Apr 06 2022

The CISO as brand enabler, customer advocate, and product visionary

Category: CISO,vCISODISC @ 8:38 am
The CISO as brand enabler, customer advocate, and product visionary

Just over a quarter-century ago, the first Chief Information Security Officer (CISO) was minted in the financial vertical, and everyone lived happily ever after. The End.

Why Your CISO is Ineffective and What You Can do About it | Cyber Defense Group

If only this story was that simple and straightforward! The CISO role has never been cut-and-dry. Despite its longevity, this role is still in its adolescence – full of promise, mostly headed in the right direction, but not quite fully formed.

If you’re a CISO today, or have worked for or watched one from afar, you have felt the reality of the goalposts continually shifting over time, and you have experienced some of the tough questions that may not yet be answered. Where should the CISO report for maximum effect? How does the CISO gain that valuable seat at the executive table, and a regularly scheduled time slot every quarter in front of the board? Is it possible that broad technical competency may be superior to deep technical expertise for this C-level role? And if you are the CISO who thought you signed up for an IT-centric, inward-facing role, I have a few nation-state and cybercriminal actors to introduce to you.

But there are several other less obvious roles that the CISO should consider taking on to help the organization reach its goals, whether its customers are external or internal.

The CISO as brand enabler

Quantifying the value of a corporate brand is tough. But it’s clear that your organization’s brand is as much an asset as the devices and networks that the CISO is charged with protecting – in fact, the brand may be your organization’s largest single asset. A recent Forbes/MASB report states that brand assets drive approximately 20% of enterprise value on average. Doesn’t that sound like something worth protecting?

Yes, the creation and growth of the brand is typically the responsibility of the marketing organization and the CMO (chief marketing officer). But it’s not unusual for marketing to feel like it’s outracing the other business functions, including the CISO, and they are anxious for everyone to “catch up” and join them. The CISO can act as a useful counterweight to help marketing achieve its goals safely, in good times and bad. For example, isn’t it important to fully coordinate a breach response between these two groups in a way that best preserves the value of your brand? Those brands that emerge out of a high-profile information security incident stronger don’t get there by accident.

This is a missed opportunity in many organizations. When was the last time your CISO and CMO sat down alone to discuss each other’s long-term initiatives? And no, the sometimes recurring conversation between these two parties about how the marketing team is leveraging shadow IT doesn’t count here.

The CISO as customer advocate

If the CISO is considered an inward-facing resource only, your organization may be leaving some significant value on the table. Is your CISO considered and leveraged as an extended member of your customer-facing teams? There is often nothing more compelling to a prospect or a customer than the opportunity to hear from a true CISO practitioner about her experiences in the industry around a common challenge.

Another way to bring the CISO closer into the customer orbit: you have some customers who due to their size or potential are at the very top of your essential, must-not-lose list. Your CISO may be more than willing to act as an executive sponsor for the overall relationship between the two organizations. This is a great way to cement that bond with your truly key and strategic customers. You may also discover that same hugely important customer is willing to share details with the CISO that would never be shared with the sales team.

The CISO as product visionary

In many ways, your CISO may be an ideal prospect, a research partner, and a sounding board for new products, services or features your organization plans to introduce. Think about all the angles a CISO deals with every day: B2B connections and data flowing amongst third parties; identifying and securing B2C data and connectivity; monitoring an infrastructure round the clock to recognize and remediate tactical, strategic and regulatory risks; signing off on your organization’s ISO 27001 certification or SOC 2 attestation, and more!

For bonus points, if you are that CISO of today or the aspirational CISO of tomorrow, don’t settle for approaching your job solely in pursuit of how to best secure your organization – ask yourself how you can make your own customers more secure. Sometimes a new feature or service might pop out from that alternative angle, from a perspective that only the CISO can see.

Whether you are the CISO or are a colleague of the CISO, think outside the box. CISOs can absolutely be leveraged in these and other non-traditional roles, to the greater benefit of your organization.

The CISO Evolution: Business Knowledge for Cybersecurity Executives

Tags: CISO, The CISO Evolution

Apr 05 2022

Build your career with ISO 27701 training

Category: ISO 27kDISC @ 4:08 pm

ISO 27701 specifies the requirements for establishing, implementing, maintaining, and continually improving a PIMS (privacy information management system).

