InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Gone are the days when phones were only used to make phone calls and send text messages; nowadays, smartphones are more akin to a pocket-sized version of a high-functioning microcomputer that can perform a wide range of functions aside from communications. Android phones are essentially a sub-category of smartphones with installed Android operating systems, allowing their features to function effectively. Today, virtually everybody owns a smartphone, especially the prevalent android versions. More advanced versions of these phones are released yearly with newer innovations and improved operating systems to enhance user experience. It’s simply a cutting-edge technology that we can’t get enough of.
Nowadays, Android phones are quickly becoming a must-have gadget because they are used to perform virtually all everyday functions, from communication, advertising, and marketing to entertainment. They also serve as a means of accessing information through social media and can be used for a wide variety of other functions like taking high-quality pictures, watching movies, typing documents, etc.
Overall, technology has truly revolutionized our daily lives, and the introduction of smartphones made it easier and faster for us to access information and communicate with greater ease. However, aside from the numerous conventional functions that we use our android phones for, there is a long list of hidden features, tricks, shortcuts, and quick hacks that you can take advantage of with your Android phone.
In this article, we will discuss some of the Android tips and tricks for getting the most from your phone.
The US government agencies warned of threat actors that are targeting ICS and SCADA systems from various vendors.
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) to warn of offensive capabilities developed by APT actors that could allow them to compromise multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
Schneider Electric programmable logic controllers (PLCs),
OMRON Sysmac NEX PLCs, and
Open Platform Communications Unified Architecture (OPC UA) servers.
According to the advisory that was issued with the help of leading cybersecurity firms (Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric), nation-state hacking groups were able to hack multiple industrial systems using a new ICS-focused malware toolkit dubbed PIPEDREAM that was discovered in early 2022.
“APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices” reads the advisory.
“The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.”
The toolkit could allow to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
Threat actors can also leverage a tool to install and exploit a known-vulnerable ASRock-signed motherboard driver (“AsrDrv103.sys“) by triggering the CVE-2020-15368 flaw to execute malicious code in the Windows kernel. The tool could be used to perform lateral movements within an IT or OT environment and interfere with devices’ operation.
Researchers from Dragos shared a detailed analysis of the new PIPEDREAM toolkit confirming that it has yet to be employed in attacks in the wild.
“PIPEDREAM is the seventh known ICS-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.” reads the report published by Dragos. “Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects. This is a rare case of accessing and analyzing malicious capabilities developed by adversaries before their deployment and gives defenders a unique opportunity to prepare in advance.”
Mandiant, which tack the toolkit as INCONTROLLER, also published a detailed analysis warning of its dangerous cyber attack capability.
“The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.” reads the analysis published by Mandiant. “INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017;”
The joint report also included the following recommendations for all organizations with ICS/SCADA devices:
Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
Implement robust log collection and retention from ICS/SCADA systems and management subnets.
Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
Ensure all applications are only installed when necessary for operation.
Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system.
This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector.
Open source is everywhere, it’s in everything, and everyone is using it. It is safe to say that almost any solution with a web server or a web client uses open source.
The alternative to leveraging the knowledge and experience of open source implementations is to write software from scratch, but “reinventing the wheel” can be costly – both in terms of resources and time.
Open source offers a competitive advantage and it’s mostly free, but in 40 years, a solid, sustainable model to support the majority of open source projects still hasn’t been found.
China-linked Hafnium APT group started using a new piece of new malware to gain persistence on compromised Windows systems.
The China-backed Hafnium cyberespionage group is likely behind a piece of a new malware, dubbed Tarrask, that’s used to maintain persistence on compromised Windows systems, reported Microsoft Threat Intelligence Center (MSTIC) experts.
HAFNIUM primarily targets entities in the United States across multiple industries, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.
Microsoft Threat Intelligence Center (MSTIC) highlighted the simplicity of the technique employed by the Tarrask malware that creates “hidden” scheduled tasks on the system to maintain persistence.
