InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager
North Korea-linked threat actors are behind some of the largest cyberattacks against cryptocurrency exchanges.
North Korea-linked APT groups are suspected to be behind some of the largest cyberattacks against cryptocurrency exchanges. According to South Korean media outlet Chosun, North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
According to local media, US federal prosecutors believe that North Korea’s government considers cryptocurrency a long-term investment and it is amassing crypto funds through illegal activities.
In a classified report cited by Chosun, the US National Intelligence Service (DNI) found that North Korea was financing its ‘priority policies’, such as nuclear and missile development, through cybercrime. Government experts noticed that nation-state actors are not immediately cashing out all the stolen crypto to create a crypto fund reserve.
“Citing the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the media reported that all banks in the world are being targeted by North Korea’s cyberattacks. It also reported that North Korea is committing cybercriminals such as stealing defense secrets from major powers, using ransomware to steal funds, hijacking cryptocurrencies, and “laundering” criminal proceeds into cryptocurrencies.” reads a post published by Chosun.
“Then, citing the results of investigations by the United States and the UN Security Council, it was estimated that the Kim Jong-un regime’s fraudulent profits from cyber crimes have already reached $2.3 billion (about 2.7 trillion won).”
The report states that North Korea-linked attacks employed the AppleJeus malware to steal cryptocurrency. According to Bloomberg, multiple versions of AppleJeus have been used in attacks against entities in 30 countries since 2018, and according to a UN and US investigation, between 2019 and November 2020 North Korean hackers stole $316.4 million (about 380 billion won) in cryptocurrency through this malware.
According to Chosun, North Korea’s dependence on cybercrime will increase due to international sanctions that limit the amount of money that North Korea can earn from coal exports to $400 million (about 480 billion won) per year.
The Infinite Machine: How an Army of Crypto-hackers Is Building the Next Internet with Ethereum
Researcher Sylvain Pelissier has discovered that the DataVault encryption software made by ENC Security and used by multiple vendors is affected by a couple of key derivation function issues. An attacker can exploit the flaws to obtain user passwords.
This week Pelissier detailed the vulnerabilities at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference.
DataVault is encryption software designed to protect user data; according to the vendor, it provides comprehensive military-grade data protection and security features across multiple systems.
Multiple vendors, including WD, Sony and Lexar use the DataVault software.
Pelissier discovered the issues through the reverse engineering of the software.
“It turned out that the key derivation function was PBKDF2 using 1000 iterations of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory trade-off attack techniques such as rainbow tables and to re-use the tables to retrieve passwords for all users using the software. The implementation itself was incorrect and even with a randomly generated unique salt, it would be effortless to recover the password of a user. Other flaws of the key derivation function will be discussed and compared with nowadays good practices.” reads the presentation of the speech published on the rC3 website.
“The data encryption method was also found to be malleable, allowing malicious modifications of files in a vault without any detection. No data integrity mechanism was set up.”
The vulnerabilities have been tracked as CVE-2021-36750 and CVE-2021-36751.
“DataVault and its derivatives were using a one-way cryptographic hash with a predictable salt making it vulnerable to dictionary attacks by a malicious user. The software also made use of a password hash with insufficient computational effort that would allow an attacker to brute force user passwords leading to unauthorized access to user data.” reads the security advisory published by ENC. “Both the key derivation function issues described above have been resolved in the updated version DataVault 7.2.”
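The two weaknesses above, a constant salt with a cheap MD5-based KDF and a malleable format with no integrity check, can be contrasted with the corrected properties in a few lines. The example below is added here and is not DataVault's or ENC's code; the constant salt bytes, the SHA-256/600,000-iteration parameters and the HMAC-SHA256 tag are this example's own choices, and the "ciphertext" is an opaque constructed byte string since the encryption step itself is not shown.

```python
import hashlib
import hmac
import os

# Parameters described in the talk: PBKDF2 with 1000 iterations of MD5 and a
# salt that is hardcoded and identical across vaults and vendors. The salt
# bytes here are a constructed placeholder, not the real hardcoded value.
LEGACY_ITERATIONS = 1000
LEGACY_SALT = b"constructed-constant-salt"

# Parameters chosen here as an example of current practice (assumption: PBKDF2
# with HMAC-SHA256, 600,000 iterations, a 16-byte random per-vault salt, and
# a separate key for integrity protection).
MODERN_ITERATIONS = 600_000
SALT_LEN = 16


def legacy_derive_key(password: str) -> bytes:
    """Derivation as described for the vulnerable versions (MD5, constant salt)."""
    return hashlib.pbkdf2_hmac("md5", password.encode(), LEGACY_SALT,
                               LEGACY_ITERATIONS, dklen=16)


def modern_derive_keys(password: str, salt: bytes) -> tuple:
    """Derive an encryption key and an integrity key from a per-vault salt.
    The salt is stored next to the vault in the clear; it only needs to be
    unique, not secret, to defeat precomputed tables."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   MODERN_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def precomputation_reusable(password: str) -> tuple:
    """Return (legacy_reusable, modern_reusable): whether two vaults protected
    by the same password share a key, which is what lets one rainbow table
    recover passwords for every user of the software."""
    legacy = legacy_derive_key(password) == legacy_derive_key(password)
    k1, _ = modern_derive_keys(password, os.urandom(SALT_LEN))
    k2, _ = modern_derive_keys(password, os.urandom(SALT_LEN))
    return legacy, k1 == k2


def seal(ciphertext: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag over the ciphertext so any
    modification of vault contents is detected before decryption."""
    return ciphertext + hmac.new(mac_key, ciphertext, "sha256").digest()


def open_sealed(blob: bytes, mac_key: bytes) -> bytes:
    """Return the ciphertext if the tag verifies, else raise ValueError."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault contents modified or wrong key")
    return ciphertext


def tamper_detected(blob: bytes, mac_key: bytes) -> bool:
    """Flip one bit of the sealed blob and report whether verification fails,
    which is the property the malleable DataVault format lacked."""
    modified = bytearray(blob)
    modified[0] ^= 0x01
    try:
        open_sealed(bytes(modified), mac_key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: an opaque byte string stands in for an encrypted
    # vault entry, since the cipher itself is out of scope here.
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = modern_derive_keys("correct horse battery", salt)
    sealed = seal(b"constructed-ciphertext-bytes", mac_key)
    print("key shared across vaults (legacy, modern):", precomputation_reusable("hunter2"))
    print("tampering detected:", tamper_detected(sealed, mac_key))
```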
Researchers devised a series of attacks against SSDs that could allow attackers to implant malware in a location that is not monitored by security solutions.
Korean researchers devised a series of attacks against solid-state drives (SSDs) that could allow attackers to implant malware in specific memory locations, bypassing security solutions.
The attacks work against drives with flex capacity features and allow attackers to implant malicious code in a hidden area of SSDs called over-provisioning (OP). This memory area is used for performance optimization on NAND flash-based storage systems.
“The Micron Flex Capacity feature is designed to unleash the true capabilities of storage media by giving IT administrators the ability to tune their SSDs to meet specific workload characteristics such as performance, capacity and endurance.”
The operating system and any applications running on it have no visibility into the over-provisioning area, which means that security software cannot inspect its content for malicious code.
Many storage devices can vary the size of the OP area in real time to optimize performance, since a larger OP area generally delivers better performance; the OP area can be set up to a maximum of, for example, 50%. Varying the OP area, which can be changed by the user or by the firmware manager, creates an invalidated data region. A threat actor can therefore use the firmware manager to reduce the size of the OP area and generate an invalid data area, which could lead to an information-disclosure attack.
“Assuming that the hacker can access the management table of the storage device, the hacker can access this invalid data area without any restrictions.” reads the research paper. “Without the need for special forensic equipment, as a computer user, a hacker can access these invalid data areas of the NAND flash memory. Depending on what sensitive information is stored in the invalid data area, computer users can feel more or less alarmed by this.”
A Firewall controls the incoming and outgoing traffic between your computer and the internet.
Who should use a Firewall, and for what?
Those wanting to prevent unauthorized remote access.
Those looking to block immoral content (such as adult sites).
Online gamers – at high risk of being hacked in online games.
Business owners and those working from home – at high risk of being hacked.
Anyone not wanting to risk their data and privacy.
Why is a Firewall important?
A Firewall is important for several reasons:
Promotes privacy: A Firewall blocks or alerts the user about all unauthorized inbound or outbound connection attempts. It allows the user to control which programs can access the local network and the internet.
Stops viruses and spyware.
Prevents hacking: A Firewall blocks and prevents hacking attempts and attacks.
Monitors network traffic and applications: It regulates all incoming and outgoing internet connections as well as applications that are listening for incoming connections. Moreover, it tracks recent events and intrusion attempts so you can see who has tried to access your computer.
What’s the difference between a personal and business-grade Firewall?
• A personal Firewall usually only protects the computer on which it is installed, whereas a business-grade Firewall is normally installed on a designated interface between two or more networks (allowing a greater number of computers to be protected).
• Personal Firewalls allow a security policy to be defined for individual computers, while a business-grade Firewall controls the policy between the networks that it connects.
• Personal Firewalls are useful in protecting computers that are moved through different networks (as the protection is per computer rather than per network). They can be used at public hotspots, allowing the user to decide the level of trust and to reconfigure the settings to limit traffic to and from the computer.
• Unlike business-grade Firewalls, many personal firewalls have the ability to control network traffic for programs on the secured computer. For instance, when an application needs to establish an outbound connection, the personal Firewall will scan it for safety, block it if it is blacklisted, or ask for permission to blacklist it if it is not known.
• Personal Firewalls may also help block intruders by allowing the software to block connectivity where it suspects an intrusion is being attempted.
The AvosLocker ransomware operation provided a free decryptor after they encrypted the systems of a US government agency.
“AvosLocker RaaS operators trying to avoid heat after hitting a US government entity by providing them the decryptor for free.”
According to BleepingComputer, the gang hit a police department but fearing the reaction of US law enforcement opted to release a free decryptor to the government entity.
The incident appears to have been accidental: one of the affiliates of the RaaS operation hit the government agency, and AvosLocker discovered the name of the victim only after their malware had encrypted its systems.
Recently, major ransomware operations were targeted by international law enforcement operations. In recent months, police identified and arrested members and affiliates of several gangs, including the REvil, Egregor, and Clop ransomware gangs.
Despite the success of the police operations, ransomware gangs continue to target organizations worldwide; in 2021 several groups rebranded as new operations to evade sanctions.
BleepingComputer, which reached out to the AvosLocker gang, said that its operators are “not worried about law enforcement as they have no jurisdiction in the motherland.”
This is another problem: the fight against ransomware gangs needs the collaboration of law enforcement agencies in every country, especially Russia, where many ransomware groups originate.
The Apache Software Foundation released Log4j 2.17.1 version to address a recently discovered arbitrary code execution flaw, tracked as CVE-2021-44832, affecting Log4j 2.17.0.
CVE-2021-44832 is the fifth vulnerability discovered in the popular library in recent weeks. Like the previous issues affecting the library, this one could be exploited by threat actors to execute malicious code on affected systems.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.” reads the advisory.
The flaw received a CVSS score of 6.6 and impacts all Log4j versions from 2.0-alpha7 to 2.17.0. Versions 2.3.2 and 2.12.4 are not impacted.
The vulnerability was discovered by Checkmarx security researcher Yaniv Nizry who reported it to Apache on December 27.
Nizry also published details of the CVE-2021-44832 flaw in a blog post, in which he speculates that exploiting this issue is more complex than exploiting CVE-2021-44228.
“This vulnerability doesn’t use the disabled lookup feature. The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration,” states Nizry. “Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file.”
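Because the fix in 2.17.1 consists of limiting JDBC appender data source names to the java: protocol, the same rule can be applied as a review check over existing configuration files while upgrades are rolled out. The following scanner is added here and is not Apache's code; it handles only the XML form of log4j2 configuration, and the sample configuration (including the non-java JNDI name ending in .invalid) is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not from the advisory) with two JDBC
# appenders: one whose data source uses the java: protocol that 2.17.1
# restricts JNDI names to, and one pointing at a non-java URI scheme.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
    <JDBC name="AppDb" tableName="APPLICATION_LOG">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
    </JDBC>
    <Appender type="JDBC" name="SuspectDb" tableName="APPLICATION_LOG">
      <DataSource jndiName="ldap://jndi.example.invalid/o=constructed"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="AppDb"/>
      <AppenderRef ref="SuspectDb"/>
    </Root>
  </Loggers>
</Configuration>
"""

ALLOWED_PREFIX = "java:"


def _is_jdbc_appender(elem) -> bool:
    """Log4j accepts either the <JDBC> shorthand or <Appender type="JDBC">,
    and matches element names case-insensitively."""
    tag = elem.tag.lower()
    return tag == "jdbc" or (tag == "appender"
                             and elem.get("type", "").lower() == "jdbc")


def find_jndi_data_sources(config_xml: str) -> list:
    """Return (appender name, jndiName) for every DataSource under a JDBC appender."""
    root = ET.fromstring(config_xml)
    found = []
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        for child in appender.iter():
            if child.tag.lower() == "datasource":
                found.append((appender.get("name"), child.get("jndiName", "")))
    return found


def flag_non_java_jndi(config_xml: str) -> list:
    """Names of JDBC appenders whose DataSource jndiName does not use the
    java: protocol. The fixed releases reject these; on older builds they
    deserve review, since whoever controls the config controls which JNDI
    provider is contacted."""
    return [name for name, jndi in find_jndi_data_sources(config_xml)
            if not jndi.strip().lower().startswith(ALLOWED_PREFIX)]


if __name__ == "__main__":
    for name, jndi in find_jndi_data_sources(SAMPLE_CONFIG):
        print(f"{name}: {jndi}")
    print("needs review:", flag_non_java_jndi(SAMPLE_CONFIG))
```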
Now that the festive frenzies have almost finished and you still have a few quiet days to spend at home, this is a great time to invest in your education. Enhance your knowledge of ISO 27001 with our wide range of books. Available in a variety of formats, including audiobook, softcover, Kindle and ePub, they cover everything you need to know about ISO 27001 and how to implement it. You can also focus on gaining an ISO 27001 qualification and top up your CPD/CPE points with our self-paced training courses. Until January 3, you can get 10% off self-paced training courses by using the promo code XMASTRAIN at checkout*.
ISO 27001 controls – A guide to implementing and auditing
Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organizations to ISO 27001. Buy now
Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition
Get to grips with the requirements of the ISO 27001 Standard and discover how to make your ISO 27001 implementation project a success with this must-have guide from international ISO 27001 expert Alan Calder. The ideal resource for anyone tackling ISO 27001 implementation for the first time, it details the key steps of an ISO 27001 project from inception to certification and explains each element of the ISO 27001 project in simple, non-technical language. Buy now
Information Security Risk Management for ISO 27001/ISO 27002
Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework and deliver real, bottom-line business benefits. Buy now
These findings come from a new research report by Positive Technologies, which analyzed the results of the company’s penetration testing projects carried out in the second half of 2020 and the first half of 2021.
The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.
During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.
“In 20% of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information pose the greatest danger,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.
“In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.
Despite the fact that financial organizations are considered to be among the most protected companies, as part of the verification of unacceptable events in each of the banks we tested, our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds.
An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to our research, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main way criminals can penetrate a corporate network (71% of companies), primarily because of simple passwords used, including for accounts used for system administration.
Microservices Security in Action: Design secure network and API endpoint security for Microservices applications
A security expert from Morphus Labs recently observed several malicious campaigns abusing the Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.
MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of the .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software, which attackers abuse to deliver malware using callbacks.
Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho revealed that he had uncovered two different malicious campaigns that were abusing MSBuild for code execution.
The malicious MSBuild project employed in the attacks was designed to compile and execute specific C# code that in turn decodes and executes a Cobalt Strike payload.
“Now, let’s look at the malicious MSBuild project file in Figure 3. Using the same principle, when called by MSBuild, it will compile and execute the custom C#, decode and execute the Cobalt Strike beacon on the victim’s machine.” wrote Marinho.
In the attack scenario described by the researcher, the attackers initially gained access to the target environment using a valid remote desktop protocol (RDP) account, then leveraged remote Windows Services (SCM) for lateral movement, and MSBuild to execute the Cobalt Strike Beacon payload.
The Beacon was used to decrypt the communication with the C2 server, which was SSL encrypted.
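The property that makes this technique work, MSBuild compiling and running C# embedded in the project file itself, is also what a triage script can key on: a UsingTask backed by a code task factory whose inline Code element is wired to a Target. The checker below is added here and is not Morphus Labs' or ISC's code; both project files are constructed for the example, and the inline C# body is a placeholder comment rather than any real payload.

```python
import xml.etree.ElementTree as ET

# Constructed project files (not the samples from the ISC diary). The first
# mirrors the shape described in the post: a UsingTask with inline C# that
# MSBuild compiles and runs when the Build target executes.
INLINE_TASK_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunStage />
  </Target>
  <UsingTask TaskName="RunStage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[ /* constructed placeholder: inline C# class body goes here */ ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
"""

# An ordinary project with no inline tasks, for comparison.
PLAIN_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
  <Target Name="Build"><Csc Sources="@(Compile)" /></Target>
</Project>
"""

# Task factories that compile source embedded in the project file.
CODE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> list:
    """One record per UsingTask that embeds source code: task name, the
    factory that compiles it, the language and whether it is a whole class."""
    root = ET.fromstring(project_xml)
    hits = []
    for using in root.iter():
        if _local(using.tag) != "UsingTask":
            continue
        for code in using.iter():
            if _local(code.tag) == "Code":
                hits.append({
                    "task": using.get("TaskName", ""),
                    "factory": using.get("TaskFactory", ""),
                    "language": code.get("Language", "cs"),
                    "code_type": code.get("Type", "Fragment"),
                })
    return hits


def invoked_tasks(project_xml: str) -> set:
    """Task names that some <Target> actually calls, i.e. code that will run
    as soon as msbuild.exe processes the file."""
    root = ET.fromstring(project_xml)
    called = set()
    for target in root.iter():
        if _local(target.tag) == "Target":
            called.update(_local(child.tag) for child in target)
    return called


def is_suspicious(project_xml: str) -> bool:
    """Inline code compiled by a code task factory and wired to a target is
    the pattern worth triaging when msbuild.exe runs outside a build system."""
    called = invoked_tasks(project_xml)
    return any(hit["factory"].lower() in CODE_FACTORIES and hit["task"] in called
               for hit in find_inline_tasks(project_xml))


if __name__ == "__main__":
    for label, proj in (("inline", INLINE_TASK_PROJECT), ("plain", PLAIN_PROJECT)):
        print(label, find_inline_tasks(proj), "suspicious:", is_suspicious(proj))
```

Inline tasks are legitimate in real build pipelines, so the signal is strongest when combined with context such as msbuild.exe launched from a user profile directory or by a remote service session, as in the intrusion described above.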
The PCI DSS (Payment Card Industry Data Security Standard) is an information security framework designed to reduce payment card fraud by requiring organisations to implement technical and organisational defence measures.
We explain everything you need to know about the PCI DSS in this blog, including who it applies to, the benefits of compliance and what happens if you fail to meet its requirements.
Who needs PCI DSS compliance?
Any merchant or service provider that processes, transmits or stores cardholder data is subject to the PCI DSS.
Merchants are organisations that accept debit or credit card payments for goods or services.
Service providers are businesses that are directly involved in processing, storing or transmitting cardholder data on behalf of another entity.
Some organisations can be both a merchant and a service provider. For instance, an organisation that provides data processing services for other merchants will also be a merchant itself if it accepts card payments from them.
Benefits of PCI DSS compliance
The most obvious benefit of PCI DSS compliance is to reduce the risk of security incidents. When organisations implement its requirements, they shore up the most common weaknesses that attackers exploit.
According to the 2020 Trustwave Global Security Report, the majority of data breaches involving cardholder data were CNP (card-not-present) attacks. This indicates that e-commerce platforms are the most vulnerable, but this is only half the picture.
Data protection isn’t just about preventing cyber attacks; information can also be exposed by mistakes the organization makes. Such errors can also result in violations of the GDPR (General Data Protection Regulation) and other data protection laws.
PCI DSS compliance can help organisations prevent such regulatory errors and the consequences associated with them.
Is PCI DSS compliance mandatory?
The PCI DSS is a standard, not a law, and it is enforced through contracts between merchants, the acquiring banks that process payment card transactions and the payment brands.
Compliance is mandatory for all organisations that process, store or transmit cardholder data. Covered organisations that fail to meet its requirements could face strict penalties.
Notably, the Standard doesn’t simply levy a one-off fine for non-compliance. Instead, organisations can be penalised between $5,000 (about €4,300) and $100,000 (about €86,000) a month until they achieve compliance.
Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether.
How do I achieve PCI DSS compliance?
The PCI DSS contains 12 requirements that organisations must meet if they are to achieve compliance.
They are a combination of technical solutions, such as data encryption and network monitoring, and processes and policies that ensure employees manage sensitive data effectively.
Those processes include steps such as changing default passwords, restricting physical access to locations where cardholder data is stored and creating an information security policy.
How do you know if you are PCI compliant?
To demonstrate PCI DSS compliance, organisations must audit their CDE (cardholder data environment).
There are three types of audit:
An RoC (Report on Compliance), which must be completed by a PCI QSA (qualified security assessor) organization such as IT Governance, or by an ISA (internal security assessor).
An SAQ (self-assessment questionnaire) signed off by a company officer. There are nine types of SAQ and it is essential that you choose the correct one.
The type of audit you must conduct, and your exact PCI DSS compliance requirements, will vary depending on your merchant or service provider level. This information is based on the number of card transactions processed per year.
Level 1 merchants are those that process more than 6 million transactions per year, or those whose data has previously been compromised. They must complete the following each year:
RoC conducted by a QSA or ISA.
Quarterly scan by an ASV.
Level 2 merchants are those that process 1 million to 6 million transactions per year. They must complete the following each year:
RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
Quarterly scan by an ASV
Level 3 merchants are those that process 20,000 to 1 million transactions per year. They must complete the following each year:
SAQ signed by a company officer.
Quarterly scan by an ASV (dependent on SAQ completed).
Level 4 merchants are those that process fewer than 20,000 transactions per year. They must complete the following each year:
SAQ signed by a company officer.
Quarterly scan by an ASV (dependent on SAQ completed).
The audit requirements for service providers are more straightforward. Level 1 encompasses any organisation that processes and/or stores more than 300,000 transactions per year. They are required to have a RoC conducted by a QSA or ISA and have an ASV conduct quarterly scans.
Service providers that transmit and/or store fewer than 300,000 transactions per year must complete either a RoC conducted by a QSA or an ISA, or an SAQ D signed by a company officer. They must also have an ASV conduct quarterly scans.
Get started with the PCI DSS
As a QSA company, IT Governance provides services to support organisations at each stage of their PCI DSS compliance project. You can find the complete list of PCI DSS services and solutions on our website.
The toolkit contains everything you need to implement the Standard’s requirements, including template documents and a document checker to ensure you select and amend the appropriate records.
The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.
It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organization.
Researchers from Dr.Web monitored attacks leveraging exploits for vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-42550) in the Apache Log4j library, warning of the need to adopt protective measures.
The vulnerabilities can allow threat actors to execute arbitrary code on the target systems, trigger a Denial of Service condition, or disclose confidential information.
Dr.Web set up one of its honeypots to analyze the impact of the Log4j vulnerabilities on systems exposed online and observed intense activity between December 17th and 20th.
“We record attacks using exploits for the vulnerabilities on one of our honeypots–a special server used by Doctor Web specialists as bait for fraudsters. The most active threat occurred between December 17th-20th, but attacks still continue.” reads the analysis published by DrWeb.
Day            Number of attacks
December 10    7
December 11    20
December 12    25
December 13    15
December 14    32
December 15    21
December 16    24
December 17    47
December 18    51
December 19    33
December 20    32
December 21    14
December 22    35
December 23    36
The attacks were carried out from 72 different IP addresses, most of them German (21%), followed by Russia (19.4%), the USA and China (9.7%).
Security researchers spotted a campaign that is employing a new stealthy malware, tracked as BLISTER, that targets Windows systems.
Elastic Security researchers uncovered a malware campaign that leverages a new, stealthy loader tracked as BLISTER, which uses a valid code signing certificate issued by Sectigo to evade detection.
BLISTER loads second-stage payloads that are executed directly in the memory of the Windows system and maintain persistence. The malicious code has a low detection rate and implements multiple tricks to avoid detection.
“A valid code signing certificate is used to sign malware to help the attackers remain under the radar of the security community. We also discovered a novel malware loader used in the campaign, which we’ve named BLISTER. The majority of the malware samples observed have very low, or no, detections in VirusTotal.” reads the analysis published by Elastic Security. “The infection vector and goals of the attackers remain unknown at this time.”
The certificate used to sign the loader code was issued by Sectigo for a company called Blist LLC, which has an email address from a Russian provider Mail.Ru.
The loader is embedded into legitimate libraries, such as colorui.dll, to avoid raising suspicion; it can initially be written to disk by simple dropper executables.
Upon execution, BLISTER decodes bootstrapping code stored in the resource section with a simple 4-byte XOR routine. The malware authors heavily obfuscated the bootstrapping code that initially sleeps for 10 minutes before executing in an attempt to evade sandbox analysis.
Then the loader decrypts the embedded malware payload; the experts reported the use of Cobalt Strike and BitRAT as embedded payloads. The payload is loaded into the current process or injected into a newly spawned WerFault.exe process.
To achieve persistence, BLISTER copies itself to the C:\ProgramData folder and renames a local copy of rundll32.exe. Then it creates a link in the current user’s Startup folder to launch the malware at logon as a child of explorer.exe.
Elastic’s researchers shared Yara rules for this campaign along with indicators of compromise.
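The persistence and injection behaviour described above (a renamed rundll32.exe under C:\ProgramData, launched at logon as a child of explorer.exe, loading the trojanised DLL and spawning WerFault.exe) translates directly into process-creation telemetry checks. The detection logic below is added here and is not Elastic's code or rules; the events are constructed Sysmon-style records, and the field names (image, original_file_name from PE version info, parent_image, command_line) and all paths are this example's assumptions.

```python
import ntpath

PROGRAMDATA = r"c:\programdata"

# Constructed process-creation events (not Elastic's data). Event 1 and 2
# follow the BLISTER persistence chain; events 0 and 3 are ordinary activity.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "original_file_name": "RUNDLL32.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\ProgramData\Update\svchelper.exe",
     "original_file_name": "RUNDLL32.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\ProgramData\Update\svchelper.exe" C:\ProgramData\Update\colorui.dll,Start'},
    {"image": r"C:\Windows\System32\WerFault.exe",
     "original_file_name": "WerFault.exe",
     "parent_image": r"C:\ProgramData\Update\svchelper.exe",
     "command_line": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 612"},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "original_file_name": "app.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Vendor\app.exe"'},
]


def _in_programdata(path: str) -> bool:
    """True if a Windows path lies under C:\\ProgramData (case-insensitive)."""
    return ntpath.normpath(path.lower()).startswith(PROGRAMDATA + "\\")


def classify_event(ev: dict) -> list:
    """Return the BLISTER-style traits a single process-creation event shows."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    original = ev.get("original_file_name", "").lower()
    cmdline = ev.get("command_line", "").lower()
    tags = []
    # A copy of rundll32.exe living under ProgramData under another name.
    if (_in_programdata(image) and original == "rundll32.exe"
            and ntpath.basename(image) != "rundll32.exe"):
        tags.append("renamed_rundll32_in_programdata")
    # Startup-folder launch at logon: explorer.exe parenting a ProgramData binary.
    if _in_programdata(image) and ntpath.basename(parent) == "explorer.exe":
        tags.append("programdata_binary_started_by_explorer")
    # rundll32 (under any name) loading a DLL that sits in ProgramData.
    if original == "rundll32.exe" and ".dll" in cmdline and PROGRAMDATA in cmdline:
        tags.append("rundll32_loading_programdata_dll")
    # WerFault.exe spawned by a ProgramData process: the injection target.
    if ntpath.basename(image) == "werfault.exe" and _in_programdata(parent):
        tags.append("werfault_spawned_by_programdata_process")
    return tags


def find_blister_like(events: list) -> list:
    """(index, tags) for every event that matches at least one trait."""
    return [(i, tags) for i, ev in enumerate(events) if (tags := classify_event(ev))]


if __name__ == "__main__":
    for index, tags in find_blister_like(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"], tags)
```

Any single trait can occur in benign software, so correlate them per host and per parent process chain rather than alerting on one match alone.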
Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware