InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.
Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. Attacks have consisted of multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.
Researchers at Stairwell followed up on an initial report from South Koreaâs NK News, which revealed that a North Korean APT known as APT37 had stolen info from the private computer of a former South Korean intelligence official. The threat actorâalso known as Ricochet Collima, InkySquid, Reaper or ScarCruftâattempted to impersonate NK News and distributed what appeared to be a novel malware in an attempt to target journalists who were using the official as a source, according to the report.
NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.
âThe Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,â researchers wrote. âThese overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.â
APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.
As Stairwell researchers noted, journalists are âhigh-value targets for hostile governments,â and often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governmentsâ use of the NGO Groupâs Pegasus spyware against journalists, among other targets.
â[Journalists] often are aggregators of stories from many individualsâsometimes including those with sensitive access,â Stairwell researchers wrote. âCompromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.â
Weâre sure youâve heard of the KISS principle: Keep It Simple and Straightforward.
In cybersecurity, KISS cuts two ways.
KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.
For example, most of the phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.
Incorrect logos, incomprehensible grammar, outright ignorance about our online identity, weird spelling errors, absurd punctuation!!!!, or bizarre scenarios (no, your surveillance spyware definitely did not capture live video through the black electrical tape we stuck over our webcam)âŠ
âŠall these lead us instantly and unerringly to the [Delete] button.
If you donât know our name, donât know our bank, donât know which languages we speak, donât know our operating system, donât know how to spell ârespond immediatelyâ, heck, if you donât realise that Riyadh is not a city in Austria, youâre not going to get us to click.
Thatâs not so much because youâd stand out as a scammer, but simply that your email would advertise itself as âclearly does not belong hereâ, or as âobviously sent to the wrong personâ, and weâd ignore it even if you were a legitimate business. (After that, weâd probably blocklist all your emails anyway, given your attitude to accuracy, but thatâs an issue for another day.)
Indeed, as weâve often urged on Naked Security, if spammers, scammers, phishers or other cybercriminals do make the sort of blunder that gives the game away, make sure you spot their mistakes, and make them pay for their blunder by deleting their message at once.
An interesting article published by The Intercept reveals the secretive business of a US surveillance firm named Anomaly Six.
When we speak about the secretive business of surveillance businesses we often refer to the powerful tools developed by Israeli firms like NSO Group and Candiru, but many other firms operates in the shadow like the US company Anomaly Six (aka A6).
According to an interesting analysis published by The Intercept, Anomaly Six is a secretive government contractor that claims to monitor billions of phones worldwide.
While Russia was invading Ukraine in February, two unknown surveillance startups, Anomaly Six and Zignal Labs joined forces to provide powerful surveillance services.
Zignal Labs is a company that provides social media surveillance, combining its analysis with capabilities of A6, the U.S. government was able to spy on Russian the army before the invasion.
âAccording to audiovisual recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, the firm claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the worldâs population.â reads the article published by The Intercept. âThe staggering surveillance capacity was cited during a pitch to provide A6âs phone-tracking capabilities to Zignal Labs, a social media monitoring firm that leverages its access to Twitterâs rarely granted âfirehoseâ data stream to sift through hundreds of millions of tweets per day without restriction.â
The capabilities claimed by the surveillance firm are worrisome, a government contractor can spy on Americans and pass gathered data to the US intelligence agencies.
The source that provided the information on the secretive surveillance firms to The Intercept said that Zignal Labs violated Twitterâs terms of service to gather intelligence, but the company refused any accusation.
A6, unlike other surveillance firms, harvests only GPS pinpoints and data it provides allows to surveil roughly 230 million devices on an average day. A6 is able to access GPS measurements gathered through covert partnerships with âthousandsâ of apps. A6 also claimed to have amassed a huge quantity of information on people, it has gathered over 2 billion email addresses and other personal details for these individuals.
At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI.
The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November.
âThe Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.â reads the flash advisory. âCISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.â
The BlackCat/ALPHV a Ransomware was first discovered in December by malware researchers from Recorded Future and MalwareHunterTeam. The malware is the first professional ransomware strain that was written in the Rust programming language.
BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is âvery sophisticated.
Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.
According to the alert, many of the developers and money launderers for gang are linked to Darkside/Blackmatter operations.
ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims donât pay.
ALPHV is attempting to recruit affiliates for its operations, offering them between 80% and 90% of the final ransom, depending on its value. The BlackCat operations only hit a small number of victims at this time in the USA, Australia, and India.
