InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The European Data Protection Supervisor authority called for a ban on the development and the use of Pegasus-like commercial spyware.
The European Data Protection Supervisor (EDPS) authority this week called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.
Pegasus is surveillance malware developed by the Israeli surveillance firm NSO Group that can infect both iPhones and Android devices; it is sold exclusively to governments and law enforcement agencies.
The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection.
“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives,” states the European Data Protection Supervisor (EDPS).
“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”
Privacy advocates and cybersecurity experts have documented the use of Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.
Pegasus was used by governments with dubious human rights records and histories of abusive behaviour by their state security services.
The surveillance software allows the operator to take complete control of the target device and spy on the victim. Developers of surveillance solutions leverage zero-click zero-day exploits to silently compromise devices without any user interaction. Pegasus is known to have used the KISMET and FORCEDENTRY exploits to infect victims’ devices.
NSO Group has repeatedly claimed that its software is sold exclusively to law enforcement and intelligence agencies to fight crime and terrorism, in so-called “life-saving missions.”
According to a series of disclosures by the business publication Calcalist in recent weeks, dozens of citizens in the country were targeted by Israel Police with the NSO Group’s spyware to gather intelligence without a search warrant authorizing the surveillance.
“National security cannot be used as an excuse to an extensive use of such technologies nor as an argument against the involvement of the European Union,” continues EDPS.
EDPS urges tight control over the use of surveillance and hacking tools to prevent and disincentivize unlawful use.
Researchers disclose a now-patched remote code execution (RCE) vulnerability in the Apache Cassandra database software.
JFrog researchers publicly disclosed details of a now-patched high-severity security vulnerability (CVE-2021-44521) in Apache Cassandra database software that could be exploited by remote attackers to achieve code execution on affected installations.
Apache Cassandra is an open-source NoSQL distributed database used by thousands of companies.
“JFrog’s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4),” reads the analysis published by JFrog. “This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra.”
Cassandra offers the ability to create user-defined functions (UDFs) that perform custom processing of data inside the database.
Admins can write UDFs in Java or JavaScript. JavaScript UDFs run on the Nashorn engine in the Java Runtime Environment (JRE), which is not guaranteed to be secure when accepting untrusted code.
JFrog researchers discovered that when user-defined functions (UDFs) are enabled in the configuration, threat actors could leverage the Nashorn engine to escape the sandbox and achieve remote code execution.
“For example, running the following Nashorn JavaScript code allows execution of an arbitrary shell command …” “Cassandra’s development team decided to implement a custom sandbox around the UDF execution which uses two mechanisms to restrict the UDF code,” states the report.
Experts noted that exploitation is possible when the cassandra.yaml configuration file contains the following definitions:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
“When the option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. We will show how to abuse these permissions to achieve sandbox escape and RCE,” continues the analysis.
Experts shared a PoC that creates a new file named “hacked” on the Cassandra server.
Apache released versions 3.0.26, 3.11.12, and 4.0.2 to address the vulnerability. The fix adds a new flag, allow_extra_insecure_udfs, which is set to false by default; it prevents turning off the security manager and blocks access to java.lang.System.
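The three cassandra.yaml settings above, plus the allow_extra_insecure_udfs flag added by the fix, are the whole decision surface for this bug, so an operator can audit a fleet for the at-risk layout before touching any node. The script below is an added example (it is not JFrog's code or part of the Cassandra project); it reads only those four top-level keys with a tiny flat parser so it runs without PyYAML, and the two cassandra.yaml samples in it are constructed for the demonstration.

```python
"""Flag the cassandra.yaml combination that CVE-2021-44521 depends on (added example)."""
import re

# Settings named in the write-up. allow_extra_insecure_udfs is the guard added in
# 3.0.26 / 3.11.12 / 4.0.2; it defaults to false on patched versions.
UDF_KEYS = (
    "enable_user_defined_functions",
    "enable_scripted_user_defined_functions",
    "enable_user_defined_functions_threads",
    "allow_extra_insecure_udfs",
)

# Top-level `key: value   # optional comment` lines. Anchored at column 0, so
# indented (nested) keys never match and cannot shadow the top-level ones.
_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*([^#]*?)\s*(?:#.*)?$")


def parse_top_level(yaml_text):
    """Minimal flat-key parser so the check has no PyYAML dependency."""
    settings = {}
    for line in yaml_text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def as_bool(value, default):
    """YAML-style booleans; an absent key falls back to Cassandra's default."""
    if value is None or value == "":
        return default
    return value.lower() in ("true", "yes", "on", "1")


def assess_udf_config(yaml_text):
    s = parse_top_level(yaml_text)
    udfs = as_bool(s.get("enable_user_defined_functions"), False)
    scripted = as_bool(s.get("enable_scripted_user_defined_functions"), False)
    threads = as_bool(s.get("enable_user_defined_functions_threads"), True)  # default: true
    extra_insecure = as_bool(s.get("allow_extra_insecure_udfs"), False)

    findings = []
    if udfs and scripted and not threads:
        findings.append(
            "scripted UDFs run in the Cassandra daemon thread (the non-default layout "
            "from the write-up); exploitable on versions before 3.0.26 / 3.11.12 / 4.0.2"
        )
    if extra_insecure:
        findings.append("allow_extra_insecure_udfs is true, which disables the patched guard")
    return {
        "at_risk": bool(findings),
        "findings": findings,
        "settings": {k: s.get(k) for k in UDF_KEYS},
    }


# Constructed samples, not real deployments.
VULNERABLE_LAYOUT = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # runs UDFs in the daemon thread
"""

DEFAULT_THREADS = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_LAYOUT), ("default-threads", DEFAULT_THREADS)):
        print(name, assess_udf_config(text))
```

Run it against each node's cassandra.yaml; a result with `at_risk` true on a node older than the fixed versions, or with allow_extra_insecure_udfs enabled on a patched one, is the configuration to change (or upgrade) first.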
Certified ISO 27001 ISMS Lead Auditor Training Course
ISO 27001 Lead Auditor is the qualification of choice for ISO 27001 professionals, recognized by employers worldwide.
Implementing and maintaining compliance with the Standard requires comprehensive knowledge of ISO 27001.
ITG's Certified ISO 27001 ISMS Lead Auditor Training Course gives participants a solid understanding of the requirements of an ISO 27001 audit and the knowledge to ensure conformity to the Standard.
If you are already a qualified ISO 27001 auditor, enhance your career by taking ITG's Certified ISO 27701 PIMS Lead Auditor Training Course, which will teach you how to conduct audits against ISO 27701, in line with international data protection regimes.
Concerning e-mails, pay attention to the following features:
Impersonal form of address: the sender of the e-mail does not know your correct name. The mail begins with “Dear customer” instead of “Dear Mrs./Mr. XY”. Perhaps your name is inserted, but misspelled.
The sender uses threats: the sender threatens you, e.g. “if you don’t refresh your password, your account will be locked”.
Request for confidential data: you are straightforwardly asked for confidential data like your PIN/password, your online banking access or your credit card number. The whole thing is backed up with a threat.
Links and forms: the e-mail contains forms and links which you are obliged to use if you do not want to suffer any disadvantages.
Bad language: sometimes, not always, the messages are written in bad English, sometimes interspersed with Cyrillic letters or special characters like $ or &.
Be vigilant even with well-worded texts! If in doubt, always check with the alleged sender, for example your house bank or Amazon. Go to the original website to contact the real customer service; don’t use any links or e-mail addresses you find in the mail.
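Each item in the checklist above is a feature that can be tested mechanically, which is how mail gateways and awareness tools turn it into a score. The code below is an added example written for this page (it is not from the original post and is not a production filter): each flag is an illustrative regex or heuristic, the free-mail domain list and the sixth flag (a brand-like display name sending from consumer webmail) are assumptions added here, and the two messages are constructed.

```python
"""Score an e-mail against the phishing red flags in the checklist (added example)."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Impersonal greeting; the common misspelling "costumer" is deliberately included.
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(customer|costumer|user|client|member|account\s+holder)\b", re.I | re.M
)
# Threats and time pressure.
THREAT = re.compile(
    r"(account\s+will\s+be\s+(locked|suspended|closed)|within\s+\d+\s+hours|final\s+(notice|warning))",
    re.I,
)
# Direct requests for credentials or card data.
CREDENTIAL_REQUEST = re.compile(
    r"\b(password|pin|credit\s+card\s+number|card\s+number|cvv|online\s+banking\s+access)\b", re.I
)
LINK = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumption: organisations rarely send from consumer webmail, so a display name
# on one of these domains is worth a flag.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def non_latin_letters(text):
    """Count letters outside the Latin script (e.g. Cyrillic look-alikes mixed into English)."""
    return sum(
        1 for ch in text if ch.isalpha() and not unicodedata.name(ch, "").startswith("LATIN")
    )


def body_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")


def assess_email(raw):
    """Return the sender address, the number of flags raised and which ones."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = body_text(msg)
    flags = {
        "impersonal_greeting": bool(GENERIC_GREETING.search(body)),
        "threat_or_urgency": bool(THREAT.search(body)),
        "asks_for_credentials": bool(CREDENTIAL_REQUEST.search(body)),
        "contains_links": bool(LINK.search(body)),
        "mixed_scripts": non_latin_letters(body) > 0,
        "brand_name_on_freemail": bool(display) and domain in FREEMAIL,
    }
    return {"from": addr, "score": sum(flags.values()), "flags": flags}


# Constructed messages; the hosts are reserved example names.
PHISH_SAMPLE = """\
From: Caixa Economica Federal <caixa.seguranca.2022@gmail.com>
To: victim@example.net
Subject: Urgent: account verification

Dear costumer,

If you don't refresh your password within 24 hours your account will be locked.
Confirm your password and card number here: http://example.invalid/refresh
"""

BENIGN_SAMPLE = """\
From: Alice Example <alice@example.org>
To: bob@example.org
Subject: Lunch

Hi Bob,

Are we still on for lunch on Thursday? Let me know.
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        print(assess_email(sample))
```

A score is a triage aid, not a verdict: the checklist's own caveat applies, and a well-worded message from a compromised legitimate account raises none of these flags.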
Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, that is being actively exploited, with the release of a Chrome emergency update for Windows, Mac, and Linux. This is the first Chrome zero-day fixed this year by Google.
The emergency patches will be rolled out over the coming weeks. Users can update their browser manually via Chrome menu > Help > About Google Chrome.
Google did not disclose technical details of CVE-2022-0609 to avoid mass exploitation of the bug. The IT giant also avoided disclosing information about the attacks in the wild exploiting the flaw.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.
There’s a remote code execution hole in Adobe e-commerce products, and cybercrooks are already exploiting it.
Using the Adobe Commerce online selling platform?
Using Magento, the free, open-source variant of the same product?
Buying products from online stores that use either of these?
Using online services that themselves use services that (…repeat up the supply chain as needed…) ultimately depend upon Magento or Adobe’s paid version?
If so, make sure that the site where Magento or Adobe Commerce is actually running has downloaded and applied Adobe’s latest patches.
Note that these are so-called out-of-band updates, meaning that they’re new enough not to have made it into last week’s regular Patch Tuesday updates, but critical enough not to be left until next month’s Patch Tuesday comes round.
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.
Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.
Upgrade now
Of course, the words “limited attacks targeting merchants” shown above don’t automatically imply that “minimal damage has been done”.
Anyone who remembers the recent Colonial Pipeline ransomware incident will know how extensive the knock-on effects of a single cyberattack can be.
Also, until we know what the attackers did when they exploited this hole, we can’t tell how much data they made off with, how many users might be affected, or what follow-up crimes (such as identity theft, password recovery and account takeover) the crooks might be able to try next.
According to Adobe, it seems that any Adobe Commerce or Magento installation running a version later than 2.3.3 that hasn’t received the latest patches is vulnerable.
The patches provided are listed as tested for all of these versions: 2.3.3-p1 to 2.3.7-p2, and 2.4.0 to 2.4.3-p1.
Quite what version number will show up after patching we can’t tell you; the patch files themselves are identified as 2.4.3-p1_v1, so our assumption is that’s the version string you’ll see.
Every day everybody receives many phishing attacks with malicious docs or PDFs. I decided to take a look at one of these files. I did a static analysis and went straight to the point to keep this read simple and fast.
Here is the received email. It appears to come from the Caixa Economica Federal bank, but we can see the sender uses Gmail and a strange name.
I verified the e-mail header using MXToolbox, and we can see the IP used by the sender (attacker).
Below is the reputation of the IP used by the attacker.
We can see this IP has a lot of mentions about malicious activities.
I downloaded this file to my VPS (Kali Linux) and used peepdf to analyze the file structure, and I found 2 URIs in objects 3 and 5.
After I checked objects 3 and 5 using pdf-parser, I discovered a malicious URL in object 3.
I transcribed a recent interview; here are some questions and answers about nation-state hacking, spyware, and cyber warfare. Enjoy!
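What peepdf and pdf-parser report in the steps above is simply the `/URI` entries found inside numbered objects, and that lookup can be reproduced with a few regexes when the tools are not at hand. The following is an added example, not the original post's code and not either tool: it walks `N G obj … endobj` blocks, decodes both literal and hex string forms of `/URI`, and also notes action keys (`/OpenAction`, `/JavaScript`, `/JS`, `/Launch`, `/AA`) that deserve a second look. SAMPLE_PDF is a constructed file whose object numbers follow the post; the hosts in it are reserved example names.

```python
"""Pull /URI targets and action keys out of PDF objects without rendering the file (added example)."""
import re

OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (literal string)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                # /URI <hex string>
# Action-related keys; \b keeps /JS from matching /JSX-style names.
ACTION_KEY = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def unescape_literal(raw):
    """Decode PDF literal-string escapes: \\n \\r \\t \\( \\) \\\\ and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in b"01234567":  # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j:j + 1] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        out += raw[i:i + 1]
        i += 1
    return bytes(out)


def extract_uris(pdf_bytes):
    """Map object number -> URIs and action keys found inside that object."""
    results = {}
    for m in OBJ.finditer(pdf_bytes):
        num, body = int(m.group(1)), m.group(3)
        uris = [unescape_literal(u).decode("latin-1") for u in URI_LITERAL.findall(body)]
        for h in URI_HEX.findall(body):
            h = re.sub(rb"\s", b"", h)
            if len(h) % 2:
                h += b"0"  # the spec pads an odd trailing digit with 0
            uris.append(bytes.fromhex(h.decode("ascii")).decode("latin-1"))
        keys = sorted({"/" + k.decode("ascii") for k in ACTION_KEY.findall(body)})
        if uris or keys:
            results[num] = {"uris": uris, "action_keys": keys}
    return results


# Constructed sample: object 3 carries the link a phishing lure would point at,
# object 5 a hex-encoded link, and the catalog opens object 3 automatically.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Action /S /URI /URI (http://example.invalid/download/boleto.php) >>
endobj
4 0 obj
<< /Type /Page /Parent 2 0 R /Annots [6 0 R] >>
endobj
5 0 obj
<< /Type /Action /S /URI /URI <68747470733A2F2F62616E6B2E6578616D706C652F> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 5 0 R >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for num, info in sorted(extract_uris(SAMPLE_PDF).items()):
        print(num, info)
```

The scan is deliberately static: nothing is fetched, so the extracted hosts can go straight to reputation lookups like the one in the post. Objects inside compressed object streams would need inflating first, which is where pdf-parser's filter handling still earns its keep.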
How has spyware changed the rules of cyber security in recent years? What will cyber security look like now that those tools are all over the internet?
In the last decade, we have observed a progressive weaponization of cyberspace. NATO recognized cyberspace as a new domain of warfare. Cyberspace is the new battlefield for nation-state actors, the digital place where international crime rings operate, threatening the pillars of our digital society.
Spyware is a powerful weapon in the arsenal of governments and cybercrime gangs. These tools are ever more sophisticated and are able to evade detection by using so-called zero-day exploits, allowing attackers to bypass the defenses of government organizations and businesses. Spyware allows attackers to steal sensitive info from their targets and perform a broad range of malicious activities.
Is the Pegasus spyware a game-changer?
Pegasus is probably the most popular surveillance software on the market; it has been developed by the Israeli NSO Group. Anyway, it is not the only one. Many other surveillance firms develop spyware that is abused every day in dragnet surveillance and to target journalists, dissidents, and opponents of totalitarian regimes. This software is developed for law enforcement and intelligence agencies, but it is often abused by many governments worldwide in cyber espionage operations. The surveillance business is growing in the dark and is becoming very dangerous.
What are the tools of cyber warfare and cyber espionage?
Every technological device can be abused for cyber warfare and cyber espionage. Malware and spyware are the most common means, but do not forget the power of social network platforms, which can be used for surveillance and misinformation purposes.
Many governments have fallen victim to massive ransomware attacks from groups linked to organized crime, how bad can this new trend of hacking get?
Every day we read about major attacks targeting organizations worldwide with severe impact on their operations. The situation is getting worse despite the numerous operations of law enforcement on a global scale. The number of ransomware attacks spiked in the last couple of years due to the implementation of the Ransomware-as-a-Service model; this means that tens of ransomware gangs have created a network of affiliates and provided them with their malware. Almost any criminal group could become an affiliate, obtain ransomware from a gang, and spread it, and this is amplifying the damage. Critical infrastructure is even more exposed to a new generation of threats that are more aggressive and sophisticated.
Reports are coming out linking North Korea to illegal online activities related to cryptocurrency. How are some governments using the Internet to threaten world peace in one way or another?
When dealing with nation-state actors you must consider the main motivation behind the attacks and distinguish the techniques, tactics, and procedures adopted by the different state-sponsored groups.
For example, China-linked nation-state actors are more focused on cyberespionage aimed at stealing intellectual property, while Russia-linked Advanced Persistent Threat groups often operate to destabilize the political context of foreign states, carry out cyber espionage activities, and conduct disinformation campaigns. North Korea-linked threat actors carry out financially motivated attacks against banks and cryptocurrency firms worldwide to steal funds to re-invest in their military industry.
What about the resilience of countries’ infrastructure to face this kind of war?
We need norms of state behavior in cyberspace and more information sharing on cyber threats. We need to share information about attacks at an early stage, profiling the threat actors to mitigate and prevent their campaigns. It is essential to increase the level of security of critical infrastructure like power grids, power plants and hospitals. Critical infrastructure is the main target of nation-state actors in a cyber warfare context.
Is making the internet a safe place technically possible?
Let me use the title of a famous book, “No Place to Hide”. I mean that both nation-state actors and cybercriminal organizations are spending a growing effort to increase their hacking capabilities and evasion techniques. Unfortunately, today most organizations still consider cybersecurity a cost to cut, and this approach gives the attackers an immense advantage. We need a cultural change, and we must consider that a security-by-design approach is the only way to make the Internet a safe place. We also need globally recognized norms of responsible state behavior in cyberspace.
French data protection authority says Google Analytics is in violation of GDPR
The French national data protection authority, CNIL, issued a formal notice to managers of an unnamed local website today arguing that its use of Google Analytics is in violation of the European Union’s General Data Protection Regulation, following a similar decision by Austria last month.
The root of the issue stems from the websiteās use of Google Analytics, which functions as a tool for managers to track content performance and page visits. CNIL said the toolās use and transfer of personal data to the U.S. fails to abide by landmark European regulations because the U.S. was deemed to not have equivalent privacy protections.
European regulators including CNIL have been investigating such complaints over the last two years, following a decision by the EU’s top court that invalidated the U.S.’s “Privacy Shield” agreement on data transfers. NOYB, the European Center for Digital Rights, reported 101 complaints in 27 member states of the EU and 3 states in the European Economic Area against data controllers who conduct the transatlantic transfers.
Privacy Shield, which went into effect in August of 2016, was a “self-certification mechanism for companies established in the United States of America,” according to CNIL.
Originally, the Privacy Shield was considered by the European Commission to be a sufficient safeguard for transferring personal data from European entities to the United States. However, in 2020 the adequacy decision was reversed due to no longer meeting standards.
An equivalency test was used to compare European and U.S. regulations, which immediately established the U.S.’s failure to protect the data of non-U.S. citizens. European citizens would remain unaware that their data is being used and how it is being used, and they cannot be compensated for any misuse of data, CNIL found.
CNIL concluded that Google Analytics does not provide adequate supervision or regulation, and the risks for French users of the tool are too great.
“Indeed, if Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data,” CNIL said.
The unnamed site manager has been given a month to update its operations to be in compliance with GDPR. If the tool cannot meet regulations, CNIL suggests transitioning away from the current state of Google Analytics and replacing it with a different tool that does not transmit the data.
The privacy watchdog does not call for a ban of Google Analytics, but rather suggests revisions that follow the guidelines. “Concerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers,” the watchdog said.
Technological advancements have come a long way: from when internet utility was very limited, to when an internet connection was achieved only through internet protocol (IP) version 4 (IPv4) addresses, to this modern age where IPv6 is the next big thing.
IPv6 stands for internet protocol version 6, as you might have figured out by now, and was first introduced in 2012.
It became imperative after developers discovered that IPv4 had a finite number of addresses. It would not take long before we ran out of possible combinations for the fourth IP version.
As such, a new version that would allow humanity to generate a practically inexhaustible number of IP addresses was born: IPv6. Several technologies have been built and designed in its wake.
The IPv6 proxy, for instance, was subsequently developed to make things easy. IPv6 had several benefits, such as routing traffic and packet headers conveniently, attracting many organizations to start hosting their servers on it.
However, traffic and connections coming from the older IPv4 could not reach or interact with these new servers because they operated on different standards.
Therefore, it became necessary to build a tool that could translate all IPv4 traffic to reach IPv6 hosted servers, hence the IPv6 proxy.
What Is A Proxy?
A proxy is a device or computer that can serve as the middleman between different servers or networks.
It can stand anywhere between the user and the internet and transfer data and connections back and forth quickly and securely.
This traffic transfer is often done using its own IP and location while concealing the user’s details. This helps to provide necessary security and anonymity for the internet user.
How Do Proxies Work?
Proxies are not the only tools used in re-routing usersā connections, but they are one of the most effective, and this is evident in the way they work:
The user sends out a request using a proxy
The proxy accepts the incoming traffic and remodels it to ensure lesser errors and better speed
Then it masks the user’s IP and transfers the traffic using its own IP instead
The request reaches the final server, and the results are collected and returned to the user via the proxy network
The proxy again accepts this traffic and screens it for possible malware. Once it certifies that it is healthy, it sends it to the user.
The user receives the result quickly as a web page.
All these happen so quickly and seamlessly that users can’t even tell there have been interceptions at different levels and points.
What Are Proxies Used For?
Proxies are essential for several reasons, and below are some of the most common:
To Boost Internal Security
The internet may be a lovely place for both individuals and brands, but it can also turn sour quickly.
There are cybercriminals monitoring traffic at every turn, waiting for data to breach.
Proxies are used because they can hide your IP and sensitive data and filter traffic to ensure the user is protected at all times.
To Reduce Server Load
Servers are just like every other type of machine: they can only handle what is within their capacity.
When a server has to deal with too much traffic every day, it doesn’t take long before it crashes.
Proxies are helpful because they are excellent at reducing the workload on servers. For instance, proxies can allocate traffic to the available server to prevent one server from taking too much load.
Proxies can also deploy caching mechanisms where they store results from past queries. This way, they can pull the data from what has been stored instead of disturbing the servers.
To Bypass Restrictions
There are several limitations and restrictions that people face when surfing the internet. Some users can get banned or blocked when they use the same IP to interact with a website or server repeatedly.
Other users can get restricted from using particular services or accessing specific content because of where they live.
Proxies are used to prevent both types of limitations, as they can supply users with an extensive collection of IPs to prevent bans and with multiple locations to bypass geo-restrictions.
What Is An IPv6 Proxy?
An IPv6 proxy can be defined as a type of proxy that translates IPv4 traffic into IPv6 traffic. It could be software or hardware that stands between users and the internet and translates this older traffic into the IPv6 version.
The purpose is often to allow traffic from devices using the older IP version to reach servers hosted on the IPv6 standard.
Without this tool, it would be impossible for anyone using the older IP version to interact with servers that only speak IPv6.
The IPv6 proxy can also perform the other essential functions of a regular proxy, including concealing the user’s network to provide online privacy and filtering traffic to boost online security.
How Do IPv6 Proxies Work?
As the world adopts IPv6 standards and gradually moves towards it, several users, including organizations and service providers still using the IPv4 standard, need a tool to help them translate and forward their traffic.
IPv6 proxies work by intercepting traffic from the older IP standard, translating the address and header, and routing the information before forwarding them to an IPv6 server or target device.
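The intercept-translate-forward sequence just described is, at its simplest, a relay that accepts a connection on an IPv4 socket and opens a second connection to the IPv6 upstream, copying bytes in both directions. The program below is an added example written for this page (it is not from the original article or from any proxy vendor): it does the address-family translation at the TCP layer and does not inspect or rewrite application headers. The echo server is a stand-in for the IPv6-only upstream, and `demo()` keeps both ends on 127.0.0.1 because IPv6 loopback is not available on every host; passing `upstream_host="::1"` exercises the real v4-to-v6 path.

```python
"""Minimal IPv4-to-IPv6 TCP relay (added example, not a vendor product)."""
import socket
import threading


def pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, upstream_addr):
    """Open the upstream leg (getaddrinfo picks the family, so '::1' works) and relay both ways."""
    with client, socket.create_connection(upstream_addr) as upstream:
        t = threading.Thread(target=pipe, args=(client, upstream), daemon=True)
        t.start()
        pipe(upstream, client)
        t.join()


def _family(host):
    return socket.AF_INET6 if ":" in host else socket.AF_INET


def start_proxy(listen_host, upstream_addr):
    """Listen (IPv4 by default) and return the chosen port; each connection is served in a thread."""
    srv = socket.create_server((listen_host, 0), family=_family(listen_host))

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, upstream_addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Stand-in for the IPv6-only upstream: echoes whatever it receives."""
    srv = socket.create_server((host, 0), family=_family(host))

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    conn.sendall(chunk)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(proxy_port, payload, timeout=5.0):
    """Act as the IPv4 client: send payload through the proxy and return what comes back."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=timeout) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                return received
            received += chunk


def demo(payload=b"GET / HTTP/1.0\r\n\r\n", upstream_host="127.0.0.1"):
    """Wire upstream -> proxy -> client; use upstream_host='::1' where IPv6 loopback exists."""
    upstream_port = start_echo_server(upstream_host)
    proxy_port = start_proxy("127.0.0.1", (upstream_host, upstream_port))
    return roundtrip(proxy_port, payload)


if __name__ == "__main__":
    print(demo())
```

Because the upstream only ever sees the relay's own IPv6 source address, this is also the mechanism behind the "masks the user's IP" step in the list of how proxies work; a production relay would add connection limits, timeouts and logging of the client-to-upstream mapping so that abuse can be traced back.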
The Main Use Cases of IPv6 Proxies
There are several ways the IPv6 proxy can be used (visit Oxylabs for more info), including the following:
Maximizing Online Security and Privacy
Like all major proxies, IPv6 proxies also play a massive role in boosting your security and that of your data. Whatever your online activity, you can hide your identity using these proxies with zero cost to your browsing speed and performance.
Bypassing Censorship and Constraints
If you experience bans, blockings, and restrictions very often online, you may want to consider switching to the IPv6 proxies as they can easily bypass these challenges. You can easily choose a different IP and location to appear like a completely different user.
Web Scraping
IPv6 proxies can also be used with a dedicated scraper to harvest a large amount of data from different sources at once. This capability comes from the fact that an IPv6 proxy can translate and re-route any traffic to help it reach any server. It can also provide you with multiple IP addresses and locations to help you perform these repetitive tasks without using an IP twice.
Colorado and Virginia passed new data privacy laws in 2021. Connecticut and Oklahoma are among the states that could enact new legislation around data privacy protections in 2022. California, which kicked off the conversation around data privacy at the state level, is updating its laws. Couple that with the EU’s GDPR and other data privacy laws enacted worldwide, and it is clear that data privacy has become incredibly important within cybersecurity. And that includes within the DevSecOps process.
It’s been enough of a challenge to integrate security into the DevOps process at all, even though it is now recognized that adding security early in the SDLC can eliminate issues further along in app development and deployment. But adding data privacy? Is it really necessary? Yes, it is necessary, said Casey Bisson, head of product growth at BluBracket, in email commentary. Applications now include more and more personal data that needs protection, such as apps that rely on medical PII. Those apps must have security and privacy baked into each phase of the SDLC via DevSecOps.
“There have been far too many examples of leaks of PII within code, for instance, because many companies don’t secure their Git repositories,” said Bisson. “As more sensitive information has made its way into code, it’s natural that hackers will target code. True DevSecOps will bake privacy concerns into every stage and will make these checks automated.”
Data in the Test Process
In DevSecOps, applications are often developed using test data. “If that data is not properly sanitized, it can be lost,” said John Bambenek, principal threat hunter at Netenrich, in an email interview. “There is also the special case of secrets management and ensuring that development processes properly secure and don’t accidentally disclose those secrets. The speed of development nowadays means that special controls need to be in place to ensure production data isn’t compromised from agile development.” Beyond test data, real consumer data has to be considered. Ultimately, every organization has information they need to protect, so it’s important to focus on data privacy early in development so the team working on the platform can build the controls necessary into the platform to support the privacy requirements the data has, explained Shawn Smith, director of infrastructure at nVisium, via email. “The longer you wait to define the data relationships, the harder it is to ensure proper controls are developed to support them.”
Bringing Privacy into DevSecOps
Putting a greater emphasis on privacy within DevSecOps requires two things: data privacy protocols already in place within the organization and a strong commitment to the integration of cybersecurity with data privacy. “An organization needs to start with a strong privacy program and an executive in charge of its implementation,” said Bambenek. “Especially if the data involves private information from consumers, a data protection expert should be embedded in the development process to ensure that data is used safely and that the entire development pipeline is informed with strong privacy principles.” The DevSecOps team and leadership should have a strong understanding of the privacy laws and regulations, both those set by overarching government rules and those set by industry requirements. Knowing the compliance requirements that must be met offers a baseline to measure how data must be handled throughout the entire app development process, Smith pointed out, adding that once you have the base to build upon, the controls and steps to actually achieve the privacy levels you want will fall into place pretty easily. Finally, Bisson advised DevSecOps professionals to shift security left and empower developers to prevent any credentials or PII from being inadvertently accessible through their code before it makes it to the cloud. “DevSecOps teams should scan code both within company repositories and outside in public repos; on GitHub, for instance. It’s so easy to clone code that these details and secrets can easily be leaked,” said Bisson.
Consumers don’t understand how or where in the development process security is added, and it’s not entirely necessary for them to understand how the sausage is made. The most important concern for them is that their sensitive data is protected at all times. For that to happen most efficiently, data privacy has to be an integral part of DevSecOps.
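The "scan code in repositories" advice above, and the earlier point about test data carrying real PII, both come down to an automated check that runs before code leaves a developer's machine. The scanner below is an added example written for this page (it is not BluBracket's or any vendor's tool): the AWS access-key prefix and the PEM private-key header are well-known formats, the remaining rules are generic illustrative patterns, the `nosecret` suppression marker is a convention invented here, and `SAMPLE_FILES` is a constructed in-memory repository.

```python
"""Pre-commit style scan for credentials and PII in source and fixture files (added example)."""
import re
from pathlib import Path

RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" where the name hints at a secret and the value is at least 8 characters
    "secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# File types worth scanning; binaries and prose documents are skipped.
SCAN_SUFFIXES = (".py", ".js", ".ts", ".go", ".java", ".yaml", ".yml", ".json", ".env", ".csv", ".sql", ".tf")
# Our own convention: a trailing marker lets a reviewed, known-safe line through.
SUPPRESS_MARKER = "nosecret"


def mask(value):
    """Never echo the full secret into CI logs: keep a short prefix for triage."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text, path="<memory>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SUPPRESS_MARKER in line:
            continue
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "rule": rule, "match": mask(m.group(0))})
    return findings


def scan_files(files):
    """files: mapping of repo-relative path -> text. Returns findings sorted by path, line, rule."""
    out = []
    for path, text in files.items():
        if path.endswith(SCAN_SUFFIXES):
            out.extend(scan_text(text, path))
    return sorted(out, key=lambda f: (f["path"], f["line"], f["rule"]))


def scan_tree(root):
    """Same check over a real checkout, e.g. from a pre-commit hook or CI job."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in SCAN_SUFFIXES:
            files[str(p.relative_to(root))] = p.read_text(errors="replace")
    return scan_files(files)


def gate(findings):
    """Exit status for CI: non-zero blocks the merge until the findings are resolved."""
    return 1 if findings else 0


# Constructed repository snapshot; the key value is the one AWS uses in its own documentation.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = \"hunter2hunter2\"\n"
        "TEST_TOKEN = 'placeholder-token'  # nosecret\n"
    ),
    "fixtures/users.csv": "id,email,ssn\n1,jane.doe@clinic.example,123-45-6789\n",
    "README.md": "Contact: support@example.com\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f)
    raise SystemExit(gate(results))
```

The fixture finding is the case the text singles out: a CSV of test users with a real-looking e-mail and SSN is exactly the "test data that is not properly sanitized" that leaks once the repository is cloned, so the gate treats it the same as a hard-coded credential.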
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware families were released on the BleepingComputer forums by the alleged malware developer.
The Maze group was considered one of the most prominent ransomware operations since it began operating in May 2019. The gang was the first to introduce a double-extortion model in the cybercrime landscape: at the end of 2019, the Maze ransomware implemented data harvesting capabilities and its operators started threatening to release the stolen data of all those victims who refuse to pay the ransom.
In November 2020, the Maze ransomware operators announced that they have officially shut down their operations and denied the creation of a cartel.
Maze operation then rebranded in September as Egregor, but on February 2021 several members of the Egregor group were arrested in Ukraine.
TheĀ SekhmetĀ operation was launched in March 2020 and it has some similarities with the above ransomware operations.
While TTPās of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware sample obtained during an incident response conducted by Group-IBĀ revealedĀ that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique. Egregor source code bears similarities with Maze ransomware as well.
Now the decryption keys for these operations have now been leaked in theBleepingComputer forums. The keys were shared by a user named āTopleakā who claims to be the developer for all three operations.
āHello, Itās developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families. also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat.āĀ the user wrote on the forum.
āEach archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config. In the āOLDā folder of maze leak is keys for itās old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version. Enjoy!ā
The Topleak user pointed out that this is a planned leak and is not linked to the recent arrests and takedowns conducted by law enforcement. The alleged ransomware developer added that none of the gang's members will ever return to ransomware operations and that the source code of every tool they made has been wiped.
One of the archives leaked by the user contains the source code for a malware dubbed "M0yv" that was part of the gang's arsenal.
The well-known malware researchers Michael Gillespie and Fabian Wosar confirmed to BleepingComputer that the decryption keys are legitimate and allow files encrypted by the three ransomware families to be decrypted for free.
Emsisoft has released a free decryption tool for the Maze, Egregor, and Sekhmet ransomware families.
The world relies on technology. So, a strong cybersecurity program is more important than ever. The challenge of achieving good cyber hygiene can be especially acute for small- and medium-sized businesses. This is particularly true for those with fully remote or hybrid work environments. Add to the mix limited resources and limited talent focused on cybersecurity, and the challenges can seem overwhelming.
Considering this, we've simplified things down to three key elements of a strong cybersecurity program. You need to know how to assess, remediate, and implement security best practices at scale. In more detail, this means:
Assessing your organization's current cybersecurity program and its prioritization
Remediating endpoints at scale, bringing them into compliance with security best practices
Implementing cybersecurity policies and monitoring them to stay in compliance
1. Assess your organization's current cybersecurity program
Taking the first step toward better cyber hygiene means understanding where your organization stands today. Conduct an honest assessment of your strengths and weaknesses in order to prioritize where to focus your efforts for your cybersecurity program. The challenge here is finding the right bar to measure yourself against. There are several frameworks that will do the job. Thus, it can be daunting to figure out which one is the right fit, especially if this is the first time you're doing an assessment. Starting with the CIS Controls and CIS Benchmarks can help take the guesswork out of your assessment and provide peace of mind that you're covering all of your bases.
Hereās what makes these two sets of best practices especially useful:
They tell you the "what" and the "how": Many frameworks tell you what you should do, but not how to do it. CIS best practices give you both.
They are comprehensive and consensus-based: CIS best practices are developed in collaboration with a global community of cybersecurity experts. They're also data-driven, as explained in the CIS Community Defense Model.
They are mapped to other industry regulatory frameworks: CIS best practices have been mapped or referenced by several other industry regulatory requirements, including NIST, FINRA, PCI DSS, FedRAMP, DISA STIGs, and many others. This means you can get the proverbial "two birds with one stone" by assessing against CIS best practices.
The CIS Controls are a prioritized and prescriptive set of safeguards that mitigate the most common cyber-attacks against systems and networks. The CIS Benchmarks are more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today's evolving cyber threats. Both are available as free PDF downloads to help you get started.
2. Remediate endpoints at scale with CIS Build Kits
One of the challenges in applying any best practice framework is dedicating the time and resources to do the work. Luckily, CIS offers tools and resources to help automate and track the assessment process. The CIS Controls Self Assessment Tool (CIS CSAT) helps organizations assess their implementation of the CIS Controls. Additionally, the CIS Configuration Assessment Tool (CIS-CAT Pro Assessor) scans target systems for conformance to the CIS Benchmarks. CIS-CAT Pro Assessor lets you move more quickly to analyzing results and setting a strategy to remediate your gaps.
CIS resources and tools are designed to help you move toward compliance with best practices by remediating the gaps. Once you understand where your gaps are and how to fix them, you can use CIS Build Kits to achieve compliance at scale. CIS Build Kits are automated, efficient, repeatable, and scalable resources for rapid implementation of CIS Benchmark recommendations. You can apply them via the Group Policy Management Console on Windows, or through a shell script in Linux and Unix environments.
Interested in trying out a Build Kit? CIS offers sample Build Kits that contain a subset of the recommendations within the CIS Benchmark. They give you a snapshot of what to expect from the full CIS Build Kit.
3. Implement cybersecurity policies and monitor for compliance
Lastly, creating strong policies and monitoring conformance helps ensure that an organization is working toward a more robust cybersecurity program. Regularly monitoring conformance over time is critical. It helps you avoid configuration drift, and helps identify any new issues quickly. CIS tools can help monitor conformance and identify gaps.
CIS-CAT Pro Dashboard provides an easy-to-use graphical user interface for viewing CIS Benchmark conformance assessment results over time. Similarly, CIS CSAT Pro enables an organization to monitor implementation of the CIS Controls over time.
A strong cybersecurity program with CIS SecureSuite Membership
Any organization can start improving its cyber hygiene by downloading CIS's free best practices, like the PDF versions of the CIS Benchmarks. But it's important to know that you don't have to go it alone. A cost-effective CIS SecureSuite Membership can be both a solution to your immediate security needs and a long-term resource to help optimize your organization's cybersecurity program.
You'll get access to:
CIS-CAT Pro Assessor and Dashboard
CIS CSAT Pro
CIS Build Kits
CIS Benchmarks in various formats (Microsoft Word, Microsoft Excel, XCCDF, OVAL, XML) and more
Get the most out of CIS best practices for your cybersecurity program by signing up for a cost-effective CIS SecureSuite Membership.
The attacks on critical industrial systems such as Colonial Pipeline last year pushed industrial cybersecurity to center stage. And with the threat of war between Russia and Ukraine, experts warned nations that a global flare-up of cybersecurity attacks on critical infrastructure could be looming. In late January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put critical infrastructure organizations on notice: Take "urgent, near-term steps" to mitigate the risk of digital attacks. The alert cited tension in eastern Europe as the catalyst for possible attacks against U.S. digital assets.
Critical Infrastructure Under Attack
Unfortunately, critical systems have long been under significant attack. In fact, an overwhelming 80% of critical infrastructure organizations experienced ransomware attacks last year, according to a survey released today by PollFish on behalf of cyber-physical systems security provider Claroty. The survey, completed in September 2021, gathered responses from full-time information technology and operational technology (OT) security professionals in the United States (500 professionals), Europe (300) and Asia-Pacific (300). The industries surveyed include IT hardware, oil and gas (including pipelines), consumer products, electric energy, pharmaceutical/life sciences/medical devices, transportation, agriculture/food and beverage, heavy industry, water and waste and automotive.
Globally, 80% of respondents reported experiencing an attack, and 47% said the attack impacted their operational technology and industrial control systems (OT/ICS) environment. 90% of respondents reported their attacks to authorities or shareholders, and 49% said the impact of the attack on their operations was substantial.
Researchers at cybersecurity firm Avast discovered that a Chinese-speaking threat actor compromised systems of the 14th National Games of China in 2021. The event, a national version of the Olympics in which only Chinese athletes compete, opened on September 15, 2021 in Shaanxi, China.
The attackers breached a web server on September 3 and deployed multiple reverse web shells to establish a persistent foothold in the target network.
Experts noticed that the threat actors began a reconnaissance phase in August, running tests to determine which file types could be uploaded to the server. To perform the tests, the attackers appear to have exploited a vulnerability in the web server.
The attackers tried submitting files with different types and extensions, for example a legitimate image renamed with a series of extensions: ico, lua, js, luac, txt, html and rar.
"After gaining knowledge on blocked and allowed file types, they tried to submit executable code. Of course, they started submitting PoCs instead of directly executing a webshell because submitting PoCs is more stealthy and also allows one to gain knowledge on what the malicious code is allowed to do." reported Avast. "For instance, one of the files uploaded was this Lua script camouflaged as an image (20210903-160250-168571-ab1c20.jpg)"
The attackers then reconfigured the web server by uploading a configuration file, camouflaged as a PNG, that allowed the execution of Lua scripts. Experts found evidence that the server was configured to execute new threads in a thread pool, which did not work for the Rebeyond Behinder webshell. As a final payload, the attackers uploaded and ran an entire Tomcat server, properly configured and weaponized with Rebeyond Behinder.
After gaining access to the server, the attackers attempted lateral movement by brute-forcing services and running exploits in an automated way. They uploaded several tools (dnscrypt-proxy, fscan, mssql-command-tool, behinder) to the server and executed a network scanner (fscan) and a custom one-click exploitation framework written in Go and distributed as a single binary.
"The procedure followed by the attackers hacking the 14th National Games of China is not new at all. They gained access to the system by exploiting a vulnerability in the web server. This shows the need for updating software, configuring it properly and also being aware of possible new vulnerabilities in applications by using vulnerability scanners." concludes the report. "The most fundamental security countermeasure for defenders consists in keeping the infrastructure up-to-date in terms of patching. Especially for the Internet facing infrastructure."
Avast reported that the breach appears to have been resolved before the games began; however, the researchers were unable to determine what information the threat actor exfiltrated.
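The upload probing described above, turned around as a defence. This is an added example, not Avast's code or anything from the breached server: a server-side validator that enforces a single extension from an allowlist, checks the file's magic bytes against that extension, scans the payload for script and web-server configuration markers (the Lua-in-a-JPEG and config-in-a-PNG cases), and stores the file under a server-generated name so the client's filename never reaches disk. The allowlist, size limit, marker list and all sample uploads are constructed for the example; the one incident filename reused in the samples carries constructed content, not the real script.

```python
"""Server-side upload validation (added example; not Avast's code).

Refuses the tricks used against the National Games web server: a script
or config body hidden behind an image extension, double extensions, and
client-controlled paths or names.
"""
import os
import re
import secrets

# Extension allowlist and the magic bytes each one must start with.
# Assumption: this upload handler only needs to accept these image types.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 5 * 1024 * 1024  # 5 MiB upper bound (assumption)

# Byte patterns that never belong in a genuine image payload. Matching them
# catches a Lua/PHP script or an nginx-style Lua config even when valid
# image magic bytes have been prepended (an image/script polyglot).
SCRIPT_MARKERS = re.compile(
    rb"<\?php|<script|os\.execute|io\.popen|loadstring|dofile|"
    rb"content_by_lua|lua_code_cache|\.lua\b",
    re.IGNORECASE,
)


def validate_upload(client_filename, data):
    """Return (accepted, reason, stored_name). stored_name is None on reject."""
    name = client_filename
    # No path components, no null bytes: the client name is never trusted.
    if not name or "\x00" in name or "/" in name or "\\" in name:
        return False, "filename contains path separators or null bytes", None
    # Exactly one extension: blocks shot.jpg.lua and .hidden.png styles.
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required", None
    ext = "." + parts[1].lower()
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        return False, "extension not in allowlist", None
    if not data or len(data) > MAX_SIZE:
        return False, "empty or oversized upload", None
    # The body must really be the type the extension claims.
    if not data.startswith(magics):
        return False, "content does not match the claimed image type", None
    # Reject image-shaped files that carry executable or config content.
    if SCRIPT_MARKERS.search(data):
        return False, "executable or configuration content found in image payload", None
    # Server-generated name: nothing the client sent lands on disk.
    stored = secrets.token_hex(16) + ext
    return True, "ok", stored


# Constructed sample uploads (not the real files from the incident).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    # Incident filename, constructed Lua body: a script with a .jpg name.
    "20210903-160250-168571-ab1c20.jpg": b"local h = io.popen('id')\nprint(h:read('*a'))\n",
    # Polyglot: real JPEG magic followed by a Lua body.
    "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\nlocal h = io.popen('id')\n",
    # Web-server config hidden behind PNG magic.
    "site.png": b"\x89PNG\r\n\x1a\n" + b"location / { content_by_lua_file /tmp/x.lua; }",
    "shell.lua": b"os.execute('id')",
    "shot.jpg.lua": b"\xff\xd8\xff\xe0",
    "../evil.png": b"\x89PNG\r\n\x1a\n",
}


def check_samples():
    """Run every constructed sample through the validator; returns {name: (ok, reason)}."""
    return {name: validate_upload(name, data)[:2] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in check_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name}: {why}")
```

Marker scanning is a heuristic: it catches a script or config body riding behind image magic bytes, but the stronger control is to re-encode every accepted image through an image library and to serve uploads from a location where the web server will never execute them, with no user-controlled path or name.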
Office 365 and Azure Active Directory (Azure AD) customers were the targets of billions of brute-force and phishing attacks last year.
Microsoft revealed that Office 365 and Azure Active Directory (Azure AD) customers were the targets of billions of phishing emails and brute force attacks last year.
The IT giant said it blocked more than 25.6 billion Azure AD brute-force authentication attacks and detected 35.7 billion phishing emails with Microsoft Defender for Office 365 in 2021.
Enabling multi-factor authentication (MFA) and passwordless authentication would allow customers to protect their accounts from brute-force attacks. However, as of December 2021 only 22 percent of customers using Azure Active Directory (Azure AD), Microsoft's cloud identity solution, had implemented strong identity authentication protection.
"MFA and passwordless solutions can go a long way in preventing a variety of threats and we're committed to educating customers on solutions such as these to better protect themselves. From January 2021 through December 2021, we've blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365." states Microsoft.
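Brute-force and password-spray attempts against Azure AD show up in the sign-in log as bursts of failed credential validations. As an added example, not Microsoft's detection logic, the following runs two sliding-window checks over constructed sign-in events in a simplified form of the Azure AD sign-in log schema (createdDateTime, userPrincipalName, ipAddress, status.errorCode): one source IP failing against many distinct accounts (a spray), and many failures against one account followed by a success from an IP that produced failures (a brute force that landed). Error code 50126 is Azure AD's invalid-username-or-password result; the thresholds, the window and every address and account below are assumptions for the example.

```python
"""Password-spray and brute-force detection over Azure AD-style sign-in
records (added example; not Microsoft's detection logic)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# AADSTS50126: error validating credentials (invalid username or password).
FAILED_CREDENTIAL = 50126
SUCCESS = 0

# Tunable thresholds (assumptions for this example, not Microsoft's values).
WINDOW = timedelta(minutes=15)
SPRAY_MIN_ACCOUNTS = 5    # distinct accounts failed from one IP inside WINDOW
BRUTE_MIN_FAILURES = 10   # failures against one account inside WINDOW


def parse_events(text):
    """Parse JSON-lines sign-in records into time-sorted, normalised events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["createdDateTime"]),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "code": rec["status"]["errorCode"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def _window_slices(times):
    """Yield (start, end) so that times[start:end+1] spans at most WINDOW."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        yield start, end


def detect_password_spray(events):
    """{ip: distinct_accounts} for IPs failing against many accounts in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["code"] == FAILED_CREDENTIAL:
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, fails in by_ip.items():
        times = [e["time"] for e in fails]
        for start, end in _window_slices(times):
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts


def detect_brute_force(events):
    """{user: details} for accounts with many failures in one window; also flags
    a later success from an IP that produced failures (the guess that worked)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        fails = [e for e in evs if e["code"] == FAILED_CREDENTIAL]
        times = [e["time"] for e in fails]
        peak = max((end - start + 1 for start, end in _window_slices(times)), default=0)
        if peak < BRUTE_MIN_FAILURES:
            continue
        fail_ips = {e["ip"] for e in fails}
        landed = any(e["code"] == SUCCESS and e["ip"] in fail_ips and e["time"] > times[0]
                     for e in evs)
        alerts[user] = {"failures_in_window": peak, "success_from_attacking_ip": landed}
    return alerts


def _event(t, user, ip, code):
    return json.dumps({"createdDateTime": t.isoformat(), "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


def build_sample_log():
    """Constructed sign-in log (TEST-NET addresses, example.com accounts)."""
    t0 = datetime(2021, 11, 3, 8, 0, tzinfo=timezone.utc)
    lines = []
    # Spray: one IP, six accounts, one guess each, 30 s apart.
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(_event(t0 + timedelta(seconds=30 * i), f"{u}@example.com",
                            "203.0.113.7", FAILED_CREDENTIAL))
    # Brute force: one IP, one account, 11 failures then a success.
    for i in range(11):
        lines.append(_event(t0 + timedelta(minutes=1, seconds=20 * i), "bob@example.com",
                            "198.51.100.9", FAILED_CREDENTIAL))
    lines.append(_event(t0 + timedelta(minutes=6), "bob@example.com", "198.51.100.9", SUCCESS))
    # Benign: alice signs in from her usual address after the spray touched her.
    lines.append(_event(t0 + timedelta(minutes=10), "alice@example.com", "192.0.2.5", SUCCESS))
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_events(build_sample_log())
    print("spray:", detect_password_spray(ev))
    print("brute force:", detect_brute_force(ev))
```

Alice is not flagged even though one spray guess hit her account: her success came from an address that never produced a failure. Bob's account is flagged with a success from the attacking IP, which is the case to treat as a compromise rather than a blocked attempt; with MFA enforced that final success would not have been possible.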
Microsoft added that its Defender for Endpoint blocked more than 9.6 billion malware threats targeting enterprise and consumer customer devices, between January and December 2021.
Microsoft pointed out that online threats are increasing in volume, velocity, and sophistication. The company has introduced Cyber Signals, a cyber threat intelligence brief informed by the latest Microsoft threat data and research.
Cyber Signals provides trend analysis and practical guidance to strengthen the defenses of Microsoft's customers.
"With Cyber Signals, we'll share trends, tactics, and strategies threat actors use to gain access to the hardware and software that houses one's most sensitive data. We will also help inform the world on how, collectively, we can protect our most precious digital resources and our digital lives so we can build a safer world together." concludes Microsoft.
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails
IBM Cybersecurity Fundamentals Professional Certificate
Information risk management is the process of identifying the ways an organisation can be affected by a disruptive incident and how it can limit the damage.
It encompasses any scenario in which the confidentiality, integrity and availability of data is compromised.
As such, it's not just cyber attacks that you should be worried about. Information risk management also covers threats within your organisation, such as negligent or malicious employees, as well as residual risks.
For example, the process can help you address misconfigured databases, software vulnerabilities and poor security practices at third parties.
In this blog, we take a closer look at the way information risk management works and how organisations can use its guidance to bolster their security defences.
Why is information risk management important?
In the face of ever-growing cyber threats, it can be difficult for an organisation to protect its information assets.
Last year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade. It's clear, then, that organisations need a plan for identifying and addressing security risks.
With an information risk management system, organisations gain a better understanding of where their information assets are, how to protect them and how to respond when a breach occurs.
One way it does this is by forcing organisations to not only identify but also assess their risks. This ensures that organisations prioritise scenarios that are most likely to occur or that will cause the most damage, enabling them to make informed decisions in line with their security budget.
How risk management works
To understand how risk management programmes work, we need to take a closer look at what "risk" actually is.
In an information security context, risk can be defined as the combination of a vulnerability and a threat.
As we've previously discussed, a vulnerability is a known flaw that can be exploited to compromise sensitive information.
These are often software flaws, together with the ways criminal hackers can exploit them to make systems perform tasks they weren't intended for.
They can also include non-technical vulnerabilities, including physical weaknesses and inherent human ones: our susceptibility to phishing scams, for instance, or the likelihood that we'll misplace a sensitive file.
This is different from a threat, which is defined as the actions that result in information being compromised.
So, to use the examples above, threats include a criminal hacker exploiting a software flaw or duping an employee with a bogus email.
When a threat meets a vulnerability, you get a risk. In the case of the criminal hacker phishing an employee, the risk is that the attacker will gain access to the employee's work account and steal sensitive information. This can result in financial losses, loss of privacy, reputational damage and regulatory action.
A risk management system helps organisations identify the ways in which vulnerabilities, threats and risks intertwine. More importantly, it gives organisations the ability to determine which risks must be prioritised and identify which controls are best equipped to mitigate the risk.
Start protecting your business
At the heart of risk management is the risk assessment. This is the process where threats and vulnerabilities are identified. Organisations can use the result of the assessment to plan their next moves.
With vsRisk, you'll receive simple tools that are specifically designed to tackle each part of the risk assessment.
This software package is:
Easy to use. The process is as simple as selecting some options and clicking a few buttons.
Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
Streamlined and accurate. Drastically reduces the chance of human error.
Cryptocurrency scammers love social media, especially Meta's platforms. The Federal Trade Commission says hundreds of millions of dollars were scammed from U.S. consumers in 2021 (and that's just the scams the FTC knows about).
And the problem's growing incredibly fast, with no hint of a fix in sight. Meta claims to be "tackling" it, but we've probably all experienced scam reports to Facebook and Instagram being ignored or closed with no action. But why expect anything different? Meta makes money from all the scam ads and "engagement."
Of course, some say all cryptocurrencies, NFTs and DeFi are scams. In today's SB Blogwatch, we couldn't possibly comment.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nothingverse.
"A large majority … involve cryptocurrency" A growing number of U.S. consumers are getting scammed on social media. … That number has also increased 18 times … the FTC said, as new types of scams involving cryptocurrency and online shopping became more popular. This has also led to many younger consumers getting scammed. … Facebook and Instagram were where most of these social media scams took place. … More than half (54%) of the investment scams in 2021 began with social media platforms, where scammers would promote bogus investment opportunities or connect with people directly to encourage them to invest. … A large majority of the investment scams now involve cryptocurrency.
"Bogus investment sites" Cryptocurrency is an easy target because while it's surging in popularity, there's still a lot of confusion about how it works. … One type of crypto scam reported to the agency involves someone bragging about their own success to drive people to bogus investment sites. … "We put significant resources towards tackling this kind of fraud and abuse," said a spokesperson for … Meta. "We also go beyond suspending and deleting accounts, Pages, and ads. We take legal action against those responsible when we can and always encourage people to report this behavior when they see it."
"Urgent need for money" Social media is also increasingly where scammers go to con us. More than one in four people who reported losing money to fraud in 2021 said it started on social media with an ad, a post, or a message. … For scammers, there's a lot to like about social media. It's a low-cost way to reach billions of people. [It] is a tool for scammers in investment scams, particularly those involving bogus cryptocurrency investments, an area that has seen a massive surge. … People send money, often cryptocurrency, on promises of huge returns, but end up empty handed. … If you get a message from a friend about an opportunity or an urgent need for money, call them. Their account may have been hacked, especially if they ask you to pay by cryptocurrency, gift card, or wire transfer. … To learn more about how to spot, avoid, and report scams, and how to recover money if you've paid a scammer, visit ftc.gov/scams.
Who would fall for such scams? King_TJ hates to admit it:
"Facebook is complicit" Hate to admit it, but I fell for one of these scams on Facebook myself. It was probably about a year ago. I ran across a "seller" in one of the ads that scrolled by on my feed. … There were plenty of comments posted ranging from other people interested in one, to claims they got one and liked it. … After a little while … the tracking info showed the package as delivered, but I never received anything at all. … When I started digging around more on Facebook after that, I realized the scammers … were actually running dozens of ads for various products, giving out web URLs that were almost identical except with one letter changed in their name. Reported the original ad … to Facebook, but … got no response. … That's when it struck me that Facebook is complicit in all of this, in the sense they make a lot of ad revenue off of these scams. … It's more profitable for them to turn a blind eye and simply take one down when a user complains about it specifically.
Facebook is complicit? Carrie Goldberg (@cagoldberglaw) puts it more bluntly:
Platforms love scams because user engagement is so high from all the accounts they create, posts, and messaging; not to mention the panicked use by victims.
Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists
Some of the major oil terminals in Western Europe's biggest ports have been targeted with a cyberattack.
Threat actors have hit multiple oil facilities in Belgiumās ports, including Antwerp, which is the second biggest port in Europe after Rotterdam.
Among the impacted port infrastructure, there is the Amsterdam-Rotterdam-Antwerp oil trading hub, along with the SEA-Tank Terminal in Antwerp.
"A spokesperson for prosecutors in the northern Belgian city confirmed on Thursday they had begun an investigation earlier this week, but declined to give further details." reported the Reuters agency. "Belgian business daily De Tijd reported that terminal operator Sea-Tank had been hit by a cyber attack last Friday. The company declined to comment."
The AFP agency reported that the attackers have disrupted the unloading of barges in the affected European ports.
"There was a cyber attack at various terminals, quite some terminals are disrupted," said Jelle Vreeman, senior broker at Riverlake in Rotterdam. "Their software is being hijacked and they can't process barges. Basically, the operational system is down."
The attacks were also confirmed by Europol, which is supporting the authorities in Germany, where other ports were hit by the threat actors.
āAt this stage the investigation is ongoing and in a sensitive stage,ā Europol spokeswoman Claire Georges said.
This week, two oil supply companies in Germany were hit by cyber-attacks that caused severe problems to petrol distribution.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics