Role Based Access Control in Cloud Computing: Role Based Access Control Using Policy Specification and Ontology on Clouds
May 04 2022
Do You Need to Rethink AppSec With 5G?
It’s not quite everywhere yet, but 5G connectivity is growing rapidly. That’s a great thing for remote workers and anyone depending on a fast connection, but what kind of impact will 5G have on application security?
“The explosion of 5G is only going to put more pressure on teams to harden their application security practice,” said Mark Lambert, vice president of products at ArmorCode, via email. The reason is the increase in the attack surface.
More devices with high bandwidth will be connecting to your network systems and services. At the same time, Lambert pointed out, business leaders are demanding an increase in the pace of software delivery. As 5G use becomes the norm, so does the risk of apps without the security to support faster connectivity.
“Application security teams need ways to quickly identify vulnerabilities within the DevSecOps pipeline and collaborate with development teams to escalate remediation,” said Lambert.
The IoT Dilemma
5G will accelerate the use of IoT devices, which in turn will accelerate app development for IoT devices. Based on the lack of priority for security in the application development process today, there is no indication that IoT software will be designed to handle the challenges of 5G security in the future. And there will be challenges.
The 5G systems won’t just connect phones, sensors and software to the internet. “On a high level, a 5G system comprises a device connected to a 5G access network which, in turn, is connected to the rest of the system called a 5G core network,” according to a whitepaper from Ericsson.
So, it won’t simply be all the new connections that are expanding the attack surface and creating an increased application security risk, but also the change in how 5G connects to the network. Rather than the one-way network that was in place under 4G, 5G brings a two-way communication capability, and, according to a Cyrex blog post, would “be linked in this two-way network and effectively would be public to those with the skills to exploit the link.”
5G, AppSec and the Cloud
Expect to see 5G lead to an increase in the adoption of cloud applications, said Kevin Dunne, president at Pathlock, in an email interview.
“Increased connectivity and connection speeds from anywhere will drive companies to invest in infrastructure that can be accessed from anywhere,” said Dunne. “Providing accessible applications will increase employee productivity, but it will also introduce new threats. With critical resources now on the public network, bad actors can access them from anywhere, increasing the number of threats to sensitive data and business processes.”
IT security teams will need to shift their focus from network-based perimeter protection to more modern approaches that look beyond what users can do in an application to what they are doing, Dunne added. “This helps to defend against modern attacks like phishing and ransomware which are increasingly common in cloud environments.”
It’s not all gloom and doom for 5G and application security. 5G can enhance app security, allowing developers to create more intelligent software and allowing them to use virtual hardware. 5G can also improve identity management and authentication that will make it more difficult for threat actors to infiltrate applications.
5G is expected to transform business reliance on IoT devices and cloud applications. Expect new threats and risks to go hand-in-hand with the innovations that 5G brings. Those responsible for application security will need to prepared with cybersecurity systems that will adapt to those threats.
5G Wireless: A Comprehensive Introduction
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
May 04 2022
Pro-Ukraine attackers compromise Docker images to launch DDoS attacks on Russian sites
Pro-Ukraine hackers are using Docker images to launch distributed denial-of-service (DDoS) attacks against a dozen Russian and Belarusian websites.
Pro-Ukraine hackers, likely linked to Ukraine IT Army, are using Docker images to launch distributed denial-of-service (DDoS) attacks against a dozen websites belonging to government, military, and media. The DDoS attacks also targeted three Lithuanian media websites.
The attacks were monitored by cybersecurity firm CrowdStrike, who discovered that the Docker Engine honeypots deployed between February 27 and March 1 were compromised and used in the DDoS attacks.
The attackers attempt to exploit misconfigured Docker installs through exposed APIs and takeover them to abuse their computational resources.
“Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military and civilian targets.” reported Crowdstrike. “Docker Engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian and Lithuanian websites in a denial-of-service (DoS) attack.”
The technique to compromise Dockers containers is widely adopted by financially-motivated threat actors, like LemonDuck or TeamTNT to abuse their resources and mine cryptocurrencies.
The experts noticed that the Docker images’ target lists overlap with domains shared by the Ukraine IT Army (UIA). The attacks involved the two images that have been downloaded over 150,000 times, but the threat intelligence firm confirmed that CrowdStrike Intelligence cannot determine the exact number of downloads originating from compromised infrastructure.
The list of targeted websites includes the Kremlin and Tass agency websites.
The two images used by the attackers are named “erikmnkl/stoppropaganda” and “abagayev/stop-russia”.
“Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA that called its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites.” concludes the report that includes Indicators of Compromise (IoCs) along with Snort detection rule.
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
May 03 2022
A DNS flaw impacts a library used by millions of IoT devices
A vulnerability in the domain name system (DNS) component of the uClibc library impacts millions of IoT products.
Nozomi Networks warns of a vulnerability, tracked as CVE-2022-05-02, in the domain name system (DNS) component of the uClibc library which is used by a large number of IoT products. The flaw also affects DNS implementation of all versions of the uClibc-ng library, which is a fork specifically designed for OpenWRT, a common OS for routers used in various critical infrastructure sectors.
An attacker can exploit the vulnerability for DNS poisoning or DNS spoofing and redirect the victim to a malicious website instead of the legitimate one.
“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.” reads the advisory published by Nozomi Networks.
The uClibc library is used by major vendors, including Linksys, Netgear, and Axis, or Linux distributions such as Embedded Gentoo.
Security experts did not disclose the details of the flaw because the vendor has yet to address it.
The researchers from Nozomi discovered the issue by reviewing the trace of DNS requests performed by an IoT device in their test environment. They were able to determine the pattern of DNS requests performed from the output of Wireshark, the transaction ID is first incremental, then resets to the value 0x2, then is incremental again. The transaction ID of the requests was predictable, a circumstance that could allow an attacker to perform DNS poisoning under certain circumstances.