Ransom demands range from a few hundreds of thousands up to $3M worth of Bitcoin or Monero.
The alert includes indicators of compromise (IoCs) associated with BlackCat/ALPHV, as of mid-February 2022.
The FBI is seeking any information that can be shared related to the operations of the BlackCat ransomware operation.
Below are recommended mitigations included in the alert:
Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized âactionsâ (for example: review the steps each scheduled task is expected to perform).
Review antivirus logs for indications they were unexpectedly turned off.
Implement network segmentation.
Require administrator credentials to install software.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
Use multifactor authentication where possible.
Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
Implement the shortest acceptable timeframe for password changes.
People and data are, arguably, a companyâs two most important resources, and while losing people is a challenge, losing both can be devastating to a businessâs security and competitiveness. This is especially true for security personnel, as they often have unique privileges or access to data and information that other personnel may not. As a result, the Great Resignation has become the âGreat Exfiltration,â as people leaving their jobs may also be taking company data with them.
Considering the Great Exfiltration, it is vital for organizations to create and implement a robust data loss prevention (DLP) strategy during the offboarding process to prevent any destruction or loss of data. This is particularly important with many organizations still working remotely, where the lines between personal and professional devices have become blurred.
That said, there are a few tactics that leaders can keep in mind while employing their DLP strategies during the offboarding process:
When security fails, cyber insurance can become crucial for ensuring continuity.
Cyber has changed everything around us â even the way we tackle geopolitical crisis and conflicts. When Einstein was asked what a war will look like in the future, he couldnât have predicted the importance of digital technology for modern societies.
According to a report by IDC, by the end of 2022, nearly 65% of the global GDP will be digitized â reliant on a digital system of some kind. This shift to digital technology has created a new class of digital risks that are constantly evolving and strike faster and often with more severity than traditional risks. The events of the past two years have made this shift clear: from ransomware attacks to the challenges of managing distributed workforces, digital risk is different.
Our reliance on digital technology and the inherited risk is a key driving factor for buying cyber risk insurance. If the technology were to become unavailable, the resulting business impact could be mitigated with cyber insurance. Even if businesses invest in cybersecurity protections, as they increasingly do, security controls are not impenetrable. When security fails, cyber insurance can become crucial for ensuring continuity.
While traditional insurance has served mainly as a hedge against loss only after an incident, insurance designed for the digital economy needs to look at risk from a different angle, providing value before, during, and after an incident that could lead to a loss. This is essential for all businesses, as the analysis of security incidents that led to claims during 2021 reveals.
Ransom demands continue to increase. The ransomware business model has begun to mature, and the average ransom demand has increased by 20%.
The frequency of other attack techniques also rose as hackers expanded to new tactics. This heralds an era of omnidirectional threat. While ransomware may be the most newsworthy, no attack vector can be ignored.
Small businesses are disproportionately impacted. As attacks become increasingly automated, it has become easier and more profitable for criminals to target small organizations.
âWe are noticing a drastic increase in both likelihood and severity of all types of cyber-attack,â says Isaac Guasch, cyber security specialist at Tokyo Marine HCC International. âWhether you are a small independent business or a large, international organization, the increasingly interconnected nature of the businesses that form our economies, is a key threat. Even if you are confident that your cyber security measures are up to date, those of your partners may not be, so you may need to constantly redefine your perimeter,â Guasch adds.
Evolving global risk environment alters the cyber insurancelandscape
However, not all risks are technology-related. Businesses operate in a hyper-connected environment where turbulences in one part of the world may have dire consequences in many remote markets. Geopolitical conflicts, societal upheavals, and financial cracks may put the stability of the business environment in question.
As digital technology and interconnectedness blur the boundaries with the physical world, it also becomes more difficult to calculate risk and set premiums. However, it is true that in times of global crisis, premiums do increase. For example, the Council of Insurance Agents & Brokers reported in March 2022 an average premium increase of 34.3% for cyber, marking the first time an increase of this magnitude is recorded since the events of 9/11.
As the global risk environment evolves and changes almost every day, the insurance industry needs to evolve as well. This level of evolution should not only cover cyber insurance but other forms of âtraditionalâ insurance. For example, what happens if a facility is damaged or even destroyed because of a cybersecurity incident targeting a connected IoT device? What is the level of risk that each connected OT device exposes critical infrastructure to?
