Apr 11 2022

SuperCare Health discloses a data breach that impacted 300K+ people

Category: Data Breach | DISC @ 8:39 am

SuperCare Health, a leading respiratory care provider in the Western U.S, disclosed a data breach that impacted more than 300,000 individuals.

SuperCare Health disclosed a security breach that has led to the exposure of personal information belonging to its patients, patients/members of its partner organizations and others.

The company notified impacted individuals and law enforcement agencies.

The company told the US Department of Health and Human Services that the data breach has impacted 318,379 individuals.

The security breach was discovered on July 27, 2021, when the company's IT personnel noticed unauthorized activity on some systems. SuperCare Health immediately launched an investigation with the help of independent cybersecurity experts, which revealed that the intrusion took place between July 23 and July 27, 2021.

Seven months later, in February 2022, the company determined that some information relating to certain patients had potentially been compromised.

“On July 27, 2021, we discovered unauthorized activity on our systems. In response, we immediately began containment, mitigation, and restoration efforts to terminate the activity and to secure our network, systems, and data. In addition, we retained independent cybersecurity experts to conduct a forensic investigation into the incident and assist us in determining what happened.” reads the data security notice published by the company. “The forensic investigation revealed that an unknown party had access to certain systems on our network from July 23, 2021 to July 27, 2021. Based on that information, we worked diligently to identify the potentially affected files and their contents. On February 4, 2022, we determined that the potentially impacted files contained some information relating to certain patients.”

Potentially compromised data depends on the individual and may include: name, address, date of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, other health-related information, and claim information. For a small subset of individuals, their Social Security number and/or driver’s license number may have been contained in the impacted files.

The company is not aware of any abuse or misuse of the information exposed as a result of the incident.

Tags: SuperCare Health


Apr 08 2022

Developers Remediate Less Than a Third of Vulnerabilities

Category: Security vulnerabilities | DISC @ 8:28 am

Developers are regularly ignoring security issues as they deal with an onslaught of issues from security teams, even as they are expected to release software more frequently and faster than ever before.

In addition, developers fix just 32% of known vulnerabilities, and 42% of developers push vulnerable code once per month, according to Tromzo’s Voice of the Modern Developer Report.

The report, based on a survey of more than 400 U.S.-based developers who work at organizations where they currently have CI/CD tools in place, also found a third of respondents think developers and security are siloed.

Tromzo CTO and co-founder Harshit Chitalia pointed out the top security vulnerabilities of the past few years—Log4j, SolarWinds, Codecov—have all been supply chain attacks.

“This has made AppSec an urgent and top priority for CISOs worldwide,” he said. “In addition, everything as code with Kubernetes, Terraform and so on have made all parts of the development stack part of AppSec.”

From his perspective, the only way this big attack surface can be overcome is with security and development teams working hand in hand to secure the application in every step of the development cycle.

He added developers ignoring security issues is one of the fundamental issues AppSec engineers have with security.

“Security teams put their blood, sweat and tears into finding different vulnerabilities in code through orchestrating scanners and manual testing,” he said. “After all the work, seeing the issue on Jira queue for months is disappointing and quite frustrating.”

Fighting Friction

On the other hand, he pointed to developers who are now asked not only to develop features and fix bugs but also look at DevOps, performance and security of their applications.

“This leads to friction in priorities and, if unresolved, leads to unhappy employees,” he said. “The C-suite is very much aware of this problem, but they are stuck with security tools which are not created for developers. As application security is going through a big transformation, we believe the tooling will also shift.”

He explained there were several concerning findings from the survey but that two, in particular, stood out.

The first thing Chitalia found deeply concerning was the fact that 62% of developers are using 11 or more application security tools.

He said application security has evolved in recent years with AppSec teams now responsible for source-code analysis, DAST, bug bounty, dependency, secrets scanning, cloud scanning and language-specific scanners.

“This means developers are constantly fed information from these tools without any context and they have to triage and prioritize the workload these tools generate for them,” he said. 

The second big worry was the fact that a third of vulnerabilities are noise.

“If someone told you that a third of the work you did needs to be thrown away every single day, how would you feel about that?” he asked. “But that’s the current state of application security.”

False Positives a Big Negative

Securing DevOps: Security in the Cloud

Tags: DevOps, DevSecOps, Securing DevOps


Apr 07 2022

A cyber attack forced the wind turbine manufacturer Nordex Group to shut down some of its IT systems

Category: Cyber Attack | DISC @ 8:45 am

Nordex Group, one of the largest manufacturers of wind turbines, was hit by a cyberattack that forced the company to shut down part of its infrastructure. 

https://securityaffairs.co/wordpress/129875/security/a-cyber-attack-forced-the-wind-turbine-manufacturer-nordex-group-to-shut-down-some-of-it-systems.html

Nordex Group, one of the world’s largest manufacturers of wind turbines, was the victim of a cyberattack that forced the company to take down multiple systems.

The attack was uncovered on March 31 and the company immediately started its incident response procedure to contain the attack.

Nordex Group shut down “IT systems across multiple locations and business units” as a precautionary measure to prevent the threat from spreading across its networks.

“On 31 March 2022 Nordex Group IT security detected that the company is subject to a cyber security incident. The intrusion was noted in an early stage and response measures initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units.” reads the announcement published by the company. “The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure.”

Nordex did not disclose technical details of the cyberattack, but the fact that it was forced to shut down part of its IT infrastructure suggests that it fell victim to a ransomware attack.

According to the press release, customers, employees, and other stakeholders may be affected by the shutdown of the company’s systems.

In November, another wind turbine manufacturer, the Danish giant Vestas Wind Systems, was hit by a cyber attack. The company was hit by the Lockbit 2.0 ransomware gang, which published the stolen data in December after negotiations over the ransom payment failed.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

Tags: Nordex Group, The Hacker and the State


Apr 06 2022

Social Media Bots Infographic Set

Category: Social network | DISC @ 5:31 pm

Social Media Bots Infographic – by Cybersecurity and Infrastructure Security Agency

Bots (Digital Media and Society)


Apr 06 2022

The CISO as brand enabler, customer advocate, and product visionary

Category: CISO, vCISO | DISC @ 8:38 am

Just over a quarter-century ago, the first Chief Information Security Officer (CISO) was minted in the financial vertical, and everyone lived happily ever after. The End.

If only this story was that simple and straightforward! The CISO role has never been cut-and-dry. Despite its longevity, this role is still in its adolescence – full of promise, mostly headed in the right direction, but not quite fully formed.

If you’re a CISO today, or have worked for or watched one from afar, you have felt the reality of the goalposts continually shifting over time, and you have experienced some of the tough questions that may not yet be answered. Where should the CISO report for maximum effect? How does the CISO gain that valuable seat at the executive table, and a regularly scheduled time slot every quarter in front of the board? Is it possible that broad technical competency may be superior to deep technical expertise for this C-level role? And if you are the CISO who thought you signed up for an IT-centric, inward-facing role, I have a few nation-state and cybercriminal actors to introduce to you.

But there are several other less obvious roles that the CISO should consider taking on to help the organization reach its goals, whether its customers are external or internal.

The CISO as brand enabler

Quantifying the value of a corporate brand is tough. But it’s clear that your organization’s brand is as much an asset as the devices and networks that the CISO is charged with protecting – in fact, the brand may be your organization’s largest single asset. A recent Forbes/MASB report states that brand assets drive approximately 20% of enterprise value on average. Doesn’t that sound like something worth protecting?

Yes, the creation and growth of the brand is typically the responsibility of the marketing organization and the CMO (chief marketing officer). But it’s not unusual for marketing to feel like it’s outracing the other business functions, including the CISO, and they are anxious for everyone to “catch up” and join them. The CISO can act as a useful counterweight to help marketing achieve its goals safely, in good times and bad. For example, isn’t it important to fully coordinate a breach response between these two groups in a way that best preserves the value of your brand? Those brands that emerge out of a high-profile information security incident stronger don’t get there by accident.

This is a missed opportunity in many organizations. When was the last time your CISO and CMO sat down alone to discuss each other’s long-term initiatives? And no, the sometimes recurring conversation between these two parties about how the marketing team is leveraging shadow IT doesn’t count here.

The CISO as customer advocate

If the CISO is considered an inward-facing resource only, your organization may be leaving some significant value on the table. Is your CISO considered and leveraged as an extended member of your customer-facing teams? There is often nothing more compelling to a prospect or a customer than the opportunity to hear from a true CISO practitioner about her experiences in the industry around a common challenge.

Another way to bring the CISO closer into the customer orbit: you have some customers who due to their size or potential are at the very top of your essential, must-not-lose list. Your CISO may be more than willing to act as an executive sponsor for the overall relationship between the two organizations. This is a great way to cement that bond with your truly key and strategic customers. You may also discover that same hugely important customer is willing to share details with the CISO that would never be shared with the sales team.

The CISO as product visionary

In many ways, your CISO may be an ideal prospect, a research partner, and a sounding board for new products, services or features your organization plans to introduce. Think about all the angles a CISO deals with every day: B2B connections and data flowing amongst third parties; identifying and securing B2C data and connectivity; monitoring an infrastructure round the clock to recognize and remediate tactical, strategic and regulatory risks; signing off on your organization’s ISO 27001 certification or SOC 2 attestation, and more!

For bonus points, if you are that CISO of today or the aspirational CISO of tomorrow, don’t settle for approaching your job solely in pursuit of how to best secure your organization – ask yourself how you can make your own customers more secure. Sometimes a new feature or service might pop out from that alternative angle, from a perspective that only the CISO can see.

Whether you are the CISO or are a colleague of the CISO, think outside the box. CISOs can absolutely be leveraged in these and other non-traditional roles, to the greater benefit of your organization.

The CISO Evolution: Business Knowledge for Cybersecurity Executives

Tags: CISO, The CISO Evolution


Apr 05 2022

Build your career with ISO 27701 training

Category: ISO 27k | DISC @ 4:08 pm

ISO 27701 specifies the requirements for establishing, implementing, maintaining, and continually improving a PIMS (privacy information management system).

Compliance with ISO 27701 shows customers and stakeholders that your organization takes privacy legislation seriously. ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing data security practices to achieve complete coverage of data security and privacy management.

The ITG Certified ISO 27701 PIMS Lead Implementer Training Course covers the key steps involved in implementing and maintaining an ISO 27701-compliant PIMS.

Certified ISO 27701 PIMS Lead Implementer Training Course

If you are already an ISO 27701 expert, have you considered developing your career as an auditor? The ITG Certified ISO 27701 PIMS Lead Auditor Training Course teaches you how to extend an ISO 27001 audit program and conduct a PIMS audit against ISO 27701.

Certified ISO 27701 PIMS Lead Auditor Training Course

Enhance your privacy management with ISO 27701

ISO/IEC 27701 2019 Standard and Toolkit

Tags: ISO 27701, ISO 27701 Auditor, ISO 27701 Implementer


Apr 05 2022

CISA adds Spring4Shell flaw to its Known Exploited Vulnerabilities Catalog

Category: Security vulnerabilities | DISC @ 8:41 am

The U.S. CISA added the recently disclosed remote code execution (RCE) vulnerability Spring4Shell to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed flaw in the Spring Framework (aka Spring4Shell, CVSS score: 9.8), along with three other issues, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The Spring4Shell issue was disclosed last week; it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io, a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit and then deleted their account (helloexp).

This week VMware published security updates to address the Spring4Shell flaw; according to the virtualization giant, the flaw impacts many of its cloud computing and virtualization products.

The flaw impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.

Spring4Shell impacts VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

The exploitation of this flaw could allow a remote attacker to execute arbitrary code on vulnerable systems. Researchers from Palo Alto Networks’ Unit42 and Akamai have observed the issue being exploited in the wild to deploy malicious code.

CISA also added the CVE-2022-22675, CVE-2022-22674 and CVE-2021-45382 flaws to its catalog. The four vulnerabilities added to the catalog have to be addressed by federal agencies by April 25, 2022.

Tags: Spring4Shell


Apr 04 2022

Brokenwire attack, how hackers can disrupt charging for electric vehicles

Category: Cyber Attack, Security vulnerabilities | DISC @ 8:00 am

Boffins devised a new attack technique, dubbed Brokenwire, against the Combined Charging System (CCS) that could potentially disrupt charging for electric vehicles.

A group of researchers from the University of Oxford and Armasuisse S+T has devised a new attack technique, dubbed Brokenwire, against the popular Combined Charging System (CCS) that could be exploited by remote attackers to disrupt charging for electric vehicles.

The Combined Charging System (CCS) is one of the most widely used DC rapid charging technologies for electric vehicles (EVs). 

The attack aims at interrupting the control communication between the vehicle and charger, causing the disruption of charging sessions.

“The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.” reads the post published by the academics. “In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it.”

The researchers demonstrated that the Brokenwire attack can be conducted from a distance of as far as 47m (151ft). Experts pointed out that the interruption of the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences.

The experts did not disclose details about the attack technique to prevent attacks in the wild.

The researchers published a video PoC of the attack showing their technique in action.

Let me close with a couple of questions from the FAQ published by the researchers:

I have a charger at home, can someone stop my car from charging?

Probably not. Most likely your home charger uses AC charging and a different communication standard (IEC 61851), so won’t be affected. This might change in the future though, with home chargers getting ISO 15118 support.

Can Brokenwire also break my car?

We’ve never seen any evidence of long-term damage caused by the Brokenwire attack. Based on our development work, we also have good reason to expect there isn’t any.

Tags: Brokenwire attack


Apr 01 2022

List of data breaches and cyber attacks in March 2022 – 3.99 million records breached

Category: Cyber Attack, Data Breach, Security Breach | DISC @ 8:42 am

In March, we discovered 88 publicly disclosed cyber security incidents, accounting for 3,987,593 breached records.

That brings the total number of breached records in the first quarter of 2022 to 75,099,482. We’ll be providing more stats from Q1 2022 in our quarterly review of cyber security incidents, which will be published on our website in the coming days.

Be sure to check our blog to find that article, or subscribe to our Weekly Round-up to make sure you get the latest content delivered straight to your inbox.

Meanwhile, you can find the full list of cyber attacks and data breaches for March 2022 below.

List of data breaches and cyber attacks in March 2022 – 3.99 million records breached

Luke Irwin  31st March 2022


Big Breaches: Cybersecurity Lessons for Everyone

Tags: cyber attacks in March 2022


Apr 01 2022

Flaws in Wyze cam devices allow their complete takeover

Category: Remote code | DISC @ 8:32 am

Wyze Cam devices are affected by three security vulnerabilities that can allow attackers to take over them and access camera feeds.

Bitdefender researchers discovered three security vulnerabilities in the popular Wyze Cam devices that can be exploited by threat actors to execute arbitrary code and access camera feeds.

The three flaws reported by the cybersecurity firm are:

  • An authentication bypass, tracked as CVE-2019-9564
  • A stack-based buffer overflow, tracked as CVE-2019-12266, which could lead to remote control execution
  • Unauthenticated access to the contents of the SD card

A remote attacker could exploit the CVE-2019-9564 flaw to take over the device, including turning on/off the camera.

An attacker could chain the above issue with the CVE-2019-12266 flaw to access live audio and video feeds.

The flaws were reported to Wyze in May 2019; the company addressed CVE-2019-9564 and CVE-2019-12266 in September 2019 and November 2020, respectively.

The vendor addressed the unauthenticated access to the content of the SD card with the release of firmware updates on January 29, 2022.

According to the experts, there are three versions of Wyze Cam devices on the market; the first one has been discontinued and will not receive security updates to address the flaws.

“The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes,” reads the report published by the security firm. “Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited.”

(Image: Wyze Cam version 2. Source: Punto Informatico website)

Bitdefender also provided the following recommendations to prevent attacks against IoT devices:

“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” reads the post. “This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”

Tags: Wyze cam


Mar 31 2022

Every Day Should be World Backup Day

Category: BCP, Security Awareness | DISC @ 1:09 pm

Modern Data Protection: Ensuring Recoverability of All Modern Workloads

Tags: Backup Day, data archive, data protection, data storage


Mar 31 2022

How to read a SOC 2 Report

https://fractionalciso.com/how-to-read-a-soc-2-report/

The following conversation about reviewing a SOC 2 report is one to avoid. 

Potential Customer: “Hi Vendor Co., do you have a SOC 2?”

Vendor Co. Sales Rep: “Yes!”

Potential Customer: “Great! We can’t wait to start using your service.” 

The output of a SOC 2 audit isn’t just a stamp of approval (or disapproval). Even companies that have amazing cybersecurity and compliance programs have a full SOC 2 report written about them by their auditor that details their cybersecurity program. SOC 2 reports facilitate vendor management by creating one deliverable that can be given to customers (and potential customers) to review and incorporate into their own vendor management programs.

Vendor security management is an important part of a company’s cybersecurity program. Most mature organizations’ process of vendor selection includes a vendor security review – a key part of which includes the review of a SOC 2 report.

SOC 2 reports can vary greatly in length but even the most basic SOC 2 report is dense with information that can be difficult to digest, especially if you aren’t used to reading them. This article will teach you how to read a SOC 2 report by providing a breakdown of the report’s content, with emphasis on how to pull out the important parts to look at from a vendor security review perspective.

Please note that you should not use this as a guide to hunt and peck your way through a SOC 2 report. It is important to read through the entire report to gain a full understanding of the system itself. However, this should help draw attention to the particular points of interest you should be looking out for when reading a report. 

Many different auditing firms perform SOC 2 audits; some reports may look a little different from others, but the overall content is generally the same.

How to read a SOC 2 report: the Cover Page

Even the cover page of a SOC 2 report has a lot of useful information. It will have the type of SOC 2 report, date(s) covered, the relevant trust services criteria (TSC) categories, and the auditing firm that conducted the audit. 

What Type of SOC 2 Report?

There are two types of SOC 2 reports that can be issued: A SOC 2 Type I and a SOC 2 Type II. The type of report will be denoted on the cover page. The key difference is the timeframe of the report:

A SOC 2 Type I is an attestation that the company complied with the SOC 2 criteria at a specific point in time. 

A SOC 2 Type II is an attestation that the company complied with the SOC 2 criteria over a period of time, most commonly a 6 or 12 month period. 

SOC 2 Type II reports are more valuable because they demonstrate a long-term commitment to a security program – and any issues over the time frame will be revealed. It’s possible for a company to get a SOC 2 Type I report then fail to adhere to their controls. 

Key takeaway: If a company only has a SOC 2 Type I, ask if and when they are working on achieving a SOC 2 Type II. If they say they are not getting a Type II, this is indicative of a lower commitment to security. 

Trust Services Criteria

Cybersecurity for Executives in the Age of Cloud 

Tags: SOC 2 report, SOC2


Mar 31 2022

Mysterious disclosure of a zero-day RCE flaw Spring4Shell in Spring

Category: Zero day | DISC @ 8:20 am

An unauthenticated zero-day RCE vulnerability in the Spring Core Java framework called ‘Spring4Shell’ has been publicly disclosed.

Researchers disclosed a zero-day vulnerability in the Spring Core Java framework, dubbed ‘Spring4Shell.’ An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io, a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit and then deleted their account (helloexp).

“The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks.” reported the analysis published by Rapid7. “The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly deleted.”

The flaw has yet to be patched and impacts Spring Core on Java Development Kit (JDK) versions 9 and later. The vulnerability is a bypass for another, previously known vulnerability.

https://twitter.com/th3_protoCOL/status/1509201539461619715

Rapid7 researchers pointed out that the vulnerability (and proof of concept) could be triggered only when a specific functionality is used. The exploit code released by the Chinese researchers is not related to a “completely different” unauthenticated RCE flaw that was published on March 29, 2022 for Spring Cloud.

“Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation.” continues Rapid7.

The analysis of the flaw suggests that its impact may not be as severe as that of other recent issues, such as Log4j.

“Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,” reads the analysis published by cybersecurity firm Praetorian.
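To make the prerequisite in the Praetorian quote concrete (and the CISA/Spring4Shell item earlier on this page), here is an added example, not code from either post or from Rapid7/Praetorian: a minimal Spring MVC form endpoint whose @ModelAttribute parameter turns on WebDataBinder binding, followed by the global @InitBinder denylist that Spring published as the interim workaround for deployments that cannot upgrade immediately. The package, class and bean names are assumptions.

```java
// Added example; package, class and bean names are assumed. Needs spring-webmvc on the classpath.
package example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

/** Form-backing bean. Spring's DataBinder sets these properties from request parameters. */
class Greeting {
    private String name;
    private String content;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getContent() { return content; }
    public void setContent(String content) { this.content = content; }
}

/**
 * The kind of endpoint the Praetorian quote describes: @ModelAttribute makes Spring bind
 * request data into Greeting through a WebDataBinder. On a vulnerable Spring version running
 * on JDK 9 or later, that binder is the prerequisite the reported attack depends on; the
 * servlet container and deployment form (see the quote) decide whether it is reachable.
 */
@Controller
class GreetingController {

    @PostMapping("/greeting")
    public String submit(@ModelAttribute Greeting greeting) {
        // Normal handling of the bound object goes here.
        return "result";
    }
}

/**
 * Interim workaround Spring published for this issue: a global @InitBinder that refuses any
 * property path that goes through "class"/"Class" (a Java bean exposes getClass() like any
 * other property). Upgrading to a fixed Spring release is the real remediation.
 *
 * Caveat: a controller with its own @InitBinder that calls setDisallowedFields(...) overrides
 * this global list for that controller, so repeat the denylist there as well.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Both capitalisations and nested paths (e.g. "foo.class.*") are covered.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```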

Security researchers who tested the Spring4Shell exploit confirmed that it works. CERT/CC vulnerability analyst Will Dormann confirmed that the PoC exploit code works against the stock ‘Handling Form Submission’ sample code.

Security experts report that Spring4Shell is already being exploited in attacks.

Tags: RCE flaw, Spring4Shell


Mar 30 2022

What Proxies Are For

Category: Proxy | DISC @ 3:29 pm

When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand among those who want to visit American-only stores and other sites. Here we break it down a bit to show how a proxy can do you good and how to choose a proxy service for your comfort and safety.

Web Application Proxy and Active Directory Federation Services on AWS 

Tags: proxies


Mar 30 2022

CISA and DoE warn of attacks targeting UPS devices

Category: Cyber Attack | DISC @ 8:30 am

The US CISA and the Department of Energy issued guidance on mitigating attacks against uninterruptible power supply (UPS) devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy published joint guidance on mitigating cyber attacks against uninterruptible power supply (UPS) devices.

The US agencies warn of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices by exploiting default credentials.

UPS devices provide clean and emergency power in a variety of applications when normal input power sources are interrupted for various reasons.

The guidance recommends that organizations immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet. In cases where a UPS device must be reachable online, organizations are advised to implement the following controls:

  • Ensure the devices are accessible through a virtual private network.
  • Enforce multifactor authentication.
  • Use strong passwords or passphrases in accordance with National Institute of Standards and Technology guidelines (for a humorous explanation of password strength, see XKCD 936)

CISA also recommends checking whether any of the organization’s UPS devices still use the factory default credentials.
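The controls above can be turned into a repeatable inventory audit. The following is an added example and not part of the CISA/DoE guidance or this post; the device records, the stand-in default-credential list and the common-password list are all constructed for illustration, and a real audit would take the default credentials from each vendor’s documentation. The passphrase check follows the NIST SP 800-63B approach the guidance points to: length as the primary factor, plus rejection of known-default and commonly used passwords rather than composition rules.

```python
"""Audit a UPS management-interface inventory against the CISA/DoE controls.

Added example (not the guidance's or the post's code). Inventory records and
credential lists below are constructed; replace them with real data.
"""
from dataclasses import dataclass

# Constructed stand-in for vendor factory defaults (username, password).
KNOWN_DEFAULT_CREDENTIALS = {
    ("apc", "apc"), ("admin", "admin"), ("admin", "password"), ("admin", ""),
}

# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "ups2022"}

# NIST SP 800-63B: at least 8 characters for user-chosen secrets,
# no forced composition rules, but screen against known-bad lists.
MIN_PASSPHRASE_LEN = 8


@dataclass
class UpsDevice:
    name: str
    mgmt_ip: str
    internet_reachable: bool  # management interface directly exposed
    remote_access: bool       # business requires access from outside the LAN
    vpn_only: bool            # remote access only through the VPN
    mfa_enabled: bool
    username: str
    password: str


def password_findings(username, password):
    """Check a management credential against default and weak-password rules."""
    findings = []
    if (username.lower(), password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("factory default credentials")
    if len(password) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("passphrase appears in common-password list")
    return findings


def audit_ups(dev):
    """Return the list of guidance violations for one device (empty if clean)."""
    findings = []
    if dev.internet_reachable:
        findings.append("management interface directly reachable from the internet")
    if dev.remote_access and not dev.vpn_only:
        findings.append("remote access not restricted to VPN")
    if dev.remote_access and not dev.mfa_enabled:
        findings.append("multifactor authentication not enforced")
    findings.extend(password_findings(dev.username, dev.password))
    return findings


def audit_inventory(devices):
    """Map device name -> findings for a whole inventory."""
    return {dev.name: audit_ups(dev) for dev in devices}


# Constructed sample inventory (RFC 5737 / private addresses).
SAMPLE_INVENTORY = [
    UpsDevice("ups-dc1", "10.0.5.20", False, False, True, True,
              "ops-admin", "correct-horse-battery-staple"),
    UpsDevice("ups-branch-7", "203.0.113.44", True, True, False, False,
              "apc", "apc"),
    UpsDevice("ups-colo-2", "10.8.1.9", False, True, True, False,
              "admin", "Winter2022!"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run it as-is to see the three constructed devices scored; in practice the inventory would come from the asset register and the exposure flag from an external scan of the organization’s own address space.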


Additional information, including incident response best practices, is included in the “Mitigating Attacks Against Uninterruptible Power Supply Devices” guidance.

The Cyber Security Handbook: Prepare for, Respond to and Recover from Cyber Attacks with the It Governance Cyber Resilience Framework (CRF) 

Tags: CISA, DoE, UPS devices


Mar 29 2022

Active Directory Privilege Escalation

Category: Privilege EscalationDISC @ 2:38 pm

Privilege Escalation Techniques: Learn the art of exploiting Windows and Linux systems

Tags: Active Directory


Mar 29 2022

Compromised WordPress sites launch DDoS on Ukrainian websites

Category: DDoS,Web SecurityDISC @ 8:44 am

Threat actors compromised WordPress sites to deploy a script that launches DDoS attacks against Ukrainian websites whenever the compromised pages are visited.

MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site. When users visited the website, the script launched a DDoS attack against ten Ukrainian sites.

The JavaScript was designed to perform thousands of HTTP GET requests against the targeted sites.

The only visible sign of the ongoing attack is degraded browser performance.

According to BleepingComputer, which first reported the discovery, DDoS attacks targeted pro-Ukrainian sites and Ukrainian government agencies, including think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.

Below is the list of targeted websites:

https://stop-russian-desinformation.near.page
https://gfsis.org/
http://93.79.82.132/
http://195.66.140.252/
https://kordon.io/
https://war.ukraine.ua/
https://www.fightforua.org/
https://bank.gov.ua/
https://liqpay.ua
https://edmo.eu

The script randomizes each request so that it cannot be answered from a caching service and must reach the origin server.


BleepingComputer also found that the same script is being used by a pro-Ukrainian site to launch attacks against Russian websites.

“When visiting the site, users’ browsers are used to conduct DDoS attacks on 67 Russian websites.” states BleepingComputer.
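From the defender’s side, the traffic described above has a recognisable shape in the origin server’s access logs: a burst of GET requests per visiting browser, each with a different query string so no cache can answer it. The script below is an added example, not code from the post or from BleepingComputer, that flags that pattern in combined-format access logs; the log lines are constructed, and the thresholds (10-second window, 5 requests, 90% unique queries) are assumptions to tune against real traffic.

```python
"""Flag cache-busting GET floods in web server access logs.

Added example (not from the post). Parses combined-log-format lines and reports
clients whose GETs within a short window are almost all unique query strings,
the signature of a browser-driven flood that bypasses caching. Sample log
lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# client - - [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["query"] = urlsplit(rec["target"]).query
    return rec


def detect_cache_busting_floods(lines, window=timedelta(seconds=10),
                                min_requests=5, min_unique_ratio=0.9):
    """Return {client_ip: finding} for clients that, inside any `window`,
    sent at least `min_requests` GETs with a query string, of which at
    least `min_unique_ratio` were distinct."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it fits
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) < min_requests:
                continue
            queries = [r["query"] for r in chunk]
            if not all(queries):          # ordinary browsing has empty queries
                continue
            unique_ratio = len(set(queries)) / len(queries)
            if unique_ratio < min_unique_ratio:
                continue
            prev = findings.get(ip)
            if prev is None or len(chunk) > prev["requests"]:
                findings[ip] = {
                    "requests": len(chunk),
                    "unique_query_ratio": round(unique_ratio, 2),
                    "referers": sorted({r["referer"] for r in chunk}),
                }
    return findings


# Constructed sample: one flooding visitor and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.10 - - [29/Mar/2022:10:00:00 +0000] "GET /?v=1k9x3 HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"',
    '203.0.113.10 - - [29/Mar/2022:10:00:01 +0000] "GET /?v=p0q7z HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [29/Mar/2022:10:00:02 +0000] "GET /?v=a8m2c HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Mar/2022:10:00:02 +0000] "GET /about HTTP/1.1" 200 512 "https://www.example.gov/" "Mozilla/5.0"',
    '203.0.113.10 - - [29/Mar/2022:10:00:03 +0000] "GET /?v=ww41r HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"',
    '203.0.113.10 - - [29/Mar/2022:10:00:04 +0000] "GET /?v=6hx0b HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"',
    '203.0.113.10 - - [29/Mar/2022:10:00:05 +0000] "GET /?v=n3e9t HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"',
    'this line is not an access log entry and is skipped',
]

if __name__ == "__main__":
    for ip, finding in detect_cache_busting_floods(SAMPLE_LOG).items():
        print(ip, finding)
```

The referer set is kept in each finding because, for this kind of campaign, it points at the compromised site hosting the script, which is what a site owner would want to report or block at the edge; the IPs themselves belong to ordinary visitors and are poor long-term block candidates.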

Tags: Ukrainian websites


Mar 28 2022

Shopping trap: The online stores’ scam that hits users worldwide

Category: Cyber crime,Cyber ThreatsDISC @ 8:45 am

Shopping trap: Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world

Malicious schemes linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target and trick users all over the world. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico and Colombia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected.

Figure 1: Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are hosted on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).

As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than 1k malicious entries is provided at the end of the article.

The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.

A new campaign typically starts with the authors placing the malicious domain at the top of Google search results through paid ads (Google Ads), as shown above for the Lefties clothing store clone disseminated in Portugal in 2022. After a few days, users are hit as the malicious URL appears at the top of searches. In specific cases, social ads were also found on the Instagram and Facebook platforms.

The content of the malicious websites, clones of the official stores, is based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts related to the static CMS can be found in a GitHub repository belonging to the criminals. In detail, the criminals put some effort into developing a generic platform that could serve a large-scale operation, where small tweaks to images and templates allow the same code to be reused for different online stores. All the observed stores therefore use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:

  • Name (first and last)
  • Complete address (street, zip-code, city, and country)
  • Mobile phone
  • Email
  • Password
  • Credit card information (number, date, and CVV); and
  • Details about the order and tracking code of the package.

As usual, this Personally Identifiable Information (PII) can be used later by criminals to mount other kinds of campaigns. To help prevent this type of scenario, we provide a tool that allows you to check whether victims’ information is now in the wrong hands.

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: Online scams, Scam Me If You Can


Mar 27 2022

Morgan Stanley Client Accounts Breached in Social Engineering Attacks

Category: Information SecurityDISC @ 12:28 pm

The F&G Group | New York, NY | Miami, FL | Morgan Stanley Private Wealth  Management


Mar 26 2022

FCC adds Kaspersky to Covered List due to unacceptable risks to national security

Category: Antivirus,Information Security,Information WarfareDISC @ 9:53 pm

The Federal Communications Commission (FCC) added Kaspersky to its Covered List because it poses unacceptable risks to U.S. national security.

The Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List saying that they pose unacceptable risks to U.S. national security.

“The Federal Communications Commission’s Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019.” reads the FCC’s press release.

The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or to the security and safety of United States persons.

The US commission also added Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list. Below is the list of Covered Equipment or Services added on March 25, 2022:

  • Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.
  • International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934.
  • Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934.

The FCC banned security solutions and services supplied by Kaspersky or any affiliated company.

“The FCC’s decision to add these three entities to our Covered List is welcome news. The FCC plays a critical role in securing our nation’s communications networks, and keeping our Covered List up to date is an important tool we have at our disposal to do just that. In particular, I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.” said FCC Commissioner Brendan Carr. “I applaud Chairwoman Rosenworcel for working closely with our partners in the Executive Branch on these updates. As we continue our work to secure America’s communications networks, I am confident that we will have more entities to add to our Covered List.”

In mid-March, the German Federal Office for Information Security, aka BSI, recommended that consumers uninstall Kaspersky anti-virus software. The agency warned that the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine.

Under §7 of the BSI Act, the BSI warns against the use of Kaspersky Antivirus and recommends replacing it as soon as possible with defense solutions from other vendors.

Tags: FCC, kaspersky, National security

