InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
In the past, Citrix was found to have a Zero-Day vulnerability in its Citrix NetScaler Application Delivery Controller (ADC), which made it possible for malicious actors to carry out remote code execution.
It was discovered that the zero-day vulnerability was being used in the wild, hence it was assigned the CVE ID 2023-3519 and the severity rating of 9.8 (Critical). Citrix did provide fixes to address the vulnerability, but there was no way to determine whether or not a particular Citrix appliance had been compromised.
A new report states that it has been discovered that more than 1900 NetScalers are still infected with a backdoor. This information was obtained during a recent investigation.
Mandiant has launched a tool to assist business defenders in determining whether Citrix networking devices have been hacked in light of the fact that thousands of Citrix networking products are still susceptible to a major vulnerability that has not been patched and are accessible on the internet.
Citrix ADC and Citrix Gateway version 13.1, Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and Citrix Gateway version 12.1, Citrix ADC, and Citrix Gateway version 12.0 are all compatible versions with which the IoC Scanner may be utilized.
On July 18, Citrix released a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products. The company also recommended that businesses that use the vulnerable products immediately deploy the fix. The vulnerability might be exploited to allow for the execution of unauthenticated remote code. The vulnerability is already being aggressively exploited by a number of threat organizations, who are doing so by establishing web shells within corporate networks and carrying out hundreds of attacks.
According to the findings of the researchers, there are still close to 7,000 examples available on the web. Around 460 of them had Web shells installed, most likely as a result of being compromised.
This application, which may be found on GitHub, was developed by Mandiant and has the ability to determine the file system paths of known malware, post-exploitation activities in shell history etc. The independent Bash script may be executed directly on a Citrix ADC device to search for known indications in files, processes, and ports. (The utility must be executed on the appliance in live mode while logged in as root.) According to Mandiant, it can also examine a forensic image that has been mounted for use in an investigation.
This application has a wide variety of functionality, such as scanning,
File system path that could be a malware Shell history for suspicious commands NetScaler directories and files that match with IOCs Suspicious file permissions or ownership Instances of Crontab Malicious processes running on the system
This solution, which was created in partnership with Citrix and Mandiant, has the only purpose of assisting enterprises in preventing compromised systems and scanning for evidence of their presence.
According to Mandiant, the IoC Scanner will do a “best-effort job” of detecting compromised items; nevertheless, it is possible that it may not be able to locate all infected devices or determine whether or not the device is susceptible to being exploited. According to the company, “This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519,” which is a vulnerability.
testssl.sh is a free command line tool, which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptography flaws on Linux servers, even it runs on macOS too.
It is also available in Kali Linux OS to test TLS/SSL encryption.
Key features
Clear output: you can tell easily whether anything is good or bad.
Machine readable output (CSV, two JSON formats)
No need to install or to configure something. No gems, CPAN, pip or the like.
Works out of the box: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin, WSL (bash on Windows). Only OpenBSD needs bash.
A Dockerfile is provided, there’s also an official container build @ dockerhub.
Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443.
Toolbox: Several command line options help you to run your test and configure your output.
Reliability: features are tested thoroughly.
Privacy: It’s only you who sees the result, not a third party.
Freedom: It’s 100% open source. You can look at the code, see what’s going on.
The development is open (GitHub) and participation is welcome.
License
This software is free. You can use it under the terms of GPLv2, see LICENSE.
Attribution is important for the future of this project — also in the internet. Thus if you’re offering a scanner based on testssl.sh as a public and/or paid service in the internet you are strongly encouraged to mention to your audience that you’re using this program and where to get this program from. That helps us to get bugfixes, other feedback and more contributions.
Compatibility
Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev most of the limitations of disabled features from the openssl client are gone due to bash-socket-based checks.
As a result you can also use e.g. LibreSSL or OpenSSL >= 1.1.1 . testssl.sh also works on other unixoid systems out of the box, supposed they have /bin/bash >= version 3.2 and standard tools like sed and awk installed. An implicit (silent) check for binaries is done when you start testssl.sh . System V needs probably to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
Installation
You can download testssl.sh branch 3.2 just by cloning this git repository:
git clone –depth 1 https://github.com/drwetter/testssl.sh.git 3.2 is now the latest branch which evolved from 3.1dev. It’s in the release candidate phase. For the former stable version help yourself by downloading the ZIP or tar.gz archive. Just cd to the directory created (=INSTALLDIR) and run it off there.
Docker
Testssl.sh has minimal requirements. As stated you don’t have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don’t want to pull the GitHub repo to your directory of choice you can pull a container from dockerhub and run it:
docker run –rm -ti drwetter/testssl.sh <your_cmd_line>
Or if you have cloned this repo you also can just cd to the INSTALLDIR and run
Currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
Documentation
See man page in groff, html and markdown format in ~/doc/.
https://testssl.sh/ will help to get you started for TLS/SSL encryption testing.
For the (older) version 2.8, Will Hunt provides a longer description, including useful background information.
Initially perceived as primarily targeting large corporations, advanced persistent threat (APT) attacks, often backed by state actors, have witnessed a notable surge in incidents against small and medium-sized enterprises. This expanding scope signifies that no entity is exempt, as the dynamic evolution of attack methods demands a proactive stance and ongoing fortification of security measures. This endeavor places a persistent burden on resources, especially when factoring in the diverse array of tactics, techniques, and procedures (TTPs) employed within these attacks.
Uncommon TTPs
With time, money and other resources on their side, APTs such as Cozy Bear (aka APT29), OceanLotus (aka APT32), and Grim Spider (aka APT-C-37) conduct technically intricate, cutting-edge attacks that potentially threaten any organization. One victim can also be collateral damage for an attack on a larger target.
While some of their TTPs – such as spear phishing, credential theft, living off the land (LOL), and data exfiltration – are well-known and widely documented, less common TTPs that APTs may use can wreak just as much havoc. These include:
Watering hole attacks: These attacks involve compromising websites that the target organization’s employees or individuals frequently visit. The attackers inject malicious code into these legitimate websites, causing visitors to download malware unknowingly. It’s a tactic that allows APTs to gain access to the target organization through the users’ systems without directly attacking them. One well-known attack involved the website of the US Department of Labor in 2013, where malicious code was injected to infect visitors’ systems and target government employees and contractors.
Island hopping: In these attacks, APTs target not only the primary victim organization but also other organizations within their supply chain, partners, or affiliates. By compromising less secure third-party companies first, they can use them as stepping stones to reach the ultimate target and avoid direct detection. Cozy Bear targeted the Democratic National Committee in 2016 and later used island hopping techniques to breach other US government agencies.
Fileless malware:Fileless malware resides in the system’s memory, leaving little to no trace on the hard drive. It leverages legitimate processes and tools to carry out malicious activities, making it challenging for traditional security solutions to detect. Fileless malware can be delivered through malicious scripts (such as macros and PowerShell commands), malicious registry entries, LOLBins, LOLScripts, WMI/WSH, and reflective DDL-injection (to highlight the most common ones). APT32 (OceanLotus) used fileless malware to compromise multiple organizations in Southeast Asia, including government agencies and private companies while evading detection and attribution.
