InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.
This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.
These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science.
A month after that, we wrote about a PhD student (who should have known better) and their supervisor (who is apparently an Assistant Professor of Computer Science at a US university, and very definitely should have known better) who went out of their way to introduce numerous apparently legitimate but not-strictly-needed patches into the Linux kernel.
They called these patches hypocrite commits, and the idea was to show that two peculiar patches submitted at different times could, in theory, be combined later on to introduce a security hole, effectively each contributing a sort of “half-vulnerability” that wouldn’t be spotted as a bug on its own.
As you can imagine, the Linux kernel team did not take kindly to being experimented on in this way without permission, not least because they were faced with cleaning up the mess:
Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university…
Whether you are getting ready for the back-to-school season, getting a new work laptop or fancying a new gaming PC, learn the steps to protect your new machine from cyberthreats.
With Windows 11 making headlines for all the right reasons, it could be a great time to invest in a new PC for the family or the home office. But any new household computing device should come with an attendant safety warning. Hackers will be after your data the minute it’s connected to the internet. And they have numerous ways to get it.
That’s why you need to think about cybersecurity even before plugging your machine in and switching it on. Take time out now to refresh your memory and make cyber-hygiene a number one priority.
What are the main threats to my PC?
As soon as you’re connected to the internet, malicious actors will be looking to steal your data, encrypt and hold your machine ransom, lift financial details, secretly mine for cryptocurrency, and much more. They’ll do so via some tried and true methods, which often rely on cracking, stealing or guessing passwords, or exploiting software vulnerabilities. Top threats include:
Phishing: One of the oldest con tricks in the book. Cybercriminals masquerade as legitimate and trustworthy sources (banks, tech providers, retailers etc.) and try to persuade users into clicking on links and/or opening attachments in emails. Doing so will take users to a spoofed site requesting that they fill in personal information (like logins and/or address/financial details) or could trigger a covert malware download.
Drive-by downloads and malicious ads: Sometimes merely visiting an infected website, or a site running a malicious ad, can trigger a malware download. We may assume that well-known sites are less likely to be compromised in this way because they are better resourced and can afford enhanced protection, but there have been plenty of counter-examples over the years showing that this isn't always the case. That's why it's essential to invest in security software from a reputable provider and to ensure that your browser's security settings are correct.
Digital skimming: Hackers may also compromise the payment pages of e-commerce sites with malware designed to silently harvest your card data as it is entered. This is difficult to guard against, as the issue lies with the provider. However, shopping with better-known sites can reduce the risk.
Malicious apps and files: Cybercriminals also hide malware inside legitimate-looking applications and downloads. Many of these are posted to online forums, P2P sites, and other third-party platforms. That's why it makes sense to download only from trusted sources, and to use an effective security software tool to scan for malicious software.
Ten tips to keep your computer safe
Many of the below steps may be taken care of automatically by your PC manufacturer/Microsoft, but it pays to dig a little deeper to make sure all the settings are as secure as you need them to be. Here are our top 10 tips for computer safety:
Apply automatic updates for the OS and any software running on the PC
Remove bloatware that often comes preinstalled on PCs. If you don't recognize a piece of software, check what it does before removing it so that you don't degrade the machine's performance. The fewer pieces of software on the machine, the less opportunity for attackers to exploit bugs in them
Install multi-layered security software from a reputable third-party vendor and keep it up to date
Configure backups, and ideally back up a copy of data to a remote storage device kept offline
Secure the browser by adjusting privacy and security settings and ensuring it is on the latest version
Switch on and configure your firewall on the OS and home router, ensuring it is protected with a strong password
Download a multi-factor authentication app in order to help protect your accounts from being hijacked via phishing and other attacks
Avoid using USBs that you don’t own, in case they are loaded with malware
Use a password manager to ensure that all your credentials are unique, strong, and hard to crack
Only download apps/files from trusted sources and avoid pirated material, which can often be booby-trapped with malware
It goes without saying that, even by following these best practices, you could still be at risk when browsing online. Always proceed with caution, don’t reply to unsolicited emails/online messages, and ensure device encryption is switched on.
Internet attacks on computer systems are pervasive. It can take from less than a minute to as much as eight hours for an unprotected machine connected to the Internet to be completely compromised. It is the information security architect's job to prevent attacks by securing computer systems. This book describes both the process and the practice of assessing a computer system's existing information security posture. Detailing the time-tested practices of experienced security architects, Securing Systems explains how to deliver the right security at the right time in the implementation lifecycle.
Many experts often overlook hardware-based security and its vital importance in establishing a secure workspace.
When it comes to cybersecurity, everyone likes to talk about software and the dangers that it poses. However, people often overlook hardware-based security and its vital importance in establishing a secure workspace. This is attributed to a general lack of knowledge when it comes to hardware security and how it works. So, it’s time to bust some myths that you might think are true when it comes to hardware security.
Myth #1: We never hear about hardware-based attacks, they don’t exist!
Just because you don’t hear about the problem frequently, it doesn’t mean that it doesn’t exist. Usually, cyberattacks that make the headlines are those involving large corporations that have fallen victim to a software-based attack carried out by infamous cybercrime syndicates. These stories are juicy and scandalous and entice audiences to read the article, generating more clicks onto the media outlet’s website. Additionally, many businesses choose to withhold information pertaining to hardware-based attacks as it indicates insufficient physical security, which reflects negatively upon the business. Another reason why you don’t often hear about hardware-based attacks is that enterprises who fall victim to them are oblivious to it. When an enterprise gets breached, the natural assumption is that it was due to a software vulnerability or phishing scam. Such misunderstanding, coupled with a lack of resources to detect a hardware attack tool, results in the attack method getting misconstrued.
However, that is not to say that hardware-based attacks don't receive any media attention. One example that has received public attention concerns ATMs. These cash-dispensing machines are becoming a go-to target for cybercriminals because of the instant payout. Instead of using brute-force attacks on ATMs, cybercriminals can now just attach a hardware attack tool, known as a Black Box, to the internal computer to trick it into releasing cash through a MitM attack. Since 2021, Black Box attacks have been on the rise and have amounted to losses of 1.5 million euros in Europe alone.
Myth #2: We have security measures in place, and all our employees use VPNs, so we are protected!
Yes, your security measures like NAC, IDS/IDP, firewalls and VPNs definitely provide some level of protection. However, malicious actors are continually evolving and finding new attack methods, which means exploiting blind spots, one of which is the hardware domain. Existing security solutions lack visibility into the Physical Layer (Layer 1), leaving them unfit to defend against, let alone identify, hardware-based attack tools. These malicious devices are designed to evade detection by operating on the Physical Layer and mimic human-like commands and executions, making them extremely dangerous as they can carry out a variety of harmful attacks without any obstacles in their way. If you are unable to determine all your assets’ hardware information within 10 seconds, you are, in fact, not protected.
Myth #3: “We don’t use USBs, so why should it concern us”
That’s a line we’ve heard many times before, but here’s the thing: you do, and it should!
Sure, your organization might not use flash drives and there might be some authorization capabilities in EPS/EDR solutions that block phones, keyboards and mice with certain VID/PIDs. That’s great, but what about the keyboards employees use to type? And the mice they use to navigate? Correct, those are USBs. They might be authorized, but that doesn’t mean they can’t get impersonated by a covert spoofing device. So long as there are HIDs in the work environment, there is the risk that one (or more) may be illegitimate. And without Physical Layer visibility, there’s no mechanism in place to determine what’s legitimate or not.
Myth #4: Why would anyone want to hack us; we aren’t an interesting target?
That’s where you’re wrong. In today’s day and age, almost anything that has data is of value and there is someone out there who wants to access it, no matter how mundane it could be. Not all hackers target large nuclear facilities or governmental institutions; the risk is usually too high for most cybercriminals. Your company, however, is a prime target – there’s data and it’s accessible. Whether the perpetrator wants to steal information for monetary gain, access it to gain a competitive advantage, or encrypt it in a ransomware attack, your company provides that opportunity and a hardware attack tool can do the job.
In short, every enterprise is a target for malicious actors; it can happen to anyone for any number of reasons. The important thing to remember is that you can prepare and build your company’s resistance to these attacks by gaining visibility on the Physical Layer through hardware-based security.
About the author: Julien Katzenmaier, Content Writer at Sepio
Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba
You may not recognize the name Carine Kanimba, but you have probably heard of her dad: Paul Rusesabagina. He was the manager of Hôtel des Milles Collines and rather famously decided to shelter some 1,200 mostly Tutsi Rwandans in his hotel during the 1994 genocide in Rwanda. Don Cheadle played him in the movie Hotel Rwanda.
After, Rusesabagina became a superstar ambassador of human rights. He wrote an autobiography about his work during the genocide; President George W. Bush awarded him the Medal of Freedom; and he went on the speakers’ circuit not just talking about 1994 – but criticizing the current government of President Paul Kagame for trampling on human rights.
In August 2020, Rusesabagina boarded a private jet for what he thought would be a trip to Burundi, but instead he was rendered to Rwanda. He has since been sentenced to 25 years in prison.
Carine Kanimba was on Capitol Hill last week to talk not just about her dad (who adopted sisters Carine and Anaïse shortly after the genocide), but also her recent discovery that she’s been targeted by a commercial spyware program called Pegasus. And she believes the Rwandan government was behind it.
Pegasus spyware is the brainchild of an Israeli company called NSO Group and it has been found on the phones of so many activists around the world it has become a kind of cautionary tale about the commercial spyware industry. It has been linked to the murder of journalist Jamal Khashoggi, discovered on the phones of Mexican opposition leaders, Catalonian politicians, and journalists and lawyers around the world. (In a statement, NSO Group told Click Here that it “thoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found.”)
The Click Here podcast sat down with Kanimba shortly after her Congressional testimony to talk to her about her role as a human rights advocate, what it is like finding oneself on the receiving end of a spyware campaign, and why she is confident she will win her father’s release. The interview has been edited and shortened for clarity.
CLICK HERE: We wanted to start by saying we’re very sorry about what you’re going through with your father…
According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company's cybersecurity posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it.
Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organization's security 8 out of 10 on average, three-quarters of organizations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs; 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren't engaged: just 28% of UK and US workers say security awareness training is engaging, and only 36% say they're paying full attention. Of those who are, only half say it's helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
The report also reveals a disconnect when it comes to reporting security risks. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.
Gootkit access-as-a-service (AaaS) malware is back with updated tactics and fileless delivery of Cobalt Strike beacons.
Gootkit runs on an access-as-a-service model and is used by different groups to drop additional malicious payloads on compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as the SunCrypt and REvil (Sodinokibi) ransomware, the Kronos trojan, and Cobalt Strike.
In the past, Gootkit distributed malware masquerading as freeware installers; now it uses legal documents to trick users into downloading these files.
The attack chain starts with a user searching for specific information in a search engine. The attackers use SEO poisoning (black-hat SEO) to place a website compromised by the Gootkit operators among the results.
Upon visiting the website, the victim is presented with what looks like an online forum directly answering their query. The forum hosts a ZIP archive containing a malicious .js file, which is used to establish persistence and drop a Cobalt Strike binary into the memory of the infected system.
“When the user downloaded and opened this file, it spawned an obfuscated script which, through registry stuffing, installed a chunk of encrypted codes in the registry and added scheduled tasks for persistence. The encrypted code in the registry was then reflectively loaded through PowerShell to reconstruct a Cobalt Strike binary that runs directly in the memory filelessly.” reads the analysis published by Trend Micro. “Much of what we have just described is still in line with the behavior we reported in 2020, but with a few minor updates. This indicates that Gootkit Loader is still actively being developed and has proved successful in compromising unsuspecting victims.”
The experts pointed out that the encrypted payloads stored in the registry now use a custom text-replacement algorithm instead of base64 encoding.
The Cobalt Strike binary loaded directly to the memory of the victim’s system has been observed connecting to the IP address 89[.]238[.]185[.]13, which is a Cobalt Strike C2.
“One key takeaway from this case is that Gootkit is still active and improving its techniques. This implies that this operation has proven effective, as other threat actors seem to continue using it. Users are likely to encounter Gootkit in other campaigns in the future, and it is likely that it will use new means of trapping victims.” concludes the report. “This threat also shows that SEO poisoning remains an effective tactic in luring unsuspecting users. The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard. Such tactics highlight the importance of user awareness and the responsibility of website owners in keeping their cyberspaces safe.”
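The chain above (script host running a .js from the downloaded ZIP, bulk registry writes, a scheduled task for persistence, PowerShell reading the registry and loading the result reflectively, and a beacon to the C2 that Trend Micro observed) maps onto a handful of endpoint telemetry rules. The following is an added example, not the report's or the vendor's code: it runs those rules over constructed Sysmon-style events (process create = 1, network = 3, registry set = 13); the field names, thresholds and sample command lines are assumptions to be mapped onto your own schema.

```python
"""Heuristic detection for the Gootkit loader chain (added example).

Runs a few rules over constructed Sysmon-style events. Field names, the
registry-write threshold and the sample values are assumptions.
"""
import re

# The only indicator the post gives: the Cobalt Strike C2 observed by Trend Micro.
KNOWN_C2 = {"89.238.185.13"}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
JS_FILE = re.compile(r'\.js"?\s*$', re.I)
USER_PATHS = re.compile(r"\\(Downloads|Temp|AppData)\\", re.I)
REG_READ = re.compile(r"Get-ItemProperty|\[Microsoft\.Win32\.Registry", re.I)
REFLECTIVE_LOAD = re.compile(r"Reflection\.Assembly\]::Load|\bIEX\b|Invoke-Expression", re.I)


def rule_js_from_user_path(ev):
    """Script host running a .js that sits in a user-writable path (the ZIP lure)."""
    return (ev["event_id"] == 1
            and ev["image"].lower().endswith(SCRIPT_HOSTS)
            and JS_FILE.search(ev["command_line"]) is not None
            and USER_PATHS.search(ev["command_line"]) is not None)


def rule_registry_stuffing(events, threshold=5):
    """One script-host process writing many HKU values: the encrypted code being
    parked in the registry. Returns the set of offending PIDs."""
    counts = {}
    for ev in events:
        if (ev["event_id"] == 13
                and ev["image"].lower().endswith(SCRIPT_HOSTS)
                and ev["target_object"].upper().startswith("HKU\\")):
            counts[ev["pid"]] = counts.get(ev["pid"], 0) + 1
    return {pid for pid, n in counts.items() if n >= threshold}


def rule_task_from_script_host(ev):
    """schtasks /create spawned by a script host: the persistence step."""
    return (ev["event_id"] == 1
            and ev["image"].lower().endswith("schtasks.exe")
            and ev.get("parent_image", "").lower().endswith(SCRIPT_HOSTS)
            and "/create" in ev["command_line"].lower())


def rule_ps_reflective_from_registry(ev):
    """PowerShell reading registry data and handing it to a reflective loader."""
    return (ev["event_id"] == 1
            and ev["image"].lower().endswith("powershell.exe")
            and REG_READ.search(ev["command_line"]) is not None
            and REFLECTIVE_LOAD.search(ev["command_line"]) is not None)


def rule_known_c2(ev):
    """Outbound connection to the C2 address named in the report."""
    return ev["event_id"] == 3 and ev.get("dest_ip") in KNOWN_C2


def triage(events):
    """Return the sorted list of rule names that fired over the event stream."""
    fired = set()
    for ev in events:
        if rule_js_from_user_path(ev):
            fired.add("js_from_user_path")
        if rule_task_from_script_host(ev):
            fired.add("schtasks_from_script_host")
        if rule_ps_reflective_from_registry(ev):
            fired.add("powershell_reflective_from_registry")
        if rule_known_c2(ev):
            fired.add("known_cobalt_strike_c2")
    if rule_registry_stuffing(events):
        fired.add("registry_stuffing")
    return sorted(fired)


# Constructed sample telemetry reproducing the chain described in the post.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\a\Downloads\agreement_form\agreement.js"'},
] + [
    {"event_id": 13, "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "target_object": rf"HKU\S-1-5-21-1\Software\Example\chunk{i}", "details": "..."}
    for i in range(8)
] + [
    {"event_id": 1, "pid": 4120, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": 'schtasks.exe /create /tn "Updater" /sc onlogon /tr "powershell -w hidden ..."'},
    {"event_id": 1, "pid": 4130, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "powershell -w hidden $c=(Get-ItemProperty HKCU:\\Software\\Example).chunk0;"
                     "[System.Reflection.Assembly]::Load($b)"},
    {"event_id": 3, "pid": 4130, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "89.238.185.13", "dest_port": 443},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Any single rule firing is worth a look; several firing on one host within minutes is the chain itself.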
The best-known cryptographic library in the open-source world is almost certainly OpenSSL.
Firstly, it’s one of the most widely-used, to the point that most developers on most platforms have heard of it even if they haven’t used it directly.
Secondly, it’s probably the most widely-publicised, sadly because of a rather nasty bug known as Heartbleed that was discovered more than eight years ago.
Despite being patched promptly (and despite reliable workarounds existing for developers who couldn’t or wouldn’t update their vulnerable OpenSSL versions quickly), Heartbleed remains a sort of “showcase” bug, not least because it was one of the first bugs to be turned into an aggressive PR vehicle by its discoverers.
With an impressive name, a logo all of its own, and a dedicated website, Heartbleed quickly became a global cybersecurity superstory, and, for better or worse, became inextricably linked with mentions of the name OpenSSL, as though the danger of the bug lived on even after it had been excised from the code.
Life beyond OpenSSL
But there are several other open-source cryptographic libraries that are widely used as well as or instead of OpenSSL, notably including Mozilla’s NSS (short for Network Security Services) and the GNU project’s GnuTLS library.
As it happens, GnuTLS just patched a bug known as CVE-2022-2509, reported in the project's security advisory GNUTLS-SA-2022-07-07.
This patch fixes a memory mismanagement error known as a double-free.
Microsoft’s announcement that it would block macros in Microsoft Office apps by default didn’t stop threat actors—they have simply resorted to new tricks.
“Threat actors across the landscape responded by shifting away from macro-based threats,” Proofpoint researchers noted in a blog post. In fact, an analysis of campaign data, “which include threats manually analyzed and contextualized,” showed the use of VBA and XL4 Macros ticked down 66% or so between October 2021 and June 2022.
“While Proofpoint observed a notable increase in other attachment types, macro-enabled documents are still used across the threat landscape,” the researchers wrote, explaining that the tactics, techniques and procedures (TTPs) have changed, with miscreants turning to use of container files—like ISO and RAR—and Windows Shortcut files to pass malware along, according to Proofpoint research.
Threat actors have long used VBA macros “to automatically run malicious content when a user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application, but can also be weaponized by threat actors,” researchers pointed out. “Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.”
Microsoft took steps to block VBA macros by keying on a Mark of the Web (MOTW) attribute called the Zone.Identifier that shows whether a file comes from the internet and is added by Microsoft apps to some documents downloaded from the web. But bad actors can bypass MOTW by using container file formats.
By using container file formats like ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) files to send macro-enabled documents, “ … the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” researchers noted. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.”
Attackers can also use container files to distribute payloads directly; when opened, the containers hold “additional content such as LNKs, DLLs or executable (.exe) files that lead to the installation of a malicious payload.”
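The MOTW gap described above (the Zone.Identifier stream on the downloaded container does not follow the files extracted from it) is easiest to close at the mail gateway, by looking inside the container before the user does. The following is an added example, not Proofpoint's or Microsoft's code: it parses a Zone.Identifier stream, builds a constructed ZIP in memory holding a macro-enabled workbook and an LNK, and lists the inner members that would reach Office without any zone marking. ISO, IMG and RAR need their own parsers and are assumed out of scope here.

```python
"""Attachment triage for the container-file MOTW bypass (added example).

A ZIP downloaded from the internet carries the Zone.Identifier stream, but
files extracted from it do not, so Office will not apply the macro block to a
macro-enabled document found inside. The scanner below lists such members.
"""
import io
import zipfile

# Inner file types that matter once they are freed from the container's MOTW.
MACRO_DOCS = {".docm", ".xlsm", ".pptm", ".xls", ".doc", ".xlam", ".xll"}
DIRECT_PAYLOADS = {".lnk", ".exe", ".dll", ".js", ".vbs", ".hta"}
NESTED_CONTAINERS = {".zip", ".iso", ".img", ".rar", ".7z"}


def parse_zone_identifier(stream: bytes):
    """Parse a Zone.Identifier alternate data stream; return ZoneId or None.
    ZoneId=3 is the Internet zone that triggers the macro block."""
    zone = None
    for raw in stream.decode("utf-8", "replace").splitlines():
        key, _, value = raw.strip().partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            zone = int(value)
    return zone


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def scan_zip(data: bytes, depth=0, max_depth=2):
    """Return (member, reason) for every risky member of a ZIP, recursing into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext in MACRO_DOCS:
                findings.append((info.filename, "macro-capable document loses MOTW on extraction"))
            elif ext in DIRECT_PAYLOADS:
                findings.append((info.filename, "direct payload inside container"))
            elif ext in NESTED_CONTAINERS:
                findings.append((info.filename, "nested container"))
                if ext == ".zip" and depth < max_depth:
                    inner = zf.read(info)
                    findings += [(f"{info.filename}/{n}", why)
                                 for n, why in scan_zip(inner, depth + 1, max_depth)]
    return findings


def triage_attachment(filename: str, data: bytes, zone_stream=None):
    """Decide whether an attachment warrants blocking.

    zone_stream is the attachment's own Zone.Identifier ADS (None if absent);
    it is recorded so the verdict shows that MOTW was present on the outer file
    even though it would not survive extraction."""
    zone = parse_zone_identifier(zone_stream) if zone_stream else None
    verdict = {"filename": filename, "container_has_motw": zone == 3, "findings": []}
    if _ext(filename) == ".zip":
        verdict["findings"] = scan_zip(data)
    verdict["action"] = "block" if verdict["findings"] else "allow"
    return verdict


def build_sample_zip(benign_only=False) -> bytes:
    """Constructed lure: a ZIP holding a macro-enabled workbook and an LNK
    (placeholder bytes, not real documents), or only a text file if benign_only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if not benign_only:
            zf.writestr("invoice_2022.xlsm", b"placeholder-not-a-real-workbook")
            zf.writestr("README.lnk", b"placeholder-not-a-real-shortcut")
        zf.writestr("notes.txt", b"harmless")
    return buf.getvalue()


# Constructed Zone.Identifier stream as Windows writes it for an internet download.
SAMPLE_ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/x.zip\r\n"

if __name__ == "__main__":
    print(triage_attachment("invoice.zip", build_sample_zip(), SAMPLE_ZONE_STREAM))
```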
“The change to block macros by default is a very good thing; has been suggested for years and it’s good Microsoft is finally doing it,” said Rob Jenks, SVP strategy and business at Tanium. He explained that “as with all security techniques, it’s not a silver bullet and attackers inevitably move on to the next attack pathway(s)—so the findings aren’t surprising.”
But “regarding the new attacks, there are other restrictions on not trusting zip content, so these other mechanisms throw more consent dialogs into the user’s face, potentially making a phishing attack less reliable,” Jenks said.
Proofpoint researchers have not only noted a two-thirds decrease in macro-enabled documents leveraged as attachments in email-based threats, but they observed “the number of campaigns leveraging container files including ISO and RAR, and Windows Shortcut (LNK) attachments increased nearly 175%,” researchers said.
“They attribute the increase in part to the uptick in use of ISO and LNK files in campaigns. Cybercriminal threat actors are increasingly adopting these as initial access mechanisms, such as actors distributing Bumblebee malware,” they said. “The use of ISO files increased over 150% between October 2021 and June 2022. More than half of the 15 tracked threat actors that used ISO files in this time began using them in campaigns after January 2022.”
Most notably, LNK files have emerged as a go-to for threat actors—at least 10 of them have begun using LNK files since February. In fact, the number of campaigns containing LNK files exploded an incredible 1,675% since October 2021.
While fewer campaigns are using XL4 macros, Proofpoint did see a spike in macro use in March 2022, which researchers attributed to an uptick in campaigns with higher volumes of messages conducted by the TA542 actor delivering Emotet. “Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros,” the researchers wrote. “Emotet activity subsequently dropped off in April and it began using additional delivery methods including Excel Add-In (XLL) files and zipped LNK attachments in subsequent campaigns.”
The adoption of ISO and other container file formats is driving the pivot away from macro-enabled documents to different file types that can bypass the macro-blocking protections offered by Microsoft. “Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft and ransomware,” said Proofpoint researchers, who called the change “one of the largest email threat landscape shifts in recent history.”
Proofpoint has also observed a slight increase in threat actors using HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022, but the overall number remains low. Proofpoint researchers also observed threat actors increasingly adopt HTML smuggling, a technique used to “smuggle” an encoded malicious file within a specially crafted HTML attachment or web page.
A vulnerability, tracked as CVE-2022-30563, affecting Dahua IP cameras can allow attackers to seize control of the devices.
The CVE-2022-30563 vulnerability affecting Dahua IP cameras can allow attackers to seize control of the devices. The issue lies in Dahua's implementation of the Open Network Video Interface Forum (ONVIF) standard.
ONVIF provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.
The vulnerability was discovered by researchers from Nozomi Networks and received a CVSS score of 7.4.
“We’re publishing the details of a new vulnerability (tracked under CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in some IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions.” reads the advisory published by Nozomi Networks. “This vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.”
ONVIF-conformant products allow users to perform a variety of actions on the remote device through a set of standardized Application Programming Interfaces (APIs), including watching camera footage, locking or unlocking a smart door, and performing maintenance operations.
The flaw resides in the “WS-UsernameToken” authentication mechanism implemented by Dahua in some of its IP cameras. Due to the lack of checks to prevent replay attacks, a threat actor can sniff an unencrypted ONVIF interaction and indefinitely replay the credentials in new requests towards the camera, which the device accepts as valid authenticated requests.
Once the credentials have been captured, an attacker can add an administrator account and use it to obtain full access to the device and perform actions such as watching live footage from the camera, as shown below.
An attacker can conduct this attack by capturing one unencrypted ONVIF request authenticated with the WS-UsernameToken schema.
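WS-UsernameToken carries a Nonce, a Created timestamp and PasswordDigest = Base64(SHA-1(Nonce + Created + Password)). The digest is only replay-proof if the server bounds Created and remembers nonces it has already accepted; a verifier that skips both checks accepts the same captured header forever, which is the behaviour described above. The following is an added example, not Dahua's or Nozomi's code: it builds a token the way a client does and verifies it the way a camera should, refusing stale timestamps and reused nonces. The user store, password and freshness window are constructed assumptions.

```python
"""Replay-resistant verification of an ONVIF WS-UsernameToken (added example).

PasswordDigest = Base64(SHA-1(Nonce + Created + Password)) per WS-Security.
The verifier rejects Created values outside a window and nonces seen before.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

PASSWORDS = {"admin": "correct horse battery staple"}   # constructed user store
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _digest(nonce: bytes, created: str, password: str) -> str:
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: the four fields an ONVIF request carries in its security header."""
    nonce = os.urandom(16)
    created = now.strftime(TS_FORMAT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": _digest(nonce, created, password)}


class TokenVerifier:
    """Server side. Remembers nonces for as long as their Created value stays acceptable,
    so a captured header cannot be presented a second time inside the window, and
    fails the freshness check after it."""

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self._seen = {}          # nonce bytes -> Created datetime

    def _purge(self, now):
        for nonce, created in list(self._seen.items()):
            if now - created > self.window:
                del self._seen[nonce]

    def verify(self, token: dict, now: datetime):
        """Return (ok, reason). Timestamp and nonce are checked before the digest."""
        try:
            created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError) as exc:
            return False, f"malformed token: {exc}"
        if abs(now - created) > self.window:
            return False, "Created outside freshness window"
        self._purge(now)
        if nonce in self._seen:
            return False, "nonce already used (replay)"
        password = PASSWORDS.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        expected = _digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        self._seen[nonce] = created
        return True, "ok"


def demo():
    """First use succeeds; the same captured header is refused 30 s later; the same
    header a day later fails freshness; a wrong password fails the digest."""
    now = datetime(2022, 7, 28, 12, 0, 0, tzinfo=timezone.utc)
    token = make_token("admin", PASSWORDS["admin"], now)
    verifier = TokenVerifier()
    first = verifier.verify(token, now)
    replay = verifier.verify(token, now + timedelta(seconds=30))
    stale = TokenVerifier().verify(token, now + timedelta(days=1))
    wrong = TokenVerifier().verify(make_token("admin", "wrong", now), now)
    return first[0], replay[1], stale[1], wrong[1]


if __name__ == "__main__":
    print(demo())
```

Over plain HTTP the password is still exposed to offline guessing from the captured digest, so the nonce cache is a fix for replay only; TLS (or the HTTP Digest/TLS options ONVIF profiles allow) is what protects the credential itself.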
The following versions of Dahua video products are affected:
Dahua ASI7XXX: versions prior to v1.000.0000009.0.R.220620
Dahua IPC-HDBW2XXX: versions prior to v2.820.0000000.48.R.220614
Dahua IPC-HX2XXX: versions prior to v2.820.0000000.48.R.220614
The vendor addressed the issue with the release of a patch on June 28, 2022.
“In addition to building security, surveillance cameras are used throughout many critical infrastructure sectors such as oil & gas, power grids, telecommunications, etc. These cameras are used to oversee many production processes, providing remote visibility to process engineers. Threat actors, nation-state threat groups in particular, could be interested in hacking IP cameras to help gather intel on the equipment or production processes of the target company.” concludes Nozomi. “This information could aid in reconnaissance conducted prior to launching a cyberattack. With more knowledge of the target environment, threat actors could craft custom attacks that can physically disrupt production processes in critical infrastructure.”
A CISO’s mandate is to empower the business to move forward on key growth initiatives and simultaneously reduce risk. To this end, they must continuously evaluate and weigh the security ramifications of many strategic initiatives, ultimately weighing the potential impact on a company’s:
• Speed to market.
• Competitive advantage.
• Brand reputation.
By focusing on how their security infrastructure helps or hinders delivery on those three fronts, CISOs help drive business success. In today’s landscape, one new area has emerged that is integrally connected to all three of those company dynamics: the use of APIs to fuel innovation.
APIs are eating the world.
APIs are essential for companies to support their innovative and revenue-generating digital transformation initiatives. Open banking services, mobile and online services, digital information sharing apps, brands like DoorDash, Uber, PayPal, Spotify, Netflix, Tesla—you name it—all require APIs to function.
Companies are developing and pushing out APIs faster, and in larger quantities, than ever before. APIs allow companies to build and bring advanced services to market, opening up new avenues of business and revenue streams. Digitalization hastened this trend, and Covid accelerated its implementation. Companies had to quickly deploy remote services for workers and customers and build product integrations to support myriad devices—all of which demanded APIs. It’s no wonder that the public API hub Postman hit a record 20 million users earlier this year.
However, because APIs share highly sensitive data with customers, partners and employees, they have also become a very attractive target for attackers. CISOs have recognized the risk.
The faster a business can bring new services to market, the faster the benefits. For some companies (under Covid), speed to market meant the difference between keeping the business up and running versus shutting down operations. API usage ensured that organizations were open for business.
Businesses must always assess the value and the costs in terms of both achieving or losing the speed-to-market race. They must consider the obstacles that could prevent speed to market. In the case of APIs, security threats pose an enormous obstacle. They can slow down rollouts or, even worse, make them untenable.
By protecting APIs from exploitation, companies ensure their ability to drive speed to market, growth opportunities and competitive advantage.
APIs deliver a competitive advantage.
Speed to market is an important underlying factor that contributes to an organization’s competitive advantage. As an industry front runner, businesses have an opportunity to gain the lion’s share of a market and its profits.
In financial services, competitive advantage is a critical business objective, and technology transformation is its core strategic component. Fintech companies have fueled customer expectations, and open banking is right behind them, offering unimaginable innovation and conveniences by easily linking mobile apps to banking accounts.
Banking and financial institutions must stay on the cutting edge of these services to compete and stay relevant. APIs power these capabilities and allow institutions to leapfrog ahead of the competition.
However, security threats and lack of regulatory adherence can compromise successful API implementation and result in costly fines. Businesses must ensure safe passage between the emerging applications and customers’ valuable financial data. APIs represent the access point to PII and other important data assets that attackers target for their own gain and to the detriment of the business.
Dedicated API security is the cost of doing business.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs. APIs support the interconnectivity of a company’s crown jewels—the essential and sensitive data that businesses require to deliver their digital goods and services.
Every company that is developing software has become an API-driven company. For API-driven companies, protecting those APIs is no longer a question—it’s simply the cost of doing business in a digitally transformed landscape. Without dedicated API security to protect these crucial connectivity tools, companies put everything at risk—speed to market, competitive advantage and the brand itself.
Last but not least, CISOs must build a collaborative approach to API security. APIs touch all areas of the business. CISOs need to take an active role in educating teams about their API security initiatives and their importance in reducing the company’s risks. CISOs must provide the answers and insights that empower others to help meet security goals.
CISO after CISO will tell you that creating a strong, cross-functional “security-aware” culture continues to be their number one priority. To generate this security mindset, leaders must prioritize relationships, acknowledge everyone’s contribution to security and continuously communicate the vital importance of security to achieve overall business objectives.
Hackers can use personal healthcare information to target victims with fraudulent schemes related to their medical history.
A new report from GlobalData estimates that up to 22 million US health records have been breached so far in 2022.
The same report forecasts that spending on cybersecurity in the global healthcare industry will increase by nearly $400 million in the next 3 years.
This increase is sorely needed in a sprawling industry that is so often behind the times in terms of information security. The health care industry is a prime target of ransomware attacks because it stores valuable and confidential information on its customers.
This information includes not only names, dates of birth and medical record numbers but also private health information (PHI), which can include one’s medical history, address, email addresses and social security number.
Using this information, threat actors can design a number of phishing schemes to target patients for further exploitation. Unlike credit card information or personal identification information, medical history cannot be changed, making it much more valuable on the black market.
Over 41 million individuals in the US alone were affected by healthcare data breaches in 2021, according to reports of breaches affecting 500 individuals or more filed with the US Department of Health and Human Services (HHS) Office of Civil Rights.
The largest presently known breach for 2022 so far was the breach at Shields Health Care Group, which affected as many as two million individuals.
Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed.
“Usernames and passwords are insufficient and vulnerable means of authentication on their own; therefore, it is essential to employ strong authentication techniques like multi-factor authentication (MFA) to confirm users’ identities before granting secure access to resources,” Sarah Lefavrais, Product Marketing Manager, Thales states in her recent article. It’s true. Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed to improve security without hindering user convenience.
What is Strong Authentication?
Tech Target states that strong authentication is “any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter.” It is commonly referred to as a way to confirm a user’s identity when passwords are not enough. As Tech Target continues, the European Bank and many that adopt its guidelines state that strong authentication must include “at least two mutually-independent factors” so that the compromise of one will not lead to the compromise of the other. These factors are:
Knowledge – Something the user knows
Possession – Something the user has
Inherence – Something the user is
As Lefavrais states, employing more than one of these measures is needed to ensure that only legitimate users can access applications and services, especially when those applications contain sensitive data such as confidential, personally identifiable information that must be protected.
In IAM strategy, strong authentication methods like MFA and Modern Authentication are quickly replacing traditional methods like passwords. They have become the new gold standard for how IT and security teams enforce access controls and gain visibility into access events, particularly as workloads move to the cloud, to VMs and across remote and hybrid environments.
The IAM Security Boundary
Strong authentication is a critical component of modern-day identity and access management. It not only provides additional layers of security around entry points, but also allows for customizable levels of authentication, authorization and access control throughout your environment, giving users only the permissions (and sign-in requirements) they need. To illustrate that point, we’ll investigate two of the primary methods, MFA and Modern Authentication, in more depth.
Protect against the compromise made possible by weak passwords. With MFA, a password alone is insufficient to grant access, so credential stuffing and brute force attacks are rendered useless.
Reduce identity theft from phishing and other social engineering schemes. Even if you do click on that email and enter a few credentials, if your bank, work VPN, or other access point requires MFA (especially with tokenization, biometrics, or location-based entry), chances are those credentials won’t be enough, and hackers will move on to easier targets.
Certificate-based smart cards and certificate-based USB tokens
Mobile phone and software-based authentication
One Time Password (OTP) authenticators
Pattern-based (or grid) authenticators
Hybrid tokens
Modern Authentication relies on technologies such as FIDO and WebAuthn, contextual authentication and modern federation protocols, which ensure proper user identity and access controls in cloud environments. That means you can implement more effective access security for cloud apps alongside the existing access controls already in place for on-premises and legacy applications. Flexible policy-based access enables a friendly experience while maintaining a high level of security for the roles or resources that require it.
What to Look for in a Strong Authentication Service
When choosing a strong authentication service, be it on-premises or in the cloud, features to consider are:
Policy-based access with the ability to implement conditional access. To optimize the end-user experience while maintaining the best access security for a particular user and application, look for a solution that can enforce a range of authentication methods through policies and risk scoring.
Resistance to phishing. Phishing accounts for roughly a quarter of all data breaches, according to Verizon’s 2021 DBIR. Strong authentication solutions built on FIDO2 can both authenticate users securely and prevent such attacks.
User experience. Do the methods involved create security fatigue, or is it simple to secure multiple-use authentication journeys?
Adaptability and customizability. Can you assign different access controls based on role or asset? What about context, environment, or use case?
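The factor categories listed earlier (knowledge, possession, inherence) and the policy-based, risk-scored step-up described in the feature list above can be put together in a small conditional-access engine. This is an added example, not code from the article or from Thales; the risk signals, weights and thresholds are assumptions chosen to show how a policy picks the required factors per request and why two factors from the same category are not "mutually independent".

```python
"""Policy-based conditional access with risk scoring (added illustration)."""
from dataclasses import dataclass, field

# Factor categories from the article: knowledge, possession, inherence.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "otp": "possession",        # OTP app or token
    "fido2": "possession",      # hardware-bound, phishing resistant
    "smartcard": "possession",  # certificate-based, phishing resistant
    "fingerprint": "inherence",
}
PHISHING_RESISTANT = {"fido2", "smartcard"}


@dataclass
class AccessRequest:
    user_role: str
    resource_sensitivity: str      # "low", "medium" or "high"
    known_device: bool
    new_location: bool
    factors_presented: list = field(default_factory=list)


def risk_score(req: AccessRequest) -> int:
    """Constructed additive score; a real engine would weight real signals."""
    score = {"low": 0, "medium": 2, "high": 4}[req.resource_sensitivity]
    score += 0 if req.known_device else 2
    score += 2 if req.new_location else 0
    score += 2 if req.user_role == "admin" else 0
    return score


def independent_categories(factors) -> set:
    """Two factors only count as independent if they differ in category."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def evaluate(req: AccessRequest) -> dict:
    """Return the decision and the factor requirement the policy derived."""
    score = risk_score(req)
    cats = independent_categories(req.factors_presented)
    # Step-up policy (assumed thresholds): low risk accepts one factor,
    # medium risk needs two independent categories, high risk additionally
    # needs at least one phishing-resistant factor.
    if score <= 1:
        required, ok = "one_factor", len(cats) >= 1
    elif score <= 4:
        required, ok = "two_independent_factors", len(cats) >= 2
    else:
        required = "two_factors_phishing_resistant"
        ok = len(cats) >= 2 and bool(
            PHISHING_RESISTANT & set(req.factors_presented))
    return {"allow": ok, "risk": score, "required": required,
            "categories_seen": sorted(cats)}
```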
Ultimately, you need to ensure your strong authentication provider supports your industry’s identity and access regulations and integrates smoothly with your current identity environment, deploying flexibly and maintaining equilibrium as you transition over. To maintain a risk-based authentication posture, IAM solutions must continue evolving alongside increased digitization demands. When a single lock and key no longer suffice to safeguard the VMs, remote environments, and cloud-based assets of today, we must adopt the access management and strong authentication methods that can.
About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer focusing on encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
Experts warn of hacker claiming access to 50 U.S. companies through breached MSP
Cybersecurity experts are raising concerns about an individual on a hacker forum claiming to have access to 50 American companies through an unnamed managed service provider (MSP).
MSPs are paid to manage IT infrastructure and provide support, typically by smaller organizations lacking their own IT departments. In recent years they have been singled out by cybersecurity agencies as potentially vulnerable access points for hackers to exploit.
Harlan Carvey, senior incident responder at cybersecurity firm Huntress, told The Record that on July 18 someone with the handle “Beeper” had posted in Russian on exploit.in asking for help monetizing access to a managed service provider.
“Looking for a Partner for MSP processing. I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1,000+ servers … I want to work qualitatively, but I do not have enough people,” the translated message said.
“In terms of preparation, only little things are left, so my profit share will be high. Please send me a message for more details and suggestions.”
Several cybersecurity experts have shared the message on Twitter and other social media sites warning of the potential fallout from the kind of access the hacker purportedly has.
Carvey said it appears that the hacker gained access to an MSP’s management system and has already done some of the initial legwork.
“It sounds as if they’re claiming to have done some pre-work, perhaps something like identifying an account with a high privilege level. As a result, anyone who takes them up on their offer isn’t going to have to do much ‘heavy lifting’ to achieve whatever their goals may be,” Carvey said. “It doesn’t appear that there’s any data involved at this point, per se. Intent isn’t clear at this point, and it may depend upon who responds to the ad. The original poster does seem to be offering to answer questions and provide additional details.”
Carvey added that based on the typical customer base he sees for MSPs, personal details, business data and healthcare information could be at risk.
Some online noted that Kansas City-based MSP NetStandard announced on Wednesday morning that their hosted environment had been hit by a cyberattack. The company did not respond to requests for comment but told customers they discovered the attack on Tuesday and are “working to isolate the threat and minimize impact.”
“MyAppsAnywhere services, which include Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint, will be offline until further notice,” the company said.
“At this point, no additional information on the extent of the impact nor time to resolution can be provided. We are engaged with our cybersecurity insurance vendor to identify the source of the attack and determine when the environment can be safely brought back online.”
The cybersecurity authorities of the U.K. (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (FBI, CISA and NSA) warned in May that hackers and APT groups have stepped up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.
Two of the most prominent hacks from the last two years involved popular MSPs – SolarWinds and Kaseya – and caused widespread damage due to the access they have to hundreds of companies and government agencies.
The CISA alert noted that government agencies are aware of reports of an increase in malicious cyber activity targeting MSPs, adding that they “expect this trend to continue.”
“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly.
Managed service providers make attractive targets for malicious actors to scale their attacks. MSPs and their customers should use these recommendations for handling the shared responsibilities of securing sensitive data. https://t.co/pZPluNVLQr
The agencies provided a range of recommendations to MSPs, such as hardening defenses against password spraying and phishing by potential attackers.
Former Obama administration cybersecurity commissioner Tom Kellermann, who now serves as head of cybersecurity strategy at VMware, previously told The Record that cybercrime cartels have studied the interdependencies of financial institutions and have a better understanding of which MSPs are used.
“In turn, these organizations are targeted and hacked to island hop into banks. Rogue nation states love this method of cyber-colonization,” Kellermann explained, referring to an attack that targets a third party in order to gain access to another entity. VMware has found that such attacks have increased 58% over the past year.
“I am concerned that as geopolitical tension metastasizes in cyberspace, these attacks will escalate and Russian cyber-spies will use this stratagem to deploy destructive malware across entire customer bases of MSP,” he said.
State of Cybersecurity 2022, Global Update on Workforce Efforts, Resources and Cyberoperations reports the results of an eighth annual global study that looks at the following topics and more:
What are the top cybersecurity hiring challenges today?
Which cybersecurity skills are in highest demand?
How can companies improve retention?
How are cybersecurity budgets changing?
Which threat vectors are the most concerning?
How frequently are companies conducting cyber risk assessments?
See what your peers have to say and how your organization’s challenges, actions and priorities compare to other companies around the world.
Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.
Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.
Threat actors are tapping the multi-feature nature of messaging apps, in particular their content-creation and program-sharing components, as a foundation for info-stealing, according to new research from Intel 471.
Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.
“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.
Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.
Storing Exfiltrated Data
Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.
Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.
Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers, including Google Chrome, Chromium, Opera, Slimjet and Vivaldi, and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.
Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.
Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Webhooks are similar to APIs in that they simplify the transmission of automated messages and data updates from a victim’s machine to a particular messaging channel.
Blitzed Grabber and two other stealers observed using messaging apps for data storage, Mercurial Grabber and 44Caliber, also target credentials for the Minecraft and Roblox gaming platforms, researchers added.
“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.
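Because the stealers above push data out through Telegram bot commands and Discord webhooks, outbound proxy logs are a natural place to look for them. The following is an added detection example, not Intel 471's code: the log format and the log lines are constructed, and the only signals used are the public URL shapes of Discord webhooks (discord.com/api/webhooks/<id>/<token>) and the Telegram bot API (api.telegram.org/bot<token>/<method>), combined with a non-browser user agent and upload size.

```python
"""Flag outbound POSTs that look like stealer exfiltration via Discord
webhooks or Telegram bots (added example, constructed log format)."""
import re
from collections import Counter

# Constructed proxy log: timestamp client method url user_agent bytes_sent
SAMPLE_LOG = """\
2022-07-20T10:01:02Z 10.0.0.15 POST https://discord.com/api/webhooks/1234567890/abcDEFghi python-requests/2.28 48213
2022-07-20T10:01:05Z 10.0.0.15 GET https://www.example.com/index.html Mozilla/5.0 2048
2022-07-20T10:02:11Z 10.0.0.22 POST https://api.telegram.org/bot123456:ABC-DEF/sendDocument Go-http-client/1.1 90311
2022-07-20T10:03:40Z 10.0.0.31 POST https://discord.com/api/webhooks/9876/xyz Mozilla/5.0 310
2022-07-20T10:04:00Z 10.0.0.22 POST https://api.telegram.org/bot123456:ABC-DEF/sendDocument Go-http-client/1.1 120004
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
DISCORD_WEBHOOK = re.compile(
    r"^https://(?:discord\.com|discordapp\.com)/api/webhooks/\d+/[\w-]+")
TELEGRAM_BOT = re.compile(
    r"^https://api\.telegram\.org/bot\d+:[\w-]+/(?:sendDocument|sendMessage|sendPhoto)")
BROWSER_UA = re.compile(r"^Mozilla/")


def classify(line: str):
    """Return (client, channel, reasons) for a webhook/bot POST, else None.

    reasons lists the extra signals that make the hit worth chasing; an empty
    list means the channel matched but nothing else looked odd."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, url, ua, size = m.groups()
    if method != "POST":
        return None
    if DISCORD_WEBHOOK.match(url):
        channel = "discord_webhook"
    elif TELEGRAM_BOT.match(url):
        channel = "telegram_bot"
    else:
        return None
    reasons = []
    if not BROWSER_UA.match(ua):
        reasons.append("non-browser user agent")
    if int(size) > 10_000:           # assumed threshold for a bulk upload
        reasons.append("large upload")
    return (client, channel, reasons)


def find_exfil_candidates(log_text: str, min_reasons: int = 1):
    """Keep hits with at least min_reasons extra signals and count per client;
    a client posting repeatedly is the strongest lead."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    strong = [h for h in hits if len(h[2]) >= min_reasons]
    return strong, dict(Counter(h[0] for h in strong))
```

Legitimate automation also posts to webhooks, so treat hits as triage leads rather than verdicts and whitelist known integrations before alerting.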