“A source code review revealed that the uClibc library implements DNS requests by calling the internal “__dns_lookup” function, located in the source file “/libc/inet/resolv.c”.” continues the advisory. “Given that the transaction ID is now predictable, to exploit the vulnerability an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server. Exploitability of the issue depends exactly on these factors. As the function does not apply any explicit source port randomization, it is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port.”
If the OS uses randomization of the source port, the only way to exploit the issue is to bruteforce the 16-bit source port value by sending multiple DNS responses, while simultaneously winning the race against the legitimate response.
“As anticipated, as of the publication of this blog, the vulnerability is still unpatched. As stated in a public conversation, the maintainer was unable to develop a fix for the vulnerability, hoping for help from the community. The vulnerability was disclosed to 200+ vendors invited to the VINCE case by CERT/CC since January 2022, and a 30-day notice was given to them before the public release.” concludes Nozomi.
Managing Mission – Critical Domains and DNS: Demystifying nameservers, DNS, and domain names
May 02 2022
Most Important Python Tools for Ethical Hackers & Penetration Testers 2022
By Balaji N
There are a variety of python tools are using in the cybersecurity industries and the python is one of the widely used programming languages to develop the penetration testing tools.
Anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out the mastering in Python For Hacking From Scratch.
It has a highly practical but it won’t neglect the theory, so we’ll start with covering some basics about ethical hacking and python programming to advanced level.
The listed tools are written in Python, others are just Python bindings for existing C libraries and some of the most powerful tools pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc. Here you can also find 1000 ofhacking tools.
Best Python Tools for Pentesters
Python Course & Papers
- Hacking with Python – Learn to Create your own Hacking Tools
- Mastering in Python Programming For Hacking From Scratch
- SANS offers the course SEC573: Python for Penetration Testers.
- The Python Arsenal for Reverse Engineering is a large collection of tools related to reverse engineering.
- There is a SANS paper about Python libraries helpful for forensic analysis (PDF).
- For more Python libaries, please have a look at PyPI, the Python Package Index.
Network
- Scapy, Scapy3k: send, sniff and dissect and forge network packets. Usable interactively or as a library
- pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap
- libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
- dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
- Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
- pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
- Dirtbags py-pcap: read pcap files without libpcap
- flowgrep: grep through packet payloads using regular expressions
- Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist
- SubBrute, fast subdomain enumeration tool
- Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly
- Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
- Spoodle: A mass subdomain + poodle vulnerability scanner
- SMBMap: enumerate Samba share drives across an entire domain
- Habu: python network hacking toolkit
Debugging and Reverse Engineering
- Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
- Immunity Debugger: scriptable GUI and command line debugger
- mona.py: PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
- IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
- PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
- pefile: read and work with Portable Executable (aka PE) files
- pydasm: Python interface to the libdasm x86 disassembling library
- PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
- uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
- diStorm: disassembler library for AMD64, licensed under the BSD license
- Frida: A dynamic instrumentation framework which can inject scripts into running processes
- python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
- vdb / vtrace: vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
- Androguard: reverse engineering and analysis of Android applications
- Capstone: lightweight multi-platform, multi-architecture disassembly framework with Python bindings
- Keystone: lightweight multi-platform, multi-architecture assembler framework with Python bindings
- PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library
- CHIPSEC: framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.
Fuzzing
- afl-python: enables American fuzzy lop fork server and instrumentation for pure-Python code
- Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
- Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
- antiparser: fuzz testing and fault injection API
- TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
- untidy: general purpose XML fuzzer
- Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
- SMUDGE
- Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
- Fuzzbox: multi-codec media fuzzer
- Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
- Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
- WSBang: perform automated security testing of SOAP based web services
- Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
- fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano
- Fusil: Python library used to write fuzzing programs
Web
- Requests: elegant and simple HTTP library, built for human beings
- lxml: easy-to-use library for processing XML and HTML; similar to Requests
- HTTPie: human-friendly cURL-like command line HTTP client
- ProxMon: processes proxy logs and reports discovered issues
- WSMap: find web service endpoints and discovery files
- Twill: browse the Web from a command-line interface. Supports automated Web testing
- Ghost.py: webkit web client written in Python
- Windmill: web testing tool designed to let you painlessly automate and debug your web application
- FunkLoad: functional and load web tester
- spynner: Programmatic web browsing module for Python with Javascript/AJAX support
- python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions
- mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
- pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers
- spidy: simple command-line web crawler with page downloading and word scraping
Forensics
- Volatility: extract digital artifacts from volatile memory (RAM) samples
- Rekall: memory analysis framework developed by Google
- LibForensics: library for developing digital forensics applications
- TrIDLib, identify file types from their binary signatures. Now includes Python binding
- aft: Android forensic toolkit
Malware Analysis
- pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
- Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
- pyClamAV: add virus detection capabilities to your Python software
- jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities
- yara-python: identify and classify malware samples
- phoneyc: pure Python honeyclient implementation
- CapTipper: analyse, explore and revive HTTP malicious traffic from PCAP file
- peepdf: Python tool to analyse and explore PDF files to find out if they can be harmful
- Didier Stevens’ PDF tools: analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF)
- Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
- Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
- pyPDF2: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt…
- PDFMiner: extract text from PDF files
- python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support
Misc
- InlineEgg: toolbox of classes for writing small assembly programs in Python
- Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
- RevHosts: enumerate virtual hosts for a given IP address
- simplejson: JSON encoder/decoder, e.g. to use Google’s AJAX API
- PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools
- Hachoir: view and edit a binary stream field by field
- py-mangle: command line tool and a python library used to create word lists for use with other penetration testing tools
- wmiexec.py: execute Powershell commands quickly and easily via WMI
- Pentestly: Python and Powershell internal penetration testing framework
- hacklib: Toolkit for hacking enthusiasts: word mangling, password guessing, reverse shell and other simple tools
Other Useful Libraries and Tools
- IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
- Beautiful Soup: HTML parser optimized for screen-scraping
- matplotlib: make 2D plots of arrays
- Mayavi: 3D scientific data visualization and plotting
- RTGraph3D: create dynamic graphs in 3D
- Twisted: event-driven networking engine
- Suds: lightweight SOAP client for consuming Web Services
- M2Crypto: most complete OpenSSL wrapper
- NetworkX: graph library (edges, nodes)
- Pandas: library providing high-performance, easy-to-use data structures and data analysis tools
- pyparsing: general parsing module
- lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
- Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
- Pexpect: control and automate other programs, similar to Don Libes `Expect` system
- Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython
- PyQt and PySide: Python bindings for the Qt application framework and GUI library
Books
- Violent Python by TJ O’Connor. A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
- Grey Hat Python by Justin Seitz: Python Programming for Hackers and Reverse Engineers.