Hardware-based attacks: APTs may use hardware-based attacks, such as compromising firmware, hardware implants, or manipulating peripheral devices, to gain persistence and evade traditional security measures. These attacks can be difficult to detect and remove without specialized tools and expertise. A notable example is the Equation Group‘s malware for reprogramming hard drives’ firmware.
Zero-day exploits: APTs may deploy zero-day exploits to target previously unknown vulnerabilities in software or hardware. These attacks can be highly effective as no patches or defenses against them are available. Who could forget the Stuxnet attack? Stuxnet was a sophisticated and targeted worm that exploited multiple zero-day vulnerabilities in industrial control systems, making it highly effective and challenging to detect.
Memory-based attacks: Memory-based attacks exploit vulnerabilities in software to gain access to sensitive data stored in the computer’s RAM. These attacks can bypass traditional security measures that focus on file-based threats. APT32, believed to be based in Vietnam, is known for using fileless malware and “living off the land” techniques to operate stealthily in the computer’s memory and evade traditional security measures.
DNS tunneling: APTs may use DNS tunneling to exfiltrate data from the victim’s network. This technique involves encoding data in DNS requests or responses, allowing the attackers to bypass perimeter security measures that may not inspect DNS traffic thoroughly. Cozy Bear used DNS tunneling to communicate with their command-and-control servers and steal sensitive information from targeted organizations in a stealthy manner.
Advanced anti-forensic techniques: APTs invest significant efforts in covering their tracks and erasing evidence of their presence. They may employ advanced anti-forensic techniques to delete logs, manipulate timestamps, or encrypt data to hinder investigation and response efforts. One well-known advanced anti-forensic techniques attack by the Equation Group involved using a rootkit called “DoubleFantasy” to hide and persistently maintain their presence on infected systems, making it extremely challenging for analysts to detect and analyze their activities.
Multi-platform or custom malware: APTs employ malware capable of targeting both Windows and macOS systems to maximize its reach. They can also deploy tailored malware, such as the Scanbox reconnaissance framework to gather intelligence. An example is APT1 (also known as Comment Crew or Unit 61398), which utilized custom malware to infiltrate and steal sensitive data from various organizations worldwide, particularly in the United States.
Password spraying: Password spraying attacks are used to gain initial access by attempting to use a few common passwords against multiple accounts. APT33 (Elfin) targeted organizations in the Middle East and globally, using password spraying to compromise email accounts and gain a foothold for further cyber-espionage activities.
APTs are here to stay
Organizations can make APT groups’ lives more difficult. Here’s how:
Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
These TTPs underscore the diverse and advanced technical skills exhibited by different threat groups. Organizations can bolster their defenses and protect against APT incursions by studying their tactics, techniques, and procedures.
Continuous vigilance, threat intelligence, and incident response readiness are crucial elements in preparing for and sometimes thwarting these persistent and highly skilled adversaries. Understanding real-world APT attacks’ technical intricacies and TTPs is vital for organizations to enhance their defense strategies and safeguard against these persistent threats.
Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to hack.
Researchers from the Synack Red Team found multi flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs.
ScrutisWeb software is developed by Lagona, it allows to remotely manage ATMs fleets. Operators can use the software to send and receive files to a device, modifying data, reboot a device or shut down a terminal.
The researchers discovered multiple vulnerabilities, including Absolute Path Traversal and Authorization Bypass Through User-Controlled Key issues, Hardcoded Cryptographic Key, and Unrestricted Upload of File with Dangerous Type.
Lagona addressed the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38.
The CVE-2023-33871 is an Absolute Path Traversal that an allow to download configurations, logs and databases from the server.
The CVE-2023-35189 is a Remote Code Execution that could be chained with the other issues to gain user access to the ATM controller.
The CVE-2023-38257 is an Insecure Direct Object Reference that can be exploited to retrieve information about all users on the system.ì, including administrators.
The CVE-2023-35763 is Hardcoded encryption key that can allow to retrieve Plaintext administrator credentials.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory for these vulnerabilities, the agency also provides the following recommendations:
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
e. It has an impressive history that spans over 30 years, and now it serves as an effective object-relational database system that is open source. Because of its ability to store and grow even the most complex data workloads, it has become the database of choice for a wide variety of applications, ranging from websites to mobile and analytics systems.It has been discovered that the widely used open-source object-relational database system PostgreSQL has a significant security flaw. The vulnerability, identified as CVE-2023-39417, has a significant CVSS score of 7.5 and gives an attacker the ability to execute arbitrary code as the bootstrap superuser if the attacker also has the capability to create databases at the database level.The vulnerability may be exploited in the PostgreSQL extension script if an administrator has installed files of a vulnerable, trusted, non-bundled extension. The vulnerability is present in the PostgreSQL extension script. When using the @extowner@, @extschema@, or @extschema:…@ functions, there is a security flaw because user input is not properly sanitized. This flaw is the root source of the vulnerability.
An adversary may take advantage of this flaw by sending malicious data to a PostgreSQL database that is running a version of the program that is susceptible to being exploited. It’s possible that the malicious input will be in the form of a SQL query, or it may be a parameter to a function. As soon as the attacker submits the malicious input, they are able to execute arbitrary code in the context of the bootstrap superuser.
The bootstrap superuser is a unique user account that has full authority over a PostgreSQL database. This account is only accessible via the bootstrap script. This indicates that an adversary who is able to run arbitrary code as the bootstrap superuser has the ability to do whatever they want with the database. This includes stealing data, deleting data, or altering data.
All of the PostgreSQL versions 11, 12, 13, 14, and 15 are susceptible to the CVE-2023-39417 issue. The fixed versions are 11.21, 12.16, 13.12, 14.9, and 15.4. PostgreSQL has made available a patch that prevents this attack from taking place at the fundamental level of the server. The process of remediation is made more straightforward by the fact that users do not have to edit individual extensions. It is imperative that you install this necessary update as soon as possible since the safety of your data relies on it.
Ford recently identified a buffer overflow flaw in the Wi-Fi driver used by it in the SYNC 3 infotainment system. After the discovery, Ford quickly alerted about this flaw and disclosed the vulnerability publicly.
Car hijacking by hackers exploiting various functions of the car is known, but the real-world execution of such attacks remains challenging.
While there are certain vulnerabilities that cause immediate serious consequences, enabling threat actors to open and start the cars by exploiting the vulnerabilities remotely.
Since this system is used in the Ford and Lincoln vehicles, so, the successful exploitation of this flaw could enable threat actors to perform remote code execution.
This vulnerability has been tracked as “CVE-2023-29468,” and it was detected by a researcher who reported this flaw to the Wi-Fi module supplier, Texas Instruments (TI).
