Mar 06 2022

Firefox patches two in-the-wild exploits – update now!

Category: Web Security | DISC @ 1:49 pm

Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical.

Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:

We have had reports of attacks in the wild abusing [these] flaw[s].

Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.

Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because they’re considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection against copycat attacks.

As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.

The bugs are listed as:

  • CVE-2022-26485. Use-after-free in XSLT parameter processing. This bug has apparently already been exploited for remote code execution (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
  • CVE-2022-26486. Use-after-free in WebGPU IPC Framework. This bug has apparently already been exploited for what’s known as a sandbox escape. This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.

Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to it…

…but carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on.

What to do?

Go to the About Firefox dialog to check your current version.

If you are out of date then Firefox will offer to fetch the update and then present a [Restart Firefox] button; click the button, or exit and restart the browser, to deploy the update.

The version numbers you want are: Firefox 97.0.2 (if you are using the regular release), or Firefox 91.6.1 ESR (if you are using the extended support release), or Firefox 97.3.0 for Android.

If you’re on Android, check for updates via the Play Store.

If you’re a Linux user and Firefox is managed by your distro, check with your distro creator.
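For administrators checking more than one machine, the version comparison above can be scripted. The following is an added example, not part of the original article: it assumes version strings in the form printed by `firefox --version` (for example "Mozilla Firefox 97.0.2", with an "esr" suffix on ESR builds), and the host names and inventory are constructed sample data.

```python
import re

# Minimum fixed versions per channel, as stated in the article.
FIXED = {
    "release": (97, 0, 2),
    "esr": (91, 6, 1),
    "android": (97, 3, 0),
}

# A dotted version, optionally followed by "esr". The look-arounds reject
# tokens such as "98.0b9" so pre-release builds end up as "unknown"
# instead of being silently misread as a release version.
VERSION_RE = re.compile(
    r"(?<![\w.])(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(esr))?(?![\w.])",
    re.IGNORECASE,
)


def parse_version(text):
    """Return ((major, minor, patch), is_esr) parsed from a version string."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no recognisable Firefox version in {text!r}")
    major = int(match.group(1))
    minor = int(match.group(2))
    patch = int(match.group(3) or 0)
    return (major, minor, patch), match.group(4) is not None


def is_patched(version_text, android=False):
    """Return (patched, channel) for one reported version string.

    The ESR channel is detected from the "esr" suffix. Android builds carry
    no marker in the version itself, so the caller has to flag them.
    """
    version, is_esr = parse_version(version_text)
    if is_esr:
        channel = "esr"
    elif android:
        channel = "android"
    else:
        channel = "release"
    return version >= FIXED[channel], channel


def audit(inventory):
    """Map each host to 'patched', 'VULNERABLE (...)' or 'unknown'.

    inventory is an iterable of (host, version_text, is_android) tuples.
    """
    results = {}
    for host, version_text, android in inventory:
        try:
            patched, channel = is_patched(version_text, android)
        except ValueError:
            # Unparseable or pre-release string: needs a manual look.
            results[host] = "unknown"
            continue
        if patched:
            results[host] = "patched"
        else:
            needed = ".".join(str(part) for part in FIXED[channel])
            results[host] = f"VULNERABLE ({channel}, needs {needed})"
    return results


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("desk-01", "Mozilla Firefox 97.0.2", False),
    ("desk-02", "Mozilla Firefox 97.0.1", False),
    ("kiosk-01", "Mozilla Firefox 91.6.0esr", False),
    ("kiosk-02", "Mozilla Firefox 91.6.1esr", False),
    ("phone-01", "97.2.0", True),
    ("lab-01", "Mozilla Firefox 98.0b9", False),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

A non-ESR build reporting 91.6.1 is compared against the release channel and flagged, because only ESR builds are fixed at that version number.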

Basic Browser Security: Volume 6 in John R. Hines’ Computer Security for Mere Mortals, a short document that shows how to have the most browser security with the least effort


Mar 04 2022

What Security Engineers Hate About SIEM

SIEM Satisfaction is Mediocre

When CISOs, CIOs, CTOs, security engineers, security analysts and security architects were asked to rank the primary capabilities of a traditional SIEM according to how satisfied they were with those capabilities, an interesting picture emerged. The survey results indicated that every primary capability of traditional SIEM solutions, at best, only somewhat met the majority of users’ needs. Some capabilities were irrelevant to many users. This tepid level of satisfaction is what drove many security teams to undertake the effort to build their own security monitoring tools. 

Data Coverage and Data Use

Less than 25% of the respondents believed that their SIEM covered more than 75% of their security-relevant data. Nearly 17% responded that their existing platform covered less than a quarter of their data.

Furthermore, when asked if they believed their current SIEM platform was capable of handling the volume of security data their organization will generate in the future, a third of the respondents said they expected their existing platform to keep falling behind.

These results underscore the risks security teams (and their organizations) are forced to tolerate due to the cost and overhead required to bring high volumes of security-relevant data into traditional SIEM platforms. Without full visibility into all necessary data, security teams will undoubtedly have blind spots that impede their ability to protect their organizations.

OK, so what can they do instead? Well, a cloud-native architecture capable of ingesting, normalizing and analyzing terabytes of data per day cost-effectively is necessary to keep up.

Moving From Static to Dynamic

Security professionals are well aware of the static nature of traditional SIEM platforms. Many believe they pay too much for the capabilities provided and are concerned about what the future holds. 

SIEMs were designed over ten years ago when the world was a very different place. The technology hasn’t evolved its approach to keep up with the needs of cloud-scale environments. Adequate security today depends on full visibility into security-relevant data, structured, scalable data lakes, cloud-native workflows and fast detection and response times. Security teams need a modern approach to security monitoring built for the cloud-first world.

Security Information and Event Management (SIEM) Implementation 

Tags: SIEM


Mar 04 2022

75% of medical infusion pumps affected by known vulnerabilities

Category: hipaa, Security vulnerabilities | DISC @ 9:52 am

Researchers analyzed more than 200,000 network-connected medical infusion pumps and discovered that over 100,000 of them are vulnerable.

Researchers from Palo Alto Networks have analyzed more than 200,000 medical infusion pumps on the networks of hospitals and other healthcare organizations and discovered that 75% are affected by known vulnerabilities that could be exploited by attackers.

“We reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks.” reads the report published by Palo Alto Networks. “An alarming 75 percent of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.”


One of the most interesting findings that emerged from the report is that 52% of all infusion pumps analyzed by the experts were susceptible to two vulnerabilities publicly disclosed in 2019. These data are disconcerting considering that the average infusion pump has a life of eight to 10 years.

The following table reports the 10 most prevalent issues that emerged from the scan of network-connected medical devices. 


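| # | CVE | Severity (Score) | % of analyzed pumps with CVEs |
|---|-----|------------------|-------------------------------|
| 1 | CVE-2019-12255 | 9.8 (Critical) | 52.11% |
| 2 | CVE-2019-12264 | 7.1 (High) | 52.11% |
| 3 | CVE-2016-9355 | 5.3 (Medium) | 50.39% |
| 4 | CVE-2016-8375 | 4.9 (Medium) | 50.39% |
| 5 | CVE-2020-25165 | 7.5 (High) | 39.54% |
| 6 | CVE-2020-12040 | 9.8 (Critical) | 17.83% |
| 7 | CVE-2020-12047 | 9.8 (Critical) | 15.23% |
| 8 | CVE-2020-12045 | 9.8 (Critical) | 15.23% |
| 9 | CVE-2020-12043 | 9.8 (Critical) | 15.23% |
| 10 | CVE-2020-12041 | 9.8 (Critical) | 15.23% |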

Table 1. The top 10 most prevalent vulnerabilities found in the more than 200,000 inf

Experts grouped the issues into several categories, including leakage of sensitive information, unauthorized access and buffer overflow. Palo Alto Networks reported that some issues are related to third-party cross-platform libraries used by the devices, such as network stacks.

 and CVE 2019-12264 vulnerabilities in the TCP/IP stack IPNet.

Both flaws affect 52% of the analyzed infusion pumps, more than 104,000 devices.

Palo Alto Networks recommends that healthcare providers adopt a proactive security strategy to prevent attacks. Below are some key capabilities to consider when evaluating IoMT security strategies and technologies for healthcare:

  • Accurate discovery and inventory
  • Holistic risk assessment
  • Apply risk reduction policies
  • Prevent Threats

“Among the 200,000 infusion pumps we studied, 75% were vulnerable to at least one vulnerability or threw up at least one security alert. While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target.” concludes the report.

Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States – cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves, our data, and our hospitals from harm.

Tags: medical infusion pumps


Mar 03 2022

Popular open-source PJSIP library is affected by critical flaws

Category: Security vulnerabilities | DISC @ 10:46 am

Researchers from JFrog’s Security Research team discovered five vulnerabilities in the popular PJSIP open-source multimedia communication library.

PJSIP is a communication library written in C language implementing standard-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines signaling protocol (SIP) with rich multimedia framework and NAT traversal functionality into high level API that is portable and suitable for almost any type of systems ranging from desktops, embedded systems, to mobile handsets.

PJSIP supports audio, video, presence, and instant messaging. The API supplied by the library can be used by IP telephony applications, including VoIP devices.

Many popular communication applications use the library, including WhatsApp, BlueJeans and Asterisk.

An attacker can exploit the flaws to gain arbitrary code execution on devices running applications using the vulnerable library or to trigger a denial-of-service (DoS) condition.

The list of the flaws discovered in the PJSIP library:

Open Source Security: Your Network More Secure With Open Source Tools 

Tags: critical flaws, open-source PJSIP


Mar 02 2022

How to keep your medical device IP safe from cyber attacks

Category: hipaa | DISC @ 10:42 am

Guarding intellectual property (IP) has always been a priority for medical device manufacturers as competitors and even nation states are constantly trying to compromise or steal IP. For example, in January 2019, a Chinese national who stole secrets while working for medical device companies including Medtronic and Edwards, was sentenced to over two years in federal prison. Over time, Wenfeng Lu had copied numerous documents belonging to both of his employers that contained technical information and trade secrets, took them home, and placed them on his personal laptop computer. He was arrested as he prepared to board a plane to the PRC.


It has never been easier or more profitable to hack devices for their IP. More and more medical devices have transformed from mechanical devices with limited software, to software packed devices. Companies spend billions of dollars on R&D for years upon years, only to leave vulnerabilities in the software and firmware of the devices, opening the door for hackers to waltz in, and steal their IP. Something is horribly wrong with this scenario.

Sometimes the vulnerabilities are created during the development process, and sometimes they come part and parcel from the components received from their supply chain providers. Amplifying the challenge is the shortage of parts and components caused in part by the pandemic. This is driving many manufacturers to seek alternative suppliers who can produce steady supplies. With new suppliers comes the added risk of new, untested components and the potential for many new threats and vulnerabilities.

Organizations that wish to secure their IP from theft and misuse need to do a much better job at securing the devices that they produce.

What’s at stake

Stolen intellectual property enables hackers to re-engineer and sell the same device with a fraction of the investment in R&D. Wenfeng Lu for example had obtained financing and was preparing to open a company in the PRC that would manufacture devices used to treat vascular problems and would use technology he had stolen from his American employers, according to court documents.

The Commission on the Theft of American Intellectual Property estimates that annual costs from IP losses range from $225 billion to $600 billion. IP infringement may significantly affect a company’s revenue and put downward pressure on its prices. If a competitor steals a company’s product trade secrets, it may beat that company to market with a new and innovative product, undercutting the victim’s market share.

Medical device companies face a very competitive environment, increasing the incentive for IP theft. Stealing IP using online hacking techniques has become more widespread and harmful due to low costs, difficult attribution and the ability to remotely hack systems.

The device is the target

While it is true that the IP can leak from internal sources and insider threats, IP is being hacked more and more through cyber-attacks on the device itself. For example, a recent case was reported where a Massachusetts medical device engineering company experienced hacking of source code for its medical devices and algorithms, essential to operate the devices. Devices reside at the customer’s location and can often be accessed, investigated and reverse engineered at the attacker’s leisure.

New Common Vulnerabilities and Exposures (CVEs) frequently appear and risk assessments are often only sporadically executed during the development process, and not done at all after the product is launched. This means that there are significant time periods when devices are wide open to hacks, allowing hackers to steal software and firmware algorithms and disappear, without anyone ever knowing they were there.

Hardening the device

Protecting IP assets is a business-critical task. Protecting the IP on a device requires a holistic approach to device security. Locking down the interfaces, as well as protecting the software code and firmware, is crucial for defending against IP theft. While there is no guarantee of protection, the goal is to increase the level of difficulty to the point where there are many more obstacles, and more time and cost required for hacking the device.

It’s imperative that medical manufacturers defend themselves from IP theft, including targeted cyber-attacks. To protect IP, enterprises need product security systems that automatically and continuously monitor medical device software and firmware, uncovering known and zero day vulnerabilities.

Protecting the code

The software and firmware running the device are a valuable target for attackers. Adding layers of protection to make the code less accessible to attackers, is essential to securing IP. This includes uncovering errors in the code that could allow attackers to enter, encryption of the data and storage, and using obfuscation techniques to make reverse engineering more challenging.

Manufacturers should employ continuous vulnerability assessments of the software deployed on medical devices, using vulnerability databases. They should ensure that the cybersecurity platform they enlist is also able to detect zero-day vulnerabilities. The monitoring should stretch through the entire lifecycle from design to end-of-life of the device. The solution should also be able to output software bill of materials (SBOM) or cyber bill of materials (CBOM) and remediation options for any threats or vulnerabilities discovered.

Keeping products secure

One of the most effective ways to secure the IP on a device is to eliminate the easiest method for hacking the device, known vulnerabilities. Attackers scan targets for known and published vulnerabilities to use as starting points for attacks. Vulnerability management requires continuous monitoring of threats and vulnerabilities throughout the product lifecycle. Late discovery or lack of proper remediation of discovered vulnerabilities can lead to costly recalls, and damage to brand and bottom line.

Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States

Tags: healthcare device security, Protecting Connected Medical Devices


Mar 02 2022

NVIDIA discloses data breach after the recent ransomware attack

Category: Data Breach, Ransomware, Security Breach | DISC @ 10:31 am

Chipmaker giant Nvidia confirmed a data breach after the recently disclosed security incident, proprietary information stolen.

The chipmaker giant Nvidia was recently the victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the incident.

The incident also impacted the company’s developer tools and email systems, but business and commercial activities were not affected.

“Our business and commercial activities continue uninterrupted,” Nvidia said in a statement. “We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.”

The Lapsus$ ransomware gang is claiming responsibility for this attack. The group claims to have stolen 1 TB of data from Nvidia’s network, and it leaked around 20GB of data online, including credentials for all Nvidia employees.

The company launched an investigation into the incident to determine the extent of the intrusion, which confirmed that the attackers have stolen data from the chipmaker.

NVIDIA said employee credentials and proprietary information were stolen during a cyberattack they announced on Friday.

The chipmaker giant discovered the intrusion on February 23. The attack also impacted its IT resources.

“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the Lapsus$ ransomware gang wrote on its Telegram channel in a subsequent message. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts.”

Below is the statement shared by NVIDIA with some websites and published by BleepingComputer.

“On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” reads the statement. “We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.”

Big Breaches: Cybersecurity Lessons for Everyone

Tags: Big Breaches, NVIDIA data breach


Mar 01 2022

CISA and FBI warn of potential data wiping attacks spillover

Category: Cyber War, data security, Digital cold war | DISC @ 10:08 am

US CISA and the FBI warned US organizations that data wiping attacks targeting Ukraine entities could spill over to targets worldwide.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory to warn US organizations of data wiping attacks targeting Ukraine that could hit targets worldwide.

The advisory warns of the potential effects of two destructive malware strains, tracked as WhisperGate and HermeticWiper, on organizations worldwide.

The US agencies believe that further disruptive data wiping attacks could target organizations in Ukraine and may unintentionally spill over to organizations in other countries.

This joint Cybersecurity Advisory (CSA) provides information on the two wipers as well as indicators of compromise (IOCs) that could be used by defenders to detect and prevent infections. The advisory also provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.” reads the advisory. “Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”

Below is the list of actions recommended to the organizations:
• Set antivirus and antimalware programs to conduct regular scans.
• Enable strong spam filters to prevent phishing emails from reaching end users.
• Filter network traffic.
• Update software.
• Require multifactor authentication.

The advisory also includes recommendations for System and Application Hardening and Recovery and Reconstitution Planning along with Incident Response instructions.

Blackout Warfare: Attacking The U.S. Electric Power Grid A Revolution In Military Affairs 

Tags: Blackout Warfare, data wiping attacks


Feb 28 2022

Cyber security for construction businesses

Category: cyber security | DISC @ 10:54 am

Building an Effective Cybersecurity Program

Tags: Building an Effective Cybersecurity Program, Cyber security for construction businesses


Feb 28 2022

Take a dev-centric approach to cloud-native AppSec testing

Category: App Security, Information Security | DISC @ 10:09 am

While some applications are still being built on a monolithic (all-in-one) architecture – i.e., all components in a single code base, on a single server, connected to the internet – an increasing number of them is now based on the microservices architecture, with each application microservice a self-contained functionality, “housed” in a container managed by an orchestrator like Kubernetes, deployed on the cloud (public or private), and communicating with other application microservices over the network in runtime.

But with applications no longer self-contained, security vulnerabilities are no longer present just in the code; vulnerabilities can “start” on one microservice, go through multiple components, and “finish” on a different microservice.

“We are no longer dealing with just vulnerabilities, but also with vulnerable flows between microservices. On top of that, as cloud-native applications are built on multiple infrastructure layers – the container, the cluster, and the cloud – the way these layers are configured affects what a hacker can do with these vulnerabilities,” notes Ron Vider, one of the co-founders and the CTO of Oxeye.

Modern architectures require modern AppSec testing solutions

This dramatic change in how applications are structured has made traditional approaches to application security ineffectual and has created security blind spots for AppSec and DevOps teams.

“Old-school” software composition analysis (SCA) and static, dynamic, and interactive application security testing (SAST, DAST, IAST) tools are run independently, are not synchronized with one another, and are unable to cross-reference and use enriched data from other code layers in the environment. The incomplete and inaccurate results they provide when testing cloud-native apps have made it obvious that a new approach and new, better tools are needed.


Oxeye is one such tool. It essentially combines all AST methodologies with a new generation of security control assessment capabilities and, as a result, excels in finding and correctly prioritizing vulnerabilities in cloud-native applications that need to be addressed. It helps clear the noise of false positives/negatives delivered by legacy solutions, and allows developers and AppSec teams to focus on high-risk, critical vulnerabilities.

Getting started with Oxeye is fantastically easy: you need to deploy a single component (Oxeye Observer) into your staging or testing environment, and you do it by using a single YAML file containing its definitions.


“The Oxeye Observer immediately starts running within the cluster and starts its automatic discovery process,” Vider told Help Net Security.

“First it analyzes the infrastructure to understand how the application is configured, and it does that by communicating with the Docker API, the containerd API, the Kubernetes API and the cloud provider API, and fetching the relevant configuration. Then, it detects potential vulnerabilities in the code (the application’s code and the third-party components). Next, it analyzes the communication between the different components and traces their flow. Finally, it validates the found vulnerabilities by sending payloads to the application and analyzing its behavior, to understand whether it’s exploitable or not.”

More on analysis of Oxeye…

The Self-Taught Software Tester A Step By Step Guide to Learn Software Testing Using Real-Life Project

Tags: AppSec, AppSec testing


Feb 27 2022

Help Net Security: Healthcare Cybersecurity Report has been released

Category: hipaa | DISC @ 12:15 pm

Help Net Security’s newest report takes a closer look at one of the most targeted industries today – healthcare.

As exhausted healthcare professionals struggle with an extraordinary situation, their IT departments face critical skills and staffing shortages. Routine security measures may fall by the wayside, breaches may go undetected for weeks, and efforts to validate the security measures undertaken by affiliates and third parties may fall short.

The idea behind the Help Net Security: Healthcare Cybersecurity Report is to provide you with an overview of the information security issues healthcare is dealing with, offer expert insight on what is needed to move defense capabilities in the right direction, and provide food for thought for those working to protect healthcare infrastructures worldwide.


Published Q1 2022

Since the start of the COVID-19 pandemic, security incidents at healthcare organizations have become more common. This not only increased costs for an already struggling industry, but inflicted a burden on the individuals whose personal information was exposed.

The Help Net Security: Healthcare Cybersecurity Report provides you with an overview of the information security issues healthcare is dealing with, offers expert insight on what is needed to move defense capabilities in the right direction, and provides food for thought for those working to protect healthcare infrastructures worldwide.

Tags: Healthcare Cybersecurity Report


Feb 26 2022

Fileless SockDetour backdoor targets U.S.-based defense contractors

Category: Backdoor | DISC @ 12:35 pm

Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.

According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.

Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (aka DEV-0322), in which threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability () and ServiceDesk Plus vulnerability (). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.

SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by TiltedTemple operators revealed the presence of other miscellaneous tools, including memory dumping tool and several webshells.

“SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” reads the analysis published by Palo Alto Networks. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”

Once SockDetour is injected into the process’s memory, it hijacks legitimate processes’ network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.


According to Microsoft, DEV-0322 is an APT group based in China, which employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.

At least four defense contractors were targeted by the threat actor, and one of them was compromised.

SockDetour was delivered from an external FTP server (a compromised QNAP) to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021. The researchers speculate the QNAP NAS server was previously infected with QLocker ransomware.

“While it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time.” concludes the report.

Learning Malware Analysis

Tags: SockDetour backdoor, U.S.-based defense contractors


Feb 25 2022

Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing

Category: Information Security, Malware, Phishing | DISC @ 10:02 am

The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel.

The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151.

In mid-January, the government of Kyiv attributed the defacement of tens of Ukrainian government websites to Belarusian APT group UNC1151. Defaced websites were displaying the following message in Russian, Ukrainian and Polish languages.

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.” reads a translation of the message.

In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites. According to FireEye, the campaign, tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks. Instead, the threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

Now Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters that the Ukrainian government blamed the UNC1151 APT group. Demedyuk explained that the attacks were carried out to cover for more destructive actions behind the scenes.

The nation-state group is using the compromised accounts to target contacts in the victims’ address books. The attackers’ spear-phishing messages have been sent from email accounts using the domains

 and .

The phishing messages used a classic social engineering technique in an attempt to trick victims into providing their information to avoid the permanent suspension of their email accounts.

The phishing attacks are also targeting Ukrainian citizens, reported the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).


Tags: spear-phishing


Feb 24 2022

Iranian Broadcaster IRIB hit by wiper malware

Category: Ransomware | DISC @ 9:20 am

Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.

An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January revealed the involvement of a disruptive wiper malware along with other custom-made backdoors, and scripts and configuration files used to install and configure the malicious executables.

Check Point researchers who investigated the attack reported that the attackers used a wiper malware to disrupt the state’s broadcasting networks, damaging both TV and radio networks.

According to the experts, the effects of the attack were more serious than officially reported.

Check Point was not able to find any evidence that demonstrates a previous use of these tools, or attribute them to a specific threat actor.

During the attack, threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi along with the image of Ayatollah Khamenei crossed out with red lines and the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!”

“During a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,” IRIB said.

“Our colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi told state TV channel IRINN.

“Similar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,” he added, referring to other state-affiliated broadcast channels.

The experts discovered two identical .NET samples named msdskint.exe that were used to wipe the files, drives, and MBR on the infected devices, making them unusable.

The malware can also clear Windows Event Logs, delete backups, kill processes, and change users’ passwords.

The report details the use of four backdoors in the attack:

  • WinScreeny, used to make screenshots of the victim’s computer;
  • HttpCallbackService, a Remote Administration Tool (RAT);
  • HttpService, another backdoor that listens on a specified port;
  • ServerLaunch, a C++ dropper.

Iranian officials attribute the attack to MEK; however, the opposition group itself denies any involvement.

The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks happened in Iran.” the researchers conclude.


Tags: Iran, Ransomware Protection Playbook, wiper malware


Feb 23 2022

A comparison of NDR solutions: Deep packet inspection (DPI) vs. metadata analysis

Category: Network security | DISC @ 9:54 am

DPI has become popular since it provides very detailed traffic analysis. However, this approach requires designated hardware sensors and large amounts of processing power, while at the same time being blind to encrypted network traffic and only analysing data flowing over the mirrored infrastructure.

Metadata analysis (MA) overcomes these limitations to provide detailed and insight-enriched visibility into the entire network. In addition, MA is completely unaffected by encryption and ever-increasing network traffic. These advantages make MA-based NDR solutions a superior and future-proof alternative to NDR solutions relying on deep packet inspection.

Modern organisations are characterised by complex IT environments and expanding attack surfaces. To protect themselves, they need a robust cyber architecture with a reliable Network Detection and Response (NDR) solution. NDR is crucial to detect suspicious behaviours and malicious actors, and quickly respond to threats. NDR tools continuously analyse traffic to build models of “normal” behaviour on enterprise networks, detect suspicious traffic, and raise alerts.

Traditional NDR solutions rely on deep packet inspection (DPI). This approach supports detailed analysis and has thus become quite popular. But as data volumes increase and network traffic becomes increasingly encrypted, such solutions are becoming inadequate to protect enterprise networks moving forward. What organisations now need is a more future-proof NDR solution relying on metadata analysis.

In this article, we explore and compare two NDR approaches: deep packet inspection and metadata analysis. We will examine why metadata analysis is a superior detection technology to protect IT/OT networks from advanced cyber threats.

What is deep packet inspection and how does it work?

Deep packet inspection is the traditional approach to NDR. DPI monitors enterprise traffic by inspecting the data packets flowing across a specific connection point or core switch. It evaluates the packet’s entire payload, i.e., its header and data part, to look for intrusions, viruses, spam, and other issues. If it finds such issues, it blocks the packet from going through the connection point.

DPI relies on traffic mirroring. In effect, the core switch provides a copy (“mirror”) of the network traffic to the sensor that then uses DPI to analyse the packet’s payload. Thus, DPI provides rich information and supports detailed analysis of each packet on the monitored connection points. This is one of its biggest benefits.

However, its drawbacks outnumber this benefit. As network traffic continues to increase and IT environments become increasingly complex and distributed, DPI is reaching its limits.


Why DPI can’t detect or prevent advanced cyberattacks


Tags: Deep packet inspection, NDR solutions


Feb 22 2022

Why DDoS is still a major attack vector and how to protect against it

Category: DDoS | DISC @ 9:51 pm

What is a DDoS attack?

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks aren’t new cyberattack vectors; they go all the way back to the early 1970s when modern commercial and enterprise networks emerged.

DDoS is a cyberattack in which the adversary seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. It doesn’t peruse any private data or get control over the target’s infrastructure; it just aims to bring the service down.

In today’s world, specifically with COVID, which accelerated organizations’ digital transformation, web presence is a must for just about any business. In this environment, DDoS attacks can be very destructive.

Main ingredients of DDoS attacks

Ingredient # 1 – Botnet

A botnet is a group of machines that have been infected with malware and are controlled by it without the knowledge of their owners. Bots range from ordinary home or office PCs to IoT devices. The compromised machines, called bots or ‘zombies’, are used to launch DDoS attacks, spread spam, or perform other malicious activities orchestrated by the attacker.

One of the most infamous botnets is ‘Mirai,’ which used hundreds of thousands of hijacked IoT devices. The creators of the Mirai botnet, Josiah White, Paras Jha, and Dalton Norman, who were all between 18 and 20 years old when they built Mirai, managed to hijack IoT devices by scanning the Internet for vulnerable IoT devices with factory-set usernames and passwords, logging into them, and infecting them with the Mirai malware.

The Mirai botnet was used in multiple DDoS attacks between 2014 and 2016 and, when the creators felt the heat coming from the authorities, they published the Mirai source code on a hackers’ forum in an attempt to cover their tracks. All three were eventually indicted, pleaded guilty, and are now fighting crime with the FBI. Amazing how life turns out.

Just like we have COVID variants and mutations, Mirai also evolved and its source code mutations have been used in the wild by hackers. Okiru, Satori/Fbot, Masuta, Moobot, and more than 60 other Mirai variants are out there.

Ingredient # 2 – Command and Control

Star topology of a DDoS attack


Tags: DDoS Protection, major attack vector


Feb 22 2022

Microsoft Safety Scanner

Category: Malware, Security vulnerabilities | DISC @ 10:10 am

How to Use Microsoft Safety Scanner for Windows

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

Note

Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Important information

  • The security intelligence update version of the Microsoft Safety Scanner matches the version described in this web page.
  • Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
  • Safety Scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
  • This tool does not replace your antimalware product. For real-time protection with automatic updates, use Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8 or Microsoft Security Essentials on Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on removing difficult threats.

System requirements

Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to the Microsoft Lifecycle Policy.

How to run a scan

  1. Download this tool and open it.
  2. Select the type of scan that you want to run and start the scan.
  3. Review the scan results displayed on screen. For detailed detection results, view the log at %SYSTEMROOT%\debug\msert.log.

To remove this tool, delete the executable file (msert.exe by default).

For more information about the Safety Scanner, see the support article on how to troubleshoot problems using Safety Scanner.
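
The following PowerShell script is an added example, not Microsoft's code and not part of the original page. It checks the two conditions stated above before a scan (the signature and the 10-day usage window) and then shows the end of the detection log; the Downloads location, the function name and the use of the file's creation time as the download time are assumptions.

```powershell
# Added example. Assumption: msert.exe was saved to the current user's
# Downloads folder; pass -Path to point somewhere else.
function Test-SafetyScannerDownload {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads\msert.exe'),
        [int]$MaxAgeDays = 10    # usage window stated on the page
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Safety Scanner not found at '$Path'."
    }

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate

    # CreationTime is when the file appeared on this disk; it is used here
    # as a stand-in for the download time (assumption).
    $ageDays = [math]::Round(((Get-Date) - $file.CreationTime).TotalDays, 1)

    [pscustomobject]@{
        Path              = $file.FullName
        SignatureStatus   = $sig.Status
        Signer            = if ($cert) { $cert.Subject } else { $null }
        # Algorithm used to sign the signer certificate itself, e.g. sha256RSA.
        CertAlgorithm     = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        AgeDays           = $ageDays
        # 'Valid' means the Authenticode hash matches and the chain is trusted.
        SignedByMicrosoft = ($sig.Status -eq 'Valid') -and
                            ($cert.Subject -match 'O=Microsoft Corporation')
        WithinUsageWindow = $ageDays -le $MaxAgeDays
    }
}

$check = Test-SafetyScannerDownload
$check | Format-List

if (-not $check.SignedByMicrosoft) {
    Write-Warning 'Signature is missing, invalid or not from Microsoft: do not run this file.'
} elseif (-not $check.WithinUsageWindow) {
    Write-Warning "Download is $($check.AgeDays) days old: fetch a fresh copy before scanning."
}

# After a scan, show the end of the detailed log named in step 3.
$log = Join-Path $env:SystemRoot 'debug\msert.log'
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 40
}
```

A `HashMismatch` or `NotSigned` status means the file was altered or is not the genuine tool, so it should be deleted and downloaded again from Microsoft.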




Feb 22 2022

A cyber attack heavily impacted operations of Expeditors International

Category: Cyber Attack, Ransomware | DISC @ 9:45 am

American worldwide logistics and freight forwarding company Expeditors International shuts down global operations after cyber attack

American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.

Expeditors has over 18,000 employees worldwide and annual gross revenue of around $10 billion. The company discovered the attack on February 20, 2022; it has not provided details about the attack and announced that it has launched an investigation into the incident.

“Expeditors International of Washington, Inc. (NASDAQ:EXPD) announced that on February 20, 2022, we determined that our company was the subject of a targeted cyber-attack. Upon discovering the incident, we shut down most of our operating systems globally to manage the safety of our overall global systems environment.” reads the announcement published by the company. “The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments.”

The information publicly available on the attack suggests the company was the victim of a ransomware attack and was forced to shut down its network to prevent the threat from spreading.

The attack impacted the company’s operations, including its capability to arrange for shipments of freight or manage customs and distribution activities for its customers’ shipments.

The company hired cybersecurity experts to investigate the security breach and recover from the attack.

The company warned that the incident could have a material adverse impact on its business, revenues, results of operations and reputation.

“We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation.” concludes the advisory.


Tags: cyber attack, cyberwarfare, The Hacker and the State


Feb 22 2022

How much can you trust your printer?

Category: Printer security | DISC @ 9:33 am

Which assets can be made accessible by printer vulnerabilities?

Business-class printers are often running a variant of Linux, which means they have many of the same vulnerabilities that you would find on any network-attached Linux server. Many zero-day exploits that have been found in the Linux kernel could be found in these printers if they are left unpatched.

So, what is the primary motivation of attackers? It is usually to gain remote access behind the corporate firewall. Cybercriminals often use network-attached devices to discover more about the other devices connected to the network. If a device can be used to scan the network, it might be possible to find other vulnerable devices on the network. It may even be possible for the attacker to use the printer to mount the attacks on other network-attached devices. In this way, a printer becomes a staging area for malicious actors to attack and compromise other, more critical platforms within a corporate network.

That said, for some companies, the printer itself can be the target. Many business-class printers have hard drives that are used to save jobs, templates and other necessary information needed for their use by the customer. This means that an immense amount of sensitive and confidential data is being stored on the printer. Extraction of this valuable, locally stored data on the printer is sometimes an attacker’s goal.

What can organizations do to make their printers secure?

First off, good “firmware hygiene” is essential. Multi-function network-attached printers are surprisingly sophisticated systems, and as a result have highly sophisticated embedded operating systems. Most of these printers have a webserver for providing device status and allowing configuration updates along with printer firmware updates. These devices are also expected to support a lot of different network protocols, such as SNTP, SNMP and the related printer-specific protocols.

As you might expect: the more complex the firmware in a device is, the more potential security vulnerabilities it may have. Printer OEMs are aware of the attack surface their products present, and they strive to maintain the highest grade of security within their embedded software. A policy for applying standard vendor-authentic updates and patches should be followed. Also, intrusion-detection software should be operational within a corporate LAN. This allows for monitoring of any non-standard, potentially malicious traffic – not just from the user’s personal devices, but from any network-attached appliance.


Tags: Printer security


Feb 21 2022

BEC scammers impersonate CEOs on virtual meeting platforms

The FBI warned that US organizations and individuals are being increasingly targeted in BEC attacks on virtual meeting platforms.

The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests.

Cybercriminals are targeting organizations of any size as well as individuals. In BEC attack scenarios, attackers pose as someone the targets trust, such as business partners, CEOs, executives, and service providers.

Scammers compromise legitimate business or personal email accounts through different means, such as social engineering or computer intrusion, to conduct unauthorized transfers of funds.

Crooks started using virtual meeting platforms due to the popularity they have reached during the pandemic.

The Public Service Announcement published by the FBI warns of a new technique adopted by scammers, who are using virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts.

“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.

Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.

Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:

  • Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
  • Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
  • Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.

Below are recommendations provided by the FBI:

  • Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
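
The two URL recommendations above (checking that a link belongs to the business it claims to be from, and watching for misspelled domain names) can be automated. The PowerShell script below is an added example, not FBI code and not part of the original page; the trusted domain, the sample links and the function names are constructed for illustration.

```powershell
# Added example. Trusted domains and sample links below are constructed.
function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance using two rolling rows.
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = @(0) * ($B.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $best = [math]::Min($prev[$j] + 1, $curr[$j - 1] + 1)
            $curr[$j] = [math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    $prev[$B.Length]
}

function Find-LookalikeLink {
    param(
        [string[]]$Url,
        [string[]]$TrustedDomain,
        [int]$MaxDistance = 2     # how many typos still count as a lookalike
    )
    foreach ($u in $Url) {
        $uri = $null
        if (-not [uri]::TryCreate($u, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $hostName = $uri.Host.ToLowerInvariant()

        # A trusted domain or one of its subdomains is accepted as is.
        $match = $TrustedDomain | Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") }
        if ($match) { continue }

        foreach ($d in $TrustedDomain) {
            # Compare only as many trailing labels as the trusted domain has,
            # so "login.examp1e-corp.com" is compared as "examp1e-corp.com".
            $n    = $d.Split('.').Count
            $tail = ($hostName.Split('.') | Select-Object -Last $n) -join '.'
            $dist = Get-EditDistance $tail $d.ToLowerInvariant()
            if ($dist -ge 1 -and $dist -le $MaxDistance) {
                [pscustomobject]@{ Url = $u; Host = $hostName; Resembles = $d; Distance = $dist }
            }
        }
    }
}

$trusted = @('example-corp.com')                   # constructed
$links = @(
    'https://portal.example-corp.com/invoice',     # genuine subdomain
    'https://examp1e-corp.com/meeting',            # digit 1 instead of l
    'https://login.exampel-corp.com/reset',        # transposed letters
    'https://unrelated.example.net/'               # different domain, not a lookalike
)
Find-LookalikeLink -Url $links -TrustedDomain $trusted | Format-Table -AutoSize
```

Only the second and third links are reported. Edit distance does not catch internationalised homoglyph domains, and very short trusted domains will produce false positives at a distance of 2.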

Tags: CEO, scammers impersonate


Feb 21 2022

New Version of the NIST CSF Tool

Category: NIST CSF, NIST Privacy | DISC @ 9:32 am

NIST CSF Tool

By John Masserini

THE NIST CSF TOOL

I am quite thrilled to announce that the long-overdue update to my NIST CSF tool V2.0 is finally done. While this new version generally looks the same as the prior one, there are substantial changes underneath which will make updating it in the future far easier.

Originally released in January of 2019, it has become the most popular page on the site, with almost 20,000 downloads. To get a full understanding of the tool, you can read the original post here which goes into great detail about why it was developed and how to use it.

After numerous requests, I have also added the NIST Privacy Framework to the tool as well. The same logic has been applied here as to the CSF side – it’s just as, or perhaps even more, important to measure what you do (your practices) against what you say you do (your policies) when it comes to Privacy as it is Security.

As always, I welcome suggestions and feedback. The email to reach me is in the worksheet.

You can find the new version on the Downloads page.


Tags: NIST CSF Tool

