InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Ransomware is a type of malicious program that demands payment after launching a cyber attack on a computer system. This type of malware has become increasingly popular among criminals, costing organizations millions each year.
Security experts recognise that ransomware is one of the fastest-growing forms of cyber attack. Its prevalence and reach were emphasised when WannaCry, and more recently NotPetya, exploited a flaw in Microsoft’s SMB software and spread rapidly across networks, locking away files.
For a quick guide to ransomware and what you can do to protect your business, download our free infographic.
Researchers reported that threat actors leveraged a new zero-click iMessage exploit to install NSO Group Pegasus on iPhones belonging to Catalans.
Researchers from Citizen Lab have published a report detailing the use of a new zero-click iMessage exploit, dubbed HOMAGE, to install the NSO Group Pegasus spyware on iPhones belonging to Catalan politicians, journalists, academics, and activists.
The previously undocumented zero-click iMessage exploit HOMAGE works in attacks against iOS versions before 13.2.
The experts speculate that the HOMAGE exploit has been in use since the last months of 2019. It involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.
The experts at the Citizen Lab, in collaboration with Catalan civil society groups, have identified at least 65 individuals targeted or infected with spyware. 63 of them were targeted or infected with the Pegasus spyware, and four others with the spyware developed by another surveillance firm named Candiru. The researchers reported that at least two of them were targeted or infected with both pieces of spyware.
Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations; the threat actors also targeted family members.
The researchers also noticed that the content of the bait SMS messages suggests the attackers had access to the targets’ personal information, including their Spanish governmental ID numbers.
“With the targets’ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections. Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.” reads the report published by Citizen Lab.
“We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.”
This isn’t the first time that Catalans were targeted by the NSO Group Pegasus Spyware: Citizen Lab has previously reported “possible cases of domestic political espionage” after detecting infections with the popular surveillance software. Multiple Catalans were targeted with Pegasus through the 2019 WhatsApp attack; at the time the spyware leveraged exploits for the CVE-2019-3568 vulnerability.
The Citizen Lab doesn’t explicitly attribute the attacks to a specific threat actor, but the nature of the targets suggests a link with Spanish authorities. All the targets were of interest to the Spanish government and experts pointed out that the specific timing of the targeting matches events of specific interest to the Spanish government.
“While we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.” concludes the report.
Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will “reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
This is encouraging news. As The National Law Review pointed out, the EU had concerns about the protection of their citizens’ data from U.S. government surveillance. But it may also be the push needed to advance greater data privacy protections in America.
“The joint statement references the U.S. putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available,” said Stephen Bailey of NCC Group in an email comment.
Data Privacy and AppSec
The world runs on apps, so it is necessary to look at how the Trans-Atlantic Data Privacy Framework will impact app development and app security.
“For application developers, the single biggest challenge to complying with increasingly rigorous data protection frameworks is getting control of their data, particularly sensitive and personally identifiable information,” explained Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance.
Today, every new app, whether bought or built, traps data in a silo, which can only be connected through the exchange of copies or point-to-point data integration.
“These copies make it incredibly difficult—and in some cases, even impossible—to support GDPR outcomes like ubiquitous data access controls, portability, custodianship, deletion (the right to be forgotten) and precision auditability: Things that could potentially, although they’re unlikely to, be included in the post-Privacy Shield framework. But they are definitely looming on the horizon both internationally and domestically, for example, in California and Utah,” said McLellan.
As data privacy frameworks become more common and we begin to see more joint efforts internationally, organizations have to think about how they share and store data in the future, taking compliance requirements into greater consideration.
Organizations need to get more serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage, McLellan says. They should be exploring ways now to eliminate data silos and copies that have resulted in rampant data proliferation.
No Quick Fixes
But, as McLellan pointed out, there are no quick fixes. Unwinding years of “an app for everything and a database for every app” mantra will be difficult, and McLellan believes this is best approached in two stages.
Stage One: Immediately treat the symptoms of data proliferation by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent. “They should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps (e.g. Google Analytics), over which they have no control,” McLellan explained. “Organizations should also adopt processes and workflows that help them establish ‘purpose-based’ data access requests.”
Stage Two: Organizations should explore ways to address the root causes of data proliferation. Everyone within the organization’s technology teams—CIO, CDO, application development, data and IT teams—should familiarize themselves with emerging frameworks like zero-copy integration, a framework that is on track to become a national standard in Canada.
“It’s the evolution of privacy-by-design and signals the beginning of the end for application-specific data silos and copy-based data integration. Such frameworks are made possible by new categories of technology, including data fabrics, dataware and blockchain that support ‘zero copy’ digital innovation. Many leading organizations, particularly in finance and health care, are already ahead of the curve in adopting this approach,” said McLellan.
Data protection regulations at home and abroad reflect a burgeoning global trend toward citizens and consumers gaining greater control and ownership of data as its rightful owner.
“These regulatory shifts,” said McLellan, “will need to be met by an equally significant shift in how U.S. businesses manage data and build new applications if there’s any hope to comply with new laws as they’re passed.”
It’s easy to see why: it may be exploited by unauthenticated, remote attackers to breach systems and by attackers that already have access to a system and want to hop on others on the same network. It can also be exploited without the vulnerable system’s user doing anything at all (aka “zero-click” exploitation).
About CVE-2022-26809
CVE-2022-26809 is a remote code execution vulnerability in Microsoft Remote Procedure Call (RPC) runtime and affects a wide variety of Windows and Windows Server versions.
“To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service,” Microsoft said and advised admins to:
Block TCP port 445 at the enterprise perimeter firewall (but be aware that this does not protect systems from attacks from within the enterprise perimeter), and
This mention of SMB is probably what triggered some initial nervousness with security defenders, as it resurfaced bad memories related to the global WannaCry outbreak, which used the EternalBlue exploit to take advantage of vulnerabilities in Microsoft Windows SMB Server.
The infosec community worries about a functional proof-of-concept (PoC) exploit being released publicly soon and making the situation bad for enterprise defenders. There has been some topical online trolling and scam offers, but no PoC yet – and no evidence of covert exploitation.
Mitigation and detection
In the meantime, infosec experts have been augmenting Microsoft’s initial risk mitigation advice with their own:
CVE-2022-26809 Yes, blocking 445 at your network perimeter is necessary but not sufficient to help prevent exploitation. If by April 2022 you STILL have SMB exposed to the broader internet you've got some soul searching to do. Now, about those hosts already inside your network… pic.twitter.com/jS8fPrv8E2
Please remember: Port 445 is just ONE of the ports that may reach #RPC (CVE-2022-26809) on Windows. #MSRPC does Port 135 (and high port) or in some cases HTTP as well. Don't "close some ports" but "only open ports you need open". #allowlist #dontblocklist
Akamai researchers have shared their own analysis of Microsoft’s patch, which provides additional insight about the origin of the flaw, and Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, published a post summarizing the danger CVE-2022-26809 poses and reiterated that patching is the only real fix for this vulnerability.
“You can’t ‘turn off’ RPC on Windows if you are wondering. It will break stuff. RPC does more than SMB. For example, you can’t move icons on the desktop if you disable RPC (according to a Microsoft help page),” he explained, and noted that exploitation detection may be hard.
“I have no idea when we will see a working exploit, but I hope we will have until next week,” he concluded.
Editor’s Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. “I had no success really,” said its founder, who goes by the online moniker smelly_vx.
But over the last couple of years, the site’s popularity has soared thanks in part to its robust Twitter presence that mixes breaking cybersecurity news with memes. The site now bills itself as “the largest collection of malware source code, samples, and papers on the internet,” with about 35 million samples overall.
vx-underground operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the site’s goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.
Dmitry Smilyanets: I would like to start from the very beginning — please introduce yourself.
smelly_vx: Hi. I am “smelly__vx”. I am the creator of vx-underground and the guy who runs/maintains a good portion of vx-underground’s website and the vx-underground Twitter account.
I am in my early 30s. I have a wife. I have a dog. I don’t think I can say anything else which is interesting or important.
DS: Tell me about the site’s background — how did it start, how did you build it into what it is today?
VX: About vx-underground — it was created to act as the successor to the legendary vxHeaven (created by the Ukrainian dude herm1t). When I was a teenager I discovered vxHeaven and learned tons from it. It was an invaluable asset. Around 2017 or so, when I was a software engineer, I got tired of writing malware (as a hobbyist) by myself.
I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, “Well, if you miss it so much, why don’t you make your own?” I thought this was a good idea — why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development, I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts, I had been a “lone wolf” for nearly a decade at this point — I was a “nobody.” However, I decided this shouldn’t be a restraining factor so I bought some random bullshit hosting, purchased the domain name ‘vx-underground’ and got to work.
I officially made vx-underground in May 2019. I had no success really, I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.
Unsurprisingly, in October 2019, vx-underground was banned from a lot of web hosts. I had places which housed neo-Nazis, pornography, and gambling, deny my hosting.
Nobody wanted to house malware samples, the only way I was going to get the ability to house malware samples was if I had become a company, and did paperwork and all sorts of bullshit. I did not like this idea. Luckily, and to my surprise, the people over at ThugCrowd introduced me to a group of people behind TCP.DIRECT. They also liked the idea of a new vxHeaven, as the main group of people behind it also had been on the vxHeaven forums ages ago. They assisted me with hosting, handling the web security, etc. This was very beneficial for me because, as TCP.DIRECT will confirm, I am a complete idiot with anything system administrative/web security related.
Following this introduction to TCP.DIRECT, vx-underground had essentially zero restraint. I was able to upload malware samples, malware papers, malware source code, etc. as much as I liked. The only thing I had to do then was add content and be consistent. Along the way I met a guy from the [Commonwealth of Independent States], Neogram, who assisted me with Russian translations and giving me a (metaphorical) tour of the CIS malware scene. This expanded my horizon and gave vx-underground better insight into current malware trends.
All of this happened very quickly, this ‘story’ encapsulates what happened between August 2019 and December 2019.
DS: What are your mission and goals?
VX: I don’t know. vx-underground is a library, our goal is basically to… collect malware samples, papers, and code? It exists and that is it. The closest thing to a ‘goal’ we have is simple: “more papers, more samples, more code.” It is as simple as that.
DS: Are you financially motivated? How do you monetize your work? Is it lucrative?
VX: No, we are not financially motivated. vx-underground is fueled by passion and love for the ‘game.’ In 2021 vx-underground made $13,000 all from donations. Every time I tell people vx-underground does not make money I am always greeted with shock and surprise. It appears people are unable to comprehend someone would do something for passion rather than financial gain. This is disappointing.
vx-underground is now in the process of becoming a non-profit. We will be a 501(c)(3) non-profit educational institute for computer malware education, literacy, and advancement (offensively and/or defensively).
Cybersecurity experts would have you believe that your organization’s employees have a crucial role in bolstering or damaging your company’s security initiatives.
While you may disagree, data breach studies show that employees and negligence are the most typical causes of security breaches, yet these prevalent issues are least discussed.
According to a recent industry report from Shred-It, an information security provider, 47% of top business executives believe that employee error, such as the inadvertent loss of a device or document, has resulted in a data breach within their company. According to another study by CybSafe, human errors have been responsible for over 90% of data breaches in 2020.
It’s no secret that companies of all sizes increasingly feel the sting of cybercriminals exploiting vulnerabilities in remote and hybrid working environments. However, little to no effort is made toward strengthening defenses. Now is the moment to train your personnel on security best practices, if you haven’t already.
As a result of inadequate security measures, customers have long suffered the most. However, the stakes for employees and their businesses are higher than ever this year. Experian predicts 2022 will be a hangover from the “cyberdemic” of 2021, making it crucial to stay ahead by designing a cybersecurity training program for employees and strengthening defenses.
Developing a cybersecurity training program requires knowing where the blind spots are. While there are numerous approaches to promoting a more cyber secure workplace, here are the most common and effective ways:
Trick Employees via a Phishing Campaign
You can test your employees’ ability to distinguish authentic email content from fraudulent attachments by mass spear-phishing them. Employees who fall for the phishing email are the ones you need to be extra careful about.
They might be the ones that eventually end up disclosing a company’s valuable digital assets. Once you have the data, you may measure the entire risk to your network and build remedies from there using custom reporting metrics.
Customize Your Security Training
All employees, irrespective of their designation or job role, should be a part of the security training. However, employees who fell for the spear-phishing campaign are the ones you need to observe and invest your security training into.
When delivering cybersecurity training, stress the importance of the training as an exercise that can also be applied elsewhere. Employees will be more inclined to utilize secure procedures at work if they do so at home on their computers and phones.
Incentivize the Security Training
Nothing motivates an employee more than being rewarded for their performance. Set up metrics and determine the level of participation, enthusiasm, and cybersecurity knowledge an employee obtains via quizzes or cross-questions. Employees who follow best practices should be rewarded, and others should be encouraged to improve their cybersecurity habits.
Cover Cybersecurity Topics
Engage your employees by introducing cybersecurity topics and certifications. Employees new to the cybersecurity realm would greatly benefit from relevant courses and learnings that might augment their skills and shine bright on their resumes.
Social media platforms are riddled with short instructional videos, which can be a great source of learning for those struggling to complete cybersecurity courses and manage work simultaneously.
Introduce Data Privacy Laws
Data privacy laws have been here for a while. However, they have recently received recognition after the EU introduced the General Data Protection Regulation (GDPR) in 2016, which came into force in 2018.
Most employees don’t know much about data protection laws or don’t know them altogether. It’s crucial to educate employees regarding existing and upcoming data protection laws and how they impact the business. According to MediaPro, a multimedia communications group, 62% of employees were unsure if their company must comply with the California Consumer Privacy Act (CCPA).
Integrating data privacy laws and regulations within cybersecurity training is crucial. While employees do not need to be compliance specialists, they should have a fundamental understanding of their company’s privacy policies, data handling procedures, and the impact of data privacy laws on their organization.
Address Security Misconceptions
Massive data breaches and ingenious hackers have muddied the waters of what is and isn’t possible when carrying out a cyberattack, making it challenging for novice security personnel to tell the difference between facts and made-up security misunderstandings.
Lack of understanding and misconceptions make matters worse as employees tend to become too concerned about non-existent or misunderstood risks while being less concerned about real ones. That begs the question: Are employees taking cybersecurity seriously, or will they be a liability rather than an asset?
To move forward, begin by designing a survey that starts with the basic cybersecurity knowledge and distributing it across the organization. The survey could contain questions such as:
What is cybersecurity?
Why is cybersecurity important?
Do employees lock their devices and keep strong alphanumeric passwords for online accounts?
Do employees connect to a secure Wi-Fi network provided by the company? etc.
The results will demonstrate the current knowledge base within the organization and whether the employees take cybersecurity seriously.
Discovering the loopholes within your organization is one thing, but a cybersecurity training program tailored only to patch those specific weaknesses might not be enough. Keep a strategy that also accounts for zero-day attacks to limit any damage. As an individual entrusted with developing a training program, you should know that you need a long-term solution to the existing problem.
Humans have always been the weakest link in the cybersecurity chain, and human errors will only escalate despite the depth of training given. That leaves organizations in a tough spot and struggling to meet compliance requirements.
Understand the Consequences of Inadequate Security Training
Training just for the sake of training will not benefit anyone. Employees need to dedicate their hearts and minds to the training, and continuous sessions should take place so that employees always stay current with the latest happenings and privacy frameworks. Poor training may further confuse employees, which may also draw additional dangers.
With Securiti data privacy automation tools, you can reduce or eliminate reliance on employees and move towards a more modern and error-free framework.
With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.
Gone are the days when phones were only used to make phone calls and send text messages; nowadays, smartphones are more akin to a pocket-sized version of a high-functioning microcomputer that can perform a wide range of functions aside from communications. Android phones are essentially a sub-category of smartphones running the Android operating system, which allows their features to function effectively. Today, virtually everybody owns a smartphone, especially the prevalent Android versions. More advanced versions of these phones are released yearly with newer innovations and improved operating systems to enhance user experience. It’s simply a cutting-edge technology that we can’t get enough of.
Nowadays, Android phones are quickly becoming a must-have gadget because they are used to perform virtually all everyday functions, from communication, advertising, and marketing to entertainment. They also serve as a means of accessing information through social media and can be used for a wide variety of other functions like taking high-quality pictures, watching movies, typing documents, etc.
Overall, technology has truly revolutionized our daily lives, and the introduction of smartphones made it easier and faster for us to access information and communicate with greater ease. However, aside from the numerous conventional functions that we use our Android phones for, there is a long list of hidden features, tricks, shortcuts, and quick hacks that you can take advantage of with your Android phone.
In this article, we will discuss some of the Android tips and tricks for getting the most from your phone.
The US government agencies warned of threat actors that are targeting ICS and SCADA systems from various vendors.
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) to warn of offensive capabilities developed by APT actors that could allow them to compromise multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
Schneider Electric programmable logic controllers (PLCs),
OMRON Sysmac NEX PLCs, and
Open Platform Communications Unified Architecture (OPC UA) servers.
According to the advisory that was issued with the help of leading cybersecurity firms (Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric), nation-state hacking groups were able to hack multiple industrial systems using a new ICS-focused malware toolkit dubbed PIPEDREAM that was discovered in early 2022.
“APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices” reads the advisory.
“The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.”
The toolkit could allow attackers to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
Threat actors can also leverage a tool to install and exploit a known-vulnerable ASRock-signed motherboard driver (“AsrDrv103.sys”) by triggering the CVE-2020-15368 flaw to execute malicious code in the Windows kernel. The tool could be used to move laterally within an IT or OT environment and interfere with devices’ operation.
Researchers from Dragos shared a detailed analysis of the new PIPEDREAM toolkit confirming that it has yet to be employed in attacks in the wild.
“PIPEDREAM is the seventh known ICS-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.” reads the report published by Dragos. “Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects. This is a rare case of accessing and analyzing malicious capabilities developed by adversaries before their deployment and gives defenders a unique opportunity to prepare in advance.”
Mandiant, which tracks the toolkit as INCONTROLLER, also published a detailed analysis warning of its dangerous cyber attack capability.
“The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.” reads the analysis published by Mandiant. “INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017;”
The joint report also included the following recommendations for all organizations with ICS/SCADA devices:
Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
Implement robust log collection and retention from ICS/SCADA systems and management subnets.
Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
Ensure all applications are only installed when necessary for operation.
Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator commands, as signs of potential malicious activity.
Monitor systems for loading of unusual drivers, especially the ASRock driver if no ASRock driver is normally used on the system.
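The backup recommendation above (hash and integrity-check firmware and controller configuration files so that a known-good backup really is known-good) can be made concrete as a signed manifest. What follows is an added example, not code from the joint advisory or from any vendor. The directory layout, file names and signing key are constructed for illustration, and the design assumes the manifest key is kept offline with the backup custodian: an intruder who can alter a backup can usually also rewrite a plain hash list sitting next to it, so the list itself is authenticated.

```python
"""Known-good manifest for ICS backup files: hash every file, authenticate
the manifest, and later report exactly what drifted.

Added example; not from the CISA/FBI/NSA/DOE advisory. The sample tree,
file names and key are constructed. The key belongs offline with the
backups' custodian, never on the engineering workstation being protected.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 (firmware images can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """{relative posix path: sha256} for every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def _canonical(entries):
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries, key):
    """HMAC the canonical manifest so the hash list cannot be silently edited."""
    return {"files": entries, "mac": hmac.new(key, _canonical(entries), "sha256").hexdigest()}


def verify_manifest(root, signed, key):
    """Check the manifest MAC first (a tampered hash list proves nothing),
    then classify every file as ok / modified / missing / unexpected."""
    mac = hmac.new(key, _canonical(signed["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(mac, signed["mac"]):
        raise ValueError("manifest MAC mismatch: the manifest itself was altered")
    expected, actual = signed["files"], build_manifest(root)
    return {
        "ok": sorted(p for p in expected if actual.get(p) == expected[p]),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Baseline a constructed backup tree, then simulate drift before restore."""
    key = b"constructed-offline-custodian-key"  # placeholder, not a real secret
    sample = {
        "plc-01/config.bin": b"\x01\x02\x03 controller configuration",
        "plc-01/firmware.bin": b"firmware image v1.0",
        "hmi/project.xml": b"<project/>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        signed = sign_manifest(build_manifest(root), key)

        # Simulated drift: one file appended to, one removed, one added.
        with open(os.path.join(root, "plc-01/config.bin"), "ab") as f:
            f.write(b"<-tampered")
        os.remove(os.path.join(root, "hmi/project.xml"))
        with open(os.path.join(root, "plc-01/notes.txt"), "wb") as f:
            f.write(b"not part of the baseline")
        return verify_manifest(root, signed, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything in the "modified" or "missing" lists means the backup is not the one that was baselined and should not be restored to a controller until the discrepancy is explained; "unexpected" files are worth the same scrutiny, since a restore procedure that copies a whole directory will ship them too.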
This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector.
Open source is everywhere, it’s in everything, and everyone is using it. It is safe to say that almost any solution with a web server or a web client uses open source.
The alternative to leveraging the knowledge and experience of open source implementations is to write software from scratch, but “reinventing the wheel” can be costly – both in terms of resources and time.
Open source offers a competitive advantage and it’s mostly free, but in 40 years, a solid, sustainable model to support the majority of open source projects still hasn’t been found.
The China-linked Hafnium APT group has started using a new piece of malware to gain persistence on compromised Windows systems.
The China-backed Hafnium cyberespionage group is likely behind a new piece of malware, dubbed Tarrask, that is used to maintain persistence on compromised Windows systems, Microsoft Threat Intelligence Center (MSTIC) experts reported.
HAFNIUM primarily targets entities in the United States across multiple industries, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.
Microsoft Threat Intelligence Center (MSTIC) highlighted the simplicity of the technique employed by the Tarrask malware that creates “hidden” scheduled tasks on the system to maintain persistence.
Registering a scheduled task creates new registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, and Tarrask relies on that structure:
“The first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.” reads the post published by Microsoft.
In the attack analyzed by Microsoft, the nation-state actors created a scheduled task named ‘WinUpdate’ via HackTool:Win64/Tarrask to re-establish any dropped connections to the C2 servers.
The attackers then deleted the SD (Security Descriptor) value within the Tree registry path. The security descriptor defines the access controls for running the scheduled task.
The trick consists of erasing the SD value from the Tree registry path, which makes the task invisible to the Windows Task Scheduler and to the schtasks command-line utility. The only way to see the task is to inspect the registry directly, for example with Registry Editor.
The experts pointed out that executing a “reg delete” command to delete the SD value will result in an “Access Denied” error even when run from an elevated command prompt. The only way to delete the SD value is to execute the command within the context of the SYSTEM user. For this reason, the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process.
“The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.” concludes the report. “As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”
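One way to hunt for tasks hidden this way is to walk the Tree subkeys and flag task entries that have no SD value. The script below is an added example, not Microsoft's detection logic. It parses a text export of the TaskCache key (the format `reg export` writes) so it can run offline against a dump collected from a suspect host; the export it ships with is constructed and contains one benign task and one hidden 'WinUpdate' task. The registry paths are the real locations; the one assumption the check relies on is that a Tree subkey is a task entry only when it carries an Id value, since the folder keys (Tree\Microsoft, Tree\Microsoft\Windows, ...) carry an SD but no Id.

```python
"""Find scheduled tasks hidden the Tarrask way: a Tree subkey whose SD
(security descriptor) value has been removed.

Added example, not Microsoft's code. It works on a .reg text export of the
TaskCache key; on a live host the same logic applies to the registry itself.
The export below is constructed: ScheduledDefrag keeps its SD, WinUpdate lost it.
"""
import re

TASKCACHE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
TREE = TASKCACHE + r"\Tree"
TASKS = TASKCACHE + r"\Tasks"

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft]
"SD"=hex:01,00,04,80,14,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag]
"Id"="{11111111-2222-3333-4444-555555555555}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,78,00,00,00,88,00,00,00,00,00,00,00,14,00,00,00,02,00,\
  64,00,04,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WinUpdate]
"Id"="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
"Index"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"Path"="\\WinUpdate"
"Author"="Administrator"
"Actions"=hex:03,00,0c,00,00,00,41,00,75,00,74,00,68,00,6f,00,72,00
"Triggers"=hex:17,00,00,00,00,00,00,00
"""

# "Name"=data  or  @=data  (default value)
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key path: {value name: raw data}} from a .reg export.
    Long hex values wrap onto lines ending in a backslash; those are joined."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else m.group(1)
            keys[current][name] = m.group(2)
    return keys


def reg_string(raw):
    """Unquote a REG_SZ value as reg export writes it (doubled backslashes)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\").replace('\\"', '"')


def find_hidden_tasks(keys):
    """Task entries under Tree (those with an Id; folder keys have none) that
    have no SD value, joined to their Tasks GUID key for context."""
    hidden = []
    for path, values in keys.items():
        if not path.startswith(TREE + "\\") or "Id" not in values:
            continue
        if "SD" in values:
            continue  # normal task: visible to schtasks and Task Scheduler
        guid = reg_string(values["Id"])
        task = keys.get(TASKS + "\\" + guid, {})
        hidden.append({
            "task": path[len(TREE):],
            "id": guid,
            "path": reg_string(task.get("Path", "")),
            "has_actions": "Actions" in task,
            "has_triggers": "Triggers" in task,
        })
    return hidden


if __name__ == "__main__":
    for finding in find_hidden_tasks(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

A hit from this check is not proof of Tarrask on its own, but a task entry with Actions and Triggers and no SD is not something the Task Scheduler service creates by itself, so each one deserves a look at the Actions blob and at who could have run as SYSTEM on that host.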
Researchers at healthcare cybersecurity company Cynerio just published a report about five cybersecurity holes they found in a hospital robot system called TUG.
TUGs are pretty much robot cabinets or platforms on wheels, apparently capable of carrying up to 600kg and rolling along at just under 3km/hr (a slow walk).
They’re apparently available in both hospital variants (e.g. for transporting medicines in locked drawers on ward rounds) and hospitality variants (e.g. conveying crockery and crumpets to the conservatory).
During what we’re assuming was a combined penetration test/security assessment job, the Cynerio researchers were able to sniff out traffic to and from the robots in use, track the network exchanges back to a web portal running on the hospital network, and from there to uncover five non-trivial security flaws in the backend web servers used to control the hospital’s robot underlords.
In a media-savvy and how-we-wish-people-wouldn’t-do-this-but-they-do PR gesture, the researchers dubbed their bugs The JekyllBot Five, dramatically stylised JekyllBot:5 for short.
Despite the unhinged, psychokiller overtones of the name “Jekyllbot”, however, the bugs don’t have anything to do with AI gone amuck or a robot revolution.
The researchers also duly noted in their report that, at the hospital where they were investigating with permission, the robot control portal was not directly visible from the internet, so a would-be attacker would have already needed an internal foothold to abuse any of the bugs they found.
Unauthenticated access to everything
Nevertheless, the fact that the hospital’s own network was shielded from the internet was just as well.
With TCP access to the server running the web portal, the researchers claim that they could:
Access and alter the system’s user database. They were apparently able to modify the rights given to existing users, to add new users, and even to assign users administrative privileges.
Snoop on trivially-hashed user passwords. With a username to add to a web request, they could recover a straight, one-loop, unsalted MD5 hash of that user’s password. In other words, with a precomputed list of common password hashes, or an MD5 rainbow table, many existing passwords could easily be cracked.
Send robot control commands. According to the researchers, TCP-level access to the robot control server was enough to issue unauthenticated commands to currently active robots. These commands included opening drawers in the robot’s cabinet (e.g. where medications are supposedly secured), cancelling existing commands, recovering the robot’s location and altering its speed.
Take photos with a robot. The researchers showed sample images snapped and recovered (with authorisation) from active robots, including pictures of a corridor, the inside of an elevator (lift), and a shot from a robot approaching its charging station.
Inject malicious JavaScript into legitimate users’ browsers. The researchers found that the robot management console portal was vulnerable to various types of cross-site scripting (XSS) attack, which could allow malware to be foisted on legitimate users of the system.
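To show why the password-hash finding matters, here is an added example (not the vendor's code, nor Cynerio's) contrasting the portal's scheme, a single unsalted MD5 per password, with a per-record salt and an iterated KDF. The wordlist and the 'leaked' records are constructed. The point it demonstrates: against unsalted MD5 the attacker does no hashing at all, just a table lookup built once for every victim, while against salted PBKDF2 each guess costs a full KDF run and nothing carries over from one user's record to the next.

```python
"""Unsalted single-round MD5 versus a salted, iterated KDF for stored passwords.

Added example; not code from the TUG vendor or from Cynerio. The wordlist and
the leaked records are constructed for illustration.
"""
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "welcome1", "hospital", "Summer2021", "admin"]

# Constructed "leak": what the unauthenticated request returned per user.
LEAKED_UNSALTED = {
    "nurse1": "5f4dcc3b5aa765d61d8327deb882cf99",    # md5("password")
    "pharmacy": "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "admin": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),  # not in the wordlist
}


def precompute_md5_table(candidates):
    """One MD5 per candidate, computed once and reusable against every victim."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def crack_unsalted(leaked, table):
    """leaked: {user: md5hex}. Recovery is a dictionary lookup; no hashing."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password, salt=None, iterations=210_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt stored beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guess_salted(stored, candidates):
    """Offline guessing against one salted record: every candidate costs a
    full KDF run, and the work done here helps with no other user's record."""
    kdf_calls = 0
    for cand in candidates:
        kdf_calls += 1
        if verify_password(cand, stored):
            return cand, kdf_calls
    return None, kdf_calls


if __name__ == "__main__":
    table = precompute_md5_table(COMMON_PASSWORDS)
    print("unsalted MD5, recovered by lookup:", crack_unsalted(LEAKED_UNSALTED, table))
    stored = hash_password("hospital", iterations=100_000)
    print("salted record found in the precomputed table?", stored in table)
    print("per-record guessing (password, KDF runs):", guess_salted(stored, COMMON_PASSWORDS))
```

The iteration count is what makes the second path expensive; a purpose-built password hash (bcrypt, scrypt, Argon2) is the usual choice in practice, and PBKDF2 is used here only because it is in the standard library.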
The modern realities of cybersecurity have uncovered the unpreparedness of many sectors and industries to deal with emerging threats. One of these sectors is the healthcare industry. The pervasiveness and proliferation of online innovation, systems, and applications in global healthcare have created a threat domain wherein policy and regulation struggle to keep pace with development, standardization faces contextual challenges, and technical capacity is largely deficient.
It is now urgent that healthcare professionals know the most relevant concepts and fundamentals of global cybersecurity related to eHealth. Cybersecurity for eHealth: A Practical Guide for Nontechnical Stakeholders and Healthcare Practitioners uses both a rigorous academic and practical professional approach in covering the essentials of cybersecurity. The book:
Distills foundational knowledge and presents it in a concise manner that is easily assimilated
Draws lessons from real-life case studies across the global healthcare industry to drive home complex principles and insights
Helps eHealth professionals to deal more knowledgeably and effectively with the realities of cybersecurity
Written for healthcare professionals without a background in the workings of information and communication technologies, the book presents the basics of cybersecurity and an overview of eHealth. It covers the foundational concepts, perspectives, and applications of cybersecurity in the context of eHealth and traverses the cybersecurity threat landscape to eHealth, including:
Threat categories, agents, and objectives
Strategies and approaches deployed by various threat agents
Predisposing risk factors in cybersecurity threat situations
Tools and techniques to protect against cybersecurity incidents
An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials. Although there’s some suggestion that it might have been QuaDream—a similar Israeli spyware firm.
Commissioner for Justice Didier Reynders (pictured) seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months ago—by Apple.
But who ordered the hack? Might it have been the French government? In today’s SB Blogwatch, we’re shocked—SHOCKED—to discover un peu d’espionnage fratricide.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.
“Remotely and invisibly take control of iPhones” Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. … At least four other [Justice and Consumers] commission staffers were also targeted. … The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were “targeted by state-sponsored attackers.” … The warnings triggered immediate concern at the commission. … A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: … “Given the nature of your responsibilities, you are a potential target.” … Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.
“Comes at potentially the worst possible time” It’s not totally clear why these officials were targeted or who used the malware against them. … NSO has denied that it had any involvement. … Reuters also reached out to QuaDream … but did not get any sort of comment or response. … The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. … NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed by … WhatsApp, [which] sued NSO in October of 2019 after the surveillance firm’s malware was allegedly discovered on some 1,400 users’ phones. … The company is also currently battling another lawsuit from Apple filed last November on similar grounds.
“Use of surveillance software” The discovery of the misuse of NSO Group’s tools certainly doesn’t help the company’s profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latter’s acquisition of NSO Group tools. … Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.
The European Union, huh? FOHEng thinks this should be a teachable moment:
Many of these same EU people think The App Store should be forced to open, increasing the vectors for … exploits to make it into devices. They’re as stupid as some US Senators, who aren’t allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional. … Third party stores with Apps being vetted for security? An oxymoron if ever there was one. … You think iOS third party stores are going to somehow be secure and Apps checked?
“No big deal until it happens to me.” This story has been unfolding slowly for years, yet these EU officials didn’t seem too bothered until Apple notified them about their phones being hacked. … Thanks for all the concern.
But what of Apple in all this? Heed the prognostications of Roderikus:
More fines for offering a platform that is basically compromised while being marketed as “safe.”
However, mikece is triggered by a certain word in the Reuters hed:
Throwing the adjective “Israeli” into the title is misleading as it suggest the state of Israel is somehow involved. … Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.
Yet we’ve still not dealt with the “who” question. For this, we turn to Justthefacts:
CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. … Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.
The target was the European Justice Minister from 2019 onwards. He doesn’t have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So it’s either France, Greece, Netherlands, Poland.
If you have a look at the heat-map produced by CitizenLab, it’s the French government snooping on the EU. What were you expecting?
Nor the “why”: What else do we know about the named victim? ffkom ffills us in: [You’re ffired—Ed.]
Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like “Safe Harbour” and “Privacy Shield,” … knowing those were contradicting EU law … and not worth the paper they were written on. He, personally, is also responsible for not enforcing … GDPR. … It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizen’s data.
In this video for Help Net Security, Paul Calatayud, CISO at Aqua Security, talks about cloud native security and the problem with the lack of understanding of risks to this environment.
A recent survey of over 100 cloud professionals revealed that businesses often lead the charge into the cloud: they see the opportunity and move forward, but as more and more critical compute finds its way into these cloud environments, the security teams start to take notice. Often too late, though.
The survey shows that the awareness is starting to become a problem, and the risks are not fully understood. Organizations need to get ahead of these things. To be able to apply a good cloud native security strategy, understanding the risks is imperative.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
A remote attacker with unprivileged credentials can exploit the CVE-2022-23176 vulnerability in WatchGuard Firebox and XTM appliances to access the system with a privileged management session via exposed management access.
The vulnerability is actively exploited by the Cyclops Blink botnet operated by the Russia-linked Sandworm APT group. Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.
Cyclops Blink is believed to be a replacement for the VPNFilter botnet, which was first exposed in 2018 and at the time was composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.
The Cyclops Blink malware has been active since at least June 2019, it targets WatchGuard Firebox, Small Office/Home Office (SOHO) network devices, and ASUS router models.
WatchGuard published instructions on how to restore compromised Firebox appliances. The company also developed and released a set of Cyclops Blink detection tools, as well as a 4-Step Cyclops Blink Diagnosis and Remediation Plan to help customers diagnose, remediate if necessary, and prevent future infection.
Cyclops Blink is sophisticated malware with a modular structure. It supports functionality to add new modules at run-time allowing Sandworm operators to implement additional capability as required.
The malware leverages the firmware update process to achieve persistence. The malware manages clusters of victims and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses.
Recently, the U.S. government announced that it had dismantled the Cyclops Blink botnet operated by the Russia-linked Sandworm APT group.
Burp Suite is a proxy-based tool developed by PortSwigger for evaluating the security of web applications through hands-on testing. It is one of the most popular penetration testing and vulnerability-finding tools and is widely used for checking web application security.
SuperCare Health, a leading respiratory care provider in the Western U.S, disclosed a data breach that impacted more than 300,000 individuals.
SuperCare Health disclosed a security breach that has led to the exposure of personal information belonging to its patients, patients/members of its partner organizations and others.
The company notified impacted individuals and law enforcement agencies.
The company told the US Department of Health and Human Services that the data breach has impacted 318,379 individuals.
The security breach was discovered on July 27, 2021, when the company’s IT personnel noticed unauthorized activity on some systems. SuperCare Health immediately launched an investigation into the incident with the help of independent cybersecurity experts, which revealed that the intrusion took place between July 23 and July 27, 2021.
Seven months later, in February 2022, the company determined the potential compromise of some information relating to certain patients.
“On July 27, 2021, we discovered unauthorized activity on our systems. In response, we immediately began containment, mitigation, and restoration efforts to terminate the activity and to secure our network, systems, and data. In addition, we retained independent cybersecurity experts to conduct a forensic investigation into the incident and assist us in determining what happened.” reads the data security notice published by the company. “The forensic investigation revealed that an unknown party had access to certain systems on our network from July 23, 2021 to July 27, 2021. Based on that information, we worked diligently to identify the potentially affected files and their contents. On February 4, 2022, we determined that the potentially impacted files contained some information relating to certain patients.”
Potentially compromised data depend on the individual and may include: name, address, date of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, other health-related information, and claim information. For a small subset of individuals, their Social Security number and/or driver’s license number may have been contained in the impacted files.
The company is not aware of any abuse or misuse of the information exposed as a result of the incident.
Developers Remediate Less Than a Third of Vulnerabilities
Developers are regularly ignoring security issues as they deal with an onslaught of issues from security teams, even as they are expected to release software more frequently and faster than ever before.
In addition, developers fix just 32% of known vulnerabilities, and 42% of developers push vulnerable code once per month, according to Tromzo’s Voice of the Modern Developer Report.
The report, based on a survey of more than 400 U.S.-based developers who work at organizations where they currently have CI/CD tools in place, also found a third of respondents think developers and security are siloed.
Tromzo CTO and co-founder Harshit Chitalia pointed out the top security vulnerabilities of the past few years—Log4j, SolarWinds, Codecov—have all been supply chain attacks.
“This has made AppSec an urgent and top priority for CISOs worldwide,” he said. “In addition, everything as code with Kubernetes, Terraform and so on have made all parts of the development stack part of AppSec.”
From his perspective, the only way this big attack surface can be overcome is with security and development teams working hand in hand to secure the application in every step of the development cycle.
He added developers ignoring security issues is one of the fundamental issues AppSec engineers have with security.
“Security teams put their blood, sweat and tears into finding different vulnerabilities in code through orchestrating scanners and manual testing,” he said. “After all the work, seeing the issue on Jira queue for months is disappointing and quite frustrating.”
Fighting Friction
On the other hand, he pointed to developers who are now asked not only to develop features and fix bugs but also look at DevOps, performance and security of their applications.
“This leads to friction in priorities and, if unresolved, leads to unhappy employees,” he said. “The C-suite is very much aware of this problem, but they are stuck with security tools which are not created for developers. As application security is going through a big transformation, we believe the tooling will also shift.”
He explained there were several concerning findings from the survey but that two, in particular, stood out.
The first thing Chitalia found deeply concerning was the fact that 62% of developers are using 11 or more application security tools.
He said application security has evolved in recent years with AppSec teams now responsible for source-code analysis, DAST, bug bounty, dependency, secrets scanning, cloud scanning and language-specific scanners.
“This means developers are constantly fed information from these tools without any context and they have to triage and prioritize the workload these tools generate for them,” he said.
The second big worry was the fact that a third of vulnerabilities are noise.
“If someone told you that a third of the work you did needs to be thrown away every single day, how would you feel about that?” he asked. “But that’s the current state of application security.”
Nordex Group, one of the largest manufacturers of wind turbines, was hit by a cyberattack that forced the company to shut down part of its infrastructure.
Nordex Group, one of the world’s largest manufacturers of wind turbines, was the victim of a cyberattack that forced the company to take down multiple systems.
The attack was uncovered on March 31, 2022, and the company immediately started its incident response procedure to contain it.
Nordex Group shut down “IT systems across multiple locations and business units” as a precautionary measure to prevent the threat from spreading across its networks.
“On 31 March 2022 Nordex Group IT security detected that the company is subject to a cyber security incident. The intrusion was noted in an early stage and response measures initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units.” reads the announcement published by the company. “The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure.”
Nordex did not disclose technical details of the cyberattack, but the fact that it was forced to shut down part of its IT infrastructure suggests that it fell victim to a ransomware attack.
According to the press release, customers, employees, and other stakeholders may be affected by the shutdown of the company’s systems.
In November another manufacturer of wind turbines was hit by a cyber attack: the Danish wind turbine giant Vestas Wind Systems. The company was hit by the Lockbit 2.0 ransomware gang, which published the stolen data in December after ransom negotiations failed.