InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Our list of cybersecurity books has been curated to steer your professional growth in 2024. This selection aims to provide comprehensive information security insights and knowledge, ensuring you stay ahead in your career learning journey throughout the year.
Cyber for Builders provides an overview of the cybersecurity industry from entrepreneurial lenses, breaks down the role of various industry players, from investors to channel partners and acquirers, and offers insight into the trends shaping the future of security. Moreover, the book is packed with mental models, notes, and advice to help early-stage cybersecurity founders get their ideas off the ground and solve problems young companies face around problem discovery, hiring, building products, and fundraising.
Authors: Dr. Gerald Auger, Jaclyn “Jax” Scott, Jonathan Helmus, Kim Nguyen
This book is designed to help you confidently enter the world of cybersecurity, covering everything from gaining the right certification to tips and tools for finding your first job. The book starts by helping you gain a foundational understanding of cybersecurity, covering cyber law, cyber policy, and frameworks. Next, you’ll focus on choosing the career field best suited to you, from security operations to penetration testing and risk analysis. The book also guides you through the different certification options and the pros and cons of a formal college education versus formal certificate courses.
This book demystifies EDR, taking you on a deep dive into how EDRs detect adversary activity. The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system.
This book delivers an eye-opening exploration of the best―and worst―things the internet has given us. From instant connectivity between any two points on the globe to organized ransomware gangs, the net truly has been a mixed blessing. In this book, the author explores the transformative potential of the future of the internet, as well as those things that threaten its continued existence: government surveillance, censorship, organized crime, and more.
You’ll start by finding out what threat intelligence is and where it can be applied. Next, you’ll discover techniques for performing cyber threat intelligence collection and analysis using open source tools. The book also examines commonly used frameworks and policies as well as fundamental operational security concepts. Later, you’ll focus on enriching and analyzing threat intelligence through pivoting and threat hunting. Finally, you’ll examine detailed mechanisms for the production of intelligence.
Within this book, you’ll learn the fundamentals of cybersecurity architecture as a practical discipline. Once mastered, these fundamentals are evergreen approaches that can be applied and adapted to new and emerging technologies like artificial intelligence and machine learning. You’ll learn how to address and mitigate risks, design secure solutions in a purposeful and repeatable way, communicate with others about security designs, and bring designs to fruition.
This book delivers a hands-on and step-by-step guide to implementing an effective and practical Zero Trust security strategy at your organization. The book is written as an engaging narrative that follows the story of Dylan, a new IT Director at a company that experiences a ransomware attack on his first day. You’ll learn John Kindervags’ 5-step methodology for implementing Zero Trust, the four key Zero Trust design principles, and discover how to align this framework with your company’s operational and commercial requirements.
You’ll learn the most intriguing psychological principles exploited by attackers, including influence, manipulation, rapport, persuasion, and empathy, and gain insights into how attackers leverage technology to enhance their attacks using fake logins, email impersonation, fake updates, and executing attacks through social media. This book will equip you with the skills to develop your own defensive strategy, including awareness campaigns, phishing campaigns, cybersecurity training, and a variety of tools and techniques.
Wiley CISO and CIO Sean D. Mack delivers an expert analysis of how to keep your business secure, relying on the classic triad of people, process, and technology to examine―in depth―every component of DevSecOps. In the book, you’ll learn why DevSecOps is as much about people and collaboration as it is about technology and how it impacts every part of our cybersecurity systems.
This book delivers an incisive and penetrating look at how contemporary and future AI can and will be weaponized for malicious and adversarial purposes. You will explore multiple foundational concepts to include the history of social engineering and social robotics, the psychology of deception, considerations of machine sentience and consciousness, and the history of how technology has been weaponized in the past.
Cybersecurity products can get pricy but there are many excellent open source tools to help secure your systems and data. Here’s a list of some of the most popular with cyber pros.
Cybersecurity tools aren’t just for the enterprise anymore; they’re essential for every type and size of organization.
Some tools specialize in antivirus, while others focus on spear phishing, network security or scripting. Even the best cybersecurity products can only do a few things very well, and there is no room for error.
Effective products, coupled with in-depth cybersecurity planning, are a must for all. Whether businesses have an in-house security team or outsource these services, every entity needs cybersecurity pros to discover and fix any points of weakness in computer systems. This reality can tax the bottom line, but luckily there are many free cybersecurity tools available.
Here is a rundown of some of the top free tools cybersecurity professionals use every day to identify vulnerabilities.
1. Aircrack-ng
Aircrack-ng is a must-have suite of wireless security tools that focus on different aspects of Wi-Fi security. Aircrack-ng focuses on monitoring, attack testing and cracking your Wi-Fi network. This package of tools can capture, analyze and export packet data, spoof access points or routers and crack complex Wi-Fi passwords. The Aircrack-ng suite of programs includes Airdecap-ng, which decrypts WEP or WPA-encrypted capture files; Airodump-ng, a packet sniffer; Airtun-ng, a virtual tunnel interface creator; and Packetforge-ng, which creates encrypted packets for injection. All of it is free and open source.
2. Burp Suite
Burp is a suite of tools specifically focused on debugging and testing web app security. Burp Suite includes a spider for crawling web app content, a randomness tool for testing session tokens and a sophisticated request repeater to resend manipulated requests. The real power of Burp Suite, however, is the intercepting proxy tool, which enables Burp to intercept, inspect, modify and send traffic from the browser to a target. This powerful feature makes it possible to creatively analyze a web app’s attack vectors from all angles — a key reason it’s often ranked as one of the best free cybersecurity tools. The community version of Burp Suite is free, but there is also a paid Enterprise Edition designed for enabling testing in DevSecOps.
3. Defendify
Defendify is an all-in-one product that provides multiple layers of protection and offers consulting services if needed. With Defendify, organizations can streamline cybersecurity assessments, testing, policies, training, detection and response in one consolidated cybersecurity tool.
Features include cybersecurity risk assessments, technology and data use policies, incident response plans, penetration testing, threat alerts, phishing simulations and cybersecurity awareness training.
4. Gophish
Many of the costliest data breaches and ransomware attacks in recent years can be traced back to simple phishing campaigns because many company workers fall for them. One of the best protections is to secretly test your staff to see who is gullible, and for that you can use the free program Gophish. Gophish is open source and provides a full-featured toolkit for security administrators to build their own phishing campaigns with relative ease. The overall goal is not to embarrass staff, but find out who needs greater phishing awareness and foster better security training within their organization.