Compliance with ISO 27701 shows customers and stakeholders that your organization takes privacy legislation seriously. ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing data security practices to achieve complete coverage of data security and privacy management.

ITG Certified ISO 27701 PIMS Lead Implementer Training Course covers the key steps involved in implementing and maintaining an ISO 27701-compliant PIMS.

Certified ISO 27701 PIMS Lead Implementer Training Course

If you are already an ISO 27701 expert, have you considered developing your career as an auditor? ITG  Certified ISO 27701 PIMS Lead Auditor Training Course teaches you how to extend an ISO 27001 audit program and conduct a PIMS audit against ISO 27701.  

Certified ISO 27701 PIMS Lead Auditor Training Course

Enhance your privacy management with ISO 27701

ISO/IEC 27701 2019 Standard and Toolkit

Tags: ISO 27701, ISO 27701 Auditor, ISO 27701 Implementer

Apr 05 2022

CISA adds Spring4Shell flaw to its Known Exploited Vulnerabilities Catalog

Category: Security vulnerabilitiesDISC @ 8:41 am
CISA adds Spring4Shell flaw to its Known Exploited Vulnerabilities Catalog

The U.S. CISA added the recently disclosed remote code execution (RCE) vulnerability Spring4Shell to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed 

CVE-2022-22965
 (aka Spring4Shell, CVSS score: 9.8) flaw in the Spring Framework, along with three other issues, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The Spring4Shell issue was disclosed last week, it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting its account (helloexp).

This week VMware has published security updates to address the Spring4Shell flaw, according to the virtualization giant, the flaw impacts many of its cloud computing and virtualization products.

The flaw impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.

Spring4Shell impacts VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

The exploitation of this flaw could allow a remote attacker to execute arbitrary code on vulnerable systems. Researchers from Palo Alto Networks’ Unit42 and Akamai have observed the issue being exploited in the wild to deploy malicious code.

CISA also added CVE-2022-22675CVE-2022-22674CVE-2021-45382 flaws to its catalog. The four vulnerabilities added to the catalog have to be addressed by federal agencies by April 25, 2022.

Tags: Spring4Shell

Apr 04 2022

Brokenwire attack, how hackers can disrupt charging for electric vehicles

Category: Cyber Attack,Security vulnerabilitiesDISC @ 8:00 am
Brokenwire attack, how hackers can disrupt charging for electric vehicles

Boffins devised a new attack technique, dubbed Brokenwire, against the Combined Charging System (CCS) that could potentially disrupt charging for electric vehicles.

A group of researchers from the University of Oxford and Armasuisse S+T has devised a new attack technique, dubbed Brokenwire, against the popular Combined Charging System (CCS) that could be exploited by remote attackers to disrupt charging for electric vehicles.

The Combined Charging System (CCS) is one of the most widely used DC rapid charging technologies for electric vehicles (EVs). 

The attack aims at interrupting the control communication between the vehicle and charger, causing the disruption of charging sessions.

“The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.” reads the post published by the academics. “In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it.”

Brokenwire attack

The researchers demonstrated that the Brokenwire attack can be conducted from a distance of as far as 47m (151ft). Experts pointed out that the interruption of the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences.

The experts did not disclose details about the attack technique to prevent attacks in the wild.

The researchers published a video PoC of the attack showing their technique in action.

Let me close with a couple of Questions from FAQ published by the researchers:

I have a charger at home, can someone stop my car from charging?

Probably not. Most likely your home charger uses AC charging and a different communication standard (IEC 61851), so won’t be affected. This might change in the future though, with home chargers getting ISO 15118 support.

Can Brokenwire also break my car?

We’ve never seen any evidence of long-term damage caused by the Brokenwire attack. Based on our development work, we also have good reason to expect there isn’t any.

Tags: Brokenwire attack

Apr 01 2022

List of data breaches and cyber attacks in March 2022 – 3.99 million records breached

Category: Cyber Attack,Data Breach,Security BreachDISC @ 8:42 am
List of data breaches and cyber attacks in March 2022 – 3.99 million records breached

In March, we discovered 88 publicly disclosed cyber security incidents, accounting for 3,987,593 breached records.