Summary: The TI WiLink WL18xx MCP driver does not limit the number of information elements (IEs) of type XCC_EXT_1_IE_ID or XCC_EXT_2_IE_ID that can be parsed in a management frame. Using a specially crafted frame, a buffer overflow can be triggered which can potentially lead to remote code execution.
TI PSIRT ID: TI-PSIRT-2022-120160
CVSS Score: The CVSS base score for this issue can range from 8.8 to 9.6.
Affected Products: WILINK8-WIFI-MCP8 version 8.5_SP3 and earlier
Ford’s Response
The SYNC3 infotainment system offers in-car WiFi, connectivity, voice commands, and third-party apps. The vulnerability concerns Ford customers, but no known exploits were reported.
Moreover, the attackers need physical proximity to an exposed, running engine with Wi-Fi enabled for a successful attack.
Ford’s investigation concludes that this vulnerability won’t impact vehicle safety, as the infotainment system firewall prevents control interference with steering, throttling, and braking.
Besides this, Ford assured that soon it will release the online software patch for USB installation. Meanwhile, customers who are concerned about the flaw can disable the Wi-Fi via SYNC 3’s Settings menu or check the vehicle’s SYNC 3 status online.
Researchers in the field of information security at Horizon3 have made public the proof-of-concept (PoC) code for a major privilege escalation vulnerability (CVE-2023-26067) found in Lexmark printers. On a device that has not been patched, this vulnerability, which has a CVSS score of 8.0, might enable an attacker to get elevated access if the device is not updated.
Incorrect validation of user-supplied information is what led to the vulnerability in the system. This vulnerability might be exploited by the attacker by having the attacker make a specially crafted request to the printer. Once the vulnerability has been exploited, the attacker has the potential to get escalated rights on the device, which might give them the ability to execute arbitrary code, spill credentials, or obtain a reverse shell.
Configurations prone to vulnerability An initial Setup Wizard is shown on the display of the user’s Lexmark printer the very first time it is turned on by the user. This wizard walks the user through the process of configuring several system settings, such as the language, as well as giving them the opportunity to setup an administrative user. If the user makes the selection “Set Up Later,” the printer will provide “Guest” users access to all of the features and pages available through the web interface of the printer. If the user selects “Set up Now,” the printer will prevent them from accessing a significant portion of their accessible capability until they have authenticated themselves.
Even if the user chooses to “Set Up Later,” they still have the option of configuring their credentials using the web interface if they so want. On the other hand, a credential that is set up in this way will not, by default, impose any limits on the “Guest” account. This indicates that several critical functions, such as access to the vulnerable endpoint /cgi-bin/fax_change_faxtrace_settings, are still available to the public.
He looked at devices that were listed on Shodan as well as those that were in our client base when we were trying to determine what configuration was the one that was used in the real world the most. When you search “Lexmark 3224” on Shodan, it will display all of the printers that have the online interface accessible. The vast majority of these accessible printers were configured in a way that made them susceptible to attack. The similar pattern was seen with each of customers that integrate Lexmark printers into their own corporate networks.
Horizon3 has conducted extensive research on this vulnerability and discovered many different ways that it may be chained by cunning and smart adversaries. A article on Horizon3’s blog that was written on Friday and published on Friday gives insight on the layered complexity of this vulnerability. Take a look at the following to get an idea of what prospective attackers may do:
Credential Dumping: By exploiting this weakness, attackers are able to obtain sensitive credentials, which is the first step that might lead to more extensive and destructive breaches.
Gain Access to Reverse Shells Attackers are able to build a reverse shell after they have gained control of a device. This allows them to further extend the extent of their control and access inside a network.
Surprisingly, this vulnerability even gives attackers the ability to play music on the devices that are afflicted by the issue. Despite the fact that this may appear little, it serves to highlight the degree of power that might be achieved by exploiting this vulnerability.
Horizon3 has taken things a step further by posting a Proof-of-Concept (PoC) code on their website, which illustrates how the CVE-2023-26067 vulnerability may be exploited maliciously. The disclosure of the proof-of-concept code is a double-edged sword, despite the fact that there have been no efforts made publically known or reported to exploit this in the wild.
Firmware upgrades have been made available by Lexmark in order to fix this issue. If you own a Lexmark printer, you need to check the firmware version and make sure it is updated to the most recent version as soon as you can. On the Lexmark website, you’ll be able to discover the most recent firmware update for your printer. The vulnerability posed by this issue poses a significant risk to Lexmark printers. It is quite possible that threat actors who are resourceful and motivated will move fast to exploit this vulnerability. If you want to keep your printers safe from harm, it is essential to keep the firmware on them up to date as quickly as possible.
A white hat hacker, with over 30 years of experience as a cybersecurity analyst at a major Silicon Valley company, talks about why he turned his back on black hat hacking for the greater good. He talks about the reality of just how vulnerable our systems are – from the very real threat of hackers taking the American power grid or medical facilities offline to how easily accessible our private information is to anyone with Wi-Fi and some time on their hands.
The number of businesses falling victim to ransomware attacks each year is snowballing. Hackers have realized how lucrative these attacks are, with ransoms in the millions regularly being paid out. This documentary examines how hackers make their money and how much a victim can lose. Cyber security experts tell us how cybercriminals carry out the attacks and who is helping them.
For weeks, a cyberattack paralyzed the German district of Anhalt-Bitterfeld in 2021, bringing its whole administration to a standstill. It was a stark illustration of how hackers can knock out entire communities in milliseconds — and how digital technology has become vital for running our societies. DW investigates how a criminal industry makes billions by taking computers hostage — and how governments can use similar methods as a political weapon.
A shadow war is a war that, officially, does not exist. Shadow wars are rising as mercenaries, hackers, and drones take over the role armies once played. States are evading their responsibilities and driving the privatization of violence. War in the grey zone is a booming business: Mercenaries and digital weaponry regularly carry out attacks while those giving orders remain in the shadows.
Millions of Australians have had their data stolen in malicious attacks, costing some businesses tens of millions of dollars in ransom. Four Corners investigates the cyber gangs behind these assaults, cracking open their inner operations and speaking to a hacker who says he targets Australians.
Look behind the cheerful veneer of social media, communication apps, and platforms that have made our lives easier and more connected, and you’ll find criminals using the same apps and platforms to run illicit and dangerous activities.
Singapore aims to be a “Smart Nation” but the more it depends on IT, the more it opens itself to cyber threats. This is the cybersecurity dilemma. Explore global incidents of cyber espionage, disinformation, disruption and pandemics and how they endanger nations.
In this documentary, learn about white hat hackers, and the U.S. Secret Service’s cybercrime division working to protect us from the risks associated with persistent connectivity.
The rise of cyber conflict as the primary way nations now compete and sabotage each other.