5. Have I Been Pwned
Created by award-winning cybersecurity thought leader and teacher Troy Hunt, Have I Been Pwned is a website where you enter your email address to check if your address has been revealed in a data breach. Have I Been Pwned’s database is filled with billions of usernames, passwords, email addresses and other information that hackers have stolen and published online. Just enter your address in the search box.
6. Kali Linux
Kali Linux is a Debian Linux derivative specifically designed toward testing for security tasks, such as penetration testing, security auditing and digital forensics. Kali includes roughly 600 pre-installed programs, each included to help computer security experts carry out a specific attack, probe or exploit against a target. Aircrack-ng, Nmap, Wireshark and Metasploit are a few of the pre-installed tools that ship with the Kali Linux download.
7. Metasploit Framework
Similar to Kali Linux but at the application layer rather than OS, the Metasploit Framework can test computer system vulnerabilities or can be used to break into remote systems. It is, in other words, a network penetration “Swiss Army knife” used by both ethical hackers and criminal gangs to probe networks and applications for flaws and weaknesses. There is both a free and a commercial version — known as the Framework and Pro editions, respectively — which are available for trial. Both editions are de facto standard for penetration testing with more than 1,500 exploits. Metasploit comes pre-installed on Kali Linux.
8. Nmap
Nmap is a free network mapper used to discover network nodes and scan systems for vulnerability. This popular free cybersecurity tool provides methods to find open ports, detect host devices, see which network services are active, fingerprint operating systems and locate potential backdoors.
While Nmap provides users immense power and capability to explore networks, the program has a rather steep learning curve to get over before one becomes truly proficient in using it.
9. Nikto
Nikto is an ultra-powerful, command-line tool useful for uncovering vulnerabilities in web apps, services and web servers. Originally launched in the early 2000s, Nikto is still widely used by both blue and red teams that want to quickly scan web servers for unpatched software, misconfigurations and other security issues. The program also features built-in support for SSL proxies and intrusion detection system evasion. Nikto can run on any computer capable of supporting the Perl programming language.
10. Open Vulnerability Assessment Scanner
OpenVAS is an all-in-one vulnerability scanner that comprehensively tests for security holes, misconfigured systems and outdated software. The scanner gets the tests for detecting vulnerabilities from a feed with daily updates. Much of the program’s power stems from its built-in programming interface, which enables developers to create custom scans that fit niche needs.
Its capabilities include unauthenticated and authenticated testing, high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
11. OSSEC
OSSEC is a free program for cybersecurity professionals that’s been touted as one of the most popular systems for intrusion detection and prevention. Made up of multiple components — including a server, agent and router monitor — OSSEC is capable of rootkit detection, system integrity checking, threat alerts and response. One of OSSEC’s highlights is its comprehensive log analysis tool, empowering users to compare and contrast log events from many different sources.
OSSEC comes in three versions: standard; OSSEC+, which includes machine learning and real-time community update; and Atomic OSSEC, with more advanced functions.
12. Password managers
Using only strong passwords — and keeping them secure — is an essential step in the security of any system. But since a best practice is to use a unique password for every website, app and service, that can get tricky. A good password manager makes it possible to safely store all passwords together so a user only needs to remember one master key rather than dozens of unique passwords. This is especially true for cybersecurity professionals tasked with guarding passwords to mission-critical systems. Fortunately, there are free password management tools. Three good, free options for cybersecurity pros are KeePass, Bitwarden and Psono.
13. PfSense
The firewall/router software pfSense can be installed on either a physical computer or virtual machine to protect networks. PfSense is based on the FreeBSD OS, and has become one of the most popular open source firewall/router projects available. PfSense can also be configured for intrusion detection and prevention, traffic shaping, load balancing and content filtering. The pfSense site includes a tour, a community page, a link to both training and support and a download of the latest version of the community edition of the software.
14. P0f
Endpoint fingerprinting is analysis of web traffic to find patterns, responses and packets sent and received in a particular direction — even if they are encrypted. This works even with “dumb” devices that don’t interact with the network but can still enable unauthorized access to an organization’s systems.
P0f is a simple yet powerful network-level fingerprinting and forensics program. While other free cybersecurity programs do a similar job, p0f is unique in that it’s designed for stealth. Where most other programs rely on active scanning and packet injection, p0f can identify fingerprints and other vital information without network interference. Being passive rather than active means p0f is nearly impossible to detect and even harder to block, making it a favorite tool for ethical hackers and cybercriminals alike.
15. REMnux
Normally the dissection and examination of malware is left to the antimalware vendors. But if you would like to do the job yourself, there is REMnux, a free Linux toolkit for reverse-engineering and analyzing malware.
Included in every REMnux distribution are tools to analyze Windows executables, reverse-engineer binaries and inspect suspicious documents. It also includes a collection of free tools cybersecurity professionals can use to monitor networks, gather data and conduct memory forensics.
16. Security Onion
Security Onion is an open source software collection based on the Linux kernel that helps cybersecurity professionals develop a comprehensive profile of their system’s security posture. Security Onion provides network monitoring using full packet capture, host-based and network-based intrusion detection systems, log indexing, search and data visualization features.
The operating system emphasizes ease of use and makes it possible to interweave data and analytics from multiple tools into a unified dashboard. The overarching goal of the project is to offer teams a foolproof security monitoring solution that reduces decision paralysis and false alerts.
17. Snort
Snort is an open source network intrusion prevention and intrusion detection system capable of real-time traffic analysis and logging. It uses a series of rules to identify malicious network activity, find the packets and generate alerts. This packet sniffer — managed by Cisco — actively searches and analyzes networks to detect probes, attacks and intrusions. Snort accomplishes this by fusing a sniffer, packet logger and intrusion detection engine into a single package.
Its developer recently released version 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, use of a shared configuration and attribute table, access to more than 200 plugins, rewritten TCP handling and new performance monitoring.
18. Sqlmap
Sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws of database servers, enabling a remote hacker to take control. It comes with a detection engine and many niche features for the ultimate penetration tester. It supports a variety of databases — including Oracle and open source — and a number of injection types.
19. Wireshark
Wireshark is considered by many to be an indispensable tool to locate, identify and examine network packets to diagnose critical issues and spot security weaknesses. The website for Wireshark outlines its broad set of features and provides a user’s guide and other resources for putting this free cybersecurity tool to best use.
20. Zed Attack Proxy (ZAP)
ZAP is an open source penetration testing tool designed specifically for testing web applications. It is known as a “man-in-the-middle proxy,” where it intercepts and inspects messages sent between browsers and web applications.