That brings the total number of breached records in the first quarter of 2022 to 75,099,482. We’ll be providing more stats from Q1 2022 in our quarterly review of cyber security incidents, which will be published on our website in the coming days.

Be sure to check our blog to find that article, or subscribe to our Weekly Round-up to make sure you get the latest content delivered straight to your inbox.

Meanwhile, you can find the full list of cyber attacks and data breaches for March 2022 below.

List of data breaches and cyber attacks in March 2022 – 3.99 million records breached

Luke Irwin  31st March 2022

In March, we discovered 88 publicly disclosed cyber security incidents, accounting for 3,987,593 breached records.

That brings the total number of breached records in the first quarter of 2022 to 75,099,482. We’ll be providing more stats from Q1 2022 in our quarterly review of cyber security incidents, which will be published on our website in the coming days.

Be sure to check our blog to find that article, or subscribe to our Weekly Round-up to make sure you get the latest content delivered straight to your inbox.

Meanwhile, you can find the full list of cyber attacks and data breaches for March 2022 below.

Contents

Big Breaches: Cybersecurity Lessons for Everyone

Tags: cyber attacks in March 2022

Apr 01 2022

Flaws in Wyze cam devices allow their complete takeover

Category: Remote codeDISC @ 8:32 am
Flaws in Wyze cam devices allow their complete takeover

Wyze Cam devices are affected by three security vulnerabilities that can allow attackers to takeover them and access camera feeds.

Bitdefender researchers discovered three security vulnerabilities in the popular Wyze Cam devices that can be exploited by threat actors to execute arbitrary code and access camera feeds.

The three flaws reported by the cybersecurity firm are:

  • An authentication bypass tracked CVE-2019-9564
  • A stack-based buffer overflow, tracked as CVE-2019-12266, which could lead to remote control execution.
  • An unauthenticated access to contents of the SD card

A remote attacker could exploit the CVE-2019-9564 flaw to take over the device, including turning on/off the camera.

An attacker could chain the above issue with the CVE-2019-12266 flaw to access live audio and video feeds.

The flaws were reported to Wyze in May 2019, the company addressed the CVE-2019-9564 and CVE-2019-12266 flaws in September 2019 and November 2020, respectively.

The vendor addressed the unauthenticated access to the content of the SD card with the release of firmware updates on January 29, 2022.

According to the experts, there are 3 version of Wyze Cam devices on the market and the first one has been discontinued and will not receive security updates to address the flaws.

The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes.” reads the report published by the security firm. “Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited.

wyze cam 2
Source Punto Informatico website

Bitdefenders also provided the following recommendations to prevent attacks against IoT devices:

“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” reads the post. “This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”

Tags: Wyze cam

Mar 31 2022

Every Day Should be World Backup Day

Category: BCP,Security AwarenessDISC @ 1:09 pm

World-Backup-Day-1 | Tips for Backing up your Data! GoldPhish | Cyber Security AwarenessDownload

Modern Data Protection: Ensuring Recoverability of All Modern Workloads

Tags: Backup Day, data archive, data protection, data storage

Mar 31 2022

How to read a SOC 2 Report

Category: Risk Assessment,Security Risk Assessment,Vendor AssessmentDISC @ 8:43 am
how to read a SOC 2 report
https://fractionalciso.com/how-to-read-a-soc-2-report/

The following conversation about reviewing a SOC 2 report is one to avoid. 

Potential Customer: “Hi Vendor Co., do you have a SOC 2?”

Vendor Co. Sales Rep: “Yes!”

Potential Customer: “Great! We can’t wait to start using your service.” 

The output of a SOC 2 audit isn’t just a stamp of approval (or disapproval). Even companies that have amazing cybersecurity and compliance programs have a full SOC 2 report written about them by their auditor that details their cybersecurity program. SOC 2 reports facilitate vendor management by creating one deliverable that can be given to customers (and potential customers) to review and incorporate into their own vendor management programs.

Vendor security management is an important part of a company’s cybersecurity program. Most mature organizations’ process of vendor selection includes a vendor security review – a key part of which includes the review of a SOC 2 report.

