InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Wyze Cam devices are affected by three security vulnerabilities that can allow attackers to takeover them and access camera feeds.
Bitdefender researchers discovered three security vulnerabilities in the popular Wyze Cam devices that can be exploited by threat actors to execute arbitrary code and access camera feeds.
The three flaws reported by the cybersecurity firm are:
A stack-based buffer overflow, tracked as CVE-2019-12266, which could lead to remote code execution.
Unauthenticated access to the contents of the SD card.
A remote attacker could exploit the CVE-2019-9564 flaw to take over the device, including turning on/off the camera.
An attacker could chain the above issue with the CVE-2019-12266 flaw to access live audio and video feeds.
The flaws were reported to Wyze in May 2019; the company addressed the CVE-2019-9564 and CVE-2019-12266 flaws in September 2019 and November 2020, respectively.
The vendor addressed the unauthenticated access to the content of the SD card with the release of firmware updates on January 29, 2022.
According to the experts, there are three versions of Wyze Cam devices on the market; the first one has been discontinued and will not receive security updates to address the flaws.
“The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes.” reads the report published by the security firm. “Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited.”
Bitdefender also provided the following recommendations to prevent attacks against IoT devices:
“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” reads the post. “This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”
The following conversation about reviewing a SOC 2 report is one to avoid.
Potential Customer: “Hi Vendor Co., do you have a SOC 2?”
Vendor Co. Sales Rep: “Yes!”
Potential Customer: “Great! We can’t wait to start using your service.”
The output of a SOC 2 audit isn’t just a stamp of approval (or disapproval). Even companies that have amazing cybersecurity and compliance programs have a full SOC 2 report written about them by their auditor that details their cybersecurity program. SOC 2 reports facilitate vendor management by creating one deliverable that can be given to customers (and potential customers) to review and incorporate into their own vendor management programs.
Vendor security management is an important part of a company’s cybersecurity program. Most mature organizations’ process of vendor selection includes a vendor security review – a key part of which includes the review of a SOC 2 report.
SOC 2 reports can vary greatly in length but even the most basic SOC 2 report is dense with information that can be difficult to digest, especially if you aren’t used to reading them. This article will teach you how to read a SOC 2 report by providing a breakdown of the report’s content, with emphasis on how to pull out the important parts to look at from a vendor security review perspective.
Please note that you should not use this as a guide to hunt and peck your way through a SOC 2 report. It is important to read through the entire report to gain a full understanding of the system itself. However, this should help draw attention to the particular points of interest you should be looking out for when reading a report.
Many different auditing firms perform SOC 2 audits; some reports may look a little different from others, but the overall content is generally the same.
How to read a SOC 2 report: the Cover Page
Even the cover page of a SOC 2 report has a lot of useful information. It will have the type of SOC 2 report, date(s) covered, the relevant trust services criteria (TSC) categories, and the auditing firm that conducted the audit.
What Type of SOC 2 Report?
There are two types of SOC 2 reports that can be issued: A SOC 2 Type I and a SOC 2 Type II. The type of report will be denoted on the cover page. The key difference is the timeframe of the report:
A SOC 2 Type I is an attestation that the company complied with the SOC 2 criteria at a specific point in time.
A SOC 2 Type II is an attestation that the company complied with the SOC 2 criteria over a period of time, most commonly a 6 or 12 month period.
SOC 2 Type II reports are more valuable because they demonstrate a long-term commitment to a security program – and any issues over the time frame will be revealed. It’s possible for a company to get a SOC 2 Type I report then fail to adhere to their controls.
Key takeaway: If a company only has a SOC 2 Type I, ask if and when they are working on achieving a SOC 2 Type II. If they say they are not getting a Type II, this is indicative of a lower commitment to security.
An unauthenticated zero-day RCE vulnerability in the Spring Core Java framework called ‘Spring4Shell’ has been publicly disclosed.
Researchers disclosed a zero-day vulnerability, dubbed Spring4Shell, in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io, a subsidiary of VMware.
The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.
The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting their account (helloexp).
A Java Springcore RCE 0day exploit has been leaked. It was leaked by a Chinese security researcher who, since sharing and/or leaking it, has deleted their Twitter account.
“The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks.” reported the analysis published by Rapid7. “The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly deleted.”
The flaw has yet to be patched and impacts Spring Core on Java Development Kit (JDK) versions 9 and later. The vulnerability is a bypass for another vulnerability tracked as
Rapid7 researchers pointed out that the vulnerability (and proof of concept) could be triggered only when a specific functionality is used. The exploit code released by the Chinese researcher is not related to a “completely different” unauthenticated RCE flaw that was published on March 29, 2022 for Spring Cloud.
“Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation.” continues Rapid7.
The analysis of the flaw suggests that its impact may not be as severe as that of other issues, such as Log4J.
“Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,” reads the analysis published by cybersecurity firm Praetorian.
Security researchers who tested the Spring4Shell exploit confirmed that it works. CERT/CC vulnerability analyst Will Dormann confirmed that the PoC exploit code works against the stock ‘Handling Form Submission’ sample code from
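The binding surface that Praetorian's note refers to can be narrowed in application code. The following is an added example, not code from the article, from Spring, or from the ‘Handling Form Submission’ guide: a controller with the same Greeting form shape as that guide, plus an @InitBinder that allow-lists the only two fields the form carries, so request parameters naming any other property path are dropped instead of being bound. It assumes Spring Web MVC on the classpath and view templates named greeting and result; upgrading to a fixed Spring release is still the actual fix.

```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class GreetingController {

    // Called for every WebDataBinder this controller creates. Only the named
    // properties may be populated from request parameters; any other property
    // path submitted by the client is ignored rather than written into the
    // form-backing object. Prefer an allow-list to a deny-list: it does not
    // need updating when a new unexpected path is discovered.
    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("id", "content");
    }

    @GetMapping("/greeting")
    public String greetingForm(Model model) {
        model.addAttribute("greeting", new Greeting());
        return "greeting";
    }

    // The POST handler is where automatic decoding of the request body into
    // the Greeting bean happens, i.e. the "endpoint with DataBinder enabled"
    // that the Praetorian analysis describes.
    @PostMapping("/greeting")
    public String greetingSubmit(@ModelAttribute Greeting greeting, Model model) {
        model.addAttribute("greeting", greeting);
        return "result";
    }

    // Form-backing bean with the same two fields as the sample's Greeting class
    // (hypothetical re-declaration for this example).
    public static class Greeting {
        private long id;
        private String content;

        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getContent() { return content; }
        public void setContent(String content) { this.content = content; }
    }
}
```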
When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand among those who want to visit American-only stores and other sites. Here we break it down a bit to show how a proxy can do you good and how to choose a proxy service for your comfort and safety.
The US CISA and the Department of Energy issued guidance on mitigating attacks against uninterruptible power supply (UPS) devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy published joint guidance on mitigating cyber attacks against uninterruptible power supply (UPS) devices.
The US agencies warn of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices by exploiting default credentials.
UPS devices provide clean and emergency power in a variety of applications when normal input power sources are interrupted for various reasons.
The guidance recommends organizations immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet. In the case where a UPS device must be accessible online, organizations are recommended to implement the following controls:
Ensure the devices are accessible through a virtual private network.
Enforce multifactor authentication.
Use strong passwords or passphrases in accordance with National Institute of Standards and Technology guidelines (for a humorous explanation of password strength, see XKCD 936)
CISA recommends checking if organizations’ UPS credentials are still set to the factory default.
Threat actors compromised WordPress sites to deploy a script that was used to launch DDoS attacks, when they are visited, on Ukrainian websites.
MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site; when users visited the website, the script launched a DDoS attack against ten Ukrainian sites.
There are about a hundred of them actually. All through the WP vulns. Unfortunately, many providers/owners don’t react. @GoDaddy ignores abuse letters completely
The only evidence of the ongoing attack is a slowdown in browser performance.
According to BleepingComputer, which first reported the discovery, DDoS attacks targeted pro-Ukrainian sites and Ukrainian government agencies, including think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.
Malicious schemes linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world and thereby trick victims. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, Colombia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected.
Figure 1: Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are hosted on servers geolocated in the USA, the Netherlands, and Turkey (ZoomEye).
As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 of them created in 2022. The servers are located in three countries: the USA, the Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs, with more than 1k malicious entries, is provided at the end of the article.
The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.
A new campaign typically starts with the authors setting up the malicious domain at the top of Google search through digital ads (Google ads) – as shown above referring to the Lefties clothing store disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, social Ads were also found on Instagram and Facebook social media platforms.
The content of the malicious websites – clones of the official stores – is based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts related to the static CMS can be found on a GitHub repository belonging to the criminals. In detail, the criminals put some effort into developing a generic platform that could serve a mega operation at large scale, where small tweaks of images and templates allow the reuse of code for different online stores. Thus, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:
Name (first and last)
Complete address (street, zip-code, city, and country)
Mobile phone
Email
Password
Credit card information (number, date, and CVV); and
Details about the order and tracking code of the package.
The Federal Communications Commission (FCC) added Kaspersky to its Covered List because it poses unacceptable risks to U.S. national security.
The Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List saying that they pose unacceptable risks to U.S. national security.
“The Federal Communications Commission’s Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019.” reads the FCC’s press release.
The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
The US commission also added Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list. Below is the list of Covered Equipment or Services added on March 25, 2022:
Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.
International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934.
Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934.
FCC banned Kaspersky security solutions and services supplied by Kaspersky or any linked companies.
“The FCC’s decision to add these three entities to our Covered List is welcome news. The FCC plays a critical role in securing our nation’s communications networks, and keeping our Covered List up to date is an important tool we have at our disposal to do just that. In particular, I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.” said FCC Commissioner Brendan Carr. “I applaud Chairwoman Rosenworcel for working closely with our partners in the Executive Branch on these updates. As we continue our work to secure America’s communications networks, I am confident that we will have more entities to add to our Covered List.”
In mid-March, the German Federal Office for Information Security, aka BSI, recommended that consumers uninstall Kaspersky anti-virus software. The agency warned that the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine.
According to §7 of the BSI Act, the BSI warns against the use of Kaspersky antivirus and recommends replacing it as soon as possible with defense solutions from other vendors.
According to §7 of the BSI Act, we warn against the use of antivirus software from the Russian manufacturer Kaspersky. We recommend replacing such applications with products from other manufacturers.
Google addresses an actively exploited zero-day flaw with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux.
Google fixed an actively exploited high-severity zero-day vulnerability with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux.
Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug, tracked as CVE-2022-1096, exploited in the wild.
The CVE-2022-1096 vulnerability is a type confusion in the V8 JavaScript engine; the bug was reported by an anonymous researcher on 2022-03-23.
“The Stable channel has been updated to 99.0.4844.84 for Windows, Mac and Linux which will roll out over the coming days/weeks.” reads the security advisory published by Google.
“Google is aware that an exploit for CVE-2022-1096 exists in the wild.”
At this time, Google has yet to publish technical details about the flaw or how it was exploited by threat actors in the wild.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” continues the advisory.
This is the second zero-day vulnerability addressed by the IT giant this year in Chrome. In February Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, which was actively exploited. Google released a Chrome emergency update for Windows, Mac, and Linux to fix the CVE-2022-0609 bug.
The CVE-2022-0609 zero-day is a use-after-free issue that resides in Animation; the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.
The flaw was exploited by North Korea-linked threat actors since January 4, 2022.
The ongoing global turmoil has tested the supply chain across industries in a myriad of ways – from strained resources and remote workflows to security concerns and more. Sustaining a resilient supply chain is one area where many organizations have seen disruptions and business risk, mostly related to managing third-party vendors.
Recent reports have found that 85% of companies are losing money to third-party integration issues related to their supply chains – some losing over $1 million per year. Much of this is attributable to outdated integration systems – those that are not cloud-based – as well as a lack of end-to-end business process visibility. In addition, 35% of businesses have stated their compliance teams have no way of knowing if third-party partners are compliant. Not only is this a big problem financially, but it indicates that most aren’t aware of what is happening across business transactions, which could contribute to even greater future risk and loss.
To overcome these challenges, businesses must implement an agile risk management program that prioritizes third-party risk management. Building a formalized third-party risk management program that strengthens end-to-end process visibility is a three-step process.
Step one: Define and build the program
Defining the current state of an IT and third-party risk management program is the first step in understanding what is working, and most critically, what is not working. This includes a complete audit of existing vendors and the potential risks they pose; this gives leaders visibility into current risks, identifies addressable risk, and unnecessary future risks that can be preemptively mitigated. This process also enables organizations to create new standards and goals for an improved third-party vendor program. For example, organizations need to understand communication processes between IT and third-party risk management teams to unearth potential issues caused by manual processes, inadequate reporting and/or inaccessibility to relevant data.
Top-down sponsorship and bottom-up execution is also key when developing a third-party compliance program. Organization-wide alignment shifts third-party vendor processes from a “check box” compliance exercise to a consistent, thorough process that underscores the significance of having a risk management program in place. For example, many organizations have a vendor onboarding checklist that includes tasks like reviewing their product/service track record, financial stability and if they’ve run afoul of the law. However, a consistent, thorough process would also encompass activities like ongoing due diligence that regularly checks a vendor’s risk profile for financial, regulatory, and reputational risk.
To break down silos and make adoption more seamless, organizations should consider automating these processes, and integrating with systems of record across the business. This will grow program efficacy, create greater efficiency in operations and most importantly, will support a risk management program that can evolve alongside future compliance needs, workflows, and processes.
Step two: Establish resources, priorities, and foundational assets
A primary reason executive sponsorship is critical is because organizations need to determine what resources are available to actualize plans.
Key stakeholders across IT, HR and risk and compliance will be instrumental in not just the rollout of an improved third-party vendor program, but also in defining the scope. Allocating resources can be anything from identifying internal subject matter experts, formalizing committees, or determining if and how new hires need to be evaluated.
Because you can’t boil the ocean, it is important to understand which vendors have the greatest potential impact on the business. With this data in hand – accessed through foundational assets like robust risk management tools and solutions – project stakeholders can prioritize risks by level of importance and formulate an actionable plan.
Lastly, establishing and enforcing a library of controls within these solutions can improve processes and decrease the level of risk. By doing so, the organization can manage enforcement for internal as well as regulatorily enforced best practices, while also ensuring that any third parties with access to these systems follow the same requirements, thereby creating uniformity of process and reducing risk.
Step three: Implement program methodology
In addition to assessing third parties, a key step in building a healthy risk management program is defining metrics. The program methodology should include established reporting standards and target metrics, allowing success to be measured over time. With benchmarks from step one in place, teams can measure how cloud integrations led to overall improvements, or how quickly potential risks were rectified, for example.
Employee training plays a big role here as everyone within an organization needs to be able to navigate third-party risk management solutions with ease. Training should include the entire risk management function and provide repeatable introductions into the change management challenges that are associated with any new program, process, or system.
While a robust solution with automated workflows will certainly resolve integration issues and streamline processes, organizational buy-in for third-party risk management programs is what defines resilient vendor relationships and a healthy compliance program. Using this methodology to create a risk-based strategy will not only help a business establish and maintain a strong vendor supply chain but can help identify future risks, enabling teams to mitigate them before they become a business-impacting issue, which is what business resilience is all about.
Gimmick is a newly discovered macOS implant developed by the China-linked APT Storm Cloud and used to target organizations across Asia.
In late 2021, Volexity researchers investigated an intrusion in an environment they were monitoring and discovered a MacBook Pro running macOS 11.6 (Big Sur) that was compromised with a previously unknown macOS malware tracked as GIMMICK. The researchers explained that they have discovered Windows versions of the same implant during the past investigations.
The experts attribute the intrusion to a China-linked APT group tracked as Storm Cloud, which is known to target organizations across Asia.
The macOS version of the implant is written primarily in Objective-C, while the Windows ones are in both .NET and Delphi. The implant uses public cloud hosting services (such as Google Drive) for C2 to evade detection.
Volexity worked with Apple to implement protections against the GIMMICK implant; on March 17, 2022, Apple pushed new signatures to XProtect and MRT to remove the malware.
If GIMMICK is launched directly by a user rather than as a daemon, it installs itself as a launch agent by dropping a PLIST file into the user’s LaunchAgents directory.
“On macOS, GIMMICK was found to support being launched as a daemon on the system or by a user. Should GIMMICK be launched directly by a user, rather than a daemon, it will install itself as a launch agent by dropping a PLIST file with contents, similar to that shown below, to /Users/<username>/Library/LaunchAgents.” reads the analysis published by Volexity. “The name of the binary, PLIST, and agent will vary per sample. In the case observed by Volexity, the implant was customized to imitate an application commonly launched by the targeted user.”
During initialization, the implant analyzed by the experts decodes several pieces of data used for its operation using a rotating addition algorithm.
The implant also supports an uninstall function accessible by adding the argument “uninstall” on the command line. The command instructs the malicious code on removing itself and all associated files, and then kills the process.
“Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets.” concludes the analysis published by the experts. “The work involved in porting this malware and adapting its systems to a new operating system (macOS) is no light undertaking and suggests the threat actor behind it is well resourced, adept, and versatile.”
“Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” he noted, and advised those that have not yet done it to harden their cyber defenses by implementing security best practices delineated earlier this year.
“[This warning is] based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” he added.
US Deputy National Security Advisor Anne Neuberger has followed up the warning with a press briefing, during which she stated that “there is no certainty there will be a cyber incident on critical infrastructure,” but that owners and operators of critical infrastructure have the ability and the responsibility to harden the systems and networks the country relies on.
She shared that last week, federal agencies hosted classified briefings with several hundred companies in sectors they felt would be most affected, and “provided very practical, focused advice.”
Previously, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help critical infrastructure owners and operators identify and mitigate the risks of influence operations that use mis-, dis-, and malinformation (MDM) narratives.
Neuberger also said that US agencies have not yet attributed the recent attack on satellite communications company Viasat. Nevertheless, the attack has been followed by a CISA alert advising SATCOM network providers or customers on how to upgrade their defenses.
You might have heard that the iPhone is almost completely impossible to hack or that Samsung devices have some of the best firewalls in the world built right into the device. While these statements are true, they do not mean that your personal information is automatically safe.
In fact, there are a handful of ways hackers can get into your mobile device. That being said, there are several steps you can take to fight back against it. So, let’s take a look and explore those in a bit more depth today.
The Lapsus$ extortion group claims to have stolen sensitive data from the identity and access management giant Okta solutions.
The gang announced the alleged hack through its Telegram channel and shared a series of screenshots as proof of the hack. Some of the images published by the threat actors appear to be related to the company’s customer data.
The message published by the group claims that the gang had Superuser and Admin access to multiple systems of the company.
The company is investigating claims of a data breach which, if confirmed, could pose serious risks to the customers of the company.
“Okta is aware of the reports and is currently investigating,” states a spokesperson for the company. “We will provide updates as more information becomes available.”
Todd McKinnon, CEO at Okta, confirmed that in late January 2022, the company detected an attempt to compromise the account of a third-party customer support engineer working for one of its subprocessors.
We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)