ZAP provides functionality for developers, testers new to security testing and security testing specialists. There are also versions for each major operating system and Docker. Additional functionality is available via add-ons in the ZAP Marketplace.
Every cybersecurity expert carries a different set of tools, depending on their mission and skill set. However, the free cybersecurity tools here serve as an entry point for those looking to increase their cybersecurity skills and knowledge. Cyberthreats are getting more lethal every year — and more efficient.
A deepfake video conference call paired with social engineering tricks has led to the theft of over US$25 million from a multinational firm, the South China Morning Post has reported.
The scheme and the deepfake video conference call
The attack started with messages sent to several of the firm’s employees, but it seems that only one – employed in the finance department of the company’s Hong Kong branch’s – was ultimately bamboozled.
According to the SCMP, the employee’s suspicion were raised when they received the message, purportedly by the company’s UK-based Chief Financial Officer, asking the employee to carry out a secret transaction. But they have been later quelled by a group video conference to which the employee was invited.
Present in the video conference were the company’s CFO, other company staff and even outsiders – or so it seemed.
In reality, the fraudsters used previous video and audio footage and artificial intelligence technology to create the illusion these individuals were present on the call and make these digital recreations “speak” to pull off the illusion.
Baron Chan Shun-ching, a superintendent with Hong Kong Police’s cyber security division, told the SCMP that “during the video conference, the scammers asked the victim to do a self-introduction but did not actually interact with the person. The fake images on screen mainly gave orders before the meeting ended abruptly.”
After the call, the scammers delivered additional instructions via IM, emails and one-on-one video calls. As instructed, the employee sent a total of HK$200 million to five local bank accounts.
Several other employees at the same company branch have also contacted by the scammers, the Hong Kong police said, but did not share how those interactions unfolded.
Deepfakes are getting more difficult to spot
AI-generated deepfakes (whether audio or video) are increasingly being leveraged by scammers and other crooks.
Most people overestimate their deepfake detection skills. This is all new territory, and deepfakes are getting more realistic and more difficult to spot by the day.
“We want to alert the public to these new deception tactics. In the past, we would assume these scams would only involve two people in one-on-one situations, but we can see from this case that fraudsters are able to use AI technology in online meetings, so people must be vigilant even in meetings with lots of participants,” Chan Shun-ching said during a press event.
The Hong Kong Police has advised the public to ask questions during these meetings, ask the participants to move, and confirm requests made during those calls via alternative communication channels.
The recent discovery of a significant flaw in the GNU C Library (glibc), a fundamental component of major Linux distributions, has raised serious security concerns. This flaw grants attackers root access, posing a critical threat to the security of Linux systems.
Vulnerability in GNU C Library (glibc): The GNU C Library, commonly known as glibc, is an essential part of Linux distributions. It provides the core libraries for the system, including those used for file handling, mathematical computations, and system calls.
Root Access Granted: The flaw discovered in glibc allows attackers to gain full root access to Linux machines. Root access means having complete control over the system, enabling an attacker to perform any action, including installing software, accessing all files, and modifying system configurations.
CVE ID: CVE-2023-6246
Description: This vulnerability is related to a dynamic memory buffer overflow and is classified as a Local Privilege Escalation (LPE) issue. It was found in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog and vsyslog functions.
Impact: The flaw allows unprivileged attackers to gain root access on various major Linux distributions in their default configurations. This level of access can enable attackers to take complete control over the affected system.
Severity: Given its potential for granting root access, this vulnerability is considered highly severe.
HOW THE FLAW WORKS
Local Privilege Escalation: The vulnerability is a local privilege escalation (LPE) issue. This means that an attacker who already has access to the system (even with limited privileges) can exploit this flaw to gain root-level access.
Exploitation Requirements: To exploit this flaw, attackers need a Set-User-ID (SUID) binary. SUID is a special type of file permission that allows users to execute a program with the permissions of the file owner, which in many cases is the root user.
IMPACT AND SEVERITY
Widespread Impact: Given the ubiquitous use of glibc in Linux distributions, the impact of this vulnerability is widespread, affecting a vast number of systems and applications.
High Severity: The flaw is considered high severity due to its potential to grant attackers complete control over the affected systems.
MITIGATION AND RESPONSE
Disabling SUID Binaries: One suggested mitigation is to disable SUID binaries using “no new privileges” mode, which can be implemented with tools like systemd or bwrap.
Patch and Update: Users and administrators are urged to apply patches and updates provided by their Linux distribution as soon as they become available. Staying updated is crucial in preventing the exploitation of this vulnerability.
The discovery of the glibc flaw that grants root access to major Linux distributions is a stark reminder of the importance of system security and the need for constant vigilance. Users and administrators must take immediate action to mitigate the risk by applying patches and employing security best practices. As Linux continues to be a backbone for many systems and networks, ensuring its security is paramount for the integrity of countless applications and services.
The FritzFrog botnet, originally identified in 2020, is an advanced peer-to-peer botnet built in Golang that can operate on both AMD and ARM-based devices. With constant updates, the malware has developed over time, adding and enhancing features.
A new strain of the FritzFrog botnet was discovered exploiting the Log4Shell vulnerability to target all hosts in the internal network.
Additionally, by using weak SSH credentials, the malware attacks servers that are accessible over the internet.
“Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable,” Akamai shared with Cyber Security News.
The Exploitation Chain
The only infection vector used by FritzFrog was SSH brute force; however, more recent iterations of the malware have added the Log4Shell exploitation dubbed “Frog4Shell”.
A vulnerability called Log4Shell was found in the popular open-source Log4j web tool in 2021. Governments and security firms carried out a global initiative to patch the technology.
Presently, the malware targets every host on the internal network as part of its routine for spreading. The malware is attempting to connect to every address on the local network to accomplish this.
According to the researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatched—a situation that FritzFrog takes advantage of.
FritzFrog scanning the local network to identify targets
“This means that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” researchers said.
FritzFrog searches for HTTP servers on ports 8080, 8090, 8888, and 9000 to find possible Log4Shell targets. The malware is currently targeting as many vulnerable Java applications as possible.
Log4Shell exploitation flow
Additionally, FritzFrog enhanced its capacity to identify targets for SSH brute force, which is its primary infection vector.
FritzFrog will now attempt to identify specific SSH targets by counting multiple system logs on each of its victims, in addition to targeting randomly generated IP addresses.