SOC 2 reports can vary greatly in length but even the most basic SOC 2 report is dense with information that can be difficult to digest, especially if you aren’t used to reading them. This article will teach you how to read a SOC 2 report by providing a breakdown of the report’s content, with emphasis on how to pull out the important parts to look at from a vendor security review perspective.

Please note that you should not use this as a guide to hunt and peck your way through a SOC 2 report. It is important to read through the entire report to gain a full understanding of the system itself. However, this should help draw attention to the particular points of interest you should be looking out for when reading a report. 

Many different auditing firms perform SOC 2 audits, some reports may look a little different from the others but the overall content is generally the same.

How to read a SOC 2 report: the Cover Page

Even the cover page of a SOC 2 report has a lot of useful information. It will have the type of SOC 2 report, date(s) covered, the relevant trust services criteria (TSC) categories, and the auditing firm that conducted the audit. 

What Type of SOC 2 Report?

There are two types of SOC 2 reports that can be issued: A SOC 2 Type I and a SOC 2 Type II. The type of report will be denoted on the cover page. The key difference is the timeframe of the report:

A SOC 2 Type I is an attestation that the company complied with the SOC 2 criteria at a specific point in time. 

A SOC 2 Type II is an attestation that the company complied with the SOC 2 criteria over a period of time, most commonly a 6 or 12 month period. 

SOC 2 Type II reports are more valuable because they demonstrate a long-term commitment to a security program – and any issues over the time frame will be revealed. It’s possible for a company to get a SOC 2 Type I report then fail to adhere to their controls. 

Key takeaway: If a company only has a SOC 2 Type I, ask if and when they are working on achieving a SOC 2 Type II. If they say they are not getting a Type II, this is indicative of a lower commitment to security. 

Trust Services Criteria

Cybersecurity for Executives in the Age of Cloud 

Tags: SOC 2 report, SOC2

Mar 31 2022

Mysterious disclosure of a zero-day RCE flaw Spring4Shell in Spring

Category: Zero dayDISC @ 8:20 am
Mysterious disclosure of a zero-day RCE flaw Spring4Shell in Spring

An unauthenticated zero-day RCE vulnerability in the Spring Core Java framework called ‘Spring4Shell’ has been publicly disclosed.

Researchers disclosed a zero-day vulnerability, dubbed Spring4Shell, in the Spring Core Java framework called ‘Spring4Shell.’ An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting its account (helloexp).

“The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks.” reported the analysis published by Rapid7. “The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly deleted.”

The flaw has yet to be patched and impacts Spring Core on Java Development Kit (JDK) versions 9 and later. The vulnerability is a bypass for another vulnerability tracked as 

CVE-2010-1622
.

https://twitter.com/th3_protoCOL/status/1509201539461619715?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1509201539461619715%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F129644%2Fhacking%2Fspring-java-framework-rce-zero-day.html

Rapid7 researchers pointed out that the vulnerability (and proof of concept) could be triggered only when a specific functionality is used. The exploit code released by the Chinese researchers is not related to a “completely different” unauthenticated RCE flaw that was published on March 29, 2022 for Spring Cloud.

“Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation.” continues Rapid7.

The analysis of the flaw suggests that its impact may not be severe like other issues, like Log4J.

“Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,” reads the analysis published by cybersecurity firm Praetorian.

Security researchers that tested the Spring4Shell exploit confirmed that it works. CERT/CC vulnerability analyst Will Dormann confirmed that the PoC exploit code works against the stock ‘Handling Form Submission’ sample code from 

spring.io
.

Security experts are aware of public exploitation of the Spring4Shell in the attacks.

Spring4Shell

Tags: RCE flaw, Spring4Shell

Mar 30 2022

What Proxies Are For

Category: ProxyDISC @ 3:29 pm
What Proxies Are For

When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand among those who want to visit American-only stores and other sites. Here we break it down a bit to show how a proxy can do you good and how to choose a proxy service for your comfort and safety.

Table of Contents

Web Application Proxy and Active Directory Federation Services on AWS 

Tags: proxies

Mar 30 2022

CISA and DoE warns of attacks targeting UPS devices

Category: Cyber AttackDISC @ 8:30 am
CISA and DoE warns of attacks targeting UPS devices

The US CISA and the Department of Energy issued guidance on mitigating attacks against uninterruptible power supply (UPS) devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy published joint guidance on mitigating cyber attacks against uninterruptible power supply (UPS) devices.

