InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022, compared to the year prior. Fake Facebook messages are up 177 percent in the second quarter of 2022 within the same timeframe.
The study by Vade analyzed unique instances of phishing URLs used by criminals carrying out phishing attacks and not the number of phishing emails associated with the URLs. The report tallied the 25 most commonly targeted companies, along with the most abused industries and days of the week for phishing emails.
Phishing By the Numbers
Other top abused brands in phishing attacks include Credit Agricole, WhatsApp, and French telecommunications company Orange. Popular brands also included PayPal, Google and Apple (see chart).
Through the first half of 2022, 34 percent of all unique phishing attacks tracked by the researchers impersonated financial services brands. The next most commonly abused industry is cloud services, led by Microsoft, Google and Adobe. Social media was also a popular target, with Facebook, WhatsApp and Instagram leading the list of brands leveraged in attacks.
The report revealed that the most popular days for sending phishing emails are Monday to Wednesday. Less than 20 percent of malicious emails are sent on the weekend.
"Phishing attacks are more sophisticated than ever," wrote Adrien Gendre, chief tech and product officer at Vade, in an email to Threatpost.
"Hackers have an arsenal of tools at their disposal to manipulate end users and evade email security, including phishing kits that can identify when they are being scanned by a vendor and trigger benign webpages to avoid detection. End users need to be continually trained to identify the latest phishing techniques," he wrote.
Over 5.4 million Twitter users have reportedly been targeted in a major breach of personal data following revelations earlier this year that the site had a serious security flaw.
The security flaw came to light in January, when a user on HackerOne named "zhirinovskiy" pointed out that Twitter was vulnerable to hackers seeking to use information for malicious purposes.
At the time, Zhirinovskiy detailed exactly how to exploit the bug and described it as a "serious threat" even in the hands of those with only a "basic knowledge" of scripting and coding.
Twitter acknowledged the problem five days later and appeared to have fixed the problem a week after that, when it rewarded Zhirinovskiy with a $5,040 bounty for bringing the vulnerability to its attention.
A seller with the username "devil" claims that "Celebrities, to Companies, randoms, OGs, etc" are included in the data set and is asking for at least $30,000, RestorePrivacy says.
A spokesperson from Twitter told Fortune: "We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability."
The spokesperson added that Twitter was "reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question."
Amazon Web Services (AWS) today expanded its portfolio of cloud security tools as part of an ongoing effort to make it simpler to secure application environments running on its infrastructure.
AWS is also making it possible to assign a numeric compliance measurement value to Conformance Packs to make it easier to identify major deviations in security posture and is making available in preview an encrypted collaboration service dubbed AWS Wickr.
CJ Moses, CISO and vice president of security engineering for AWS, reminded conference attendees that they should be encrypting everything in the cloud and that they should only be providing external access to data and applications when required. Organizations should especially block access to cloud storage services, he noted.
The rollout of the latest AWS security services comes at a time of intense focus on cloud security as part of a larger effort to better secure software supply chains after a series of high-profile breaches. In general, cloud platforms are more secure than on-premises IT environments; however, the processes used to build and deploy cloud applications are often problematic and can introduce risk. Developers routinely employ open source tools like Terraform to provision cloud infrastructure and accelerate application development. Most of those developers have limited cybersecurity expertise so, inevitably, mistakes are made. The chronic shortage of cybersecurity expertise means most organizations are not able to keep pace with the rate at which workloads are being deployed in the cloud.
AWS contends its platform is more secure than rival platforms because of what it describes as automated reasoning technology, which employs mathematical logic to, for example, detect entire classes of misconfigurations. As a result, AWS said it is able to empirically prove a cloud environment is secure. The issue organizations encounter is that every cloud service provider expects the organization using its service to take responsibility for both configuring the infrastructure correctly and then securing the applications deployed on it. Developers, unfortunately, tend to assume more automation is being applied to secure workloads.
On the plus side, more organizations are also starting to embrace DevSecOps best practices to make software supply chains more secure. The challenge is that no matter how much time and effort is spent educating developers, there will always be a development team that makes a mistake, and cybercriminals will find a way to exploit it.
Just under a year ago, the US arm of telecoms giant T-Mobile admitted to a data breach after personal information about its customers was offered for sale on an underground forum.
At the time, VICE Magazine claimed to have communicated with the hacker behind the breach via online chat, and to have been offered "T-Mobile USA. Full customer info."
VICE's Motherboard reporters wrote at the time that:
The data include[d] social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.
IMEI is short for International Mobile Equipment Identity, a globally unique serial number burned into your phone when it's manufactured. Because the IMEI is considered a "non-resettable identifier", apps on both Android and iOS are restricted from accessing it unless they have been granted special device management privileges, and developers are instructed to rely on user-resettable identifiers such as advertising IDs when legitimately tracking users and devices. You can view your phone's IMEI by dialling the special phone number *#06#.
Reuters reports that T-Mobile has agreed, in a US federal court in Missouri, to make $350,000,000 available for what are known in America as class-action settlements.
Class actions involve individuals, who would otherwise need to sue individually for impossibly small amounts, banding together with a team of attorneys to bring lawsuits that combine their individual complaints.
Part of the $350 million mega-settlement, says Reuters, is up to $105,000,000 (30% of the total amount) for the lawyers, leaving a slightly less dramatic $245 million for the individuals who joined the suit.
Apparently, more than 75 million people were affected in the breach, though with the standard payout listed by Reuters as $25 per person, it looks as though fewer than 10 million of them decided to sign up to be part of the legal action.
According to Reuters, T-Mobile will also commit to spending "an additional US$150 million to upgrade data security", bringing its total settlement pledge to half a billion dollars.
In return, T-Mobile doesn't have to admit guilt, so this isn't a fine or a criminal penalty; it's a civil agreement to settle the matter.
The settlement still needs approval from the court, something that's expected to happen by the end of 2022.
Cyber insurance matters in a data breach of this size; insufficient coverage can even become a business-limiting factor.
You will fall into one of those levels if your organisation processes fewer than six million card transactions per year.
There are several types of questionnaire, and in this blog we help you understand which one is right for you.
What is a PCI SAQ?
Organisations that are subject to the PCI DSS must demonstrate that they have taken appropriate steps to secure the payment card data that they hold.
There are two ways to do this: with a PCI SAQ or an RoC (report on compliance). Each payment brand (American Express, Discover, JCB, MasterCard and Visa) has its own requirements, so they establish the eligibility criteria for SAQ or RoC.
The PCI SAQ is the less rigorous method and is typically used for organisations that process fewer than six million transactions annually.
Once it's completed, the PCI SAQ is signed off by an officer of the merchant or service provider, validating the organisation's compliance practices.
PCI SAQ types
There are several types of PCI SAQ that apply in certain circumstances. It's essential that organisations choose the correct assessment. They are as follows:
SAQ A
For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants.
It applies where:
The merchant's website is hosted and managed by a PCI-compliant third-party payment processor; or
The merchant's website provides an iframe (inline frame) or URL that redirects customers to a PCI-compliant third-party payment processor.
Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.
SAQ A-EP
For e-commerce merchants that don't receive cardholder data but do control the method through which data is redirected to a third-party payment processor.
It applies where:
The merchant's website creates a payment form and "direct posts" payment data to a PCI-compliant third-party payment processor; or
The merchant's website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website.
SAQ B
For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal.
Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant.
Dial-out terminals are electronic machines that use chip and PIN and swipe cards, or require users to manually key in information. To be eligible for SAQ B, a merchant's standalone dial-out terminal must be connected to a phone line and nothing else.
SAQ B-IP
For merchants that don't store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.
SAQ C-VT
For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
SAQ C
For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet.
To be eligible for SAQ C, a merchant must operate isolated payment application systems that are connected to the Internet and don't store electronic cardholder data.
SAQ D
For those that don't fit into any of the above categories. It is often referred to as "Report on Compliance Light", because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale.
There are separate forms for merchants and service providers.
SAQ P2PE-HW
For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce.
Merchants that use a PCI-validated P2PE (point-to-point encryption) solution and have implemented it successfully are eligible for SAQ P2PE-HW.
Identify the right SAQ with IT Governance
Hopefully you've now identified which SAQ applies to you, but how do you go about completing the form?
That's where our PCI DSS Documentation Toolkit can help. It contains all the template documents you need to ensure complete coverage of your PCI DSS requirements.
All you need do is fill in the sections that are relevant to your organisation.
The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.
The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.
It's fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.
The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation…
…and even though the code is hidden from sight in the file, it can nevertheless sneakily spring into life as soon as you use the file in any way.
Those hidden macros, indeed, can be configured (by the sender, not by the recipient, you understand!) to trigger automatically when the file is opened; to override standard items in Office's own menu bar; to run secondary programs; to create network connections; and much more.
Almost anything, in fact, that you could do with a regular .EXE file, which is the sort of file that few of us would willingly accept via email at all, even from someone we knew, and that most of us would be deeply cautious about downloading from a website we didn't already know and trust.
Fighting back against cybercriminals
Thanks to macros and the hidden programming power they provide, Office documents have been widely used by cybercriminals for implanting malware since the 1990s.
Curiously, though, it took Microsoft 20 years (actually, closer to 25, but we'll be charitable and round it down to two decades) to block Office macros by default in files that arrived over the internet.
As regular Naked Security readers will know, we were as keen as mustard about this simple change of heart, proclaiming the news, back in February 2022, with the words, "At last!"
To be fair, Microsoft already had an operating system setting that you could use to turn on this safety feature for yourself, but by default it was off.
Enabling it was easy in theory, but not straightforward in practice, especially for small businesses and home users.
Either you needed a network with a sysadmin, who could turn it on for you using Group Policy, or you had to know exactly where to go and what to tweak by yourself on your own computer, using the policy editor or hacking the registry yourself.
So, turning this setting on by default felt like an uncontroversial cybersecurity step forward for the vast majority of users, especially given that the few who wanted to live dangerously could use the aforementioned policy edits or registry hacks to turn the security feature back off again.
Apparently, however, these "few" turned out [a] to be more numerous than you might have guessed and [b] to have been more inconvenienced by the change than you might have expected:
Notably, many people using cloud servers (including, of course, Microsoft's own online data storage services such as SharePoint and OneDrive) had got used to using external servers, with external servernames, as repositories that their friends or colleagues were expected to treat as if they were internal, company-owned resources.
Remember that old joke that "the cloud" is really just shorthand for "someone else's computer"? Turns out that there's many a true word spoken in jest.
Organisations that relied on sharing documents via cloud services, and who hadn't taken the appropriate precautions to denote which external servers should be treated as official company sources…
…found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022.
Within 20 weeks, a change that cybersecurity experts had spent 20 years hoping for had been turned off once more:
What to do?
The hows, whys and wherefores of Office macro security are now officially explained in two Microsoft documents:
Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.
A for-hire cybercriminal group is feeling the talent drought in tech just like the rest of the sector and has resorted to recruiting so-called "cyber-mercenaries" to carry out specific illicit hacks that are part of larger criminal campaigns.
Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.
"[A.I.G.] has introduced us to out-of-the-box thinking," Cyberint's Shmuel Gihon wrote in the report.
A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incentivize them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors, each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is that it outsources specific aspects of an attack to "mercenaries" who have no further involvement in the attack.
The report's author, Gihon, said only A.I.G. administrators and the group's leader, dubbed Mr. Eagle, know fully what the campaign will be; they outsource isolated tasks to hired guns based on their skillsets.
Unique Business Model
This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.
"While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services," Gihon wrote.
A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and United Arab Emirates, researchers found.
Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.'s various cybercriminal services, he said.
The spyware developed by Israeli surveillance firm Candiru exploited the recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists.
Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day.
The flaw, which Google fixed on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it is the fourth zero-day patched by Google in 2022.
Most of the attacks uncovered by Avast researchers took place in Lebanon and threat actors used multiple attack chains to target the journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.
In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.
The researchers noticed that the website contained artifacts associated with attempts to exploit an XSS flaw. The pages contained calls to the JavaScript function "alert" along with keywords like "test", a circumstance that suggests the attackers were testing the XSS vulnerability before ultimately exploiting it to inject the loader for a malicious JavaScript from an attacker-controlled domain (i.e. stylishblock[.]com).
This injected code was used to route the victims to the exploit server, through a chain of domains under the control of the attacker.
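As an added illustration (not code from Avast's report or the original post), the following Python script audits a page's script elements for the two artifacts described above: a leftover alert("test") probe left in an inline script, and a loader pulled from a host outside the site's own allowlist. The sample HTML, the trusted host cdn.example-news.test and the attacker placeholder attacker-controlled.invalid are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not the compromised news-agency site). It carries the two
# artifacts described in the text: a leftover alert("test") XSS probe and a loader
# script pulled from an attacker-controlled host. "attacker-controlled.invalid" is a
# placeholder standing in for the attacker's real domain.
SAMPLE_HTML = """\
<html><head>
<script src="https://cdn.example-news.test/js/app.js"></script>
<script>alert("test");</script>
<script src="https://attacker-controlled.invalid/loader.js"></script>
</head><body><h1>Headlines</h1></body></html>
"""

# Hosts this site is allowed to load scripts from (an assumption for the example).
TRUSTED_SCRIPT_HOSTS = {"cdn.example-news.test"}

# alert(...) calls whose argument mentions "test" match the probe pattern Avast noted.
PROBE_PATTERN = re.compile(r"alert\s*\([^)]*test[^)]*\)", re.IGNORECASE)


class ScriptAuditor(HTMLParser):
    """Collects (finding_kind, detail) tuples for every suspicious <script> element."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        src = dict(attrs).get("src")
        if not src:
            return                        # inline script: its body is checked in handle_data
        host = (urlsplit(src).hostname or "").lower()
        if not host:
            return                        # relative src resolves to the page's own origin
        if host not in self.trusted_hosts:
            # External loader from a host the site does not own: the injected loader
            # described above routed victims onward to the exploit server this way.
            self.findings.append(("untrusted-script-src", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data, so the probe check runs here.
        if self.in_script and PROBE_PATTERN.search(data):
            self.findings.append(("xss-probe-artifact", data.strip()))


def audit_page(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Parse one HTML document and return its findings in document order."""
    auditor = ScriptAuditor(trusted_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run against a crawl of your own pages, the two finding kinds separate "someone is probing for XSS here" from "a third-party script has appeared that we never approved".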
Once the victim lands on the exploit server, code developed by Candiru gathers more information about the target system, and the exploit is used to deliver the spyware only if the collected data satisfies the exploit server's checks.
"While the exploit was specifically designed for Chrome on Windows, the vulnerability's potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple's Safari," reads the analysis published by Avast. "We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it's possible that they did."
The zero-day was chained with a sandbox escape exploit, but experts were not able to recover it due to the protection implemented by the malware.
After getting a foothold on the victim's machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day. The malware targets a legitimate signed kernel driver in BYOVD (Bring Your Own Vulnerable Driver) fashion. To exploit the driver, it first has to be dropped to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys); the experts pointed out that this path could be used as an indicator of compromise.
"While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day," concludes the report.
As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPadOS.
But the updates for the older versions of macOS don't include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.
Build your ISO 27001 knowledge and win new business with Advisera's free ISO 27001 online courses. And you can be sure that you chose the right learning partner, since all Advisera's courses are now accredited by ASIC, the internationally respected assurance body for online learning providers worldwide.
The courses' structure is simple:
Modules that cover important topics related to ISO 27001.
Video lectures give you an opportunity to learn from ISO 27001 top experts.
Quizzes teach you how to apply what you have learned through practical examples.
Recap quiz at the end of each module helps you reinforce the acquired knowledge.
You can choose the course based on your specific needs:
ISO 27001 Foundations course: you'll learn about all of the standard's requirements and the best practices for compliance.
ISO 27001 Internal Auditor course: besides the knowledge about the standard, you'll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course: besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course: besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors," David Weston of Enterprise and OS Security at Microsoft announced, just as the company confirmed that it will resume the rollout of the default blocking of VBA macros obtained from the internet.
Brute-forced RDP access and malicious macros have for a long time been two of the most popular tactics used by threat actors to gain unauthorized access to Windows systems.
Minimizing the RDP attack vector
The Windows Account Lockout Policy allows enterprise network admins to set a lockout threshold â a specific number of failed logon attempts â after which a user account will be locked.
Brute-forcing is a method attackers use to take over accounts. Usually automated with the help of a software tool, the attack involves submitting many passwords in a row until the right one is "guessed".
From Windows 11 build 22528.1000 and onwards, the account lockout threshold is, according to Bleeping Computer, set to 10 failed login attempts in 10 minutes, which should make this type of attack harder to pull off.
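To make the new default concrete, the following Python replays failed-logon records against the 10-failures-in-10-minutes threshold and reports which accounts it would lock. It is an added example, not Microsoft code; the records are a constructed, simplified CSV (timestamp, event ID, account, source IP) rather than a real Security log export, and Event ID 4625 is used because that is the Windows "An account failed to log on" event.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not a real Windows Security log export), one record per line:
# "timestamp,event_id,account,source_ip". 4625 = failed logon, 4624 = successful logon.
# alice: 10 failures in under 5 minutes (should lock).
# bob:   10 failures spread one every 3 minutes (never 10 inside any 10-minute window).
# carol: one success, then only 3 failures (below the threshold).
SAMPLE_LOG = """\
2022-07-21T09:00:01,4625,alice,203.0.113.5
2022-07-21T09:00:31,4625,alice,203.0.113.5
2022-07-21T09:01:02,4625,alice,203.0.113.5
2022-07-21T09:01:33,4625,alice,203.0.113.5
2022-07-21T09:02:04,4625,alice,203.0.113.5
2022-07-21T09:02:35,4625,alice,203.0.113.5
2022-07-21T09:03:06,4625,alice,203.0.113.5
2022-07-21T09:03:37,4625,alice,203.0.113.5
2022-07-21T09:04:08,4625,alice,203.0.113.5
2022-07-21T09:04:39,4625,alice,203.0.113.5
2022-07-21T09:05:10,4624,carol,198.51.100.7
2022-07-21T09:10:00,4625,bob,203.0.113.9
2022-07-21T09:13:00,4625,bob,203.0.113.9
2022-07-21T09:16:00,4625,bob,203.0.113.9
2022-07-21T09:19:00,4625,bob,203.0.113.9
2022-07-21T09:22:00,4625,bob,203.0.113.9
2022-07-21T09:25:00,4625,bob,203.0.113.9
2022-07-21T09:28:00,4625,bob,203.0.113.9
2022-07-21T09:31:00,4625,bob,203.0.113.9
2022-07-21T09:34:00,4625,bob,203.0.113.9
2022-07-21T09:37:00,4625,bob,203.0.113.9
2022-07-21T09:40:00,4625,carol,198.51.100.7
2022-07-21T09:41:00,4625,carol,198.51.100.7
2022-07-21T09:42:00,4625,carol,198.51.100.7
"""


def find_lockouts(lines, threshold=10, window_minutes=10):
    """Replay failed-logon records and report when each account would be locked.

    Returns {account: ISO timestamp of the failure that reached the threshold}.
    Only the first lockout per account is recorded and the account's counter is
    then reset, mirroring a locked account that no longer accumulates failures.
    The 10/10 defaults are the Windows 11 values quoted in the text.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # account -> failure timestamps still inside the window
    lockouts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, event_id, account, _source_ip = line.split(",")
        if event_id != "4625":
            continue                      # only failed logons count toward the threshold
        ts = datetime.fromisoformat(ts_text)
        failures = recent[account]
        failures.append(ts)
        while ts - failures[0] > window:  # slide the window: drop failures that are too old
            failures.popleft()
        if len(failures) >= threshold and account not in lockouts:
            lockouts[account] = ts.isoformat()
            failures.clear()
    return lockouts


def lockouts_from_sample(threshold=10, window_minutes=10):
    """Convenience wrapper that evaluates the embedded sample records."""
    return find_lockouts(SAMPLE_LOG.splitlines(), threshold, window_minutes)


if __name__ == "__main__":
    for account, when in lockouts_from_sample().items():
        print(f"{account}: locked out at {when}")
```

Lowering the threshold shows the trade-off the policy makes: at 4 failures bob's slow-and-steady attempts would also be caught, at 10 they slip through, which is why a lockout policy complements rather than replaces monitoring of 4625 volume per source.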
The revelation has set off calls for the control to be backported to older Windows and Windows Server versions, a move that's apparently in the works.
Yes it's being backported
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 21, 2022
Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.
This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.
NFT marketplace warns users of phishing scams
Last month, the world's largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users' email addresses were compromised.
The organisation's head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.
OpenSea has since warned that the information could be used to launch phishing attacks.
"If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement," Hardman said.
"Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts."
OpenSea warned users via an email notification
Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.
Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).
Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.
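As an added example (not OpenSea's or the original post's code), this Python helper classifies the sender domain from a From: header against opensea.io using the two tricks described above, a swapped top-level domain and a misspelt brand label, and goes one step beyond the text by also flagging the brand appearing as a subdomain of an unrelated domain. The header samples are constructed; the two-label split is a deliberate simplification that works for a brand domain like opensea.io but would need a public suffix list for something like example.co.uk.

```python
from email.utils import parseaddr

LEGIT_DOMAIN = "opensea.io"   # the genuine domain named in the advice above


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1, so 'opensae' vs 'opensea' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify_domain(domain, legit=LEGIT_DOMAIN):
    """Return one of: legitimate, tld-swap, lookalike-typo, brand-in-subdomain, unrelated.

    The registrable part is taken to be the last two labels (no public suffix list),
    which is enough for a two-label brand domain such as opensea.io.
    """
    labels = domain.lower().rstrip(".").split(".")
    legit_brand, legit_tld = legit.lower().split(".")
    if len(labels) < 2:
        return "unrelated"
    brand, tld = labels[-2], labels[-1]
    distance = osa_distance(brand, legit_brand)
    if distance == 0:
        return "legitimate" if tld == legit_tld else "tld-swap"   # e.g. opensea.org
    if distance == 1:
        return "lookalike-typo"                                   # e.g. opensae.io
    if legit_brand in labels[:-2]:
        return "brand-in-subdomain"                               # e.g. opensea.io.example.net
    return "unrelated"


def triage_from_header(header_value):
    """Extract the sender domain from a From: header value and classify it."""
    _display_name, address = parseaddr(header_value)
    domain = address.rpartition("@")[2]
    return domain, classify_domain(domain)


# Constructed header samples (none of these are real messages).
SAMPLE_HEADERS = [
    "OpenSea <noreply@opensea.io>",
    "OpenSea Alerts <alerts@mail.opensea.io>",
    "OpenSea Support <support@opensea.org>",
    "OpenSea <help@opensae.io>",
    "OpenSea <verify@opensea.io.example.net>",
    "Alice <alice@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        domain, verdict = triage_from_header(header)
        print(f"{domain:28} {verdict}")
```

Note that the display name ("OpenSea") is ignored on purpose: it is free text the sender controls, so only the address domain is scored.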
In addition to the theft, the cyber criminals shared a phishing link on Beeple's Twitter account that, if clicked, took money directly from their wallets.
Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.
Whereas banks and other regulated trading platforms are required to take steps to protect people's assets, and will typically have proof of unauthorised access, the crypto culture emphasises personal responsibility.
If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.
School district accidentally wires $200,000 to fraudulent bank account
The Floyd County School District in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.
Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.
Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.
Speaking to a local news outlet, the school district said: "Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source."
It added: "We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.
"Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time."
Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.
It's the highest number of phishing attacks that has ever been reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks. By March 2022, it almost doubled, to 384,291.
According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services.
The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).
The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents.
According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).
Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams.
Meanwhile, 18% of BEC messages used email domains owned by the attacker.
The report also found that the average sum that scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about €98,000). This is a significant increase over the previous quarter, in which scammers requested €50,027 (about €58,000) on average.
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it's essential to understand how you might be targeted and what you can do to prevent a breach.
This 45-minute course uses real-world examples like the ones we've discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
Metasploit is the most used penetration testing framework. In this Help Net Security video, Spencer McIntyre, Lead Security Researcher at Rapid7, talks about how Metasploit enables defenders to always stay one step (or two) ahead of the game, and offers a glimpse into the future.
McIntyre is a lead security researcher at Rapid7, where he manages the Metasploit Framework's dedicated research and development team. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019.
Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers, shipped in over 1.5 million vehicles, can be exploited remotely.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning of multiple security vulnerabilities in the MiCODUS MV720 GPS tracker, which is used in over 1.5 million vehicles.
An attacker can exploit the flaws to remotely disrupt critical functions of the affected vehicles.
"CISA has released an Industrial Control Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of the global positioning system tracker," reads the advisory published by CISA. "These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed."
The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.
The flaws were discovered by BitSight researchers and are tracked as CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944; a sixth issue has not yet been assigned a CVE.
BitSight reported that threat actors could exploit the tracker to cut off fuel, physically stop vehicles, or track the movement of vehicles carrying the device.
MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.
CVE-2022-2107 (CVSS score: 9.8): the use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner's mobile number.
CVE-2022-2141 (CVSS score: 9.8): improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
CVE-2022-2199 (CVSS score: 7.5): a cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
CVE-2022-34150 (CVSS score: 7.1): the main web server has an authenticated Insecure Direct Object Reference (IDOR) vulnerability on the "Device ID" parameter, which accepts arbitrary Device IDs without further verification.
CVE-2022-33944 (CVSS score: 6.5): the main web server has an authenticated IDOR vulnerability on the POST parameter "Device ID", which accepts arbitrary Device IDs.
The experts found a sixth issue that has yet to receive a CVE (CVSS score: 8.1): all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password, nor is there any claiming process, and setup does not require a password change before the device can be used. BitSight observed that many users have never changed their passwords.
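Three of the six issues above are the same two server-side mistakes: a Device ID that is trusted once the caller is logged in (the IDORs), and a command path that never asks for a password (the SMS flaw and the unchanged factory default). The following is an added example, not MiCODUS or BitSight code: a toy tracker back end that shows each mistake next to a hardened version of the same handler. The device IDs, owners, the "password,command" SMS syntax and the command names are all assumed for the demo.

```python
import hmac
from dataclasses import dataclass

DEFAULT_PASSWORD = "123456"                              # factory default named in the advisory
COMMANDS = {"locate", "fuel_cutoff", "fuel_restore"}      # assumed command set for the demo


@dataclass
class Tracker:
    device_id: str
    owner: str
    password: str = DEFAULT_PASSWORD
    fuel_cut: bool = False


class TrackerServer:
    """Toy stand-in for the tracker web server and its SMS command path."""

    def __init__(self, trackers):
        self.trackers = {t.device_id: t for t in trackers}

    # Authenticated IDOR: the caller is logged in, but the Device ID it supplies
    # is never checked against the devices that caller actually owns.
    def location_vulnerable(self, user, device_id):
        t = self.trackers[device_id]
        return {"device_id": t.device_id, "owner": t.owner, "fuel_cut": t.fuel_cut}

    def location_hardened(self, user, device_id):
        t = self.trackers.get(device_id)
        if t is None or t.owner != user:
            # one error for "no such device" and "not yours": no Device ID oracle
            raise PermissionError("unknown device")
        return {"device_id": t.device_id, "owner": t.owner, "fuel_cut": t.fuel_cut}

    # SMS commands use an assumed "<password>,<command>" syntax. The vulnerable
    # handler happily runs a bare command text that carries no password at all.
    def sms_vulnerable(self, device_id, text):
        cmd = text.split(",")[-1].strip()
        if cmd not in COMMANDS:
            return "unknown command"
        return self._run(self.trackers[device_id], cmd)

    def sms_hardened(self, device_id, text):
        t = self.trackers.get(device_id)
        pw, sep, cmd = text.partition(",")
        cmd = cmd.strip()
        if t is None or not sep or cmd not in COMMANDS:
            return "rejected"
        # a device still on the factory password must not act on any command,
        # and the supplied password is compared in constant time
        if t.password == DEFAULT_PASSWORD or not hmac.compare_digest(pw, t.password):
            return "rejected"
        return self._run(t, cmd)

    def _run(self, t, cmd):
        if cmd == "fuel_cutoff":
            t.fuel_cut = True
        elif cmd == "fuel_restore":
            t.fuel_cut = False
        return f"{cmd} ok on {t.device_id}"


def default_password_audit(server):
    """Device IDs that never left the factory password (the sixth, un-CVE'd issue)."""
    return sorted(d for d, t in server.trackers.items() if t.password == DEFAULT_PASSWORD)


if __name__ == "__main__":
    srv = TrackerServer([Tracker("dev-1", "alice", "s3cret-pw"), Tracker("dev-2", "bob")])
    print(srv.location_vulnerable("alice", "dev-2"))          # alice reads bob's device
    print(srv.sms_vulnerable("dev-2", "fuel_cutoff"))         # no password needed
    print(srv.sms_hardened("dev-2", "123456,fuel_restore"))   # rejected: factory password
    print(default_password_audit(srv))
```

The hardened lookup returns the same error for a missing device and for someone else's device, so the Device ID parameter cannot be used to enumerate which IDs exist. Refusing commands while the factory password is still set is the server-side counterpart of a forced password change at setup.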
The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.
BitSight recommends that users immediately stop using or disable any MiCODUS MV720 GPS trackers, given the severity of the flaws, at least until the vendor addresses the issues.
"If China can remotely control vehicles in the United States, we have a problem," said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. "With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight's research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life."
The researchers also highlighted the risk that a nation-state actor could exploit these vulnerabilities to gather intelligence on military entities or their suppliers: data such as supply routes, troop movements and recurring patrols could be exposed.
"Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem," concludes the report. "BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk."
Vehicle security is increasingly essential, as thieves keep finding new ways to steal cars and other four-wheeled vehicles. This book describes an anti-theft system that helps car owners secure their vehicles; it is efficient and affordable, and offers advantages over other anti-theft systems. Its main feature is that the owner is notified if the car is being stolen and receives the car's location (latitude and longitude).
Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection.
Palo Alto Networks researchers reported that the Russia-linked APT29 group, which they track as Cloaked Ursa, has started using the Google Drive cloud storage service to evade detection.
The attackers use online storage services to exfiltrate data and to drop their malicious payloads.
The use of legitimate cloud services is not new for this nation-state actor, but the experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive for the first time.
"The ubiquitous nature of Google Drive cloud storage services, combined with the trust that millions of customers worldwide have in them, make their inclusion in this APT's malware delivery process exceptionally concerning," reads the analysis published by Palo Alto Networks. "The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador."
The campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures used in these campaigns indicated that the actor targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional payloads, including a Cobalt Strike beacon.
EnvyScout is a tool used to further infect the target with other implants. The threat actors used it to deobfuscate the contents of the second-stage malware, which is delivered as a malicious ISO file. This technique is known as HTML smuggling.
Threat hunting based on the phishing message's creation time, together with the producer and PDF version metadata of the sample analyzed by Palo Alto Networks, allowed the experts to identify other suspicious documents uploaded to VirusTotal in early April 2022.
"Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents," continues the report.
The Agenda.html file used in the attack deobfuscates a payload and writes a malicious ISO file, Agenda.iso, to the victim's hard drive.
Once the ISO has been downloaded, the user must interact with it for the infection chain to proceed: they double-click the ISO file to mount it, then double-click the shortcut file, Information.lnk, which launches the malicious code on the target system.
"Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of Dropbox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide," concludes the report.
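Because the ISO is assembled inside the browser rather than fetched from a URL, the network sees only an HTML page; the file-writing happens in JavaScript. What a content scanner can look for is the combination of primitives that pattern needs: a large base64 literal, a decode step, a Blob or equivalent, and a download trigger the user never asked for. The following is an added example, not from the Palo Alto Networks report: a heuristic scanner for those indicators, run over a constructed stand-in page that mimics the Agenda.html/Agenda.iso step and over a benign page. The indicator list, the sample pages and the fake payload are all made up for the demo; a real dropper would obfuscate the script and the literal far more.

```python
import base64
import re

# Primitives a smuggling page needs: decode an embedded blob, turn it into a
# file object, and trigger a download without the user choosing to save anything.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
DOWNLOAD_NAME = re.compile(r"download\s*=\s*['\"]([^'\"]+)['\"]")


def scan_html(text):
    """Return indicator hits, any large decodable base64 literals, and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    payloads = []
    for m in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        payloads.append({"size": len(raw), "head": raw[:8]})
    name = DOWNLOAD_NAME.search(text)
    write_primitive = any(h in hits for h in ("blob_ctor", "object_url", "ms_save_blob"))
    return {
        "indicators": hits,
        "payloads": payloads,
        "download_name": name.group(1) if name else None,
        # verdict: an embedded blob, a decode step and a file-writing primitive together
        "suspicious": bool(payloads) and "atob" in hits and write_primitive,
    }


# Constructed sample: a 200-byte stand-in for Agenda.iso. The ISO 9660 "CD001"
# signature is placed at offset 0 only so the head bytes are recognisable here;
# in a real image it sits at offset 0x8001.
FAKE_ISO = base64.b64encode(b"CD001" + b"\x00" * 195).decode()
SAMPLE_HTML = f"""<html><body><script>
var b64 = "{FAKE_ISO}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'Agenda.iso'; a.click();
</script></body></html>"""
BENIGN_HTML = "<html><body><p>Agenda for the upcoming meeting</p></body></html>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(page))
```

The verdict deliberately requires all three ingredients rather than a point score, because each indicator on its own is common in legitimate single-page applications; the large decodable literal is what separates a smuggled file from ordinary client-side code.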
A poor, permanent hire can be a very expensive error, whereas a mis-hire on a virtual CISO can be rapidly corrected.
The cybersecurity challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmaneuver security controls effortlessly.
As technology races forward, companies without a full-time CISO are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.
How a vCISO Works
Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.
The best vCISO engagements are long-term contracts, such as 12 to 24 months. Typically, there’s an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.
What to Expect From a vCISO
When bringing a vCISO on board, it’s important that person has three key attributes: broad and extensive experience in addressing cybersecurity challenges across many industries; business acumen and the ability to rapidly absorb complex business models and strategies; and knowledge of technology solutions and dynamics that can be explored to meet specific organizational needs.
The first thing a vCISO will focus on is prioritization, beginning with understanding a company’s risks. They will then organize actions that provide the greatest positive influence on mitigating these risks while ensuring sustainability in the program. The goal is to establish a security approach that addresses the greatest risks to the business in a way that has staying power and can provide inherent value to additional downstream controls.
Having extensive experience in the technical space, a vCISO can take into consideration the full spectrum of options: those existing within the business environment, established products and services in the marketplace, and new solutions entering the market. Just within that context, a vCISO can collaborate with the technical team to take advantage of existing solutions and identify enhancements that can further capabilities in a cost-efficient manner.
The Value of a vCISO
One of the most common findings is that companies often have a large portfolio of cybersecurity technology, but very little is fully deployed. Additionally, most tech teams are not leveraging all of the capabilities, much less integrating with other systems to get greater value. Virtual CISOs help companies save money by exploiting existing technical investments that dramatically improve security. And, since the improvement is focused on existing tools, the transition for the IT and security staff is virtually eliminated due to established familiarity with the environment.
Another essential value point of a vCISO is access to an informed and well-balanced view on risk and compliance. While cybersecurity is dominated by technical moving parts, the reality is the board, executive leadership, and management team needs to incorporate cyber-risks and related liabilities into the overall scope of risk across the business at an executive level. In this sense, leadership has a vast array of competing challenges, demands, and risks and some can be even more impactful than cybersecurity.
How to Convince the Executive Team
A CEO is under a constant barrage of challenges, problems, risks, and opportunities. Cybersecurity needs to be part of that formula. If one of the core values of having a vCISO is getting meaningful cyber-risk insights, then trust and confidence in that person is paramount and needs to be established from the beginning.
Another challenge is the team dynamic: at the heart of being a CEO is their success as a leader. Introducing what is essentially a consultant can be an adjustment for the team. It’s important that the vCISO hire fits the culture and can easily integrate with everyone on the team including the CIO, CTO, CPO, CRO, etc.
The conversation with the CFO will understandably have a heavy financial tone. For companies debating between a full-time CISO or a vCISO, it’s clear a poor permanent hire can be a very expensive error, whereas a mis-hire on a vCISO can be rapidly corrected.
As organizations continue to come to grips with the byproducts of digitization and new security challenges that often seem insurmountable, a vCISO can be an enormous value. Beyond offering an efficient and cost-effective model, they bring many advantages to businesses with fewer risks than a dedicated resource.
The Tor Project team has announced the release of Tor Browser 11.5, which introduces functionalities to automatically bypass censorship.
The Tor Project team has announced the release of Tor Browser 11.5, a new version of the popular privacy-oriented browser that implements new features to fight censorship.
With previous versions of the browser, circumventing censorship of the Tor network itself was a manual process that required users to dive into the Tor network settings and choose a bridge to unblock Tor.
Censorship of Tor isn't uniform: a pluggable transport or bridge configuration that works in one country may not work elsewhere.
Tor Browser 11.5 implements a new feature called "Connection Assist", which automatically applies the bridge configuration most likely to let users in a given location bypass censorship.
"In collaboration with the Anti-Censorship team at the Tor Project, we've sought to reduce this burden with the introduction of Connection Assist: a new feature that when required will offer to automatically apply the bridge configuration we think will work best in your location for you," reads the announcement published by the Tor Project. "Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent). It manages to do so without needing to connect to the Tor Network first by utilizing moat, the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org."
Connection Assist downloads an up-to-date list of options suited to the user's country; before doing so, the browser asks for the user's consent.
The Tor Project maintainers pointed out that this is only version 1.0 of Connection Assist, and for this reason they invite users to submit feedback to help improve the user experience in future releases.
Another change in version 11.5 is that HTTPS-Only Mode is now enabled by default on desktop, and HTTPS Everywhere is no longer bundled with Tor Browser.
The features above are all for desktop; the announcement also provides updates for Android users, because Tor Browser for Android lags well behind desktop in terms of feature parity.
Since the beginning of the year our priorities for Android have been three-fold:
Start releasing regular updates for Android again
Fix the crashes that many Android users have experienced
Begin catching up with Fenix (Firefox for Android) releases
Producing a deepfake is easy; detecting one is hard. Deepfakes operate on a description of reality rather than reality itself (e.g., a video). Any artifact a system can identify to flag a deepfake can also be removed in a subsequent deepfake creation. This article discusses the art of the deepfake.
This document provides guidance on how operators should assess the security of a vendor's security processes and vendor equipment, and is referenced in the Telecom Security Act Code of Practice.
The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor's equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor's processes and network equipment.
Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox.
"Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system," reads the post published by Microsoft.
"An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions," reads the description of the issue.
An attacker can trigger the flaw with a specially crafted Office document containing malicious macro code that bypasses the sandbox restrictions and executes commands on the system.
The Apple App Sandbox protects system resources and user data by limiting an app's access to the resources it requests through entitlements.
Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.
Microsoft researchers demonstrated that specially crafted code could bypass the sandbox rules. An attacker could exploit the sandbox escape to gain elevated privileges on the affected device or execute malicious commands, such as installing additional payloads.
"We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an "~$" prefix," reads the post. "Our findings revealed that it was possible to escape the sandbox by leveraging macOS's Launch Services to run an open -stdin command on a specially crafted Python file with the said prefix."
The root cause of the issue is this backward-compatibility behaviour, which allows Microsoft Word to read and write files with the "~$" prefix.
The experts first created a PoC macro that launched a shell script with the Terminal app, but it was caught by the sandbox: the dropped file was automatically given the extended attribute com.apple.quarantine, which prevents Terminal from executing it. They then tried Python scripts, but the Python app had similar issues running files carrying that attribute.
In a further attempt, the researchers created a proof of concept (PoC) that used the -stdin option of the open command on a Python file to bypass the com.apple.quarantine restriction: fed through standard input, Python had no way to determine that its input originated from a quarantined file.
"Our POC exploit thus became simply as follows:
Drop a "~$exploit.py" file with arbitrary Python commands.
Run open -stdin="~$exploit.py" -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it's a child process of launchd, it isn't bound to Word's sandbox rules," continues the post.
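The chain above leaves a distinctive process trail: an Office application spawns `open`, the command line names a `~$`-prefixed file as standard input, and the target application is an interpreter. The following is an added example, not Microsoft's code: a detection over constructed endpoint telemetry that looks for exactly that trail. The log format (one JSON object per line with `pid`, `parent`, `image` and `cmdline` fields) is assumed for the demo; real EDR schemas differ, and the parser accepts both the `-stdin=` spelling quoted in the post and a separate-argument form.

```python
import json
import shlex

OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
INTERPRETERS = {"Python", "Terminal", "osascript"}   # -a targets worth flagging


def parse_open_cmd(cmdline):
    """Return (stdin_path, app) for an `open -stdin=<path> -a <app>` command line,
    accepting -stdin/--stdin with or without '='; None when no stdin file is given."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "open":
        return None
    stdin_path = app = None
    i = 1
    while i < len(argv):
        opt = argv[i].lstrip("-")
        if opt.startswith("stdin="):
            stdin_path = opt[len("stdin="):]
        elif opt == "stdin" and i + 1 < len(argv):
            i += 1
            stdin_path = argv[i]
        elif opt == "a" and i + 1 < len(argv):
            i += 1
            app = argv[i]
        i += 1
    return (stdin_path, app) if stdin_path else None


def detect(lines):
    """Alert when an Office app spawns `open` that feeds a ~$-prefixed file to an interpreter."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("parent") not in OFFICE_PARENTS or ev.get("image") != "open":
            continue
        parsed = parse_open_cmd(ev.get("cmdline", ""))
        if parsed is None:
            continue
        path, app = parsed
        if path.rsplit("/", 1)[-1].startswith("~$") and app in INTERPRETERS:
            alerts.append({"pid": ev.get("pid"), "path": path, "app": app})
    return alerts


# Constructed sample telemetry: one event matching the chain, two benign `open` calls.
SAMPLE_LOG = [
    json.dumps({"pid": 501, "parent": "Microsoft Word", "image": "open",
                "cmdline": 'open -stdin="~$exploit.py" -a Python'}),
    json.dumps({"pid": 502, "parent": "Finder", "image": "open",
                "cmdline": "open -a Python notes.py"}),
    json.dumps({"pid": 503, "parent": "Microsoft Word", "image": "open",
                "cmdline": "open https://example.com"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

Word legitimately launching `open` on a hyperlink is common, which is why the rule keys on the `-stdin` file rather than on the parent alone; the `~$` prefix is the part an attacker reusing this technique cannot easily drop, because it is what Word's backward-compatibility path permits writing.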