- Black Hat Python by Justin Seitz: Python Programming for Hackers and Pentesters
- Python Penetration Testing Essentials by Mohit: Employ the power of Python to get the best out of pentesting
- Python for Secret Agents by Steven F. Lott. Analyze, encrypt, and uncover intelligence data using Python
- Python Web Penetration Testing Cookbook by Cameron Buchanan et al.: Over 60 Python recipes for web application testing
- Learning Penetration Testing with Python by Christopher Duffy: Utilize Python scripting to execute effective and efficient penetration tests
- Python Forensics by Chet Hosmer: A Workbench for Inventing and Sharing Digital Forensic Technology
- The Beginner’s Guide to IDAPython by Alexander Hanel
Talks, slides and articles
- Python & Reverse Engineering Software by Alexander Hanel
- Python Arsenal for Reverse Engineering by Dmitriy Evdokimov at RUCTF 2016
Mastering Python for Networking and Security
May 02 2022
How Log4j Reshaped Cloud Security Thinking
A report from IT security firm Valtix has revealed how IT leaders are changing the way they secure cloud workloads in the aftermath of the Log4j vulnerability.
Log4j is a logging library and part of the Apache Software Foundation’s Apache Logging Services project. It is pretty much ubiquitous in applications and services built using Java.
It is used to record all manner of digital activities that run under the hoods of millions of computers. In December 2021, the Log4j vulnerability—aka CVE-2021-44228—was publicly announced and rapidly flagged as one of the most critical security vulnerabilities in recent years.
Once hackers discovered it was vulnerable to attack, they opened a dangerous vulnerability for IT teams across every industry.
Valtix surveyed 200 cloud security leaders to better understand how they protect every app across every cloud in the aftermath of Log4j. The survey found that 95% of IT leaders said Log4j and Log4Shell was a wake-up call for cloud security and that the vulnerability changed it permanently.
Log4j Changed Security Thinking
Log4j impacted not only the security posture of organizations across the globe but the very way IT leaders think about security.
The survey found 83% of IT leaders felt that the response to Log4j has impacted their ability to address business needs and that Log4j taught IT leaders the status quo isn’t good enough.
Respondents said they felt the security protections in place now are insufficient, that other high severity open source vulnerabilities will emerge and they worry that cloud service providers themselves might have vulnerabilities that could impact their teams.
In addition, 85% of respondents said poor integration between cloud security tools often slows down security processes and caused security lapses, while 82% of IT leaders said visibility into active security threats in the cloud is usually obscured.
Just over half (53%) said they felt confident that all their public cloud workloads and APIs were fully secured against attacks from the internet, and less than 75% said they were confident that all of their cloud workloads were fully segmented from the public internet.
“Security leaders are still dealing with the impacts of Log4Shell,” explained Davis McCarthy, principal security researcher at Valtix. “Although many have lost confidence in their existing approach to cloud workload protection, the research shows they are taking action in 2022 by prioritizing new tools, process changes and budget as it relates to cloud security.”
Changing Cloud Security Priorities
The survey also revealed that Log4j shuffled cloud security priorities, with 82% of IT leaders admitting their priorities have changed and 77% of leaders said they are still dealing with Log4j patching.
Vishal Jain, co-founder and CTO at Valtix, added that the research echoed what the company is hearing from organizations daily: Log4Shell was a catalyst for many who realized that—even in the cloud—defense-in-depth is essential because there is no such thing as an invulnerable app.
“Log4Shell exposed many of the cloud providers’ workload security gaps as IT teams scrambled to mitigate and virtually patch while they could test updated software,” he said. “They needed more advanced security for remote exploit prevention, visibility into active threats or ability to prevent data exfiltration.”
According to the report, as a result of Log4j, security leaders are prioritizing additional tools, process changes and budgets, with industries from financial services to manufacturing reprioritizing their cloud security initiatives after Log4j.
The top five industries where confidence is still negatively impacted due to Log4j are energy, hospitality/travel, automotive, government and financial services, the survey found.
The majority (96%) of enterprises said their cloud security threats grow more complex every year as new players, threats, tools, business models and requirements keep IT teams busier and more important than ever.
Security leaders also indicated that they recognize there’s no such thing as an invulnerable cloud workload and that defense-in-depth is needed, with 97% of IT leaders viewing defense-in-depth as essential in the cloud.
However, budget constraints slow tech adoption, with lack of funding the top challenge to adequate protection, followed by concerns that preventative security will slow down the business.
Survey respondents also indicated it is difficult to operationalize cloud workload protection solutions, with 79% of IT leaders agreeing that agent-based security solutions are difficult to operationalize in the cloud.
Meanwhile, 88% of IT leaders said they think bringing network security appliances to the cloud is challenging to the cloud computing operating model and 90% of IT leaders said open network paths to cloud workloads from the public internet can create security risks.
Free and open source software (FOSS) will continue to present a risk to organizations as hackers focus on exploiting security flaws in the code, a report from Moody’s Investors Service found.
