InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The attacks on critical industrial systems such as Colonial Pipeline last year pushed industrial cybersecurity to center stage. And with the threat of war between Russia and Ukraine, experts warned nations that a global flare-up of cybersecurity attacks on critical infrastructure could be looming. In late January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put critical infrastructure organizations on notice: Take “urgent, near-term steps” to mitigate the risk of digital attacks. The alert cited tension in eastern Europe as the catalyst for possible attacks against U.S. digital assets.
Critical Infrastructure Under Attack
Unfortunately, critical systems have long been under significant attack. In fact, an overwhelming 80% of critical infrastructure organizations experienced ransomware attacks last year, according to a survey released today by PollFish on behalf of cyber-physical systems security provider Claroty. The survey, completed in September 2021, gathered responses from full-time information technology and operational technology (OT) security professionals in the United States (500 professionals), Europe (300) and Asia-Pacific (300). The industries surveyed include IT hardware, oil and gas (including pipelines), consumer products, electric energy, pharmaceutical/life sciences/medical devices, transportation, agriculture/food and beverage, heavy industry, water and waste and automotive.
Globally, 80% of respondents reported experiencing an attack and 47% of respondents said the attack impacted their operational technology and industrial control systems environment. A full 90% of respondents that reported their attacks to authorities or shareholders said the impact of those attacks was substantial in 49% of cases.
Researchers at cybersecurity firm Avast discovered that a Chinese-speaking threat actor compromised systems at the National Games of China in 2021. The event took place on September 15, 2021 in Shaanxi (China); it is a national version of the Olympics with only local athletes.
The attackers breached a web server on September 3rd and deployed multiple reverse web shells to establish a permanent foothold in the target network.
Experts noticed that the threat actors started a reconnaissance phase in August, running tests to determine which file types could be uploaded to the server. To perform the tests, the attackers appear to have exploited a vulnerability in the web server.
The attackers tried submitting files with different file types and file extensions, for example a legitimate image under the extensions ico, lua, js, luac, txt, html and rar.
“After gaining knowledge on blocked and allowed file types, they tried to submit executable code. Of course, they started submitting PoCs instead of directly executing a webshell because submitting PoCs is more stealthy and also allows one to gain knowledge on what the malicious code is allowed to do.” reported Avast. “For instance, one of the files uploaded was this Lua script camouflaged as an image (20210903-160250-168571-ab1c20.jpg)”
The attackers reconfigured the web server by uploading a configuration file, camouflaged as a PNG file, that allowed the execution of Lua scripts. Experts found evidence that the server was configured to execute new threads in a thread pool, which didn’t work for the Rebeyond Behinder webshell. Then, as a final payload, the attackers uploaded and ran an entire Tomcat server, properly configured and weaponized with Rebeyond Behinder.
After gaining access to the server, the attackers attempted lateral movement by brute-forcing services and using exploits in an automated way. Attackers were able to upload some tools (dnscrypt-proxy, fscan, mssql-command-tool, behinder) to the server and execute a network scanner (fscan) and a custom one-click exploitation framework written in Go and distributed as a single binary.
“The procedure followed by the attackers hacking the 14th National Games of China is not new at all. They gained access to the system by exploiting a vulnerability in the web server. This shows the need for updating software, configuring it properly and also being aware of possible new vulnerabilities in applications by using vulnerability scanners.” concludes the report. “The most fundamental security countermeasure for defenders consists in keeping the infrastructure up-to-date in terms of patching. Especially for the Internet facing infrastructure.”
Avast reported that the security breach appears to have been resolved before the beginning of the games, however, the experts were not able to determine the type of information exfiltrated by the threat actor.
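The probing described above (the same image bytes uploaded under different extensions, then a Lua script and a server configuration file disguised as images) is exactly what content-based upload validation catches: the declared extension and the actual bytes must agree. The following is an added example, not code from Avast or the original post; the accepted image formats and the text-payload heuristic are assumptions for the demo.

```python
"""Upload validation: reject files whose content does not match their extension.

Added example (not from the Avast report). It demonstrates the defender-side
check against two tricks from the article: (1) a real image submitted under
extensions such as .lua, .js or .rar to probe the allow-list, and (2) a script
or config file submitted under an image extension so that it passes an
extension-only filter. The accepted formats below are an assumption.
"""
import os

# Magic-byte signatures for the image types this endpoint is meant to accept.
IMAGE_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

ALLOWED_EXTENSIONS = set(IMAGE_SIGNATURES)


def detect_image_type(data: bytes):
    """Return the canonical extension whose signature matches the leading bytes, else None."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        for sig in sigs:
            if data.startswith(sig):
                # Treat .jpeg and .jpg as the same format.
                return ".jpg" if ext == ".jpeg" else ext
    return None


def looks_like_script(data: bytes) -> bool:
    """Heuristic (assumed threshold): a payload that is almost entirely printable
    text is a script or config file, not an image."""
    sample = data[:512]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(sample) > 0.95


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Accept only when the extension is on the
    allow-list AND the bytes carry the matching image signature."""
    # splitext() keeps only the last extension, so 'x.jpg.rar' is judged as .rar.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    actual = detect_image_type(data)
    if actual is None:
        if looks_like_script(data):
            return False, "text/script content disguised as image"
        return False, "content does not match any accepted image format"
    expected = ".jpg" if ext == ".jpeg" else ext
    if actual != expected:
        return False, f"content is {actual} but extension is {ext}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples mirroring the probing sequence from the article.
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    print(validate_upload("photo.jpg", jpeg_bytes))
    print(validate_upload("photo.lua", jpeg_bytes))            # extension probe
    print(validate_upload("image.jpg", b"print('hello')\n"))   # script disguised as image
    print(validate_upload("server.png", jpeg_bytes))           # extension/content mismatch
```

Logging the rejection reason alongside the client address also gives a detection signal: a burst of rejected uploads of the same bytes under many extensions is the reconnaissance pattern the report describes.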
Office 365 and Azure Active Directory (Azure AD) customers were the targets of billions of brute-force and phishing attacks last year.
Microsoft revealed that Office 365 and Azure Active Directory (Azure AD) customers were the targets of billions of phishing emails and brute force attacks last year.
The IT giant said it blocked more than 25.6 billion Azure AD brute force authentication attacks and detected 35.7 billion phishing emails with Microsoft Defender for Office 365 in 2021.
Enabling multi-factor authentication (MFA) and passwordless authentication would allow customers to protect their accounts from brute force attacks. However, only 22 percent of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, have implemented a strong identity authentication protection as of December 2021.
“MFA and passwordless solutions can go a long way in preventing a variety of threats and we’re committed to educating customers on solutions such as these to better protect themselves. From January 2021 through December 2021, we’ve blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365.” states Microsoft.
Microsoft added that its Defender for Endpoint blocked more than 9.6 billion malware threats targeting enterprise and consumer customer devices, between January and December 2021.
Microsoft pointed out that online threats are increasing in volume, velocity, and level of sophistication. The company introduced Cyber Signals, a cyber threat intelligence brief informed by the latest Microsoft threat data and research.
Cyber Signals provides trend analysis and practical guidance to strengthen the defenses of its customers.
“With Cyber Signals, we’ll share trends, tactics, and strategies threat actors use to gain access to the hardware and software that houses one’s most sensitive data. We will also help inform the world on how, collectively, we can protect our most precious digital resources and our digital lives so we can build a safer world together.” concludes Microsoft.
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails
IBM Cybersecurity Fundamentals Professional Certificate
Information risk management is the process of identifying the ways an organisation can be affected by a disruptive incident and how it can limit the damage.
It encompasses any scenario in which the confidentiality, integrity and availability of data is compromised.
As such, it’s not just cyber attacks that you should be worried about. Information risk management also includes threats within your organisation – such as negligent or malicious employees – as well as residual risks.
For example, the framework can help you address misconfigured databases, software vulnerabilities and poor security practices at third parties.
In this blog, we take a closer look at the way information risk management works and how organisations can use its guidance to bolster their security defences.
Why is information risk management important?
In the face of ever-growing cyber threats, it can be difficult for an organisation to protect its information assets.
Last year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade. It’s clear, then, that organisations need a plan for identifying and addressing security risks.
With an information risk management system, organisations gain a better understanding of where their information assets are, how to protect them and how to respond when a breach occurs.
One way it does this is by forcing organisations to not only identify but also assess their risks. This ensures that organisations prioritise scenarios that are most likely to occur or that will cause the most damage, enabling them to make informed decisions in line with their security budget.
How risk management works
To understand how risk management programmes work, we need to take a closer look at what ‘risk’ actually is.
In an information security context, risk can be defined as the combination of a vulnerability and a threat.
As we’ve previously discussed, a vulnerability is a known flaw that can be exploited to compromise sensitive information.
These are often related to software flaws and the ways that criminal hackers can exploit them to perform tasks that they weren’t intended for.
They can also include physical vulnerabilities and inherent human weaknesses, such as our susceptibility to phishing scams or the likelihood that we’ll misplace a sensitive file.
This is different from a threat, which is defined as the actions that result in information being compromised.
So, to use the examples above, threats include a criminal hacker exploiting a software flaw or duping an employee with a bogus email.
When a threat meets a vulnerability, you get a risk. In the case of the criminal hacker phishing an employee, the risk is that the attacker will gain access to the employee’s work account and steal sensitive information. This can result in financial losses, loss of privacy, reputational damage and regulatory action.
A risk management system helps organisations identify the ways in which vulnerabilities, threats and risks intertwine. More importantly, it gives organisations the ability to determine which risks must be prioritised and identify which controls are best equipped to mitigate the risk.
Start protecting your business
At the heart of risk management is the risk assessment. This is the process where threats and vulnerabilities are identified. Organisations can use the result of the assessment to plan their next moves.
With vsRisk, you’ll receive simple tools that are specifically designed to tackle each part of the risk assessment.
This software package is:
Easy to use. The process is as simple as selecting some options and clicking a few buttons.
Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
Streamlined and accurate. Drastically reduces the chance of human error.
Cryptocurrency scammers love social media—especially Meta’s platforms. The Federal Trade Commission says hundreds of millions of dollars were scammed from U.S. consumers in 2021 (and that’s just the scams the FTC knows about).
And the problem’s growing incredibly fast—with no hint of a fix in sight. Meta claims to be “tackling” it, but we’ve probably all experienced scam reports to Facebook and Instagram being ignored or closed with no action. But why expect anything different? Meta makes money from all the scam ads and “engagement.”
Of course, some say all cryptocurrencies, NFTs and DeFi are scams. In today’s SB Blogwatch, we couldn’t possibly comment.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nothingverse.
“A large majority … involve cryptocurrency” A growing number of U.S. consumers are getting scammed on social media. … That number has also increased 18 times … the FTC said, as new types of scams involving cryptocurrency and online shopping became more popular. This has also led to many younger consumers getting scammed. … Facebook and Instagram were where most of these social media scams took place. … More than half (54%) of the investment scams in 2021 began with social media platforms, where scammers would promote bogus investment opportunities or connect with people directly to encourage them to invest. … A large majority of the investment scams now involve cryptocurrency.
“Bogus investment sites” Cryptocurrency is an easy target because while it’s surging in popularity, there’s still a lot of confusion about how it works. … One type of crypto scam reported to the agency involves someone bragging about their own success to drive people to bogus investment sites. … “We put significant resources towards tackling this kind of fraud and abuse,” said a spokesperson for … Meta. “We also go beyond suspending and deleting accounts, Pages, and ads. We take legal action against those responsible when we can and always encourage people to report this behavior when they see it.”
“Urgent need for money” Social media is also increasingly where scammers go to con us. More than one in four people who reported losing money to fraud in 2021 said it started on social media with an ad, a post, or a message. … For scammers, there’s a lot to like about social media. It’s a low-cost way to reach billions of people. [It] is a tool for scammers in investment scams, particularly those involving bogus cryptocurrency investments — an area that has seen a massive surge. … People send money, often cryptocurrency, on promises of huge returns, but end up empty handed. … If you get a message from a friend about an opportunity or an urgent need for money, call them. Their account may have been hacked – especially if they ask you to pay by cryptocurrency, gift card, or wire transfer. … To learn more about how to spot, avoid, and report scams—and how to recover money if you’ve paid a scammer—visit ftc.gov/scams.
Who would fall for such scams? King_TJ hates to admit it:
“Facebook is complicit” Hate to admit it, but I fell for one of these scams on Facebook myself. It was probably about a year ago. I ran across a “seller” in one of the ads that scrolled by on my feed. … There were plenty of comments posted ranging from other people interested in one, to claims they got one and liked it. … After a little while … the tracking info showed the package as delivered, but I never received anything at all. … When I started digging around more on Facebook after that, I realized the scammers … were actually running dozens of ads for various products, giving out web URLs that were almost identical except with one letter changed in their name. Reported the original ad … to Facebook, but … got no response. … That’s when it struck me that Facebook is complicit in all of this, in the sense they make a lot of ad revenue off of these scams. … It’s more profitable for them to turn a blind eye and simply take one down when a user complains about it specifically.
Facebook is complicit? Carrie Goldberg—@cagoldberglaw—puts it more bluntly:
Platforms love scams because user engagement is so high from all the accounts they create, posts, and messaging; not to mention the panicked use by victims.
Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists
Some of the major oil terminals in Western Europe’s biggest ports have been targeted with a cyberattack.
Threat actors have hit multiple oil facilities in Belgium’s ports, including Antwerp, which is the second biggest port in Europe after Rotterdam.
Among the impacted port infrastructure, there is the Amsterdam-Rotterdam-Antwerp oil trading hub, along with the SEA-Tank Terminal in Antwerp.
“A spokesperson for prosecutors in the northern Belgian city confirmed on Thursday they had begun an investigation earlier this week, but declined to give further details.” reported Reuters agency. “Belgian business daily De Tijd reported that terminal operator Sea-Tank had been hit by a cyber attack last Friday. The company declined to comment.”
The AFP agency reported that the attackers have disrupted the unloading of barges in the affected European ports.
“There was a cyber attack at various terminals, quite some terminals are disrupted,” said Jelle Vreeman, senior broker at Riverlake in Rotterdam. “Their software is being hijacked and they can’t process barges. Basically, the operational system is down.”
The attacks were also confirmed by Europol, which is supporting the authorities in Germany, where other ports were hit by the threat actors.
“At this stage the investigation is ongoing and in a sensitive stage,” Europol spokeswoman Claire Georges said.
This week, two oil supply companies in Germany were hit by cyber-attacks that caused severe problems to petrol distribution.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
The internet has made the world a much smaller place, allowing millions of users around the globe to interact and share digital information and ushering the rest of the world into the ‘digital world.’
Images are also incredibly helpful in an OSINT investigation since they can reveal what a target looks like, where the target has been, or which devices were used.
Researchers can use pictures to build the intelligence picture, discover the equipment used to capture photographs, determine where and when photos were taken, and determine whether a social media profile relates to a target, using search engines and free resources.
This article is a list of tools and tips. It will show you how to look for, obtain, extract, and analyze digital photos.
8 Steps to Better Security: A Simple Cyber Resilience Guide for Business
Harden your business against internal and external cybersecurity threats with a single accessible resource.
In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.
A massive social engineering campaign targeting banks has been delivered in the last two years in several countries.
A massive social engineering campaign has been delivered in the last two years in several countries, including Portugal, Spain, Brazil, Mexico, Chile, the UK, and France. According to Segurança Informática publication, the malicious waves have impacted banking organizations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil.
In short, criminal groups are targeting victims from different countries to collect their home-banking secrets and payment cards. The campaigns are carried out using social engineering schemes, namely smishing and spear phishing through fake emails.
Criminals obtain lists of valid and tested phone numbers and emails from other malicious groups, and the process is performed on underground forums, Telegram channels or Discord chats.
The spear-phishing campaigns try to lure victims with fake emails that impersonate the banking institutions. The emails are extremely similar to the originals, except for their content, which mainly relates to debts or missed payments.
According to the analysis, the malicious campaign consists of a redirector system, capable of performing an initial screening to verify that the users’ requests are valid and expected. The system is equipped with a blacklisting mechanism and a logging feature that notifies criminals of new infections.
When the victim matches all the rules, several pathways are possible, with different landing-pages. Some of them only collect raw data, including the homebanking credentials, SMS tokens and bank codes. On the other hand, a well-structured C2 server can be used to orchestrate all the processes in real-time, simulating a flow extremely similar to the legitimate service.
As phishing and malware campaigns make headlines every day, monitoring these types of behaviors and IoCs is crucial to fighting this emerging segment, which has grown in both volume and sophistication.
The heightened risk of cyberattacks on businesses is being compounded by significant recruitment and retention issues within cybersecurity teams, making businesses more vulnerable to potential attacks, according to research from ThreatConnect.
With the number of data breaches in 2021 soaring past that of 2020, there is added pressure on cybersecurity teams to keep businesses secure. The research has found a concerning level of staff turnover, skills shortages, burnout, and low staff morale, pointing towards depleted reserves trying to manage the growing risk.
Cybersecurity team recruitment and retention issues
Senior decision-makers across the US report an average security staff turnover rate of 20%.
64% of senior decision-makers have seen a rise in turnover over the past year.
43% of US respondents attribute a lack of skills as the biggest barrier for recruitment.
1 in 5 US respondents are considering quitting their jobs in the next six months.
57% of US respondents have experienced an increase in stress over the past six months.
The COVID-19 pandemic has created what many are calling the Great Resignation, which has affected all industries for the past two years. Employees, specifically those in the security industry, are now being expected to do more with less.
Cybercrime has increased significantly over the past year, making digital protection for businesses both more important and more difficult to achieve. Companies cannot afford to lose any security team members with cybercrime increasing so rapidly.
“In today’s digital ecosystem it is crucial that security employees receive adequate training, support, and resources needed to work efficiently in their jobs,” said Adam Vincent, CEO of ThreatConnect. “As employee turnover increases in this sector, it creates a vicious cycle that impacts a company’s performance and ability to mitigate cyber risks.”
“This makes it even more difficult for security teams to fulfill the company’s needs. Organizations must look at these numbers and recognize that there is more that can be done to protect their employees and in turn, the welfare of their company.”
The ‘Known Exploited Vulnerabilities Catalog‘ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.
Below is the list of the new entries in the catalog:
CVE ID | Description | Patch Deadline
CVE-2022-22587 | Apple IOMobileFrameBuffer Memory Corruption Vulnerability | 2/11/2022
CVE-2021-20038 | SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability | 2/11/2022
CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022
CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022
CVE-2020-0787 | Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability | 7/28/2022
CVE-2014-1776 | Microsoft Internet Explorer Use-After-Free Vulnerability | 7/28/2022
CVE-2020-5722 | Grandstream Networks UCM6200 Series SQL Injection Vulnerability | 7/28/2022
CVE-2017-5689 | Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability | 7/28/2022
“CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.” reads the announcement published by CISA. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”
Among the recent entries, there is the CVE-2022-22587 memory corruption issue that resides in the IOMobileFrameBuffer and affects iOS, iPadOS, and macOS Monterey. The exploitation of this flaw leads to arbitrary code execution with kernel privileges on compromised devices.
A few days ago, Apple released security updates to address a couple of zero-day vulnerabilities, one of them actively exploited in the wild by threat actors to compromise iPhone and Mac devices.
CISA is ordering federal agencies to address the CVE-2022-22587 flaw by February 11, 2022, along with the CVE-2021-20038 vulnerability in SonicWall SMA 100 Appliances.
The vulnerability is an unauthenticated stack-based buffer overflow that was reported by Jacob Baines, lead security researcher at Rapid7. The CVE-2021-20038 vulnerability impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled.
A remote attacker can exploit the vulnerability to execute arbitrary code as the ‘nobody’ user in compromised SonicWall appliances.
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation.
Apple last year addressed multiple macOS vulnerabilities, discovered by security researcher Ryan Pickren in the Safari browser, that could allow threat actors to access users’ online accounts, microphone, and webcam.
Pickren received a total of $100,500 in payouts for these issues as part of Apple’s bug bounty program.
The security researcher chained the vulnerabilities in iCloud Sharing and Safari 15 to gain unauthorized camera access. An attacker can trick victims into clicking “open” on a popup from the attacker’s website in order to hijack multimedia permissions and gain full access to every website ever visited by the victim.
The expert pointed out that an attacker could exploit this attack chain to turn on the user’s camera, and also to hack their iCloud, PayPal, Facebook, Gmail, and other accounts.
“My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.” reads the post published by the expert. “This research resulted in 4 0day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty.”
The bugs reside in the iCloud file-sharing mechanism named ShareBear. The iCloud Sharing application ShareBear prompts users only when they attempt to open a shared document for the first time; once the user has agreed to open the file, subsequent opens display no prompt. Pickren exploited this behavior by altering the file’s content and file extension after the user agreed to open it.
CVE-2021-30861 is a logic issue in WebKit that could allow a malicious application to bypass Gatekeeper checks. The flaw was reported by Wojciech Reguła (@_r3ggi) and Ryan Pickren (ryanpickren.com). The second bug, tracked as CVE-2021-30975, resides in the Script Editor and could allow a malicious OSAX scripting addition to bypass Gatekeeper checks and circumvent sandbox restrictions.
“Once the user clicks Open, the file is downloaded onto the victim’s machine at the location /Users/<user>/Library/Mobile Documents/com~apple~CloudDocs then automatically opened via Launch Services. Then the user will never see this prompt again. From that point forward, ShareBear (and thus any website in Safari) will have the ability to automatically launch this file.” continues the post. “The truly problematic part of this agreement is that the file can be changed by anybody with write access to it. For example, the owner of the file could change the entire byte content and file extension after you agree to open it. ShareBear will then download and update the file on the victim’s machine without any user interaction or notification.”
In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.
The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.
Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.
But by the time the company’s engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women’s rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.
More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.
Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.
The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.
According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin ($1,100) to receive a decryption key to unlock their files, while in a second note, the hackers demand 5 Bitcoin ($1.86 million) from QNAP to reveal details about the supposed zero-day vulnerability they have been using to attack its users, and another 50 Bitcoin ($18.6 million) to release a master decryption key that unlocks all of the victims’ files.
For its part, QNAP was quick to formally acknowledge the attacks in a blog post on Wednesday, hours after hundreds of users started flocking to its support forum to report finding their files encrypted.
In the first days following the attack, the company told users to disconnect devices from the internet and, if that is not possible, at least to disable features such as port forwarding and UPnP on their routers, to prevent attackers from reaching the NAS systems.
Finland’s Ministry for Foreign Affairs revealed that the devices of Finnish diplomats have been infected with NSO Group’s Pegasus spyware.
Finland’s Ministry for Foreign Affairs revealed that the devices of some Finnish diplomats have been compromised with the infamous NSO Group’s Pegasus spyware.
The diplomats were targeted with the popular surveillance software as part of a cyber-espionage campaign.
“Finnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity. The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part. Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.” reads a statement published by the Ministry.
According to the statement, threat actors stole data from the infected devices belonging to employees working in Finnish missions abroad. The attacks were spotted following an investigation that started in the autumn of 2021; according to the government experts, the campaign is no longer active.
The announcement pointed out that the data transmitted or stored on diplomats’ devices is either public or classified at the lowest level of classified information (level 4).
Finland’s Ministry for Foreign Affairs warns that even if the information is not directly classified, the information itself and its source may be subject to diplomatic confidentiality.
“The Ministry for Foreign Affairs is continually monitoring events and activities in its operating environment and assessing related risks. The Ministry for Foreign Affairs monitors its services and strives to prevent harmful activities. The preparation of and decisions on foreign and security policy, in particular, are matters that attract much interest, which may also manifest itself as unlawful intelligence.” concludes the Ministry. “The Ministry responds to the risk by various means, but complete protection against unlawful intelligence is impossible.”
In December, Apple warned that the mobile devices of at least nine US Department of State employees were compromised with NSO Group’s Pegasus spyware.
The Senate of Puerto Rico announced this week that it was hit by a major cyberattack that disabled its internet provider, phone system and official online page. Local and federal authorities are investigating the attack.
According to Senate President José Luis Dalmau, there is no evidence that threat actors were able to access sensitive information belonging to employees, contractors or consultants.
This isn’t the first time that Puerto Rico was hit by a cyber attack in recent years.
In March 2021, the Puerto Rico Electric Power Authority (PREPA) power utility confirmed that it had been hacked over the preceding weekend.
In June 2021, a large fire at the Monacillo electrical substation in San Juan, run by Puerto Rico’s new electricity provider Luma Energy, caused major blackouts across Puerto Rico. The same day the blackout took place, the company announced that a major DDoS attack had disrupted its online services.
It is still unclear whether the fire and DDoS attack are connected.
In October 2020, Puerto Rico’s firefighting department disclosed a security breach: hackers breached its database and demanded a $600,000 ransom.
Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs that are associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable—if you use the right ones. While these collections are plentiful, there are some that are better than others. Being an actively updated database doesn’t guarantee that it is a highly reliable or detailed one either, as some of the best online haven’t necessarily been updated in a few months.
We will try to keep our own tally of some of the better open source threat intelligence feeds below, regularly updating it with new feeds and more details about each one. A share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. This list is meant to cover free and open source security feed options.
Developed and offered by Proofpoint in both an open source and a premium version, the Emerging Threats Intelligence feed (ET) is one of the highest rated threat intelligence feeds. ET classifies IP addresses and domain addresses associated with malicious activity online and tracks recent activity by either. The feed maintains 40 different categories for IPs and URLs, as well as a constantly updated confidence score.
Being backed by the Federal Bureau of Investigation definitely gives this feed some clout. It is actually a collaboration between the FBI and the private sector, with its information freely available to private companies and public sector institutions to keep them apprised of threats relevant to 16 specific categories of infrastructure identified by the Cybersecurity and Infrastructure Security Agency (a component of the US Department of Homeland Security). Sectors include energy and nuclear power, communications, chemicals, agriculture, healthcare, IT, transportation, emergency services, water and dams, as well as manufacturing and financial services.
Dan is a collection of 10 tools that together report on IP and domain information. It includes info on IP subnets, the TOR status of IP addresses, DNS blacklists, IP address checking for autonomous systems, and node lists.
The CINS Score is supported by Sentinel. Like ET’s confidence score, the CINS Score rates IP addresses according to their trustworthiness. They add data about suspected or confirmed attacks from those IPs in the form of frequency, nature and breadth. They also try to create ‘personas’ around the sorts of attacks those IPs are tied to: scanning, network or remote desktop vulnerabilities, malware bots, or command-and-control servers.
Blocklist.de pays attention to server attacks from SSH, FTP, email and webserver sources. Their site claims to report an average of 70,000 attacks every 12 hours using a combo of the abusix.org database, Ripe-Abuse-Finder, and Whois information.
hpHosts is a searchable database and hosts file that is community managed. While it was last updated in August 2019, it is considered one of the more reliable data stores of malicious IPs online. It can also be sorted by PSH and FSA-only.
AlienVault Open Threat Exchange (OTX) is the company’s free, community-based project to monitor and rank IPs by reputation. It generates alert feeds called “pulses,” which can be manually entered into the system, to index attacks by various malware sources. While some pulses are generated by the community, AlienVault creates its own as well, to which all OTX users are automatically subscribed. Most pulses are automatically API-generated and submitted via the OTX Python SDK. This example, SSH bruteforce logs 2016-06-09, shows the indicators, the geoip of the attacks, and a full list of the IPs used. It also links to reports in other pulses that include the same IPs.
This abuse.ch offering focuses on botnets and command-and-control infrastructure (C&C). The blocklist is an amalgamation of several minor blocklists with attention paid to Heodo and Dridex malware bots. There were 5,374 entries as of 03-03-2020.
Of course, the name itself is a direct reference to an older trojan called Feodo, which was a successor to the Cridex e-banking trojan (to which both Dridex and Heodo trace their source code). Feodo Tracker also tracks an associated malware bot, TrickBot.
The first of two projects from Swiss website abuse.ch, URLhaus is a repository of malicious domains tied to distributing malware. The database can be accessed via the URLhaus API, allowing you to download CSV collections of flagged URLs, those sites’ respective statuses, the type of threat associated with them, and more. Ready-made downloads include recent additions (going back 30 days) or all active URLs.
The full URLhaus dataset—as updated every 5 minutes—is automatically and immediately available for CSV download. It also includes a ruleset suited for use in Suricata or Snort. URLhaus also offers a DNS firewall dataset that includes all marked URLs for blocking.
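The kind of consumer a defender would write for such a CSV download, as an added example that is not abuse.ch code: it skips the feed’s comment lines, keeps only entries whose status is “online”, and matches the resulting hostnames against proxy log lines. The column order, the sample feed rows and the log format are all constructed assumptions, not data from the page.

```python
"""Match proxy-log destination hosts against a URLhaus-style CSV feed.
Added example, not abuse.ch code. Assumed column order (an assumption):
id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"""
import csv
from urllib.parse import urlparse

# Constructed sample feed (not real indicators); '#' lines are comments/header.
SAMPLE_FEED = """\
# URLhaus database dump (constructed sample)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2020-03-03 10:00:01","http://bad.example/loader.exe","online","2020-03-03 10:00:01","malware_download","exe","https://urlhaus.abuse.ch/url/1/","reporter_a"
"2","2020-03-02 09:12:44","http://stale.example/x.php","offline","2020-03-02 12:00:00","malware_download","php","https://urlhaus.abuse.ch/url/2/","reporter_b"
"3","2020-03-01 08:00:00","http://dropper.example:8080/a/b.bin","online","2020-03-01 08:00:00","malware_download","elf","https://urlhaus.abuse.ch/url/3/","reporter_c"
"""

# Constructed proxy log lines: "<ts> <client_ip> <method> <url> <status>"
SAMPLE_LOG = [
    "2020-03-03T10:05:00Z 10.0.0.5 GET http://bad.example/loader.exe 200",
    "2020-03-03T10:06:00Z 10.0.0.7 GET http://stale.example/x.php 200",
    "2020-03-03T10:07:00Z 10.0.0.9 GET https://intranet.example/ 200",
    "2020-03-03T10:08:00Z 10.0.0.9 GET http://DROPPER.example:8080/a/b.bin 200",
]

def load_feed(text, active_only=True):
    """Return the set of lowercased hostnames in the feed, skipping '#' lines."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    hosts = set()
    for row in csv.reader(rows):
        if len(row) < 4:
            continue  # malformed row: skip it rather than abort the whole batch
        url, status = row[2], row[3]
        if active_only and status != "online":
            continue  # the dump also lists offline URLs; keep only active ones
        host = urlparse(url).hostname  # hostname is lowercased and has no port
        if host:
            hosts.add(host)
    return hosts

def match_proxy_log(lines, feed_hosts):
    """Return (line, host) pairs whose destination host appears in the feed."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname  # case and port are normalised away
        if host and host in feed_hosts:
            hits.append((line, host))
    return hits
```

Matching on hostname rather than the full URL catches the same dropper served under a different path or port; a real deployment would refresh the feed on the 5-minute cadence mentioned above.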
An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it allows them to gain root privileges.
The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) in the initial commit of pkexec, which means that all versions are affected.
Polkit (formerly PolicyKit) is a component used to control system-wide privileges in Unix-like OSes. It allows non-privileged processes to communicate with privileged processes. Polkit also allows commands to be executed with elevated privileges using the pkexec command followed by the command to be executed (with root permission).
Researchers from the Qualys Research Team have discovered a memory corruption vulnerability in the SUID-root program pkexec, part of polkit.
“The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.” reads the post published by Qualys. “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.”
“This vulnerability is an attacker’s dream come true” explained Qualys:
pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, “Add a pkexec(1) command”);
any unprivileged local user can exploit this vulnerability to obtain full root privileges;
although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
and it is exploitable even if the polkit daemon itself is not running.
Experts pointed out that the flaw is very easy to exploit; while Qualys doesn’t plan to release a PoC for this issue, other experts are already working on releasing one.
BleepingComputer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer compiled and tested the available exploit, which proved to be reliable, giving them root privileges on the system on all attempts.