The malware now includes a module that exploits CVE-2021-4034, a privilege escalation in the polkit Linux component. On susceptible servers, this module allows the malware to operate as root.
“Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today,” researchers said.
Recommendation
The network segmentation can stop the lateral movement of the malware. Software-based segmentation has the potential to be a long-lasting protective measure that is comparatively easy to implement.
For use on SSH servers, a FritzFrog detection script is given that searches for the following FritzFrog indicators:
a. Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system (as seen below)
One of the best ways to stay safe and secure when using your computers and other electronic devices is to be aware of the risks. For the past decade, that’s precisely what I’ve been doing.
Most risks are obvious: use strong passwords, don’t download and install software from untrustworthy websites, or hand your unlocked device to a third party.
However, there are less obvious — yet equally dangerous — risks that can result in device or network intrusion, or even device destruction.
Watch out: Some of the most effective and dangerous hacking tools are hard to tell apart from benign devices. They can even be cute.
According to a recent Dynatrace report, only 50% of CISOs believe that development teams have thoroughly tested the software for vulnerabilities before deploying it into the production environment.
This is a statistic that needs to change and the only way to change it is to make sure developers are on the same page as security practitioners.
The challenges
Making developers accept the importance of security in their software development process comes with numerous challenges. They can be split into four categories:
Tool-related challenges
Practice-related challenges
Infrastructure-related challenges
People-related challenges
Integrating security tools into existing DevOps tools can be complicated. “A significant barrier in implementing security into [DevSecOps] is the differences in tool-sets between security and other teams,” researchers Roshan N. Rajapaksea, Mansooreh Zahedia, M. Ali Babara and Haifeng Shenc noted. Also, each team member has their own preferences in tools based on specific advantages.
Some toolsets may also be inadequate, and without standards or documentation developers will have even more difficulties with the integration.
Practice-related challenges involve automation and deployment. DevOps processes are mostly automated, but security requires human action, i.e., manual security practices that are difficult to automate.
Developers are also all about pushing the product as soon as possible, yet, by implementing DevSecOps, the development process needs to slow down to allow possible vulnerabilities to be fixed.
When it comes to infrastructure, a complex cloud environment can slow down secure software development, while a multi-cloud environment can pose difficulties when securing data. Highly regulated environments (air-gapped environments, medical infrastructure, etc.) can also make DevSecOps adoption difficult.
Finally, there’s the people-related challenges: developers may have difficulties with the imminent changes that DevSecOps bring to the development process, and may lack security skills required to carry out certain security practices in DevSecOps.
CISOs and developers (69% and 64%, respectively) both see that the lack of communication and collaboration between developers and security teams is a significant problem.
Implementing DevSecOps will also not work without the right knowledge, which developers have yet to build.
The solutions
To make developers accept DevSecOps, they need to be heard, which means making sure they have a say when security decisions are made. This can contribute to a more productive and constant collaboration and communication between security and development engineers, while also defining roles and responsibilities.
Shifting left is a must, but developers need to know exactly what is expected of them when it comes to secure coding.
“A big part of improving the DevSecOps experience is not introducing more tooling, but getting clear on the process and expectations of how developers should use the tools they already have. Clear communication about policies ensures an organized and consistent approach to implementing security throughout the SDLC,” says Nick Liffen, director at GitHub Advanced Security.
Training is an important part of DevSecOps implementation, but developers need to be reassured that their job will not be disrupted when security gets integrated into coding.
To further motivate them, it’s good to let them see that knowing how to code securely can contribute to both the company’s success and their personal growth.
Learning that being a DevSecOps professional is a good career choice can additionally boost their motivation.
“Between 2021 and 2028, the DevSecOps market is expected to grow at a CAGR of 24.1%. DevSecOps professionals have several job opportunities as a result of this rapid rise. This demand is expected to grow as more companies adopt DevSecOps practices,” said Misbah Thevarmannil, content lead at Practical DevSecOps.
Aembit Becomes the First Workload IAM Platform to Integrate with the Industry-Leading CrowdStrike Falcon Platform to Drive Workload Conditional Access
Aembit, the Workload Identity and Access Management (IAM) platform that enables DevOps and security teams to discover, manage, enforce and audit access between workloads, today announced the availability of a new integration with the industry-leading CrowdStrike Falcon® platform to give enterprises the ability to dynamically manage and enforce conditional access policies based on the real-time security posture of their applications and services.
This integration signifies a significant leap in Aembit’s mission to empower organizations to apply Zero Trust principles to make workload-to-workload access more secure and manageable.
Workload IAM transforms enterprise security by securing workload-to-workload access through policy-driven, identity-based, and secretless access controls, moving away from the legacy unmanaged, secrets-based approach.
Through this partnership, the Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload and evaluates its real-time security posture to drive workload access decisions to applications and data.
With this approach, now enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional customer benefits from this partnership include:
Managed Workload-to-Workload Access: Enforce and manage workload access to other applications, SaaS services, and third-party APIs based on identity and policy set by the security team, driving down risk.
Seamless Deployment: Drive consolidation by effortlessly integrating the Aembit Workload IAM Platform with the Falcon platform in a few clicks, providing a unified experience for managing workload identities while understanding workload security posture.
Zero Trust Security Model: Embrace a Zero Trust approach, ensuring that every access request, regardless of the source, is verified before granting access rights. Aembit’s solution enforces the principle of least privilege based on identity, policy, and workload security posture, minimizing potential security vulnerabilities.
Visibility and Monitoring: Gain extensive visibility into workload identities and access permissions, enabling swift detection and response to potential security threats. Monitor and audit access logs based on identity for comprehensive security oversight.
This industry-first collaboration builds on the recent CrowdStrike Falcon Fund strategic investment in Aembit, underscoring the global cybersecurity leader’s commitment to fostering innovation within the space. The investment reflects the recognition of the growing demands for securing workload access.
Josh Summitt, the creator of Faction, has always disliked the process of writing reports, preferring to focus on uncovering bugs. A key frustration for him was the redundant step of using a separate note-taking app for storing screenshots and findings before compiling the final report.
He envisioned an integrated solution where the report generation tool would serve as the note-taking platform, incorporating all the standard templates typically used in reports. He hopes Faction will help others save time, reduce stress, and improve their information security workflow.
“I built Faction to be extendable in ways like you would extend BurpSuite. It’s designed to be flexible and extended to fit seamlessly in any environment. It is easy for internal teams to build and support their small modules versus a large code base. In addition, I hope the project will get a growing list of prebuilt modules developed by the community to expand capabilities without requiring internal development,” Summitt told Help Net Security.