Tarrask creates new registry keys upon the creation of a new task:
“The first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.” reads the post published by Microsoft.
In the attack analyzed by Mcirosoft, the nation-state actors created a scheduled task named ‘WinUpdate’ via HackTool:Win64/Tarrask to re-establish any dropped connections to the C2 servers.
The attackers deleted the [Security Descriptor] value within the Tree registry path. The security descriptor (SD) defines access controls for running the scheduled task.
The trick consists of erasing the SD value from the Tree registry path to make the task hidden from the Windows Task Scheduler or the schtasks command-line utility. The only way to see the tack is to manually examine the Registry Editor.
The experts pointed out that executing a “reg delete” command to delete the SD value will result in an “Access Denied” error even when run from an elevated command prompt. The only way to delete the SD value is to execute the command within the context of the SYSTEM user. For this reason, the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process.
“The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.” concludes the report. “As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”
Researchers at healthcare cybersecurity company Cynerio just published a report about five cybersecurity holes they found in a hospital robot system called TUG.
TUGs are pretty much robot cabinets or platforms on wheels, apparently capable of carrying up to 600kg and rolling along at just under 3km/hr (a slow walk).
They’re apparently available in both hospital variants (e.g. for transporting medicines in locked drawers on ward rounds) and hospitality variants (e.g. conveying crockery and crumpets to the conservatory).
During what we’re assuming was a combined penetration test/security assessment job, the Cynerio researchers were able to sniff out traffic to and from the robots in use, track the network exchanges back to a web portal running on the hospital network, and from there to uncover five non-trivial security flaws in the backend web servers used to control the hospital’s robot underlords.
In a media-savvy and how-we-wish-people-wouldn’t-do-this-but-they-do PR gesture, the researchers dubbed their bugs The JekyllBot Five, dramatically stylised JekyllBot:5 for short.
Despite the unhinged, psychokiller overtones of the name “Jekyllbot”, however, the bugs don’t have anything to do with AI gone amuck or a robot revolution.
The researchers also duly noted in their report that, at the hospital where they were investigating with permission, the robot control portal was not directly visible from the internet, so a would-be attacker would have already needed an internal foothold to abuse any of the bugs they found.
Unauthenticated access to everything
Nevertheless, the fact that the hospital’s own network was shielded from the internet was just as well.
With TCP access to the server running the web portal, the researchers claim that they could:
Access and alter the system’s user database. They were apparently able to modify the rights given to existing users, to add new users, and even to assign users administrative privileges.
Snoop on trivially-hashed user passwords. With a username to add to a web request, they could recover a straight, one-loop, unsalted MD5 hash of that users’ password. In other words, with a precomputed list of common password hashes, or an MD5 rainbow table, many existing passwords could easily be cracked.
Send robot control commands. According to the researchers, TCP-level access to the robot control server was enough to issue unauthenticated commands to currently active robots. These commands included opening drawers in the robot’s cabinet (e.g. where medications are supposedly secured), cancelling existing commands, recovering the robot’s location and altering its speed.
Take photos with a robot. The researchers showed sample images snapped and recovered (with authorisation) from active robots, including pictures of a corridor, the inside of an elevator (lift), and a shot from a robot approaching its charging station.
Inject malicious JavaScript into legitimate users’ browsers. The researchers found that the robot management console portal was vulnerable to various types of cross-site scripting (XSS) attack, which could allow malware to be foisted on legitimate users of the system.
The modern realities of cybersecurity have uncovered the unpreparedness of many sectors and industries to deal with emerging threats. One of these sectors is the healthcare industry. The pervasiveness and proliferation of online innovation, systems, and applications in global healthcare have created a threat domain wherein policy and regulation struggle to keep pace with development, standardization faces contextual challenges, and technical capacity is largely deficient.