The US agencies warn of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices by exploiting default credentials.

UPS devices provide clean and emergency power in a variety of applications when normal input power sources are interrupted for various reasons.

The guidance recommends organizations immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet. In the case where a UPS device must be accessible online, organizations are recommended to implement the following controls:

  • Ensure the devices are accessible through a virtual private network.
  • Enforce multifactor authentication.
  • Use strong passwords or passphrases in accordance with National Institute of Standards and Technology guidelines (for a humorous explanation of password strength, see XKCD 936)

CISA recommends checking if organizations’ UPS credentials are still set to the factory default.

Cisa UPS

Additional info, including incident response best practices, are included in the “Mitigating Attacks Against Uninterruptible Power Supply Devices” guidance.

The Cyber Security Handbook: Prepare for, Respond to and Recover from Cyber Attacks with the It Governance Cyber Resilience Framework (CRF) 

Tags: CISA, DoE, UPS devices

Mar 29 2022

Active Directory Privilege Escalation

Category: Privilege EscalationDISC @ 2:38 pm

“Active Directory Privilege Escalation – by Paramount Defenses”Download

Privilege Escalation Techniques: Learn the art of exploiting Windows and Linux systems

Tags: Active Directory

Mar 29 2022

Compromised WordPress sites launch DDoS on Ukrainian websites

Category: DDoS,Web SecurityDISC @ 8:44 am
Compromised WordPress sites launch DDoS on Ukrainian websites

Threat actors compromised WordPress sites to deploy a script that was used to launch DDoS attacks, when they are visited, on Ukrainian websites.

MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site, when the users were visiting the website the script launched a DDoS attack against ten Ukrainian sites.

The JavaScript was designed to perform thousands of HTTP GET requests to the targeted sites

The only evidence of the ongoing attack is the slowing down of the browser performance.

According to BleepingComputer, which first reported the discovery, DDoS attacks targeted pro-Ukrainian sites and Ukrainian government agencies, including think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.

Below is the list targeted websites:

https://stop-russian-desinformation.near.page
https://gfsis.org/
http://93.79.82.132/
http://195.66.140.252/
https://kordon.io/
https://war.ukraine.ua/
https://www.fightforua.org/
https://bank.gov.ua/
https://liqpay.ua
https://edmo.eu

The script generates random requests to avoid that they are served through a caching service.

DDoS

BleepingComputer discovered that the same script is being used by the pro-Ukrainian site to launch attacks against Russian websites.

“When visiting the site, users’ browsers are used to conduct DDoS attacks on 67 Russian websites.” states BleepingComputer.

Tags: Ukrainian websites

Mar 28 2022

Shopping trap: The online stores’ scam that hits users worldwide

Category: Cyber crime,Cyber ThreatsDISC @ 8:45 am
Shopping trap: The online stores’ scam that hits users worldwide

Shopping trap: Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world

Malicious schemas linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world and thereby trick victims. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, Columbia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected.

Shopping trap

Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are available on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).

As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than 1k malicious entries is provided at the end of the article.

The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.

A new campaign typically starts with the authors setting up the malicious domain at the top of Google search through digital ads (Google ads) – as shown above referring to the Lefties clothing store disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, social Ads were also found on Instagram and Facebook social media platforms.

The content of the malicious websites – clones of the official stores –  are based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts related to the static CMS can be found on a GitHub repository from criminals. In detail, criminals put some effort into developing a generic platform that could serve a mega operation at a large scale, where small tweaks of images and templates would allow the reuse of code for different online stores. Then, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:

  • Name (first and last)
  • Complete address (street, zip-code, city, and country)
  • Mobile phone
  • Email
  • Password
  • Credit card information (number, date, and CVV); and
  • Details about the order and tracking code of the package.

As usual, this Personally Identifiable Information (PII) can be utilized later by criminals to leverage other kinds of campaigns. In order to prevent this type of scenario, we provide a tool that allows you to validate if victims’ information is now in the wrong hands.