In the case of Log4j, for example, three to five years could elapse before organizations are finished patching security flaws, and with recent estimates indicating open source makes up 80% to 90% of the average piece of software, the persistent security threats FOSS presents is significant.
Log4Shell 2 Hours Hands-On Log4j Vulnerability: For Java engineers
Apr 29 2022
3 Ways to Boost Pentesting ROI
If you’re a car owner, it can be tempting to put off an oil change, tire rotation or other recommended vehicle tune-up. But reality becomes all too clear when you’re sitting on the side of the highway waiting for AAA. And it’s even more painful when you’re hit with a massive repair bill a few days later that far exceeds any short-lived savings.
Like many frustrated drivers, businesses are currently learning this lesson the hard way with cybersecurity. Last year, data breaches at organizations increased by 68% to reach their highest volume ever, according to Identity Theft Resource Center’s 2021 Data Breach Report.
Even as data breaches become more prevalent and costly, many organizations continue to hold off on vital cybersecurity measures, as well as neglect routine pentesting and provisioning maintenance. This short-sighted approach costs organizations more in the long run.
In order to prevent hacks and breaches, businesses must act quickly and treat cybersecurity as a long-term investment; learning how to drive the most value from security testing instead of waiting for a cyberattack to occur.
Pentesting: A Proactive Approach to Cybersecurity
One of the most effective ways to increase your cybersecurity readiness is penetration testing (pentesting, for short)—a simulated cyberattack designed to discover vulnerabilities in an organization’s IT systems.
Pentesting involves stepping into hackers’ shoes to identify weak spots. By role-playing how a hacker might breach your security configurations, this process helps identify potential vulnerabilities and threats, test security responses and capabilities and measure ongoing improvements to your cybersecurity system.
Your pentesters can come from either your internal security experts or from a third-party team. They dig into your security systems one by one, starting with a set of objectives to carry out an attack. Most teams combine black-box and white-box testing: For black, the pentester acts as a true external hacker with little or no knowledge of the IT landscape; for white, the pentester acts as an internal developer with complete knowledge of the landscape.
Here’s what the process typically looks like:
- Pentesters begin with low-privilege identity credentials from someone in a network, but they also look for vulnerabilities from any unauthenticated perspectives. After gaining remote access, pentesters explore your system and search for exploitable security gaps.
- Based on what they find, pentesters develop and carry out a cyberattack. The aim is to gain escalating privileges and a greater ability to modify your systems, which packs a bigger punch than stealing data alone.
- Once an attack commences, pentesters report their findings, rank vulnerabilities in terms of severity and advise you on remedies. After changes are implemented, pentesters test again to ensure you’ve properly closed all gaps.
How to Get the Most out of Pentesting
For most organizations, reservations about pentesting aren’t rooted in a lack of understanding about the strategy’s benefits; instead, it comes down to time and money. In fact, 74% of IT professionals and security leaders said they would test their systems more frequently if it wasn’t so cumbersome, while 71% said it was too expensive.
So, how can you ensure your investment pays off?
Here are three ways to achieve greater ROI on pentesting that are worth your resources:
- Don’t skimp on scope or substance. On average, a high-quality pentest costs between $30,000 and $60,000 depending on the size and complexity of your organization. Large enterprises, for example, may spend closer to $100,000. While it’s tempting to choose the cheapest option available on the market, low-cost alternatives often sacrifice test quality and deliver results that are far too narrow to provide meaningful remedies. Pay for a test that looks at your cybersecurity system comprehensively and is capable of producing results that benefit your security team in the long term.
- Set clear objectives and test cases. Most CISOs have a laundry list of security concerns that keeps them up at night. Pentesting is a great way to put those scenarios to rest. You can assemble a detailed list of top security concerns for pentesters to target first, which ensures that testing is specific to your industry, your company and your security framework.
- Incorporate testing (and retesting) as part of your cybersecurity routine. Security systems—and threats that aim to compromise them—are constantly changing. Routine testing on an annual or semiannual basis ensures your cybersecurity remains up-to-date and provides a metric for constant improvement. In fact, 85% of cybersecurity pros reported conducting such tests at least once a year. Retesting verifies that issues you’ve identified in the past have been fixed.
The consequences of a cyberattack are more devastating than ever: In 2021, the average cost of a data breach reached a record $4.24 million, according to IBM’s annual Cost of a Data Breach Report.
Yet the average cybersecurity budget only constitutes 15% of a business’s overall IT budget. It often takes a catastrophe to galvanize organizations to update and improve cybersecurity measures. But by that time, the damage is done—loss of business, broken trust with customers, damage to your reputation and even regulatory fines.
Rather than waiting for a security incident, incorporate routine pentesting to ensure your cybersecurity defenses are ready for a potential attack. For cars, every 5,000 miles is a good rule of thumb for an oil change or tire rotation. For cybersecurity teams, an annual pentest is a solid start to boost your organization’s cybersecurity maintenance and drive sustained improvements that are well worth the cost.
The Pentester BluePrint: Starting a Career as an Ethical Hacker
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Apr 29 2022
Keep your digital banking safe: Tips for consumers and banks
Digital banking has been a reality for quite a while now, particularly pushed forward in these last few years. Is security keeping up the pace?
Online banking and mobile banking apps have made great security strides in recent years. In fact, some of today’s most well-respected banks are improving security measures by offering SMS or email alerts for financial transactions, multi-factor authentication, fraud monitoring and alerts, and two-step verification for large money transfers. When these features are set up correctly, they exponentially increase the security for personal banking accounts.
Unfortunately, not all consumers use these critical safeguards on their accounts. Our recent Retail Banking Survey found that 30% of those relying on a password only change it one to two times a year, and 23% admit to never changing their password. Despite banks working to improve online security protocols, consumers must also do their part in taking advantage of enhanced security features to keep their accounts safe.
