Feb 28 2023

HACKERS HAD CONTROL OF DOW JONES, FOX NEWS, THE SUN, AND MARKETWATCH COMPANIES NETWORKS FOR 2 YEARS

Category: Data Breach,data securityDISC @ 9:44 am

It is not uncommon for large organizations to face cyber attacks or data breaches, so it is important for them to have strong cybersecurity measures in place to prevent such incidents and to limit their impact when they do occur. When an incident does occur, the affected companies are expected to conduct a thorough investigation, address the situation, and take steps to prevent similar incidents in the future.

The media and publishing giant News Corp reported a data breach in February 2022, disclosing that its journalists had been targeted in a software supply-chain attack. News Corp's assets include a number of prominent news outlets, such as Dow Jones, FOX News, The Sun, and MarketWatch. It is also worth noting that in March 2019 Dow Jones made news for exposing a “screening list” containing sensitive information on terrorists, criminals, and shady enterprises, including names, addresses, and phone numbers.

A separate leak of thirteen million records involving the FOX News website was reported in April 2022. The fifty-eight terabytes of exposed data included the company's internal documents, the personally identifiable information (PII) of its employees, and more. The records remained publicly accessible until the company was made aware of the exposure.

Today, the company disclosed new information showing that the intrusion actually began in February 2020, meaning the attackers were present on the network for two years before being discovered. Mandiant, now owned by Google, was the cybersecurity firm that assisted News Corp at the time. Because the perpetrators had access for two years before detection, it is likely that they stole more information than was initially thought; since nobody knew the network was compromised, the company would not have been on heightened alert during that period.

The firm disclosed in a breach notice that the threat actors gained access to its email and document storage system, which is used by a number of News Corp companies. The affected employees' personal and health information was obtained, although the corporation has said that the activity does not appear to have been focused on exploiting personal information.
The Wall Street Journal, the New York Post, and the company's news operations in the United Kingdom were among the News Corp publications compromised in the breach. Names, birth dates, Social Security numbers, driver's license numbers, passport numbers, bank account information, and medical and health insurance information were among the pieces of personally identifiable information accessed.

News Corporation has indicated in the past that the assailants had links to China and were probably engaged in espionage operations to gather information for the benefit of China’s objectives.

The New York Post admitted it had been hacked in October 2022, after discovering that its website and Twitter account had been used to publish offensive content targeting several U.S. politicians. The newspaper later disclosed that one of its own employees was responsible for the incident, and that individual was terminated once their role was uncovered.

Tags: DOW JONES, FOX NEWS, THE SUN


Feb 27 2023

Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

Category: MalwareDISC @ 1:09 pm
RIG Exploit Kit

The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.

“RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.

“Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”

Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.

The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.

As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.

The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”

“The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”
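To make the gating step concrete, here is an added Python example (not from PRODAFT's report or from any RIG EK sample) that does what the exploit server is described as doing: parse the User-Agent, extract the browser family and major version, and compare it against a table of "vulnerable" versions. The version cut-offs and exploit labels are placeholders, not RIG's real configuration, and the proxy-log lines are constructed. Pointed at your own proxy logs, the same logic lists which clients the gate would have served an exploit to, which is a quick way to find browsers that need updating.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical "vulnerable version" table in the shape an exploit server keeps:
# browser family -> (highest major version still treated as exploitable, exploit label).
# The cut-offs and labels are assumptions for illustration, not RIG EK's configuration.
VULNERABLE_VERSIONS = {
    "MSIE": (11, "ie-scripting-engine-exploit"),
    "Chrome": (89, "chrome-renderer-exploit"),
    "Firefox": (78, "firefox-js-exploit"),
}

# Order matters: IE 11 identifies itself with "Trident/... rv:11" rather than "MSIE",
# and Chromium-based Edge carries a "Chrome/" token, so it is treated as Chrome here.
UA_PATTERNS = [
    ("MSIE", re.compile(r"Trident/[\d.]+.*?rv:(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
]


def parse_user_agent(ua: str) -> Optional[Tuple[str, int]]:
    """Return (browser family, major version), or None for unrecognised clients."""
    for browser, pattern in UA_PATTERNS:
        match = pattern.search(ua)
        if match:
            return browser, int(match.group(1))
    return None


def select_exploit(ua: str) -> Optional[str]:
    """Mimic the exploit server's gate: hand out an exploit label only when the
    reported browser version falls inside the vulnerable range, otherwise nothing
    (a real kit typically serves a harmless page to non-matching visitors)."""
    parsed = parse_user_agent(ua)
    if parsed is None:
        return None
    browser, major = parsed
    max_vulnerable, exploit = VULNERABLE_VERSIONS[browser]
    return exploit if major <= max_vulnerable else None


# Constructed proxy-log excerpt (not real traffic): (client IP, request, User-Agent).
SAMPLE_PROXY_LOG = [
    ("10.0.0.5", "GET /landing.html",
     "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("10.0.0.6", "GET /landing.html",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/110.0.0.0 Safari/537.36"),
    ("10.0.0.7", "GET /landing.html",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"),
    ("10.0.0.8", "GET /landing.html", "curl/7.88.1"),
]


def exposed_clients(log) -> List[Tuple[str, str]]:
    """Defender's view: which clients would the gate above serve an exploit to?"""
    return [(ip, exploit) for ip, _, ua in log if (exploit := select_exploit(ua))]


if __name__ == "__main__":
    for ip, exploit in exposed_clients(SAMPLE_PROXY_LOG):
        print(f"{ip} would be served {exploit}")
```

The User-Agent is entirely under the client's control, which is why honeyclients that crawl suspected landing pages spoof an old Internet Explorer string: the kit only reveals its exploit to a visitor that looks vulnerable.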

Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.

For more details:

https://thehackernews.com/2023/02/researchers-share-new-insights-into-rig.html

Tags: Exploit Kit, Malware Analysis


Feb 27 2023

“Understanding Cyber Risk Quantification: The Buyer’s Guide” by Jack Jones

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:42 am

Version 2 Updated for Release – February 2023. 

From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn’t), its value proposition and limitations, and facts regarding the misperceptions that are commonplace. 

If you’re considering or are actively shopping for an analysis solution that treats cyber risk in financially-based business terms, Jack’s extensive, jargon-free guide — including an evaluation checklist — will give you the objective and practical advice you need.

And just in time. There’s never been more interest or, frankly, confusion in the marketplace over what exactly is cyber risk quantification. As you’ll read in this buyer guide, many solutions may count vulnerabilities, provide ordinal values, or deliver numeric “maturity” scores but don’t measure risk, let alone put a financial value on it to help make business decisions.

This paper answers questions such as:

  • What does CRQ provide that I’m not already getting from other cyber risk-related measurements?
  • What makes CRQ reliable? Why should I believe the numbers?
  • Do I have enough data to run an analysis?

Jack also provides red flags to look out for in CRQ solutions, such as:

  • Mis-identification of risks.
  • Mis-use of control frameworks as risk measurement tools.
  • Over-simplification that can result in poorly-informed decisions, especially when performed at scale.

The ‘Understanding Cyber Risk Quantification’ guide is designed to be of use to security and risk executives, industry analysts, consultants, auditors, investors, and regulators: essentially anyone who has a stake in how well cyber risk is managed.

Download Below

DOWNLOAD NOW

Tags: CRQ, cyber risk quantification


Feb 27 2023

Hacker Claim Telecom Provider Data Including Source Code, Employee Data Stolen

Category: Data Breach,HackingDISC @ 11:29 am

Telus, a Canadian national telecommunications company, is investigating whether employee data and source code for its systems were stolen and offered for sale on a dark web marketplace.

The threat actor published screenshots that appear to show the company's payroll data and private source code repositories.

“We are investigating claims that a small amount of data related to internal Telus source code and select Telus team members’ information has appeared on the dark web,” Richard Gilhooley, director of public affairs at Telus said in an email. 

“We can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data.”

Source Code, Employee Data Stolen

A threat actor offered what they claimed to be TELUS’ employee list (including names and email addresses) for sale on a data breach forum on February 17.

“Today we’re selling email lists of Telus employees from a very recent breach. We have over 76k unique emails and on top of this have internal information associated with each employee scraped from Telus’ API”, the forum post says.

The post provides what looks to be a list of email addresses for Telus employees as proof. “It isn’t known if these are the current or former staff — or even real”.

Later on Tuesday, February 21, the same threat actor published a new forum post with an offer to sell TELUS’ private GitHub repositories, source code, and payroll data.

“In the repositories are the backend, frontend, middleware [information,] AWS keys, Google auth keys, Source Code, Testing Apps, Staging/Prod/testing, and more!” says the seller’s latest post.

[Screenshot: the claimed TELUS data and source code, posted as a sample data set in the seller's second forum post]

The seller also claimed that the stolen source code includes the company’s “sim-swap-api,” which, according to the seller, would allow attackers to conduct SIM swap attacks.

Despite the attacker calling this a “Full breach” and stating that they will sell “anything related to Telus,” it is still too soon to say whether an incident actually occurred at TELUS itself or whether a third-party vendor was breached.

“It’s important to note that it’s not clear whether the data being sold is real”, commented Brett Callow, a British Columbia-based threat analyst for Emsisoft. 

“If it is real, this is a potentially serious incident which exposes Telus’ employees to increased risk of phishing and social engineering and, by extension, exposes the company’s customers to risk”. 

“The alleged exposure of the private Github repositories, supposedly including a sim-swap API, represents an additional tier of potentially significant risk.”
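The seller's claim that the repositories hold AWS and Google keys illustrates a recurring supply-chain problem: credentials committed to source. As an added example (not TELUS code or data), the following Python scanner checks a checkout for the public formats of AWS access key IDs, AWS secret keys, Google API keys and PEM private-key blocks, and reports redacted matches. The sample repository snapshot is constructed; the AWS values in it are the placeholder credentials used in AWS's own documentation.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Credential formats that commonly end up committed to repositories. The AWS
# access-key-ID and Google API-key shapes are publicly documented formats; the
# secret-key pattern keys on the variable name because the value itself is
# just 40 base64 characters.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?['\"]([0-9A-Za-z/+=]{40})['\"]"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # redacted, so the report does not re-leak the secret


def redact(value: str) -> str:
    """Keep a short prefix so a finding is recognisable without exposing the value."""
    return value[:6] + "..." if len(value) > 10 else value


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over each line; one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


def scan_files(files: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Scan (path, contents) pairs, e.g. a checkout already read into memory."""
    findings = []
    for path, text in files:
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a checkout on disk. The .git directory is skipped; scan history
    separately (git log -p), since a secret removed from HEAD is still in history."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    found.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return found


# Constructed repository snapshot (not TELUS data). The AWS values are the
# documented placeholder credentials from AWS's own examples.
SAMPLE_REPO = [
    ("config/settings.py",
     'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
     'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'),
    ("web/firebase.js", 'const apiKey = "AIzaSyA-constructed-example-0123456789a";\n'),
    ("README.md", "Run `make build`, then `make test`.\n"),
]

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.preview}")
```

A scanner like this belongs in a pre-commit hook and in CI, but it only finds what it has a pattern for; treat any key that has ever been committed as compromised and rotate it, because removing it from the current tree does not remove it from the repository history that an attacker with the repo would also hold.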

Tags: data breach, telecom security incidents


Feb 26 2023

10 Best selling information security risk management books

Here are some of the best-selling books on information security risk management:

  1. “Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler
  2. “The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice” by Jason Andress and Steven Winterfeld
  3. “Security Risk Assessment: Managing Physical and Operational Security” by John M. White
  4. “IT Risk: Turning Business Threats into Competitive Advantage” by George Westerman and Richard Hunter
  5. “Information Security Risk Management: Understanding ISO 27001” by Alan Calder and Steve Watkins
  6. “Risk Management Framework: A Lab-Based Approach to Securing Information Systems” by James Broad and Andrew Green
  7. “Cybersecurity and Infrastructure Protection: Background, Policy, and Issues” by Thomas A. Johnson
  8. “The Manager’s Guide to Cybersecurity Law: Essentials for Today’s Business” by Tari Schreider
  9. “NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems” by the National Institute of Standards and Technology
  10. “Information Security: Principles and Practices” by Mark Merkow and Jim Breithaupt

InfoSec Risk Assessment

ISO 27001/ISO 22301 RISK ASSESSMENT TOOLKIT

Tags: Security Risk Assessment, security risk management


Feb 25 2023

10 Best Selling Security Hacking Books

Best Selling #InfoSec Hacking Books

  1. “The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers” by Kevin Mitnick
  2. “Hacking: The Art of Exploitation” by Jon Erickson
  3. “Metasploit: The Penetration Tester’s Guide” by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni
  4. “Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz
  5. “Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman
  6. “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto
  7. “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software” by Michael Sikorski and Andrew Honig
  8. “Gray Hat Hacking: The Ethical Hacker’s Handbook” by Allen Harper, Daniel Regalado, Ryan Linn, Stephen Sims, and Branko Spasojevic
  9. “The Hacker Playbook 2: Practical Guide To Penetration Testing” by Peter Kim
  10. “Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers” by TJ O’Connor
  11. “The Shellcoder’s Handbook: Discovering and Exploiting Security Holes” by Chris Anley, John Heasman, Felix Lindner, and Gerardo Richarte

Ethical Hacking Essentials (EHE)

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: best selling hacking books, best selling InfoSec books


Feb 24 2023

Top 10 infoSec blogs

Category: Information SecurityDISC @ 3:29 pm
Top 10 Cybersecurity Blogs to Follow

Here are the top 10 InfoSec blogs (list generated by ChatGPT):

  1. Krebs on Security – Brian Krebs’ blog is a top resource for in-depth investigative reporting on cybersecurity news, data breaches, and the latest threats.
  2. Schneier on Security – Bruce Schneier is a renowned cybersecurity expert, and his blog offers a deep dive into the latest industry developments, policy issues, and encryption technologies.
  3. Dark Reading – This is a top online news source for cybersecurity professionals, covering a wide range of topics such as threat intelligence, vulnerability management, and cybersecurity trends.
  4. The Hacker News – A leading cybersecurity news website that delivers breaking news and analysis on hacking, cybercrime, and cybersecurity issues.
  5. Threatpost – Another popular cybersecurity news and analysis website that covers a broad range of topics, including malware, phishing, data breaches, and more.
  6. SecurityWeek – This website offers the latest information on cybersecurity news, analysis, and research, with a focus on enterprise security, vulnerability management, and threat intelligence.
  7. Graham Cluley – Graham Cluley is a well-known cybersecurity expert who shares his insights and opinions on his blog, covering everything from security news to privacy concerns and cybersecurity culture.
  8. Naked Security by Sophos – This blog by the Sophos cybersecurity company covers a wide range of cybersecurity topics, including malware, phishing, social engineering, and other cyber threats.
  9. SANS Institute – SANS is a trusted cybersecurity training organization, and their blog covers a wide range of cybersecurity topics, including threat intelligence, incident response, and security awareness.
  10. InfoSec Resources – A popular cybersecurity blog that covers a wide range of topics, including cybersecurity news, best practices, and career development.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: InfoSec blog, Top 10 InfoSec blogs


Feb 24 2023

Hackers Use Open-Source Tools to Attack Shipping Companies & Medical Laboratories

Category: Hacking,Security ToolsDISC @ 2:35 pm


It is not uncommon for attackers to use open-source tools against organizations. Such tools are freely available, and the same capabilities serve legitimate administrators, penetration testers, and intruders alike.

In the case of shipping companies and medical laboratories, there are a number of open-source tools an attacker could use. For reconnaissance they may use Nmap to map hosts and exposed services, or Wireshark to inspect captured network traffic for weaknesses. They may then use frameworks such as Metasploit, or the commercial but widely pirated Cobalt Strike, to exploit the weaknesses found and gain unauthorized access to systems and data.

Once they have a foothold, attackers may use tools such as Mimikatz to harvest passwords and other credentials from memory. They may also use remote-access tools such as DarkComet or the Metasploit Meterpreter payload to maintain access to compromised systems and exfiltrate sensitive data.

To protect against these types of attacks, it’s important for organizations to take a number of steps, including:

  1. Implementing strong access controls and authentication mechanisms to prevent unauthorized access to systems and data.
  2. Regularly patching and updating software and systems to address known vulnerabilities.
  3. Using security monitoring tools to detect and respond to potential security incidents.
  4. Providing regular security awareness training to employees to help them identify and respond to security threats.
  5. Conducting regular security assessments to identify and address vulnerabilities in the organization’s network and systems.

There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.

It is a previously unseen threat group, dubbed Hydrochasma, that is actively targeting shipping companies and medical laboratories involved in COVID-19 treatment and vaccine research.

Symantec, a Broadcom company, has been tracking the group's activity since October of last year. Its ultimate aim appears to be the acquisition of valuable information.

Modus Operandi of Attack

Hydrochasma's modus operandi is notable in that it relies on open-source tools and living-off-the-land (LotL) techniques during its attacks. This lets the group carry out its activities while leaving few artifacts that could tie the intrusions to a specific actor.

This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.

The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin. 

The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:- 

  • To evade attribution efforts
  • To enhance the stealthiness of their attacks

By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.

Attack Chain

Hydrochasma most likely gains initial access through a phishing email. The first sign of the group's presence on a targeted system is often a lure document whose file name is crafted to look like an email attachment written in the native language of the victim organization.

This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-

  • Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
  • University-Development Engineer[.]exe

Once the attacker gains access to a machine, they use that access to deploy Fast Reverse Proxy (FRP), an open-source tunnelling tool that can expose servers located behind a firewall or NAT to the public internet.

Tools Used

Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-

  • Gogo scanning tool
  • Process Dumper (lsass.exe)
  • Cobalt Strike Beacon
  • AlliN scanning tool
  • Fscan
  • Dogz proxy tool
  • SoftEtherVPN
  • Procdump
  • BrowserGhost
  • Gost proxy
  • Ntlmrelay
  • Task Scheduler
  • Go-strip
  • HackBrowserData

It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used. 

Symantec's researchers found no evidence that data was taken from any of the targeted computers. However, the tools Hydrochasma deploys provide remote access to compromised systems, which could be used to extract data.

This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.
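The tool list above is mostly dual-use software, so detection has to key on behaviour rather than on a malware signature. The following Python script is an added example (not from Symantec's report or any Hydrochasma sample) of what the "security monitoring" step in the mitigation list earlier in this post looks like in practice: a handful of rules run over Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records, flagging the behaviours this group's toolkit produces: an LSASS dump via Procdump, a suspicious handle opened on lsass.exe, a frp or gost tunnel binary starting, and a scheduled task being created. The events are constructed for the example; the Sysmon field names and event IDs are real, but the access-mask list and the allowlist are assumptions to be tuned per environment.

```python
import ntpath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Processes that legitimately open LSASS with broad access (assumption: extend per environment).
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe", "services.exe"}
# Access masks that community detection rules associate with LSASS dumping
# (PROCESS_ALL_ACCESS and the VM_READ/QUERY_INFORMATION combinations dump tools request).
SUSPICIOUS_LSASS_ACCESS = {0x1FFFFF, 0x1F3FFF, 0x1F1FFF, 0x1010, 0x1410, 0x1418, 0x1438, 0x143A}
# Tunnelling binaries from the Hydrochasma tool list (on-disk names are easily changed, see below).
TUNNEL_BINARIES = {"frpc.exe", "frps.exe", "gost.exe", "vpnclient.exe"}


def _basename(path: object) -> str:
    return ntpath.basename(str(path or "")).lower()


def _tool_name(ev: Event) -> str:
    """Prefer the PE's OriginalFileName (survives renaming); fall back to the on-disk name
    for binaries, such as Go-built frpc, that carry no version resource."""
    orig = str(ev.get("OriginalFileName") or "").lower()
    if orig and orig not in ("-", "?"):
        return orig if orig.endswith(".exe") else orig + ".exe"
    return _basename(ev.get("Image"))


def rule_lsass_dump_via_procdump(ev: Event) -> bool:
    return (ev.get("EventID") == 1
            and _tool_name(ev).startswith("procdump")
            and "lsass" in str(ev.get("CommandLine", "")).lower())


def rule_lsass_handle_open(ev: Event) -> bool:
    if ev.get("EventID") != 10 or _basename(ev.get("TargetImage")) != "lsass.exe":
        return False
    try:
        access = int(str(ev.get("GrantedAccess", "0")), 16)
    except ValueError:
        return False
    return (access in SUSPICIOUS_LSASS_ACCESS
            and _basename(ev.get("SourceImage")) not in LSASS_ACCESS_ALLOWLIST)


def rule_reverse_proxy_tunnel(ev: Event) -> bool:
    return ev.get("EventID") == 1 and _tool_name(ev) in TUNNEL_BINARIES


def rule_scheduled_task_persistence(ev: Event) -> bool:
    return (ev.get("EventID") == 1
            and _tool_name(ev) == "schtasks.exe"
            and "/create" in str(ev.get("CommandLine", "")).lower())


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("lsass_dump_via_procdump", rule_lsass_dump_via_procdump),
    ("lsass_handle_open", rule_lsass_handle_open),
    ("reverse_proxy_tunnel", rule_reverse_proxy_tunnel),
    ("scheduled_task_persistence", rule_scheduled_task_persistence),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed Sysmon-style events (not from a real incident).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Users\Public\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\ProgramData\frpc.exe", "OriginalFileName": "-",
     "CommandLine": "frpc.exe -c frpc.ini"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\ProgramData\frpc.exe /sc onlogon"},
]

if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Matching on OriginalFileName rather than the on-disk name catches the common trick of renaming procdump.exe, as the constructed pd.exe event shows; the frpc entry shows the fallback to the image name for Go binaries that carry no version resource. In production, feed the rules from the Sysmon JSON exported by your log pipeline and add hash-based matching for the tools in the list, since neither name is under the defender's control.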

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Previous posts on Security Tool

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Open-Source Tools


Feb 24 2023

Cloud Security Protecting Your Data in The Cloud

Category: Cloud computingDISC @ 10:34 am

By following these best practices, you can improve the security of your cloud-based data and applications.

Cloud computing has revolutionized how we store and process data, but it has also introduced new security risks. As more businesses move to the cloud, securing the data they place there becomes essential.

Here are some steps you can take to ensure that your cloud environment is secure:

Choose a reputable cloud provider: not all cloud providers offer the same level of security. Select one with a good security track record and strict, documented security controls.

Secure your data in transit and at rest: encrypt data both in transit and at rest so that it remains readable only to authorized users, which limits the damage from a breach.

Implement strong access controls: restrict access to cloud resources to authorized users only and require multi-factor authentication.

Monitor your cloud environment regularly: deploy tools that watch your cloud environment for unusual activity or signs of a breach, so that threats are identified early and their impact contained.

Plan for disaster recovery: implement and test a disaster recovery plan, with backups that let you restore data and applications after a security breach or other catastrophe.

Educate your employees: train staff on the risks of cloud computing and on how to protect the data they handle.

With these steps, you can protect your business from cyber threats and ensure the security of your cloud-based data. Take action today to protect your valuable assets by ensuring your business is secure.

What are the three categories of cloud security?

With the advancement of cloud computing, businesses can now store, process, and share massive amounts of data more easily and efficiently than ever before. Cloud computing, like any technology, carries inherent security risks.

Three categories of cloud security can assist in mitigating these risks: physical security, operational security, and data security.

Physical Security

Physical security refers to the measures the cloud service provider takes to protect its physical infrastructure. These actions include access controls, surveillance, and environmental controls, and those used in data centers play a crucial role in preventing unauthorized access.

Operational Security

A cloud service provider’s operational security refers to the processes and policies to manage their business operations. This process includes several measures, such as change management, incident response, and business continuity planning. Your cloud services must be protected against active cyber threats to ensure reliability and availability.

Data Security

Data security refers to the measures that protect your data itself, such as encryption, access controls, and data backups. Effective data security measures are essential to ensure the confidentiality, integrity, and availability of your sensitive data.

In the cloud, each of these categories of security is essential for protecting your business from cyber threats and ensuring the safety and security of your data.

When you work with a reputable cloud service provider and implement best practices for physical, operational, and data security, you can minimize the risks of cloud computing and take advantage of the benefits of this revolutionary technology. Take advantage of the cloud with confidence and peace of mind by embracing security concerns.

Cybersecurity and the Cloud: What You Need to Know

Cloud computing has become increasingly important as more and more businesses move their data and applications to the cloud.

Key considerations for cybersecurity in the cloud:

Understand your responsibilities:

When you use cloud services, you share security responsibility with the cloud provider. Know which security aspects are yours and which are the provider's.

  • Choose your provider carefully: when it comes to security, not all cloud providers are equal. Research the provider and pick one with a good security record.
  • Use strong authentication: require multi-factor authentication for all cloud users.
  • Encrypt your data: data must be encrypted in transit and at rest, so that only authorized persons can read it even if it is exposed.
  • Monitor your data: use security tools to watch for unusual activity or signs of a breach; detecting issues early limits their impact.

Cloud Security: How to Protect Your Data in the Cloud.

The increasing amount of data stored online in cloud-based systems has made cloud security a growing concern for businesses and individuals. You will learn cloud security basics, from recognizing potential cyber threats to protecting your data.

Cloud security risks.

Data breaches and denial-of-service (DoS) attacks are among the risks associated with cloud security. Protecting yourself requires an understanding of the common types of threats.

It is common for cloud security threats to include malicious outsiders such as hackers, insider threats from employees and contractors with access to your data, misconfigurations that leave your data vulnerable, and disasters that may cause data loss. When you understand the risks associated with storing your data in the cloud, you can develop effective strategies for mitigating them.

Set up Multi-Factor Authentication.

Multi-factor authentication (MFA) is one of the best ways to protect your cloud environment. It adds a layer of security by requiring users to present two or more factors, such as a password plus a one-time code. It ensures that only authorized people can access your data and makes it much harder for attackers to compromise accounts by guessing passwords or using stolen credentials. Note that codes sent by email or text message are the weakest form of second factor, since they can be intercepted or phished; prefer an authenticator app or a hardware security key where the provider supports them.

Update security software and patches regularly.

Endpoint security software should be installed and kept current, and threat-intelligence feeds maintained. It is also essential to patch your systems regularly so that there are no known vulnerabilities left for attackers to exploit; systems that do not receive regular updates remain exposed. Other users on the system must also stay up to date, so make sure everyone understands the importance of patching and security maintenance.

Create rules for permissions and user access.

Cloud services should be protected from unauthorized access. Define user access and permission rules in a written policy that states what data users can access and edit and sets boundaries for authorized users and applications. Consider assigning each employee a distinct role, so that each user can only view information relevant to their job.

Prepare a Breach and Attack Recovery Plan.

Any business operating in the cloud needs a disaster recovery plan. Specifically, the plan should describe how the team responds to a data breach or cyber attack, how to contact potential victims, how to recover files and systems, and how to reduce the risk of recurrence.

Cloud Security: Protecting Your Data

Cloud security is the practice of protecting your data and applications that are stored in the cloud. As more and more businesses move their data to the cloud, ensuring the security of that data has become increasingly important.

Here are some steps you can take to protect your data in the cloud:

  1. Use strong passwords and two-factor authentication: use strong, unique passwords for all of your accounts and enable two-factor authentication wherever possible. This helps prevent unauthorized access to your accounts.
  2. Encrypt your data: encryption converts your data into ciphertext that can only be read with the right key. This is an effective way to protect your data from unauthorized access.
  3. Choose a reputable cloud provider: When choosing a cloud provider, look for one that has a strong track record of security and compliance. Make sure they have proper encryption, backup and disaster recovery plans in place.
  4. Keep your software up to date: Make sure to keep all of your software, including your cloud applications, up to date with the latest security patches.
  5. Limit access to your data: Only give access to your cloud data to those who need it. You can use access controls to limit who can view, edit, or delete your data.
  6. Backup your data: Make sure to regularly back up your cloud data. This will ensure that you can still access your data even if there is a security breach or outage.

By taking these steps, you can help protect your data in the cloud and ensure that your business stays secure.
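Most of the advice above reduces to one policy question: who may do what, to which resources, under which conditions. The following Python example (added here; not from any provider's documentation) shows an over-broad AWS IAM policy next to its least-privilege rewrite, plus a small linter that flags the weaknesses the "limit access" and MFA steps are meant to remove: wildcard actions, a wildcard resource, an Allow that is not gated on MFA, and no TLS-only condition. The condition keys aws:MultiFactorAuthPresent and aws:SecureTransport are real AWS global condition keys; the bucket name and the policies themselves are constructed.

```python
import json
from typing import Any, Dict, List

# Constructed policies for illustration. WEAK_POLICY is the broad grant that
# often appears in quick setups; HARDENED_POLICY is its least-privilege rewrite.
# aws:MultiFactorAuthPresent and aws:SecureTransport are real AWS global
# condition keys; the bucket name is a placeholder.
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

HARDENED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Only the two operations the application needs, on one prefix,
            # and only from an MFA-authenticated session over TLS.
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-data/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true",
                                   "aws:SecureTransport": "true"}},
        },
        {
            # Explicit deny for plaintext HTTP; an explicit Deny wins over any Allow.
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    statements = _as_list(policy.get("Statement", []))

    all_conditions = " ".join(json.dumps(s.get("Condition", {})) for s in statements).lower()
    if "aws:securetransport" not in all_conditions:
        findings.append("policy: no aws:SecureTransport condition, plaintext access is not blocked")

    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = [str(a).lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        condition = json.dumps(st.get("Condition", {})).lower()
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: grants access to every resource")
        if "aws:multifactorauthpresent" not in condition:
            findings.append(f"statement {i}: allow is not gated on MFA")
    return findings


def lint_policy_file(path: str) -> List[str]:
    """Lint a policy document saved as JSON, e.g. one exported from the console."""
    with open(path, encoding="utf-8") as fh:
        return lint_policy(json.load(fh))


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or ["ok"])
```

One caveat worth knowing: aws:MultiFactorAuthPresent is absent, not false, for requests signed with long-term access keys. Gating an Allow on Bool true therefore refuses those requests, which is what you want; a Deny written with Bool false would not apply to them, so a Deny must use BoolIfExists instead.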

Previous posts on Cloud Computing Security

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: cloud security


Feb 23 2023

HOW CHINESE APT HACKERS STOLE LOCKHEED MARTIN F-35 FIGHTER PLANE TO DEVELOP ITS OWN J-20 STEALTH FIGHTER AIRCRAFT

Category: Cyber EspionageDISC @ 3:19 pm

According to a recent security report, the Chinese government has resorted to hacking, cyberwarfare and corporate espionage to advance its ambitious defense program, compromising the systems of firms such as Lockheed Martin to obtain classified information useful to its own projects.

Peter Suciu, a renowned researcher, says China is an actor that should be taken seriously, especially on military issues. This is not the first such report: as early as 2019 the Pentagon accused the Chinese military of resorting to what it called “cyber theft” and other methods to achieve major military improvements.

The story goes back to 2007, when Lockheed Martin discovered that a Chinese hacking group had been stealing technical documents related to the F-35 program; a similar theft occurred when attackers working for Beijing compromised the network of an Australian F-35 subcontractor.

These reports lead experts to believe that the Chinese have acquired a wealth of crucial information and data for these programs, including the development of the Chinese J-20 fighter jet, also known as “Mighty Dragon.” Suciu himself claims that the creation of these aircraft would have been impossible without the information stolen from Lockheed Martin.

In connection with these reports, Business Insider published a report detailing the clear similarities in appearance and engineering between American aircraft and those created by the Chinese government. In addition, the report not only emphasizes the similarity of these aircraft, but also states that the sensor systems used by the Chinese government are virtually identical to the electro-optical guidance employed by Lockheed Martin in the Lightning II model, further evidence of espionage against the company.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

In 2007, Chinese Advanced Persistent Threat (APT) hackers targeted the computer networks of defense contractor Lockheed Martin, which was working on the development of the F-35 Lightning II fighter jet. The APT hackers gained access to the networks by using spear-phishing attacks to trick employees into downloading malware or providing their login credentials. Once inside the network, the hackers used various techniques to move laterally and gain access to sensitive data.

The hackers were able to steal large amounts of data related to the F-35 program, including design plans, testing results, and software source code. The stolen data allowed China to gain a significant advantage in its own stealth fighter program, the J-20.

The J-20 first flew in 2011, and it bears striking similarities to the F-35. Both aircraft are designed to be stealthy, with angular shapes and features that minimize their radar signature. The J-20 also features advanced avionics and sensor systems, which are similar to those used in the F-35.

The theft of the F-35 data was part of a larger campaign by Chinese APT hackers to steal sensitive information from Western companies and governments. The campaign, which has been ongoing for many years, is believed to be part of China’s broader efforts to modernize its military and develop advanced technologies.

The theft of the F-35 data was a significant blow to U.S. national security, as it gave China valuable insights into one of the most advanced fighter jets in the world. It also highlighted the need for stronger cybersecurity measures and better protection of sensitive data.


Tags: cyber espionage


Feb 23 2023

How advancing cyber education can help fill workforce gaps

Category: Cyber career | DISC @ 2:10 pm

The ongoing cybersecurity skills shortage is a critical issue plaguing organizations and causing serious problems. The lack of trained and qualified professionals in the field has resulted in numerous security breaches, leading to the loss of large amounts of money.

In this Help Net Security video, José-Marie Griffiths, President of Dakota State University, discusses how this shortage is not just a mere inconvenience but a major threat compromising the safety and security of companies and putting the sensitive information of their clients and customers at risk.

With each passing day, the consequences of this shortage become more and more severe, making it imperative for organizations to take immediate action and find ways to address this critical challenge.


Advancing cyber education can help fill workforce gaps in several ways:

  1. Meeting the growing demand for cybersecurity professionals: With the increasing number of cyber threats and attacks, there is a growing demand for cybersecurity professionals. Advancing cyber education can help produce more skilled professionals to fill the gap.
  2. Increasing the number of qualified candidates: Cybersecurity positions often require specific skills and certifications. Advancing cyber education can help increase the number of qualified candidates by providing them with the necessary skills and certifications.
  3. Addressing the skills gap: The skills gap in cybersecurity is a major challenge for employers. Advancing cyber education can help address the skills gap by providing education and training programs that are tailored to the needs of the industry.
  4. Encouraging diversity: Cybersecurity has historically been a male-dominated field, and there is a lack of diversity in the workforce. Advancing cyber education can help encourage diversity by providing opportunities for underrepresented groups to enter the field.
  5. Preparing for future threats: Cyber threats are constantly evolving, and it is essential to have a workforce that is prepared to face new challenges. Advancing cyber education can help prepare the workforce to address future threats by providing them with the necessary knowledge and skills.

Overall, advancing cyber education is crucial to fill workforce gaps in cybersecurity and to ensure that the workforce is prepared to address current and future threats.


Tags: cyber education


Feb 22 2023

Login Details of Tech Giants Leaked in Two Data Center Hacks

Category: Hacking, Security Breach | DISC @ 9:54 am

The leaked data includes email addresses, password hashes, names, phone numbers, and more.

Hackers obtained login credentials for several mainstream corporate giants, including Microsoft, Samsung, Uber and Apple, and gained remote access to the entities’ surveillance cameras after attacking two data centers in Asia.

A screenshot from the leaked data shows login credentials for Samsung, Amazon, Uber, Alibaba and more. (Credit: Hackread.com)

This was revealed by the cyber security firm Resecurity. The company originally identified the data breach in September 2021; however, details of it were only revealed to the media now, after hackers leaked the stolen login credentials online on February 20th, 2023.

It is worth noting that these credentials were leaked on Breachforums by a threat actor going by the handle of “Minimalman.” For your information, Breachforums is a hacker and cybercrime forum that surfaced as an alternative to the popular and now-seized Raidforums.

According to Resecurity, hackers accessed two of the largest data center operators in Asia, which are used by several mainstream companies and technology giants. From there, the hackers could obtain customer support logins for high-profile companies, including Amazon, Apple, BMW, Microsoft, Alibaba, Walmart, Goldman Sachs and others.

As seen by Hackread.com on the hacker forum, the threat actors managed to obtain and leak credentials from over 2,000 firms and a Chinese foreign-exchange platform.

The data centers have been identified as Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global. Both data centers reportedly forced all customers to change their passwords in January 2023.


Dangers

The dangers of hackers obtaining login credentials of tech giants such as Apple, Amazon, Microsoft, Samsung and others are numerous and severe. Firstly, such credentials allow hackers to access sensitive customer data, including payment information and personal details, which can lead to identity theft and financial fraud.

Secondly, hackers can use these credentials to gain access to the company’s networks, potentially compromising intellectual property and trade secrets. Additionally, with access to company accounts, hackers can launch cyber attacks against other organizations, amplifying the damage caused by their actions.

Furthermore, a breach of a tech giant’s login credentials can have far-reaching consequences, impacting not only the company and its customers but the wider economy and society as a whole. For instance, if a company like Amazon were to suffer a significant data breach, it could lead to a loss of consumer trust, which could in turn affect the confidence of investors and the stock market.

Moreover, a successful hack of a tech giant’s credentials could inspire copycat attacks, leading to an escalation in cybercrime and potentially destabilizing the digital infrastructure that underpins much of our daily lives.

To mitigate these risks, tech giants must remain vigilant in their cybersecurity measures, ensuring that their systems are regularly updated and that their employees are trained to detect and prevent security breaches.

Companies must also invest in advanced technologies such as machine learning and artificial intelligence to detect and respond to cyber threats in real time. Finally, companies must ensure that they comply with industry standards and regulations related to cybersecurity, such as the General Data Protection Regulation (GDPR), to protect the privacy and security of their customers.

How to protect yourself from a data breach?

There are several steps you can take to protect yourself from a data breach:

  1. Use strong, unique passwords: Use different passwords for each of your accounts and make sure they are strong and difficult to guess. Consider using a password manager to keep track of your passwords.
  2. Enable two-factor authentication: Two-factor authentication adds an extra layer of security to your accounts by requiring you to provide a second form of identification, such as a code sent to your phone, in addition to your password.
  3. Keep your software up to date: Keep your operating system, web browser, and antivirus software up to date to ensure that they have the latest security updates.
  4. Be cautious of suspicious emails: Be wary of emails from unknown senders or emails that contain suspicious links or attachments. These could be phishing emails designed to trick you into giving away your personal information.
  5. Limit your personal information online: Be cautious about sharing personal information online, and only provide it when necessary. Consider using privacy settings on social media to limit who can see your information.
  6. Monitor your accounts: Keep an eye on your accounts for any suspicious activity and report anything out of the ordinary to the appropriate authorities or financial institutions.

By taking these steps, you can help protect yourself from a data breach and minimize the impact if one occurs.

Big Breaches: Cybersecurity Lessons for Everyone 




Tags: Security Breach


Feb 21 2023

Franco-Israeli Gang Linked to $40 Million CEO Scam Busted

Category: Cyber crime, Cybercrime | DISC @ 10:37 am

Europol has dismantled a gang linked to a $40 million CEO scam. Find out more about how this international criminal syndicate was uncovered and who was involved.

The email scam gang behind France’s largest-ever CEO scam has been dismantled after a coordinated police operation across multiple countries was successful in arresting six people in France and two in Israel. 

The Europe-wide operation to track down the Franco-Israeli criminal organization involved the Croatian National Police, the Croatian Anti Money Laundering Office, the French National Police, the French Gendarmerie, the Hungarian Budapest Metropolitan Police, the Israel Police, the Portuguese Judicial Police, and the Spanish National Police.

Law enforcement authorities involved in the operation (Image: Europol)

In early December 2021, one of the gang members, now arrested as a suspect, impersonated the CEO of a metallurgy company in northeastern France and tricked the accountant into making an urgent and confidential transfer of €500,000 ($530,000) which was subsequently spotted and blocked. 

In late December 2021, according to Europol’s press release, Sefri-Cime, a real-estate developer, fell victim to the same group after its members impersonated lawyers working for a well-known French accounting firm. According to Europol, they persuaded the Chief Financial Officer (CFO) to transfer almost €38 million ($40 million) altogether.

The criminal network, consisting of French and Israeli nationals, used a pre-existing money laundering scheme that laundered the funds via European countries, China, and then Israel. An investigation that followed revealed the money mules working for the gang in Croatia, Portugal, and Hungary.

The police were able to seize electronic equipment and vehicles, €3 million from Portuguese bank accounts, €1.1 million from Hungarian bank accounts, €600,000 from Croatian bank accounts, €400,000 from Spanish bank accounts and €350,000 in virtual currencies.

The operation continued for five days between January 2022 and 2023 in France and Israel, leading to eight house searches and eight arrests, including the alleged Israeli gang leader, according to Europol.



Tags: Cyber Crime Scams and Fraud


Feb 20 2023

Social engineering, deception becomes increasingly sophisticated

Category: social engineering | DISC @ 12:06 pm

Social engineering techniques are becoming increasingly sophisticated and are exploiting multiple emerging means, such as deep fakes.

The increasing use of videoconferencing platforms and the various forms of remote work adopted in the period after the Covid emergency make interpersonal collaboration increasingly virtual. This scenario must force organizations to prepare adequately to recognize impersonation attempts based on social engineering attacks, which are proving increasingly sophisticated due to the rapid advancement of deepfake technology.

Deepfake technology: what is it?

The word deepfake, which originates from a combination of the terms “deep learning” and “fake,” refers to digital audio/video products created through artificial intelligence (AI) that could allow one to impersonate an individual in likeness and voice during a video conversation. This is done through deep learning methodologies such as the Generative Adversarial Network (GAN), i.e., a group of neural network models for machine learning designed to teach computers how to process information by emulating the human brain.


Deepfake and phishing

The accessibility and effectiveness of deepfake technology have led cybercrime to use it for sophisticated social engineering attacks for the purpose of extortion, fraud, or to cause reputational damage. Consider the impact of a voice phishing attack that replicates the voices of a company’s stakeholders to persuade employees to take a series of actions that could harm security and privacy, or the effectiveness of a phone call with simulated voices for the purpose of convincing an employee to send funds to an offshore bank account.

Aggravating factors

Further aggravating the situation is the availability of deepfake tools offered as a service on clandestine web forums, which make it easier and cheaper for criminal actors with limited technical skills to set up these fraud schemes, together with the large number of images and videos posted by users of social media platforms, which deep learning algorithms can process to generate deepfake content.

Mitigation

Although there is still no simple and secure way to detect deepfakes, there are still some best practices that can be adopted:

  • Add additional security and protection processes. Having secondary verification methods, such as a dual approval process for financial transactions, correspondence monitoring, and 2FA, should always be considered an indispensable prevention solution;
  • Use artificial intelligence itself to recognize deepfakes. An artificial intelligence system might be able to recognize whether an audio/video content has been manipulated by quickly comparing it with known original reference samples or converting an audio track to text to recognize possible malfeasance and decide whether or not to approve a payment transaction;
  • Integrate the concept of deepfake into the risk assessment process and planning for possible crisis scenarios;
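The first mitigation above, a dual approval process for financial transactions, is the control that would have interrupted the CEO scam described in the Feb 21 post, where a single accountant or CFO was persuaded to transfer funds. The following is an added example of such a control, not code from either article or from any vendor: it enforces two distinct approvers who are not the requester, and an out-of-band callback (made by someone other than the requester, to a number from the company directory rather than from the request) before a payment to a new beneficiary or above a threshold is released. The approver roles, the threshold and the request fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed policy values (assumption, not from the article).
CALLBACK_THRESHOLD_EUR = 10_000
AUTHORIZED_APPROVERS = {"cfo", "treasury_lead", "controller"}


@dataclass
class PaymentRequest:
    request_id: str
    requester: str                   # whoever keyed the transfer (e.g. the accountant)
    beneficiary_iban: str
    amount_eur: float
    new_beneficiary: bool = True     # first payment to this account?
    approvals: Set[str] = field(default_factory=set)
    callback_verified_by: Optional[str] = None


def approve(req: PaymentRequest, approver: str) -> bool:
    """Record an approval. Refused for unauthorized users and for the
    requester: separation of duties means you never approve your own request."""
    if approver not in AUTHORIZED_APPROVERS or approver == req.requester:
        return False
    req.approvals.add(approver)
    return True


def record_callback(req: PaymentRequest, verifier: str) -> bool:
    """Record that `verifier` confirmed the instruction by phone, using a number
    from the company directory (never one supplied in the request). The
    requester may not be the verifier: they are the person the impersonator
    has already convinced, and a deepfaked voice or a spoofed mail looks
    genuine to them by construction."""
    if verifier == req.requester:
        return False
    req.callback_verified_by = verifier
    return True


def release_decision(req: PaymentRequest) -> Tuple[bool, str]:
    """Decide whether the transfer may be released, and say why not otherwise."""
    if len(req.approvals) < 2:
        return False, "needs two distinct approvers"
    needs_callback = req.new_beneficiary or req.amount_eur >= CALLBACK_THRESHOLD_EUR
    if needs_callback and req.callback_verified_by is None:
        return False, "out-of-band callback required for new beneficiary or large amount"
    return True, "released"


if __name__ == "__main__":
    # Constructed scenario: an "urgent and confidential" instruction of 500,000 EUR.
    req = PaymentRequest("R-1", "accountant", "XX00 CONSTRUCTED IBAN", 500_000.0)
    approve(req, "cfo")
    approve(req, "controller")
    print(release_decision(req))          # blocked until someone calls back
    record_callback(req, "treasury_lead")
    print(release_decision(req))
```

Note that the channel the instruction arrived on (mail, video call, phone) is deliberately not an input to the decision: the point of the control is that no single channel, however convincing, releases money on its own.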

Outlook

Although technology will continue to evolve and it will become increasingly difficult to detect deepfakes, fortunately detection technologies will also improve. But the task for insiders to better protect themselves and their organizations from a variety of cyberattacks will have to be not only to keep abreast of evolving counter techniques and implement them in a timely manner, but also, and most importantly, to raise awareness in their organizations by focusing on training employees of all ranks.
The human factor must always be considered as the first bastion of defense, even and especially against the most sophisticated cyber attacks.

About the author: Salvatore Lombardo

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Twitter @Slvlombardo



Tags: deception, social engineering


Feb 20 2023

Active Directory Penetration Testing Checklist – 2023

Category: Windows Security | DISC @ 10:11 am

This article covers Active Directory penetration testing and can help penetration testers and security experts who want to secure their network.

Active Directory is a directory service that Microsoft developed for Windows domain networks; testing it is commonly called “AD penetration testing”. Using Active Directory, you can control the domain computers and the services running on every node of your domain.

Also Read: Active Directory Kill Chain Attack & Defense Guide

Active Directory Penetration Testing

In this section we have several levels. The first level is reconnaissance of your network: every user can enter a domain by having an account on the domain controller (DC).


All of this information can be gathered by an ordinary AD user. A username has two parts: the first is the domain name and the second is your username, as in the reconnaissance commands below.

Reconnaissance Commands:

c:\> net user

By running this command in CMD (Command Prompt) you can easily see the local users on your PC.

c:\> whoami

This command shows the current user logged in to Active Directory.

c:\> whoami /groups

This command shows the groups of the current user.

c:\> net user /domain

This command shows all users from every group in Active Directory.
You can also see a user’s groups by running this command:

c:\> net user [username] /domain

To get a better overview, you can use the “AD Recon” script. AD Recon is a script written by “Sense of Security”.

It is about 12 thousand lines of PowerShell and gives you a good overview of AD and all the information you will need.

You can download this script from GitHub: https://github.com/sense-of-security/ADRecon. Screenshots of the report produced by this tool:

Picture 2 – List of AD Groups; Picture 3 – List of DNS Record Zones

Once you have all the AD users, you should take a look at the group policy. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. In the group policy you can see environment policies such as the “Account Lockout Policy”.

This is a mechanism that protects network users from password-guessing attacks. You can also see the “Password Policy”: a password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.

When you have all the data you need, you can execute different attacks on users, such as:

Brute Force Active Directory

To brute-force Active Directory accounts, you can use Metasploit Framework auxiliaries. You can use the auxiliary below:

msf > use auxiliary/scanner/smb/smb_login

In the options of this auxiliary you can set a username file, a password file, and an IP address that has the SMB service open.

Then you can run the auxiliary by entering the “run” command.

If you try wrong passwords more times than the Account Lockout Policy allows, you will see the message “Account Has Been Locked out”.

If you do this on all accounts, every user will be locked out and you will cause disruption in the network. As you can see from the Password Policy, you can build your password list for brute-forcing accordingly.

All hashes are stored in a file named “NTDS.dit” in this location :

C:\Windows\NTDS

You can extract hashes from this file using mimikatz. mimikatz has a feature that uses the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file; you can run it as shown below:
mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv

Then you can see the hashes and the passwords (where a password can be recovered).
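From the defender’s side, both attacks in this section leave distinct traces on the domain controller: the SMB brute force produces bursts of failed logons (event 4625, followed by 4740 lockouts once the Account Lockout Policy trips), and a DCSync-style dump produces event 4662 entries in which a non-DC account requests the directory replication extended rights. The following is an added example, not from the article or any vendor tooling, of detection logic run over constructed event records. The log format (`key=value` fields separated by `|`), the thresholds and the allow-list of accounts expected to replicate are assumptions; the two replication-right GUIDs are the documented values of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```python
from datetime import datetime, timedelta

# Extended rights a DCSync-style dump requests on the domain partition; they show
# up in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
}
# Assumption: accounts legitimately expected to replicate (DC computer accounts,
# a directory sync service). Anything else requesting these rights is suspect.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$", "MSOL_sync"}

FAIL_THRESHOLD = 5            # 4625s per account+source per window (constructed value)
SPRAY_THRESHOLD = 4           # distinct accounts per source per window (constructed value)
WINDOW = timedelta(minutes=5)

# Constructed sample log: one event per line, key=value fields separated by '|'.
SAMPLE_LOG = """\
time=2023-02-20T10:00:01|event_id=4625|account=jsmith|source_ip=10.0.0.50
time=2023-02-20T10:00:02|event_id=4625|account=jsmith|source_ip=10.0.0.50
time=2023-02-20T10:00:03|event_id=4625|account=jsmith|source_ip=10.0.0.50
time=2023-02-20T10:00:04|event_id=4625|account=jsmith|source_ip=10.0.0.50
time=2023-02-20T10:00:05|event_id=4625|account=jsmith|source_ip=10.0.0.50
time=2023-02-20T10:01:00|event_id=4625|account=alice|source_ip=10.0.0.77
time=2023-02-20T10:01:01|event_id=4625|account=bob|source_ip=10.0.0.77
time=2023-02-20T10:01:02|event_id=4625|account=carol|source_ip=10.0.0.77
time=2023-02-20T10:01:03|event_id=4625|account=dave|source_ip=10.0.0.77
time=2023-02-20T10:05:00|event_id=4662|account=DC02$|source_ip=10.0.0.2|properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
time=2023-02-20T10:06:00|event_id=4662|account=svc_backup|source_ip=10.0.0.99|properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
time=2023-02-20T10:07:00|event_id=4625|account=erin|source_ip=10.0.0.5
"""


def parse_event(line):
    """Turn one constructed log line into a dict with typed time and event_id."""
    ev = dict(part.split("=", 1) for part in line.split("|"))
    ev["time"] = datetime.fromisoformat(ev["time"])
    ev["event_id"] = int(ev["event_id"])
    return ev


def detect_logon_abuse(events):
    """Alert on 4625 bursts: many failures for one account from one source
    (brute force) or one source failing against many accounts (spraying)."""
    fails = sorted((e for e in events if e["event_id"] == 4625), key=lambda e: e["time"])
    alerts = set()
    for i, start in enumerate(fails):
        window = [f for f in fails[i:]
                  if f["time"] - start["time"] <= WINDOW and f["source_ip"] == start["source_ip"]]
        same_account = sum(1 for f in window if f["account"] == start["account"])
        if same_account >= FAIL_THRESHOLD:
            alerts.add(("brute_force", start["source_ip"], start["account"]))
        if len({f["account"] for f in window}) >= SPRAY_THRESHOLD:
            alerts.add(("password_spray", start["source_ip"]))
    return sorted(alerts)


def detect_dcsync(events):
    """Flag 4662 events that request replication rights from an account that is
    neither a domain controller nor a known sync service."""
    alerts = []
    for e in events:
        if e["event_id"] != 4662:
            continue
        rights = set(e.get("properties", "").lower().split(","))
        if rights & REPLICATION_RIGHTS and e["account"] not in REPLICATION_ALLOWLIST:
            alerts.append(("dcsync", e["account"], e["source_ip"]))
    return alerts


def analyze(log_text):
    """Run both detectors over a log and return the alerts by category."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return {"logon": detect_logon_abuse(events), "dcsync": detect_dcsync(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

The 4662 rule is the more valuable of the two: a spray will usually announce itself through lockouts anyway, whereas a replication request from a service account is quiet and, as the article notes, yields every hash in the domain in one go.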

Active Directory includes several services that run on Windows servers; it covers users, groups, applications, printers, and other resources.

It helps server administrators manage the devices connected to the network and includes a number of services such as Domain Services, Certificate Services, Lightweight Directory Services, Federation Services and Rights Management.

Active Directory penetration testing is required for any organization, as APT groups nowadays actively target Active Directory using different techniques.

Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022


Tags: Active Directory Penetration Testing


Feb 17 2023

The Top 10 Most Prevalent MITRE ATT&CK Techniques used by Adversaries

Category: Attack Matrix | DISC @ 1:03 pm

The Top 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries – Report via Picus Security

ATT&CK Matrix for Enterprise


Tags: MITRE ATT&CK


Feb 17 2023

How hackers can cause physical damage to bridges

Category: OT/ICS, Scada Security | DISC @ 11:48 am

In this Help Net Security video, Daniel Dos Santos, Head of Security Research at Forescout, talks about recent research, which has revealed how attackers can move laterally between vulnerable networks and devices found at the controller level of critical infrastructure. This would allow them to damage assets such as movable bridges physically.

This lateral movement lets attackers access industrial control systems and cross often-overlooked security perimeters to cause physical damage: from sensors that measure and detect pressure, temperature, flow and levels of liquids, air, and gases, to analyzers that determine chemical compositions and actuators that enable machines to move. Moving through these devices at the lowest levels, attackers can circumvent built-in functional and safety limitations to cause significant damage or disruption to services, or worse, pose a potential threat to life.

To demonstrate the potential implications, Forescout has built an industry-first proof-of-concept (PoC) which shows how attackers can move laterally on the controller level (Purdue level 1) to cause cyber and physical impact, as illustrated through the scenario of damaging a movable bridge during a closing sequence.

As part of the research, two new vulnerabilities are also being disclosed for the first time, CVE-2022-45788 and CVE-2022-45789, which allow remote code execution and authentication bypass, respectively, on Schneider Electric Modicon Unity Programmable Logic Controllers (PLCs).

Modicon PLCs are used in a wide range of industrial processes and critical infrastructure, including in industries such as water and wastewater, mining, manufacturing, and energy. Whilst these devices should not be accessible online, Forescout has found that close to a thousand PLCs have been exposed, with France (33%), Spain (17%), Italy (15%), and the United States (6%) revealed as the countries with the most exposed devices.

The number of devices visible is just a small indication of the popularity of these PLCs, but these devices also highlight some of the critical facilities that rely on them. For example, several devices were connected to hydro power plants, solar parks and airports.


Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment


Tags: Industrial Cybersecurity, OT/ICS critical infrastructure


Feb 17 2023

Hackers Exploit ProxyShell Flaws to Deploy ProxyShellMiner on Exchange Server

Category: Email Security, Proxy | DISC @ 10:27 am

ProxyShellMiner is being distributed to Windows endpoints by a very elusive malware operation, according to Morphisec.

To generate income for the attackers, “ProxyShellMiner” deploys cryptocurrency miners throughout a Windows domain using the Microsoft Exchange ProxyShell vulnerabilities.

ProxyShellMiner exploits a company’s Windows Exchange servers using the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 to get initial access and distribute crypto miners.

“After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO”, Morphisec reports.

Researchers noticed that the attackers were utilizing four C2 servers. The files the malware depends on are all hosted on legitimate, infected mail servers.

“Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services”, according to Morphisec.

Technical Analysis of the ProxyShellMiner Malware

The malware needs a command line parameter that acts as a password for the XMRig miner component in order to activate.

“This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic”, Morphisec reports.

The parameter serves as an anti-analysis technique and as a password for the XMRig miner

The XOR decryption algorithm, an XOR key, and an embedded dictionary are all used by ProxyShellMiner. The subsequent embedded code modules are then executed using the C# compiler CSC.exe with “InMemory” compile parameters.
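The report does not give the exact layout of the embedded dictionary, so the following is an added example, not Morphisec’s code or the malware’s, that treats it as the simplest case: a blob of NUL-separated strings XOR-ed with a short repeating key. It shows the two things an analyst does with such a sample, decode the dictionary once the key is known, and recover the key from a known-plaintext prefix when it is not (for example when one string is expected to start with a familiar pool hostname). The key and the strings are constructed.

```python
from itertools import cycle
from typing import List


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR: key[i] = c[i] ^ p[i].
    Needs at least key_len bytes of plaintext that line up with the start
    of the ciphertext (or with any offset that is a multiple of key_len)."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decode_dictionary(blob: bytes, key: bytes) -> List[str]:
    """Decode an embedded dictionary of XOR-ed, NUL-separated strings
    (assumed layout; the real sample's layout is not given in the report)."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", errors="replace") for s in plain.split(b"\x00") if s]


def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII bytes; a quick sanity score for a candidate key,
    since a wrong key turns the dictionary into noise."""
    return sum(32 <= b < 127 or b == 0 for b in data) / max(len(data), 1)


# Constructed sample: strings of the kind a miner configuration would carry.
SAMPLE_KEY = b"k3y!"
SAMPLE_STRINGS = ["pool.example.invalid:3333", "wallet=CONSTRUCTED", "schtasks"]
SAMPLE_BLOB = xor_bytes(b"\x00".join(s.encode() for s in SAMPLE_STRINGS), SAMPLE_KEY)


if __name__ == "__main__":
    # An analyst who suspects the first string starts with "pool" can derive the key.
    key = recover_key(SAMPLE_BLOB, b"pool", key_len=4)
    print(key, printable_ratio(xor_bytes(SAMPLE_BLOB, key)))
    print(decode_dictionary(SAMPLE_BLOB, key))
```

The key length itself is usually read straight out of the loader (here it is the length of the command-line parameter the report describes), which is why the recovery step takes it as an argument rather than guessing it.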

The malware then downloads a file with the name “DC DLL” and uses .NET reflection to get the task scheduler, XML, and XMRig key arguments. The decryption of additional files is done using the DLL file.

By setting up a scheduled activity to start when the user logs in, a second downloader achieves persistence on the compromised system. The report says four other files and the second loader are downloaded from a remote resource.

The deobfuscated scheduled task

Using a technique called “process hollowing,” that file determines which of the installed browsers on the hacked system would be used to inject the miner into its memory space. The mining process then starts after selecting a random mining pool from a hardcoded list.

Picking a mining pool

Setting a firewall rule that blocks all outgoing traffic and is applicable to all Windows Firewall profiles is the last stage in the attack chain. This is done to reduce the likelihood that defenders may find infection signs or get notifications about a possible compromise from the compromised system.

“The malware waits at least 30 seconds while the target machine blocks any outbound connection. It does this to tamper with the process runtime behavior analysis of common security solutions”, the researchers write.

Adding a firewall rule to block all outgoing traffic

Final Thoughts

ProxyShellMiner doesn’t just disrupt business networks, drive up power bills, overheat equipment, and stop services from operating. It also gives threat actors a foothold for further malicious activity.

“Once attackers have a foothold in a network, they have deployed web shells, backdoors, and used tunneling utilities to further compromise victim organizations”, Morphisec reports.

Hence, Morphisec encourages all administrators to install all available security updates and employ thorough and all-encompassing threat detection and defense measures to reduce the danger of ProxyShellMiner attacks.

Everything you need to know about ProxyShell vulnerabilities


Tags: Exchange server, ProxyShell Flaws


Feb 16 2023

How to Find Web Server Vulnerabilities With Nikto Scanner

Category: Security Tools, Web Security | DISC @ 10:55 am

Find Web Server Vulnerabilities with Nikto Scanner.

Nikto is an open source web server vulnerability scanner written in Perl. Its function is to scan your web server for vulnerabilities.

Nikto scans for over 6700 items to detect misconfigurations, risky files, etc. Some of its features include:

  • You can save reports in HTML, XML, CSV
  • It supports SSL and Full HTTP Proxy
  • Scan multiple ports on the server
  • Find subdomain
  • Apache user enumeration
  • Checks for outdated components
  • Detect parking sites
  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs

Let’s get started with the installation and how to use this tool.

This can be installed on Kali Linux or other OS (Windows, Mac OSX, Redhat, Debian, Ubuntu, BackTrack, CentOS, etc.), which support Perl.

Also Read- Kali Linux Commands Cheatsheet

In this article, I will explain how to use Nikto on Kali Linux.

First we will install the Nikto tool from GitHub or using the apt install command in the terminal.

Using the help manual of Nikto we can see the various options and parameters for using this tool efficiently.

First we will use the basic syntax to check the vulnerability of the website.

Nikto is also capable of scanning SSL sites on port 443, the port that HTTPS websites use (HTTP uses port 80 by default). So we’re not limited to scanning old sites; we can do vulnerability assessments on sites that use SSL, which is pretty much a requirement these days to be indexed in search results.

If we know it’s an SSL site that we’re targeting, we can specify it in Nikto to save some time on the scan by adding -ssl to the end of the command.

So by using this tool we can analyze the vulnerability of the website.



Tags: Nikto Scanner


Feb 16 2023

What is the tokenization process and why it is so important?

Category: Information Security, pci dss | DISC @ 10:27 am
https://www.hackread.com/what-is-tokenization-process/

A large number of e-commerce payment platforms use effective payment gateway tools and effectively integrate them with an acceptable payment strategy. Today’s e-commerce websites need to integrate anti-fraud tools, renew bank cards, integrate multiple gateways, and manage alternative payment methods.

It is important to get these complex integrations right and bring them together into one functioning system; choosing the right tokenization partner is the key to success in these processes.

What is the tokenization process and why is it needed?

Tokenization is the process of replacing sensitive data, such as credit card numbers, with a unique identifier (the token) while preserving the information that downstream systems need; a tokenization solution uses a unique security key, or a protected mapping, to give confidential data an appropriate level of protection.

Think of tokenization as a secret code that uses a key to retrieve an encrypted message. Some token formats keep the last four digits of the credit card number, while the remaining digits of the token are random.

In this case, you can safely store the token in the database. Anyone with access to this token cannot use it to compromise your credit card account. For these tokens to be used to process credit card transactions, they must be re-linked to the original credit card numbers. Typically, this mapping is performed by a secure third party. All this is done to ensure full security.
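The vault described above, as an added example that is not part of the original article: a random token keeps only the last four digits, the token-to-card mapping lives only inside the vault (the "secure third party"), and tokens are generated to fail the Luhn check so they can never be mistaken for a live card number. The card number used in the comments is the well-known 4111... test number, constructed for illustration.

```python
import secrets
from typing import Dict, Optional

# Added example, not from the article: a minimal card-number token vault of
# the kind the text describes. A card number (PAN) is replaced by a random
# token that keeps only the last four digits; the token-to-PAN mapping lives
# solely inside the vault (the "secure third party"), so a token read from
# the merchant database cannot be turned back into a card number without it.


def luhn_valid(number: str) -> bool:
    """Luhn check: real PANs pass it, and tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token; the same PAN always maps to the same token."""
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("card number must have 13 to 19 digits")
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        last4 = digits[-4:]
        while True:
            # random prefix of the original length, real last four digits kept
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = prefix + last4
            # reject anything that could be mistaken for a live card number
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Map a token back to the PAN; None for tokens this vault never issued."""
        return self._token_to_pan.get(token)


def mask(pan: str) -> str:
    """Display form that shows only the last four digits, e.g. ************1111."""
    return "*" * (len(pan) - 4) + pan[-4:]
```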

Blockchain is a technology that most people associate only with cryptocurrencies. This association is not entirely wrong, since the blockchain was created for the Bitcoin cryptocurrency. However, much has changed since 2009 (the year Bitcoin appeared), and the scope of blockchain technology continues to expand.

One of the key applications of this technology today is tokenization, a secure form of digitization based on the blockchain. The tokenization process consists of assigning a specific value to a symbol, which can exist materially or immaterially: a digital "token" that stores data. With this solution you can securely buy and sell your assets online.

Examples of this use of tokens include stock market value. Most of us associate stocks and bonds with paper certificates of ownership, but tokenization lets us replace those paper certificates with digital versions. Bringing traditional solutions into the digital world simplifies and optimizes many important processes and makes them significantly more efficient.

The terms "token" and "cryptocurrency" are often confused and used interchangeably, which is not surprising, since both concepts are closely tied to blockchain technology. The key difference is that cryptocurrencies are a means of payment, whereas tokens are not; tokens can be compared to a kind of chip.

A token is created using smart contracts on a specific blockchain network and can perform various key functions. Each blockchain network can contain an unlimited number of tokens.

A smart contract, on the other hand, is a kind of computer program embedded in a blockchain network that automatically enforces the terms it contains. Both tokens and cryptocurrencies can be transferred on the blockchain network; however, token transaction fees depend on the network's cryptocurrency.

What information must be provided for tokenization?

Tokenization is commonly used to protect credit card numbers, a practice mandated by the Payment Card Industry Council (PCI). However, there are many other use cases: tokenization gives business organizations that need to reliably protect confidential data a range of effective tools, and this area of security is growing actively.

Consider personal or personally identifiable information. HIPAA and the General Data Protection Regulation (GDPR) require confidential processing, anonymization, and secure storage of personal data. Organizations should use tokenization whenever the business needs to securely store confidential information such as:

  • ID number;
  • Date of birth;
  • Gender or race;
  • Driver’s license;
  • Credit card number;
  • Valid phone number;
  • Bank account number;
  • Social insurance number;
  • Current residential address of clients.

Because tokens are so versatile, they are divided into several types that perform different functions. One of the key distinctions is between fungible and non-fungible tokens. Payment tokens, for example, are used to make payments. Security tokens, whose main function is to protect investors, are regulated by law and represent specific stocks, bonds, or other assets of genuine interest.

Are my tokens safe?

Undoubtedly there are many advantages to using tokens, but is it safe to store data this way? Security is considered one of the most important benefits of tokenization. Stability, irreversibility of transactions, and the elimination of intermediaries are just some of the characteristics of blockchain technology that contribute to security.

In addition, the security of tokenization is supported by smart contracts, which allow parties to trade directly. For example, selling real estate in the form of tokens requires neither a notary nor a real estate agent; everything is done quickly and directly.

Note that each contracting party must ensure that its own tokens are properly stored and protected from loss in order to act as guarantor of a successful transaction. Tokenization is a form of business digitization based on blockchain technology.

The potential of tokenization is huge and has yet to be fully explored. Tokens come in different types. The most common use of tokens is to digitize various kinds of assets, such as physical assets, digital assets, projects, company shares, or loans.

What are the different types of tokenization processes?

When it comes to PCI tokens, there are three key types of tokenization: gateway tokenization, end-to-end tokenization, and payment service tokenization.

Gateway tokenization

When you do e-commerce, you most likely get paid through a payment gateway. Most gateways have technology that lets you securely store a customer's card in their system, issue refunds later, and delete the card data. The downside is that each gateway has its own token scheme, which means the token cannot be used with any other gateway. Changing gateways is therefore often a time-consuming and expensive process of moving customer data to the new gateway for secure processing, and in some cases the gateway may not allow it at all.

End-to-end tokenization

Some independent tokenization providers have technology that sits between your e-commerce site and the gateway. These end-to-end token providers let you keep using your existing gateway integration code.

One of the key advantages of this type of tokenization is that it uses existing technology and can be adopted very quickly. It also has the advantage of modularity: unlike gateway tokenization, it can be used for more than just credit card payments. You can use the same tokenization model to connect to most APIs and tokenize data other than card data.

End-to-end tokenization is an evolution of gateway tokenization. It gives payment solutions the freedom to route transactions to different gateways in real time, avoiding costly and time-consuming transfers of card data between payment platforms.

Payment service tokenization

The third tokenization strategy is the payment service model. This model offers a single API that, once integrated, can route payments to multiple gateways. The payment service model is best suited to companies with more complex payment needs.

This model works well when a company needs to process payments in several regions, in several currencies, or through several gateways. A disadvantage of the payment service model is that existing gateway integration code cannot be reused.

In addition to reduced PCI scope and increased security, the tokenized payment service model has some unique benefits. It not only simplifies your integration code but also takes control of your tokens away from the payment gateway: unlike gateway tokens, tokens provided by the third party can be used with any supported gateway.

Tokens issued by a payment gateway cannot be used with competing gateways. Security and compliance alone are reason enough to implement a solution like tokenization for the assets that matter to you, your company, and your customers.

The truth is that the key security requirements for online payments are difficult to implement on your own. Startups in particular often choose to sacrifice security for time to market. Accepting online payments makes your business a target for cybercriminals. Hiring security experts and implementing effective tokenization can save your business valuable time and money in the long run.

Keep these practical tips in mind: choose a reliable tokenization partner; test the tokenization to see what level of protection you can achieve with the integration; and find a vendor that can bring multiple gateways, payment methods, and services together in a single integration. Tokenization is one of the key technologies needed to connect all of these payment solutions.

A trusted provider keeps full control of tokens, provides redundancy, reduces PCI scope, and raises the security standards in your business environment.

What can be tokenized?

The use cases for tokenization can grow endlessly. Since almost anything can be digitized, tokenization is widely used in business, and various business projects offer the most practical examples of its use.

Digitizing a company involves creating tokens tied to a specific project. Tokenization techniques that add value to tokens can serve as an indispensable tool for automating company processes and as a means of financing them. Real estate tokenization is becoming more and more popular worldwide thanks to transaction speed, the absence of intermediaries, and security.

Property tokenization involves issuing tokens on the blockchain network and linking them to specific properties. The investor thus becomes an owner or co-owner of an asset whose shares are represented by tokens.

Using blockchain technology and a specially designed platform, it is also possible to assign unique numbers to gems and certain forms of ore in order to establish their authenticity.

Raw materials registered with digital numbers can then be identified by verifying their origin, properties, and associated processes. NFTs have the potential to revolutionize both the physical and digital art markets. Each NFT has a unique, non-fungible value that lets you express an interest in the rights to a work of art, making investing in art an easy and fast process.


Digital Finance: Security Tokens and Unlocking the Real Potential of Blockchain

Blockchain and the Future of Finance