Faction features
With Faction, you can:
Streamline penetration testing and security assessment reporting through automation.
Facilitate peer review and monitor modifications in reports.
Design docx templates for various assessments and follow-up retests.
Collaborate in real-time with assessors using the web application and extensions for Burp Suite.
Oversee assessment teams and monitor organizational progress.
Monitor the remediation of vulnerabilities with tailored SLA warnings and notifications.
Leverage a comprehensive Rest API for seamless integration with other tools.
Other features:
LDAP, OAuth 2.0 and SMTP Integration.
Extendable with Custom Plugins similar to Burp Extender.
Custom Report Variables.
Future plans
The developer is currently working on enhancing the extendability of Faction by introducing a full app store, reminiscent of those found in platforms like Slack and Burp. This expansion will allow for the inclusion of additional features such as custom UI elements.
“Faction has had a strong focus on penetration testing from an application security mindset. I want to expand that to be more Red and Blue Team inclusive. Not that it won’t work for these teams out of the box but it could be more flexible,” Summitt added.
2024 is shaping up to be a record-breaking year for data breaches, according to Experian. Despite 2023 being labeled as a ‘successful’ year for malicious actors, the upcoming months may bring forth developments that could further disrupt the cybersecurity landscape.
Supply chain vulnerabilities amplified
There’s no question third-party data breaches have made headlines. With increased data collection, storage, and movement, there are plenty of partners down the supply chain that could be targeted. We predict attacks on systems four, five or six degrees from the source as vendors outsource data and technology solutions who outsource to another expert and so on.
Digital transformation is expanding threat surfaces. SaaS platforms and public cloud infrastructures, are pushing the perimeter out into the internet itself—putting users at greater risk.
When trying to achieve a goal, it’s said that taking small steps can lead to big results. Hackers could apply that same rule. Instead of making drastic moves and trying to reap instant reward such as with ransomware, bad actors may manipulate or alter the tiniest bits of data to stay under the radar such as changing a currency rate or adjusting the coordinates for transportation, which can have a major impact.
It’s widely known who the major players are globally that sponsor attacks and a new country in South Asia may join the international stage with their large population of engineers and programmers. While reportedly having been in the game focusing cyberattacks regionally due to political tensions, this country may broaden their sights in the future.
Plutonium, terbium, silicon wafers — these rare earth materials that are the building blocks for today’s hardware are rapidly becoming the most sought-after resources on the planet. Any disruption to an strained supply chain could send the industry (and the economy that relies on these materials) spinning.
This presents an intriguing opportunity for threat actors seeking mass disruption or nations looking to corner markets.
“Cybercriminals are continually working smarter, not harder,” said Michael Bruemmer, VP, Global Data Breach Resolution at Experian. “They are leveraging new technologies like artificial intelligence and applying their talents in different ways to be more strategic and stay a step ahead. Organizations should not ignore even the slightest security abnormalities and be more aware of what global interests may make them a target.”
Winning from the inside
Like drug cartels, cybergangs are forming sophisticated organizations as joining like-minded actors can be incredibly advantageous. This spans globally with countries potentially helping each other to advance common goals and interests. We’ll see more hackers for trade, crews looking to expand their monopolies, and cyberwarfare alliances.
In 2024, enterprising threat actors may target more publicly traded companies to gain insights to cheat the stock market or plan their attacks and sell their stash before value nosedives. Rather than breach an organization and play in the underground with stolen data, threat actors could leverage data extraction and their talents in plain sight as everyday investors.
“Today, perpetrators can come from anywhere in the world and bring with them robust resources and expertise,” added Jim Steven, Head of Crisis and Data Response Services at Experian Global Data Breach Resolution in the United Kingdom. “There are many global crime syndicates and nation-backed operations, so companies need to invest in sophisticated prevention and response methods to protect themselves.”
The digital landscape is under siege. Surging browser-based phishing attacks, a 198% increase in just the second half of 2023, paint a chilling picture of cyber threats outsmarting traditional security.
Menlo Security’s 2023 State of Browser Security Report unveils this alarming trend, sounding the alarm for organizations and individuals alike.
The Rise Of Evasive Attacks
Gone are the days of easily identifiable phishing scams.
Cybercriminals are now armed with highly evasive techniques, bypassing conventional defenses like network filters and email scanners.
These HEATs (Highly Evasive Adaptive Threats), making up 30% of all browser-based attacks, employ tactics like:
SMS Phishing (Smishing): Luring victims with seemingly legitimate text messages.
Adversary in the Middle (AITM): Intercepting and manipulating web traffic on the fly.
Image-Based Phishing: Embedding malicious code within seemingly harmless images.
Brand Impersonation: Mimicking trusted websites to steal login credentials.
Multi-Factor Authentication (MFA) Bypass: Finding ways to circumvent even two-factor security.
Traditional security, built for known threats, stumbles against the lightning speed of zero-hour attacks.
These novel phishing campaigns, observed at over 11,000 in just 30 days, exploit the vast and vulnerable attack surface of modern browsers.
Worryingly, 75% of these attacks hide on trusted websites, cloaked in a veneer of legitimacy.
Despite technological advancements, the human element remains the weakest link.
Phishing preys on our inherent trust and cognitive biases, tricking us into divulging sensitive information.
This makes browser security the ultimate line of defense, protecting users at the point of interaction with the web.
Menlo Security: Shining A Light On The Dark Web
The report paints a stark picture, but not a hopeless one. Menlo Security offers a beacon of hope with its advanced browser security solutions.
Leveraging cutting-edge AI and machine learning, Menlo’s technology detects and thwarts even the most sophisticated evasive attacks.
Key Takeaways for a Safer Web:
Evasive threats demand a new approach: Traditional security falls short. Look to advanced browser security solutions powered by AI.
Zero-hour attacks lurk everywhere: Don’t let trusted websites lull you into a false sense of security. Remain vigilant and practice safe browsing habits.
Your browser is the frontline: Prioritize comprehensive browser security to shield yourself from evolving cyber threats
David Miller, Policy Advocate: “This report calls for increased collaboration between cybersecurity researchers, technology companies, and policymakers. We need to share threat intelligence, develop best practices, and create regulatory frameworks that incentivize stronger browser security measures.”
Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape withTrustifiAI-powered Email security solutions.
A US court has rejected spyware vendor NSO Group’s motion to dismiss a lawsuit filed by Apple that alleges the developer violated computer fraud and other laws by infecting customers’ iDevices with its surveillance software.
Apple sued NSO, developer of the notorious Pegasus spyware, back in November 2021 and asked the court to permanently ban NSO from using any Apple software, services, or devices. The lawsuit alleges that company violated the US Computer Fraud and Abuse Act (CFAA), California’s Unfair Competition Law, and the terms of use for Apple’s own iCloud when its spyware was installed on victims’ devices without their knowledge or consent. NSO now must answer Apple’s complaint by February 14.
Pegasus infected Apple customers’ devices via a zero-click exploit called FORCEDENTRY, according to Cupertino. Once it lands on phones, the spyware allows users to snoop on phone calls, messages, and access the phone’s camera and microphone without permission.
Despite the surveillance-software maker’s claims that it only sells to government agencies, and even then, only to investigate terrorism or other serious crimes, the software has repeatedly been used to spy on journalists, activists, political dissidents, diplomats and government officials. This has led to US sanctions against the company and several lawsuits.
Last March, NSO asked the court to toss Apple’s lawsuit, arguing that Cupertino should be required to sue the developer in Israel, its home jurisdiction. It also claimed that Apple can’t sue over CFAA violations because the iGiant itself didn’t suffer any damages or loss [PDF].
The court, in its ruling on Monday, dismissed these arguments, noting that “the anti-hacking purpose of the CFAA fits Apple’s allegations to a T, and NSO has not shown otherwise.”
“A ‘loss’ is ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service’ … That is precisely the loss Apple has alleged here,” the judge continued [PDF].
When asked about the judge’s ruling, an NSO Group spokesperson said the software maker will fight on.
“The motion to dismiss is part of the legal process in this case,” the NSO spokesperson told The Register. “The technology in question is critical to law enforcement and intelligence agencies in their efforts to maintain public safety. We are confident that once the arguments are presented, the Court will rule in our favor.”
Apple, meanwhile, took the win, and a spokesperson told The Register that this lawsuit is just one of the ways the iGiant is fighting back against spyware vendors.
These include the new Lockdown Mode security feature, the threat notifications it sends to users who may be targets in nation-state attacks, and a $10 million grant to support civil society organizations that research spyware threats and conduct advocacy on the topic through the Ford Foundation.
The cybersecurity field continuously generates new terms and concepts as it evolves with time. It also repurposes words to describe new concepts. There’s a never-ending flow of jargon that some refer to as an alphabet soup of complexity. From NGAV to XDR, it appears unlikely for cybersecurity to run out of new acronyms and terminologies.
Meanwhile, some popular terms used in cybersecurity can have contradicting meanings. These are the so-called contronyms, which may add some spice to the insipidity of tech terms. Here’s a list of some famous cybersecurity words or phrases many would probably think they are already familiar with but are likely to be surprised to learn about their other meanings.
HACKING
Most people tend to equate hacking to cybercrime, an attempt to illegally access, damage, or take over a computer system. This is not surprising given that most news articles that mention hacking use the term in its negative connotation, referring to cyber attacks aimed at bypassing access controls or security measures to prevent the unauthorized use of IT resources.
However, hacking can mean something positive or useful. In cybersecurity, system hacking can refer to an authorized effort to break existing security measures to test their effectiveness and spot weaknesses. The term often used for this action is “ethical hacking,” but hacking by itself is neither good nor bad. It’s how it is used that spells the difference.
Hacking in both its malicious and ethical instances follows the same stages. Also, they use similar techniques, from password cracking to phishing, the deployment of rootkits and trojans, exploitation of buffer overflows, privilege escalation, and the use of keyloggers. These steps and techniques are observed in attempts to exploit vulnerabilities and detect security weaknesses so that they can be plugged or resolved.
PATCHING
In contrast to hacking, patching is often perceived as a positive term. It is mostly known as the application of a software patch to address a vulnerability or add new functions. Software publishers regularly release patches for their software in response to developments in the cyber threat landscape and to provide improvements in their software products.
Negatively, patching refers to the unauthorized modification of a software or system by taking advantage of system vulnerabilities. Cybercriminals can infiltrate or corrupt software pipelines, allowing them to send out malicious software patches to unsuspecting users. This works because many tend to excessively trust their automated software pipelines or they carelessly obtain their software updates from unofficial sources.
SNIFFING
Among those involved in network administration, sniffing is a legitimate process that entails the tracking and analysis of network traffic. This is done to undertake a troubleshooting task, monitor network performance, or facilitate network security-related actions. It is one of the vital actions in Intrusion Detection Systems (IDS).
However, sniffing can also refer to malicious packet sniffing, wherein an attacker intercepts the packets transmitted through a network. Sniffing allows bad actors to steal login credentials and other sensitive information. It can help them gain access to online accounts or steal crucial data. Sniffing is often used as a form of cyber attack on devices that connect to the internet through public WiFi networks.
Sniffing in the negative context is not new. It has been used as an attack for decades. Cybersecurity advocates pointed out the threat of sniffing more than a decade ago amid the proliferation of businesses that offer free public WiFi connection without strong security.
SCRIPTING
Scripting refers to the writing and deployment of scripts for the automation of repetitive tasks. It is used to automate routine actions, which enables the efficient management of systems. Scripting is also employed in penetration testing to simulate cyber attacks on a system. Similarly, it is used in log analysis and monitoring, day-to-day security operations, forensics and incident response, and cross-platform compatibility testing.
However, scripting can also be malicious, as used by threat actors. Cybercriminals can turn to malicious scripting to automate the execution of files that have been successfully introduced into a system. Successfully deceiving a computer user into downloading a file is not enough for the malicious file to inflict damage. Scripts are necessary to unleash the effects of malicious files and detect security vulnerabilities.
BACKDOOR
The term backdoor is usually known for its negative implication. Most news and articles refer to backdoors in an unfavorable context. This should not come as a surprise since backdoors are often used by cybercriminals. They serve as a way to bypass normal authentication for any computer-related system, facilitating unauthorized access or the introduction of malicious files to a computer or network.
However, backdoors can be a feature intentionally added to the software. They can be deliberately put in an app to provide an optional means of access in cases when conventional access methods are unavailable. This “necessary” version of a backdoor was in the spotlight some years ago when the US FBI asked Apple to purposely build a backdoor on their iPhones.