The term “virtual private network,” or VPN for short, has become almost synonymous with “online privacy and security.” VPNs function by creating an encrypted tunnel through which your data may transit as it moves over the internet. They are designed to protect your privacy and make it impossible for anyone to monitor or access your activity while you are online. But what happens if the same instrument that was supposed to keep your privacy safe turns out to be a conduit for attacks? Introduce yourself to “TunnelCrack,” a frightening discovery that has sent shockwaves across the world of cybersecurity. Nian Xue from New York University, Yashaswi Malla and Zihang Xia from New York University Abu Dhabi, Christina Popper from New York University, and Mathy Vanhoef from KU Leuven University were the ones that carried out the study.
Two serious vulnerabilities in virtual private networks (VPNs) have been discovered by a research team . These vulnerabilities had been dormant since 1996. It is possible to leak and read user traffic, steal information, or even conduct attacks on user devices by exploiting these vulnerabilities, which are present in practically every VPN product across all platforms. TunnelCrack is a combination of two common security flaws found in virtual private networks (VPNs). Even though a virtual private network (VPN) is designed to safeguard all of the data that a user sends, these attacks are able to circumvent this security. An enemy, for example, may take advantage of the security flaws to steal information from users, read their communications, attack their devices, or even just spill it all. Regardless of the security protocol that is utilized by the VPN, the uncovered flaws may be exploited and used maliciously. In other words, even Virtual Private Networks (VPNs) that claim to utilize “military grade encryption” or that use encryption methods that they themselves invented are vulnerable to attack. When a user joins to an unsecured Wi-Fi network, the initial set of vulnerabilities, which they refer to as LocalNet attacks, is susceptible to being exploited. The second group of vulnerabilities, which are known as ServerIP attacks, are susceptible to being exploited by shady Internet service providers as well as by unsecured wireless networks. Both of these attacks involve manipulating the routing table of the victim in order to deceive the victim into sending traffic outside the secured VPN tunnel. This enables an adversary to read and intercept the data that is being sent.
The video that may be seen below demonstrates three different ways in which an attacker might take advantage of the disclosed vulnerabilities. In the first step of the attack, the LocalNet vulnerability is exploited to force the target to leak communications. This is used to intercept sensitive information that is being transferred to websites that do not have enough security, such as the victim’s account and password being exposed. They also demonstrate how an adversary may determine which websites a user is accessing, which is something that is not generally achievable when utilizing a virtual private network (VPN). Last but not least, a modification of the LocalNet attack is used in order to prevent a surveillance camera from alerting its user to any unexpected motion.
As the demonstration indicates, the vulnerabilities in the VPN may be exploited to trivially leak traffic and identify the websites that an individual is accessing. In addition, any data that is transferred to websites with inappropriate configurations or that is supplied by applications that are not secure may be intercepted.
Users may protect themselves by keeping the software for their VPNs up to date. Additionally, any data that is transferred cannot be stolen if a website is correctly set using HTTP Strict Transport protection (HSTS) to always utilize HTTPS as an additional layer of protection. These days, around 25 percent of websites are built in this manner. In addition, a few of browsers will now display a warning to the user if HTTPS is not being utilized. Last but not least, while they are not always error-free, most current mobile applications employ HTTPS by default and, as a result, also use this additional security.
In addition to being exploited to attack websites, virtual private networks (VPNs) sometimes defend outdated or less secure protocols, which presents an additional danger. These attacks now make it possible for an adversary to circumvent the security provided by a virtual private network (VPN), which means that attackers may target any older or less secure protocols that are used by the victim, such as RDP, POP, FTP, telnet, and so on.
LocalNet Attacks
The adversary in a LocalNet attack pretends to be a hostile Wi-Fi or Ethernet network, and they deceive the victim into joining to their network by using social engineering techniques. Cloning a well-known Wi-Fi hotspot, such as the one offered by “Starbucks,” is a straightforward method for achieving this goal. As soon as a victim establishes a connection to this malicious network, the attacker allots the victim a public IP address as well as a subnet. An illustration of this may be seen in the graphic below; the objective of the opponent in this case is to prevent traffic from reaching the website target.com: The website target.com, which can be seen in the picture to the right, uses the IP address 1.2.3.4. The adversary will convince the victim that the local network is utilizing the subnet 1.2.3.0/24 in order to intercept traffic that is headed toward this website. The victim is told, in other words, that IP addresses in the range 1.2.3.1-254 are immediately accessible inside the local network. A web request will be sent to the IP address 1.2.3.4 if the victim navigates to target.com at this time. The victim will submit the web request outside the secured VPN tunnel because it believes that this IP address is immediately available inside the local network.
An adversary may potentially leak practically all of the victim’s traffic by assigning bigger subnets to the local network they have access to. In addition, although while the LocalNet attack’s primary objective is to send data outside the VPN tunnel, it may also be exploited in such a way as to prevent some traffic from passing through while the VPN is in operation.
ServerIP Attacks
In order to execute a ServerIP attack, the attacker has to have the ability to spoof DNS responses before the VPN is activated, and they also need to be able to monitor traffic going to the VPN server. Acting as a hostile Wi-Fi or Ethernet network is one way to achieve this goal; in a manner similar to the LocalNet attacks, this may also be done. The attacks may also be carried out via an Internet service provider (ISP) that is hostile or by a core Internet router that has been hacked.
The fundamental premise is that the attacker will attempt to impersonate the VPN server by forging its IP address. An attacker may fake the DNS answer to have a different IP address if, for instance, the VPN server is recognized by the hostname vpn.com but its actual IP address is 2.2.2.2. An illustration of this may be seen in the following image, in which the adversary’s objective is to intercept communication sent towards target.com, which has the IP address 1.2.3.4:
The attacker begins by forging the DNS reply for vpn.com such that it returns the IP address 1.2.3.4. This IP address is identical to the IP address of target.com. To put it another way, if you wish to leak traffic towards a certain IP address, you fake that address. After that, the victim will connect to the VPN server that is located at 1.2.3.4. This traffic is then redirected to the victim’s actual VPN server by the adversary, who does this to ensure that the victim is still able to successfully build a VPN connection. As a consequence of this, the victim is still able to successfully build the VPN tunnel even if they are using the incorrect IP address while connecting to the VPN server. In addition to this, the victim will implement a routing rule that will direct all traffic destined for 1.2.3.4 to be routed outside of the VPN tunnel.
A web request is now made to 1.2.3.4 whenever the victim navigates to target.com on their web browser. This request is routed outside of the secured VPN tunnel because of the routing rule that prevents packets from being re-encrypted when they are submitted to the VPN server. As a direct consequence of this, the web request is exposed.
The built-in VPN clients of Windows, macOS, and iOS were discovered to have security flaws by this study. Android versions 12 and above are not impacted by this issue. A significant portion of Linux-based virtual private networks (VPNs) are also susceptible. In addition, they discovered that the majority of OpenVPN profiles, when used with a VPN client that is susceptible to vulnerabilities, utilize a hostname to identify the VPN server, which may lead to behavior that is susceptible to vulnerabilities.