What makes digital banking vulnerable the most?
Instead of physically walking into a bank to manage finances, consumers can now access their account effortlessly on a banking website or mobile app. However, since banks strive to make the digital banking experience as intuitive and frictionless as possible for users, this can also present an opportunity for hackers to access unwitting consumers’ bank accounts.
Since authenticating a consumer’s true identity is so important to the online banking experience, if a bank does not offer strong identity verification, or if consumers are not practicing proper cyber hygiene on their mobile devices and computers, they can be socially engineered into giving up access to their bank account. Considering the majority (45%) of bank customers continue to use traditional username and password to log in, as opposed to more secure methods like thumbprint (20%), facial recognition (17%) or two-factor authentication (16%), consumer’s financial information is more vulnerable than they may realize.
What are the common mistakes consumers make when using digital banking?
The biggest mistake is that many customers still use the same username and password combination to access their online bank account, as they would for other websites. Since websites are constantly being breached (and then their entire password databases are bought and sold on hacker forums), today’s fraudsters are well-versed in testing stolen credentials to log into as many other sensitive websites (like emails, bank accounts and cloud storage accounts) as possible. This is why consumers must use a lengthy and unique password for their online banking accounts, one that can also easily be created and managed through a password manager.
Another common mistake is when consumers don’t set up secure multi-factor authentication, which is necessary in protecting oneself in today’s online world, because simple credentials can be stolen or guessed by a hacker at any time. This protocol is easy to set up and makes it exponentially more difficult for hackers to gain access to a banking account, as it requires additional security measures like FaceID and TouchID, coupled with the consumer’s login credentials, to authenticate to the online bank.
Finally, banking customers should take advantage of security alerts to keep their financial information secure. Many banks allow customers to set up monitoring and security alerts in their banking profiles, so they know when someone is either accessing their account or performing any financial transactions with their funds. This can help them take action much quicker against potential hacks, as well as keep a closer eye on their financial information.
How aware are consumers of the possible threats to their bank accounts and data and how proactive have they become in protecting them?
Many people are still not aware of how easily a fraudster can convince the average person to unknowingly give up their bank account details. Furthermore, many don’t know that poor cyber hygiene on their computers and mobile devices can lead to them inadvertently exposing their personal information.
Some good cyber hygiene practices include keeping devices and all automatically installed apps up to update, installing only trusted apps from the App Store, running anti-virus software and being suspicious of unsolicited calls, texts and emails from banks.
Hackers are using fake emails, texts and phone calls to trick people into thinking their bank is directly contacting them to take some kind of ‘urgent action,’ by coaxing them to verify fake fraudulent activity, or their personal details. Furthermore, there have been cases of fake banking apps distributed on the Google Play Store that look identical to legitimate Android banking apps, but were actually designed to steal victims’ banking credentials.
Banks also educate their customers about the dangers of online banking, as well as actively encourage them to set up features such as multi-factor authentication and security alerts on their accounts.
Consumers should be routinely checking their bank accounts for fraudulent activity, and according to our survey, 41% people check their bank accounts almost every day. Security is a team sport, and it involves active participation by everyone involved to ensure that bank accounts remain safe. In addition to monitoring their accounts, consumers can do their part by making sure they turn on the various security features in their bank account profile.
What can banks do to strengthen their cyber resiliency while offering a satisfactory customer experience?
Banks should continue to communicate to customers how easy it is to enable multi-factor authentication and security alerts for their accounts. This will mitigate many security issues, even if the consumer decides to continue using the same credentials on their banking site, as they do on other websites.
Additionally, banks can strengthen their cyber resiliency using a superior digital insights platform, to ensure that the process and flow for setting up online banking security controls, such as multi-factor authentication and alerts, are seamless and easy to activate. This allows banks to monitor visitors’ digital banking experience, identify and resolve specific pain points consumers face when trying to set up better security controls on their profile, either due to technical errors or confusing UX designs.
If they have any setup issues, and back out of turning features on, banks can pinpoint exactly where that occurred so they can address it, and people are more encouraged in the future to finish the setup process. Real-time monitoring of web and mobile banking applications can also help flag fraudulent activity, so that action can be taken against it and prevent it in the future.
Apr 28 2022
CloudFlare blocked a record HTTPs DDoS attack peaking at 15 rps
Cloudflare has mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS).
Cloudflare announced to have mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS), which is one of the largest HTTPS DDoS attacks blocked by the company.
The company blocked the attack earlier this month, the experts pointed out that HTTPS DDoS attacks are more expensive because require higher computational resources for establishing a secure TLS encrypted connection. On the other side, HTTPS DDoS attacks cost more to the victim to mitigate.
“Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.” reads the post published by CloudFlare. “We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”
The attack was launched by a botnet composed of approximately 6,000 unique bots that was monitored by Cloudflare experts and that was involved in other massive attacks that peaked at 10M rps.
The DDoS attack blocked by the company lasted less than 15 seconds and targeted an unnamed customer operating a crypto launchpad. Crypto launchpads are platforms for launching new coins, crypto projects, and raising liquidity.
Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor’s control.
The analysis of the malicious traffic revealed that it mostly originated from data centers, it originated from 112 countries around the world. 15% of the malicious traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.
“Within those countries, the attack originated from over 1,300 different networks. The top networks included the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.” concludes the post.
In August, the web infrastructure and website security company announced that it has mitigated the largest ever volumetric distributed denial of service (DDoS) attack at the time. The malicious traffic reached a record high of 17.2 million requests-per-second (rps), a volume three times bigger than previously reported HTTP DDoS attacks. Be aware, that the attack that the company blocked in August was an HTTP DDoS and not an HTTPS one.
In November 2021, the company mitigated a distributed denial-of-service (DDoS) attack that peaked just below 2 terabytes per second (Tbps), which is the largest attack Cloudflare has seen to date.