It is now urgent that healthcare professionals know the most relevant concepts and fundamentals of global cybersecurity related to eHealth. Cybersecurity for eHealth: A Practical Guide for Nontechnical Stakeholders and Healthcare Practitioners uses both a rigorous academic and practical professional approach in covering the essentials of cybersecurity. The book:
Distills foundational knowledge and presents it in a concise manner that is easily assimilated
Draws lessons from real-life case studies across the global healthcare industry to drive home complex principles and insights
Helps eHealth professionals to deal more knowledgeably and effectively with the realities of cybersecurity
Written for healthcare professionals without a background in the workings of information and communication technologies, the book presents the basics of cybersecurity and an overview of eHealth. It covers the foundational concepts, perspectives, and applications of cybersecurity in the context of eHealth and traverses the cybersecurity threat landscape to eHealth, including:
Threat categories, agents, and objectives
Strategies and approaches deployed by various threat agents
Predisposing risk factors in cybersecurity threat situations
Tools and techniques to protect against cybersecurity incidents
An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials. Although there’s some suggestion that it might have been QuaDream—a similar Israeli spyware firm.
Commissioner for Justice Didier Reynders (pictured) seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months ago—by Apple.
But who ordered the hack? Might it have been the French government? In today’s SB Blogwatch, we’re shocked—SHOCKED—to discover un peu d’espionnage fratricide.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.
“Remotely and invisibly take control of iPhones” Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. … At least four other [Justice and Consumers] commission staffers were also targeted. … The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were “targeted by state-sponsored attackers.” … The warnings triggered immediate concern at the commission. … A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: … “Given the nature of your responsibilities, you are a potential target.” … Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.
“Comes at potentially the worst possible time” It’s not totally clear why these officials were targeted or who used the malware against them. … NSO has denied that it had any involvement. … Reuters also reached out to QuaDream … but did not get any sort of comment or response. … The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. … NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed by … WhatsApp, [which] sued NSO in October of 2019 after the surveillance firm’s malware was allegedly discovered on some 1,400 users’ phones. … The company is also currently battling another lawsuit from Apple filed last November on similar grounds.
“Use of surveillance software” The discovery of the misuse of NSO Group’s tools certainly doesn’t help the company’s profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latter’s acquisition of NSO Group tools. … Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.
The European Union, huh?FOHEng thinks this should be a teachable moment:
Many of these same EU people think The App Store should be forced to open, increasing the vectors for … exploits to make it into devices. They’re as stupid as some US Senators, who aren’t allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional. … Third party stores with Apps being vetted for security? An oxymoron if ever there was one. … You think iOS third party stores are going to somehow be secure and Apps checked?
“No big deal until it happens to me.” This story has been unfolding slowly for years, yet these EU officials didn’t seem too bothered until Apple notified them about their phones being hacked. … Thanks for all the concern.
But what of Apple in all this? Heed the prognostications of Roderikus:
More fines for offering a platform that is basically compromised while being marketed as “safe.”
However,mikece is triggered by a certain word in the Reuter hed:
Throwing the adjective “Israeli” into the title is misleading as it suggest the state of Israel is somehow involved. … Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.
Yet we’ve still not dealt with the “who” question. For this, we turn to Justthefacts:
CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. … Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.
The target was the European Justice Minister from 2019 onwards. He doesn’t have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So it’s either France, Greece, Netherlands, Poland.
If you have a look at the heat-map produced by CitizenLab, it’s the French government snooping on the EU. What were you expecting?
Nor the “why”: What else do we know about the named victim? ffkom ffills us in: [You’re ffired—Ed.]
Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like “Safe Harbour” and “Privacy Shield,” … knowing those were contradicting EU law … and not worth the paper they were written on. He, personally, is also responsible for not enforcing … GDPR. … It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizen’s data.
In this video for Help Net Security, Paul Calatayud, CISO at Aqua Security, talks about cloud native security and the problem with the lack of understanding of risks to this environment.