âWith respect to insurance, cyber-attacks are not just affecting cyber liability policies. They are affecting many, if not all policies that are carried by a company,â Rick Toland, executive vice president at Waters Insurance Network, told Industrial Cyber. âFurther, it is difficult to quantify where the cyber loss begins, and the property, automobile, GL, pollution or other policy begins and how the financial responsibility of each insurer will be allocated to pay the resulting loss,â Toland added.
Cyber insurance is not a panacea
Within a flux financial, technological, and geopolitical environment, many businesses, especially small-and-medium ones, tend to rely heavily on cyber insurers for answers to their cybersecurity posture challenges. However, buying cyber insurance cannot become the answer to all their security problems.
Instead, businesses can partner with an experienced managed security services company to guide and counsel them through the actions and best practices that can undertake now to better protect themselves against cyberthreats. Shaping a proactive and holistic cybersecurity strategy will better equip businesses in the event they need to submit a claim for losses or damages resulting from a ransomware attack or similar malicious activity.
Above all, it comes down to the basics. Organizations should start by analyzing the security controls they have in place to ensure adherence to guidelines developed by agencies like CISA, FBI, and ENISA, including multifactor authentication, employing antivirus and anti-malware scanning, enabling strong spam filters, updating software, and segmenting networks. Either way, failure to implement basic cyber hygiene measures is a no-go for buying cyber insurance.
About the author: Viral Trivedi
Viral Trivedi is the Chief Business Officer at Ampcus Cyber Incâa pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, strategic accounts, and customer relationship management. He specializes in all aspects of managed security services, in both hands-on, and advisory roles. Viral has also held executive and senior management positions with small, and large organizations, and is also a Smart Cities & Critical Infrastructure Professional, as well as an active member of Infragard.
Threat intelligence firm Resecurity details how crooks are delivering IRS tax scams and phishing attacks posing as government vendors.
Cybercriminals are leveraging advanced tactics in their phishing-kits granting them a high delivery success rate of spoofed e-mails which contain malicious attachments right before the end of the 2021 IRS income tax return deadline in the U.S. April 18th, 2022 â there was a notable campaign detected which leveraged phishing e-mails impersonating the IRS, and in particular one of the industry vendors who provide solutions to government agencies which including e-mailing, digital communications management, and the content delivery system which informs citizens about various updates.
Cybercriminals purposely choose specific times when all of us are busy with taxes, and preparing for holidays (e.g., Easter), thatâs why you need to be especially careful during these times.
The IT services vendor actors impersonated is widely used by major federal agencies, including the DHS, and other such WEB-sites of States and Cities in the U.S. The identified phishing e-mail warned the victims about overdue payments to the IRS, which should then be paid via PayPal, the e-mail contained an HTML attachment imitating an electronic invoice.
Notably, the e-mail doesnât contain any URLs, and has been successfully delivered to the victimâs inbox without getting flagged as potential spam. Based on the inspected headers, the e-mail has been sent through multiple âhopsâ leveraging primarily network hosts and domains registered in the U.S.:
Itâs worth noting, on the date of detection none of the involved hosts have previously been âblacklistedâ nor have they had any signs of negative IP or abnormal domain reputation:
Kaspersky discovered a flaw in the encryption process of the Yanluowang ransomware that allows victims to recover their files for free.
Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that can be exploited to recover the files encrypted by the malware without paying the ransom.
The Yanluowang ransomware was first spotted by researchers from Symantec Threat Hunter Team in October 2021, the malware was used in highly targeted attacks against large enterprises.
The discovery is part of an investigation into an attempted ransomware attack against a large organization.
Kaspersky implemented the decrypting process for the Yanluowang ransomware in its RannohDecryptor tool. In order to decrypt their files, victims of this family of ransomware should have at least one original file.
âKaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack.â reads the post published by the company.
The Yanluowang ransomware uses different encryption routines depending on the size of the files.
Files greater than 3GB using are partially encrypted in stripes, 5MB after every 200MB, while files smaller than 3GB are completely encrypted from beginning to end.
For this reason, to decrypt files the following conditions must be met:
To decrypt small files (less than or equal to 3 GB), users need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
To decrypt big files (more than 3 GB), users need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.
âBy virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.â continues the post.
The Symantec researchers noticed the use of the legitimate AdFind command line Active Directory query tool that is often abused by ransomware operators as a reconnaissance tool.