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Apr 27 2022
Linux Nimbuspwn flaws could allow attackers to deploy sophisticated threats
Microsoft disclosed two Linux privilege escalation flaws, collectively named Nimbuspwn, that could allow conducting various malicious activities.
The Microsoft 365 Defender Research Team has discovered two Linux privilege escalation flaws (tracked as CVE-2022-29799 and CVE-2022-29800) called “Nimbuspwn,” which can be exploited by attackers to conduct various malicious activities, including the deployment of malware.
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” reads the advisory published by Microsoft.
The flaws can be exploited by attackers to achieve root access to the target systems and deploy by more sophisticated threats, such as ransomware.
The flaws reside in the systemd component called networked-dispatcher, which is dispatcher daemon for systemd-networkd connection status changes.
The review of the code flow for networkd-dispatcher revealed multiple security issues, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues.
The researchers started enumerating services that run as root and listen to messages on the System Bus, performing both code reviews and dynamic analysis.
Chaining the issues, an attacker in control of a rogue D-Bus service that can send an arbitrary signal, can deploy backdoors on the compromised final touches.
he researchers were able to develop their own exploit that runs an arbitrary script as root. The exploit also copies /bin/sh to the /tmp directory, sets /tmp/sh as a Set-UID (SUID) executable, and then invokes “/tmp/sh -p”. (the “-p” flag is necessary to force the shell to not drop privileges)
Researchers recommend users of networkd-dispatcher to update their installs.
“To address the specific vulnerabilities at play, Microsoft Defender for Endpoint’s endpoint detection and response (EDR) capabilities detect the directory traversal attack required to leverage Nimbuspwn.” concludes the post.
Mastering Linux Security and Hardening
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Apr 26 2022
Nation-state Hackers Target Journalists with Goldbackdoor Malware
A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.
Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. Attacks have consisted of multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.
Researchers at Stairwell followed up on an initial report from South Korea’s NK News, which revealed that a North Korean APT known as APT37 had stolen info from the private computer of a former South Korean intelligence official. The threat actor–also known as Ricochet Collima, InkySquid, Reaper or ScarCruft—attempted to impersonate NK News and distributed what appeared to be a novel malware in an attempt to target journalists who were using the official as a source, according to the report.
NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.
“The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,” researchers wrote. “These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.”
APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.
As Stairwell researchers noted, journalists are “high-value targets for hostile governments,” and often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments’ use of the NGO Group’s Pegasus spyware against journalists, among other targets.
“[Journalists] often are aggregators of stories from many individuals–sometimes including those with sensitive access,” Stairwell researchers wrote. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Apr 26 2022
Phishing goes KISS: Don’t let plain and simple messages catch you out!
We’re sure you’ve heard of the KISS principle: Keep It Simple and Straightforward.
In cybersecurity, KISS cuts two ways.
KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.
For example, most of the phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.
Incorrect logos, incomprehensible grammar, outright ignorance about our online identity, weird spelling errors, absurd punctuation!!!!, or bizarre scenarios (no, your surveillance spyware definitely did not capture live video through the black electrical tape we stuck over our webcam)…
…all these lead us instantly and unerringly to the [Delete] button.
If you don’t know our name, don’t know our bank, don’t know which languages we speak, don’t know our operating system, don’t know how to spell “respond immediately”, heck, if you don’t realise that Riyadh is not a city in Austria, you’re not going to get us to click.
That’s not so much because you’d stand out as a scammer, but simply that your email would advertise itself as “clearly does not belong here”, or as “obviously sent to the wrong person”, and we’d ignore it even if you were a legitimate business. (After that, we’d probably blocklist all your emails anyway, given your attitude to accuracy, but that’s an issue for another day.)
Indeed, as we’ve often urged on Naked Security, if spammers, scammers, phishers or other cybercriminals do make the sort of blunder that gives the game away, make sure you spot their mistakes, and make them pay for their blunder by deleting their message at once.
KISS, plain and simple
Apr 26 2022
Anomaly Six, a US surveillance firm that tracks roughly 3 billion devices in real-time
An interesting article published by The Intercept reveals the secretive business of a US surveillance firm named Anomaly Six.
When we speak about the secretive business of surveillance businesses we often refer to the powerful tools developed by Israeli firms like NSO Group and Candiru, but many other firms operates in the shadow like the US company Anomaly Six (aka A6).
According to an interesting analysis published by The Intercept, Anomaly Six is a secretive government contractor that claims to monitor billions of phones worldwide.
While Russia was invading Ukraine in February, two unknown surveillance startups, Anomaly Six and Zignal Labs joined forces to provide powerful surveillance services.
Zignal Labs is a company that provides social media surveillance, combining its analysis with capabilities of A6, the U.S. government was able to spy on Russian the army before the invasion.
“According to audiovisual recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, the firm claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the world’s population.” reads the article published by The Intercept. “The staggering surveillance capacity was cited during a pitch to provide A6’s phone-tracking capabilities to Zignal Labs, a social media monitoring firm that leverages its access to Twitter’s rarely granted “firehose” data stream to sift through hundreds of millions of tweets per day without restriction.”
The capabilities claimed by the surveillance firm are worrisome, a government contractor can spy on Americans and pass gathered data to the US intelligence agencies.
The source that provided the information on the secretive surveillance firms to The Intercept said that Zignal Labs violated Twitter’s terms of service to gather intelligence, but the company refused any accusation.
A6, unlike other surveillance firms, harvests only GPS pinpoints and data it provides allows to surveil roughly 230 million devices on an average day. A6 is able to access GPS measurements gathered through covert partnerships with “thousands” of apps. A6 also claimed to have amassed a huge quantity of information on people, it has gathered over 2 billion email addresses and other personal details for these individuals.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
Apr 25 2022
BlackCat Ransomware gang breached over 60 orgs worldwide
At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI.