A recent survey of over 100 cloud professionals revealed that often businesses lead the charge in cloud, they see the opportunity, they move forward, but more and more critical compute finds its way into these cloud environments, and the security teams start to take notice. Often too late, though.
The survey shows that the awareness is starting to become a problem, and the risks are not fully understood. Organizations need to get ahead of these things. To be able to apply a good cloud native security strategy, understanding the risks is imperative.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
A remote attacker with unprivileged credentials can exploit the CVE-2022-23176 vulnerability in WatchGuard Firebox and XTM appliances to access the system with a privileged management session via exposed management access.
The vulnerability is actively exploited by the Cyclops Blink botnet operated by the Russia-linked Sandworm APT group. Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.
Cyclops Blink is believed to be a replacement for the VPNFilter botnet, which was first exposed in 2018 and at the time was composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.
The Cyclops Blink malware has been active since at least June 2019, it targets WatchGuard Firebox, Small Office/Home Office (SOHO) network devices, and ASUS router models.
WatchGuard published instructions on how to restore compromised Firebox appliances. The company also developed and released a set of Cyclops Blink detection tools, as well as this 4-Step Cyclops Blink Diagnosis and Remediation Plan to help customers diagnose, remediate if necessary, and prevent future infection.
Cyclops Blink is sophisticated malware with a modular structure. It supports functionality to add new modules at run-time allowing Sandworm operators to implement additional capability as required.
The malware leverages the firmware update process to achieve persistence. The malware manages clusters of victims and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses.
Recently, the U.S. government has announced that it had dismantled the Cyclops Blink botnet operated by the Russia-linked Sandworm APT group.
Burpsuite, the proxy-based tool used to evaluate the security of web-based applications and do hands-on testing developed by PortSwigger. It is one of the most popular penetration testing and vulnerability finder tools and is often used for checking web application security.
SuperCare Health, a leading respiratory care provider in the Western U.S, disclosed a data breach that impacted more than 300,000 individuals.
SuperCare Health disclosed a security breach that has led to the exposure of personal information belonging to its patients, patients/members of its partner organizations and others.
The company notified impacted individuals and law enforcement agencies.
The company told the US Department of Health and Human Services that the data breach has impacted 318,379 individuals.
The security breach was discovered on July 27, 2021, when the company IT personnel noticed unauthorized activity on some systems. SuperCare Health immediately launched an investigation into the incident with the help of independent cybersecurity experts that revealed that the intrusion took place between July 23 and July 27, 2021.
Seven months later, in February 2022, the company determined the potential compromise of some information relating to certain patients.
“On July 27, 2021, we discovered unauthorized activity on our systems. In response, we immediately began containment, mitigation, and restoration efforts to terminate the activity and to secure our network, systems, and data. In addition, we retained independent cybersecurity experts to conduct a forensic investigation into the incident and assist us in determining what happened.” reads the data security notice published by the company. “The forensic investigation revealed that an unknown party had access to certain systems on our network from July 23, 2021 to July 27, 2021. Based on that information, we worked diligently to identify the potentially affected files and their contents. On February 4, 2022, we determined that the potentially impacted files contained some information relating to certain patients.”
Potentially compromised data depend on the individual and may include: name, address, date of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, other health-related information, and claim information. For a small subset of individuals, their Social Security number and/or driver’s license number may have been contained in the impacted files.
The company is not aware of any abuse or misuse for the information exposed as a result of the incident.
Developers Remediate Less Than a Third of Vulnerabilities
Developers are regularly ignoring security issues as they deal with an onslaught of issues from security teams, even as they are expected to release software more frequently and faster than ever before.
In addition, developers fix just 32% of known vulnerabilities, and 42% of developers push vulnerable code once per month, according to Tromzo’s Voice of the Modern Developer Report.
The report, based on a survey of more than 400 U.S.-based developers who work at organizations where they currently have CI/CD tools in place, also found a third of respondents think developers and security are siloed.