Before being deployed on compromised devices, the attackers launch a malicious tool designed to prepare the environment with the following actions:
Creates a .txt file with the number of remote machines to check in the command line
Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file
Logs all the processes and remote machine names to processes.txt
The analysis of the samples collected by the experts revealed that the Yanluowang ransomware uses the Windows API for encryption.
Upon deploying the Yanluowang ransomware, it will stop hypervisor virtual machines, end all processes logged by the above tool (including SQL and back-up solution Veeam), then it will encrypt files. The ransomware appends the .yanluowang extension to the filenames of the encrypted files.
The ransom note (README.txt) dropped on the infected machine warns the victims not to contact law enforcement or ask ransomware negotiation firms for help. The ransomware operators will launch distributed denial of service (DDoS) attacks against the victim if it will not respect their rules. The ransomware operators also threaten to make calls to employees and business partners to damage the brand reputation of the victims, along with targeting again the victim in a few weeks and delete its data.
Ransomware is a type of malicious program that demands payment after launching a cyber attack on a computer system. This type of malware has become increasingly popular among criminals, costing organizations millions each year.
Security experts recognise that ransomware is one of the fastest-growing forms of cyber attack. Its prevalence and reach was emphasised when WannaCry, and more recently, NotPetya, exploited a flaw in Microsoftâs SMB software and spread rapidly across networks, locking away files.
For a quick guide to ransomware and what you can do to protect your business, download our free infographic.
Researchers reported that threat actors leveraged a new zero-click iMessage exploit to install NSO Group Pegasus on iPhones belonging to Catalans.
Researchers from Citizen Lab have published a report detailing the use of a new zero-click iMessage exploit, dubbed HOMAGE, to install the NSO Group Pegasus spyware on iPhones belonging to Catalan politicians, journalists, academics, and activists.
The previously undocumented zero-click iMessage exploit HOMAGE works in attacks against iOS versions before 13.2.
The experts speculate the HOMAGE exploit was used since the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.
The experts at the Citizen Lab, in collaboration with Catalan civil society groups, have identified at least 65 individuals targeted or infected with spyware. 63 of them were targeted or infected with the Pegasus spyware, and four others with the spyware developed by another surveillance firm named Candiru. The researchers reported that at least two of them were targeted or infected with both surveillance software.
Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations, the threat actors also targeted family members.
The researchers also noticed that the content used in the bait SMS messages suggests access to targets personal information, including the Spanish governmental ID numbers.
âWith the targetsâ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections. Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.â reads the report published by Citizen Lab.
âWe are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.â
This isnât the first time that Catalans were targeted by the NSO Group Pegasus Spyware, Citizen Lab has previously reported âpossible cases of domestic political espionageâ after detecting infections with the popular surveillance software. Multiple Catalans were targeted with Pegasus through the 2019 WhatsApp attack, at the time the spyware leveraged exploits for theÂ
CVE-2019-3568
 vulnerability.
The Citizen Lab doesnât explicitly attribute the attacks to a specific threat actor, but the nature of the targets suggests a link with Spanish authorities. All the targets were of interest to the Spanish government and experts pointed out that the specific timing of the targeting matches events of specific interest to the Spanish government.
âWhile we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.â concludes the report.
Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will âreestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.â
This is encouraging news. As The National Law Review pointed out, the EU had concerns about the protection of their citizensâ data from U.S. government surveillance. But it may also be the push needed to advance greater data privacy protections in America.
âThe joint statement references the U.S. putting in place ânew safeguardsâ to ensure that intelligence activities are ânecessary and proportionateâ, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available,â said Stephen Bailey of NCC Group in an email comment.
Data Privacy and AppSec
The world runs on apps, so it is necessary to look at how the Trans-Atlantic Data Privacy Framework will impact app development and app security.
âFor application developers, the single biggest challenge to complying with increasingly rigorous data protection frameworks is getting control of their data, particularly sensitive and personally identifiable information,â explained Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance.
Today, every new app, whether bought or built, traps data in a silo, which can only be connected through the exchange of copies or point-to-point data integration.
âThese copies make it incredibly difficultâand in some cases, even impossibleâto support GDPR outcomes like ubiquitous data access controls, portability, custodianship, deletion (the right to be forgotten) and precision auditability: Things that could potentially, although theyâre unlikely to, be included in the post-Privacy Shield framework. But they are definitely looming on the horizon both internationally and domestically, for example, in California and Utah,â said McLellan.