In order to keep customers safe, they worked together with CERT/CC and a number of other VPN providers to develop and release security upgrades over the course of a coordinated disclosure period of ninety days. Mozilla VPN, Surfshark, Malwarebytes, Windscribe (which can import OpenVPN profiles), and Cloudflare’s WARP are a few examples of VPNs that have been updated with patches. You can protect yourself against the LocalNet attack even if updates for your VPN are not currently available by turning off connection to your local network. You may further reduce the risk of attacks by ensuring that websites utilize HTTPS, a protocol that is supported by the majority of websites today.
PHP is a widely used programming language that is put to use in the production of dynamic web pages. On the other hand, much like any other program, it is not completely safe from security flaws. CVE-2023-3823 and CVE-2023-3824 are the names of two new security flaws that have been identified in PHP during the course of the last several months.
CVE-2023-3823 (SCORE OF 8.6 ON THE CVSS SCALE): INFORMATION DISCLOSURE
An information disclosure vulnerability known as CVE-2023-3823 exists in PHP applications and makes it possible for a remote attacker to access sensitive data stored inside such applications. Inadequate validation of the XML input given by the user is the root cause of the vulnerability. This vulnerability might be exploited by the attacker by having them transmit a specially designed piece of XML code to the program. The program would then proceed to parse the code, at which point the attacker would be able to obtain access to sensitive information such as the contents of arbitrary files on the system or the results of queries made to external sources.
This issue may affect any program, library, or service that interacts with XML documents in any way, including processing or communicating with them. Because to the hard work done by nickvergessen, a security researcher, who also released the proof-of-concept.
CVE-2023-3824 IS A BUFFER OVERFLOW VULNERABILITY THAT HAS A CVSS SCORE OF 9.4.
A remote attacker might execute arbitrary code on a PHP system if they exploited the buffer overflow vulnerability known as CVE-2023-3824. This issue is tracked by the CVE identifier. The insufficient bounds checking performed by the phar_dir_read() method is the root cause of the vulnerability. By submitting a request to the application that has been carefully designed, an adversary might take advantage of this vulnerability. The request would then result in a buffer overflow, which would give the adversary the ability to take control of the system and run whatever code they pleased.
The difficulty of exploiting this vulnerability stems from the fact that it involves a number of faulty checks and overflows. For instance, it was discovered that the condition “to_read == 0 || count ZSTR_LEN(str_key)” was flawed and should not have been used. This has a number of repercussions in the code, one of which is that there is a problem with the line ((php_stream_dirent *) buf)->d_name[to_read + 1] = ‘0’;. This piece of code has the potential to overflow, and it does not NUL-terminate the filename in the correct manner. The issue has been compared to a stack information leak as well as a buffer write overflow, which only serves to exacerbate the situation.In addition to that, there may be potential worries over a buffer overflow in the memset. Even though there have been no such occurrences detected inside PHP itself, third-party extensions might still be impacted.
Although the exploitation is certainly difficult and is contingent on the particular application that is being targeted, it is nevertheless theoretically possible. According to the alert issued by the security team, “People who inspect the contents of untrusted phar files could be affected.”
The proof-of-concept was also released thanks to the efforts of security researcher nielsdos, who is credited for his work.
In PHP 8.0.30, the vulnerabilities CVE-2023-3823 and CVE-2023-3824 have also been addressed. If you are still using an earlier version of PHP, you should consider upgrading as soon as you can to the 8.0.30 release.
CODESYS, a widely-used integrated environment for controller programming, holds a strong presence in Operational Technology across diverse industries, such as:-
Factory automation
Energy
Mobile
Building
Embedded
Process
Backed by more than 500 manufacturers (including Schnieder Electric, Beckhoff, Wago, Eaton, ABB, Festo, etc.) and spanning various architectures that we have mentioned below, CODESYS powers millions of global devices:-
MIPS
Renesas
ARM
PowerPC
TriCore
Cybersecurity Researcher at Microsoft, Vladimir Eliezer Tokarev, recently identified several high-severity vulnerabilities and 16 zero-day vulnerabilities in CODESYS (CODESYS V3 SDK).
Microsoft’s cyberphysical system researchers identified high-severity vulnerabilities in CODESYS V3 SDK that could lead to security risks for OT infrastructure. If you’re at #BHUSA, you can attend this session on August 10 to learn more: https://msft.it/60199ynQT
Besides this, Vladimir Eliezer Tokarev dubbed the 16 zero-day vulnerabilities that he found in CODESYS as “CoDe16,” a code name for this complete set of CODESYS zero-day vulnerabilities.
While the OT infrastructure could be affected severely by successfully exploiting all these high-severity vulnerabilities discovered in CODESYS V3 SDK.
Moreover, the Microsoft Threat Intelligence team also prompted and recommended that users at the BHUSA event (Black Hat USA 2023) attend their official session related to this vulnerability profile on August 10.
BHUSA Event Session
Cybersecurity researchers will detail the following key things during this event session:-
Exciting findings
Share technical insights into vulnerability discovery
Firmware extraction
Analysis
Apart from this, all the challenges, like proprietary network protocols and debugger-free analysis, will also be explored.
Security analysts will also unveil the root-cause for key flaws, and demonstrate the remote code execution chain to implant malicious payload, gaining full PLC control and factory floor manipulation.
Closing remarks will include the mitigation strategies, an open-source validation tool for CODESYS devices, and a live demo of successful RCE on an exposed system.
Incident response refers to the process followed by an organization to address and manage the aftermath of a security breach or cyber attack. The goal of incident response is to handle the situation in a way that limits damage, reduces recovery time and costs, and ensures that the incident is properly documented and reported to meet regulatory requirements.
In the simplest of terms, incident response is like a well-organized fire drill for cyber attacks. It’s a set of instructions that help IT staff and business owners identify, respond to, and recover from network security incidents. These instructions include steps to take when an attack is identified, who should be involved, how data should be collected and analyzed, and how to learn from the incident to prevent future attacks. See this detailed blog post for more background about incident response.
IMPORTANCE OF INCIDENT RESPONSE IN CYBERSECURITY
MINIMIZING IMPACT OF ATTACKS
One of the primary reasons for having an incident response plan is to minimize the impact of attacks. Cyber attacks can lead to significant financial losses, especially for businesses that rely heavily on online transactions. An effective incident response plan can help businesses identify attacks early, contain them quickly, and minimize potential damage.
Moreover, incident response is not just about dealing with the attack itself but also about dealing with the aftermath of the attack. This includes notifying affected parties, managing public relations, and fulfilling any legal obligations. Having a plan in place ensures that these tasks are handled efficiently and effectively, reducing the overall impact of the attack.
RECOVERY AND RESTORATION
Another critical aspect of incident response is recovery and restoration. After a cyber attack, it’s essential to restore systems and operations to normal as quickly as possible. Incident response teams work to eliminate the threat from the company’s systems, repair any damage, and restore data from backups.