Tromzo CTO and co-founder Harshit Chitalia pointed out the top security vulnerabilities of the past few years—Log4j, SolarWinds, Codecov—have all been supply chain attacks.
“This has made AppSec an urgent and top priority for CISOs worldwide,” he said. “In addition, everything as code with Kubernetes, Terraform and so on have made all parts of the development stack part of AppSec.”
From his perspective, the only way this big attack surface can be overcome is with security and development teams working hand in hand to secure the application in every step of the development cycle.
He added developers ignoring security issues is one of the fundamental issues AppSec engineers have with security.
“Security teams put their blood, sweat and tears into finding different vulnerabilities in code through orchestrating scanners and manual testing,” he said. “After all the work, seeing the issue on Jira queue for months is disappointing and quite frustrating.”
Fighting Friction
On the other hand, he pointed to developers who are now asked not only to develop features and fix bugs but also look at DevOps, performance and security of their applications.
“This leads to friction in priorities and, if unresolved, leads to unhappy employees,” he said. “The C-suite is very much aware of this problem, but they are stuck with security tools which are not created for developers. As application security is going through a big transformation, we believe the tooling will also shift.”
He explained there were several concerning findings from the survey but that two, in particular, stood out.
The first thing Chitalia found deeply concerning was the fact that 62% of developers are using 11 or more application security tools.
He said application security has evolved in recent years with AppSec teams now responsible for source-code analysis, DAST, bug bounty, dependency, secrets scanning, cloud scanning and language-specific scanners.
“This means developers are constantly fed information from these tools without any context and they have to triage and prioritize the workload these tools generate for them,” he said.
The second big worry was the fact that a third of vulnerabilities are noise.
“If someone told you that a third of the work you did needs to be thrown away every single day, how would you feel about that?” he asked. “But that’s the current state of application security.”
Nordex Group, one of the largest manufacturers of wind turbines, was hit by a cyberattack that forced the company to shut down part of its infrastructure.
Nordex Group, one of the world’s largest manufacturers of wind turbines, was the victim of a cyberattack that forced the company to take down multiple systems.
The attack was uncovered on March 31 and the company immediately started its incident response procedure to contain the attack.
Nordex Group shut down “IT systems across multiple locations and business units” as a precautionary measure to prevent the threat from spreading across its networks.
“On 31 March 2022 Nordex Group IT security detected that the company is subject to a cyber security incident. The intrusion was noted in an early stage and response measures initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units.” reads the announcement published by the company. “The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure.”
Nordex did not disclose technical details of the cyberattack, but the fact that it was forced to shut down part of its IT infrastructure suggests that it fell victim to a ransomware attack.
According to the press release, customers, employees, and other stakeholders may be affected by the shutdown of the company’s systems.
Nordex did not disclose technical details of the cyberattack, but the fact that it was forced to shut down part of its IT infrastructure suggests that it felt victim to a ransomware attack.
In November another manufacturer of wind turbines was hit by a cyber attack, it was the Danish wind turbine giant Vestas Wind Systems. The company was hit by the Lockbit 2.0 ransomware gang than published stolen data in December after the negotiation for the ransomware payment failed.
Just over a quarter-century ago, the first Chief Information Security Officer (CISO) was minted in the financial vertical, and everyone lived happily ever after. The End.
If only this story was that simple and straightforward! The CISO role has never been cut-and-dry. Despite its longevity, this role is still in its adolescence – full of promise, mostly headed in the right direction, but not quite fully formed.
If you’re a CISO today, or have worked for or watched one from afar, you have felt the reality of the goalposts continually shifting over time, and you have experienced some of the tough questions that may not yet be answered. Where should the CISO report for maximum effect? How does the CISO gain that valuable seat at the executive table, and a regularly scheduled time slot every quarter in front of the board? Is it possible that broad technical competency may be superior to deep technical expertise for this C-level role? And if you are the CISO who thought you signed up for an IT-centric, inward-facing role, I have a few nation-state and cybercriminal actors to introduce to you.