As data privacy frameworks become more common and we begin to see more joint efforts internationally, organizations have to think about how they share and store data in the future, taking compliance requirements into greater consideration.
Organizations need to get more serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage, McLellan says. They should be exploring ways now to eliminate data silos and copies that have resulted in rampant data proliferation.
No Quick Fixes
But, as McLellan pointed out, there are no quick fixes. Unwinding years of âan app for everything and a database for every appâ mantra will be difficult, and McLellan believes this is best approached in two stages.
Stage One: Immediately treat the symptoms of data proliferation by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent. âThey should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps (e.g. Google Analytics), over which they have no control,â McLellan explained. âOrganizations should also adopt processes and workflows that help them establish âpurpose-basedâ data access requests.â
Stage Two: Organizations should explore ways to address the root causes of data proliferation. Everyone within the organizationâs technology teamsâCIO, CDO, application development, data and IT teamsâshould familiarize themselves with emerging frameworks like zero-copy integration, a framework that is on track to become a national standard in Canada.
âItâs the evolution of privacy-by-design and signals the beginning of the end for application-specific data silos and copy-based data integration. Such frameworks are made possible by new categories of technology, including data fabrics, dataware and blockchain that support âzero copyâ digital innovation. Many leading organizations, particularly in finance and health care, are already ahead of the curve in adopting this approach,â said McLellan.
Data protection regulations at home and abroad reflect a burgeoning global trend toward citizens and consumers gaining greater control and ownership of data as its rightful owner.
âThese regulatory shifts,â said McLellan, âwill need to be met by an equally significant shift in how U.S. businesses manage data and build new applications if thereâs any hope to comply with new laws as theyâre passed.â
Itâs easy to see why: it may be exploited by unauthenticated, remote attackers to breach systems and by attackers that already have access to a system and want to hop on others on the same network. It can also be exploited without the vulnerable systemâs user doing anything at all (aka âzero-clickâ exploitation).
About CVE-2022-26809
CVE-2022-26809 is a remote code execution vulnerability in Microsoft Remote Procedure Call (RPC) runtime and affects a wide variety of Windows and Windows Server versions.
âTo exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service,â Microsoft said and advised admins to:
Block TCP port 445 at the enterprise perimeter firewall (but be aware that this does not protects systems from attacks from within the enterprise perimeter), and
This mention of SMB is probably what triggered some initial nervousness with security defenders, as it resurfaced bad memories related to the global WannaCry outbreak, which used the EternalBlue exploit to take advantage of vulnerabilities in Microsoft Windows SMB Server.
The infosec community worries about a functional proof-of-concept (PoC) exploit being released publicly soon and making the situation bad for enterprise defenders. There has been some topical online trolling and scam offers, but no PoC yet â and no evidence of covert exploitation.
Mitigation and detection
In the meantime, infosec experts have been augmenting Microsoftâs initial risk mitigation advice with their own:
CVE-2022-26809 Yes, blocking 445 at your network perimeter is necessary but not sufficient to help prevent exploitation. If by April 2022 you STILL have SMB exposed to the broader internet you've got some soul searching to do. Now, about those hosts already inside your network… pic.twitter.com/jS8fPrv8E2
Please remember: Port 445 is just ONE of the ports that may reach #RPC (CVE-2022-26809) on Windows. #MSRPC does Port 135 (and high port) or in some cases HTTP as well. Don't "close some ports" but "only open ports you need open". #allowlist#dontblocklist
Akamai researchers have shared their own analysis of Microsoftâs patch, which provides additional insight about the origin of the flaw, and Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, published a post summarizing the dangerÂ
CVE-2022-26809
 poses and reiterated that patching is the only real fix for this vulnerability.
âYou canât âturn offâ RPC on Windows if you are wondering. It will break stuff. RPC does more than SMB. For example, you canât move icons on the desktop if you disable RPC (according to a Microsoft help page),â he explained, and noted that exploitation detection may be hard.
âI have no idea when we will see a working exploit, but I hope we will have until next week,â he concluded.
Editorâs Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. âI had no success really,â said its founder, who goes by the online moniker smelly_vx.
But over the last couple of years, the siteâs popularity has soared thanks in part to its robust Twitter presence that mixes breaking cybersecurity news with memes. The site now bills itself as âthe largest collection of malware source code, samples, and papers on the internet,â with about 35 million samples overall.
vx-undergound operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the siteâs goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.
Dmitry Smilyanets: I would like to start from the very beginning â please introduce yourself.
smelly_vx: Hi. I am âsmelly__vxâ. I am the creator of vx-underground and the guy who runs/maintains a good portion of vx-undergroundâs website and the vx-underground Twitter account.
I am in my early 30s. I have a wife. I have a dog. I donât think I can say anything else which is interesting or important.
DS: Tell me about the siteâs background â how did it start, how did you build it into what it is today?
VX: About vx-underground â it was created to act as the successor to the legendary vxHeaven (created by the Ukrainian dude herm1t). When I was a teenager I discovered vxHeaven and learned tons from it. It was an invaluable asset. Around 2017 or so, when I was a software engineer, I got tired of writing malware (as a hobbyist) by myself.
I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, âWell, if you miss it so much, why donât you make your own?â I thought this was a good idea â why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development, I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts, I had been a âlone wolfâ for nearly a decade at this point â I was a ânobody.â However, I decided this shouldnât be a restraining factor so I bought some random bullshit hosting, purchased the domain name âvx-undergroundâ and got to work.
I officially made vx-underground in May 2019. I had no success really, I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.
Unsurprisingly, in October 2019, vx-underground was banned from a lot of web hosts. I had places which housed neo-Nazis, pornography, and gambling, deny my hosting.
Nobody wanted to house malware samples, the only way I was going to get the ability to house malware samples was if I had become a company, and did paperwork and all sorts of bullshit. I did not like this idea. Luckily, and to my surprise, the people over at ThugCrowd introduced me to a group of people behind TCP.DIRECT. They also liked the idea of a new vxHeaven, as the main group of people behind it also had been on the vxHeaven forums ages ago. They assisted me with hosting, handling the web security, etc. This was very beneficial for me because, as TCP.DIRECT will confirm, I am a complete idiot with anything system administrative/web security related.
Following this introduction to TCP.DIRECT, vx-underground had essentially zero restraint. I was able to upload malware samples, malware papers, malware source code, etc. as much as I liked. The only thing I had to do then was add content and be consistent. Along the way I met a guy from the [Commonwealth of Independent States], Neogram, who assisted me with Russian translations and giving me a (metaphorical) tour of the CIS malware scene. This expanded my horizon and gave vx-underground better insight into current malware trends.
All of this happened very quickly, this âstoryâ encapsulates what happened between August 2019 and December 2019.
DS: What are your mission and goals?
VX: I donât know. vx-underground is a library, our goal is basically to⊠collect malware samples, papers, and code? It exists and that is it. The closest thing to a âgoalâ we have is simple: âmore papers, more samples, more code.â It is as simple as that.
DS: Are you financially motivated? How do you monetize your work? Is it lucrative?
VX: No, we are not financially motivated. vx-underground is fueled by passion and love for the âgame.â In 2021 vx-underground made $13,000 all from donations. Every time I tell people vx-underground does not make money I am always greeted with shock and surprise. It appears people are unable to comprehend someone would do something for passion rather than financial gain. This is disappointing.
vx-underground is now in the process of becoming a non-profit. We will be a 501(c)(3) non-profit educational institute for computer malware education, literacy, and advancement (offensively and/or defensively).
Cybersecurity experts would have you believe that your organizationâs employees have a crucial role in bolstering or damaging your companyâs security initiatives.
While you may disagree, data breach studies show that employees and negligence are the most typical causes of security breaches, yet these prevalent issues are least discussed.
According to a recent industry report from Shred-It, an information security provider, 47% of top business executives believe that employee error, such as the inadvertent loss of a device or document, has resulted in a data breach within their company. According to another study by CybSafe, human errors have been responsible for over 90% of data breaches in 2020.
Itâs no secret that companies of all sizes increasingly feel the sting of cybercriminals exploiting vulnerabilities in remote and hybrid working environments. However, little to no effort is made toward strengthening defenses. Now is the moment to train your personnel on security best practices, if you havenât already.
As a result of inadequate security measures, customers have long suffered the most. However, the stakes for employees and their businesses are higher than ever this year. Experian predicts 2022 will be a hangover from the âcyberdemicâ of 2021, making it crucial to stay ahead by designing a cybersecurity training program for employees and strengthening defenses.
Developing a cybersecurity training program requires knowing where the blind spots are. While there are numerous approaches to promoting a more cyber secure workplace, here are the most common and effective ways:
Trick Employees via a Phishing Campaign
You can test your employeesâ ability to distinguish authentic email content from fraudulent attachments by mass spear-phishing them. Employees who fall for the phishing email are the ones you need to be extra careful about.
They might be the ones that eventually end up disclosing a companyâs valuable digital assets. Once you have the data, you may measure the entire risk to your network and build remedies from there using custom reporting metrics.
Customize Your Security Training
All employees, irrespective of their designation or job role, should be a part of the security training. However, employees who fell for the spear-phishing campaign are the ones you need to observe and invest your security training into.
When delivering cybersecurity training, stress the importance of the training as an exercise that can also be applied elsewhere. Employees will be more inclined to utilize secure procedures at work if they do so at home on their computers and phones.
Incentivize the Security Training
Nothing motivates an employee more than being rewarded for their performance. Set up metrics and determine the level of participation, enthusiasm, and cybersecurity knowledge an employee obtains via quizzes or cross-questions. Employees who follow best practices should be rewarded, and others should be encouraged to improve their cybersecurity habits.
Cover Cybersecurity Topics
Engage your employees by introducing cybersecurity topics and certifications. Employees new to the cybersecurity realm would greatly benefit from relevant courses and learnings that might augment their skills and shine bright on their resumes.
Social media platforms are riddled with short instructional videos, which can be a great source of learning for those struggling to complete cybersecurity courses and manage work simultaneously.
Introduce Data Privacy Laws
Data privacy laws have been here for a while. However, they have recently received recognition after the EU introduced the General Data Protection Regulation (GDPR) in 2016, which came into force in 2018.
Most employees donât know much about data protection laws or donât know them altogether. Itâs crucial to educate employees regarding existing and upcoming data protection laws and how they impact the business. According to MediaPro, a multimedia communications group, 62% of employees were unsure if their company must comply with the California Consumer Privacy Act (CCPA).
Integrating data privacy laws and regulations within cybersecurity training is crucial. While employees do not need to be compliance specialists, they should have a fundamental understanding of their companyâs privacy policies, data handling procedures, and the impact of data privacy laws on their organization.
Address Security Misconceptions
Massive data breaches and ingenious hackers have muddied the waters of what is and isnât possible when carrying out a cyberattack, making it challenging for novice security personnel to tell the difference between facts and made-up security misunderstandings.
Lack of understanding and misconceptions make matters worse as employees tend to become too concerned about non-existent or misunderstood risks while being less concerned about real ones. That begs the question: Are employees taking cybersecurity seriously, or will they be a liability rather than an asset?
To move forward, begin by designing a survey that starts with the basic cybersecurity knowledge and distributing it across the organization. The survey could contain questions such as:
What is cybersecurity,
Why is cybersecurity important,
Do employees lock their devices and keep strong alphanumeric passwords for online accounts,
Do employees connect to a secure WIFI network provided by the company, etc.
The results will demonstrate the current knowledge base within the organization and whether the employees take cybersecurity seriously.
While discovering the loopholes within your organization is one thing, developing a cybersecurity training program specifically tailored to patch those vulnerabilities might not be enough. Not only this, keep a strategy that focuses on zero-day attacks to avoid any damages. As an individual entrusted with developing a training program, you should know that you need a long-term solution to the existing problem.
Humans have always been the weakest link in the cybersecurity chain, and human errors will only escalate despite the depth of training given. That leaves organizations in a tough spot and struggling to meet compliance requirements.
Understand the Consequences of Inadequate Security Training
Training just for the sake of training will not benefit anyone. Employees need to dedicate their hearts and minds to the training, and continuous sessions should take place so that employees always stay current with the latest happenings and privacy frameworks. Poor training may further confuse employees, which may also draw additional dangers.
With Securiti data privacy automation tools, you can reduce or eliminate reliance on employees and move towards a more modern and error-free framework.
With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company â Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.
Gone are the days when phones were only used to make phone calls and send text messages; nowadays, smartphones are more akin to a pocket-sized version of a high-functioning microcomputer that can perform a wide range of functions aside from communications. Android phones are essentially a sub-category of smartphones with installed Android operating systems, allowing their features to function effectively. Today, virtually everybody owns a smartphone, especially the prevalent android versions. More advanced versions of these phones are released yearly with newer innovations and improved operating systems to enhance user experience. Itâs simply a cutting-edge technology that we canât get enough of.