The speed and efficiency of recovery can significantly impact a business’s bottom line. The longer it takes to recover, the more revenue is lost. Furthermore, prolonged recovery times can also damage a company’s reputation, leading to loss of customers and potential future business.
LEGAL AND REGULATORY COMPLIANCE
Cybersecurity incidents can have serious legal and regulatory implications for businesses. In many jurisdictions, businesses are required to report breaches to regulatory bodies and affected individuals. Failure to comply with these requirements can result in hefty fines and legal proceedings.
An incident response plan helps businesses meet their legal and regulatory obligations by ensuring that incidents are properly documented and reported. This includes keeping detailed records of the incident, the response actions taken, and the lessons learned. Such documentation can be crucial in defending against lawsuits or regulatory actions.
REDUCING DOWNTIME
Downtime is costly for any business. It leads to lost productivity, lost revenue, and can damage a company’s reputation. A well-prepared incident response team can significantly reduce the amount of downtime a business experiences after a cyber attack.
By quickly identifying and containing an attack, the team can minimize the amount of time systems are down. Moreover, by having a plan for recovery and restoration, the team can ensure that systems are back up and running as quickly as possible.
Artificial intelligence (AI) and machine learning (ML) are changing the face of incident response. These technologies can automate many of the tasks involved in incident response, allowing teams to respond more quickly and effectively to attacks.
AI and ML can be used to detect anomalies in network traffic, identify malicious activity, and even predict future attacks. They can also automate the process of collecting and analyzing data, freeing up incident response teams to focus on more strategic tasks.
EXTENDED DETECTION AND RESPONSE (XDR)
Extended Detection and Response (XDR) is another technology that is shaping the future of incident response. XDR is a security approach that integrates multiple security tools into a single platform. This allows incident response teams to have a more holistic view of their environment and respond more effectively to threats.
XDR platforms can collect data from a wide range of sources, including network traffic, endpoint devices, and cloud services. This data is then analyzed to detect threats and automate response actions.
SIEM
Security Information and Event Management (SIEM) systems are another crucial tool in incident response. SIEM systems collect and analyze log data from various sources within an organization’s IT infrastructure. They provide real-time analysis of security alerts and can automate response actions.
By providing a centralized view of an organization’s security landscape, SIEM systems can help incident response teams identify, investigate, and respond to security incidents more efficiently.
THREAT INTELLIGENCE PLATFORMS
Threat Intelligence Platforms (TIPs) provide incident response teams with information about known threats and threat actors. This information can help teams identify attacks more quickly and respond more effectively.
TIPs collect and analyze data from a variety of sources, including open-source intelligence, social media, and internal data. They provide actionable intelligence that can be used to enhance an organization’s security posture and improve incident response efforts.
KEY TRENDS IN INCIDENT RESPONSE FOR 2023
INCREASE IN REMOTE WORK AND ITS IMPACT ON INCIDENT RESPONSE
The shift to remote work has had a significant impact on incident response. With more employees working from home, the attack surface for cyber criminals has expanded. This has made incident response more challenging, as teams must now deal with threats on a wide range of devices and networks.
In 2023, we can expect to see more tools and strategies aimed at dealing with the challenges posed by remote work. This may include increased use of cloud-based incident response tools, as well as strategies for securing remote devices and networks.
SHIFT FROM REACTIVE TO PROACTIVE INCIDENT RESPONSE
Traditionally, incident response has been a reactive process. Teams would wait for an attack to occur and then respond. However, this approach is no longer sufficient in today’s threat landscape.
In 2023, we can expect to see a shift towards more proactive incident response. This means identifying and addressing vulnerabilities before an attack occurs. It also means monitoring for signs of an attack and taking action before the attack has a chance to cause damage.
EMPHASIS ON INCIDENT RESPONSE TESTING AND SIMULATION
Another trend we can expect to see in 2023 is an increased emphasis on incident response testing and simulation. Testing and simulation are crucial for ensuring that an incident response plan is effective.
Through testing, teams can identify gaps in the plan and make necessary adjustments. Simulation exercises can also help teams practice their response to an attack, ensuring that they are prepared when a real attack occurs.
GREATER REGULATORY SCRUTINY AND ITS IMPACT ON INCIDENT RESPONSE
Finally, in 2023, we can expect to see greater regulatory scrutiny of incident response. As cyber attacks continue to increase in frequency and severity, regulators are becoming more interested in how businesses respond to these incidents.
This means that businesses will need to ensure that their incident response plans meet regulatory standards. They will also need to be prepared to provide documentation of their response efforts in the event of a regulatory investigation.
CONCLUSION
In conclusion, mastering incident response is crucial for businesses in today’s digital world. By understanding what incident response is, recognizing its importance, staying up-to-date with emerging technologies, and keeping an eye on key trends, businesses can protect their digital assets, minimize the impact of attacks, and comply with legal and regulatory requirements.
Cloud misconfiguration — incorrect control settings applied to both hardware and software elements in the cloud — are threat vectors that amplify the risk of data breaches. A new report from cloud security vendor Qualys, authored by Travis Smith, vice president of the company’s Threat Research Unit lifts the lid on risk factors for three major cloud service providers.
About the report
Smith wrote that Qualys researchers, analyzing misconfiguration issues at Amazon Web Services, Microsoft Azure and Google Cloud Platform, found that within Azure, 99% of the disks are either not encrypted or aren’t using customer-managed keys that give users control of encryption keys that protect data in software as a service applications.
The study, which reviewed encryption, identity and access management and failures to monitor external-facing assets examined risks to unauthorized access due to:
The complexity of cloud environments
Lack of expertise in keeping up with evolving technologies
Insecure settings and permissions caused by human errors
Lack of control and visibility of cloud-resident unencrypted or sensitive data due to the dynamic nature of cloud environments
Smith wrote that the company’s reachers found that 85% of the keys aren’t rotated, meaning automatic key rotation isn’t enabled. Amazon offers automatic key rotation — generating new cryptographic material — on a 365 day cycle for keys.
Qualys also reported that in GCP environments, 97.5% of virtual machine disks for critical virtual machines lack encryption using customer-supplied encryption keys.
Qualys found poor implementation levels of IAM in all three major providers:
Multifactor authentication: AWS isn’t enabled for 44% of IAM users with console passwords. IAM Access Analyzer isn’t enabled in 96% of the accounts scanned by Qualys.
In Azure, scans for enabling authentication and configuring client certificates within Azure App Service fail 97% of the time.
Exposure of external-facing assets from leaky S3 buckets
Qualys noted that a common mistake by users across the three platforms is public exposure of data:
Qualys reported 31% of S3 buckets are publicly accessible.
The misconfiguration of leaving public network access enabled was seen in 75% of the Azure databases.