KILL CHAIN
The cyber kill chain is a framework developed by Lockheed Martin as part of its patented Intelligence Driven Defense model for cyber attack identification and prevention. It consists of a series of steps that represent the different stages of a cyber attack, from early reconnaissance to command and control and “actions on objectives.” This model helps organizations visualize and comprehend the different stages of an attack, focusing on critical points in the attack, developing strategies to mitigate threats, and boosting incident response capabilities.
Essentially, the kill chain is a process that is supposed to help organizations prepare for cyber attacks, successfully fend off an assault, and mitigate problems that emerge in the wake of a cyber attack. However, the phrase kill chain, in colloquial use, may refer to a successful cyber attack.
AN EXERCISE IN CYBERSECURITY JARGON COMPLEXITY
It may sound confusing, but contronyms exist everywhere. Interestingly, these words still make sense despite the auto-contradiction. In cybersecurity, contronyms reflect the complexity and flexibility of language, showing how words can change in meaning depending on their context and usage.
Isn’t it counterintuitive for cybersecurity terms to bear contradicting meanings? Possibly. However, what is ultimately important is the understanding that cybersecurity terms are far from straightforward. It is a must to properly get acquainted with them to understand what they really mean, especially with the rise of a plethora of acronyms and jargon introduced by security solution providers. Many of which tend to be marketing-speak or misnomers.
North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor
Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.
“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.
The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).
Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.
The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.
While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.
There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.
SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.
While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.
Both LNK files have been observed deploying the same decoy document, a legitimate threat intelligence report about the Kimsuky threat group published by South Korean cybersecurity company Genians in late October 2023, in a move that implies an attempt to expand its target list.
This has raised the possibility that the adversary could be looking to gather information that could help it refine its operational playbook and also target or mimic cybersecurity professionals to infiltrate specific targets via brand impersonation techniques.
The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi in an apparent effort to circumvent detection in response to public disclosure about its tactics and techniques.
“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.
“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”
Artificial Intelligence (AI) has arisen as a wildly disruptive technology across many industries. As AI models continue to improve, more industries are sure to be disrupted and affected. One industry that is already feeling the effects of AI is digital security. The use of this new technology has opened up new avenues of protecting data, but it has also caused some concerns about its ethicality and effectiveness when compared with what we will refer to as traditional or established security practices.
This article will touch on the ways that this new tech is affecting already established practices, what new practices are arising, and whether or not they are safe and ethical.
HOW DOES AI AFFECT ALREADY ESTABLISHED SECURITY PRACTICES?
It is a fair statement to make that AI is still a nascent technology. Most experts agree that it is far from reaching its full potential, yet even so, it has still been able to disrupt many industries and practices. In terms of already established security practices, AI is providing operators with the opportunity to analyze huge amounts of data at incredible speed and with impressive accuracy. Identifying patterns and detecting anomalies is easy for AI to do, and incredibly useful for most traditional data security practices.
Previously these systems would rely solely on human operators to perform the data analyses, which can prove time-consuming and would be prone to errors. Now, with AI help, human operators need only understand the refined data the AI is providing them and act on it.
IN WHAT WAYS CAN AI BE USED TO BOLSTER AND IMPROVE EXISTING SECURITY MEASURES?
AI can be used in several other ways to improve security measures. In terms of access protection, AI-driven facial recognition and other forms of biometric security can easily provide a relatively foolproof access protection solution. Using biometric access can eliminate passwords, which are often a weak link in data security.
AI’s ability to sort through large amounts of data means that it can be very effective in detecting and preventing cyber threats. An AI-supported network security program could, with relatively little oversight, analyze network traffic, identify vulnerabilities, and proactively defend against any incoming attacks.
THE DIFFICULTIES IN UPDATING EXISTING SECURITY SYSTEMS WITH AI SOLUTIONS
The most pressing difficulty is that some old systems are simply not compatible with AI solutions. Security systems designed and built to be operated solely by humans are often not able to be retrofitted with AI algorithms, which means that any upgrades necessitate a complete, and likely expensive, overhaul of the security systems.
One industry that has been quick to embrace AI-powered security systems is the online gambling industry. For those who are interested in seeing what AI-driven security can look like, visiting a casino online and investigating its security protocols will give you an idea of what is possible. Having an industry that has been an early adoption of such a disruptive technology can help other industries learn what to do and what not to do. In many cases, online casinos staged entire overhauls of their security suites to incorporate AI solutions, rather than trying to incorporate new tech, with older non-compatible security technology.
Another important factor in the difficulty of incorporating AI systems is that it takes a very large amount of data to properly train an AI algorithm. Thankfully, other companies are doing this work, and it should be possible to buy an already trained AI, fit to purpose. All that remains is trusting that the trainers did their due diligence and that the AI will be effective.
EFFECTIVENESS OF AI-DRIVEN SECURITY SYSTEMS
AI-driven security systems are, for the most part, lauded as being effective. With faster threat detection and response times quicker than humanly possible, the advantage of using AI for data security is clear.
AI has also proven resilient in terms of adapting to new threats. AI has an inherent ability to learn, which means that as new threats are developed and new vulnerabilities emerge, a well-built AI will be able to learn and eventually respond to new threats just as effectively as old ones.
It has been suggested that AI systems must completely replace traditional data security solutions shortly. Part of the reason for this is not just their inherent effectiveness, but there is an anticipation that incoming threats will also be using AI. Better to fight fire with fire.
IS USING AI FOR SECURITY DANGEROUS?
The short answer is no, the long answer is no, but. The main concern when using AI security measures with little human input is that they could generate false positives or false negatives. AI is not infallible, and despite being able to process huge amounts of data, it can still get confused.
It could also be possible for the AI security system to itself be attacked and become a liability. If an attack were to target and inject malicious code into the AI system, it could see a breakdown in its effectiveness which would potentially allow multiple breaches.
The best remedy for both of these concerns is likely to ensure that there is still an alert human component to the security system. By ensuring that well-trained individuals are monitoring the AI systems, the dangers of false positives or attacks on the AI system are reduced greatly.
ARE THERE LEGITIMATE ETHICAL CONCERNS WHEN AI IS USED FOR SECURITY?
Yes. The main ethical concern relating to AI when used for security is that the algorithm could have an inherent bias. This can occur if the data used for the training of the AI is itself biased or incomplete in some way.
Another important ethical concern is that AI security systems are known to sort through personal data to do their job, and if this data were to be accessed or misused, privacy rights would be compromised.
Many AI systems also have a lack of transparency and accountability, which compounds the problem of the AI algorithm’s potential for bias. If an AI is concluding that a human operator cannot understand the reasoning, the AI system must be held suspect.