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: Online scams, Scam Me If You Can

Mar 27 2022

Morgan Stanley Client Accounts Breached in Social Engineering Attacks

Category: Information SecurityDISC @ 12:28 pm

Morgan-Stanley-Client-Accounts-Breached-in-Social-Engineering-Attacks-1Download
The F&G Group | New York, NY | Miami, FL | Morgan Stanley Private Wealth Management

Mar 26 2022

FCC adds Kaspersky to Covered List due to unacceptable risks to national security

Category: Antivirus,Information Security,Information WarfareDISC @ 9:53 pm
FCC adds Kaspersky to Covered List due to unacceptable risks to national security

The Federal Communications Commission (FCC) added Kaspersky to its Covered List because it poses unacceptable risks to U.S. national security.

The Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List saying that they pose unacceptable risks to U.S. national security.

“The Federal Communications Commission’s Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019.” reads the FCC’s press release.

The Covered List, published by Public Safety and Homeland Security Bureau published, included products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.

The US commission also added Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list. Below is the list of Covered Equipment or Services added on March 25, 2022:

  • Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.
  • International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934.
  • Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934.

FCC banned Kaspersky security solutions and services supplied by Kaspersky or any linked companies.

“The FCC’s decision to add these three entities to our Covered List is welcome news. The FCC plays a critical role in securing our nation’s communications networks, and keeping our Covered List up to date is an important tool we have at our disposal to do just that. In particular, I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.” said FCC Commissioner Brendan Carr. “I applaud Chairwoman Rosenworcel for working closely with our partners in the Executive Branch on these updates. As we continue our work to secure America’s communications networks, I am confident that we will have more entities to add to our Covered List.”

In Mid March, the German Federal Office for Information Security agency, aka BSI, recommended consumers uninstall Kaspersky anti-virus software. The Agency warns the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine.

According to §7 BSI law, the BSI warns against the use of Kaspersky Antivirus and recommends replacing it asap with defense solutions from other vendors.

Tags: FCC, kaspersky, National security

Mar 25 2022

Anonymous Claims to Have Hacked the Central Bank of Russia

Category: Anonymous,HackingDISC @ 3:05 pm

Anonymous-Claims-to-Have-Hacked-the-Central-Bank-of-Russia-1Download
Anonymous Hackers Fire 'Warning Shot' at Companies Refusing to Pull Out of Russia - HS Today

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency

Tags: Central Bank of Russia

Mar 25 2022

Chrome emergency update fixes actively exploited a zero-day bug

Category: Web SecurityDISC @ 2:39 pm
Chrome emergency update fixes actively exploited a zero-day bug

Google addresses an actively exploited zero-day flaw with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux.

Google fixed an actively exploited high-severity zero-day vulnerability with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux.

Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug, tracked as CVE-2022-1096, exploited in the wild.

The CVE-2022-1096 vulnerability is a Type Confusion in V8 JavaScript engine, the bug was reported by an anonymous on 2022-03-23.

“The Stable channel has been updated to 99.0.4844.84 for Windows, Mac and Linux which will roll out over the coming days/weeks.” reads the security advisory published by Google.

“Google is aware that an exploit for CVE-2022-1096 exists in the wild.”

At this time, Google has yet to publish technical details about the flaw ether how it was exploited by threat actors in the wild.

Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” continues the advisory.

CVE-2022-0609
 is the second zero-day vulnerability addressed by the IT giant this year in Chrome. In February Google fixed a high-severity zero-day flaw, tracked as 
CVE-2022-0609
, which was actively exploited. Google released a Chrome emergency update for Windows, Mac, and Linux to fix the 
CVE-2022-0609
 bug.

The CVE-2022-0609 zero-day is a use after free issue that resides in Animation, the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.

The flaw was exploited by North Korea-linked threat actors since January 4, 2022.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

Tags: Chrome emergency update fixes, Sandworm

Mar 24 2022

Strengthening third-party vendor programs in times of crisis and beyond

Category: Vendor AssessmentDISC @ 10:05 pm
Strengthening third-party vendor programs in times of crisis and beyond

The ongoing global turmoil has tested the supply chain across industries in a myriad of ways – from strained resources and remote workflows to security concerns and more. Sustaining a resilient supply chain is one area where many organizations have seen disruptions and business risk, mostly related to managing third-party vendors.