Center for Internet Security work offers insights to remediation
Recommendations by the firm included reviewing research by the Center for Internet Security including work Qualys participated in: mapping of individual controls to the MITRE ATT&CK tactics and techniques.
Qualys contributed to developing these CIS benchmarks for AWS, Azure and GCP. The benchmarks will help offer some valuable insight and context for defenders to better prioritize the hundreds of hardening controls available in cloud environments.
Qualys also looked at how firms are deploying controls to harden their cloud postures across the three major platforms, noting that privilege escalation (96.03%), initial access (84.97%) and discovery (84.97%) are passing at the highest rates.
Efforts to control attacks early are helping to ameliorate more harmful consequences further along the the kill chain:
Impact passed at only 13.67%
Exfiltration at only 3.70%.
Exploitation of public facing apps passed at only 28.54%.
Exploitation of remote services, at only 17.92%, are failing at high rates.
Resource hijacking is passing at just 22.83%.
Smith wrote that since crypto mining malware is a threat to cloud environments, organizations should consider mitigating such controls to reduce their organizational risk in the cloud.
“The lesson from these data points is that almost every organization needs to better monitor cloud configurations,” said Smith, adding that scans for CIS controls failed 34% of the time for AWS, 57% for Microsoft Azure and 60% for GCP (Figure A).
“Even if you believe your cloud configurations are in order, the data tells us that not regularly confirming status is a risky bet. Scan the configurations often and make sure the settings are correct. It takes just one slip-up to accidentally open your organization’s cloud to attackers,” wrote Smith.
Advances in graphics processing technology and AI have slashed the time needed to crack a password using brute force techniques, says Hive Systems.We may be compensated by vendors who appear on this page through methods such as affiliate links or sponsored partnerships. This may influence how and where their products appear on our site, but vendors cannot pay to influence the content of our reviews. For more info, visit our Terms of Use page.
Security experts keep advising us to create strong and complex passwords to protect our online accounts and data from savvy cybercriminals. And “complex” typically means using lowercase and uppercase characters, numbers, and even special symbols. But, complexity by itself can still open your password to cracking if it doesn’t contain enough characters, according to research by security firm Hive Systems.
SpecterOps released version 5.0 of BloodHound Community Edition (CE), a free and open-source penetration testing solution that maps attack paths in Microsoft Active Directory (AD) and Azure (including Azure AD/Entra ID) environments. It is available for free on GitHub.
Identifying simple Attack Paths between two objects is a straightforward “search and click” exercise
This update brings many enterprise-grade usability features to BloodHound CE, like containerized deployment, REST APIs, user management, and access control. It also significantly improves performance while streamlining development allowing for faster development and incorporation of community contributions.
“The way that BloodHound Community Edition maps out Attack Paths in AD and Azure is unique – there isn’t another tool (or feature within either of those) that can find hidden and unintentional relationships to identify complex Attack Paths that attackers can exploit. After this update, the tool will offer a user experience closer to an enterprise-grade product than an open-source tool,” Andy Robbins, co-creator of BloodHound and a Principal Product Architect at SpecterOps, told Help Net Security.
The entire UI is driven via RESTful APIs and includes a full Swagger spec within the application
New features
Support for REST APIs – BloodHound CE is a three-tier application with a database, an API layer, and a web-based user interface. Users can now use REST APIs to interact with data rather than needing to write queries directly to the database.
Containerized deployment – The tool will deploy as a containerized product. This much simpler process will reduce deployment time by 80%. This also makes it easier for users with different sized environments to manipulate the resources assigned to BloodHound.
Enterprise-grade user management – This update adds built-in full multi-user support with RBAC, the ability to create and assign user roles, and support for two-factor authentication and SAML to BloodHound CE.
Protected Cypher searches – Cypher queries will include available guardrails to automatically cancel queries that will cause performance or security issues.
Reliability and performance upgrade – Routine maintenance updates will make the tool faster, more resilient, and more reliable.
More frequent updates and community contributions – These changes will allow SpecterOps to increase the rate of updates and new features added to BloodHound CE going forward and will increase the number of pull requests from the community that can be implemented.
Better community support – More similarities between BloodHound CE and BloodHound Enterprise under the hood means users will have better access to support and documentation for both.
BloodHound was created in 2016 by Rohan Vazarkar, Will Schroeder, and Andy Robbins. It has been downloaded nearly 500,000 times and has over 12,000 users in the BloodHound Community Slack. The tool has been recommended by CISA and Microsoft to help secure Microsoft Active Directory and Azure AD.
BEC, an acronym for Business Email Compromise, is a sophisticated form of cybercrime. Cyber threats have become a pressing concern in a world where almost every aspect of our lives is digitized. One of these threats that have been growing exponentially in recent years is the BEC attacks.
What Are BEC Attacks?
These attacks are carefully orchestrated scams perpetrated by cybercriminals to trick businesses into transferring money or sensitive information. The attackers usually impersonate a high-ranking official in the company, such as the CEO or CFO, and send an email request for a wire transfer or confidential data to another employee.
They’re not just any random email scams; BEC attacks are highly targeted and involve a great deal of planning and research. The cybercriminals behind them often know a lot about their targets and use this information to make their fraudulent requests seem legitimate. So, it’s no surprise that these attacks pose a significant threat to businesses of all sizes and industries worldwide.
Understanding BEC Attacks
Process and Mechanics of a BEC Attack
Understanding how BEC attacks work is the first step in preventing them. The process often starts with extensive research. The attackers gather information about the target company and its employees. They look for information such as who is in charge of finances, who they report to, and when these officials will likely be out of the office.
Once they’ve gathered enough information, they craft a convincing email. This email is usually disguised as originating from a high-ranking official and sent to an employee with the authority to transfer funds or access sensitive information. The email will request a wire transfer, often with a sense of urgency to pressure the employee into acting quickly without questioning the request’s legitimacy.
The mechanics of these attacks are what makes them so effective. The attackers exploit the trust and authority of high-ranking officials to bypass traditional security measures. And because the emails are so well-crafted, they can be tough to detect.
Common Forms of BEC Attacks
There are several common forms of BEC attacks. The most common is ‘CEO Fraud,’ where the attacker impersonates the CEO or another top executive. They send an email to an employee in finance, requesting an urgent wire transfer.
Another form is ‘Invoice Scams.’ In these cases, attackers impersonate a vendor or supplier and send a fake invoice to the company. The invoice will typically request payment to a new account controlled by the attacker.
There’s also ‘Account Compromise.’ Here, an attacker hacks into an employee’s email account and sends fraudulent emails to vendors listed in their email contacts. The email will request that future payments are sent to a new account.
The Targets and Motives Behind BEC Attacks
The targets of BEC attacks are typically businesses that work with foreign suppliers or regularly perform wire transfer payments. However, any business can be a target. The motive behind these attacks is simple: money. Cybercriminals are looking for the easiest way to get their hands on your cash.