But there are several other less obvious roles that the CISO should consider taking on to help the organization reach its goals, whether its customers are external or internal.
The CISO as brand enabler
Quantifying the value of a corporate brand is tough. But it’s clear that your organization’s brand is as much an asset as the devices and networks that the CISO is charged with protecting – in fact, the brand may be your organization’s largest single asset. A recent Forbes/MASB report states that brand assets drive approximately 20% of enterprise value on average. Doesn’t that sound like something worth protecting?
Yes, the creation and growth of the brand is typically the responsibility of the marketing organization and the CMO (chief marketing officer). But it’s not unusual for marketing to feel like it’s outracing the other business functions, including the CISO, and they are anxious for everyone to “catch up” and join them. The CISO can act as a useful counterweight to help marketing achieve its goals safely, in good times and bad. For example, isn’t it important to fully coordinate a breach response between these two groups in a way that best preserves the value of your brand? Those brands that emerge out of a high-profile information security incident stronger don’t get there by accident.
This is a missed opportunity in many organizations. When was the last time your CISO and CMO sat down alone to discuss each other’s long-term initiatives? And no, the sometimes recurring conversation between these two parties about how the marketing team is leveraging shadow IT doesn’t count here.
The CISO as customer advocate
If the CISO is considered an inward-facing resource only, your organization may be leaving some significant value on the table. Is your CISO considered and leveraged as an extended member of your customer-facing teams? There is often nothing more compelling to a prospect or a customer than the opportunity to hear from a true CISO practitioner about her experiences in the industry around a common challenge.
Another way to bring the CISO closer into the customer orbit: you have some customers who due to their size or potential are at the very top of your essential, must-not-lose list. Your CISO may be more than willing to act as an executive sponsor for the overall relationship between the two organizations. This is a great way to cement that bond with your truly key and strategic customers. You may also discover that same hugely important customer is willing to share details with the CISO that would never be shared with the sales team.
The CISO as product visionary
In many ways, your CISO may be an ideal prospect, a research partner, and a sounding board for new products, services or features your organization plans to introduce. Think about all the angles a CISO deals with every day: B2B connections and data flowing amongst third parties; identifying and securing B2C data and connectivity; monitoring an infrastructure round the clock to recognize and remediate tactical, strategic and regulatory risks; signing off on your organization’s ISO 27001 certification or SOC 2 attestation, and more!
For bonus points, if you are that CISO of today or the aspirational CISO of tomorrow, don’t settle for approaching your job solely in pursuit of how to best secure your organization – ask yourself how you can make your own customers more secure. Sometimes a new feature or service might pop out from that alternative angle, from a perspective that only the CISO can see.
Whether you are the CISO or are a colleague of the CISO, think outside the box. CISOs can absolutely be leveraged in these and other non-traditional roles, to the greater benefit of your organization.
ISO 27701 specifies the requirements for establishing, implementing, maintaining, and continually improving a PIMS (privacy information management system).
Compliance with ISO 27701 shows customers and stakeholders that your organization takes privacy legislation seriously. ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing data security practices to achieve complete coverage of data security and privacy management.
If you are already an ISO 27701 expert, have you considered developing your career as an auditor? ITG Certified ISO 27701 PIMS Lead Auditor Training Course teaches you how to extend an ISO 27001 audit program and conduct a PIMS audit against ISO 27701.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
The Spring4Shell issue was disclosed last week, it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.
The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.
The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting its account (helloexp).
This week VMware has published security updates to address the Spring4Shell flaw, according to the virtualization giant, the flaw impacts many of its cloud computing and virtualization products.
The flaw impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.
Spring4Shell impacts VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
The exploitation of this flaw could allow a remote attacker to execute arbitrary code on vulnerable systems. Researchers from Palo Alto Networks’ Unit42 and Akamai have observed the issue being exploited in the wild to deploy malicious code.
