Penetration Testing: Step By Step Guide

InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Jan 04 2022
Luke Irwin 4th January 2022
2021 was a difficult year for many of us, and with the hope that COVID-19 will dissipate in the spring, this is a new year more than any other where we want to look forwards, not backwards.
But before we turn our attention to 2022, we must first round out 2021 with our final monthly review of data breaches and cyber attacks. December saw 74 publicly disclosed security incidents, which accounted for 219,310,808 breached records.
You can find the full list of incidents below, with those affecting UK-based organisations listed in bold.
We’ll also soon be publishing our latest quarterly review of security incidents, in which you can discover the latest trends and take a look back at the year as a whole.
Big Breaches: Cybersecurity Lessons for Everyone

Jan 04 2022
Threat actors used an unnamed cloud video platform to install an e-skimmer on more than 100 real estate websites belonging to the same parent company.
In e-skimming attacks, attackers inject malicious JavaScript code into e-stores to steal financial data while visitors are purchasing products. Researchers from Palo Alto Networks documented a supply chain attack in which the attackers abused a cloud video platform to inject an e-skimmer hidden in a video.
Every website importing the video from the platform was compromised due to the presence of the e-skimmer.
“With Palo Alto Networks proactive monitoring and detection services, we detected over 100 real estate sites that were compromised by the same skimmer attack.” reads the analysis published by Palo Alto Networks. “After analysis of the sites we identified, we found that all the compromised sites belong to one parent company. All these compromised sites are importing the same video (accompanied by malicious scripts) from a cloud video platform.”
The security firm helped the cloud video platform and the real estate firm in removing the e-skimmer.
The researchers discovered that the cloud video platform allows users to create their own players, which can be customized by adding JavaScript code. The JavaScript customizations can be included in a file that is uploaded to the platform.
“In this specific instance, the user uploaded a script that could be modified upstream to include malicious content. We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.” continues the analysis.
The attackers modified the static script at its hosted location by attaching e-skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the customized player.
The software skimmer is highly polymorphic and elusive; experts pointed out that it is continuously updated by its authors.

The e-skimmer allows attackers to gather sensitive and financial information, including names, emails, phone numbers, and credit card data.
Stolen data were uploaded to the server https://cdn-imgcloud[.]com/img.
The researchers shared Indicators of Compromise (IoCs) for these attacks.
“The skimmer itself is highly polymorphic, elusive and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large,” Palo Alto Networks concludes.
RFID Blocking Sleeves, Set With Color Coding. Identity Theft Prevention RFID Credit Card Holders by Boxiki Travel (Set of 12 Credit Card Protectors + 3 Passport Holders)

Jan 03 2022
To get the assets needed for CISOs to properly do their jobs, business leaders need to invest time, attention, and money in cybersecurity. Here are helpful ways that CISOs can discuss cybersecurity with their C-suite and board members.
As a newer role within organizations, CISOs may not yet be understood by leadership teams or have a seat at the executive table. Some CISOs may also be managed by other IT leaders such as a CIO and CTO, making it difficult to build trust among the rest of the C-suite and board. Even if you have a good relationship with your supervisors, some of the messaging might change as it goes through the chain of command.
It’s frustrating to not have a seat at the table, but there are other ways to be heard.
One way is to start building relationships with other members of leadership. You can try meeting one-on-one with business shareholders to share ideas, enjoy informal conversations or identify an ally.
In my own companies, I encourage these types of meetings. When team members want to run ideas by me, I’m happy to listen — regardless of their titles. If they bring in some good thoughts, I usually think them over and may follow up if the employees present compelling ideas. Building this trust may lead to me bringing these ideas to the board or even inviting the employees to present themselves.
Of course, it’s ideal to always have a seat at the table, but if that’s not possible, work your way up. Anyone can make an impact, but you must put yourself out there and build trust with your leadership.
When you get a chance to speak with executives, you typically don’t have much time to discuss details. And frankly, that’s not what executives are looking for, anyway. It’s important to phrase cybersecurity conversations in a way that resonates with the leaders.
Messaging starts with understanding the C-suite and boards’ priorities. Usually, they are interested in big picture initiatives, so explain why cyber investment is critical to the success of these initiatives. For example, if the CEO wants to increase total revenue by 5% in the next year, explain how they can prevent major unnecessary losses from a cyber attack with an investment in cybersecurity.
Once you know the executive team and board’s goals, look to specific members, and identify a potential ally. Has one team recently had a workplace security breach? Does one leader have a difficult time getting his or her team to understand the makings of a phishing scheme? These interests and experiences can help guide the explanation of the security solution.
If you’re a CISO, you’re well-versed in cybersecurity, but remember that not everyone is as involved in the subject as you are, and business leaders probably will not understand technical jargon. Conversations leading with highly technical terms are unlikely to kindle and keep a C-suite or board member’s attention.
CISOs are the translators that explain cybersecurity needs to leadership in a way they understand — through real-life examples and business metrics outlining risk. If you speak their language, executive leaders will be more willing to consider a proposal.
There’s more to being a CISO than keeping track of evolving risks and staying up to date on technological advancements. You are also an advocate for cybersecurity initiatives that protect the company, convincing executives to invest in cybersecurity. Working up to the board room might not be easy, but with clear and relevant messaging, you can be a champion for a strong cybersecurity strategy.
Information Security Governance: Framework and Toolset for CISOs and Decision Makers

Jan 03 2022
Critical Log Review Checklist For Security Incidents – by SANS Institute
Guide to Computer Security Log Management : Recommendations of the National Institute of Standards and Technology

Jan 03 2022
At the end of the year, gaming giant SEGA Europe inadvertently left users’ personal information publicly accessible in an Amazon Web Services (AWS) S3 bucket, cybersecurity firm VPN Overview reported.
The unsecured S3 bucket contained multiple sets of AWS keys that could have allowed threat actors to access many of SEGA Europe’s cloud services, along with MailChimp and Steam keys that allowed access to those services in SEGA’s name.
“Researchers found compromised SNS notification queues and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected.” reads the report published by VPN Overview.

The unsecured S3 bucket could potentially also grant access to user data, including information on hundreds of thousands of users of the Football Manager forums at community.sigames.com.
Below is the list of bugs in SEGA Europe’s Amazon cloud reported by the company:
| FINDING | SEVERITY |
|---|---|
| Steam developer key | Moderate |
| RSA keys | Serious |
| PII and hashed passwords | Serious |
| MailChimp API key | Critical |
| Amazon Web Services credentials | Critical |
Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and CloudFormation

Jan 02 2022
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager

![NIST Cybersecurity Framework: A pocket guide by [Alan Calder]](https://m.media-amazon.com/images/I/31zbdJvBpPL.jpg)
Jan 02 2022
North Korea-linked APT groups are suspected to be behind some of the largest cyberattacks against cryptocurrency exchanges. According to South Korean media outlet Chosun, North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
According to local media, US federal prosecutors believe that North Korea’s government considers cryptocurrency a long-term investment and it is amassing crypto funds through illegal activities.
In a classified report cited by Chosun, the US National Intelligence Service (DNI) found that North Korea was financing its ‘priority policies’, such as nuclear and missile development, through cybercrime. Government experts noticed that nation-state actors are not immediately cashing out all the stolen crypto to create a crypto fund reserve.
“Citing the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the media reported that all banks in the world are being targeted by North Korea’s cyberattacks. It also reported that North Korea is committing cybercrimes such as stealing defense secrets from major powers, using ransomware to steal funds, hijacking cryptocurrencies, and “laundering” criminal proceeds into cryptocurrencies.” reads a post published by Chosun.
“Then, citing the results of investigations by the United States and the UN Security Council, it was estimated that the Kim Jong-un regime’s fraudulent profits from cyber crimes have already reached $2.3 billion (about 2.7 trillion won).”
The report states that North Korea-linked attacks employed the AppleJeus malware to steal cryptocurrency. According to Bloomberg, multiple versions of AppleJeus have been used in attacks against entities in 30 countries since 2018, and according to a UN and US investigation, between 2019 and November 2020, North Korean hackers stole $316.4 million (about 380 billion won) in cryptocurrency through this program.
According to Chosun, North Korea’s dependence on cybercrime will increase due to international sanctions that limit the amount of money that North Korea can earn from coal exports to $400 million (about 480 billion won) per year.
The Infinite Machine: How an Army of Crypto-hackers Is Building the Next Internet with Ethereum

Jan 01 2022
Researcher Sylvain Pelissier has discovered that the DataVault encryption software made by ENC Security and used by multiple vendors is affected by a couple of key derivation function issues. An attacker can exploit the flaws to obtain user passwords.
This week Pelissier detailed the vulnerabilities at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference.
DataVault is advanced encryption software for protecting user data; it provides comprehensive military-grade data protection and security features to multiple systems.
Multiple vendors, including WD, Sony and Lexar use the DataVault software.
Pelissier discovered the issues through the reverse engineering of the software.
“It turned out that the key derivation function was PBKDF2 using 1000 iterations of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory trade-off attack techniques such as rainbow tables and to re-use the tables to retrieve passwords for all users using the software. The implementation itself was incorrect and even with a randomly generated unique salt, it would be effortless to recover the password of a user. Other flaws of the key derivation function will be discussed and compared with nowadays good practices.” reads the presentation of the speech published on the rc3 website.
“The data encryption method was also found to be malleable, allowing malicious modifications of files in a vault without any detection. No data integrity mechanism was set up.”
The vulnerabilities have been tracked as CVE-2021-36750 and CVE-2021-36751.
“DataVault and its derivatives were using a one-way cryptographic hash with a predictable salt making it vulnerable to dictionary attacks by a malicious user. The software also made use of a password hash with insufficient computational effort that would allow an attacker to brute force user passwords leading to unauthorized access to user data.” reads the security advisory published by ENC. “Both the key derivation function issues described above have been resolved in the updated version DataVault 7.2.”
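The two weaknesses quoted above (one hard-coded salt shared by every vault, fed into a fast MD5-based PBKDF2, and a vault format with no integrity check) can be reproduced side by side with their fixed counterparts. The Python below is an added example written for this post, not code from ENC Security or from Pelissier’s research; the salt value, the passwords and the toy keystream cipher are constructed stand-ins, and only the standard library is used.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# DataVault as described in the talk: PBKDF2 with 1000 iterations of MD5 and one
# salt hard-coded into every product of every vendor. The salt value below is a
# constructed placeholder, not the real hard-coded bytes.
WEAK_SALT = b"constructed-shared-salt"
WEAK_ITERS = 1000
# Current PBKDF2 baseline: per-vault random salt, SHA-256 PRF, six-figure
# iteration count (OWASP's current figure for PBKDF2-HMAC-SHA256 is 600,000).
STRONG_ITERS = 600_000

def weak_derive(password: str) -> bytes:
    """DataVault-style: every vault using this password gets this exact key."""
    return hashlib.pbkdf2_hmac("md5", password.encode(), WEAK_SALT, WEAK_ITERS)

def strong_derive(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Fresh 16-byte salt per vault, stored beside the vault in the clear."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, STRONG_ITERS)

def shared_salt_makes_keys_reusable(password: str) -> bool:
    """Two unrelated vaults with the same password get identical keys, so a
    password-to-key table computed once applies to every DataVault install."""
    return weak_derive(password) == weak_derive(password)

def random_salt_separates_vaults(password: str) -> bool:
    """Same password, two vaults: different salts give different keys, while the
    owner still recreates the right key from the stored salt."""
    salt_a, key_a = strong_derive(password)
    _, key_b = strong_derive(password)
    return key_a != key_b and strong_derive(password, salt_a)[1] == key_a

# The talk also reports the vault format is malleable: no integrity mechanism.
# Any keystream cipher (toy SHA-256 counter mode here) shows why: flipping a
# ciphertext bit flips the same plaintext bit and nothing notices.
def keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + n.to_bytes(8, "big")).digest()
                      for n in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC-SHA256 tag over it,
    under a MAC key separated from the encryption key."""
    ct = keystream_xor(key, plaintext)
    return ct + hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, "sha256").digest()

def open_sealed(key: bytes, blob: bytes) -> bytes | None:
    """Returns the plaintext, or None when the tag shows the blob was altered."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, "sha256").digest()
    return keystream_xor(key, ct) if hmac.compare_digest(tag, expected) else None

def tamper_demo(password: str = "constructed-password") -> tuple[bytes, bool]:
    """Flip one ciphertext byte of b'amount=100' in both schemes. Returns the
    plaintext the unauthenticated scheme silently yields and whether the
    authenticated scheme rejected the same edit."""
    _, key = strong_derive(password)
    flip = ord("1") ^ ord("9")        # byte 7 of the plaintext is the '1' of '100'
    raw = bytearray(keystream_xor(key, b"amount=100"))
    raw[7] ^= flip
    sealed = bytearray(seal(key, b"amount=100"))
    sealed[7] ^= flip
    return keystream_xor(key, bytes(raw)), open_sealed(key, bytes(sealed)) is None
```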

Dec 31 2021
Korean researchers devised a series of attacks against solid-state drives (SSDs) that could allow attackers to implant malware in specific memory locations, bypassing security solutions.
The attacks work against drives with flex capacity features and allow attackers to implant malicious code in a hidden area of SSDs called over-provisioning (OP). This memory location is used for performance optimization on NAND flash-based storage systems.
“The Micron Flex Capacity feature is designed to unleash the true capabilities of storage media by giving IT administrators the ability to tune their SSDs to meet specific workload characteristics such as performance, capacity and endurance.”
The operating system and any applications running on it have no visibility into the over-provisioning area, which means that security software cannot inspect its content for malicious code.
Many storage devices can vary the size of the OP area in real time to optimize performance; a larger OP area can ensure better performance. The OP area can be set to a maximum of, for example, 50%. An invalid data region is created when the OP area is varied, which can be done by the user or by the firmware manager. A threat actor can therefore reduce the size of the OP area using the firmware manager, generating an invalid data area; this could lead to an information-disclosure attack.
“Assuming that the hacker can access the management table of the storage device, the hacker can access this invalid data area without any restrictions.” reads the research paper. “Without the need for special forensic equipment, as a computer user, a hacker can access these invalid data areas of the NAND flash memory. Depending on whether sensitive information is stored in the invalid data area, computer users can feel more or less alarmed by this.”


Dec 30 2021
The AvosLocker ransomware operation provided a free decryptor after they encrypted the systems of a US government agency.
According to BleepingComputer, the gang hit a police department but fearing the reaction of US law enforcement opted to release a free decryptor to the government entity.
The incident was accidental: one of the affiliates of the RaaS service hit the government agency, and AvosLocker discovered the name of the victim only after their malware had encrypted its systems.
Recently, major ransomware operations have been targeted by international law enforcement operations. In recent months, police identified and arrested members and affiliates of several gangs, including the REvil, Egregor, and Clop ransomware gangs.
Despite the success of these police operations, ransomware gangs continue to target organizations worldwide; in 2021 several groups rebranded as new operations to evade sanctions.
BleepingComputer, which reached out to the AvosLocker gang, said that its operators are “not worried about law enforcement as they have no jurisdiction in the motherland.”
This is another problem: the fight against ransomware gangs needs the collaboration of law enforcement agencies of every country, especially Russia, where many ransomware groups have their origin.
Dec 29 2021
The Apache Software Foundation released Log4j 2.17.1 version to address a recently discovered arbitrary code execution flaw, tracked as CVE-2021-44832, affecting Log4j 2.17.0.
CVE-2021-44832 is the fifth vulnerability discovered in the popular library in the last weeks. Like the previous issues affecting the library, this one could be exploited by threat actors to execute malicious code on affected systems.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.” reads the advisory.
The flaw received a CVSS score of 6.6 and impacts all Log4j versions from 2.0-alpha7 to 2.17.0. Versions 2.3.2 and 2.12.4 are not impacted.
The vulnerability was discovered by Checkmarx security researcher Yaniv Nizry who reported it to Apache on December 27.
Nizry also published details of the CVE-2021-44832 flaw in a blog post, in which he notes that exploiting this issue is more complex than exploiting CVE-2021-44228.
“This vulnerability doesn’t use the disabled lookup feature. The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration,” states Nizry. “Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file.”
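Because this issue requires control over the logging configuration, a practical defensive check is to audit deployed Log4j versions against the advisory’s ranges and to flag any JDBC appender whose DataSource points outside the java: protocol, which is the restriction 2.17.1 enforces at runtime. The Python below is an added example, not tooling from Apache or Checkmarx; the sample log4j2.xml, its appender names and the placeholder host are constructed for illustration.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed log4j2.xml: one JDBC appender whose DataSource uses a local java:
# JNDI name (still permitted after 2.17.1) and one whose jndiName is a non-java:
# URI, the shape CVE-2021-44832 concerns. The host name is a placeholder.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="audit">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="msg" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="events">
      <DataSource jndiName="ldap://placeholder.invalid/o=ds"/>
      <Column name="msg" pattern="%m"/>
    </JDBC>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""

def jdbc_jndi_findings(config_xml: str) -> list[dict[str, str]]:
    """One finding per JDBC appender whose DataSource jndiName does not use the
    java: protocol, the same restriction Log4j 2.17.1 applies at runtime."""
    findings = []
    for jdbc in ET.fromstring(config_xml).iter("JDBC"):
        for ds in jdbc.findall("DataSource"):
            name = ds.get("jndiName", "")
            if not name.lower().startswith("java:"):
                findings.append({"appender": jdbc.get("name", "?"), "jndiName": name})
    return findings

def _core_version(version: str) -> tuple[int, int, int]:
    """'2.17.0' -> (2, 17, 0); a pre-release tag such as '2.0-beta7' is dropped,
    so the whole 2.0 pre-release line is treated as affected (conservative)."""
    parts = [int(p) for p in version.split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def is_affected_version(version: str) -> bool:
    """Affected range from the advisory: 2.0-beta7 through 2.17.0, except the
    security-fix releases 2.3.2 and 2.12.4 (and later patches on those lines)."""
    major, minor, patch = _core_version(version)
    if major != 2 or (minor, patch) >= (17, 1):
        return False
    if (minor == 12 and patch >= 4) or (minor == 3 and patch >= 2):
        return False
    return True

def audit(version: str, config_xml: str) -> list[str]:
    """Human-readable audit lines combining the version and config checks."""
    notes = []
    if is_affected_version(version):
        notes.append(f"log4j-core {version} is within the CVE-2021-44832 range; "
                     "upgrade to 2.17.1, 2.12.4 or 2.3.2")
    for f in jdbc_jndi_findings(config_xml):
        notes.append(f"appender '{f['appender']}' uses non-java: JNDI data source "
                     f"'{f['jndiName']}'")
    return notes
```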
Dec 28 2021
Now that the festive frenzies have almost finished and you still have a few quiet days to spend at home, this is a great time to invest in your education. Enhance your knowledge of ISO 27001 with our wide range of books. Available in a variety of formats, including audiobook, softcover, Kindle and ePub, they cover everything you need to know about ISO 27001 and how to implement it. You can also focus on gaining an ISO 27001 qualification and top up your CPD/CPE points with our self-paced training courses. Until January 3, you can get 10% off self-paced training courses by using the promo code XMASTRAIN at checkout*.

ISO 27001 controls – A guide to implementing and auditing
Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organizations to ISO 27001.

Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition
Get to grips with the requirements of the ISO 27001 Standard and discover how to make your ISO 27001 implementation project a success with this must-have guide from international ISO 27001 expert Alan Calder. The ideal resource for anyone tackling ISO 27001 implementation for the first time, it details the key steps of an ISO 27001 project from inception to certification and explains each element of the ISO 27001 project in simple, non-technical language.

Information Security Risk Management for ISO 27001/ISO 27002
Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework and deliver real, bottom-line business benefits.
Dec 28 2021
These are the results of a new research report by Positive Technologies, which analyzes the company’s penetration testing projects carried out in the second half of 2020 and the first half of 2021.
The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.
During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.
“In 20% of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information pose the greatest danger,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.
“In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.
Despite the fact that financial organizations are considered to be among the most protected companies, as part of the verification of unacceptable events in each of the banks we tested, our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds.
An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to our research, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main way criminals can penetrate a corporate network (71% of companies), primarily because of simple passwords used, including for accounts used for system administration.
Microservices Security in Action: Design secure network and API endpoint security for Microservices applications