Prevention of BEC Attacks
The best way to deal with BEC attacks is to prevent them from happening in the first place. Prevention requires a multi-faceted approach that includes technical, administrative, and human elements.
Email Security Measures
The first line of defense against BEC attacks is implementing robust email security measures. It is essential to use email filtering solutions that can detect and block phishing emails. These solutions can flag emails from outside your organization that are crafted to look like they’re from within.
Furthermore, you should also implement Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication protocol. DMARC can prevent attackers from spoofing your organization’s domain in their phishing attempts, significantly reducing the chances of a successful BEC attack.
Multi-Factor Authentication (MFA)
Multi-factor authentication is another crucial element in preventing BEC attacks. MFA requires users to provide two or more forms of identification before they can access their email accounts or other sensitive systems. This could be something they know (like a password), something they have (like a physical token or a smartphone), or something they are (like a fingerprint or other biometric data).
By implementing MFA, even if a criminal manages to steal an employee’s login credentials through a phishing attack, they would still need the additional factor(s) to access the account. This significantly increases the difficulty for attackers, often deterring them from attempting to compromise your business.
Employee Training
The human element is often the weakest link in cybersecurity. Therefore, regular employee training is essential in preventing BEC attacks. Employees should be taught to identify phishing emails and be aware of the tactics used by cybercriminals in these attacks.
Moreover, it should be emphasized that everyone, regardless of their position in the company, could be a target. Regularly updated training programs can help employees stay abreast of the latest threats and the best practices to mitigate them.
Verify Requests
Given the nature of BEC attacks, it is crucial to establish a process to verify requests for funds or sensitive information, especially if they are unexpected or come from high-ranking individuals. This could be as simple as making a phone call to the person making the request.
The more significant the request, the more critical it is to verify it through multiple channels. This practice can significantly reduce the chances of an employee inadvertently complying with a fraudulent request.
Incident Response Plan
Even with the best preventative measures in place, it’s essential to be prepared for the worst-case scenario—a successful BEC attack. This is where an incident response plan comes into play.
An effective incident response plan should outline the steps immediately after detecting a BEC attack. This includes identifying and isolating affected systems, investigating the breach, notifying affected parties, and reporting the incident to the relevant authorities.
Use of Secure Email Gateways
Secure email gateways can be a valuable tool in the fight against BEC attacks. These solutions provide an additional layer of security, filtering incoming and outgoing emails to identify potential threats.
They use techniques such as link protection and attachment sandboxing to protect against malicious content. Moreover, they can also detect and block emails that attempt to spoof your organization’s domain, reducing the risk of BEC attacks.
Regular Monitoring
Last, regular monitoring of your email systems and network activity can help detect unusual behavior that may indicate a BEC attack. This could include abnormal login patterns, unexpected email forwarding rules, or sudden changes in email volume.
Monitoring tools can automate this process, alerting your IT team to potential threats so they can take swift action. Regular auditing of your systems can also help identify any security gaps that must be addressed.
Conclusion
To summarize, understanding and preventing BEC attacks is critical in today’s digital world. It requires a combination of robust technical measures, comprehensive employee training, and vigilant monitoring. Remember, the cost of preventing these attacks is far less than the potential financial and reputational damage they can cause. So, stay informed, stay prepared, and stay safe.
The project aims to educate developers, designers, architects, managers, and organizations about the security issues when deploying Large Language Models (LLMs).
The organization is committed to raising awareness of the vulnerabilities and providing recommendations for hardening LLM applications.
“The OWASP Top 10 for LLM Applications Working Group is dedicated to developing a Top 10 list of vulnerabilities specifically applicable to applications leveraging Large Language Models (LLMs).” reads the announcement of the Working Group. “This initiative aligns with the broader goals of the OWASP Foundation to foster a more secure cyberspace and is in line with the overarching intention behind all OWASP Top 10 lists.”
The organization states that the primary audience for its Top 10 is developers and security experts who design and implement LLM applications. However the project could be interest to other stakeholders in the LLM ecosystem, including scholars, legal professionals, compliance officers, and end users.
“The goal of this Working Group is to provide a foundation for developers to create applications that include LLMs, ensuring these can be used securely and safely by a wide range of entities, from individuals and companies to governments and other organizations.” continues the announcement.
The Top Ten is the result of the work of nearly 500 security specialists, AI researchers, developers, industry leaders, and academics. Over 130 of these experts actively contributed to this guide.
Clearly the project is a work in progress, LLM technology continues to evolve, and the research on security risk will need to keep pace.
Below is the Owasp Top 10 for LLM version 1.0
LLM01: Prompt Injection
This manipulates a large language model (LLM) through crafty inputs, causing unintended actions by the LLM. Direct injections overwrite system prompts, while indirect ones manipulate inputs from external sources.
LLM02: Insecure Output Handling
This vulnerability occurs when an LLM output is accepted without scrutiny, exposing backend systems. Misuse may lead to severe consequences like XSS, CSRF, SSRF, privilege escalation, or remote code execution.
LLM03: Training Data Poisoning
This occurs when LLM training data is tampered, introducing vulnerabilities or biases that compromise security, effectiveness, or ethical behavior. Sources include Common Crawl, WebText, OpenWebText, & books.
LLM04: Model Denial of Service
Attackers cause resource-heavy operations on LLMs, leading to service degradation or high costs. The vulnerability is magnified due to the resource-intensive nature of LLMs and unpredictability of user inputs.
LLM05: Supply Chain Vulnerabilities
LLM application lifecycle can be compromised by vulnerable components or services, leading to security attacks. Using third-party datasets, pre-trained models, and plugins can add vulnerabilities.
LLM06: Sensitive Information Disclosure
LLM’s may inadvertently reveal confidential data in its responses, leading to unauthorized data access, privacy violations, and security breaches. It’s crucial to implement data sanitization and strict user policies to mitigate this.
LLM07: Insecure Plugin Design
LLM plugins can have insecure inputs and insufficient access control. This lack of application control makes them easier to exploit and can result in consequences like remote code execution.
LLM08: Excessive Agency
LLM-based systems may undertake actions leading to unintended consequences. The issue arises from excessive functionality, permissions, or autonomy granted to the LLM-based systems.
LLM09: Overreliance
Systems or people overly depending on LLMs without oversight may face misinformation, miscommunication, legal issues, and security vulnerabilities due to incorrect or inappropriate content generated by LLMs.
LLM10: Model Theft
This involves unauthorized access, copying, or exfiltration of proprietary LLM models. The impact includes economic losses, compromised competitive advantage, and potential access to sensitive information.
How CISOs can succeed in a challenging landscape Reimagining operational resilience and recovery in 2023
#CISOs face mounting demands to develop information security strategies that effectively safeguard their organizations against an ever-evolving threat landscape. A strong information security stance is imperative, but the requirements for security and risk management are intricate and distinct for each organization. The alignment of business priorities and suitable solutions may not always be apparent, while swift results and cost-effective measures are crucial.
