InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
American worldwide logistics and freight forwarding company Expeditors International shuts down global operations after cyber attack
American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.
Expeditors has over 18,000 employees worldwide and annual gross revenue of around $10 billion. The company discovered the attack on February 20, 2022; it has not provided details about the attack and announced that it has launched an investigation into the incident.
“Expeditors International of Washington, Inc. (NASDAQ:EXPD) announced that on February 20, 2022, we determined that our company was the subject of a targeted cyber-attack. Upon discovering the incident, we shut down most of our operating systems globally to manage the safety of our overall global systems environment.” reads the announcement published by the company. “The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments.”
The information publicly available on the attack suggests the company was the victim of a ransomware attack and was forced to shut down its network to prevent the threat from spreading.
The attack impacted the company’s operations, including the capability to arrange shipments of freight or manage customs and distribution activities for its customers’ shipments.
The company hired cybersecurity experts to investigate the security breach and recover from the attack.
The company warned that the incident could have a material adverse impact on its business, revenues, results of operations and reputation.
“We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation.” concludes the advisory.
Which assets can be made accessible by printer vulnerabilities?
Business-class printers are often running a variant of Linux, which means they have many of the same vulnerabilities that you would find on any network-attached Linux server. Many zero-day exploits that have been found in the Linux kernel could be found in these printers if they are left unpatched.
So, what is the primary motivation of attackers? It is usually to gain remote access behind the corporate firewall. Cybercriminals often use network-attached devices to discover more about the other devices connected to the network. If a device can be used to scan the network, it might be possible to find other vulnerable devices on the network. It may even be possible for the attacker to use the printer to mount attacks on other network-attached devices. In this way, a printer becomes a staging area for malicious actors to attack and compromise other, more critical platforms within a corporate network.
That said, for some companies, the printer itself can be the target. Many business-class printers have hard drives that are used to save jobs, templates and other information the customer needs to use the device. This means that an immense amount of sensitive and confidential data is being stored on the printer. Extraction of this valuable, locally stored data on the printer is sometimes an attacker’s goal.
What can organizations do to make their printers secure?
First off, good “firmware hygiene” is essential. Multi-function network-attached printers are surprisingly sophisticated systems, and as a result have highly sophisticated embedded operating systems. Most of these printers have a webserver for providing device status and allowing configuration updates along with printer firmware updates. These devices are also expected to support a lot of different network protocols, such as SNTP, SNMP and the related printer-specific protocols.
As you might expect: the more complex the firmware in a device is, the more potential security vulnerabilities it may have. Printer OEMs are aware of the attack surface their products present, and they strive to maintain the highest grade of security within their embedded software. A policy for applying standard vendor-authentic updates and patches should be followed. Also, intrusion-detection software should be operational within a corporate LAN. This allows for monitoring of any non-standard, potentially malicious traffic – not just from the user’s personal devices, but from any network-attached appliance.
The FBI warned that US organizations and individuals are being increasingly targeted in BEC attacks on virtual meeting platforms
The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests.
Cybercriminals are targeting organizations of any size and individuals. In BEC attack scenarios, attackers pose as someone the targets trust, such as business partners, CEOs, executives, and service providers.
Scammers compromise legitimate business or personal email accounts through different means, such as social engineering or computer intrusion, to conduct unauthorized transfers of funds.
Crooks started using virtual meeting platforms due to the popularity they have reached during the pandemic.
The Public Service Announcement published by the FBI warns of a new technique adopted by scammers, who are using virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts.
“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.
Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.
Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:
Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.
Below are recommendations provided by the FBI:
Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
Use secondary channels or two-factor authentication to verify requests for changes in account information.
Ensure the URL in emails is associated with the business/individual it claims to be from.
Be alert to hyperlinks that may contain misspellings of the actual domain name.
Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
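The URL, misspelled-domain and sender-address checks from the FBI list above can be partly automated. The following Python sketch is an added example, not part of the FBI announcement or the original post; the trusted-domain allowlist, the edit-distance threshold of 2 and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical allowlist: domains the organization really does business with.
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return 'trusted', 'embeds <d>', 'lookalike of <d>' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    trusted = sorted(TRUSTED_DOMAINS)
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # A trusted name used as a prefix or label of somebody else's domain.
        if t in domain:
            return "embeds " + t
    for t in trusted:
        # Threshold of 2 edits is an assumption; tune it to your domain names.
        if edit_distance(domain, t) <= 2:
            return "lookalike of " + t
    return "unknown"

def review_message(raw):
    """Check sender, Reply-To and link hosts; return only the suspicious ones."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if sender:
        findings.append(("from", sender, classify_domain(sender)))
    if reply and reply != sender:
        findings.append(("reply-to", reply, "differs from sender domain"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        findings.append(("link", host, classify_domain(host)))
    return [f for f in findings if f[2] != "trusted"]

# Constructed sample message (not a real e-mail).
SAMPLE = """\
From: "CEO Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@freemail.example
Subject: Urgent transfer, I am in a virtual meeting

Please start the transfer now:
https://example-bank.com.payments-login.example/transfer
"""

if __name__ == "__main__":
    for field, domain, verdict in review_message(SAMPLE):
        print(f"{field:9} {domain:45} {verdict}")
```

A flagged message still needs the out-of-band confirmation the FBI recommends; the script only narrows down which messages deserve it.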
I am quite thrilled to announce that the long-overdue update to my NIST CSF tool V2.0 is finally done. While this new version generally looks the same as the prior one, there are substantial changes underneath which will make updating it in the future far easier.
Originally released in January of 2019, it has become the most popular page on the site, with almost 20,000 downloads. To get a full understanding of the tool, you can read the original post here which goes into great detail about why it was developed and how to use it.
After numerous requests, I have also added the NIST Privacy Framework to the tool as well. The same logic has been applied here as to the CSF side – it’s just as, or perhaps even more, important to measure what you do (your practices) against what you say you do (your policies) when it comes to Privacy as it is Security.
As always, I welcome suggestions and feedback. The email to reach me is in the worksheet.
You can find the new version on the Downloads page.
Advanced Techniques like “Living off the Land”
AV Bypass Tools
Using IoT Devices in Security
and much, much more!!
Learning attacker Tactics, Techniques and Procedures (TTPs) is imperative in defending modern networks. This hands-on guide will help guide you through these with step-by-step tutorials using numerous pictures for clarity.
For the past few weeks, Russia has been deploying military forces into strategic positions on Ukraine’s borders. However, there is another, virtual dimension to the escalating conflict: cyber-attacks on Ukrainian government and business websites and services.
Although it is impossible to confirm the Russian state is behind these attacks, commentators have suggested that similar tactics form part of a type of hybrid warfare that Russia has been fine tuning for the past couple of decades.
Cyber-espionage and information warfare have become an intrinsic part of recent conflicts and happen on a regular basis between conflicting powers. However, governments do not usually publicly claim responsibility for this type of activity, since this could put them in a position of declaring war against the targeted country and provoking counterattacks and sanctions from the international community. Therefore, evidence that Russia is definitely behind these attacks is hard to establish.
Cyber-attacks are often attributed to hacker groups with nationalist motivations, who justify their political agendas without explicitly verifying any state backing.
In January, there was a spate of attacks by Belarusian hackers believed to be supporting Russia. They launched a series of malware attacks against Ukrainian computer systems with many government and other websites being defaced with provocative and intimidating messages.
In mid-February, there was another round of cyber-attacks, this time targeting the Ukrainian army website, ministerial websites and some of the major banks, including PrivatBank, preventing online payments and use of banking apps.
These latest attacks were mainly distributed denial of service (DDoS) attacks, where a huge number of small packets of information are sent to websites and servers from multiple sources. This information overload causes the servers and computer systems targeted to slow down or collapse because of the swarm of information requests.
Russian involvement in those cyber-attacks is suspected, but is hard to confirm. The attacks follow the pattern of similar tactics with alleged Russian backing over the past two decades in Ukraine, Estonia and Georgia, including attacks on communications infrastructures and power grids.
The US president and EU officials are now discussing increasing cyberspace defences against such attacks or imposing sanctions, if required.
Despite all of this, Ukrainian officials have refrained from explicitly mentioning the Russian state as being behind these attacks.
A searing look inside the rise of cyberwarfare as the primary way nations now compete with and sabotage one another – The Perfect Weapon
As technology progresses, our daily activities are moving online. This includes tasks that we may not think of as being particularly sensitive, such as shopping and banking. While this makes our lives easier in many ways, it also leaves us vulnerable to identity theft. Here are seven tips to protect your data and reduce your risk of it showing up on the dark web.
1) Shred sensitive documents
Shredding sensitive documents is an easy way to protect yourself against identity theft or data breaches. For example, when you receive junk mail that contains your personal information (such as pre-approved credit card offers), it’s best to cut up the document into pieces rather than just throw it in the garbage bin. This also goes for unsolicited checks in the mail and other unwanted or unsolicited offers. By cutting up or shredding these types of documents, you prevent someone else from stealing your personal information and can dispose of them more easily. The same principle can be applied with old papers containing important information such as bank statements and tax returns – before throwing something away, ask yourself if anyone could get access to it if they took the paper out of your garbage can. If so, shred it!
2) Be cautious about what you post online
Before posting anything on Facebook or Twitter, ask yourself if you would be comfortable if everyone in the world read the information. The Internet is an amazing resource that can provide us with huge amounts of information right at our fingertips. However, it’s important to be aware that just because something is “just for friends” doesn’t mean that someone else won’t see your posts. Remember that this includes any selfies you may take – anyone could grab a picture off of your page, re-post it elsewhere, or even print it out and keep a copy long after you have deleted the original from your computer.
3) Ensure your passwords are strong
When choosing a password, it is very important to use diverse information that is difficult for others to guess. Avoid using real words or meaningful personal information in your passwords, even when combined with numbers or symbols. For example, “ilovemycat” might seem like an unlikely password choice at first glance, yet there are websites out there designed to reveal simple passwords such as these within seconds. A stronger approach would be to create a random string of characters and numbers, such as the phrase “I l@ve mY cAt.” You could then add on some additional characters or numbers if you preferred that people not know which type of animal you love so much! The more complex and unique your password is, the better chance you have of keeping it safe.
4) Use two-factor authentication
An easy way to add another level of security when signing into websites such as Facebook or Gmail is to enable “two-factor authentication.” For example, after entering in your password, a unique code will be sent by text message to the phone number you provided when setting up two-factor authentication. The code must then be entered before you can access your account. This adds a layer of protection since a hacker would need more than just your password in order to get into your accounts – they would also need access to your cell phone! Note that certain banks may also offer this feature for accessing protected accounts via their online banking portal. If you are unsure, contact your bank to find out more about two-factor authentication.
5) Password protect your devices
Another way to prevent unauthorized access is by password-protecting your cell phone or tablet. You may think that this is unnecessary or unimportant, but it can actually be a very important step in securing your data and preventing others from accessing it without consent. For example, if you lose your phone somewhere where someone could pick it up off the ground (such as on public transit), they wouldn’t be able to access your device without knowing the PIN code for unlocking it first. This is an easy step that many people neglect yet protects against any potential personal information leaks through lost or stolen electronic devices.
6) Be mindful of when your software is updated
Another easy way to protect yourself from the latest security risks is by updating your software and programs promptly. Both Mac and PC users can agree that it’s not always fun to spend time shutting down what you’re doing to update your computer or phone, but it is important! You may even receive updates through your system itself, such as Apple OS X – make sure you accept all updates when they are available so that you can keep up with the latest versions of all programs installed on your devices.
7) Take precautions offline as well
While online precautions are important for protecting yourself against identity theft, physical protection of personal information at home should also be taken. If confidential documents are kept anywhere around the house, consider using security safes that can be locked. This makes it difficult for someone to come along and take your information or documents without checking first.
The U.S. CISA has created a list of free cybersecurity tools and services that can help organizations increase their resilience.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced this week that it has compiled a list of free cybersecurity tools and services that can help organizations to reduce cybersecurity risk and increase resilience.
The list is part of an ongoing project and will be continuously updated by CISA, which also plans to allow third parties to propose their resources for inclusion in the list.
The list includes open source tools and free resources provided by government organizations and private cybersecurity firms.
The tools cover a broad range of activities normally conducted by defenders, from incident response to threat detection.
“As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will implement a process for organizations to submit additional free tools and services for inclusion on this list in the future.” reads the announcement published by CISA. “The list is not comprehensive and is subject to change pending future additions.”
Reducing the likelihood of a damaging cyber incident;
Detecting malicious activity quickly;
Responding effectively to confirmed incidents; and
Maximizing resilience.
The list already includes cybersecurity tools and services from major IT and cybersecurity firms, including ones provided by CISA, AT&T Cybersecurity, Cloudflare, Cisco, Center for Internet Security, CrowdStrike, Google, IBM, Microsoft, Mandiant, Splunk, SANS, Secureworks, Tenable, and Palo Alto Networks. The list also includes tens of tools that are open source.
CISA pointed out that it does not endorse any commercial product or service.
Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.
“Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties.” reads the announcement.
Google is also committed to fighting and reducing covert data collection.
The goals of the Privacy Sandbox are:
Build new technology to keep your information private
Enable publishers and developers to keep online content free
Collaborate with the industry to build new internet privacy standards
Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.
“Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates.” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”
Canonical’s Snap software packaging and deployment system is affected by multiple vulnerabilities, including a privilege escalation flaw tracked as CVE-2021-44731 (CVSS score 7.8).
Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions.
The flaws were discovered by Qualys researchers. CVE-2021-44731 is the most severe one and is a race condition in snap-confine’s setup_private_mount() function.
snap-confine is a program used internally by snapd to construct the execution environment for snap applications. An unprivileged user can trigger the flaw to gain root privileges on the affected host.
“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.” reads the post published by the experts. “As soon as the Qualys Research Team confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with both vendor and open-source distributions in announcing this newly discovered vulnerability.”
Qualys experts also developed a PoC exploit for this issue that allows obtaining full root privileges on default Ubuntu installations.
Below is the full list of vulnerabilities discovered by the experts:
CVE | DESCRIPTION
CVE-2021-44731 | Race condition in snap-confine’s setup_private_mount()
CVE-2021-44730 | Hardlink attack in snap-confine’s sc_open_snapd_tool()
CVE-2021-3996 | Unauthorized unmount in util-linux’s libmount
CVE-2021-3995 | Unauthorized unmount in util-linux’s libmount
CVE-2021-3998 | Unexpected return value from glibc’s realpath()
CVE-2021-3999 | Off-by-one buffer overflow/underflow in glibc’s getcwd()
CVE-2021-3997 | Uncontrolled recursion in systemd’s systemd-tmpfiles
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
The European Data Protection Supervisor authority called for a ban on the development and the use of Pegasus-like commercial spyware.
The European Data Protection Supervisor (EDPS) authority this week called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.
Pegasus is surveillance malware developed by the Israeli surveillance firm NSO Group that can infect both iPhones and Android devices. It is sold exclusively to governments and law enforcement agencies.
The abuse of this kind of solution poses a serious threat to fundamental rights, particularly the rights to privacy and data protection.
“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS).
“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”
Privacy advocates and cybersecurity experts demonstrated the use of Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.
Pegasus was used by governments with dubious human rights records and histories of abusive behaviour by their state security services.
The surveillance software allows its operators to completely take over the target device and spy on the victims. Developers of surveillance solutions leverage zero-click zero-day exploits to silently compromise the devices without any user interaction. Pegasus is known to have used the KISMET and FORCEDENTRY exploits to infect the devices of the victims.
NSO Group has repeatedly claimed that its software is sold exclusively to law enforcement and intelligence agencies to fight crime and terrorism, in a so-called “life-saving mission.”
According to a series of disclosures by the business publication Calcalist in recent weeks, dozens of citizens in the country were targeted by Israel Police with the NSO Group’s spyware to gather intelligence without a search warrant authorizing the surveillance.
“National security cannot be used as an excuse to an extensive use of such technologies nor as an argument against the involvement of the European Union.” continues EDPS.
EDPS urges tight control over the use of surveillance and hacking tools to prevent and disincentivize unlawful use.
Researchers disclose a now-patched remote code execution (RCE) vulnerability in the Apache Cassandra database software.
JFrog researchers publicly disclosed details of a now-patched high-severity security vulnerability (CVE-2021-44521) in Apache Cassandra database software that could be exploited by remote attackers to achieve code execution on affected installations.
Apache Cassandra is an open-source NoSQL distributed database used by thousands of companies.
“JFrog’s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4).” reads the analysis published by JFrog. “This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra.”
Cassandra offers the ability to create user-defined functions (UDFs) that perform custom processing of data in the database.
Admins can use Java and JavaScript to write UDFs. For JavaScript, Cassandra leverages the Nashorn engine in the Java Runtime Environment (JRE), which is not guaranteed to be secure when accepting untrusted code.
JFrog researchers discovered that when user-defined functions (UDFs) are enabled in the configuration, threat actors could leverage the Nashorn engine to escape the sandbox and achieve remote code execution.
“For example, running the following Nashorn JavaScript code allows execution of an arbitrary shell command –
Cassandra’s development team decided to implement a custom sandbox around the UDF execution which uses two mechanisms to restrict the UDF code” states the report.
Experts noticed that the exploitation is possible when the cassandra.yaml configuration file contains the following definitions:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
“When the option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. We will show how to abuse these permissions to achieve sandbox escape and RCE.” continues the analysis.
Experts shared a PoC to create a new file named “hacked” on the Cassandra server.
Apache released versions 3.0.26, 3.11.12, and 4.0.2 to address the vulnerability. The fix adds a new flag, “allow_extra_insecure_udfs”, which is set to false by default; it prevents turning off the security manager and blocks access to java.lang.System.
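To check a node for the configuration described above, the following Python sketch audits the text of a cassandra.yaml file together with the installed version. It is an added example, not code from JFrog or the Apache Cassandra project: the verdict names and sample files are constructed here, the parser only reads top-level key: value lines, and the defaults used for absent keys are assumptions of this example (except allow_extra_insecure_udfs, whose default is stated above).

```python
import re

# Values assumed when a key is absent or commented out (assumption of this
# example; allow_extra_insecure_udfs=false is the default the article states).
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
    "allow_extra_insecure_udfs": False,
}

# First fixed release per branch, as listed in the article.
FIXED = {(3, 0): 26, (3, 11): 12, (4, 0): 2}

TRUE_WORDS = {"true", "yes", "on"}  # YAML 1.1 spellings of boolean true
KEY_VALUE = re.compile(r"^([A-Za-z_]+)\s*:\s*([^#]*?)\s*(?:#.*)?$")

def parse_flags(yaml_text):
    """Read the four UDF flags from top-level 'key: value' lines only."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        if not line or line[0] in " \t#-":  # skip nested, comment, list lines
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip("'\"").lower() in TRUE_WORDS
    return flags

def is_patched(version):
    """True/False for the three branches the article names, None otherwise."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    first_fixed = FIXED.get((major, minor))
    return None if first_fixed is None else patch >= first_fixed

def audit(yaml_text, version):
    """Classify a node against the configuration the article describes."""
    flags = parse_flags(yaml_text)
    risky = (flags["enable_user_defined_functions"]
             and flags["enable_scripted_user_defined_functions"]
             and not flags["enable_user_defined_functions_threads"])
    if not risky:
        return "CONFIG_NOT_MATCHED"   # not the combination from the article
    patched = is_patched(version)
    if patched is None:
        return "UNKNOWN_VERSION"      # branch not covered by the article
    if not patched:
        return "EXPOSED"              # risky flags on an unfixed release
    # On a fixed release the new flag decides whether the guard is active.
    return "GUARD_DISABLED" if flags["allow_extra_insecure_udfs"] else "PATCHED"

# Constructed sample configurations (not taken from a real deployment).
RISKY_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # UDFs run in daemon thread
"""
DEFAULT_YAML = """\
cluster_name: 'Test Cluster'
# enable_user_defined_functions: true
"""

if __name__ == "__main__":
    for name, text, ver in [("risky/4.0.1", RISKY_YAML, "4.0.1"),
                            ("risky/4.0.2", RISKY_YAML, "4.0.2"),
                            ("default/3.0.25", DEFAULT_YAML, "3.0.25")]:
        print(name, "->", audit(text, ver))
```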
Certified ISO 27001 ISMS Lead Auditor Training Course
ISO 27001 Lead Auditor is the qualification of choice for ISO 27001 professionals, recognized by employers worldwide.
Implementing and maintaining compliance with the Standard requires comprehensive knowledge of ISO 27001.
ITG Certified ISO 27001 ISMS Lead Auditor Training Course gives participants a solid understanding of the requirements of an ISO 27001 audit and the knowledge to ensure conformity to the Standard.
If you are already a qualified ISO 27001 auditor, enhance your career by taking ITG Certified ISO 27701 PIMS Lead Auditor Training Course, which will teach you how to conduct audits against ISO 27701, in line with international data protection regimes.
Concerning e-mails, pay attention to the following features:
Impersonal form of address: The sender of the e-mail does not know your correct name. The mail begins with “Dear costumer” instead of “Dear Mrs. / Mr. XY”. Perhaps your name is inserted, but misspelled.
The sender is using threats: The sender threatens you, e.g. “if you don’t refresh your password you account will be locked”.
Request for confidential data: You are straightforwardly asked for confidential data like your PIN / password, your online bank access or your credit card number. The whole thing is backed up with a threat.
Links and forms: The e-mail contains forms and links which you are obliged to use if you want to avoid any disadvantages.
Bad language: Sometimes, not always, the messages are written in bad English, sometimes interspersed with Cyrillic letters or special characters like $ or &.
Be vigilant even with well-worded texts! If in doubt, always check with the alleged sender, for example your house bank or Amazon. Go to the original website to contact the real customer service; don’t use any links or e-mail addresses you find in the mail.
Google fixed an actively exploited high-severity zero-day flaw, tracked as CVE-2022-0609, with the release of an emergency Chrome update for Windows, Mac, and Linux. This is the first Chrome zero-day fixed this year by Google.
The emergency patches will be rolled out in the coming weeks. Users can update their browser manually by going to Chrome menu > Help > About Google Chrome.
Google did not disclose technical details of CVE-2022-0609 to avoid massive exploitation of the bug. The IT giant also avoided disclosing information about the attacks in the wild exploiting the flaw.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.
There’s a remote code execution hole in Adobe e-commerce products – and cybercrooks are already exploiting it.
Using the Adobe Commerce online selling platform?
Using Magento, the free, open-source variant of the same product?
Buying products from online stores that use either of these?
Using online services that themselves use services that (…repeat up the supply chain as needed…) ultimately depend upon Magento or Adobe’s paid version?
If so, make sure that the site where Magento or Adobe Commerce is actually running has downloaded and applied Adobe’s latest patches.
Note that these are so-called out-of-band updates, meaning that they’re new enough not to have made it into last week’s regular Patch Tuesday updates, but critical enough not to be left until next month’s Patch Tuesday comes round.
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.
Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.
Upgrade now
Of course, the words “limited attacks targeting merchants” shown above don’t automatically imply that “minimal damage has been done”.
Anyone who remembers the recent Colonial Pipeline ransomware incident will know how extensive the knock-on effects of a single cyberattack can be.
Also, until we know what the attackers did when they exploited this hole, we can’t tell how much data they made off with, how many users might be affected, or what follow-up crimes – such as identity theft, password recovery and account takeover – the crooks might be able to try next.
According to Adobe, it seems that any Adobe Commerce or Magento installation running a version later than 2.3.3 that hasn’t received the latest patches is vulnerable.
The patches provided are listed as tested for all of these versions: 2.3.3-p1 to 2.3.7-p2, and 2.4.0 to 2.4.3-p1.
Quite what version number will show up after patching we can’t tell you; the patch files themselves are identified as 2.4.3-p1_v1, so our assumption is that’s the version string you’ll see.
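To triage an inventory of stores against the version ranges quoted above, the check below sorts each reported version into "listed for the patch", "not later than 2.3.3" or "outside the listed ranges". It is an added example, not Adobe's or the article's code; the status names and the inventory are constructed, and it assumes a `-pN` security-patch suffix sorts after its base release (2.3.3 < 2.3.3-p1).

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

# Ranges the article lists as tested for the patch (inclusive on both ends).
PATCH_TESTED_RANGES = [("2.3.3-p1", "2.3.7-p2"), ("2.4.0", "2.4.3-p1")]


def parse_version(text):
    """'2.3.7-p2' -> (2, 3, 7, 2); a missing -pN suffix counts as p0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, security = match.groups()
    return (int(major), int(minor), int(patch), int(security or 0))


def classify(version_text):
    """Map a reported version onto the ranges given in the article."""
    version = parse_version(version_text)
    if version <= parse_version("2.3.3"):
        return "not-later-than-2.3.3"       # outside "later than 2.3.3"
    for low, high in PATCH_TESTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            return "patch-listed"            # apply the out-of-band patch
    return "outside-listed-ranges"           # needs a manual look at the advisory


def triage(inventory):
    """Group host names by status so the 'patch-listed' hosts can be actioned first."""
    groups = {}
    for host, version_text in sorted(inventory.items()):
        groups.setdefault(classify(version_text), []).append(host)
    return groups


# Constructed inventory: host names and versions are placeholders.
INVENTORY = {
    "shop-a.example": "2.4.3-p1",
    "shop-b.example": "2.3.3",
    "shop-c.example": "2.3.7-p2",
    "shop-d.example": "2.3.7-p3",
}

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(status, hosts)
```

The version string alone does not show whether the patch has been applied, so hosts in the `patch-listed` group still need their patch state confirmed.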
Every day everybody receives many phishing attacks with malicious docs or PDFs. I decided to take a look at one of these files. I did a static analysis and I went straight to the point to make this reading simple and fast.
Here is the received email, presented as if it came from the Caixa Economica Federal bank, but we can see the sender uses Gmail services and a strange name.
I verified this e-mail header using MXtoolbox, and we can see the IP used by the sender (attacker).
Below is the reputation of the IP used by the attacker.
We can see this IP has a lot of mentions about malicious activities.
I downloaded this file in my VPS (Kali Linux) and used peepdf to do an analysis of the file structure, and I found 2 URIs in objects 3 and 5.
After I checked objects 3 and 5 using pdf-parser, I discovered a malicious URL in object 3.
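The same static check, locating `/URI` actions and the objects that hold them without opening the document, can be scripted. This is an added example, not the author's code and not how peepdf or pdf-parser are implemented; the sample PDF and its hosts are constructed, and the scan only covers uncompressed objects (URIs inside compressed object streams need a full parser).

```python
import re

# Constructed sample: a tiny uncompressed PDF whose link annotations sit in
# objects 3 and 5, like the file described above. Hosts are placeholders.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 50]\n"
    b"  /A << /S /URI /URI (http://phish.example/login\\(1\\).php) >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [3 0 R 5 0 R] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 60 200 90]\n"
    b"  /A << /S /URI /URI <687474703a2f2f63646e2e 6578616d706c652f61> >> >>\nendobj\n"
    b"%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.S)
# A /URI value is either a literal string "(...)" or a hex string "<...>".
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\()])*\)|<[0-9A-Fa-f\s]*>)", re.S)
ESCAPE_RE = re.compile(rb"\\([()\\])")


def extract_uris(pdf_bytes):
    """Return [(object_number, uri), ...] for every /URI value in plain objects."""
    found = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        number = int(obj.group(1))
        for match in URI_RE.finditer(obj.group(3)):
            raw = match.group(1)
            if raw.startswith(b"("):
                value = ESCAPE_RE.sub(rb"\1", raw[1:-1])  # undo \( \) \\ escapes
            else:
                digits = re.sub(rb"\s+", b"", raw[1:-1]).decode("ascii")
                # PDF pads an odd number of hex digits with a trailing zero.
                value = bytes.fromhex(digits + "0" * (len(digits) % 2))
            found.append((number, value.decode("latin-1")))
    return found


def defang(url):
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    for number, uri in extract_uris(SAMPLE_PDF):
        print(f"object {number}: {defang(uri)}")
```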
I transcribed a recent interview; here are some questions and answers about nation-state hacking, spyware, and cyber warfare. Enjoy!
How has spyware changed the rules of cyber security in recent years? What will cyber security look like now that those tools are all over the internet?
In the last decade, we have observed a progressive weaponization of cyberspace. NATO recognized cyberspace as a new domain of warfare. Cyberspace is the new battlefield for nation-state actors, the digital place where international crime rings operate threatening the pillars of our digital society.
Spyware are powerful weapons in the arsenal of governments and cybercrime gangs. These tools are even more sophisticated and are able to evade detection by using so-called zero-day exploits allowing attackers to bypass the defense of government organizations and businesses. Spyware allows attackers to steal sensitive info from the targets, and perform a broad range of malicious activities.
Is the Pegasus spyware a game-changer?
Pegasus is probably the most popular surveillance software on the market; it has been developed by the Israeli NSO Group. Anyway, it is not the only one. Many other surveillance firms develop spyware that is abused every day in dragnet surveillance and targets journalists, dissidents, and opponents of totalitarian regimes. This software is developed for law enforcement and intelligence agencies, but it is often abused by many governments worldwide in cyber espionage operations. The surveillance business is growing in the dark and is becoming very dangerous.
Which are devices of cyber warfare and cyber espionage?
Every technological device can be abused for cyber warfare and cyber espionage. Malware, spyware are the most common means but do not forget the power of social network platforms that can be used for surveillance and misinformation purposes.
Many governments have fallen victim to massive ransomware attacks from groups linked to organized crime, how bad can this new trend of hacking get?
Every day we read about major attacks targeting organizations worldwide with severe impact on their operations. The situation is getting worse despite the numerous operations of law enforcement on a global scale. The number of ransomware attacks spiked in the last couple of years due to the implementation of the Ransomware-as-a-Service model; this means that tens of ransomware gangs have created a network of affiliates and provided them their malware. Almost any criminal group could become an affiliate, obtain ransomware from a gang, and spread it; this is amplifying the damages. Critical infrastructure are even more exposed to a new generation of threats that are more aggressive and sophisticated.
Reports are coming out linking North Korea to illegal online activities related to cryptocurrency. How are some governments using the Internet to threaten world peace in one way or another?
When dealing with nation-state actors you must consider the main motivation behind the attacks and distinguish the technique, tactics, and procedure adopted by the different state-sponsored groups.
For example, China-linked nation-state actors are more focused on cyberespionage aimed at stealing intellectual property, while Russia-linked Advanced Persistent Threat groups often operate to destabilize the political contest of foreign states, carry out cyber espionage activities, and conduct disinformation campaigns. North Korea-linked threat actors carry out financially motivated attacks against banks and cryptocurrency firms worldwide to steal funds to re-invest in their military industry.
What about the resilience of countries’ infrastructure to face such kind of war?
We need norms of state behavior in the cyber space and more information sharing on cyber threats. We need to share information about the attacks in an early stage, profiling the threat actors to mitigate and prevent their campaigns. It is essential to increase the level of security of critical infrastructure like power grids, power plants and hospitals. Critical infrastructure are the main targets of nation-state actors in a cyber warfare contest.
Is making the internet a safe place technically possible?
Let me use the title of a famous book, “No place to hide”. I mean that both nation-state actors and cybercriminal organizations are spending a growing effort to increase their hacking capabilities and evasion techniques. Unfortunately, today most of the organizations still consider cybersecurity a cost to cut and this approach gives the attackers an immense advantage. We need a cultural change and we must consider that a security by design approach is the unique way to make the Internet a safe place. We also need globally recognized norms of responsible state behavior in cyberspace.
French data protection authority says Google Analytics is in violation of GDPR
The French national data protection authority, CNIL, issued a formal notice to managers of an unnamed local website today arguing that its use of Google Analytics is in violation of the European Union’s General Data Protection Regulation, following a similar decision by Austria last month.
The root of the issue stems from the website’s use of Google Analytics, which functions as a tool for managers to track content performance and page visits. CNIL said the tool’s use and transfer of personal data to the U.S. fails to abide by landmark European regulations because the U.S. was deemed to not have equivalent privacy protections.
European regulators including CNIL have been investigating such complaints over the last two years, following a decision by the EU’s top court that invalidated the U.S.’s “Privacy Shield” agreement on data transfers. NOYB, the European Center for Digital Rights, reported 101 complaints in 27 member states of the EU and 3 states in the European Economic Area against data controllers who conduct the transatlantic transfers.
Privacy Shield, which went into effect in August of 2016, was a “self-certification mechanism for companies established in the United States of America,” according to CNIL.
Originally, the Privacy Shield was considered by the European Commission to be a sufficient safeguard for transferring personal data from European entities to the United States. However, in 2020 the adequacy decision was reversed due to no longer meeting standards.
An equivalency test was used to compare European and U.S. regulations which immediately established the U.S.’s failure to protect the data of non-U.S. citizens. European citizens would remain unaware that their data is being used and how it is being used, and they cannot be compensated for any misuse of data, CNIL found.
CNIL concluded that Google Analytics does not provide adequate supervision or regulation, and the risks for French users of the tool are too great.
“Indeed, if Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data,” CNIL said.
The unnamed site manager has been given a month to update its operations to be in compliance with GDPR. If the tool cannot meet regulations, CNIL suggests transitioning away from the current state of Google Analytics and replacing it with a different tool that does not transmit the data.
The privacy watchdog does not call for a ban of Google Analytics, but rather suggests revisions that follow the guidelines. “Concerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers,” the watchdog said.