The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November.
“The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”
The list of the victims of the gang includes Moncler, the Swissport, and Inetum.
The BlackCat/ALPHV a Ransomware was first discovered in December by malware researchers from Recorded Future and MalwareHunterTeam. The malware is the first professional ransomware strain that was written in the Rust programming language.
BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.
Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.
According to the alert, many of the developers and money launderers for gang are linked to
Darkside/Blackmatter operations.
ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.
ALPHV is attempting to recruit affiliates for its operations, offering them between 80% and 90% of the final ransom, depending on its value. The BlackCat operations only hit a small number of victims at this time in the USA, Australia, and India.
Ransom demands range from a few hundreds of thousands up to $3M worth of Bitcoin or Monero.
The alert includes indicators of compromise (IoCs) associated with BlackCat/ALPHV, as of mid-February 2022.
The FBI is seeking any information that can be shared related to the operations of the BlackCat ransomware operation.
Below are recommended mitigations included in the alert:
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
- Review antivirus logs for indications they were unexpectedly turned off.
- Implement network segmentation.
- Require administrator credentials to install software.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Use multifactor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
- Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
Ransomware Protection Playbook
Apr 22 2022
The Great Resignation meets the Great Exfiltration: How to securely offboard security personnel
“The Great Resignation” is a phenomenon that has greatly impacted how we work. As of August 2021, 65% of people in the United States were looking for a new job and 25% of them actually quit. With tens of millions of people shuffling around the workforce, there is another key asset organizations are at risk of losing: data.
People and data are, arguably, a company’s two most important resources, and while losing people is a challenge, losing both can be devastating to a business’s security and competitiveness. This is especially true for security personnel, as they often have unique privileges or access to data and information that other personnel may not. As a result, the Great Resignation has become the “Great Exfiltration,” as people leaving their jobs may also be taking company data with them.
Considering the Great Exfiltration, it is vital for organizations to create and implement a robust data loss prevention (DLP) strategy during the offboarding process to prevent any destruction or loss of data. This is particularly important with many organizations still working remotely, where the lines between personal and professional devices have become blurred.
That said, there are a few tactics that leaders can keep in mind while employing their DLP strategies during the offboarding process:
Automation is key when offboarding security personnel
“People may be your greatest asset – but they can also be your biggest liability.”
People, Risk, and Security: How to prevent your greatest asset from becoming your greatest liability
Apr 22 2022
Cyber Insurance and the Changing Global Risk Environment
When security fails, cyber insurance can become crucial for ensuring continuity.
Cyber has changed everything around us – even the way we tackle geopolitical crisis and conflicts. When
Einstein was asked what a war will look like in the future, he couldn’t have predicted the importance of
digital technology for modern societies.
According to a report by IDC, by the end of 2022, nearly 65% of the global GDP will be digitized — reliant on a digital system of some kind. This shift to digital technology has created a new class of digital risks that are constantly evolving and strike faster and often with more severity than traditional risks. The events of the past two years have made this shift clear: from ransomware attacks to the challenges of managing distributed workforces, digital risk is different.
Our reliance on digital technology and the inherited risk is a key driving factor for buying cyber risk insurance. If the technology were to become unavailable, the resulting business impact could be mitigated with cyber insurance. Even if businesses invest in cybersecurity protections, as they increasingly do, security controls are not impenetrable. When security fails, cyber insurance can become crucial for ensuring continuity.
While traditional insurance has served mainly as a hedge against loss only after an incident, insurance designed for the digital economy needs to look at risk from a different angle, providing value before, during, and after an incident that could lead to a loss. This is essential for all businesses, as the analysis of security incidents that led to claims during 2021 reveals.
- Ransom demands continue to increase. The ransomware business model has begun to mature, and the average ransom demand has increased by 20%.
- The frequency of other attack techniques also rose as hackers expanded to new tactics. This heralds an era of omnidirectional threat. While ransomware may be the most newsworthy, no attack vector can be ignored.
- Small businesses are disproportionately impacted. As attacks become increasingly automated, it has become easier and more profitable for criminals to target small organizations.
“We are noticing a drastic increase in both likelihood and severity of all types of cyber-attack,” says Isaac Guasch, cyber security specialist at Tokyo Marine HCC International. “Whether you are a small independent business or a large, international organization, the increasingly interconnected nature of the businesses that form our economies, is a key threat. Even if you are confident that your cyber security measures are up to date, those of your partners may not be, so you may need to constantly redefine your perimeter,” Guasch adds.
Evolving global risk environment alters the cyber insurance landscape
However, not all risks are technology-related. Businesses operate in a hyper-connected environment where turbulences in one part of the world may have dire consequences in many remote markets. Geopolitical conflicts, societal upheavals, and financial cracks may put the stability of the business environment in question.
As digital technology and interconnectedness blur the boundaries with the physical world, it also becomes more difficult to calculate risk and set premiums. However, it is true that in times of global crisis, premiums do increase. For example, the Council of Insurance Agents & Brokers reported in March 2022 an average premium increase of 34.3% for cyber, marking the first time an increase of this magnitude is recorded since the events of 9/11.
As the global risk environment evolves and changes almost every day, the insurance industry needs to evolve as well. This level of evolution should not only cover cyber insurance but other forms of “traditional” insurance. For example, what happens if a facility is damaged or even destroyed because of a cybersecurity incident targeting a connected IoT device? What is the level of risk that each connected OT device exposes critical infrastructure to?
“With respect to insurance, cyber-attacks are not just affecting cyber liability policies. They are affecting many, if not all policies that are carried by a company,” Rick Toland, executive vice president at Waters Insurance Network, told Industrial Cyber. “Further, it is difficult to quantify where the cyber loss begins, and the property, automobile, GL, pollution or other policy begins and how the financial responsibility of each insurer will be allocated to pay the resulting loss,” Toland added.