Recent reports have found that 85% of companies are losing money to third-party integration issues related to their supply chains – some losing over $1 million per year. Much of this is contributed by outdated integration systems – those that are not cloud-based – as well as a lack of end-to-end business process visibility. In addition, 35% of businesses have stated their compliance teams have no way of knowing if third-party partners are compliant. Not only is this a big problem financially, but it indicates that most aren’t aware of what is happening across business transactions, which could contribute to even greater future risk and loss.

To overcome these challenges, businesses must implement an agile risk management program that prioritizes third-party risk management. Building a formalized third-party risk management program that strengthens end-to-end process visibility is a three-step process.

Step one: Define and build the program

Defining the current state of an IT and third-party risk management program is the first step in understanding what is working, and most critically, what is not working. This includes a complete audit of existing vendors and the potential risks they pose; this gives leaders visibility into current risks, identifies addressable risk, and unnecessary future risks that can be preemptively mitigated. This process also enables organizations to create new standards and goals for an improved third-party vendor program. For example, organizations need to understand communication processes between IT and third-party risk management teams to unearth potential issues caused by manual processes, inadequate reporting and/or inaccessibility to relevant data.

Top-down sponsorship and bottom-up execution is also key when developing a third-party compliance program. Organization-wide alignment shifts third-party vendor processes from a “check box” compliance exercise to a consistent, thorough process that underscores the significance of having a risk management program in place. For example, many organizations have a vendor onboarding checklist that includes tasks like reviewing their product/service track record, financial stability and if they’ve run afoul of the law. However, a consistent, thorough process would also encompass activities like ongoing due diligence that regularly checks a vendor’s risk profile for financial, regulatory, and reputational risk.

To break down silos and make adoption more seamless, organizations should consider automating these processes, and integrating with systems of record across the business. This will grow program efficacy, create greater efficiency in operations and most importantly, will support a risk management program that can evolve alongside future compliance needs, workflows, and processes.

Step two: Establish resources, priorities, and foundational assets

A primary reason executive sponsorship is critical is because organizations need to determine what resources are available to actualize plans.

Key stakeholders across IT, HR and risk and compliance will be instrumental in not just the rollout of an improved third-party vendor program, but also in defining the scope. Allocating resources can be anything from identifying internal subject matter experts, formalizing committees, or determining if and how new hires need to be evaluated.

Because you can’t boil the ocean, it is important to understand which vendors have the greatest potential impact to the business. With this data in hand – which is accessed by foundational assets like robust risk management tools and solutions – project stakeholders can prioritize risks by level of importance and formulate an actionable plan.

Lastly, establishing and enforcing a library of controls within these solutions can improve processes and decrease the level of risk. By doing so, the organization can manage enforcement for internal as well as regulatorily enforced best practices, while also ensuring that any third parties with access to these systems follow the same requirements, thereby creating uniformity of process and reducing risk.

Step three: Implement program methodology

In addition to assessing third parties, a key step in building a healthy risk management program is defining metrics. The program methodology should include established reporting standards and target metrics, allowing success to be measured over time. With benchmarks from step one in place, teams can measure how cloud integrations led to overall improvements, or how quickly potential risks were rectified, for example.

Employee training plays a big role here as everyone within an organization needs to be able to navigate third-party risk management solutions with ease. Training should include the entire risk management function and provide repeatable introductions into the change management challenges that are associated with any new program, process, or system.

While a robust solution with automated workflows will certainly resolve integration issues and streamline processes, organizational buy-in for third-party risk management programs is what defines resilient vendor relationships and a healthy compliance program. Using this methodology to create a risk-based strategy will not only help a business establish and maintain a strong vendor supply chain but can help identify future risks enabling teams to mitigate them before they become a business-impacting issue, which is what businesses resilience is all about.

Cybersecurity and Third-Party Risk: Third Party Threat Hunting 

Tags: third-party vendor program

Mar 24 2022

macOS Malware of Chinese Hackers Storm Cloud Exposed

Category: MalwareDISC @ 11:44 am

macOS-Malware-of-Chinese-Hackers-Storm-Cloud-Exposed-1Download

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

Tags: Chinese hackers, Storm Cloud, The Hacker and the State

« Previous PageNext Page »