InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
WhatsApp has silently fixed two critical zero-day vulnerabilities affecting both its Android and iOS versions that allow attackers to execute arbitrary code remotely.
Facebook-owned messenger WhatsApp is one of the top-ranked messaging apps, with more than a billion users around the world on both Android and iPhone.
Both vulnerabilities are rated “critical” with a CVSS score of 10/10 and were found by WhatsApp's internal security team.
WhatsApp 0-Day Bugs
CVE-2022-36934 – An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.
In simple terms, these vulnerabilities mean that a device could be compromised by receiving a video file or while on a video call.
CVE-2022-36934 – Integer Overflow Bug
An integer overflow bug in WhatsApp allows attackers to execute specially crafted arbitrary code during an established video call without any user interaction.
An integer overflow, also known as a “wraparound”, occurs when an integer value is incremented to a value that is too large to store in the associated representation.
This RCE bug affects an unspecified part of the WhatsApp Video Call Handler component; an attacker can use it to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”
Attackers can take advantage of this remote code execution vulnerability to deploy malware on the user's device, steal sensitive files, or use the device for surveillance.
According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”
Microsoft and VMware have warned of an ongoing, widespread ChromeLoader malware campaign. The campaign has been observed dropping node-WebKit malware and ransomware, as well as dangerous browser extensions.
ChromeLoader was observed in the wild for the first time in January 2022 for Windows users and in March 2022 for Mac users by the VMware Carbon Black Managed Detection and Response (MDR) team.
ChromeLoader is one of the most widespread and persistent malware programs on the web. A surge in ChromeLoader infections occurred in Q1 2022, with cybersecurity researchers from Red Canary theorizing that the malware was being used for affiliate-marketing and advertising fraud.
To perform click fraud and earn money for the threat actors, the malware installs a malicious extension in Chrome that redirects user traffic to advertising websites.
Technical Analysis
The campaign was traced back to a threat actor tracked as DEV-0796, which used ChromeLoader to infect victims with several different types of malware.
Microsoft researchers are tracking an ongoing wide-ranging click fraud campaign where attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices. Microsoft attributes the attack to a threat actor tracked as DEV-0796.
In addition to ChromeLoader, several known variants exist, such as ChromeBack and Choziosi Loader.
ChromeLoader is delivered in the form of ISO files, which may be downloaded from any of the following sources:
Malicious ads
Browser redirects
YouTube video comments
Since Microsoft began blocking Office macros by default, ISO files have become one of the most popular methods of distributing malware.
Additionally, Windows 10 and later automatically mount ISO files as CD-ROMs when they are double-clicked, which gives attackers an efficient way to deliver multiple malware files at once.
There are four files commonly included in ChromeLoader ISOs:
Can a device be hacked when switched off? Recent studies suggest so. Let’s see how this is even possible.
Researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, have published a paper describing a theoretical method for hacking an iPhone — even if the device is off. The study examined the operation of the wireless modules, found ways to analyze the Bluetooth firmware and, consequently, to introduce malware capable of running completely independently of iOS, the device’s operating system.
With a little imagination, it’s not hard to conceive of a scenario in which an attacker holds an infected phone close to the victim’s device and transfers malware, which then steals payment card information or even a virtual car key.
The reason it requires any imagination at all is because the authors of the paper didn't actually demonstrate this, stopping one step short of a practical attack implementation in which something really nasty is loaded into the smartphone. All the same, even without this, the researchers did a lot to analyze the undocumented functionality of the phone, reverse-engineer its Bluetooth firmware, and model various scenarios for using wireless modules.
So, if the attack didn’t play out, what’s this post about? We’ll explain, don’t worry, but first an important statement: if a device is powered off, but interaction with it (hacking, for example) is somehow still possible, then guess what — it’s not completely off!
How did we get to the point where switching something off doesn’t necessarily mean it’s actually off? Let’s start from the beginning…
Apple’s Low Power Mode
In 2021, Apple announced that the Find My service, which is used for locating a lost device, will now work even if the device is switched off. This improvement is available in all Apple smartphones since the iPhone 11.
If, for example, you lose your phone somewhere and its battery runs out after a while, it doesn’t turn off completely, but switches to Low Power Mode, in which only a very limited set of modules are kept alive. These are primarily the Bluetooth and Ultra WideBand (UWB) wireless modules, as well as NFC. There’s also the so-called Secure Element — a secure chip that stores your most precious secrets like credit card details for contactless payments or car keys — the latest feature available since 2020 for a limited number of vehicles.
Bluetooth in Low Power Mode is used for data transfer, while UWB — for determining the smartphone’s location. In Low Power Mode, the smartphone sends out information about itself, which the iPhones of passers-by can pick up. If the owner of a lost phone logs in to their Apple account online and marks the phone as lost, information from surrounding smartphones is then used to determine the whereabouts of the device. For details of how this works, see our recent post about AirTag stalking.
The announcement quickly prompted a heated discussion among information security experts about the maze of potential security risks. The research team from Germany decided to test out possible attack scenarios in practice.
When powering off the phone, the user now sees the “iPhone Remains Findable After Power Off” message.
Find My after power off
First of all, the researchers carried out a detailed analysis of the Find My service in Low Power Mode, and discovered some previously unknown traits. After power off, most of the work is handled by the Bluetooth module, which is reloaded and configured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices to detect the not-really-off iPhone.
It turned out that the duration of this mode is limited: in version iOS 15.3 only 96 broadcast sessions are set with an interval of 15 minutes. That is, a lost and powered-off iPhone will be findable for just 24 hours. If the phone powered off due to a low battery, the window is even shorter — about five hours. This can be considered a quirk of the feature, but a real bug was also found: sometimes when the phone is off, the “beacon” mode is not activated at all, although it should be.
Of most interest here is that the Bluetooth module is reprogrammed before power off; that is, its functionality is fundamentally altered. But what if it can be reprogrammed to the detriment of the owner?
Attack on a powered-off phone
In fact, the team’s main discovery was that the firmware of the Bluetooth module is not encrypted and not protected by Secure Boot technology. Secure Boot involves multistage verification of the program code at start-up, so that only firmware authorized by the device manufacturer can be run.
The lack of encryption permits analysis of the firmware and a search for vulnerabilities, which can later be used in attacks. But the absence of Secure Boot allows an attacker to go further and completely replace the manufacturer’s code with their own, which the Bluetooth module then executes. For comparison, analysis of the iPhone’s UWB module firmware revealed that it’s protected by Secure Boot, although the firmware isn’t encrypted either.
Of course, that's not enough for a serious, practical attack. For that, an attacker needs to analyze the firmware, try to replace it with something of their own making, and look for ways to break in. The authors of the paper describe in detail the theoretical model of the attack, but don't show practically that the iPhone is hackable through Bluetooth, NFC or UWB. What's clear from their findings is that if these modules are always on, any vulnerabilities in them are likewise always exposed.
Apple was unimpressed by the study, and declined to respond. This in itself, however, says little: the company is careful to keep a poker face even in cases when a threat is serious and demonstrated to be so in practice.
Bear in mind that Apple goes to great lengths to keep its secrets under wraps: researchers have to deal with closed software code, often encrypted, on Apple’s own hardware, with made-to-order third-party modules. A smartphone is a large, complex system that’s hard to figure out, especially if the manufacturer hinders rather than helps.
No one would describe the team’s findings as breathtaking, but they are the result of lots of painstaking work. The paper has merit for questioning the security policy of powering off the phone, but keeping some modules alive. The doubts were shown to be justified.
A half powered-off device
The paper concludes that the Bluetooth firmware is not sufficiently protected. It’s theoretically possible either to modify it in iOS or to reprogram the same Low Power Mode by expanding or changing its functionality. The UWB firmware can also be examined for vulnerabilities. The main problem, however, is that these wireless modules (as well as NFC) communicate directly with the protected enclave that is Secure Element. Which brings us to some of the paper’s most exciting conclusions:
Theoretically, it’s possible to steal a virtual car key from an iPhone — even if the device is powered off! Clearly, if the iPhone is the car key, losing the device could mean losing the car. However, in this case the actual phone remains in your possession while the key is stolen. Imagine it like this: an intruder approaches you at the mall, brushes their phone against your bag, and steals your virtual key.
It is theoretically possible to modify the data sent by the Bluetooth module, for example, in order to use a smartphone to spy on a victim — again, even if the phone is powered off.
Having payment card information stolen from your phone is another theoretical possibility.
But all this of course still remains to be proven. The work of the team from Germany shows once more that adding new functionality carries certain security risks that must be taken into account. Especially when the reality is so different from the perception: you think your phone is fully off, when in fact it isn’t.
This is not a completely new problem, mind. The Intel Management Engine and AMD Secure Technology, which also handle system protection and secure remote management, are active whenever the motherboard of a laptop or desktop computer is connected to a power source. As in the case of the Bluetooth/UWB/NFC/Secure Element bundle in iPhones, these systems have extensive rights inside the computer, and vulnerabilities in them can be very dangerous.
On the bright side, the paper has no immediate impact on ordinary users: the data obtained in the study is insufficient for a practical attack. As a surefire solution, the authors suggest that Apple should implement a hardware switch that kills the power to the phone completely. But given Apple’s physical-button phobia, you can be sure that won’t happen.
Trellix Advanced Research Center published its research into CVE-2007-4559, a vulnerability estimated to be present in over 350,000 open-source projects and prevalent in closed-source projects.
Successful exploit
The vulnerability exists in the Python tarfile module, which ships with every Python installation, and is found extensively in frameworks created by Netflix, AWS, Intel, Facebook, Google, and in applications used for machine learning, automation and Docker containerization.
The vulnerability can be exploited by uploading a malicious file generated with two or three lines of simple code, and it gives attackers arbitrary code execution or control of a target device.
“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact,” said Christiaan Beek, Head of Adversarial & Vulnerability Research, Trellix. “This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”
Open-source developer tools, like Python, are necessary to advance computing and innovation, and protection from known vulnerabilities requires industry collaboration. Researchers are working to push fixes via GitHub pull requests to protect open-source projects from the vulnerability.
A free tool for developers to check if their applications are vulnerable is available on GitHub, and the complete research is available at Trellix.
The Sansec Threat Research Team has noticed a surge in Magento 2 template attacks. The critical template vulnerability in Magento 2, tracked as CVE-2022-24086, is increasingly exploited by e-commerce cybercriminals; it allows unauthenticated attackers to execute code on unpatched sites.
Magento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. More than 150,000 online stores have been created on the platform. As of April 2021, Magento holds a 2.32% market share in global e-commerce platforms.
Critical Magento Vulnerability
Adobe patched this Magento 2 vulnerability (CVE-2022-24086) in February 2022; security researchers later created exploit code for it, opening the way to mass exploitation.
Sansec researchers shared findings on three template hacks. The report says the observed attacks have been interactive, since the Magento checkout flow is very hard to automate. An attack starts with the creation of a new customer account and an order placement, which may result in a failed payment.
Part of the Injected Template Code
Experts say this downloads a Linux executable called 223sam(.)jpg and launches it as a background process.
“It is actually a Remote Access Trojan (RAT). While it remains in memory, it creates a state file and polls a remote server hosted in Bulgaria for commands”, Sansec
Researchers pointed out that the RAT has full access to the database and the running PHP processes. It can also be injected on any of the nodes in a multi-server cluster environment.
Another variation of this attack is the attempted injection of a health_check.php backdoor. It creates a new file accepting commands via the POST parameter:
Malicious PHP file
A third attack variation has this template code, which replaces generated/code/Magento/Framework/App/FrontController/Interceptor.php. This malware is then executed on every Magento page request.
PHP eval Backdoor Created
Therefore, experts recommend that Magento 2 site administrators upgrade their software to the latest version.
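Two of the three variations described above leave a file-system trace: a new health_check.php file, and a rewritten generated/code/Magento/Framework/App/FrontController/Interceptor.php. The following is an added example (not Sansec's or Magento's code) of the file-integrity check a site administrator can run after each deployment to catch exactly those changes: it hashes every file under the web root into a baseline and reports files added, removed or modified since. The directory layout, the baseline format and the `snapshot`/`diff_snapshots`/`demo` names are this example's own assumptions; the interceptor path is the one named in the post.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Added example; not Sansec's or Magento's code. The interceptor path below is
# the one the Sansec report names; everything else here is constructed.
INTERCEPTOR = "generated/code/Magento/Framework/App/FrontController/Interceptor.php"


def snapshot(root: str) -> Dict[str, str]:
    """Map each file under `root` (relative, '/'-separated) to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or modified since `baseline` was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    """Create `rel` under `root`, making parent directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean tree, then replay the two file-level changes."""
    with tempfile.TemporaryDirectory() as root:
        # Stand-in for a freshly deployed store: a generated interceptor and one app file.
        _write(root, INTERCEPTOR, "<?php // generated interceptor (constructed placeholder)\n")
        _write(root, "app/etc/env.php", "<?php return [];\n")
        baseline = snapshot(root)
        # Third variation: the interceptor is replaced. Second variation: a new file is dropped.
        _write(root, INTERCEPTOR, "<?php // contents replaced (constructed placeholder)\n")
        _write(root, "pub/health_check.php", "<?php // unexpected new file (constructed placeholder)\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because Magento regenerates generated/code on every deploy, the baseline must be re-taken right after deployment, with the JSON-serialised digests stored somewhere the web server cannot write; a modified interceptor or a new PHP file appearing between deployments is then a finding worth triaging.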
Morgan Stanley, which bills itself in its website title tag as the “global leader in financial services”, and states in the opening sentence of its main page that “clients come first”, has been fined $35,000,000 by the US Securities and Exchange Commission (SEC)…
…for selling off old hardware devices online, including thousands of disk drives, that were still loaded with personally identifiable information (PII) belonging to its clients.
Today we announced charges against Morgan Stanley Smith Barney LLC stemming from the firm’s extensive failures to protect the personal identifying information of approximately 15 million customers. MSSB has agreed to pay a $35 million penalty to settle the SEC charges.
Strictly speaking, it’s not a criminal conviction, so the penalty isn’t technically a fine, but it’s “not a fine” in much the same sort of way that car owners in England no longer get parking fines, but officially pay penalty charge notices instead.
Also, strictly speaking, Morgan Stanley didn’t directly sell off the offending devices itself.
But the company contracted someone else to do the work of wiping-and-selling-off the superannuated equipment, and then didn’t bother to keep its eye on the process to ensure that it was done properly.
More than 350,000 open source projects can be potentially affected by a 15-Year-Old unpatched Python vulnerability
More than 350,000 open source projects can be potentially affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), that was discovered 15 years ago.
The issue is a Directory traversal vulnerability that resides in the ‘extract’ and ‘extractall’ functions in the tarfile module in Python. A user-assisted remote attacker can trigger the issue to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
“While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.” reads the post published by security firm Trellix.”The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.”
The experts pointed out that the issue was underestimated: it initially received a CVSS score of 6.8, but in most cases an attacker can exploit it to turn the arbitrary file write into code execution. Trellix shared a video PoC that shows how to get code execution by exploiting Universal Radio Hacker:
An attacker can exploit the flaw by uploading a specially crafted tarfile that allows escaping the directory that a file is intended to be extracted to and achieve code execution.
“For an attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to. Python’s tarfile module lets us do exactly this:” continues the post.
The tarfile module lets users add a filter that can be used to parse and modify a file’s metadata before it is added to the tar archive. This enables attackers to create their exploits with as little as the 6 lines of code above.”
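The fix on the consuming side is to refuse any member whose resolved path (or link target) would land outside the extraction directory before calling extract/extractall. The following is an added example of that check (it is not Trellix's code and not CPython's); it builds a constructed two-member tarball, one benign file and one named with a `..` prefix, and shows the guarded extractor rejecting the whole archive. Where the running Python ships extraction filters (3.12 and the backports), it also passes `filter="data"` so the standard library applies the same policy. The helper names (`is_within_directory`, `unsafe_members`, `safe_extractall`, `demo`) are this example's own.

```python
import io
import os
import tarfile
import tempfile
from typing import List

# Added example; not Trellix's or CPython's code. Helper names are assumptions.


def is_within_directory(directory: str, target: str) -> bool:
    """True when `target`, fully resolved, lies inside `directory`."""
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of members whose path, or link target, would escape `dest`."""
    rejected = []
    for member in tar.getmembers():
        candidate = os.path.join(dest, member.name)  # '../x' and '/etc/x' both escape here
        if not is_within_directory(dest, candidate):
            rejected.append(member.name)
            continue
        # Symlinks resolve relative to their own directory; hardlinks relative to dest.
        if member.issym():
            link_target = os.path.join(os.path.dirname(candidate), member.linkname)
        elif member.islnk():
            link_target = os.path.join(dest, member.linkname)
        else:
            continue
        if not is_within_directory(dest, link_target):
            rejected.append(member.name)
    return rejected


def safe_extractall(archive_bytes: bytes, dest: str) -> List[str]:
    """Extract only if every member stays inside `dest`.

    Returns the rejected member names; an empty list means extraction happened.
    """
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        rejected = unsafe_members(tar, dest)
        if rejected:
            return rejected
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and backports): the 'data' filter refuses traversal,
            # absolute paths and links that point outside dest.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return []


def build_sample_archive(include_traversal: bool) -> bytes:
    """Constructed sample tarball: a benign file plus, optionally, a '../' member."""
    entries = [("docs/readme.txt", b"hello")]
    if include_traversal:
        entries.append(("../escaped.txt", b"owned"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo(include_traversal: bool = True) -> dict:
    """Run safe_extractall on the constructed sample inside a temporary directory."""
    archive = build_sample_archive(include_traversal)
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extractall(archive, dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, name), dest).replace(os.sep, "/")
            for root, _dirs, files in os.walk(dest)
            for name in files
        )
    return {"rejected": rejected, "extracted": extracted}


if __name__ == "__main__":
    print(demo(True))   # {'rejected': ['../escaped.txt'], 'extracted': []}
    print(demo(False))  # {'rejected': [], 'extracted': ['docs/readme.txt']}
```

The check runs over `getmembers()` before anything touches disk, so a single bad entry rejects the archive rather than leaving a half-extracted tree; comparing `realpath` results with `commonpath` is what defeats both `..` sequences and absolute member names.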
The researchers built Creosote, a Python script that recursively walks directories looking for .py files and analyzes each one it finds. The script is used to automatically check repositories for the vulnerability. Creosote outputs the list of files that may contain vulnerabilities, sorted into three categories by confidence level (Vulnerable, Probably Vulnerable, Potentially Vulnerable).
Trellix added that the Creosote tool revealed the vulnerability in the free and open-source Spyder Python IDE and in Polemarch.
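The following is an added example of the kind of static check Creosote performs; it is not Trellix's code. It parses Python source with the `ast` module, finds `extract`/`extractall` calls that pass no `filter=` argument, and grades each using the three labels the post quotes. The grading heuristics (receiver provably a `TarFile` from `tarfile.open`/`TarFile(...)` = Vulnerable; module imports tarfile but receiver unresolved = Probably Vulnerable; no tarfile import at all = Potentially Vulnerable) and the `scan_source`/`scan_directory` names are this example's own assumptions, and the module it scans is constructed for the demonstration.

```python
import ast
import os
from typing import Dict, List, Tuple

# Added example; a simplified stand-in for Trellix's Creosote, not their code.
# The three labels come from the post; the heuristics behind them are assumptions.

EXTRACT_METHODS = {"extract", "extractall"}
Finding = Tuple[str, int, str]  # (confidence, line number, call text)


def _is_tarfile_ctor(node: ast.AST) -> bool:
    """True for tarfile.open(...), tarfile.TarFile(...) or a bare TarFile(...) call."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id == "tarfile" and func.attr in {"open", "TarFile"}
    return isinstance(func, ast.Name) and func.id == "TarFile"


def _tar_handles(tree: ast.AST) -> set:
    """Variable names bound to a TarFile via assignment or `with ... as name`."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            target = node.targets[0]
            if isinstance(target, ast.Name) and _is_tarfile_ctor(node.value):
                names.add(target.id)
        elif isinstance(node, ast.With):
            for item in node.items:
                if isinstance(item.optional_vars, ast.Name) and _is_tarfile_ctor(item.context_expr):
                    names.add(item.optional_vars.id)
    return names


def scan_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Flag extract/extractall calls that pass no `filter=` argument, sorted by line."""
    tree = ast.parse(source, filename)
    imports_tarfile = any(
        (isinstance(n, ast.Import) and any(a.name == "tarfile" for a in n.names))
        or (isinstance(n, ast.ImportFrom) and n.module == "tarfile")
        for n in ast.walk(tree)
    )
    handles = _tar_handles(tree)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXTRACT_METHODS):
            continue
        if any(kw.arg == "filter" for kw in node.keywords):
            continue  # caller opted into a Python 3.12+ extraction filter
        receiver = node.func.value
        if (isinstance(receiver, ast.Name) and receiver.id in handles) or _is_tarfile_ctor(receiver):
            level = "Vulnerable"              # receiver is provably a TarFile
        elif imports_tarfile:
            level = "Probably Vulnerable"     # module uses tarfile, receiver unresolved
        else:
            level = "Potentially Vulnerable"  # could be zipfile or something else entirely
        findings.append((level, node.lineno, ast.unparse(node.func)))
    return sorted(findings, key=lambda f: f[1])


def scan_directory(root: str) -> Dict[str, List[Finding]]:
    """Recursively scan every .py file under `root`; files that fail to parse are skipped."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_source(fh.read(), path)
            except SyntaxError:
                continue
            if findings:
                results[path] = findings
    return results


# Constructed sample module (not from any real project) exercising the outcomes.
SAMPLE_SOURCE = '''
import tarfile

def unpack(path, dest):
    with tarfile.open(path) as tar:
        tar.extractall(dest)

def unpack_filtered(path, dest):
    tarfile.open(path).extractall(dest, filter="data")

def unpack_unknown(archive, dest):
    archive.extract("member", dest)
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Run `scan_directory(".")` from a repository root to get a per-file report; the "Probably" and "Potentially" tiers exist because a method call on an arbitrary variable cannot be typed statically, so those need a human to confirm what the receiver is.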
“As we have demonstrated above, this vulnerability is incredibly easy to exploit, requiring little to no knowledge about complicated security topics.” concludes the report. “Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a massive supply chain issue threatening infrastructure around the world.”
A cybersecurity operations center (SOC) protects organizations and their customers' sensitive business data. It ensures active monitoring of valuable business assets, with visibility, alerting and threat investigation, and a holistic approach to managing risk.
The analytics service can be in-house or a managed security service. Collecting event logs and analyzing them against real-world attacks is the heart of the security operations center.
Events are generated by systems: error codes, or records of the success or failure of a device's normal functions. Event logging therefore plays an important role in detecting threats. An organization typically runs many instances and flavors of Windows, Linux, firewalls, IDS, IPS, proxies, NetFlow, ODBC, AWS, VMware, etc.
These devices record attackers' footprints as logs and forward them to SIEM tools for analysis. This article looks at how events are pushed to a log collector. To learn more about Windows events or event IDs, refer here.
Log Collector
It's a centralized server that receives logs from any device. Here I have deployed the Snare Agent on a Windows 10 machine, so we will collect Windows event logs and detect attacks on the Windows 10 machine using the Snare Agent.
Snare is a SIEM (Security Information and Event Management) solution for log collection and event analysis on various operating systems (Windows, Linux, Apple OS X), and it supports a database agent for MSSQL events generated by Microsoft SQL Server. It offers both Enterprise and open-source agents.
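Once Windows Security events reach the collector, the analyst's job is the detection logic that runs over them. The following is an added example (not Snare's code, nor any SIEM vendor's) of one such rule over forwarded logon events: a sliding-window count of event ID 4625 (failed logon) per source address that raises a brute-force alert at a threshold, and then flags a subsequent 4624 (successful logon) from an address already flagged. The events are assumed to arrive as JSON lines with the field names shown, which is this example's own convention rather than Snare's native format, and the ten sample records are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Added example; not Snare's or any SIEM vendor's code. The JSON-lines layout and
# field names are this example's assumption, not Snare's wire format.

# Constructed sample of forwarded Windows Security events (not real log data).
SAMPLE_JSONL = """\
{"time": "2022-09-20T10:00:01", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"}
{"time": "2022-09-20T10:00:07", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"}
{"time": "2022-09-20T10:00:13", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"}
{"time": "2022-09-20T10:00:19", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"}
{"time": "2022-09-20T10:00:25", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"}
{"time": "2022-09-20T10:00:31", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"}
{"time": "2022-09-20T10:00:40", "event_id": 4624, "user": "admin", "src_ip": "10.0.0.7"}
{"time": "2022-09-20T10:05:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.9"}
{"time": "2022-09-20T10:09:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.9"}
{"time": "2022-09-20T10:10:00", "event_id": 4624, "user": "alice", "src_ip": "10.0.0.9"}
"""


def parse_jsonl(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_bruteforce(events: List[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Alert when one source produces `threshold` 4625s inside `window`,
    and again if that source later logs on successfully (4624)."""
    ordered = sorted(events, key=lambda e: e["time"])
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[dict] = []
    for event in ordered:
        ts = datetime.fromisoformat(event["time"])
        ip = event["src_ip"]
        if event["event_id"] == 4625:
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "bruteforce", "src_ip": ip, "count": len(recent),
                    "first": recent[0].isoformat(), "last": ts.isoformat(),
                })
        elif event["event_id"] == 4624 and ip in flagged:
            # A success after a flagged burst is the higher-severity signal.
            alerts.append({
                "type": "success_after_bruteforce", "src_ip": ip,
                "user": event["user"], "time": ts.isoformat(),
            })
    return alerts


def run_sample() -> List[dict]:
    """Apply the rule to the constructed sample."""
    return detect_bruteforce(parse_jsonl(SAMPLE_JSONL))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The two failures from 10.0.0.9 are nine minutes apart, so the window drops the first before the second arrives and nothing fires; 10.0.0.7 crosses the threshold on its fifth failure and its later 4624 becomes a second, higher-priority alert. In a real deployment the threshold and window are tuned per environment, and the source address should be taken from the event's network fields rather than the forwarding host.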
The National Security Agency (NSA) and CISA have issued guidance on how to secure operational technology (OT) and industrial control systems (ICSs) part of U.S. critical infrastructure.
The joint advisory shares information on the steps malicious actors use to compromise IT-enabled OT and ICS assets, which present a larger attack surface, and highlights measures security professionals can take to defend against them.
“Cyber actors, including advanced persistent threat (APT) groups, have targeted OT/ICS systems in recent years to achieve political gains, economic advantages, and possibly to execute destructive effects. Recently, they’ve developed tools for scanning, compromising, and controlling targeted OT devices,” the NSA said.
The advisory also “notes the increasing threats to OT and ICS assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes. OT/ICS designs are publicly available, as are a wealth of tools to exploit IT and OT systems.”
In today’s advisory [PDF], you can find detailed information on how to block threat actors’ attacks at every step, including attempts to collect intelligence, gain initial access, or deploy and execute malicious tools in compromised critical infrastructure systems.
Mitigation measures
However, some defenders may be unable to implement some of the recommended security strategies that could help mitigate many common tactics used to target critical infrastructure control systems.
For them, NSA and CISA provide some security best practices to counter adversaries’ tactics, techniques and procedures (TTPs):
Limit exposure of system information: Operational and system information and configuration data are crucial elements of critical infrastructure operations. The importance of keeping such data confidential cannot be overstated.
Identify and secure remote access points: Owner/operators must maintain detailed knowledge of all installed systems, including which remote access points are—or could be—operating in the control system network. Creating a full “connectivity inventory” is a critical step in securing access to the system.
Restrict tools and scripts: Limit access to network and control system application tools and scripts to legitimate users performing legitimate tasks on the control system. Removing the tools and scripts entirely and patching embedded control system components for exploitable vulnerabilities is often not feasible. Thus, carefully apply access and use limitations to particularly vulnerable processes and components to limit the threat.
Conduct regular security audits: Such an audit aims to identify and document system vulnerabilities, practices, and procedures that should be eliminated to improve the cyber defensive posture and ultimately prevent malicious cyber actors from being able to cause their intended effects.
Implement a dynamic network environment: A little change can go a long way to disrupt previously obtained access by a malicious actor.
“It is vital for OT/ICS defenders to anticipate the TTPs of cyber actors combining IT expertise with engineering know-how,” the two federal agencies added.
“Defenders can employ the mitigations listed in this advisory to limit unauthorized access, lock down tools and data flows, and deny malicious actors from achieving their desired effects.”
Han Bing allegedly felt undervalued after his security warnings were ignored, and decided to prove his point by trashing four financial servers.
(Image credit: Getty – Andrew Aitchison)
An indignant IT admin, seemingly aiming to prove the lax security his employer had hitherto ignored, proceeded to delete a bunch of vital financial databases, and has subsequently been given seven years in prison as a result. It’s what’s known in the IT trade as ‘cutting your nose off to spite your face,’ or inadvisably hulking out on a server you’re known to have access to and have already complained about.
Han Bing, a database administrator for Lianjia, a Chinese real estate brokerage, previously known as Homelink, was allegedly one of only five people in the security team with access to the company's financial system databases. So when someone logged in with root access to Lianjia's financial system and deleted the lot (via Bleeping Computer), the company already had a handful of suspects.
Four of the five handed over their laptops and passwords immediately, while Bing refused to hand over his password, claiming that it held private information. He agreed to access the device for the company’s investigators while he was present, and no incriminating evidence was found on his machine.
The company, however, claimed the attack could be done simply by connecting to the server in a way that would leave no residual trace on the client laptop.
Subsequent electronic forensic analysis of the company’s server logs, alongside the use of CCTV footage, linked records held on the server with the host name of Bing’s MacBook, “Yggdrasil,” as well as certain MAC and IP addresses linked on his computer.
Yeah, Yggdrasil. The tree of life. The roots of which can be seen sprawling across the sky in Valheim, and as that big f-off plant glowing away in Elden Ring. Everything in 2022 always seems to lead back to Elden Ring. This whole case is probably in the game somewhere as lore.
With all the evidence in hand, the Beijing Tongda Fazheng Forensic Identification Centre concluded none of the other potential suspects could be linked to the attack on June 4, 2018, and Han Bing was found guilty of damaging computer information and sentenced to seven years in prison.
Initially that feels a bit harsh on the guy, but he did basically destroy four different servers, salting the earth so nothing could be recovered, and grinding the company’s operation to a halt. It then had to pay some $30,000 as amends for the fact that Lianjia employees were left without pay for an extended amount of time.
Which is also pretty harsh.
Bing’s colleagues have suggested that the reasoning behind his deletion of company records was down to the fact he discovered the security of the financial system was compromised, and his concerns were ignored.
He worked with another database admin to bring the issues to his seniors in the organisation but was apparently dismissed. It’s alleged this led to Bing arguing with other colleagues, and after his office was relocated it is suggested that he no longer felt valued by the company, was “passive and sluggish, often late and early, and there is also the phenomenon of absenteeism.” That’s according to the Edge machine translation, so make of that what you will.
Maybe Bing thought he was going to be rewarded for highlighting the problems more obviously, or maybe he was just a grumpy, vengeful admin by the end of it. Either way going to prison for seven years was most definitely not what he was aiming to get out of this.
I just wanted to inform you that, at the end of September, Advisera launched the “Second Course Exam for Free” promotional campaign. The campaign will start on September 22 and end on September 29, 2022.
In this promotion the second course exam is completely FREE OF CHARGE.
The bundles are displayed on two landing pages, one with bundles related to ISO 9001 and another with bundles related to ISO 27001.
Foundations course exam bundles:
ISO 9001 Foundations exam + ISO 14001 Foundation exam
ISO 9001 Foundations exam + ISO 27001 Foundation exam
ISO 9001 Foundations exam + ISO 13485 Foundation exam
ISO 9001 Foundations exam + ISO 45001 Foundation exam
ISO 14001 Foundations exam + ISO 45001 Foundation exam
Internal Auditor course exam bundles:
ISO 9001 Internal Auditor exam + ISO 14001 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 27001 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 13485 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 45001 Internal Auditor exam
ISO 14001 Internal Auditor exam + ISO 45001 Internal Auditor exam
Lead Auditor course exam bundles:
ISO 9001 Lead Auditor exam + ISO 14001 Lead Auditor exam
ISO 9001 Lead Auditor exam + ISO 13485 Lead Auditor exam
ISO 9001 Lead Auditor exam + ISO 45001 Lead Auditor exam
ISO 14001 Lead Auditor exam + ISO 45001 Lead Auditor exam
Lead Implementer course exam bundles:
ISO 9001 Lead Implementer exam + ISO 14001 Lead Implementer exam
ISO 9001 Lead Implementer exam + ISO 13485 Lead Implementer exam
ISO 9001 Lead Implementer exam + ISO 45001 Lead Implementer exam
ISO 14001 Lead Implementer exam + ISO 45001 Lead Implementer exam
2/ ISO 27001/EU GDPR-related bundles:
ISO 27001 Foundations exam + EU GDPR Foundations exam
ISO 27001 Foundations exam + ISO 9001 Foundation exam
ISO 27001 Internal Auditor exam + EU GDPR Data Protection Officer exam
ISO 27001 Internal Auditor exam + ISO 9001 Internal Auditor exam
ISO 27001 Lead Auditor exam + ISO 9001 Lead Auditor exam
ISO 27001 Lead Implementer exam + ISO 9001 Lead Implementer exam
Take ISO 27001 course exam and get the EU GDPR course exam for Free
As it turns out, it’s not some AI-powered machine learning super virus or pernicious and anonymous cybercrime syndicate. It’s not the latest and greatest in botnets, malware, or spyware either.
Sure, these can be scary, and they are worth protecting against. The headlines report the increased volume and velocity of security threats every other day. The risk is real, and companies need to take cybersecurity seriously.
Just Look out for the Humans
What is the biggest security threat in your company?
But the greatest threat of all? Well, that would be humans. Look no further if you’re trying to identify your biggest cyber threats.
Humans: The Biggest Cyber Security Threats
When we say “humans,” you may assume we are talking about hackers and cybercriminals. After all, they are humans, too, right?
But no, we are talking about employees in your organization, not necessarily disgruntled or vengeful ones.
Verizon’s latest 2022 Data Breach Investigation Report showed that 82% of breaches involved the human element, including social attacks, errors, and misuse.
This is the 80/20 Rule (also known as the Pareto Principle) at work. In cybersecurity, 80% of your problems come from 20% of sources – in this case, human beings.
Whether using a weak, compromised password, clicking on a link in a phishing email, or accidentally setting sensitive cloud-based databases to “public,” your team is the weakest link in the chain.
Here’s a breakdown of the leading issues:
Credential problems account for nearly 50% of non-error, non-misuse breaches
Phishing accounts for nearly 20% of breaches
Nearly 20% of breaches are the result of misconfigured cloud accounts or emailing sensitive data to the wrong people
Vulnerability exploits account for less than 10% of attacks
The biggest cyber threats, therefore, cannot be prevented with a robust security technology infrastructure alone. Technology is critical but cannot always account for the human element.
3 Types of Internal Threats
The biggest security threat is the humans who make up your team. The majority are innocent, or at the very least well-meaning, but there are also those with malicious intent. Identifying the different types of internal threats is critical to your security plans.
These are the three types of internal threats to be aware of:
Unintentional. Employees with poor cybersecurity training and habits can unintentionally compromise an organization’s security by clicking on a malicious link, trusting a spoofed website with their credentials, offering sensitive data to the wrong person, or otherwise. Proper cybersecurity training is key to mitigating risk.
Malicious. This is the occasional disgruntled employee whose primary interest is personal or financial gain. Advanced technologies can help prevent internal threats such as these, but there is no way to read the minds of your employees, so as with cybersecurity in general, an ounce of prevention is worth a pound of cure.
Accomplice. Employees can also collude with cybercriminals or other external parties to steal information from your company for personal gain. Limiting access to key data is critical to preventing scenarios like the “Wolf of Manchester,” who made thousands by selling customer data from an insurance company.
How To Prevent the Biggest Cyber Security Attacks
It’s critical to understand that the same hackers exploiting software vulnerabilities also exploit human vulnerabilities. Cybercriminals have grown wiser about human psychology and are waiting at every turn to seize upon the unsuspecting.
So, you can’t simply reallocate your resources from vulnerability management to in-house training programs. The key is finding a meaningful balance where good cybersecurity practices are baked into your IT security infrastructure.
Preventing the biggest security threat will mean developing a cybersecurity culture in your organization. Blanket policies and procedures are helpful, but they can fall short. Creating an entire culture of cybersecurity will ensure that best practices and good habits are adopted by all.
Naturally, this will mean investing in training. These are the key topics that should be addressed:
Password management
Phishing attacks, how they work, how to avoid them
Encryption and digital signing
Authentication
Creating backups
Best practices in sending personal or sensitive information
Account access and privileges as well as oversight and management
Note that if you don’t have all the resources and personnel necessary to handle the training internally, you can hire an outside party to lead it.
This document provides guidance on how operators should assess the security of a vendor’s security processes and of the vendor’s equipment, and is referenced in the Telecom Security Act Code of Practice.
The purpose of the guidance is to allow operators to objectively assess the cyber risk arising from use of the vendor’s equipment. This is done by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.
It has been reported that a number of financial institutions in New York City are facing an outbreak of super-thin skimming devices known as “deep inserts”. This type of skimming device is inserted into the mouth of the ATM slot that accepts cards.
As a clever disguise, the card skimmers are paired up with pinhole cameras that are hidden within the cash machine in order to pose as part of that machine.
The insert skimmer is approximately 0.68 millimeters tall. That leaves plenty of room for the machine to capture and return the customer’s credit or debit card without interrupting its ability to retrieve the card.
Chip-card data or transactions are not snatched by these skimmers. However, most payment cards issued to American citizens still contain plain text cardholder data stored on the magnetic stripe.
Threat Actors’ Goal
In designing this skimmer, the thieves specifically sought the data stored on the magnetic stripe and the 4-digit PIN of the customer.
According to the Krebs investigation report, with those two pieces of data the crooks can clone payment cards and use them to siphon money from victim accounts at other ATMs. The threat actors abused ATMs made by NCR, called SelfServ 84 Walk-Up, to install these skimming devices.
Skimmer thieves sometimes embed pinhole spy cameras in fake panels above PIN pads. Since financial institutions began fitting NCR’s insert kit to their ATMs, most insert skimmer attacks have been successfully stopped.
The insert kit is a countermeasure that NCR developed to mitigate such attacks. NCR is also field-testing a “smart detect kit”, which adds a USB camera to monitor the interior of the card reader, giving the detection a photographic element.
As long as cardholder data continues to be stored in plain text on the magnetic stripes of payment cards, skimming devices will keep getting smaller and stealthier.
Whenever you are at a cash machine, avoid ATMs that look dodgy or are poorly lit, and cover the PIN pad with your hand to defeat such thefts.
Cybersecurity company Imperva announced that it had mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests.
Cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests on June 27, 2022. According to the experts, the attack marks a new record for Imperva’s application DDoS mitigation solution.
The attack targeted an unnamed Chinese telecommunications company and stands out for its duration: it lasted more than four hours and peaked at 3.9 million requests per second (RPS).
“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”
The Chinese telecommunications company was already targeted by large attacks in the past, and experts added that two days later a new DDoS attack hit its website, although the attack was shorter in duration.
The average rate for this record-breaking attack was 1.8 million RPS. Threat actors used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections.
The technique employed by the attackers is difficult to detect and can bring down targets using a limited number of resources.
“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.
This specific attack was launched by a botnet composed of almost 170,000 different IPs, including routers, security cameras and compromised servers. The compromised devices are located in over 180 countries, most of them in the US, Indonesia, and Brazil.
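The defender-side question raised by the technique above is how a sustained, multiplexed flood shows up in your own telemetry. The following Go program is an added example, not Imperva’s code or data: it parses a constructed access log whose format (RFC3339 time, client IP, connection ID, protocol, path) is this example’s own, reports the busiest one-second window and the number of distinct sources, and flags the connections that carried more requests than a per-connection quota, which is the control that limits how far a single HTTP/2 connection can be pushed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LogEntry is one request as a reverse proxy or load balancer might log it.
// The line format is this example's own: RFC3339 time, client IP,
// connection ID, protocol and request path, separated by spaces.
type LogEntry struct {
	At     time.Time
	IP     string
	ConnID string
	Proto  string
	Path   string
}

// sampleLog is constructed traffic, not a capture from the incident. Two
// HTTP/2 connections (c1, c2) fire several requests within the same second,
// while the HTTP/1.1 client sends one request per connection.
const sampleLog = `2022-06-27T10:00:00Z 203.0.113.10 c1 HTTP/2 /
2022-06-27T10:00:00Z 203.0.113.10 c1 HTTP/2 /api
2022-06-27T10:00:00Z 203.0.113.10 c1 HTTP/2 /login
2022-06-27T10:00:00Z 203.0.113.10 c1 HTTP/2 /search
2022-06-27T10:00:00Z 203.0.113.10 c1 HTTP/2 /status
2022-06-27T10:00:00Z 198.51.100.7 c2 HTTP/2 /
2022-06-27T10:00:00Z 198.51.100.7 c2 HTTP/2 /api
2022-06-27T10:00:00Z 198.51.100.7 c2 HTTP/2 /login
2022-06-27T10:00:00Z 198.51.100.7 c2 HTTP/2 /search
2022-06-27T10:00:01Z 192.0.2.55 c3 HTTP/1.1 /
2022-06-27T10:00:01Z 203.0.113.10 c1 HTTP/2 /
2022-06-27T10:00:02Z 192.0.2.55 c4 HTTP/1.1 /favicon.ico`

// parseLog turns the raw text into entries, rejecting malformed lines.
func parseLog(raw string) ([]LogEntry, error) {
	var entries []LogEntry
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		entries = append(entries, LogEntry{At: at, IP: f[1], ConnID: f[2], Proto: f[3], Path: f[4]})
	}
	return entries, nil
}

// Stats summarises the traffic: the busiest one-second window, how many
// requests each connection carried, and how many distinct sources appeared.
type Stats struct {
	PeakRPS    int
	PeakSecond time.Time
	PerConn    map[string]int
	UniqueIPs  int
}

// analyze buckets requests per second and per connection.
func analyze(entries []LogEntry) Stats {
	perSecond := map[int64]int{}
	ips := map[string]bool{}
	st := Stats{PerConn: map[string]int{}}
	for _, e := range entries {
		perSecond[e.At.Unix()]++
		st.PerConn[e.ConnID]++
		ips[e.IP] = true
	}
	st.UniqueIPs = len(ips)
	for sec, n := range perSecond {
		// On a tie keep the earliest second so the result is deterministic.
		if n > st.PeakRPS || (n == st.PeakRPS && sec < st.PeakSecond.Unix()) {
			st.PeakRPS = n
			st.PeakSecond = time.Unix(sec, 0).UTC()
		}
	}
	return st
}

// flagConnections returns, sorted, the connection IDs that carried more than
// maxPerConn requests: candidates for a per-connection request quota.
func flagConnections(st Stats, maxPerConn int) []string {
	var flagged []string
	for id, n := range st.PerConn {
		if n > maxPerConn {
			flagged = append(flagged, id)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	entries, err := parseLog(sampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	st := analyze(entries)
	fmt.Printf("peak %d req/s at %s from %d distinct IPs\n",
		st.PeakRPS, st.PeakSecond.Format(time.RFC3339), st.UniqueIPs)
	fmt.Println("connections over quota:", flagConnections(st, 3))
}
```

On the constructed input the peak second holds 9 requests from 2 distinct IPs on 2 connections, which is the signature the article describes: volume concentrated on few connections rather than spread across many short-lived ones. In production the same aggregation would run over a sliding window with thresholds tuned to normal traffic, and the per-connection count would feed a stream limit at the proxy.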
On Monday, September 12, 2022, Akamai mitigated the largest DDoS attack ever that hit one of its European customers. The malicious traffic peaked at 704.8 Mpps and appears to originate from the same threat actor behind the previous record that Akamai blocked in July and that hit the same customer.
Gurucul announced the results of a Black Hat USA 2022 security professionals survey with respondents indicating that insider threats were the most difficult type of attack for SOC analysts to detect, and that behavioral analytics was the most common piece of technology they felt was missing and that they planned to add to the SOC in the near future.
The survey also found that a strong majority of respondents feel their SOC programs are improving, but that they needed more training, high-level talent in the SOC, better compensation, and more time off.
“Taken as a whole, these survey results suggest that organizations and security professionals understand that insider threats are a serious security risk and are working to improve their defenses by adding technologies like behavioral analytics and network traffic analysis,” said Saryu Nayyar, Gurucul’s CEO.
Other key findings from the survey include:
27% of respondents identified insider threats as the most difficult attack to detect – the highest percentage across types.
More than 36% of respondents chose behavioral analytics as the technology they are currently missing that would most improve their SOC and more than 24% plan to invest budget into behavioral analytics solutions in the next year.
More than 17% of respondents plan to invest in Network Traffic Analysis technology in the next year.
82% of security professionals feel their SOC programs are improving. Less than 5% said it was actively getting worse.
Tier 3 SOC analysts / threat hunters are the most in-demand role in the SOC (chosen by 31% of respondents), followed by Tier 2 Analysts (20%) and threat content creators (16%).
39% of respondents feel that their organization is investing in enough training for the SOC, but 31% said they are not and 30% were undecided.
35% of analysts need more than two weeks of time off to feel rejuvenated and 28% feel like they deserved a 20% raise.
The European security and compliance assessment company Onekey recently discovered that arbitrary code can be injected into multiple Netgear router models through the FunJSQ module.
FunJSQ is a third-party gaming module developed by Xiamen Xunwang Network Technology to accelerate online games.
Some Orbi WiFi Systems are affected along with the routers. The vulnerability is exploitable by an attacker who knows your WiFi password or who is connected to the router by Ethernet cable.
Affected Routers and WiFi Systems
Below are all the affected router models and WiFi systems, together with the firmware versions that fix the issue:
Routers:
R6230 fixed in firmware version 1.1.0.112
R6260 fixed in firmware version 1.1.0.88
R7000 fixed in firmware version 1.0.11.134
R8900 fixed in firmware version 1.0.5.42
R9000 fixed in firmware version 1.0.5.42
RAX120 fixed in firmware version 1.2.8.40
RAX120v2 fixed in firmware version 1.2.8.40
XR300 fixed in firmware version 1.0.3.72
Orbi WiFi Systems:
RBR20 fixed in firmware version 2.7.2.26
RBR50 fixed in firmware version 2.7.4.26
RBS20 fixed in firmware version 2.7.2.26
RBS50 fixed in firmware version 2.7.4.26
Illicit Actions
The FunJSQ gaming module does not have a secure update process. Update packages sent from the server to the FunJSQ module are only superficially checked.
Because the packages are unsigned, the device validates them with nothing more than a hash checksum.
An attacker who can tamper with this insecure communication channel can take a number of actions, such as:
The data that has been returned from the server can be tampered with.
Package contents are extracted with elevated privileges and placed in the root folder.
It is possible to overwrite anything on the device by taking control of the update package.
There is a potential for arbitrary code to be executed from the WAN interface as a result of these factors combined.
CVE-2022-40620 has been assigned to the issue relating to an insecure update mechanism introduced in the release. CVE-2022-40619 was the CVE ID number assigned to the flaw related to unauthenticated command injections.
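The core defect described above is that a checksum delivered next to the payload proves integrity against accidental corruption but says nothing about who produced the package. The Go program below is an added illustration, not FunJSQ’s or Netgear’s code: it puts a hash-only check beside a check of a detached Ed25519 signature against a public key pinned in the firmware, then shows which of the two still accepts a package whose payload and checksum were both replaced in transit. The package structure, field names and payload strings are this example’s own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage models what an update server delivers: the payload plus the
// integrity data the client is expected to check. Field names are this
// example's own and do not describe FunJSQ's wire format.
type UpdatePackage struct {
	Payload   []byte
	SHA256Hex string // checksum delivered over the same channel as the payload
	Signature []byte // detached Ed25519 signature over the payload
}

// weakVerify is the hash-only pattern: the device compares the payload with
// a checksum that arrived next to it. Whoever can alter the payload in
// transit can recompute the checksum, so this proves nothing about origin.
func weakVerify(p UpdatePackage) bool {
	sum := sha256.Sum256(p.Payload)
	return hex.EncodeToString(sum[:]) == p.SHA256Hex
}

// strongVerify checks a detached signature against a public key pinned in
// the firmware image. The matching private key stays with the vendor, so an
// intermediary cannot produce a valid signature for a modified payload.
func strongVerify(pinned ed25519.PublicKey, p UpdatePackage) error {
	if len(p.Signature) != ed25519.SignatureSize {
		return errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(pinned, p.Payload, p.Signature) {
		return errors.New("signature does not verify against pinned key")
	}
	return nil
}

// buildPackage is the vendor side: hash and sign the payload before release.
func buildPackage(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	sum := sha256.Sum256(payload)
	return UpdatePackage{
		Payload:   payload,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, payload),
	}
}

// modifiedInTransit models the tampering the advisory warns about: the
// payload is replaced and the accompanying checksum is updated to match.
// The signature cannot be updated without the vendor's private key.
func modifiedInTransit(p UpdatePackage, newPayload []byte) UpdatePackage {
	sum := sha256.Sum256(newPayload)
	p.Payload = newPayload
	p.SHA256Hex = hex.EncodeToString(sum[:])
	return p
}

// RunScenario generates a fresh vendor key pair, builds a genuine package,
// applies the in-transit modification and reports whether each check accepts
// the modified package: (hashOnlyAccepts, signatureAccepts, error).
func RunScenario() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := buildPackage(priv, []byte("constructed: genuine update payload"))
	if !weakVerify(genuine) || strongVerify(pub, genuine) != nil {
		return false, false, errors.New("a genuine package must pass both checks")
	}
	modified := modifiedInTransit(genuine, []byte("constructed: replaced payload"))
	return weakVerify(modified), strongVerify(pub, modified) == nil, nil
}

func main() {
	hashOnly, signed, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("modified package accepted by hash-only check: %v\n", hashOnly)
	fmt.Printf("modified package accepted by signature check: %v\n", signed)
}
```

The signature check also needs the pinned public key to be immutable on the device and the update path to refuse any package whose signature is absent, which is why the length check comes before verification rather than treating an empty signature as “nothing to check”.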
Download the Latest Firmware
To begin with, you will need to visit the NETGEAR Support page.
In the search box, you will need to enter your model number.
Once the drop-down menu appears, you can select the model you are looking for from it.
After that, click on the Downloads tab.
If the title of your first download starts with the firmware version under Current Versions, then pick that one.
The next thing you need to do is click the Release Notes button.
For instructions on downloading and installing the new firmware, please refer to the firmware release notes.
Netgear has not yet published a workaround for this vulnerability, and strongly recommends downloading the latest firmware as soon as possible.
DISC LLC presents a phase approach to deliver ISO 27001 Internal Audit services to SaaS businesses.
The Engagement:
We understand that your core business is your SaaS application and you desire an audit. The audit is to be an independent assessment of the company’s ISMS, to measure the maturity of the program, to identify if the program is ready to pass the certification audit for ISO 27001:2013 certification, and provide strategic guidance for achieving the certification. Our focus will be your application which is hosted at AWS/Azure and you have xxx employees who create, maintain, and manage the application.
The audit will be conducted remotely and we will have a dedicated contact person assigned to our audit team to facilitate access to documentation, records, and select staff for interviews. We will complete your standard audit process documentation according to the ISO 27001 standard.
The Plan:
Below is our high-level audit plan for your ISO 27001 internal audit. We propose a staged and flexible approach so we can progressively tune our audit process to deliver maximum business value to you.
Phase 1: This phase starts within week one of signing the engagement contract. The first step is a kickoff meeting to discuss the overall audit engagement, finalize the formal audit plan, and establish access to the documents to be reviewed. We will review the available documents against the ISO 27001 standard. At the end of this phase we will present our findings in a briefing session.
Phase 2: The Phase 2 kickoff builds on the document review and schedules interviews that focus on critical processes, to establish the degree to which the various control procedures have been put into practice. This is a critical part of the audit process. We will measure the maturity of the required controls that have been implemented and present the findings in another review session (schedule subject to availability for interviews).
Phase 3: Recommendations are the focus of this phase. It also starts with a kickoff meeting to establish a coordinated plan for what measures are already planned and what new measures are required to actually pass the certification audit (the to-be state). This final step can save you a lot of effort, as we can help you navigate to the end goal of passing the audit and also define the precise measures that have maximum business value. The closing meeting of this phase will present our collective recommendations.
All of the efforts outlined above are aligned to a compliant internal audit process with a few enhancements that are value-add. These audit records will likely be a primary target of the certification audit so they need to be well executed. Your controls also have to be tailored to your business. We can help get you certified but that doesn’t mean you are actually secure. We can help you do both. Missing the secure part would be devastating to you and to all of your customers. This is our value-add.
If you have a question about ISO 27001 internal audit:
Two critical vulnerabilities have been found recently in the wireless LAN devices of Contec. These critical vulnerabilities were discovered by the cybersecurity analysts, Samy Younsi and Thomas Knudsen of Necrum Security Lab.
The two affected models, the FLEXLAN FXA2000 and FXA3000 series from CONTEC, are primarily used in airplane installations as WiFi access points.
As a result, these devices offer extremely high-speed connectivity during flight trips for the following purposes:-
Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.
During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.
“Across industries, we continue to see high-profile attacks targeting organizations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Catherine Lyle, Coalition’s Head of Claims.
“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”
The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022. Of the incidents that resulted in a payment, Coalition negotiated down to roughly 20% of the initial demand.
More good news: Coalition policyholders experienced 50% fewer claims compared to the broader market. The severity of these claims has also declined, with 45% of incidents resolved at no cost. The substantial decrease in overall claims stems from Coalition’s combination of cybersecurity tools, including active monitoring and alerting, access to digital forensics and incident response, and broad insurance coverage.
“Organizations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Chris Hendricks, Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”
Other key findings:
Phishing triggers the majority of cyber incidents, accounting for 57.9% of reported claims
Cyber gangs have built a thriving business
Funds transfer fraud (FTF) claims have held steady thanks to phishing, and
Microsoft Exchange has become the vulnerability that persists.