InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Cybersecurity researchers at Kaspersky Security Labs have recently identified an unofficial version of WhatsApp for Android, which is dubbed by experts “YoWhatsApp.”
This unofficial version of WhatsApp is mainly designed to steal users’ account access keys or login credentials. Many unofficial versions of legitimate apps are openly advertised as such.
These unofficial versions lure users by advertising features that the official versions do not have. Although YoWhatsApp is an unofficial version of WhatsApp, it is a fully working messenger with some key additional features, including the following:
UI customization
Blocking access to individual chats
Several emojis
Unofficial WhatsApp: YoWhatsApp
There is no difference between YoWhatsApp and the standard WhatsApp application in terms of permissions. The promotion of this unofficial Android mod is done using ads on popular Android apps such as the following ones:
Snaptube
Vidmate
In the latest version of YoWhatsApp, version 2.22.11.75, the threat actors were able to obtain the keys to the WhatsApp accounts of their victims and take full control.
YoWhatsApp claims to let users send files of up to 700 MB, whereas the official app limits files sent to contacts to 100 MB each; this makes YoWhatsApp more appealing.
The modified app sends the user’s access keys to a remote server controlled by the developer.
From the basics to advanced techniques, here’s what you should know.
Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.
An organization’s security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.
That’s why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.
The Basics: Vulnerability Scanning
The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There’s a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.
Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.
While vulnerability scanning is relatively easy to use, it’s not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. Scanners are also often prone to false positives and must be updated consistently.
Overall, though, vulnerability scanning is an important baseline step. Once it’s running well, the next step is penetration testing.
Penetration Testing
Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there’s a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.
Run periodically, pen testing can uncover weaknesses that aren’t found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.
Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.
While penetration testing can provide a great deal of benefit, it’s a good idea to periodically review the wealth of information on best practices available online.
Red Team/Purple Team
The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization’s security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.
A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.
But too often, red and blue teams devolve into an adversarial relationship that’s counterproductive. It’s also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.
Using Adversary TTPs for Good
There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE’s ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security by gathering intelligence on specific attacks and then simulating the TTPs used.
For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases: command-and-control setup through initial access; host compromise through execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.
Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure’s detection and response rates.
Looking Ahead
Security vendors are moving beyond simply advocating the concept of MITRE’s ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.
MITRE’s CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. CALDERA can also be used to train blue teams on detecting and remediating specific attacks.
Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.
This book is the hands-on and methodology guide for pentesting with Kali Linux. You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.
Build a modern dockerized environment
Discover the fundamentals of the bash language in Linux
Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
Apply practical and efficient pentesting workflows
Learn about modern web application security and the secure SDLC
If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you’ll learn the basics of using the Linux operating system and acquire the tools and techniques you’ll need to take control of a Linux environment.
First, you’ll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you’ll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You’ll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:
Cover your tracks by changing your network information and manipulating the rsyslog logging utility
Write a tool to scan for network connections, and connect and listen to wireless networks
Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
Write a bash script to scan open ports for potential targets
Use and abuse services like MySQL, Apache web server, and OpenSSH
Build your own hacking tools, such as a remote video spy camera and a password cracker
In this book you’ll learn an offensive approach to enhance your penetration testing skills by testing the sophisticated tactics employed by real hackers. You’ll integrate your lab with cloud services to learn a dimension of exploitation that is typically overlooked during a penetration test. You’ll explore different ways of installing and running Kali Linux in a VM and containerized environment and deploying vulnerable cloud services on AWS using containers, exploiting misconfigured S3 buckets to gain access to EC2 instances.
This book delves into passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on this, different vulnerability assessments are explored, including threat modeling. See how hackers use lateral movement, privilege escalation, and command and control (C2) on compromised systems. By the end of this book, you’ll have explored many advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies.
This is a comprehensive guide for those who are new to Kali Linux and penetration testing that will have you up to speed in no time. Using real-world scenarios, you’ll understand how to set up a lab and explore core penetration testing concepts.
Throughout this book, you’ll focus on information gathering and even discover different vulnerability assessment tools bundled in Kali Linux. You’ll learn to discover target systems on a network, identify security flaws on devices, exploit security weaknesses and gain access to networks, set up Command and Control (C2) operations, and perform web application penetration testing. In this updated second edition, you’ll be able to compromise Active Directory and exploit enterprise networks.
Finally, this book covers best practices for performing complex web penetration testing techniques in a highly secured environment.
Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.
Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.
Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.
Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
Refund fraud services increased by almost 150% from 2019 – 2021
Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.
“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception,” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”
Additional steps include:
Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.
Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.
Reports say that at first it delivered BazarLoader (a backdoor), which was used as an entry point to deliver ransomware. A BazarLoader infection leads to the installation of Conti ransomware within a span of 32 hours.
It was also found to be delivering other malware such as Trickbot, Gozi ISFB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in the United States and Canada. They were also targeting some Asian countries, such as India and China.
What is BazarCall?
BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.
In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.
The second Tuesday of every month is Microsoft’s regular day for security updates, still known by almost everyone by its unofficial nickname of “Patch Tuesday”.
But the second Tuesday in October is also Ada Lovelace Day, celebrating Ada, Countess of Lovelace.
Ada was a true pioneer not only of computing, but also of computer science, and gave her name to the programming language Ada.
The Ada language, intriguingly, emerged from a US Department of Defense project aimed at “debabelising” the world of governmental coding, where every department seemed to favour a different language, or a different language dialect, making it more difficult, more expensive, and less reliable to get them to work together.
Ada Lovelace’s era
You might be surprised to find, given how strongly Ada’s name is associated with the beginnings of computer science, that she lived in the first half of the nineteenth century, long before anything that we currently recognise as a computer, or even a calculator, existed.
(Ada died of uterine cancer in 1852 at just 36 years old.)
But although computers in their modern sense didn’t exist in the 1800s, they very nearly did.
Here’s how it almost happened.
Charles Babbage, in the early 1800s, famously devised a mechanical calculating device called the Difference Engine that could, in theory at least, automatically solve polynomial equations in the sixth degree, e.g. by finding values for X that would satisfy:
$aX^6 + bX^5 + cX^4 + dX^3 + eX^2 + fX + g = 0$
The UK government was interested, because a device of this sort could be used for creating accurate mathematical tables, such as square roots, logarithms and trigonometric ratios.
And any machine good at trigonometric calculations would also be handy for computing things like gunnery tables that could revolutionise the accuracy of artillery at land and sea.
But Babbage had two problems.
Firstly, he could never quite reach the engineering precision needed to get the Difference Engine to work properly, because it involved sufficiently many interlocking gears that backlash (tiny but cumulative inaccuracies leading to “sloppiness” in the mechanism) would lock it up.
Secondly, he seems to have lost interest in the Difference Engine when he realised it was a dead end – in modern terms, you can think of it as a pocket calculator, but not as a tablet computer or a laptop.
So Babbage leapt ahead with the design of a yet more complex device that he dubbed the Analytical Engine, which could work out much more general scientific problems than one sort of polynomial equation.
Perhaps unsurprisingly, if regrettably in hindsight, the government wasn’t terribly interested in funding Babbage’s more advanced project.
Given that he hadn’t managed to build the mechanism needed for a much simpler equation solver, what chance did a giant, steam-powered, general-purpose computer have of ever delivering any useful results?
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to
Hinder communication
Gather intelligence
Steal intellectual property
Damage digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at an estimated cost of $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What Can the Public Sector Do to Stay Ahead?
Beyond taking full advantage of the latest technology, public sector organizations that want to stay ahead of cyber security threats must create a culture of cybersecurity within their organizations, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
Conclusion
The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.
This isn’t to suggest that old technologies are more reliable, however. Just as antivirus software needs its virus definitions continually updated to remain effective, the public sector needs to stay on the cutting edge of best practices.
The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.
A WOMAN IN TEHRAN CLIMBED ONTO A CAR AND SET HER HIJAB ABLAZE. “AMIN” WAS JUST FIVE METERS AWAY. (PHOTO CREDIT: TWITTER)
The death of 22-year-old Mahsa Amini in Iran has ignited the most powerful protests the country has seen in years. Authorities there have rolled out a host of new tools to throttle mobile phone connections, block social media sites, and make it harder for people on the ground to organize. Our Click Here team spoke to one man who has been protesting since Amini’s death was announced, and he talked to us about the dangers of using social media and technology while participating in street demonstrations. He asked us not to use his real name because speaking to foreign reporters could get him arrested. Amin talked with us about getting around internet restrictions, the dangers of using social media in Iran, and how protesters handle their passwords.
Our interview with him has been edited and condensed for clarity.
BidenCash, a popular dark web carding site, released a dump of more than 1.2 million credit cards to promote its service.
Operators behind the popular dark web carding market ‘BidenCash’ have released a dump of 1,221,551 credit cards to promote their underground payment card shop. Multiple security firms noticed the promotional activity, but the news was first reported by threat intelligence firm Cyble and the Italian firm D3Lab.
It is a great gift to fraudsters, who can download the dump for free and use it for fraudulent activities.
The availability of the dataset, containing information on over 1.2 million credit and debit cards, was announced on a notorious cybercrime forum mainly hosting Russian- and English-speaking threat actors.
Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company’s business strategy and operations.
The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.
Given this evolution in responsibilities, a CISO’s first 90 days on the job should look a lot different today than it did even several years ago.
The First 90 Days
While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company’s mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.
With this in mind, here are a few recommendations on what a CISO’s focus should be during their first 90 days on the job.
Gain An Understanding of the Organization’s Larger Mission and Culture
The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.
Identify the Crown Jewels
Determine which data and systems underpin the company’s strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.
Develop a Plan Based on the Company’s Current IT and Business Landscape
Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.
Master the Basics
There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren’t already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.
Implement Benchmarks
Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.
Always Treat Security as a Business Problem
Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it’s so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they’ll be more apt to pay attention and participate in security efforts.
At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization’s security posture, and do we have a road map?
While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.
An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities such as DDoS attacks or security policy violations.
An IDS works by monitoring system activity: examining vulnerabilities in the system, checking the integrity of files, and analyzing patterns based on already known attacks. It may also automatically monitor the Internet for any of the latest threats that could result in a future attack.
Detection Methods
An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.
An attack is an attempt to compromise confidentiality, integrity, or availability. The two primary methods of detection are signature-based and anomaly-based. Any type of IDS (HIDS or NIDS) can detect attacks based on signatures, anomalies, or both.
The HIDS monitors the network traffic reaching its NIC, and the NIDS monitors the traffic on the network.
Host-based intrusion detection system (HIDS)
A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.
It provides protection to the individual host and can detect potential attacks and protect critical operating system files. The primary goal of any IDS is to monitor traffic.
The role of a host Intrusion Detection System is passive, only gathering, identifying, logging, and alerting. Examples of HIDS:
For a HIDS, the monitored traffic is what passes through the host’s network interface card (NIC). Many host-based IDSs have expanded to monitor application activity on the system as well.
As one example, you can install a HIDS on different Internet-facing servers, such as web servers, mail servers, and database servers. In addition to monitoring the network traffic reaching the servers, the HIDS can also monitor the server applications.
It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional anti-virus software might miss.
Because of this, many organizations install a HIDS on every workstation as an extra layer of protection, in addition to traditional anti-virus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is mainly used to monitor network traffic reaching the workstation. However, a HIDS can also monitor some applications and can protect local resources such as operating system files. In other organizations, administrators only install a HIDS when there’s a perceived need.
For example, if an administrator is concerned that a specific server with proprietary data is at increased risk of an attack, the administrator might choose to install a HIDS on this system as an extra layer of protection.
Each uncompleted session consumes resources on the server, and if the SYN flood attack continues, it can crash the server.
Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.
IDSs and IPSs can detect a SYN flood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the open sessions.
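To make the two detection methods described above concrete, and the SYN flood case in particular, here is an added Python example (written for this post, not taken from any IDS product). It runs one signature rule and one anomaly rule over a small constructed set of connection events: the signature rule matches a known-bad payload pattern, while the anomaly rule counts half-open connections per destination and alerts when the backlog exceeds a baseline. The event format, the traversal and SQL-comment signatures, the five-second window and the threshold of 30 half-open connections are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed connection events (not a real capture): a simplified view of
# TCP packets carrying only the fields the two detectors need.
BENIGN = [
    {"t": 0.0, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "flags": "S", "payload": ""},
    {"t": 0.1, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "flags": "A",
     "payload": "GET /index.html HTTP/1.1"},
]
SUSPICIOUS = [
    {"t": 0.2, "src": "10.0.0.7", "dst": "192.0.2.10", "dport": 80, "flags": "S", "payload": ""},
    {"t": 0.3, "src": "10.0.0.7", "dst": "192.0.2.10", "dport": 80, "flags": "A",
     "payload": "GET /../../etc/passwd HTTP/1.1"},
]
# Fifty SYNs from distinct sources that are never completed with an ACK.
SYN_BURST = [
    {"t": 1.0 + i * 0.01, "src": f"203.0.113.{i}", "dst": "192.0.2.10", "dport": 80,
     "flags": "S", "payload": ""}
    for i in range(1, 51)
]
EVENTS = BENIGN + SUSPICIOUS + SYN_BURST

# Signature-based detection: each rule is a name plus a pattern of a known attack.
SIGNATURES = [
    ("directory traversal", re.compile(r"(\.\./){2,}")),
    ("SQL comment injection", re.compile(r"'\s*(--|#)")),
]


def signature_alerts(events):
    """Return (rule name, src, dst) for every payload matching a known-bad pattern."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["payload"]):
                alerts.append((name, ev["src"], ev["dst"]))
    return alerts


def half_open_connections(events, now, window):
    """Count, per destination, SYNs that were not followed by an ACK from the
    same source and that fall inside the last `window` seconds before `now`."""
    pending = {}  # (src, dst, dport) -> time of the SYN
    for ev in events:
        key = (ev["src"], ev["dst"], ev["dport"])
        if ev["flags"] == "S":
            pending[key] = ev["t"]
        elif ev["flags"] == "A":
            pending.pop(key, None)  # handshake completed, no longer half-open
    counts = defaultdict(int)
    for (_src, dst, _dport), t in pending.items():
        if now - window <= t <= now:
            counts[dst] += 1
    return dict(counts)


def syn_flood_alerts(events, now, window=5.0, threshold=30):
    """Anomaly-based detection: flag destinations whose half-open backlog exceeds
    what normal traffic produces (the threshold is an assumed baseline)."""
    counts = half_open_connections(events, now, window)
    return sorted(dst for dst, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(EVENTS))
    print("half-open backlog:", half_open_connections(EVENTS, now=2.0, window=5.0))
    print("SYN flood suspects:", syn_flood_alerts(EVENTS, now=2.0))
```

The signature rule only fires on traffic it has a pattern for, which is why the SYN burst is invisible to it; the anomaly rule needs no knowledge of the attacker, only a notion of what a normal backlog looks like, which is exactly the trade-off the section describes.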
About 1 in 5 phishing email messages reach workers’ inboxes, as attackers get better at dodging Microsoft’s platform defenses and defenders run into processing limitations.
This week’s report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They’re also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft’s platform defenses and landed in workers’ inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers are due to a better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.
“It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company’s security layers,” he says. “The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content.”
Meanwhile, cybercriminal services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.
This October is Cyber Security Awareness Month, an event designed to educate people about information security and the steps they can take to stay safe online.
Now in its nineteenth year, the campaign provides tools and resources to help people learn more about the cyber security industry and the ways they can get involved.
This year’s event focuses on phishing and ransomware – two of the biggest threats that organisations currently face.
The attack method is often used to deliver ransomware, which itself is responsible for significant damage. Our research discovered more than 100 publicly disclosed ransomware attacks in the first half of 2022, with intrusions shuttering businesses and creating huge financial problems.
Getting involved
There are events being held throughout October as part of National Cyber Security Awareness Month. Both national governments and private organisations have supported the campaign and are running programmes online and in person.
You can find a full list of events on Stay Safe Online, where you can also find information security tips.
The theme of this year’s campaign is ‘See Yourself in Cyber’, and individuals are encouraged to get involved online with the hashtag #BeCyberSmart.
A key component of that is protecting yourself from scams. The campaign reminds people that: “The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it.
“Before clicking any links or downloading attachments, take a few seconds (like literally 4 seconds) and ensure the email looks legit.”
The campaign also highlights the benefits of multi-factor authentication, strong passwords and regularly updating software.
How IT Governance can help
You can also follow the latest developments during Cyber Security Awareness Month by following us on LinkedIn. We’ll provide the latest updates on the campaign to help you get involved in events near you.
Plus, our experts will provide quick and simple tips to boost your cyber security awareness. Did you know, for example, that one of the most effective ways to boost your defences is also one of the simplest – ensuring that your accounts are protected by strong, unique passwords.
This applies not only to login credentials but also to databases and other sensitive information that you store online. The InterContinental Hotel Group was recently caught out by a cyber attack, after criminal hackers discovered a database protected by the password ‘Qwerty1234’.
The breach enabled the attackers to access the most sensitive parts of the hotel giant’s computer systems, and ultimately led to a phishing attack in which an employee was duped into downloading malware that destroyed huge volumes of sensitive data.
Another top tip for preventing cyber attacks is to test your employees with simulated phishing emails, for example via a Phishing Challenge E-learning Game. These are messages that use the same techniques as genuine scams without the malicious payload.
The attacks give you the opportunity to monitor how your employees respond to a bogus email. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact the IT team to alert them of the threat?
Simulated phishing is an essential technique in an organisation’s cyber security practices. It complements traditional staff awareness training to assess the effectiveness of your programme in a real-world scenario.
In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.
But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media broadcasting events daily as they occur on every channel imaginable (cable TV, smartphones, social media, etc.), cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to:
Hinder communication
Gather intelligence
Steal intellectual property
Damage digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at a cost of $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What the public sector can do to stay ahead
Beyond taking full advantage of the latest tech, public sector organizations that want to stay ahead of cyber security threats have to create a culture of cybersecurity, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
There are several open-source packet analyzers available, but Wireshark is among the most popular. The application has now been upgraded to version 4.0.0 and comes with multiple new features and fixes.
Wireshark is used not only by network administrators but also by security analysts to analyze packets.
Wireshark network protocol analyzer can be used for the following primary purposes:-
Troubleshooting
Analysis
Development
Education
Organizations of all sizes have adopted the tool to support their business activities.
The official Windows 32-bit package of Wireshark is no longer being distributed with the release of this version. Here below we have mentioned all the new additions:-
With many new extensions available, the display filter syntax has become much more powerful.
Redesigns have been made to the Conversation and Endpoint dialogs.
Packet Detail and Packet Bytes are now displayed underneath the Packet List pane in the default layout for the main window.
A number of improvements have been made to the hex dump import from Wireshark and from text2pcap.
A great deal of improvement has been made in the performance of using MaxMind geolocation.
New and Updated Features
In this latest release, here below we have mentioned all the new and updated features:-
The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
The ‘v’ (lower case) and ‘V’ (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ.
The Conversation and Endpoint dialogs have been redesigned.
The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
The display filter syntax has been updated and enhanced. The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
The IEEE 802.11 dissector supports Mesh Connex (MCX).
The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row without having to reenter the password each time. Passwords are never stored on disk.
It is possible to set extcap passwords in tshark and other CLI tools.
The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
Support to display JSON mapping for Protobuf message has been added.
macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated.
The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list.
The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
ciscodump now supports IOS, IOS-XE and ASA remote capturing.
The PCRE2 library is now required to build Wireshark.
You must now have a compiler with C11 support in order to build Wireshark.
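The note above that ip.flags is now only the three high bits is the kind of change that silently breaks saved display filters and coloring rules. The added Python example below (not Wireshark code, and not taken from the release notes) builds a constructed IPv4 header and decodes bytes 6 and 7 two ways: the byte-aligned value a filter such as ip.flags == 0x40 for DF expected from the old field, and the right-shifted three-bit value (0x2 for DF) the 4.0 field holds. The header builder, the sample field values and the old-to-new conversion are assumptions for the demonstration; check the exact old and new values against your own captures before rewriting rules.

```python
import struct


def build_ipv4_header(flags3, frag_offset, proto=6, src="192.0.2.1", dst="192.0.2.2"):
    """Constructed 20-byte IPv4 header for the demo (checksum left zero, no options).
    flags3 is the three-bit Reserved/DF/MF field, frag_offset the 13-bit offset."""
    if not 0 <= flags3 <= 0b111 or not 0 <= frag_offset <= 0x1FFF:
        raise ValueError("flags must fit in 3 bits and offset in 13 bits")
    ver_ihl = (4 << 4) | 5                       # IPv4, header length 5 x 32-bit words
    flags_frag = (flags3 << 13) | frag_offset     # top 3 bits flags, low 13 bits offset
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 40, 0x1234, flags_frag, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )


def ip_flags_fields(header):
    """Decode the flags/fragment-offset word of an IPv4 header in both views:
    the flag bits left in place inside their byte (the pre-4.0 ip.flags value)
    and the same bits shifted down to a 3-bit number (the 4.0 ip.flags value)."""
    (word,) = struct.unpack("!H", header[6:8])
    return {
        "flags_byte": (word >> 8) & 0xE0,   # e.g. 0x40 when only DF is set
        "flags_3bit": word >> 13,           # e.g. 0x2 when only DF is set
        "reserved": (word >> 15) & 1,
        "df": (word >> 14) & 1,
        "mf": (word >> 13) & 1,
        "frag_offset": word & 0x1FFF,       # unchanged by the field redefinition
    }


def old_flags_value_to_new(byte_value):
    """Translate a constant written against the byte-aligned field to the 3-bit
    field, e.g. a DF check of 0x40 becomes 0x2 (assumed mapping, verify locally)."""
    return (byte_value >> 5) & 0b111


if __name__ == "__main__":
    samples = [
        ("DF set, not fragmented", build_ipv4_header(0b010, 0)),
        ("MF set, offset 1000", build_ipv4_header(0b001, 1000)),
    ]
    for label, hdr in samples:
        f = ip_flags_fields(hdr)
        print(f"{label}: old-style ip.flags=0x{f['flags_byte']:02x} "
              f"new-style ip.flags=0x{f['flags_3bit']:x} "
              f"DF={f['df']} MF={f['mf']} offset={f['frag_offset']}")
```

The practical takeaway is that the bit-level fields (ip.flags.df, ip.flags.mf, the fragment offset) mean the same thing before and after the change; only filters that compare the composite ip.flags value against a constant need to be rewritten.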
A cybersecurity framework provides a formal and comprehensive set of guidelines to help organizations define their security policies, assess cybersecurity posture, and improve resilience. Cybersecurity frameworks specify security controls, risk assessment methods, and suitable safeguards to protect information systems and data from cyberthreats. Though originally developed for government agencies and other large organizations, cybersecurity frameworks can also be a useful source of security best practices for medium and small businesses. Without getting too formal, let’s see what cybersecurity frameworks exist, why you may want to use one, and how to hand-pick the cybersecurity processes and actions that apply to your specific web application security program.
Why cybersecurity frameworks exist
Depending on the organization, a successful cyberattack can have serious social, economic, or even political consequences. Whether they result in a denial of service, a data breach, or a stealthy and persistent presence in targeted systems, cyberattacks are now a permanent concern not only for business and government but even for military operations. Well-defined cybersecurity programs are vital for organizations of all sizes, but simply saying “secure everything” isn’t good enough, especially given the complexity of today’s interconnected information systems and supply chains. And with data security and privacy high on the agenda, a systematic and formalized approach is necessary to identify specific security controls that keep sensitive information inaccessible to malicious actors.
With public and private organizations of all sizes facing similar cybersecurity events and challenges, it became clear that a common cybersecurity framework would benefit everyone. By working to a common set of best-practice policies and recommendations, everyone would be able to define their own cybersecurity practices and protective technologies while maintaining a common baseline for auditing and certification. And for organizations that may lack the resources or technical resources to design their own policies from scratch, having such a starter policy kit could be the only way to come up with a reasonably complete and effective cybersecurity policy.
Commonly used cybersecurity frameworks
You can think of a cybersecurity framework as a common box of parts for building cybersecurity policies. More formally, a cybersecurity framework can be any document that defines procedures and goals to guide more detailed policies. Existing documents that contain such cybersecurity guidelines include:
The NIST Cybersecurity Framework: The most widely used document for cybersecurity policy and planning, developed by the National Institute of Standards and Technology.
ISO 27001 Information Security Management: Guidelines for information security management systems (ISMS) prepared by the International Organization for Standardization.
Risk management frameworks: Documents such as NIST’s Risk Management Framework (NIST SP 800-37 Rev. 2) and the ISO 27005:2018 standard for Information Security Risk Management focus on risk management strategies, including cybersecurity risk management.
Industry-specific frameworks: Many industries have their own security standards for these sectors, such as PCI DSS for electronic payment processing, HIPAA rules for healthcare, or COBIT for IT management and governance.
A closer look at the NIST cybersecurity framework
In 2013, a US presidential executive order was issued calling for a standardized cybersecurity framework to describe and structure activities and methodologies related to cybersecurity. In response to this, NIST developed its Framework for Improving Critical Infrastructure Cybersecurity, commonly called the NIST Cybersecurity Framework (NIST CSF). It is a detailed policy document created not only to help organizations manage and reduce their cybersecurity risk but also to create a common language for communicating about cybersecurity activities. While the framework was initially intended only for companies managing critical infrastructure services in the US private sector, it is now widely used by public and private organizations of all sizes.
The NIST CSF is divided into three main components:
Framework core: The main informational part of the document, defining common activities and outcomes related to cybersecurity. All the core information is organized into functions, categories, and subcategories.
Framework profile: A subset of core categories and subcategories that a specific organization has chosen to apply based on its needs and risk assessments.
Implementation tiers: A set of policy implementation levels, intended to help organizations in defining and communicating their approach and the identified level of risk for their specific business environment.
The framework core provides a unified structure of cybersecurity management processes, with the five main functions being Identify, Protect, Detect, Respond, and Recover. For each function, multiple categories and subcategories are then defined. This is where organizations can pick and mix to put together a set of items for each function that corresponds to their individual risks, requirements, and expected outcomes. For clarity and brevity, each function and category has a unique letter identifier, so for example Asset Management within the Identify function is denoted as ID.AM, while Response Planning within the Respond function is RS.RP.
Each category includes subcategories that correspond to specific activities, and these subcategories get numerical identifiers. To give another example, the subcategory “Detection processes are tested”, which sits under the Detection Processes category of the Detect function, is identified as DE.DP-3. Subcategory definitions are accompanied by references to the relevant sections of standards documents for quick access to the normative guidelines for each action.
Applying the NIST framework to application security
By design, the NIST CSF has an extremely broad scope and covers far more activities than any specific organization is likely to need. To apply the framework to web application security, you start by analyzing each of the five functions as they relate to your existing and planned application security activities and risk management processes. Then, you select the categories and subcategories relevant to your specific needs and use them as the backbone of your own security policy to ensure you cover all the risks and activities you need. For general web application security, a skeleton cybersecurity policy would need to include at least the following subcategories for each function:
Identify:
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.RA-1: Asset vulnerabilities are identified and documented
Protect:
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
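As an added example, not part of the NIST document or of this post’s original text: the identifier scheme described above (function.category-number) is regular enough to validate with a short Python routine, and the same routine can report which of the five functions a draft profile leaves with no subcategory selected. The profile it checks is built only from the four subcategories named in this post, so the gaps it reports apply to that skeleton and are meant to show the check, not to recommend a complete profile.

```python
import re

# The five functions of the NIST CSF core and their two-letter codes.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# function.category[-subcategory], e.g. ID.AM, RS.RP, DE.DP-3
CSF_ID = re.compile(r"^(?P<function>ID|PR|DE|RS|RC)\.(?P<category>[A-Z]{2})(?:-(?P<sub>\d+))?$")


def parse_csf_id(identifier):
    """Split a CSF identifier into (function code, category code, subcategory number or None)."""
    m = CSF_ID.match(identifier.strip())
    if not m:
        raise ValueError(f"not a NIST CSF identifier: {identifier!r}")
    sub = m.group("sub")
    return m.group("function"), m.group("category"), (int(sub) if sub is not None else None)


def profile_coverage(profile):
    """Group a profile's subcategories by function and name the functions left empty.
    Duplicates are dropped; a bare category (no -number) is rejected because a
    framework profile is a selection of subcategories."""
    by_function = {code: [] for code in FUNCTIONS}
    for item in dict.fromkeys(profile):          # keeps order, removes duplicates
        fn, cat, sub = parse_csf_id(item)
        if sub is None:
            raise ValueError(f"{item} is a category; profiles list subcategories")
        by_function[fn].append(f"{fn}.{cat}-{sub}")
    uncovered = [FUNCTIONS[code] for code, items in by_function.items() if not items]
    return by_function, uncovered


# Constructed skeleton profile using only the subcategories named in this post.
SKELETON_PROFILE = ["ID.AM-2", "ID.RA-1", "PR.AC-4", "DE.DP-3"]

if __name__ == "__main__":
    selected, gaps = profile_coverage(SKELETON_PROFILE)
    for code, items in selected.items():
        print(f"{FUNCTIONS[code]:8} {', '.join(items) or '(none selected)'}")
    print("functions with no subcategory selected:", gaps)
```

For the four identifiers above the routine reports Respond and Recover as uncovered, which is the kind of gap a reviewer of a draft application security policy would want surfaced before the profile is signed off.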
Learn to identify security vulnerabilities in applications and implement secure code practices to prevent events like data breaches and leaks. Become familiar with DevSecOps practices, and SAST for identifying security flaws.
The Chrome web browser was recently updated to a new stable version released by Google. Google Chrome’s updated version Chrome 106 offers a number of brand-new features and improvements, and it also includes a number of security updates.
The new version of Chrome 106 has been already released by Google to the stable channel for all the major platforms:-
Windows (Chrome 106.0.5249.61/62)
Mac (Chrome 106.0.5249.61)
Linux (Chrome 106.0.5249.61)
The update will be rolled out to all devices throughout the world in phases over the course of hours, days, or even weeks.
Security fixes
This update contains 20 security fixes that have been applied to Chrome 106 Stable so far. As usual, the official release notes only include a list of security issues that were reported externally to the developers.
There are different levels of security ratings, the highest being high. At least five of the security issues have been publicly disclosed. These five flaws were rated as high, while the remaining ones have been rated between medium and low.
Here below we have mentioned those five high severity security vulnerabilities:-
CVE-2022-3304: Use after free in CSS.
CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools.
CVE-2022-3305: Use after free in Survey.
CVE-2022-3306: Use after free in Survey.
CVE-2022-3307: Use after free in Media.
There seem to be no exploits in the wild that take advantage of any of the issues. The release notes for this version do not mention anything about that.
Update Now
To speed up the installation of the Chrome 106 update, Chrome users can load the following URL in the address bar of the browser:-
chrome://settings/help
Whenever you open this webpage in Chrome, it will display the current version and automatically check for any updates that have been released.
NJVC has been added to the victim list of the BlackCat (ALPHV) ransomware gang. NJVC provides IT support to the US government’s intelligence and defense organizations.
With annual revenue of over $290 million, the company NJVC has a very impressive record. It is claimed that the BlackCat Ransomware Gang has hacked the Department of Defense of the United States of America.
DarkFeed, a deep web intelligence company that monitors the dark web, spotted the message on 28 September. BlackCat had posted a breach declaration, which was then promptly suspended, The Register said.
Until 30 September, the Dark Web site that hosted BlackCat’s leak site was accessible. NJVC is no longer listed as a victim of the gang and has been removed from its website.
“We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” ALPHV said, per the screenshot.
Earlier today it was reported that ALPHV ransomware group had breached a United States Department of Defense contracting company which provides IT infrastructure services.
In late 2021, the first outbreaks of BlackCat ransomware were observed, and the Rust programming language was used in BlackCat.
Ransomware-as-a-service (RaaS) is one of the business models operated by this organization, just like so many others in the criminal underworld.
A number of prominent ransomware families are known to have been used by threat actors who started deploying BlackCat ransomware.
Here below we have mentioned those ransomware families:-
Conti
LockBit
REvil
The Darkside and Blackmatter ransomware cartels are linked with the BlackCat cartel, so the group may have a well-established network with close ties to the rest of the ransomware business.
BlackCat has been among the most active and prominent ransomware gangs in recent years. It is estimated that in 2022, about 12% of all attacks were perpetrated by this group.
It is estimated that the group’s activity has increased by 117% quarter over quarter. Moreover, as part of the group’s strategy, high-profile, critical industries are being targeted.
The Italian luxury sports car manufacturer Ferrari confirmed the availability of internal documents online, but said it has no evidence of cyber attack.
Documents belonging to the Italian luxury sports car manufacturer Ferrari are circulating online, the company confirmed their authenticity stating it is not aware of cyber attacks.
Ferrari is investigating the leak of the internal documents and announced it will implement all the necessary actions.
While the circumstances suggest the company could have suffered a ransomware attack, the car manufacturer stated that it has no evidence of a compromise of its systems or of ransomware, and added that its business and operations were not impacted.
The news of the alleged cyber attack was first reported by the Italian website Red Hot Cyber, which reported that the ransomware gang RansomEXX claimed on its Tor leak site to have breached the popular car maker.
The ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.
The source of the documents is still unclear. In the past, the ransomware gang Everest breached the systems of the Speroni SPA, a company in the supply chain of multiple car makers, including Ferrari and leaked company documents online.
In August 2022, hackers launched a limited wave of attacks that targeted at least 10 organizations around the world.
In these attacks, the hackers exploited two newly disclosed zero-day vulnerabilities in order to gain access to and compromise Exchange servers.
The Chopper web shell was installed during these attacks in order to make hands-on keyboard access more convenient. Attackers utilize this technique to gain access to Active Directory in order to perform reconnaissance and exfiltration of data.
As a result of this exploitation in the wild, it is likely that these vulnerabilities will be weaponized further in the coming days.
0-Day Flaws Exploited
Here below we have mentioned the two 0-Day flaws exploited by the hackers in the wild to attack 10 organizations:-
CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability with CVSS score: 8.8.
CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability with CVSS score: 8.8.
The combination of these two zero-day vulnerabilities together has been named “ProxyNotShell.” The exploitation of these vulnerabilities is possible by using a standard account with a standard authentication process.
There are many different ways to acquire the credentials of standard users. GTSC, a Vietnamese cybersecurity company, was the first to discover that the vulnerabilities were being exploited.
It is suspected that these intrusions were carried out by a Chinese threat actor.
Mitigation
No action is required on the part of Microsoft Exchange Online customers. For customers using on-premises Exchange, Microsoft recommended reviewing the URL Rewriting Instructions and implementing them immediately.
If you are a Microsoft Exchange Server user using Microsoft 365 Defender, then you have to follow the following checklist provided by Microsoft:-
Enable cloud-based protection in Microsoft Defender Antivirus.
Protect security services from being interrupted by attackers by enabling tamper protection.
Enable EDR in block mode so that Microsoft Defender for Endpoint can detect and act on malicious artifacts.
Block malicious domains and other malicious content by enabling network protection.
Enable full automation for investigation and remediation. By doing so Microsoft Defender for Endpoint can be notified of breaches immediately, allowing it to take immediate action.
Discovering your network’s devices will allow you to have greater visibility into what’s going on.
While as additional prevention measures they also recommended users to:-