Nowadays, Android phones are quickly becoming a must-have gadget because they are used to perform virtually all everyday functions, from communication, advertising, and marketing to entertainment. They also serve as a means of accessing information through social media and can be used for a wide variety of other functions like taking high-quality pictures, watching movies, typing documents, etc.
Overall, technology has truly revolutionized our daily lives, and the introduction of smartphones made it easier and faster for us to access information and communicate with greater ease. However, aside from the numerous conventional functions that we use our android phones for, there is a long list of hidden features, tricks, shortcuts, and quick hacks that you can take advantage of with your Android phone.
In this article, we will discuss some of the Android tips and tricks for getting the most from your phone.
The US government agencies warned of threat actors that are targeting ICS and SCADA systems from various vendors.
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) to warn of offensive capabilities developed by APT actors that could allow them to compromise multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
Schneider Electric programmable logic controllers (PLCs),
OMRON Sysmac NEX PLCs, and
Open Platform Communications Unified Architecture (OPC UA) servers.
According to the advisory that was issued with the help of leading cybersecurity firms (Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric), nation-state hacking groups were able to hack multiple industrial systems using a new ICS-focused malware toolkit dubbed PIPEDREAM that was discovered in early 2022.
âAPT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devicesâ reads the advisory.
âThe APT actorsâ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.â
The toolkit could allow to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
Threat actors can also leverage a tool to install and exploit a known-vulnerable ASRock-signed motherboard driver (âAsrDrv103.sysâ) by triggering the CVE-2020-15368 flaw to execute malicious code in the Windows kernel. The tool could be used to perform lateral movements within an IT or OT environment and interfere with devicesâ operation.
Researchers from Dragos shared a detailed analysis of the new PIPEDREAM toolkit confirming that it has yet to be employed in attacks in the wild.
âPIPEDREAM is the seventh known ICS-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.â reads the report published by Dragos. âDragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects. This is a rare case of accessing and analyzing malicious capabilities developed by adversaries before their deployment and gives defenders a unique opportunity to prepare in advance.â
Mandiant, which tack the toolkit as INCONTROLLER, also published a detailed analysis warning of its dangerous cyber attack capability.
âThe tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.â reads the analysis published by Mandiant. âINCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017;â
The joint report also included the following recommendations for all organizations with ICS/SCADA devices:
Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
Limit ICS/SCADA systemsâ network connections to only specifically allowed management and engineering workstations.
Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
Implement robust log collection and retention from ICS/SCADA systems and management subnets.
Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISAâs open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
Ensure all applications are only installed when necessary for operation.
Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system.
This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector.
Open source is everywhere, itâs in everything, and everyone is using it. It is safe to say that almost any solution with a web server or a web client uses open source.
The alternative to leveraging the knowledge and experience of open source implementations is to write software from scratch, but âreinventing the wheelâ can be costly â both in terms of resources and time.
Open source offers a competitive advantage and itâs mostly free, but in 40 years, a solid, sustainable model to support the majority of open source projects still hasnât been found.
China-linked Hafnium APT group started using a new piece of new malware to gain persistence on compromised Windows systems.
The China-backed Hafnium cyberespionage group is likely behind a piece of a new malware, dubbed Tarrask, thatâs used to maintain persistence on compromised Windows systems, reported Microsoft Threat Intelligence Center (MSTIC) experts.
HAFNIUM primarily targets entities in the United States across multiple industries, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.
Microsoft Threat Intelligence Center (MSTIC) highlighted the simplicity of the technique employed by the Tarrask malware that creates âhiddenâ scheduled tasks on the system to maintain persistence.
Tarrask creates new registry keys upon the creation of a new task:
âThe first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.â reads the post published by Microsoft.
In the attack analyzed by Mcirosoft, the nation-state actors created a scheduled task named âWinUpdateâ via HackTool:Win64/Tarrask to re-establish any dropped connections to the C2 servers.
The attackers deleted the [Security Descriptor] value within the Tree registry path. The security descriptor (SD) defines access controls for running the scheduled task.
The trick consists of erasing the SD value from the Tree registry path to make the task hidden from the Windows Task Scheduler or the schtasks command-line utility. The only way to see the tack is to manually examine the Registry Editor.
The experts pointed out that executing a âreg deleteâ command to delete the SD value will result in an âAccess Deniedâ error even when run from an elevated command prompt. The only way to delete the SD value is to execute the command within the context of the SYSTEM user. For this reason, the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process.
âThe attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.â concludes the report. âAs such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.â
