of Windows virtual machines hosted on AWS.

Threat actor exploiting the situation

As expected, scammers and threat actors have immediately started taking advantage of the chaos that resulted from the faulty update.

Trend Micro researchers provided examples of tech support scams doing the rounds, and even legal scams.

A tech support scam exploiting the situation (Source: Trend Micro)

CrowdStrike warned about:

  • Attackers offering a fake utility for automating recovery that loads the Remcos remote access tool
  • Phishers and vishers impersonating CrowdStrike support and contacting customers
  • Scammers posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights

“CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels,” the company said.

UPDATE (July 23, 2024, 05:15 a.m. ET):

CrowdStrike has provided a way for remediating affected systems more quickly. Customers must opt in to use the technique via the support portal. (A Reddit user has explained the process involved.)

The company has also released a video explaining how users can self-remediate affected remote Windows laptops.

Fake CrowdStrike repair manual pushes new infostealer malware

“Resiliency in the digital age isn’t just about preventing outages; it’s about being prepared to respond effectively when they happen.”


Tags: CrowdStrike, Microsoft


Jul 18 2024

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

Category: Cyber Threats,Email Securitydisc7 @ 10:36 am

https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

The SEG Versus SEG Threat

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.

“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”

A Substantial Increase

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular, Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”

Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. “If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”

Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”
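The failure the article describes is a receiving gateway that judges a link by the outermost host (the other SEG's own domain) instead of by where the link finally lands. The following is an added example, not code from the article, from Cofense, or from any gateway vendor: it extracts links from an email body, peels off SEG-style wrappers (including nested ones) purely by parsing the URL, and vets the final destination. The only wrapper host taken from the article is the Barracuda Link Protect host; the second wrapper (`other-seg.example`), the destination hosts, the sample email and the blocklist are all constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hosts known to rewrite links on behalf of a secure email gateway. Only the
# Barracuda Link Protect host comes from the article; the set is an assumption
# to be extended with your own environment's knowledge, not a product list.
KNOWN_SEG_WRAPPER_HOSTS = {"linkprotect.cudasvc.com"}

# Constructed blocklist for the demo; a real deployment would consult
# reputation feeds rather than a hard-coded set.
BLOCKED_HOSTS = {"badplace.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _embedded_url(parsed) -> Optional[str]:
    """Return the first query-parameter value that is itself an absolute URL.

    parse_qs percent-decodes values, so a destination the SEG encoded as
    https%3A%2F%2F... comes back as https://... (one level per call; a doubly
    encoded inner URL is decoded again on the next loop iteration).
    """
    for values in parse_qs(parsed.query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_seg_url(url: str, max_depth: int = 5) -> Tuple[str, List[str]]:
    """Peel SEG/redirector wrappers off `url` without touching the network.

    Returns (final_destination, hosts_that_wrapped_it). Wrappers can be
    nested (rewritten by one SEG, then by another), hence the bounded loop.
    """
    chain: List[str] = []
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        inner = _embedded_url(parsed)
        if inner is None:
            break
        chain.append((parsed.hostname or "").lower())
        current = inner
    return current, chain


def vet_email_links(body: str, blocked_hosts) -> List[Dict[str, object]]:
    """Extract every link in an email body and judge it by its *final* host.

    `naive_verdict` reproduces the weakness the article describes: looking
    only at the outermost host (the SEG's own domain) and so seeing nothing
    bad. `verdict` checks the unwrapped destination instead.
    """
    results = []
    for raw in URL_RE.findall(body):
        final, chain = unwrap_seg_url(raw)
        outer_host = (urlparse(raw).hostname or "").lower()
        final_host = (urlparse(final).hostname or "").lower()
        results.append({
            "raw": raw,
            "final": final,
            "wrapped_by": chain,
            "known_seg_wrapper": outer_host in KNOWN_SEG_WRAPPER_HOSTS,
            "naive_verdict": "block" if outer_host in blocked_hosts else "scan",
            "verdict": "block" if final_host in blocked_hosts else "scan",
        })
    return results


# Constructed sample email body (not real traffic). The first link mirrors the
# Barracuda Link Protect shape quoted in the article; the last shows a
# destination wrapped twice, the inner wrapper being a hypothetical second SEG.
SAMPLE_EMAIL = """Hi, please review the attached invoice today:
https://linkprotect.cudasvc.com/url?a=https%3A%2F%2Fbadplace.example%2Finvoice&c=E,1,abc
Our portal: https://portal.example.com/login
Nested: https://linkprotect.cudasvc.com/url?a=https%3A%2F%2Fother-seg.example%2Fr%3Fu%3Dhttps%253A%252F%252Fbadplace.example%252Fx
"""

if __name__ == "__main__":
    for r in vet_email_links(SAMPLE_EMAIL, BLOCKED_HOSTS):
        print(f"{r['verdict']:5} naive={r['naive_verdict']:5} "
              f"via={r['wrapped_by'] or '-'} -> {r['final']}")
```

Unwrapping is done entirely offline from the URL's own query string, so it can run inside a mail filter before delivery; the real vetting decision then belongs to whatever reputation or sandbox check you already apply to plain links, applied to `final` rather than `raw`.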



Tags: Encoded URLs


Jul 16 2024

Understanding Compliance With the NIST AI Risk Management Framework

Category: NIST Privacy,Risk Assessmentdisc7 @ 10:06 am

Incorporating artificial intelligence (AI) seems like a logical step for businesses looking to maximize efficiency and productivity. But the adverse effects of AI use, such as data security risk and misinformation, could bring more harm than good.

According to the World Economic Forum’s Global Risks Report 2024, AI-generated misinformation and disinformation are among the top global risks businesses face today.

To address the security risks posed by the increasing use of AI technologies in business processes, the National Institute of Standards and Technology (NIST) released the Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023. 

Adhering to this framework not only puts your organization in a strong position to avoid the dangers of AI-based exploits, it also adds an impressive type of compliance to your portfolio, instilling confidence in external stakeholders. Moreover, while NIST AI RMF is more of a guideline than a regulation, today there are several AI laws in the process of being enacted, so adhering to NIST’s framework helps CISOs to future-proof their AI compliance postures.

Let’s examine the four key pillars of the framework – govern, map, measure and manage – and see how you can incorporate them to better protect your organization from AI-related risks.

1. Establish AI Governance Structures

In the context of NIST AI RMF, governance is the process of establishing processes, procedures, and standards that guide responsible AI development, deployment, and use. Its main goal is to connect the technical aspect of AI system design and development with organizational goals, values, and principles.

Strong governance starts from the top, and NIST recommends establishing accountability structures with the appropriate teams responsible for AI risk management, under the framework’s “Govern” function. These teams will be responsible for putting in place structures, systems and processes, with the end goal of establishing a strong culture of responsible AI use throughout the organization.

Using automated tools is a great way to streamline the often tedious process of policy creation and governance. “We view it as our responsibility to help organizations maximize the benefits of AI while effectively mitigating the risks and ensuring compliance with best practices and good governance,” said Arik Solomon, CEO of Cypago, a SaaS platform that automates governance, risk management, and compliance (GRC) processes in line with the latest frameworks.

“These latest features ensure that Cypago supports the newest AI and cyber governance frameworks, enabling GRC and cybersecurity teams to automate GRC with the most up-to-date requirements.”

Rather than existing as a stand-alone component, governance should be incorporated into every other NIST AI RMF function, particularly those associated with assessment and compliance. This will foster a strong organizational risk culture and improve internal processes and standards.

2. Map And Categorize AI Systems

The framework’s “Map” function supports governance efforts while also providing a foundation for measuring and managing risk. It’s here that the risks associated with an AI system are put into context, which will ultimately determine the appropriateness or need for the given AI solution.

As Opice Blum data privacy expert Henrique Fabretti Moraes explained, “Mapping the tools in use – or those intended for use – is crucial for understanding and fine-tuning acceptable use policies and potential mitigation measures to decrease the risks involved in their utilization.” 

But how do you actually put this mapping process into practice?

NIST recommends the following approach:

  • Clearly establish why you need or want to implement the AI system. What are the expectations? What are the prospective settings where the system will be deployed? You should also determine the organizational risk tolerance for operating the system.
  • Map all of the risks and benefits associated with using the system. Here is where you should also determine your risk tolerance, not only with monetary costs but also those stemming from AI errors or malfunctions.
  • Analyze the likelihood and magnitude of the impact the AI system will have on the organization, including employees, customers, and society as a whole.

3. Measure AI Performance and Risk

The “Measure” function utilizes qualitative and quantitative techniques to analyze and monitor the AI-related risks identified in the “Map” function.

AI systems should be tested before deployment and frequently thereafter. But measuring risk with AI systems can be tricky. The technology is fairly new, so there are no standardized metrics yet. This might change in the near future, as developing these metrics is a high priority for many consulting firms. For example, Ernst & Young (EY) is developing an AI Confidence Index.

“Our confidence index is founded on five criteria – privacy and security, bias and fairness, reliability, transparency and explainability, and the last is accountability,” noted Kapish Vanvaria, EY Americas Risk Market Leader. The other axis includes regulations and ethics. 

“Then you can have a heat map of the different processes you’re looking at and the functions in which they’re deployed,” he says. “And you can go through each one and apply a weighted scoring method to it.”

In the NIST framework’s priorities, there are three main components of an AI system that must be measured: trustworthiness, social impact, and how humans interact with the system. The measuring process will likely consist of extensive software testing, performance assessments and benchmarks, along with reporting and documentation of results.

4. Adopt Risk Management Strategies

The “Manage” function puts everything together by allocating the necessary resources to regularly attend to uncovered risks during the previous stages. The means to do so are typically determined with governance efforts, and can be in the form of human intervention, automated tools for real-time detection and response, or other strategies.

To manage AI risks effectively, it’s crucial to maintain ongoing visibility across all organizational tools, applications, and models. AI should not be handled as a separate entity but integrated seamlessly into a comprehensive risk management framework.

Ayesha Gulley, an AI policy expert from Holistic AI, urges businesses to adopt risk management strategies early, taking into account five factors: robustness, bias, privacy, exploitability and efficacy. Holistic’s software platform includes modules for AI auditing and risk posture reporting.

“While AI risk management can be started at any point in the project development,” she said, “implementing a risk management framework sooner than later can help enterprises increase trust and scale with confidence.”

Evolve With AI

The NIST AI Framework is not designed to restrict the efficient use of AI technology. On the contrary, it aims to encourage adoption and innovation by providing clear guidelines and best practices for developing and using AI securely and responsibly.

Implementing the framework will not only help you reach compliance standards but also make your organization much more capable of maximizing the benefits of AI technologies without compromising on risk.

AI-RMF A Practical Guide for NIST AI Risk Management Framework


Tags: NIST AI Risk Management Framework


Jul 10 2024

Attackers Already Exploiting Flaws in Microsoft’s July Security Update

Category: Cyber Attack,Security vulnerabilitiesdisc7 @ 10:12 am

Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.

The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.

Lack of Details Heighten Urgency to Fix Zero-Days

One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft’s Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate — or important — severity rating of 6.8 on the 10-point CVSS scale.

As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.

The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.

That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”

Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft’s sparse description. “Exploitation also likely requires the use of an ‘attack chain’ of exploits or programmatic changes on the target host,” he said in prepared comments. “But without further information from Microsoft or the original reporter … it is difficult to give specific guidance.”

Other High-Priority Bugs

The two bugs that were publicly known prior to Microsoft’s July update — and hence are also technically zero-day flaws — are CVE-2024-35264, a remote code execution vulnerability in .Net and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.

In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three of them, each with a near maximum severity rating of 9.8 on 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076, CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be on the top of the list of bugs to prioritize this month. “Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Childs said in his post.

Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.

One eyebrow-raising aspect in this month’s Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — some 39, or more than a quarter of the 139 disclosed vulnerabilities. “Thankfully, none of them are critical based on their CVSS scores and they’re all listed as ‘Exploitation Less Likely,’” says Tyler Reguly, associate director of security R&D at Fortra. “Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch,” he noted.

As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.

https://www.darkreading.com/application-security/attackers-already-exploiting-flaws-in-microsofts-july-security-update


Zero Day: Novice No More: Expose Software Vulnerabilities And Eliminate Bugs

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race


Tags: Microsoft's Security Update


Jul 09 2024

How nation-state cyber attacks disrupt public services and undermine citizen trust

Category: APT,Cyber Attackdisc7 @ 11:25 am

In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.

Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.

How do nation-state attacks affect the public sector and services provided to citizens?

All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.

Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.

In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.

A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.

In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public’s trust in the electoral system.

While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What’s harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.

What are the most common vulnerabilities within government IT systems that cyber attackers exploit?

Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.

It’s important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.

How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?

AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular “needle in a haystack” cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.

The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.

The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.

Are there any specific regulatory frameworks or policies that must be implemented or improved?

Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a company’s cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.

The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the “lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to “simplify oversight and regulatory responsibilities of cyber regulators” and “substantially reduce the administrative burden and cost on regulated entities.”

This is a much-needed exercise and it’s encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.

What role should the private sector play in supporting government cybersecurity efforts?

The private sector has threat intelligence that the government often doesn’t have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: nation-state cyber attacks


Jul 08 2024

Apple Geolocation API Exposes Wi-Fi Access Points Worldwide

Category: Access Control, API security, Wi-Fi Security | disc7 @ 1:09 pm

https://www.darkreading.com/endpoint-security/apple-geolocation-api-exposes-wi-fi-access-points-worldwide

Beyond the devices that use them, Wi-Fi hubs themselves can leak interesting data, thanks to some quirks in Apple’s geolocation system.


Apple’s Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.

How Apple Exposes Global APs

Have you ever wondered how your phone knows where it is in the world?

The Global Positioning System (GPS) is one tool it uses, of course, but it’s not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn’t ideal for such a persistent task. 

That’s where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).

For details:

https://www.darkreading.com/endpoint-security/apple-geolocation-api-exposes-wi-fi-access-points-worldwide

API Security for White Hat Hackers: https://amzn.to/45UJmsg

Wireless Security Architecture: https://amzn.to/4cCpNYb


Tags: Apple Geolocation


Jul 03 2024

10 Clear Signs Your Business Needs a Cybersecurity Consultant—And What to Expect

Category: cyber security, Selling cyber security | disc7 @ 8:37 am
https://www.linkedin.com/pulse/10-clear-signs-your-business-needs-cybersecurity-what-svyac/

You Can’t Keep Up with Emerging Threats or Technologies

Business Impact: Staying ahead of emerging threats and technologies is essential for protecting your business from cyberattacks. Falling behind can leave your business vulnerable to breaches, resulting in data loss, financial damage, and reputational harm. A cybersecurity consultant can help you stay current and implement the latest defenses, ensuring your business remains secure and competitive.

Expectation: CEOs should expect cybersecurity consultants to provide continuous education and training programs for their staff, ensuring the team stays updated with the latest cybersecurity trends and technologies. This empowers employees to recognize and respond to threats more effectively and reinforces a culture of security within the organization.

You Need an Impartial Security Assessment

Business Impact: Internal disagreements about security protocols can lead to inefficiencies and increased risk. An impartial assessment from a cybersecurity consultant can provide clarity, help to align your team and ensure that security measures are effective and unbiased. This can lead to a more cohesive security strategy and a more robust overall security posture.

Expectation: CEOs should expect cybersecurity consultants to conduct regular third-party security audits. These audits maintain an unbiased perspective on the company’s cybersecurity posture, uncover hidden vulnerabilities, and ensure that security measures evolve with the changing threat landscape.

You’re Lacking Innovation in Your Security Strategies

Business Impact: Innovation in security strategies is vital to staying ahead of cyber threats. A consultant brings fresh perspectives and innovative solutions that can enhance your existing security measures, leading to improved efficiency and effectiveness. This can result in cost savings, better resource allocation, and a more robust defense against cyber threats.

Expectation: CEOs should expect consultants to help establish a dedicated innovation team within the security department. This team should explore and integrate new technologies and methodologies, collaborating with the consultants to bring cutting-edge solutions to the organization.

You’re Unable to Meet Your Security Goals

Business Impact: Failing to meet security goals can expose your business to risks and hinder growth. A consultant can help identify the root causes of these challenges and provide actionable insights to achieve your objectives. Meeting security goals can enhance your business’s credibility, reduce the risk of breaches, and support overall business growth.

Expectation: CEOs should expect cybersecurity consultants to implement a structured framework like the NIST Cybersecurity Framework. This framework guides the security strategy and goal-setting processes, helping to identify gaps, set realistic goals, and track progress effectively.

Your Business Isn’t Growing, and You Don’t Know Why

Business Impact: Stagnant growth can indicate underlying security issues that are not immediately apparent. A cybersecurity consultant can conduct a thorough analysis to uncover hidden problems and provide solutions. Addressing these issues can remove barriers to growth, improve operational efficiency, and enhance your business’s financial performance.

Expectation: CEOs should expect cybersecurity consultants to perform a comprehensive security health check during the business strategy review. This health check identifies unseen security issues that may be hindering growth, and addressing them can streamline operations and enhance overall performance.

You’re Stalling on Implementing New Security Measures

Business Impact: Delaying important security initiatives can leave your business vulnerable and impede progress. A consultant can provide the expertise and resources needed to implement new security measures promptly. This can improve your security posture, reduce risk, and enable you to confidently take advantage of new business opportunities.

Expectation: CEOs should expect cybersecurity consultants to develop a clear, phased implementation plan for new security measures, prioritizing critical vulnerabilities first. This plan should include milestones and timelines to ensure steady progress and accountability.

You’re Working Outside Your Expertise

Business Impact: Focusing on areas outside your expertise can lead to suboptimal decisions and wasted resources. By hiring a cybersecurity consultant, you can ensure that specialized tasks are handled by experts, allowing you to focus on your strengths. This can lead to better decision-making, increased efficiency, and a higher quality of security measures.

Expectation: CEOs should expect cybersecurity consultants to establish a strategic partnership to handle specialized tasks. This ensures reliance on expert advice and services, allowing the CEO to focus on core business activities and leading to better overall outcomes.

You Lack In-House Security Expertise

Business Impact: A lack of in-house cybersecurity expertise can leave your business vulnerable to attacks and regulatory non-compliance. A consultant can fill this gap, providing the necessary skills and knowledge to protect your business. This can enhance your security posture, ensure compliance with industry regulations, and reduce the risk of costly breaches.

Expectation: CEOs should expect cybersecurity consultants to help implement an MSSP to supplement in-house capabilities. An MSSP provides continuous monitoring, threat detection, and response services, ensuring robust security even with limited internal resources.

You Have Tunnel Vision Regarding Security Issues

Business Impact: Working too closely on security problems can limit your perspective and lead to missed solutions. A consultant brings fresh eyes and can identify issues and solutions you might overlook. This can lead to more effective problem-solving, reduced risk, and improved overall security.

Expectation: CEOs should expect cybersecurity consultants to host regular brainstorming sessions with cross-functional teams. These sessions encourage diverse insights into security challenges, helping to uncover innovative solutions and prevent oversight.

You’re Working on a Time-Sensitive Security Project

Business Impact: Urgent security projects require expertise and efficiency to ensure success. A consultant can provide support to meet tight deadlines and achieve project goals.

Expectation: CEOs should expect cybersecurity consultants to utilize project management tools and methodologies like Agile to manage time-sensitive security projects efficiently. These tools streamline workflows, enhance collaboration, and meet critical deadlines without compromising quality.

FAQs

How do you verify the credentials and experience of a cybersecurity consultant?

To verify a cybersecurity consultant’s credentials and experience, you can:

  1. Check Certifications: Look for reputable certifications like CISSP, CISM, CEH, or others recognized in the industry.
  2. Review Past Projects: Ask for case studies or examples of past work that demonstrate their ability to handle challenges similar to yours.
  3. Seek References: Contact previous clients to get feedback on their experiences with the consultant.
  4. Interview Thoroughly: Conduct in-depth interviews to assess their knowledge, approach, and how they keep up with industry changes.
  5. Assess Continuous Learning: Inquire about their commitment to ongoing education and professional development.

What are the typical costs associated with hiring a cybersecurity consultant?

The cost can vary widely based on factors such as the scope of work, the consultant’s experience, and the duration of the engagement. Typical costs might include:

  1. Hourly Rates: Ranging from $150 to $500+ per hour.
  2. Project-Based Fees: Project fees can range from a few thousand dollars to hundreds of thousands, depending on the complexity.
  3. Retainer Agreements: Monthly retainers can range from $5,000 to $20,000 or more for ongoing support.

Discussing and agreeing on the fee structure upfront is essential to ensure it aligns with your budget and expectations.

What are the common red flags when interviewing potential cybersecurity consultants?

Some red flags to watch out for include:

  1. Lack of Specific Experience: Inability to provide detailed examples of past projects or relevant experience.
  2. Overemphasis on Certifications: While important, certifications alone don’t guarantee practical expertise.
  3. Poor Communication Skills: Inability to clearly explain complex concepts or their approach to your specific issues.
  4. Vague Proposals: Lack of detail about how they will address your needs or what deliverables you can expect.
  5. Unrealistic Promises: Guarantees of absolute security or immediate fixes are often unrealistic and should be scrutinized.

Can you provide examples of successful cybersecurity consultant engagements?

Examples of successful engagements include:

  1. Incident Response: A consultant helped a mid-sized company recover from a ransomware attack by quickly identifying the breach, containing the threat, and restoring data from backups, minimizing downtime and data loss.
  2. Security Program Development: A consultant worked with a healthcare provider to develop a comprehensive security program, achieving regulatory compliance and significantly reducing the risk of data breaches.
  3. Vulnerability Assessment: For a financial services firm, a consultant conducted a thorough vulnerability assessment, identifying and addressing critical security gaps that previously went unnoticed, enhancing overall security posture.


How do cybersecurity consultants stay updated on the latest threats and technologies?

Cybersecurity consultants stay current by:

  1. Continuous Education: Regularly attending training sessions and webinars and obtaining advanced certifications.
  2. Professional Networks: Being active in professional organizations like (ISC)², ISACA, and others, which offer resources and networking opportunities.
  3. Industry Conferences: Participating in conferences such as Black Hat, DEF CON, and RSA Conference to learn about the latest trends and technologies.
  4. Research and Publications: Reading industry publications and research papers and participating in cybersecurity forums and discussions.
  5. Hands-On Experience: Engaging in ongoing practical work and simulations to apply new techniques and tools in real-world scenarios.

This commitment to continuous learning ensures they can provide up-to-date and effective security solutions.

In what situations would a vCISO or CISOaaS service be appropriate?

CyberSecurity Consultants Playbook


Tags: Cybersecurity Consultant


Jul 01 2024

New Hacker Group Attacking Systems With 10 Malware At Same Time

Category: Malware | disc7 @ 8:03 am

A malware campaign of huge magnitude, perhaps run by just one group, is distributing artificially nested files named ‘WEXTRACT.EXE            .MUI’.

More than 50,000 files worldwide use this method to deliver different stealers and loaders such as Redline, RisePro, and Amadey.

Several samples are associated with an Autonomous System linked to Eastern European cybercriminals.

Cybersecurity researchers at OutPost24 recently detected that a new hacker group has been attacking systems with 10 malware families at the same time.

10 Malware At Same Time

The “WEXTRACT.EXE            .MUI” malware distribution system uses nested cabinet files to distribute a number of malware samples, such as stealers and loaders.

This method’s complex execution sequence drops and runs malware in reverse order, which may result in bypassing security measures.

The technique could cause multiple infections as the loaders may download more malware.
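Two cheap triage checks follow directly from the description above: a file name that pads whitespace between an executable extension and a decoy one, and a file body containing several Microsoft Cabinet headers nested inside each other. The code below is an added example, not OutPost24's tooling or anything from the campaign; the cabinet blob it scans is constructed (a correctly laid out CFHEADER with dummy contents), and the header check is a plausibility test on the 'MSCF' magic and cbCabinet size field, not a full CAB parser.

```python
"""Triage heuristics for WEXTRACT-style nested-cabinet droppers.

Added example, not OutPost24's code. Checks a quarantined sample for
  1. an executable extension hidden behind a whitespace run, e.g.
     'WEXTRACT.EXE            .MUI', and
  2. Microsoft Cabinet headers (magic 'MSCF') nested inside one another.
SAMPLE_BLOB below is CONSTRUCTED: real CFHEADER layout, dummy contents.
"""
import re
import struct

CAB_MAGIC = b"MSCF"
CFHEADER_LEN = 36   # fixed part of the CFHEADER structure; cbCabinet is the uint32 at +8
# an executable extension, 2+ blanks, then a harmless-looking final extension
PADDED_EXT_RE = re.compile(r"\.(exe|scr|com|dll|bat|cmd)[ \t]{2,}\.[A-Za-z0-9]+$", re.I)


def has_padded_extension(name):
    """True when whitespace padding separates an executable extension from a decoy."""
    return PADDED_EXT_RE.search(name) is not None


def cab_header_offsets(data):
    """Offsets of plausible CFHEADERs: 'MSCF' whose cbCabinet fits inside the blob."""
    found, pos = [], data.find(CAB_MAGIC)
    while pos != -1:
        if pos + CFHEADER_LEN <= len(data):
            cb_cabinet = struct.unpack_from("<I", data, pos + 8)[0]
            if CFHEADER_LEN <= cb_cabinet <= len(data) - pos:
                found.append(pos)
        pos = data.find(CAB_MAGIC, pos + 1)
    return found


def nesting_depth(data):
    """Deepest chain of cabinets whose extents enclose one another (0 if none)."""
    open_ends, depth = [], 0   # stack of end offsets of cabinets enclosing the cursor
    for off in cab_header_offsets(data):
        while open_ends and open_ends[-1] <= off:
            open_ends.pop()        # that cabinet ended before this header: a sibling
        open_ends.append(off + struct.unpack_from("<I", data, off + 8)[0])
        depth = max(depth, len(open_ends))
    return depth


def triage(name, data, max_depth=1):
    """Summarise both checks; 'suspicious' when either heuristic fires."""
    padded, depth = has_padded_extension(name), nesting_depth(data)
    return {"padded_extension": padded, "cab_depth": depth,
            "suspicious": padded or depth > max_depth}


def fake_cab(payload):
    """Constructed cabinet: signature, reserved1, cbCabinet, zeroed remainder, payload."""
    header = CAB_MAGIC + b"\0" * 4 + struct.pack("<I", CFHEADER_LEN + len(payload)) + b"\0" * 24
    return header + payload


# Constructed sample: one cabinet wrapped inside another, with the padded file name.
SAMPLE_NAME = "WEXTRACT.EXE            .MUI"
SAMPLE_BLOB = fake_cab(fake_cab(b"inner dummy contents"))

if __name__ == "__main__":
    print(triage(SAMPLE_NAME, SAMPLE_BLOB))
```

On real samples, a depth above one is the signal to hand the file to a proper CAB extractor and inspect each layer, since the loaders inside may fetch further payloads.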

From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.

The campaign developed over time, incorporating obfuscation tools and different distribution methods.

An examination of over 2,100 samples showed malware combinations in which victims might be infected by several stealers and loaders simultaneously.

This suggests that there was a single actor behind the infrastructure and tactics for this campaign.

Distribution steps of one sample of WEXTRACT (Source – OutPost24)

It is likely that the campaign to distribute malware called “Unfurling Hemlock” buys distribution services from other actors.

Its earliest phases were in email attachments and downloads from hacked or hoax websites.

The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.

This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.

The malware campaign uses different C2 URLs and IP addresses, some of which are specific to the WEXTRACT-related malware and others that are common to other campaigns.

The diversity in infrastructure supports the insight that this actor could be supplying samples from other campaigns, possibly encouraged by financial interest.

While the upload locations may not indicate the actual infection sites, the infection sources cut across several countries.

The countries of origin are shown below:

Origin of the samples (Source – OutPost24)

Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.

This operation launched different types of malware simultaneously to increase the possibilities of infection and diversify potential paybacks.

Though not highly developed, this “cluster bomb” method may be adopted by threat actors in the future.

Researchers recommended using the latest anti-malware tools, analyzing packed files, and keeping users alert to suspicious downloads and emails.

Evasive Malware: Understanding Deceptive and Self-Defending Threats

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses 


Tags: Cluster bomb