CONCLUSION
AI could be a great boon to security systems and is likely an inevitable and necessary upgrade. The inability of human operators to combat AI threats alone seems to suggest its necessity. Coupled with its ability to analyze and sort through mountains of data and adapt to threats as they develop, AI has a bright future in the security industry.
However, AI-driven security systems must be overseen by trained human operators who understand the complexities and weaknesses that AI brings to their systems.
“Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.”
OSINVGPT is an AI-based system that helps security analysts with open-source investigations and tool selection. While this tool was developed by “Very Simple Research.”
This tool can assist security analysts in gathering relevant information, sources, and tools for their investigations. It even helps researchers produce reports and summaries of their results.
OSINVGPT is available on ChatGPT and is useful for security researchers as it saves both time and effort.
Here below, we have mentioned all the key aspects that OSINVGPT can do:-
Data Analysis
Interpretation
Guidance on Methodology
Case Studies
Examples
Document Analysis
Fact-Checking
Verification
Recommendations Based on External Sources
Ethical Considerations
OSINVGPT’s data analysis and interpretation involve examining information from diverse open sources to form readable narratives and address specific queries. At the same time, guidance is offered on conducting transparent and accurate open-source investigations.
Detailed insights and suggestions are provided using real-world examples within the knowledge base. Appropriate data is analyzed and extracted from the uploaded documents for open-source investigations.
To ensure investigation accuracy, assistance is given in fact-checking using open-source data. Recommendations based on external sources are provided for queries beyond the direct knowledge base, with a focus on ethical considerations in open-source investigations for responsible conduct.
Moreover, if you want, you can access the OSINVGPT tool from here for open-source investigation.
CISA warns that a critical authentication bypass vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) is now under active exploitation.
Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8 and MobileIron Core 11.7 and below,.
Successful exploitation provides attackers access to personally identifiable information (PII) of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.
“Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply the RPM script,” the company said in August. “More detailed information can be found in this Knowledge Base articleon the Ivanti Community portal.”
Cybersecurity company Rapid7, which discovered and reported the vulnerability, provides indicators of compromise(IOCs) to help admins detect signs of a CVE-2023-35082 attack.
Shodan’s data also reveals that the more than 150 instances linked to government agencies worldwide can be directly accessed via the Internet.
Internet-exposed Ivanti EPMM user portals (Shodan)
While it has yet to provide further details on CVE-2023-35082 active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation and says there’s no evidence of abuse in ransomware attacks.
The cybersecurity agency also ordered U.S. federal agencies to patch it by February 2, as required by a binding operational directive (BOD 22-01) issued three years ago.
Ivanti has yet to update its Augustadvisories or issue another notification warning that attackers are using this security vulnerability in the wild.
Two other Ivanti Connect Secure (ICS) zero-days, an auth bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) are now also under mass exploitation by multiple threat groups, starting January 11.
Victims compromised so far range from small businesses to multiple Fortune 500 companies from various industry sectors, with the attackers having already backdoored over 1,700 ICS VPN appliances using a GIFTEDVISITOR webshell variant.
Today, DDoS attacks stand out as the most widespread cyber threat, extending their impact to APIs.
When successfully executed, these attacks can cripple a system, presenting a more severe consequence than DDoS incidents targeting web applications.
The increased risk amplifies the potential for reputational damage to the company associated with the affected APIs.
How Does DDoS Affect Your APIs?
A DDoS attack on an API involves overwhelming the targeted API with a flood of traffic from multiple sources, disrupting its normal functioning and causing it to become unavailable to legitimate users.
This attack can be particularly damaging as APIs play a crucial role in enabling communication between different software applications, and disruption can impact the overall functionality of interconnected systems.
The impact of DDoS attacks is particularly severe for businesses and organizations that depend on their APIs to deliver essential services to customers. These attacks, employing methods such as UDP floods, SYN floods, HTTP floods, and others, pose a significant threat.
Typically orchestrated through botnets—networks of compromised devices under the control of a single attacker—DDoS attacks can cripple a target’s functionality.
DDoS attacks on APIs focus on the server and each part of your API service. But how do attackers manage to exploit DDoS attacks on APIs?
This Webinar on API attack simulation shows an example of a DDoS attack on APIs and how WAAP can protect the API endpoints.
Several factors can make APIs vulnerable to DDoS attacks:
Absence or insufficient Rate-Limiting: If an API lacks robust rate-limiting mechanisms, attackers can exploit this weakness by sending a massive volume of requests in a short period, overwhelming the system’s capacity to handle them.
Inadequate Authentication and Authorization: Weak or compromised authentication measures can allow malicious actors to gain unauthorized access to an API. Once inside, they may misuse the API by flooding it with requests, leading to a DDoS scenario.
Insufficient Monitoring and Anomaly Detection: Ineffective monitoring and anomaly detection systems can make identifying abnormal traffic patterns associated with a DDoS attack challenging. Prompt detection is crucial for implementing mitigation measures.
Scalability Issues: APIs that cannot scale dynamically in response to increased traffic may become targets for DDoS attacks. A sudden surge in requests can overload the system if it cannot scale its resources efficiently.
How Do WAAP Solutions Protect Against DDoS Attacks on API?
Web Application and API Protection (WAAP) platform offers in-line blocking capabilities for all layer seven traffic, comprehensively securing web applications and APIs.
To guarantee robust security, WAFs incorporated into WAAP solutions provide immediate defense by filtering, monitoring, detecting, and automatically blocking malicious traffic, thereby preventing its access to the server.
Active monitoring of traffic on an API endpoint enables the identification of abnormal traffic patterns commonly linked to DDoS attacks. Instances of sudden spikes in traffic volume serve as red flags for potential attacks, and a proficient monitoring system can promptly detect and address such increases.
In addition, WAAP enforces rate limits by assessing the number of requests from an IP address. API rate limiting is critical in mitigating DDoS damage and reducing calls, data volume, and types. Setting limits aligned with API capacity and user needs enhances security and improves the user experience.
To avoid impacting genuine users, find solutions that use behavioral analysis technologies to establish a baseline for rate limiting.
AppTrana WAAP’s DDoS mitigation employs adaptive behavioral analysis for comprehensive defense, detecting and mitigating various DDoS attacks with a layered approach. It distinguishes between “flash crowds” and real DDoS attacks, using real-time behavioral analysis for precise mitigation. This enhances accuracy compared to static rate limit-based systems.
