Feb 16 2024

US GOV OFFERS A REWARD OF UP TO $10M FOR INFO ON ALPHV/BLACKCAT GANG LEADERS

Category: Cyber crime, Cybercrime | disc7 @ 2:12 pm

The U.S. government offers rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.

The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.

This additional reward targets the affiliates and initial access brokers who facilitated the group's attacks.

The BlackCat/ALPHV ransomware gang has been active since November 2021; its list of victims is long and includes the industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, the gas pipeline operator Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. The group's ransom demands range from a few tens of thousands of dollars up to tens of millions of dollars.

On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.

On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.

On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.

The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Australia, Spain, Austria and Europol.

“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen,” reads the message published by law enforcement on the seized websites.

“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation and amassed hundreds of millions of dollars in ransom payments.

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”

According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.

People who have information eligible for the reward can access the following Tor website set up by the US Department of State: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion. 


InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ALPHV/BLACKCAT


Feb 15 2024

5 free digital forensics tools to boost your investigations

Category: Forensics, Security Tools | disc7 @ 2:19 pm

Digital forensics plays a crucial role in analyzing and addressing cyberattacks, and it’s a key component of incident response. Additionally, digital forensics provides vital information for auditors, legal teams, and law enforcement agencies in the aftermath of an attack.

Many cutting-edge digital forensics tools are on the market, but for those who cannot afford them, here’s a list of great free solutions to get you started.

Autopsy

Autopsy is a digital forensics platform widely employed by law enforcement agencies, military personnel, and corporate investigators to examine and understand activities on a computer. Although Autopsy is designed to be cross-platform, the latest version is fully functional and tested only on Windows.


bulk_extractor

bulk_extractor is a high-speed tool for digital forensics analysis. It scans various inputs, including disk images, files, and directories, extracting organized information like email addresses, credit card numbers, JPEG images, and JSON fragments. This is achieved without the need to parse file systems or their structures. The extracted data is saved in text files, which can be examined, searched, or utilized as inputs for further forensic investigations.

NetworkMiner

NetworkMiner, an open-source network forensics tool, specializes in extracting artifacts like files, images, emails, and passwords from network traffic captured in PCAP files. Additionally, it can capture live network traffic by sniffing a network interface.

Velociraptor

Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities. With a few clicks, it performs targeted collection of digital forensic evidence simultaneously across your endpoints, with speed and precision.


WinHex

WinHex is a versatile hexadecimal editor, proving especially useful in the areas of computer forensics, data recovery, low-level data processing, and IT security. It allows users to inspect and modify various file types, as well as recover deleted files or retrieve lost data from hard drives with damaged file systems or digital camera cards.


Tags: Forensics Tools


Feb 13 2024

New Azure Hacking Campaign Steals Senior Executive Accounts

Category: Hacking, Information Security | disc7 @ 7:25 am

An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.

Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.

Some documents that have been weaponized have embedded links to “View document,” which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.

Attackers Targeting Wide Range Of Individuals

Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.

“Individuals holding executive positions such as “Vice President, Operations,” “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.”

Threat actors take a pragmatic approach, as seen by the variety of positions they have targeted, intending to compromise accounts that have varying degrees of access to important resources and responsibilities across organizational activities.

In this campaign, researchers observed a particular Linux user agent that attackers employed during the access phase of the attack chain:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

The ‘OfficeHome’ sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications) 
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation) 
  • ‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog) 
  • ‘My Apps’ 
  • ‘My Profile’

Attackers manipulate MFA to maintain persistent access to compromised accounts. They choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.

[Figure: MFA manipulation events executed by attackers in a compromised cloud tenant]

Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.

Mailbox access is also used to target individual user accounts with phishing threats and to move laterally across compromised organizations.

Internal emails are sent to the impacted companies’ finance and human resources departments to commit financial fraud.

Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.

[Figure: Obfuscation mailbox rules created by attackers following successful account takeover]
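As an added example (not part of the Cyber Security News or Proofpoint write-up), the following Python sketches how a defender might triage tenant telemetry for the three indicators described above: sign-ins that pair the quoted Linux user agent with one of the listed Microsoft 365 applications, MFA method registrations made through ‘My Signins’ by those same users, and inbox rules that delete, move or mark-read mail matching security-related keywords or every message. The record layouts, the sample events and the keyword list are constructed assumptions; real Entra ID sign-in logs and Exchange inbox-rule exports use their own schemas and would be mapped onto these fields first.

```python
from dataclasses import dataclass

# User agent observed in the campaign (quoted from the article above).
OBSERVED_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Sign-in applications the article lists as used with that user agent.
WATCHED_APPS = {
    "OfficeHome", "Office365 Shell WCSS-Client", "Office 365 Exchange Online",
    "My Signins", "My Apps", "My Profile",
}

# Constructed heuristic: keywords that attacker hiding rules tend to act on.
SUSPECT_KEYWORDS = {"phish", "password", "security", "suspicious", "invoice", "payment"}


@dataclass
class SignIn:            # assumed, simplified sign-in record
    user: str
    app: str
    user_agent: str
    country: str         # geolocation of the source IP


@dataclass
class MfaChange:         # assumed record of an authentication-method registration
    user: str
    method: str          # e.g. "phone/sms"
    via_app: str         # application that performed the change


@dataclass
class MailboxRule:       # assumed, simplified inbox-rule export
    user: str
    name: str
    keywords: tuple      # subject/body keywords the rule matches; () = every message
    actions: tuple       # e.g. ("delete",) or ("move:RSS Feeds", "mark_read")


def suspicious_signins(events, home_country):
    """Flag sign-ins that pair the campaign user agent with a watched app.

    Geo is only a secondary reason: the article notes attackers use proxies to
    match the victim's location, so a home-country sign-in is not treated as
    benign on its own."""
    hits = []
    for e in events:
        if e.user_agent == OBSERVED_UA and e.app in WATCHED_APPS:
            reasons = ["campaign user agent with watched app"]
            if e.country != home_country:
                reasons.append("geo differs from home country")
            hits.append((e.user, e.app, "; ".join(reasons)))
    return hits


def persistence_mfa_changes(mfa_events, flagged_users):
    """MFA method registrations made through 'My Signins' by already-flagged users."""
    return [m for m in mfa_events
            if m.user in flagged_users and m.via_app == "My Signins"]


def obfuscation_rules(rules):
    """Flag rules that hide mail (delete / move / mark read) and either match
    security-related keywords or apply to every incoming message."""
    flagged = []
    for r in rules:
        hides_mail = any(a == "delete" or a == "mark_read" or a.startswith("move:")
                         for a in r.actions)
        catch_all = len(r.keywords) == 0
        keyword_hit = any(k.lower() in SUSPECT_KEYWORDS for k in r.keywords)
        if hides_mail and (catch_all or keyword_hit):
            flagged.append((r.user, r.name))
    return flagged


# --- constructed sample telemetry ---------------------------------------
NORMAL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "Chrome/120.0.0.0 Safari/537.36")
SAMPLE_SIGNINS = [
    SignIn("cfo@example.com", "OfficeHome", OBSERVED_UA, "US"),     # proxy-aligned geo
    SignIn("cfo@example.com", "My Signins", OBSERVED_UA, "NL"),
    SignIn("sales@example.com", "OfficeHome", NORMAL_UA, "US"),    # ordinary Windows user
    SignIn("it@example.com", "Azure Portal", OBSERVED_UA, "US"),   # Linux admin, app not watched
]
SAMPLE_MFA = [
    MfaChange("cfo@example.com", "phone/sms", "My Signins"),
    MfaChange("sales@example.com", "authenticator", "My Signins"),
]
SAMPLE_RULES = [
    MailboxRule("cfo@example.com", ".", ("phish", "security"), ("delete",)),
    MailboxRule("cfo@example.com", "..", (), ("move:RSS Feeds", "mark_read")),
    MailboxRule("sales@example.com", "Newsletters", ("newsletter",), ("move:Newsletters",)),
]


def triage(signins=SAMPLE_SIGNINS, mfa=SAMPLE_MFA, rules=SAMPLE_RULES, home_country="US"):
    """Run all three checks and return a summary dict for the analyst."""
    hits = suspicious_signins(signins, home_country)
    flagged_users = {h[0] for h in hits}
    return {
        "signins": hits,
        "mfa_changes": persistence_mfa_changes(mfa, flagged_users),
        "rules": obfuscation_rules(rules),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("  ", item)
```

The MFA check is deliberately scoped to users already flagged by the sign-in check, since ‘My Signins’ is also where legitimate users manage their own methods; correlating the two signals is what turns a noisy event into a credible account-takeover lead.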

“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.

Thus, in your cloud environment, be aware of account takeover (ATO) and possible illegal access to key resources. Security solutions must offer precise and prompt identification of both initial account compromise and post-compromise actions, together with insight into services and applications that have been misused.


Tags: Azure Hacking


Feb 12 2024

Integrating cybersecurity into vehicle design and manufacturing

Category: cyber security, Security Architecture | disc7 @ 10:12 am

In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the cybersecurity landscape of the automotive industry, mainly focusing on electric and connected vehicles.

Edan highlights the challenges of technological advancements and outlines strategies for automakers to address cyber threats effectively. Additionally, he emphasizes the importance of consumer awareness in ensuring vehicle security.

Can you describe the state of cybersecurity in the automotive industry, especially in the context of electric and connected vehicles?

The automotive industry is experiencing a digital breakthrough transforming how vehicles are designed, manufactured, and used, primarily driven by the introduction and popularity of electric and autonomous vehicles. Technological advancements have been introduced and integrated throughout the vehicle life cycle. This brings numerous benefits like enhanced safety and improved efficiency to the cars we drive daily, but it also brings new and pressing cybersecurity challenges.

Now that our vehicles are becoming increasingly connected to the internet, can receive Over-the-Air (OTA) updates, use remote management, contain Advanced Driver Assistance Systems (ADAS), and employ AI, the potential avenues for cyberattacks have expanded for threat actors to exploit in a significant way.

What steps are automakers taking to address cybersecurity challenges in their latest vehicle models?

We use different forms and increasing amounts of software in our vehicles. The first challenge is in the supply chain, not just in terms of who provides the software; the issue penetrates each layer. Automakers need to understand this from a risk management perspective to pinpoint the onset and location of each specific risk. Suppliers must be involved in this process and continue to follow guidelines put in place by the automaker.

The second challenge involves software updating. As technology continues to evolve and more features are added, cybercriminals find new ways to exploit flaws and gaps in systems that we may not have been aware of because of the newness of the technology. Regular software updates must be administered to products to patch holes in systems, improve existing vulnerabilities and improve product performance.

In order to address these challenges, automakers need to conduct an initial risk assessment to understand what kind of threats and the type of threat actors are active within each layer of the product and supply chain in the automotive industry. From the experience gained from the initial risk assessment, a procedure must be put in place to ensure each internal and external employee and supplier knows their role in maintaining security at the company.

The procedure determines which types of threat actors are active within the automotive industry, where they are located, and each threat’s severity. This is complicated because threat actors reside worldwide in large numbers, and each group uses various forms of attacks to various degrees. Automakers use the information collected daily to help protect their assets. Additionally, audits must be conducted regularly to evaluate each supplier and employee to verify the procedures are followed correctly, don’t need to be updated, etc.

Can you explain how vehicle manufacturers integrate cybersecurity into the design and development process?

Once you have a factory line running, the first step to integrate cybersecurity into the manufacturing process is to secure the operational technology (OT) policy by understanding the risk and how to close the gaps. Manufacturers must deal with OT threats, which involve thousands of unique threats coming from the product lines, sensors, and other equipment involved in the manufacturing process, instead of systems like computers.

These threats can be especially dangerous if left ignored because of the simplicity of the equipment used in this stage. Suppose you are a threat actor and you want to damage an automaker. In that case, it is much more difficult to conduct a cyberattack on the cloud or the employees of an automaker. Still, the factory line is easier to attack because it uses equipment that is easier to breach and actions are less detected. This is a very common area for threat actors to target.

What key strategies are you recommending for protecting connected and electric vehicles against cyber threats?

Automotive companies must take a proactive approach to addressing cybersecurity threats instead of being reactive. This allows security teams to avoid threats instead of responding later once the damage has already been done. A few proactive strategies I’d recommend for companies are the following.

  • Conduct a risk assessment to understand and prioritize current and future risks.
  • Develop company-wide security policies and procedures so all employees know their roles in maintaining security.
  • Hold regular security training and awareness programs to educate employees.
  • Implement strong network security measures, including firewalls, detection systems, and encryption, to monitor your network traffic for any anomalies regularly.
  • Regularly backup critical data and store it in secure locations.
  • Develop a comprehensive incident response plan outlining steps to be taken during a cyberattack.
  • Conduct periodic security audits to evaluate the effectiveness of security measures and identify improvement areas.

Cybersecurity is an ongoing process that requires constant vigilance and adaptation – current strategies will likely become outdated and need to be reworked as new threats emerge.

What role do regulatory bodies play in shaping cybersecurity standards for electric and connected vehicles?

Regulatory bodies play a role in shaping cybersecurity standards, but they do not help you secure your products directly – that is up to each individual player in the automotive supply chain. The goal of regulatory bodies is to provide automakers with best practices on steps to take in the event of a cyber hack, what players to communicate with, and how deep to reach depending on the severity of the threat.

Once an automaker is compliant with certain regulatory rules, they will then ask the regulatory bodies to come to conduct an onsite visit, where they conduct an audit for months at a time, trying to hack each layer they can and look for any areas of weakness, to identify what needs to be patched up. This process needs to be repeated until the automaker is fully compliant.

What are the best practices that consumers should be aware of to ensure the cybersecurity of their electric or connected vehicles?

Consumers need to make sure the data collected in the vehicle stays private. For example, if you have an electric vehicle (EV) and you need to charge it, you might visit a public charging station. Not many people know this, but your vehicle data can be easy to hack at public charging stations because you are not only transferring electricity but also data.

To prevent this from happening, vehicle owners need to ask the right questions. Owning an EV is no different than when a homeowner goes to buy a large kitchen appliance, for example. The right questions need to be asked, including – who made it, whether the company has a cybersecurity procedure in place, whether it is currently compliant with regulatory body requirements, etc. Making sure that all software is regularly up to date is also essential. EV users must download official software from trusted brands using a secure network.

Along with automakers, consumers are partially responsible for their own security, which needs to be stressed to the general public more. Without this knowledge, consumers are left highly vulnerable to hacks from cybercriminals.


Tags: auto security, Car Security, Connected cars


Feb 09 2024

Key strategies for ISO 27001:2022 compliance adoption

Category: Information Security, ISO 27k | disc7 @ 1:18 pm

In this Help Net Security interview, Robin Long, founder of Kiowa Security, shares insights on how best to approach the implementation of the ISO/IEC 27001 information security standard.

Long advises organizations to establish a detailed project roadmap and to book certification audits at an early stage. He also recommends selecting an internal team that includes a leader with the ISO 27001 Lead Implementer qualification and suggests that in some cases, the best approach to the standard may be to start by prioritizing a limited number of “security wins” before embarking on full implementation.

A few general points about ISO 27001, before getting onto the questions:

1. The documentation behind ISO/IEC 27001:2022 (“ISO 27001”) is broken into two main parts: ISO/IEC 27001 itself, which contains the primary guidance, and a ‘guidance document’ called ISO/IEC 27002, which lists suggested information security controls that may be determined and implemented based on the risk analysis that is carried out according to the requirements of the primary document.

ISO 27001 is also supported by the other standards ISO/IEC 27000:2018 (IT security techniques) and ISO/IEC 27005:2022 (Information security, cybersecurity, and privacy protection), among others.

All these are developed and maintained by the International Organization for Standardization (ISO), which is based in Geneva, Switzerland.

2. Although there are a number of things that you are obliged to do if you’re seeking certified conformity to the standard, it is actually quite flexible about the details. Even the “requirements” – the obligatory clauses in the 27001 document – generally allow a fairly broad range of interpretation. This makes sense when you think that ISO 27001 has been developed as a one-size-fits-all system for all types and sizes of organization that handle sensitive information.

When you look at it like that, it immediately becomes less intimidating.

3. If you decide to go ahead and implement ISO 27001, it’s highly recommended to put together a detailed road map that defines targets of what should be achieved by what date in the timeline of the project (Gantt charts are good for this – look them up!). This helps to keep the project under control and reduces the risk of time and budget overrun. Breaking the project up into weekly components also makes it less daunting.

4. You’ll also need to define a (small) group of people to carry out, maintain and be accountable for implementation of the standard. You might call this the ‘ISMS Team’ (where ISMS means Information Security Management System, another way to describe ISO 27001). This team should ideally incorporate expertise and experience in IT, business development and data protection, and have a channel to senior management.

How do you recommend organizations approach understanding and implementing ISO 27001’s wide range of controls and requirements, especially those new to information security management?

As a consultant myself, I’m aware of the conflict of interest, but I have to say that I do think it makes sense to hire external advice for assistance with implementation of ISO 27001, for internal audit, and interaction with certification auditors.

One of the main responsibilities of such an advisor is to assist with understanding of the standard and information security management generally, at both high and low levels. The range of ISO27002 controls – for example – is wide indeed, but a competent consultant will break them down into manageable portions that are taken on one by one, in a carefully planned order.

Whether or not you decide to hire a consultant, it’s a pretty good idea also to send the leader of the ISMS Team on an ISO 27001 Lead Implementer (LI) course. These courses typically run for about three days, and they are helpful. Note that ISO 27001 requires the organisation to provide evidence of the competence of key participants in the project, and the LI qualification for a team member indicates a reasonable degree of knowledge and commitment regarding the standard.

Of course, there are also a number of helpful online resources including the ISO27k Forum.

Implementing ISO 27001 can be resource-intensive. What advice do you have for organizations, particularly SMEs, in effectively allocating resources and budget for ISO 27001 implementation?

It’s true that implementation of ISO 27001 necessarily consumes resources, in terms of money and other assets – particularly people’s time. The critical question is whether the resource cost is offset by perceived gains, and this is largely about efficiency of allocation. Among other methods that we can use to attempt to optimise this are:

1. Use of a roadmap – as mentioned above – that takes the organisation all the way through to the two-stage certification audit process at a granular (weekly) level.

2. Early selection of the certification auditor and agreement of tentative dates for the certification audits. The benefits of doing this include the psychological one of getting an end date in the diary to help define the project roadmap. The cost of certification audits is also an important part of the overall budget, and the certification body will provide quotes for these at this stage.

Note that along with the two initial certification audits, there are a couple of (roughly annual) surveillance audits and a recertification audit after three years. These audits all cost money, of course, and require budgeting.

3. Watching out for some of the less obvious costs, including the potential charges associated with:

  • Legal work on modifications/additions to employment contracts, NDAs etc.
  • Pen testing/vulnerability scanning if necessary
  • Software that you choose to install e.g., anti-malware, IDS, etc.

What strategies can be employed to convince top management of the necessity and benefits of ISO 27001 compliance?

Consultancy companies love to answer this question – on their websites – with a list of bullet points.

However, I can tell you that in nearly all cases there is just a single key factor at play, and it is a commercial one: Potential important clients or partners have been identified that require certification to the standard. Organisations that operate in sensitive sectors (finance, critical infrastructure, healthcare) have already learned this or are in the process of learning it, and don’t need to be told about it. If they don’t know, then by all means tell them!

Other reasons that I consider completely valid and credible include:

  • Perceived improvement in the level of an organisation’s information security provides assurance to other stakeholders apart from clients – investors, senior management, regulators, suppliers and so on – regarding information security risks to the organisation.
  • Implementation of ISO 27001 can help smaller companies with their expansion. For example, it can help with the development of sound HR policies, with procedures around business continuity, disaster recovery and change management, and several other areas.
  • Note that ISO 27001 isn’t by any means just about personal data but is also concerned with other types of sensitive information, in particular intellectual property or “IP” (including trade secrets and source code). For many tech start-ups, these are the main assets of the business, and need to be well protected.

Risk management and performance evaluation are critical yet challenging aspects of ISO 27001. How should organizations approach these elements to ensure an effective Information Security Management System (ISMS)?

These are indeed arguably the core areas of ISO 27001. Among the critical things to remember regarding risk assessments are:

  • You should really at least try to come up with all the possible information security risks (internal and external) that are or might be faced by your organisation. This is best done by brainstorming in a group based around the ISMS Team.

ISO 27001 fundamentally breaks down to: “What information security risks do we face? How should we best manage them?”

  • Just as the chicken may come before the egg, note that what should happen in this case is that you identify the risks first and then select the controls that help to manage those risks.

You definitely don’t have to apply all of the controls, and nearly all organisations treat some, validly, as non-applicable in their Statement of Applicability. For example, businesses where all employees work remotely simply don’t have the full range of risks that can benefit from mitigation by the physical controls.

When it comes to performance evaluation, it’s largely a case of working through the relevant clauses and controls and agreeing how good a job the organisation is doing trying to meet the associated requirements. The ones that are selected for monitoring, measurement and evaluation will depend on the type and size of the organisation and its business objectives. These are basically key performance indicators (KPIs) for information security and might include supplier evaluations and documented events, incidents, and vulnerabilities.

Specifically for cloud solutions like Microsoft 365, what unique challenges do organizations face in implementing ISO 27001, and how can they be addressed?

The switch towards remote working and use of cloud resources has been quite disruptive for ISO 27001. The 2022 version has been somewhat adapted (via modifications to the controls) to reflect the change in working conditions. However, it still gives a lot of attention to traditional physical places of work, networks, and pre-SaaS style suppliers.

The big switch away from locally downloaded software to cloud services means that we need to take advantage of the flexibility of ISO 27001 to interpret the 27002 controls in a corresponding way, for example:

  • Thinking less about networks and more about secure configuration of cloud resources.
  • Focusing on aspects of the ‘supplier relationships’ controls that are relevant to SaaS suppliers.
  • Remembering that if cloud resources are very important for handling and storage of sensitive data in your business, then the new control 5.23 (Information security for use of cloud services) is correspondingly important for your business and must be tackled carefully and rigorously. It almost definitely applies to you – and there’s a lot there.
  • Note that business continuity/disaster recovery for an organisation with employees that work remotely using cloud services becomes largely a question of how the relevant cloud provider(s) manage backups, redundancy of storage/compute etc.

ISO 27001 requires a commitment to continuous improvement. How should organizations approach this, particularly regarding incident management and response?

This is an enigmatic section of clause 10 (Improvement) that organisations tend to struggle with (the second part is about dealing with non-conformities and is much clearer regarding what needs to be done).

It seems to me that the best approach is to raise the question of ‘how can we make the ISMS better?’ at the periodic ISMS management meetings, come up with some examples whereby this may be achieved and then provide any observed progress in the right direction. That means that by the time of the first follow-up (surveillance) audit you should be able to present a list of several potential improvements along with how they are being achieved.

I’d like to finish up by mentioning that nothing stops your organisation implementing ISO 27001 without getting the certification, or even doing a partial implementation. Many businesses like the concept of ISO 27001 but aren’t quite ready to commit fully. In that case, I highly recommend the following implementation model:

1. Decide which areas of information security are priorities for your organisation in terms of incremental increase in security, resources (money, time, personnel) required and ease of implementation. You can call these your ‘lowest-hanging security fruit’ if you must. Possible examples include access control, HR security or endpoint security.
2. Work through these one by one according to the relevant 27002 controls.
3. Once you have the highest priority areas covered off, start working on lower levels of priority.
4. After a few months of this, you may feel that ISO 27001 isn’t quite so formidable, and that you are ready to tackle it. Go for it!


Tags: ISO 27001 2022, ISO 27001 compliance


Feb 09 2024

HijackLoader Expands Techniques to Improve Defense Evasion

Category: Malware | disc7 @ 10:39 am

https://www.crowdstrike.com/blog/hijackloader-expands-techniques/

  • HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
  • A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
  • CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities 

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities. 

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier. 

The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Tags: HijackLoader


Feb 08 2024

H4X-Tools : Empowering OSINT Enthusiasts With A Comprehensive Toolkit

Category: OSINT, Security Tools | disc7 @ 10:57 am

Discover the power of H4X-Tools, a versatile toolkit designed for scraping, OSINT (Open-Source Intelligence), and beyond.

From extracting information from social media accounts to conducting phone and IP lookups, H4X-Tools offers a wide array of functionalities to aid researchers, developers, and security enthusiasts alike.

Explore its features, installation process, and community-driven development in this article.

Toolkit for scraping, OSINT and more.

Submit feature requests and bugs in the issues tab.

If you want to help with the development, follow the instructions in contributing and simply open a pull request. You can also donate to keep the project alive and me motivated!

Current Tools

Warning

Some tools might not work on Windows systems.

Tool Name | Description
Ig Scrape | Scrapes information from IG accounts.
Web Search | Searches the internet for the given query.
Phone Lookup | Looks up a phone number and returns information about it.
Ip Lookup | Looks up an IP/domain address and returns information about it.
Port Scanner | Scans for open ports in a given IP/domain address.
Username Search | Tries to find a given username from many different websites.
Email Search | Efficiently finds registered accounts from a given email. Thanks to holehe.
Webhook Spammer | Spams messages to a discord webhook.
WhoIs Lookup | Looks up a domain and returns information about it.
SMS Bomber | Spams messages to a given mobile number.
Fake Info Generator | Generates fake information using Faker.
Web Scrape | Scrapes links from a given url.
Wi-Fi Finder | Scans for nearby Wi-Fi networks.
Wi-Fi Password Getter | Scans for locally saved Wi-Fi passwords.
Dir Buster | Bruteforce directories on a website.
Local Accounts Getter | Scans for all local accounts and their information.
Caesar Cipher | Encrypts/decrypts/bruteforce a message using the Caesar cipher.
BaseXX | Encodes/decodes a message using Base64/32/16.
About | Tells you about the tool.
Donate | My crypto addresses where to donate.
Exit | Exits the tool.

Note

  • IG Scrape requires you to log in in order to use it.
  • SMS Bomber only works with US numbers.
  • You might get rate limited after using some of the tools for too long.

Installation

I’ll upload already built executables to the releases tab, but I’d recommend installing the tool manually by following the instructions below. This way you also get the freshest version.

Setup

Important

Make sure you have Python and Git installed.

View the wiki page for a more detailed tutorial.

Linux

  1. Clone the repo: git clone https://github.com/vil/h4x-tools.git
  2. Change directory: cd h4x-tools
  3. Run sh setup.sh in the terminal to install the tool.

Windows

  1. Clone the repo: git clone https://github.com/vil/h4x-tools.git
  2. Change directory: cd h4x-tools
  3. Run the setup.bat file.

Setup files will automatically build the tool as an executable. You can also run the tool using python h4xtools.py in the terminal.

Also, dependencies can be installed manually using pip install -r requirements.txt.

OSINT Cracking Tools: Maltego, Shodan, Aircrack-Ng, Recon-Ng


Tags: H4X-Tools, OSINT Cracking Tools


Feb 08 2024

As-a-Service tools empower criminals with limited tech skills

Category: Cybercrime, Ransomware, Security Tools | disc7 @ 9:45 am

As-a-service attacks continue to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up the majority of malicious tools in use by attackers, according to Darktrace.

Cybercriminals exploit as-a-Service tools

As-a-Service tools can provide attackers with everything from pre-made malware to templates for phishing emails, payment processing systems and even helplines to enable criminals to mount attacks with limited technical knowledge.

The most common as-a-Service tools Darktrace saw in use from July to December 2023 were:

  • Malware loaders (77% of investigated threats), which can deliver and execute other forms of malware and enable attackers to repeatedly target affected networks.
  • Cryptominers (52% of investigated threats), which use an infected device to mine for cryptocurrency.
  • Botnets (39% of investigated threats) enrol users in wider networks of infected devices, which attackers then leverage in larger-scale attacks on other targets.
  • Information-stealing malware (36% of investigated threats), malicious software like spyware or worms, designed to secretly access and collect sensitive data from a victim’s computer or network.
  • Proxy botnets (15% of investigated threats), more sophisticated botnets that use proxies to hide the true source of their activity.

Phishing threats escalate in business communications

Darktrace identified Hive ransomware as one of the major Ransomware-as-a-Service attacks at the beginning of 2023. With the dismantling of Hive by the US government in January 2023, Darktrace observed the rapid growth of a range of threats filling the void, including ScamClub, a malvertising actor notorious for spreading fake virus alerts to notable news sites, and AsyncRAT, responsible for attacking US infrastructure employees in recent months.

As businesses continue to rely on email and collaboration tools for communication, methods such as phishing continue to cause a headache for security teams. Darktrace detected 10.4 million phishing emails across its customer fleet between 1 September and 31 December 2023.

But the report also highlights how cybercriminals are embracing more sophisticated tools and tactics designed to evade traditional security parameters. One example is the rise of Microsoft Teams phishing in which attackers contact employees through Teams, posing as a co-worker and tricking them into clicking malicious links.

In one case in September 2023, Darktrace identified a suspected Teams phisher attempting to trick users into clicking a SharePoint link that would download the DarkGate malware and deploy further strains of malware across the network.

Multi-function malware on the rise

Another new trend identified is the growth of malware developed with multiple functions to inflict maximum damage. Often deployed by sophisticated groups like cyber cartels, these Swiss Army knife-style threats combine capabilities.

For example, the recent Black Basta ransomware also spreads the Qbot banking trojan for credential theft. Such multi-tasking malware lets attackers cast a wide net to monetise infections.

“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing attacker tactics and techniques resulting from innovation in the tech industry at large, including the rise in generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations has grown significantly,” comments Hanah Darley, Director of Threat Research, Darktrace. “Security teams face an up-hill battle to stay ahead of attackers, and need a security stack that keeps them ahead of novel attacks, not chasing yesterday’s threats.”

Future Crimes: Inside the Digital Underground and the Battle for Our Connected World


Tags: As-a-Service, darktrace, Malware


Feb 08 2024

China had “persistent” access to U.S. critical infrastructure

Category: Access Control, Cyber Espionage | disc7 @ 7:59 am
https://www.axios.com/2024/02/07/china-volt-typhoon-critical-cyberattacks

China-backed hackers have had access to some major U.S. critical infrastructure for “at least five years,” according to an intelligence advisory released Wednesday.

Why it matters: The hacking campaign laid out in the report marks a sharp escalation in China’s willingness to seize U.S. infrastructure — going beyond the typical effort to steal state secrets.

  • The advisory provides the fullest picture to-date of how a key China hacking group has gained and maintained access to some U.S. critical infrastructure.

Details: The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation released an advisory Wednesday to warn critical infrastructure operators about China’s ongoing hacking interests.

  • According to the advisory, China-backed hacking group Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country.
  • The group has relied heavily on stolen administrator credentials to maintain access to the systems — and in some cases it has maintained access for “at least five years,” per the advisory.
  • Volt Typhoon has been seen controlling some victims’ surveillance camera systems, and its access could have allowed the group to disrupt critical energy and water controls.

Of note: Volt Typhoon uses so-called “living off the land” techniques that limit any trace of their activities on a network — making the actors more difficult to detect.

  • CNN first reported details from the advisory earlier today.

Between the lines: U.S. officials are increasingly worried China will launch destructive cyberattacks either during or in the lead up to a possible Chinese invasion of Taiwan.

  • Authorities in Canada, Australia and New Zealand contributed to today’s advisory, citing concerns that China is also targeting organizations in their countries.

Catch up quick: Intelligence officials have been ringing alarm bells about Volt Typhoon for nearly a year.

  • Last May, Microsoft and the U.S. government warned that Volt Typhoon had been positioning itself to launch attacks on infrastructure across the country, including water utilities and ports.
  • This month, officials said they had successfully thwarted Volt Typhoon’s access to these networks — but warned that the group had shown a willingness to keep looking for new ways in.

The big picture: U.S. critical infrastructure is riddled with security problems, including poor password management and a lack of procedures to install security updates.

  • Some critical infrastructure, including water systems, lack the funds to hire security personnel or upgrade equipment.
  • Government attempts to require basic cybersecurity audits have also hit legal hurdles.

Be smart: U.S. cyber defenders are urging infrastructure operators to apply available software updates to all internet-facing systems, implement multi-factor authentication and turn on activity logs to track any suspicious user behavior.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage


Tags: Advanced Persistent Threats


Feb 07 2024

Google says spyware vendors behind most zero-days it discovers

Category: Spyware, Zero day | disc7 @ 10:05 am
https://www.bleepingcomputer.com/news/security/google-says-spyware-vendors-behind-most-zero-days-it-discovers/


Commercial spyware vendors (CSV) were behind 80% of the zero-day vulnerabilities Google’s Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide.

Zero-day vulnerabilities are security flaws the vendors of impacted software do not know about or for which there are no available fixes.

Google’s TAG has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties.

Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors.

“This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild.” – Google

Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations.

Some notable CSVs highlighted in Google’s report are:

  • Cy4Gate and RCS Lab: Italian firms known for the “Epeius” and “Hermit” spyware for Android and iOS. The former acquired the latter in 2022, but they operate independently.
  • Intellexa: Alliance of spyware firms led by Tal Dilian since 2019. It combines technologies like Cytrox’s “Predator” spyware and WiSpear’s WiFi interception tools, offering integrated espionage solutions.
  • Negg Group: Italian CSV with international reach established in 2013. It is known for “Skygofree” malware and “VBiss” spyware, targeting mobile devices through exploit chains.
  • NSO Group: Israeli firm famous for Pegasus spyware and other sophisticated espionage tools. It continues operations despite sanctions and legal issues.
  • Variston: Spanish CSV providing tailored security solutions. It collaborates with other vendors for zero-day exploits and is linked to the Heliconia framework, expanding in the UAE.

These vendors sell licenses to use their products for millions of dollars, allowing customers to infect Android or iOS devices using undocumented 1-click or zero-click exploits.

Some of the exploit chains utilize n-days, which are known flaws for which fixes are available, yet patching delays still make them exploitable for malicious purposes, often for extended periods.

Google says that CSVs have grown very aggressive in their hunt for zero-days, developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023.

In the appendix of Google’s detailed report, one can find a list of 74 zero-days used by 11 CSVs. Of those, the majority are zero-days impacting Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6).

When white-hat researchers discover and fix the exploited flaws, CSVs often incur significant operational and financial damage as they struggle to reconstruct a working alternative infection pathway.

“Each time Google and fellow security researchers discover and disclose new bugs, it causes friction for CSVs and costs them development cycles,” says Google.

“When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents CSVs from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating.”

However, this is not enough to stop the proliferation of spyware, as the demand for these tools is strong, and the contracts are too lucrative for CSVs to give up.

Google calls for more action to be taken against the spyware industry, including higher levels of collaboration among governments, the introduction of strict guidelines that govern the use of surveillance technology, and diplomatic efforts with countries hosting non-compliant vendors.

Google is proactively countering spyware threats through solutions like Safe Browsing, Gmail security, the Advanced Protection Program (APP), and Google Play Protect, as well as by maintaining transparency and openly sharing threat information with the tech community.


Tags: Pegasus spyware, spyware vendors


Feb 06 2024

10 must-read cybersecurity books for 2024

Category: InfoSec Books, Security playbook | disc7 @ 10:54 am

Our list of cybersecurity books has been curated to steer your professional growth in 2024. This selection aims to provide comprehensive information security insights and knowledge, ensuring you stay ahead in your career learning journey throughout the year.

Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup

Author: Ross Haleliuk

Cyber for Builders provides an overview of the cybersecurity industry from entrepreneurial lenses, breaks down the role of various industry players, from investors to channel partners and acquirers, and offers insight into the trends shaping the future of security. Moreover, the book is packed with mental models, notes, and advice to help early-stage cybersecurity founders get their ideas off the ground and solve problems young companies face around problem discovery, hiring, building products, and fundraising.

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Authors: Dr. Gerald Auger, Jaclyn “Jax” Scott, Jonathan Helmus, Kim Nguyen

This book is designed to help you confidently enter the world of cybersecurity, covering everything from gaining the right certification to tips and tools for finding your first job. The book starts by helping you gain a foundational understanding of cybersecurity, covering cyber law, cyber policy, and frameworks. Next, you’ll focus on choosing the career field best suited to you, from security operations to penetration testing and risk analysis. The book also guides you through the different certification options and the pros and cons of a formal college education versus formal certificate courses.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems

Author: Matt Hand

This book demystifies EDR, taking you on a deep dive into how EDRs detect adversary activity. The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system.

If It’s Smart, It’s Vulnerable

Author: Mikko Hyppönen

This book delivers an eye-opening exploration of the best―and worst―things the internet has given us. From instant connectivity between any two points on the globe to organized ransomware gangs, the net truly has been a mixed blessing. In this book, the author explores the transformative potential of the future of the internet, as well as those things that threaten its continued existence: government surveillance, censorship, organized crime, and more.

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

Authors: Kyle Wilhoit, Joseph Opacki

You’ll start by finding out what threat intelligence is and where it can be applied. Next, you’ll discover techniques for performing cyber threat intelligence collection and analysis using open source tools. The book also examines commonly used frameworks and policies as well as fundamental operational security concepts. Later, you’ll focus on enriching and analyzing threat intelligence through pivoting and threat hunting. Finally, you’ll examine detailed mechanisms for the production of intelligence.

Practical Cybersecurity Architecture: A guide to creating and implementing robust designs for cybersecurity architects

Authors: Diana Kelley, Ed Moyle

Within this book, you’ll learn the fundamentals of cybersecurity architecture as a practical discipline. Once mastered, these fundamentals are evergreen approaches that can be applied and adapted to new and emerging technologies like artificial intelligence and machine learning. You’ll learn how to address and mitigate risks, design secure solutions in a purposeful and repeatable way, communicate with others about security designs, and bring designs to fruition.

Project Zero Trust: A Story about a Strategy for Aligning Security and the Business

Author: George Finney

This book delivers a hands-on and step-by-step guide to implementing an effective and practical Zero Trust security strategy at your organization. The book is written as an engaging narrative that follows the story of Dylan, a new IT Director at a company that experiences a ransomware attack on his first day. You’ll learn John Kindervags’ 5-step methodology for implementing Zero Trust, the four key Zero Trust design principles, and discover how to align this framework with your company’s operational and commercial requirements.

The Art of Social Engineering: Uncover the secrets behind the human dynamics in cybersecurity

Authors: Cesar Bravo, Desilda Toska

You’ll learn the most intriguing psychological principles exploited by attackers, including influence, manipulation, rapport, persuasion, and empathy, and gain insights into how attackers leverage technology to enhance their attacks using fake logins, email impersonation, fake updates, and executing attacks through social media. This book will equip you with the skills to develop your own defensive strategy, including awareness campaigns, phishing campaigns, cybersecurity training, and a variety of tools and techniques.

The DevSecOps Playbook: Deliver Continuous Security at Speed

Author: Sean D. Mack

Wiley CISO and CIO Sean D. Mack delivers an expert analysis of how to keep your business secure, relying on the classic triad of people, process, and technology to examine―in depth―every component of DevSecOps. In the book, you’ll learn why DevSecOps is as much about people and collaboration as it is about technology and how it impacts every part of our cybersecurity systems.

The Language of Deception: Weaponizing Next Generation AI

Author: Justin Hutchens

This book delivers an incisive and penetrating look at how contemporary and future AI can and will be weaponized for malicious and adversarial purposes. You will explore multiple foundational concepts to include the history of social engineering and social robotics, the psychology of deception, considerations of machine sentience and consciousness, and the history of how technology has been weaponized in the past.


Tags: cybersecurity book


Feb 06 2024

20 free cybersecurity tools you should know about

Category: Information Security, Security Tools | disc7 @ 10:36 am

https://www.techtarget.com/whatis/feature/17-free-cybersecurity-tools-you-should-know-about

Cybersecurity products can get pricey, but there are many excellent open source tools to help secure your systems and data. Here’s a list of some of the most popular with cyber pros.

Cybersecurity tools aren’t just for the enterprise anymore; they’re essential for every type and size of organization.

Some tools specialize in antivirus, while others focus on spear phishing, network security or scripting. Even the best cybersecurity products can only do a few things very well, and there is no room for error.

Effective products, coupled with in-depth cybersecurity planning, are a must for all. Whether businesses have an in-house security team or outsource these services, every entity needs cybersecurity pros to discover and fix any points of weakness in computer systems. This reality can tax the bottom line, but luckily there are many free cybersecurity tools available.

Here is a rundown of some of the top free tools cybersecurity professionals use every day to identify vulnerabilities.

1. Aircrack-ng

Aircrack-ng is a must-have suite of wireless security tools that focus on different aspects of Wi-Fi security. Aircrack-ng focuses on monitoring, attack testing and cracking your Wi-Fi network. This package of tools can capture, analyze and export packet data, spoof access points or routers and crack complex Wi-Fi passwords. The Aircrack-ng suite of programs includes Airdecap-ng, which decrypts WEP or WPA-encrypted capture files; Airodump-ng, a packet sniffer; Airtun-ng, a virtual tunnel interface creator; and Packetforge-ng, which creates encrypted packets for injection. All of it is free and open source.

2. Burp Suite

Burp is a suite of tools specifically focused on debugging and testing web app security. Burp Suite includes a spider for crawling web app content, a randomness tool for testing session tokens and a sophisticated request repeater to resend manipulated requests. The real power of Burp Suite, however, is the intercepting proxy tool, which enables Burp to intercept, inspect, modify and send traffic from the browser to a target. This powerful feature makes it possible to creatively analyze a web app’s attack vectors from all angles — a key reason it’s often ranked as one of the best free cybersecurity tools. The community version of Burp Suite is free, but there is also a paid Enterprise Edition designed for enabling testing in DevSecOps.

3. Defendify

Defendify is an all-in-one product that provides multiple layers of protection and offers consulting services if needed. With Defendify, organizations can streamline cybersecurity assessments, testing, policies, training, detection and response in one consolidated cybersecurity tool.

Features include cybersecurity risk assessments, technology and data use policies, incident response plans, penetration testing, threat alerts, phishing simulations and cybersecurity awareness training.

4. Gophish

Many of the costliest data breaches and ransomware attacks in recent years can be traced back to simple phishing campaigns because many company workers fall for them. One of the best protections is to secretly test your staff to see who is gullible, and for that you can use the free program Gophish. Gophish is open source and provides a full-featured toolkit for security administrators to build their own phishing campaigns with relative ease. The overall goal is not to embarrass staff, but to find out who needs greater phishing awareness and to foster better security training within the organization.

5. Have I Been Pwned

Created by award-winning cybersecurity thought leader and teacher Troy Hunt, Have I Been Pwned is a website where you enter your email address to check if your address has been revealed in a data breach. Have I Been Pwned’s database is filled with billions of usernames, passwords, email addresses and other information that hackers have stolen and published online. Just enter your address in the search box.

6. Kali Linux

Kali Linux is a Debian Linux derivative specifically designed for security tasks such as penetration testing, security auditing and digital forensics. Kali includes roughly 600 pre-installed programs, each included to help computer security experts carry out a specific attack, probe or exploit against a target. Aircrack-ng, Nmap, Wireshark and Metasploit are a few of the pre-installed tools that ship with the Kali Linux download.

7. Metasploit Framework

Similar to Kali Linux but at the application layer rather than the OS, the Metasploit Framework can test computer system vulnerabilities or can be used to break into remote systems. It is, in other words, a network penetration “Swiss Army knife” used by both ethical hackers and criminal gangs to probe networks and applications for flaws and weaknesses. There is both a free and a commercial version — known as the Framework and Pro editions, respectively — which are available for trial. Both editions are the de facto standard for penetration testing, with more than 1,500 exploits. Metasploit comes pre-installed on Kali Linux.

8. Nmap

Nmap is a free network mapper used to discover network nodes and scan systems for vulnerability. This popular free cybersecurity tool provides methods to find open ports, detect host devices, see which network services are active, fingerprint operating systems and locate potential backdoors.

While Nmap provides users immense power and capability to explore networks, the program has a rather steep learning curve to get over before one becomes truly proficient in using it.

9. Nikto

Nikto is an ultra-powerful, command-line tool useful for uncovering vulnerabilities in web apps, services and web servers. Originally launched in the early 2000s, Nikto is still widely used by both blue and red teams that want to quickly scan web servers for unpatched software, misconfigurations and other security issues. The program also features built-in support for SSL proxies and intrusion detection system evasion. Nikto can run on any computer capable of supporting the Perl programming language.

10. Open Vulnerability Assessment Scanner

OpenVAS is an all-in-one vulnerability scanner that comprehensively tests for security holes, misconfigured systems and outdated software. The scanner gets the tests for detecting vulnerabilities from a feed with daily updates. Much of the program’s power stems from its built-in programming interface, which enables developers to create custom scans that fit niche needs.

Its capabilities include unauthenticated and authenticated testing, high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

11. OSSEC

OSSEC is a free program for cybersecurity professionals that’s been touted as one of the most popular systems for intrusion detection and prevention. Made up of multiple components — including a server, agent and router monitor — OSSEC is capable of rootkit detection, system integrity checking, threat alerts and response. One of OSSEC’s highlights is its comprehensive log analysis tool, empowering users to compare and contrast log events from many different sources.

OSSEC comes in three versions: standard; OSSEC+, which includes machine learning and real-time community updates; and Atomic OSSEC, with more advanced functions.

12. Password managers

Using only strong passwords — and keeping them secure — is an essential step in the security of any system. But since a best practice is to use a unique password for every website, app and service, that can get tricky. A good password manager makes it possible to safely store all passwords together so a user only needs to remember one master key rather than dozens of unique passwords. This is especially true for cybersecurity professionals tasked with guarding passwords to mission-critical systems. Fortunately, there are free password management tools. Three good, free options for cybersecurity pros are KeePass, Bitwarden and Psono.

13. PfSense

The firewall/router software pfSense can be installed on either a physical computer or virtual machine to protect networks. PfSense is based on the FreeBSD OS, and has become one of the most popular open source firewall/router projects available. PfSense can also be configured for intrusion detection and prevention, traffic shaping, load balancing and content filtering. The pfSense site includes a tour, a community page, a link to both training and support and a download of the latest version of the community edition of the software.

14. P0f

Passive fingerprinting is the analysis of the traffic a host sends and receives, looking at how its TCP/IP stack builds packets and at application banners such as HTTP headers, to identify the operating system, software and network distance of the endpoint. Because it reads protocol headers rather than payloads, it works even when the payload is encrypted, and it can profile devices that never answer an active scan but are still reachable inside an organization's network.

p0f is a simple yet powerful network-level fingerprinting and forensics program. While other free tools do a similar job, p0f is designed for stealth: where most rely on active scanning and packet injection, p0f derives fingerprints and other vital information from observed traffic alone. Being passive rather than active means p0f sends nothing that could be detected or blocked, making it a favorite tool of ethical hackers and cybercriminals alike.

15. REMnux

Normally the dissection and examination of malware is left to the antimalware vendors. But if you would like to do the job yourself, there is REMnux, a free Linux toolkit for reverse-engineering and analyzing malware.

Included in every REMnux distribution are tools to analyze Windows executables, reverse-engineer binaries and inspect suspicious documents. It also includes a collection of free tools cybersecurity professionals can use to monitor networks, gather data and conduct memory forensics. 

16. Security Onion

Security Onion is a free and open Linux distribution that helps cybersecurity professionals build a comprehensive picture of their environment's security posture. It provides network monitoring using full packet capture, host-based and network-based intrusion detection, log indexing, search and data visualization.

The distribution emphasizes ease of use and brings data and analytics from multiple tools into a unified dashboard. The overarching goal of the project is a security monitoring platform that reduces decision paralysis and false alerts.

17. Snort

Snort is an open source network intrusion detection and prevention system capable of real-time traffic analysis and packet logging. It uses rules to identify malicious network activity, match the offending packets and generate alerts. Managed by Cisco, Snort combines a sniffer, a packet logger and an intrusion detection engine in a single package to detect probes, attacks and intrusions.

Its developer recently released version 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, use of a shared configuration and attribute table, access to more than 200 plugins, rewritten TCP handling and new performance monitoring.

18. Sqlmap

sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws and, where the database permits it, taking over the underlying database server. It comes with a powerful detection engine and many niche features for the experienced tester. It supports a wide range of database management systems, including Oracle, MySQL, PostgreSQL, Microsoft SQL Server and SQLite, and the main injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.

19. Wireshark

Wireshark is considered by many to be an indispensable tool to locate, identify and examine network packets to diagnose critical issues and spot security weaknesses. The website for Wireshark outlines its broad set of features and provides a user’s guide and other resources for putting this free cybersecurity tool to best use.

20. Zed Attack Proxy (ZAP)

ZAP is an open source penetration testing tool designed specifically for testing web applications. It is known as a “man-in-the-middle proxy,” where it intercepts and inspects messages sent between browsers and web applications.

ZAP provides functionality for developers, testers new to security testing and security testing specialists. There are also versions for each major operating system and Docker. Additional functionality is available via add-ons in the ZAP Marketplace.

Every cybersecurity expert carries a different set of tools, depending on their mission and skill set. The free cybersecurity tools here serve as an entry point for those looking to build their skills and knowledge against threats that grow more capable and more efficient every year.

The Ultimate Kali Linux Book: Perform advanced penetration testing using Nmap, Metasploit, Aircrack-ng, and Empire

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: free cybersecurity tools


Feb 05 2024

Deepfaked video conference call makes employee send $25 million to scammers

Category: Deepfakes | disc7 @ 8:36 am

A deepfake video conference call paired with social engineering tricks has led to the theft of over US$25 million from a multinational firm, the South China Morning Post has reported.

The scheme and the deepfake video conference call

The attack started with messages sent to several of the firm's employees, but it seems that only one, employed in the finance department of the company's Hong Kong branch, was ultimately fooled.

According to the SCMP, the employee's suspicions were raised when they received a message, purportedly from the company's UK-based Chief Financial Officer, asking them to carry out a secret transaction. Those suspicions were later quelled by a group video conference to which the employee was invited.

Present in the video conference were the company’s CFO, other company staff and even outsiders – or so it seemed.

In reality, the fraudsters used previous video and audio footage and artificial intelligence technology to create the illusion these individuals were present on the call and make these digital recreations “speak” to pull off the illusion.

Baron Chan Shun-ching, a superintendent with Hong Kong Police’s cyber security division, told the SCMP that “during the video conference, the scammers asked the victim to do a self-introduction but did not actually interact with the person. The fake images on screen mainly gave orders before the meeting ended abruptly.”

After the call, the scammers delivered additional instructions via IM, emails and one-on-one video calls. As instructed, the employee sent a total of HK$200 million to five local bank accounts.

Several other employees at the same branch were also contacted by the scammers, the Hong Kong police said, but the police did not share how those interactions unfolded.

Deepfakes are getting more difficult to spot

AI-generated deepfakes (whether audio or video) are increasingly being leveraged by scammers and other crooks.

They are using artificial intelligence to impersonate family members in distress, impersonate individuals to open bank accounts or make fraudulent purchases in their name, apply for loans, obtain remote IT jobs, and (as in this case) trick executives and employees into transferring company money.

Most people overestimate their deepfake detection skills. This is all new territory, and deepfakes are getting more realistic and more difficult to spot by the day.

“We want to alert the public to these new deception tactics. In the past, we would assume these scams would only involve two people in one-on-one situations, but we can see from this case that fraudsters are able to use AI technology in online meetings, so people must be vigilant even in meetings with lots of participants,” Chan Shun-ching said during a press event.

The Hong Kong Police has advised the public to ask questions during these meetings, ask the participants to move, and confirm requests made during those calls via alternative communication channels. The out-of-band check is the one that holds up: call back on a number already on file, not one supplied in the meeting or in the message that set it up.

What happens when anyone can make a video of you saying anything?



Feb 03 2024

HACKING DEBIAN, UBUNTU, RED HAT & FEDORA SERVERS USING A SINGLE VULNERABILITY IN 2024

Category: Hacking, Linux Security, Security vulnerabilities | disc7 @ 11:47 am

The recent discovery of a significant flaw in the GNU C Library (glibc), a fundamental component of major Linux distributions, has raised serious security concerns. The flaw lets a local attacker who already holds an unprivileged account escalate to root, a critical threat to the security of Linux systems.

  • Vulnerability in GNU C Library (glibc): The GNU C Library, commonly known as glibc, is an essential part of Linux distributions. It provides the core C library for the system, including the functions used for file handling, string and memory handling, and system calls.
  • Root Access Granted: The flaw allows a local attacker to gain full root access to Linux machines. Root access means complete control over the system, enabling an attacker to perform any action, including installing software, accessing all files, and modifying system configurations.

CVE ID: CVE-2023-6246

  • Description: A heap-based buffer overflow in glibc's __vsyslog_internal() function, which is called by the widely used syslog() and vsyslog() functions. It is classified as a local privilege escalation (LPE) issue. The bug was introduced in glibc 2.37 (August 2022) and backported into 2.36; glibc 2.39 contains the fix, and distributions have shipped backported patches for their own builds.
  • Impact: An unprivileged local user can gain root on several major Linux distributions in their default configurations and take complete control of the affected system.
  • Severity: High, because the outcome is full root access from an ordinary local account.

HOW THE FLAW WORKS

  • Local Privilege Escalation: The vulnerability is a local privilege escalation (LPE) issue. An attacker who already has access to the system, even with limited privileges, can exploit this flaw to gain root-level access; it is not remotely exploitable on its own.
  • Exploitation Requirements: The attacker needs a Set-User-ID (SUID) binary that logs through syslog(). SUID is a file permission that runs a program with the privileges of the file owner, which for these binaries is typically root, so the overflow executes with root privileges. Without such a binary on the path from attacker-controlled input to syslog(), the bug does not yield privilege escalation.

IMPACT AND SEVERITY

  • Widespread Impact: Given the ubiquitous use of glibc in Linux distributions, the impact of this vulnerability is widespread, affecting a vast number of systems and applications.
  • High Severity: The flaw is considered high severity due to its potential to grant attackers complete control over the affected systems.

MITIGATION AND RESPONSE

  • Limiting SUID Binaries: One suggested mitigation is to run exposed or untrusted services in "no new privileges" mode (the PR_SET_NO_NEW_PRIVS flag), for example with systemd's NoNewPrivileges=yes or with bwrap. Under that flag, executing a SUID binary does not raise privileges, so the overflow cannot be reached as root from that process tree. This contains only the services it is applied to and is not a replacement for the patch.
  • Patch and Update: Users and administrators are urged to apply patches and updates provided by their Linux distribution as soon as they become available. Staying updated is crucial in preventing the exploitation of this vulnerability.
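The checks a sysadmin would actually run for the points above, as a small POSIX shell script. This is an added example written for this page, not code from the original post, from Qualys or from the glibc project. The version range it encodes is the upstream one (2.36, 2.37 and 2.38 carry the bug, 2.39 fixes it); the function names and the hypothetical script name glibc_checks.sh are assumptions, and distribution packages that backport the fix will still report "yes", so the result is a prompt to read the distro advisory, not a verdict.

```shell
#!/bin/sh
# Added example (not from the original post or the glibc project): quick
# checks an administrator can run for CVE-2023-6246.
#  1. Is the installed glibc in the upstream range that shipped the bug?
#     Upstream, the overflow exists in 2.36, 2.37 and 2.38 and is fixed in
#     2.39. Distributions backport fixes without changing the version, so
#     "yes" means "check the distro advisory", not "confirmed vulnerable".
#  2. Which SUID-root binaries are present? The flaw is reachable only
#     through a SUID program that logs via syslog(), so this is the local
#     attack surface worth reviewing.
#  3. What does the "no new privileges" mitigation look like for a systemd
#     service? Under PR_SET_NO_NEW_PRIVS, exec of a SUID binary does not
#     raise privileges, so a compromised service cannot use one to get root.

# Print "yes" if the glibc version string (e.g. "2.37" or "2.36-9+deb12u3")
# is one of the upstream releases that carried the bug, otherwise "no".
glibc_version_in_affected_range() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    # Reject anything that is not MAJOR.MINOR digits before comparing.
    case "$major:$minor" in
        *[!0-9:]*|:*|*:) echo no; return 0 ;;
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -ge 36 ] && [ "$minor" -le 38 ]; then
        echo yes
    else
        echo no
    fi
}

# Version of the glibc the running system links against (glibc systems only;
# getconf prints "glibc 2.37").
installed_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

# Regular files under DIR with the SUID bit set, one path per line.
list_suid_binaries() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# systemd drop-in that runs SERVICE under no_new_privs.
no_new_privs_dropin() {
    printf '# /etc/systemd/system/%s.service.d/nonewprivs.conf\n' "$1"
    printf '[Service]\nNoNewPrivileges=yes\n'
}

# Stand-alone use: sh glibc_checks.sh --run
if [ "${1:-}" = "--run" ]; then
    ver=$(installed_glibc_version)
    echo "glibc ${ver:-unknown}: in upstream-affected range: $(glibc_version_in_affected_range "${ver:-0}")"
    echo "SUID binaries under /usr:"
    list_suid_binaries /usr
    echo
    no_new_privs_dropin example
fi
```

After writing the drop-in, run `systemctl daemon-reload` and restart the service; check with `grep NoNewPrivs /proc/PID/status` that the flag is set on the running process.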

The discovery of the glibc flaw that grants root access to major Linux distributions is a stark reminder of the importance of system security and the need for constant vigilance. Users and administrators must take immediate action to mitigate the risk by applying patches and employing security best practices. As Linux continues to be a backbone for many systems and networks, ensuring its security is paramount for the integrity of countless applications and services.

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali


Tags: HACKING DEBIAN, RED HAT & FEDORA, UBUNTU


Feb 02 2024

FritzFrog Botnet Attacking Linux Servers To Steal SSH Credentials

Category: Botnet, Cyber Attack | disc7 @ 9:38 am

The FritzFrog botnet, first identified in 2020, is an advanced peer-to-peer botnet written in Go that runs on both x86-64 and ARM-based devices. The malware has been updated continuously, adding and enhancing features over time.

A new variant of FritzFrog was discovered exploiting the Log4Shell vulnerability against hosts on a victim's internal network.

Additionally, by using weak SSH credentials, the malware attacks servers that are accessible over the internet. 

“Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable,” Akamai shared with Cyber Security News.

The Exploitation Chain

Originally the only infection vector used by FritzFrog was SSH brute force; more recent iterations of the malware add Log4Shell exploitation, dubbed "Frog4Shell".

Log4Shell (CVE-2021-44228) was found in the popular open source Log4j logging library for Java in late 2021. Governments and security firms carried out a global initiative to patch it.

Presently, the malware targets every host on the internal network as part of its spreading routine, attempting to connect to every address on the local network.

According to the researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatched—a situation that FritzFrog takes advantage of.

FritzFrog scanning the local network to identify targets

“This means that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” researchers said.

FritzFrog searches for HTTP servers on ports 8080, 8090, 8888, and 9000 to find possible Log4Shell targets. The malware is currently targeting as many vulnerable Java applications as possible.

Log4Shell exploitation flow

Additionally, FritzFrog enhanced its capacity to identify targets for SSH brute force, which is its primary infection vector.

In addition to attacking randomly generated IP addresses, FritzFrog now reads several system files on each victim to identify specific SSH targets that are likely to be reachable from that host.

The malware now includes a module that exploits CVE-2021-4034 (PwnKit), a privilege escalation in pkexec from the polkit Linux component. On unpatched servers, this module lets the malware run as root.

“Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today,” researchers said.

Recommendation

  • Network segmentation can stop the lateral movement of the malware. Software-based segmentation can be a long-lasting protective measure that is comparatively easy to implement.
  • For SSH servers, Akamai provides a FritzFrog detection script that looks for the following indicators:

a. Running processes named nginx, ifconfig, php-fpm, apache2 or libexec whose executable file no longer exists on the file system

b. A process listening on TCP port 1234
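The two indicators above, turned into a small POSIX shell script. This is an added example written for this page, not the Akamai detection script the post refers to. The process names and the port come from the post; the function names, the PROC_ROOT argument (which lets the process check run against a constructed /proc-style tree instead of the live one) and the use of ss(8) for the listener check are my assumptions.

```shell
#!/bin/sh
# Added example, not the Akamai script referenced in the post. It checks the
# two FritzFrog indicators the post lists: (a) a running process whose name
# is nginx, ifconfig, php-fpm, apache2 or libexec but whose executable is
# gone from disk, and (b) a listener on TCP port 1234.
# Run as root: /proc/PID/exe of other users' processes is unreadable
# otherwise and is reported on stderr rather than flagged.

FRITZFROG_NAMES='nginx ifconfig php-fpm apache2 libexec'

# find_deleted_exe_procs [PROC_ROOT]
# Prints "PID NAME TARGET (deleted|missing)" for each process whose comm is
# one of the FritzFrog names and whose exe link points at a file that is
# gone. On a live /proc the kernel appends " (deleted)" to the link target;
# the -e test covers a dangling link in a constructed tree.
find_deleted_exe_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        [ -r "$d/comm" ] || continue
        name=$(cat "$d/comm")
        case " $FRITZFROG_NAMES " in
            *" $name "*) ;;
            *) continue ;;
        esac
        if target=$(readlink "$d/exe" 2>/dev/null); then
            case "$target" in
                *' (deleted)') echo "${d##*/} $name $target" ;;
                *) [ -e "$target" ] || echo "${d##*/} $name $target (missing)" ;;
            esac
        else
            echo "${d##*/} $name: exe unreadable (run as root)" >&2
        fi
    done
}

# listeners_on_port PORT
# Reads `ss -lnt` output on stdin and prints each local address listening on
# PORT. The port is the text after the last ':' so IPv6 "[::]:1234" works.
listeners_on_port() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# Stand-alone use: sh fritzfrog_check.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "FritzFrog-named processes with a deleted executable:"
    find_deleted_exe_procs /proc
    echo "Listeners on TCP 1234:"
    ss -lnt 2>/dev/null | listeners_on_port 1234
fi
```

A hit on either check is a reason to image the host before touching it; the deleted-executable trick means the binary only survives in memory, so `cp /proc/PID/exe /evidence/` while the process is still alive is the way to recover a sample.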



Feb 01 2024

7 hacking tools that look harmless but can do real damage

Category: Hacking, Security Tools | disc7 @ 8:52 am

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/

One of the best ways to stay safe and secure when using your computers and other electronic devices is to be aware of the risks. For the past decade, that’s precisely what I’ve been doing.

Most risks are obvious: use strong passwords, don’t download and install software from untrustworthy websites, or hand your unlocked device to a third party.

However, there are less obvious — yet equally dangerous — risks that can result in device or network intrusion, or even device destruction.

Watch out: Some of the most effective and dangerous hacking tools are hard to tell apart from benign devices. They can even be cute.

1. Flipper Zero

2. O.MG cables

3. USBKill

4. USB Nugget

5. Wi-Fi Pineapple

6. USB Rubber Ducky

7. LAN Turtle

for more details:

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/


Tags: hacking tools


Jan 31 2024

How to make developers accept DevSecOps

Category: DevSecOps | disc7 @ 11:38 am

According to a recent Dynatrace report, only 50% of CISOs believe that development teams have thoroughly tested the software for vulnerabilities before deploying it into the production environment.

This is a statistic that needs to change and the only way to change it is to make sure developers are on the same page as security practitioners.

The challenges

Making developers accept the importance of security in their software development process comes with numerous challenges. They can be split into four categories:

  • Tool-related challenges
  • Practice-related challenges
  • Infrastructure-related challenges
  • People-related challenges

Integrating security tools into existing DevOps tools can be complicated. “A significant barrier in implementing security into [DevSecOps] is the differences in tool-sets between security and other teams,” researchers Roshan N. Rajapaksea, Mansooreh Zahedia, M. Ali Babara and Haifeng Shenc noted. Also, each team member has their own preferences in tools based on specific advantages.

Some toolsets may also be inadequate, and without standards or documentation developers will have even more difficulties with the integration.

Practice-related challenges involve automation and deployment. DevOps processes are mostly automated, but security requires human action, i.e., manual security practices that are difficult to automate.

Developers are also under pressure to ship as soon as possible, yet implementing DevSecOps requires the development process to slow down so that possible vulnerabilities can be fixed.

When it comes to infrastructure, a complex cloud environment can slow down secure software development, while a multi-cloud environment can pose difficulties when securing data. Highly regulated environments (air-gapped environments, medical infrastructure, etc.) can also make DevSecOps adoption difficult.

Finally, there’s the people-related challenges: developers may have difficulties with the imminent changes that DevSecOps bring to the development process, and may lack security skills required to carry out certain security practices in DevSecOps.

CISOs and developers (69% and 64%, respectively) both see that the lack of communication and collaboration between developers and security teams is a significant problem.

Implementing DevSecOps will also not work without the right knowledge, which developers have yet to build.

The solutions

To make developers accept DevSecOps, they need to be heard, which means making sure they have a say when security decisions are made. This can contribute to a more productive and constant collaboration and communication between security and development engineers, while also defining roles and responsibilities.

Shifting left is a must, but developers need to know exactly what is expected of them when it comes to secure coding.

“A big part of improving the DevSecOps experience is not introducing more tooling, but getting clear on the process and expectations of how developers should use the tools they already have. Clear communication about policies ensures an organized and consistent approach to implementing security throughout the SDLC,” says Nick Liffen, director at GitHub Advanced Security.

Training is an important part of DevSecOps implementation, but developers need to be reassured that their job will not be disrupted when security gets integrated into coding.

To further motivate them, it’s good to let them see that knowing how to code securely can contribute to both the company’s success and their personal growth.

Learning that being a DevSecOps professional is a good career choice can additionally boost their motivation.

“Between 2021 and 2028, the DevSecOps market is expected to grow at a CAGR of 24.1%. DevSecOps professionals have several job opportunities as a result of this rapid rise. This demand is expected to grow as more companies adopt DevSecOps practices,” said Misbah Thevarmannil, content lead at Practical DevSecOps.

The DevSecOps Playbook


Tags: DevSecOps, The DevSecOps Playbook


Jan 31 2024

Wireshark Pen Tester Guide

Category: Information Security, Pen Test | disc7 @ 7:51 am

WireShark Cheat Sheet


Tags: wireshark


Jan 30 2024

Aembit Announces New Workload IAM Integration With CrowdStrike To Help Enterprises Secure Workload-To-Workload Access

Category: Access Control, Information Security | disc7 @ 3:12 pm

Aembit Becomes the First Workload IAM Platform to Integrate with the Industry-Leading CrowdStrike Falcon Platform to Drive Workload Conditional Access

Aembit, the Workload Identity and Access Management (IAM) platform that enables DevOps and security teams to discover, manage, enforce and audit access between workloads, today announced the availability of a new integration with the industry-leading CrowdStrike Falcon® platform to give enterprises the ability to dynamically manage and enforce conditional access policies based on the real-time security posture of their applications and services.

This integration signifies a significant leap in Aembit’s mission to empower organizations to apply Zero Trust principles to make workload-to-workload access more secure and manageable. 

Workload IAM transforms enterprise security by securing workload-to-workload access through policy-driven, identity-based, and secretless access controls, moving away from the legacy unmanaged, secrets-based approach. 

Through this partnership, the Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload and evaluates its real-time security posture to drive workload access decisions to applications and data.

With this approach, now enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional customer benefits from this partnership include:

  • Managed Workload-to-Workload Access: Enforce and manage workload access to other applications, SaaS services, and third-party APIs based on identity and policy set by the security team, driving down risk.
  • Seamless Deployment: Drive consolidation by effortlessly integrating the Aembit Workload IAM Platform with the Falcon platform in a few clicks, providing a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust Security Model: Embrace a Zero Trust approach, ensuring that every access request, regardless of the source, is verified before granting access rights. Aembit’s solution enforces the principle of least privilege based on identity, policy, and workload security posture, minimizing potential security vulnerabilities.
  • Visibility and Monitoring: Gain extensive visibility into workload identities and access permissions, enabling swift detection and response to potential security threats. Monitor and audit access logs based on identity for comprehensive security oversight.

This industry-first collaboration builds on the recent CrowdStrike Falcon Fund strategic investment in Aembit, underscoring the global cybersecurity leader’s commitment to fostering innovation within the space. The investment reflects the recognition of the growing demands for securing workload access.


Tags: Aembit, CrowdStrike Falcon, IAM


Jan 30 2024

Faction: Open-source pentesting report generation and collaboration framework

Category: Pen Test | disc7 @ 8:49 am

Josh Summitt, the creator of Faction, has always disliked the process of writing reports, preferring to focus on uncovering bugs. A key frustration for him was the redundant step of using a separate note-taking app for storing screenshots and findings before compiling the final report.

He envisioned an integrated solution where the report generation tool would serve as the note-taking platform, incorporating all the standard templates typically used in reports. He hopes Faction will help others save time, reduce stress, and improve their information security workflow.

“I built Faction to be extendable in ways like you would extend BurpSuite. It’s designed to be flexible and extended to fit seamlessly in any environment. It is easy for internal teams to build and support their small modules versus a large code base. In addition, I hope the project will get a growing list of prebuilt modules developed by the community to expand capabilities without requiring internal development,” Summitt told Help Net Security.

Faction features

With Faction, you can:

  • Streamline penetration testing and security assessment reporting through automation.
  • Facilitate peer review and monitor modifications in reports.
  • Design docx templates for various assessments and follow-up retests.
  • Collaborate in real-time with assessors using the web application and extensions for Burp Suite.
  • Utilize adaptable vulnerability templates featuring 75 pre-filled options.
  • Oversee assessment teams and monitor organizational progress.
  • Monitor the remediation of vulnerabilities with tailored SLA warnings and notifications.
  • Leverage a comprehensive Rest API for seamless integration with other tools.

Other features:

  • LDAP, OAuth 2.0 and SMTP Integration.
  • Extendable with Custom Plugins similar to Burp Extender.
  • Custom Report Variables.

Future plans

The developer is currently working on enhancing the extendability of Faction by introducing a full app store, reminiscent of those found in platforms like Slack and Burp. This expansion will allow for the inclusion of additional features such as custom UI elements.

“Faction has had a strong focus on penetration testing from an application security mindset. I want to expand that to be more Red and Blue Team inclusive. Not that it won’t work for these teams out of the box but it could be more flexible,” Summitt added.

Faction is available for free on GitHub.

More open-source tools to consider:

Burp Suite Cookbook: Web application security made easy with Burp Suite

To explore Pen Testing


Tags: Pen testing, Pen testing report