Cyber insurance is not a panacea
Within a flux financial, technological, and geopolitical environment, many businesses, especially small-and-medium ones, tend to rely heavily on cyber insurers for answers to their cybersecurity posture challenges. However, buying cyber insurance cannot become the answer to all their security problems.
Instead, businesses can partner with an experienced managed security services company to guide and counsel them through the actions and best practices that can undertake now to better protect themselves against cyberthreats. Shaping a proactive and holistic cybersecurity strategy will better equip businesses in the event they need to submit a claim for losses or damages resulting from a ransomware attack or similar malicious activity.
Above all, it comes down to the basics. Organizations should start by analyzing the security controls they have in place to ensure adherence to guidelines developed by agencies like CISA, FBI, and ENISA, including multifactor authentication, employing antivirus and anti-malware scanning, enabling strong spam filters, updating software, and segmenting networks. Either way, failure to implement basic cyber hygiene measures is a no-go for buying cyber insurance.
About the author: Viral Trivedi
Viral Trivedi is the Chief Business Officer at Ampcus Cyber Inc—a pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, strategic accounts, and customer relationship management. He specializes in all aspects of managed security services, in both hands-on, and advisory roles. Viral has also held executive and senior management positions with small, and large organizations, and is also a Smart Cities & Critical Infrastructure Professional, as well as an active member of Infragard.
Embracing Risk: Cyber Insurance as an Incentive Mechanism for Cybersecurity
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Apr 21 2022
Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns By Mimicking Government Vendors
Threat intelligence firm Resecurity details how crooks are delivering IRS tax scams and phishing attacks posing as government vendors.
Cybercriminals are leveraging advanced tactics in their phishing-kits granting them a high delivery success rate of spoofed e-mails which contain malicious attachments right before the end of the 2021 IRS income tax return deadline in the U.S. April 18th, 2022 – there was a notable campaign detected which leveraged phishing e-mails impersonating the IRS, and in particular one of the industry vendors who provide solutions to government agencies which including e-mailing, digital communications management, and the content delivery system which informs citizens about various updates.
Cybercriminals purposely choose specific times when all of us are busy with taxes, and preparing for holidays (e.g., Easter), that’s why you need to be especially careful during these times.
The IT services vendor actors impersonated is widely used by major federal agencies, including the DHS, and other such WEB-sites of States and Cities in the U.S. The identified phishing e-mail warned the victims about overdue payments to the IRS, which should then be paid via PayPal, the e-mail contained an HTML attachment imitating an electronic invoice.
Notably, the e-mail doesn’t contain any URLs, and has been successfully delivered to the victim’s inbox without getting flagged as potential spam. Based on the inspected headers, the e-mail has been sent through multiple “hops” leveraging primarily network hosts and domains registered in the U.S.:
It’s worth noting, on the date of detection none of the involved hosts have previously been ‘blacklisted’ nor have they had any signs of negative IP or abnormal domain reputation:
The HTML attachment with the fake IRS invoice contains JS-based obfuscated code.
Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists
Apr 20 2022
Kaspersky releases a free decryptor for Yanluowang ransomware
Kaspersky discovered a flaw in the encryption process of the Yanluowang ransomware that allows victims to recover their files for free.
Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that can be exploited to recover the files encrypted by the malware without paying the ransom.
The Yanluowang ransomware was first spotted by researchers from Symantec Threat Hunter Team in October 2021, the malware was used in highly targeted attacks against large enterprises.
The discovery is part of an investigation into an attempted ransomware attack against a large organization.
Kaspersky implemented the decrypting process for the Yanluowang ransomware in its RannohDecryptor tool. In order to decrypt their files, victims of this family of ransomware should have at least one original file.
“Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack.” reads the post published by the company.
The Yanluowang ransomware uses different encryption routines depending on the size of the files.
Files greater than 3GB using are partially encrypted in stripes, 5MB after every 200MB, while files smaller than 3GB are completely encrypted from beginning to end.
For this reason, to decrypt files the following conditions must be met:
- To decrypt small files (less than or equal to 3 GB), users need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
- To decrypt big files (more than 3 GB), users need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.
“By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.” continues the post.
The Symantec researchers noticed the use of the legitimate AdFind command line Active Directory query tool that is often abused by ransomware operators as a reconnaissance tool.
Before being deployed on compromised devices, the attackers launch a malicious tool designed to prepare the environment with the following actions:
- Creates a .txt file with the number of remote machines to check in the command line
- Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file
- Logs all the processes and remote machine names to processes.txt
The analysis of the samples collected by the experts revealed that the Yanluowang ransomware uses the Windows API for encryption.
Upon deploying the Yanluowang ransomware, it will stop hypervisor virtual machines, end all processes logged by the above tool (including SQL and back-up solution Veeam), then it will encrypt files. The ransomware appends the .yanluowang extension to the filenames of the encrypted files.
The ransom note (README.txt) dropped on the infected machine warns the victims not to contact law enforcement or ask ransomware negotiation firms for help. The ransomware operators will launch distributed denial of service (DDoS) attacks against the victim if it will not respect their rules. The ransomware operators also threaten to make calls to employees and business partners to damage the brand reputation of the victims, along with targeting again the victim in a few weeks and delete its data.
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Apr 19 2022
Free Infographic: What is ransomware and how can I protect my business?
Ransomware is a type of malicious program that demands payment after launching a cyber attack on a computer system. This type of malware has become increasingly popular among criminals, costing organizations millions each year.
Security experts recognise that ransomware is one of the fastest-growing forms of cyber attack. Its prevalence and reach was emphasised when WannaCry, and more recently, NotPetya, exploited a flaw in Microsoft’s SMB software and spread rapidly across networks, locking away files.
For a quick guide to ransomware and what you can do to protect your business, download our free infographic.
Download now
« Previous Page — Next Page »