CISA also added CVE-2022-22675, CVE-2022-22674, CVE-2021-45382 flaws to its catalog. The four vulnerabilities added to the catalog have to be addressed by federal agencies by April 25, 2022.
Boffins devised a new attack technique, dubbed Brokenwire, against the Combined Charging System (CCS) that could potentially disrupt charging for electric vehicles.
A group of researchers from the University of Oxford and Armasuisse S+T has devised a new attack technique, dubbed Brokenwire, against the popular Combined Charging System (CCS) that could be exploited by remote attackers to disrupt charging for electric vehicles.
The Combined Charging System (CCS) is one of the most widely used DC rapid charging technologies for electric vehicles (EVs).
The attack aims at interrupting the control communication between the vehicle and charger, causing the disruption of charging sessions.
“The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.” reads the post published by the academics. “In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it.”
The researchers demonstrated that the Brokenwire attack can be conducted from a distance of as far as 47m (151ft). Experts pointed out that the interruption of the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences.
The experts did not disclose details about the attack technique to prevent attacks in the wild.
The researchers published a video PoC of the attack showing their technique in action.
Let me close with a couple of Questions from FAQ published by the researchers:
I have a charger at home, can someone stop my car from charging?
Probably not. Most likely your home charger uses AC charging and a different communication standard (IEC 61851), so won’t be affected. This might change in the future though, with home chargers getting ISO 15118 support.
Can Brokenwire also break my car?
We’ve never seen any evidence of long-term damage caused by the Brokenwire attack. Based on our development work, we also have good reason to expect there isn’t any.
In March, we discovered 88 publicly disclosed cyber security incidents, accounting for 3,987,593 breached records.
That brings the total number of breached records in the first quarter of 2022 to 75,099,482. We’ll be providing more stats from Q1 2022 in our quarterly review of cyber security incidents, which will be published on our website in the coming days.
Be sure to check our blog to find that article, or subscribe to our Weekly Round-up to make sure you get the latest content delivered straight to your inbox.
Meanwhile, you can find the full list of cyber attacks and data breaches for March 2022 below.
List of data breaches and cyber attacks in March 2022 – 3.99 million records breached
In March, we discovered 88 publicly disclosed cyber security incidents, accounting for 3,987,593 breached records.
That brings the total number of breached records in the first quarter of 2022 to 75,099,482. We’ll be providing more stats from Q1 2022 in our quarterly review of cyber security incidents, which will be published on our website in the coming days.
Be sure to check our blog to find that article, or subscribe to our Weekly Round-up to make sure you get the latest content delivered straight to your inbox.
Meanwhile, you can find the full list of cyber attacks and data breaches for March 2022 below.
Wyze Cam devices are affected by three security vulnerabilities that can allow attackers to takeover them and access camera feeds.
Bitdefender researchers discovered three security vulnerabilities in the popular Wyze Cam devices that can be exploited by threat actors to execute arbitrary code and access camera feeds.
The three flaws reported by the cybersecurity firm are:
A stack-based buffer overflow, tracked as CVE-2019-12266, which could lead to remote control execution.
An unauthenticated access to contents of the SD card
A remote attacker could exploit the CVE-2019-9564 flaw to take over the device, including turning on/off the camera.
An attacker could chain the above issue with the CVE-2019-12266 flaw to access live audio and video feeds.
The flaws were reported to Wyze in May 2019, the company addressed the CVE-2019-9564 and CVE-2019-12266 flaws in September 2019 and November 2020, respectively.
The vendor addressed the unauthenticated access to the content of the SD card with the release of firmware updates on January 29, 2022.
According to the experts, there are 3 version of Wyze Cam devices on the market and the first one has been discontinued and will not receive security updates to address the flaws.
“The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes.” reads the report published by the security firm. “Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited.“
Bitdefenders also provided the following recommendations to prevent attacks against IoT devices:
“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” reads the post. “This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”
