InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
DuckDuckGo has unveiled a new feature, AI Chat, which offers users an anonymous way to access popular AI chatbots.
This innovative service includes models like OpenAI’s GPT 3.5 Turbo, Anthropic’s Claude 3 Haiku, and two open-source models, Meta Llama 3 and Mistral’s Mixtral 8x7B.
A New Era Of Private AI Interaction
DuckDuckGo’s AI Chat is designed to provide a private and anonymous experience for users who want to interact with AI chatbots.
This optional feature is free to use within a daily limit and can be easily switched off if desired.
The company emphasizes that all chats are private, anonymized, and not used for any AI model training.
According to the Spreadprivacy blog, users can access DuckDuckGo AI Chat through various entry points, including duck.ai, duckduckgo.com/chat, the Chat tab on search results pages, or via the !ai and !chat bang shortcuts.
All these routes lead to the same destination, ensuring a seamless user experience.
Why AI Chat?
DuckDuckGo’s mission is to demonstrate that online privacy can be easily maintained.
The company believes people should be able to use the internet and digital tools without sacrificing their privacy.
This philosophy has driven the development of products that add a layer of privacy to everyday online activities, from search and browsing to email and now generative AI with AI Chat.
According to recent Pew research, many U.S. adults have concerns about AI’s impact on privacy, even as they recognize its potential benefits in other areas.
DuckDuckGo AI Chat aims to address these concerns by offering a private and anonymous way to use AI chatbots.
Enhancing The Search Experience
DuckDuckGo takes a thoughtful approach to integrating AI features in the competitive landscape of generative AI.
Before rolling out, the company carefully considers how these features can enhance the search and browsing experience.
AI Chat and search are seen as complementary tools that can help users find information more effectively, especially when exploring new topics.
For instance, users might start with AI Chat to ask a few questions and then switch to traditional search to find reviews, prices, or other primary sources.
Conversely, they might begin with a search and then use AI Chat for follow-up queries.
This flexibility allows users to choose the method that best suits their needs.
How It Works And Ensures Privacy
When they land on the AI Chat page, users can select their preferred chat model and interact with it as they would with any other chat interface.
All chats are completely anonymous, with DuckDuckGo removing users’ IP addresses and using its own instead.
This ensures that requests appear to come from DuckDuckGo, not the individual user.
DuckDuckGo does not save or store any chats. While the underlying model providers may temporarily store chats to ensure system functionality, they cannot trace them back to individual users.
Agreements with model providers ensure that any saved chats are deleted within 30 days and are not used for model training.
AI Chat is free to use within a daily limit, maintaining strict user anonymity.
DuckDuckGo plans to keep the current level of access free while exploring a paid plan for higher usage limits and more advanced chat models.
DuckDuckGo is already working on improvements to AI Chat, including new capabilities like custom system prompts and general user experience enhancements.
The company also plans to add more chat models, potentially including DuckDuckGo- or user-hosted options.
Users are encouraged to provide feedback on desired features via the Share Feedback button on the AI Chat screen.
To experience DuckDuckGo AI Chat, visit duck.ai or duckduckgo.com/chat.
You can also find it on your search results page under the Chat tab or initiate a chat using the !ai or !chat bang shortcuts.
If AI Chat isn’t for you, it can be easily disabled in the Search settings menu.
The hardest part of many projects is knowing where to start.
ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).
In other words, it lays out the requirements you must meet, but doesn’t show you how to adopt or implement them.
With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt the 2022 version of the standard – which means tackling a new Annex A control set, among other new requirements.
The implementation project should begin by appointing a project leader.
They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:
What do we hope to achieve?
How long will the project take?
Does the project have top management support?
What resources – financial and otherwise – will the project need?
2. Develop the ISO 27001 implementation plan
The next step is to use your project mandate to create a more detailed outline of:
Your information security objectives;
Your project risk register;
Your project plan; and
Your project team.
Information security objectives
Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.
They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.
Project risk register
Your project risk register should account for risks to the project itself, which might be:
Managerial – will operational management continue to support the project?
Budgetary – will funding continue to see the project through?
Legal – are specific legal obligations at risk?
Cultural – will staff resist change?
Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.
Project plan
The project plan should detail the actions you must take to implement the ISMS.
This should include the following information:
Resources required
Responsibilities
Review dates
Deadlines
Project team
The project team should represent the interests of every part of the organisation and include various levels of seniority.
Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:
Responsible;
Accountable;
Consulted; and
Informed.
One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.
3. ISMS initiation
You’re now ready to initiate your ISMS!
Documentation structure
A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.
We recommend a four-tier approach:
A. Policies: These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.
B. Procedures: These enact the requirements of your policies at a high level.
C. Work instructions: These set out how employees implement individual elements of the procedures.
D. Records: These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.
This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring that you implement policies at each level of your organisation and that you develop well-functioning, cohesive processes.
Tips for more effective policies and procedures
Your policies and procedures must also be effective. Here are four tips:
Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
Keep them clear and straightforward, so staff can easily follow your procedures.
Use version control, so everyone knows which is the latest document.
Avoid duplication. This will also help with the version control.
Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.
Continual improvement
As part of your ISMS initiation, you’ll need to select a continual improvement methodology.
First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:
Continual improvement means getting better results for your investment. That typically means one of two things:
1. Getting the same results while spending less money.
2. Getting better results while spending the same amount of money.
Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.
But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.
While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.
Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.
Legal documents, HR data, source code, and other sensitive corporate information are being fed into unlicensed, publicly available AIs at a swift rate, leaving IT leaders with a mounting shadow AI mess.
Employees at many organizations are engaging in widespread use of unauthorized AI models behind the backs of their CIOs and CISOs, according to a recent study.
Employees are sharing company legal documents, source code, and employee information with unlicensed, non-corporate versions of AIs, including ChatGPT and Google Gemini, potentially leading to major headaches for CIOs and other IT leaders, according to research from Cyberhaven Labs.
About 74% of the ChatGPT use at work is through non-corporate accounts, potentially giving the AI the ability to use or train on that data, says the Cyberhaven Q2 2024 AI Adoption and Risk Report, based on actual AI usage patterns of 3 million workers. More than 94% of workplace use of Google AIs Gemini and Bard is from non-corporate accounts, the study reveals.
Nearly 83% of all legal documents shared with AI tools go through non-corporate accounts, the report adds, while about half of all source code, R&D materials, and HR and employee records go into unauthorized AIs.
The amount of data put into all AI tools saw nearly a five-fold increase between March 2023 and March 2024, according to the report. “End users are adopting new AI tools faster than IT can keep up, fueling continued growth in ‘shadow AI,’” the report adds.
Where does the data go?
At the same time, many users may not know what happens to their companies’ data once they share it with an unlicensed AI. ChatGPT’s terms of use, for example, say the ownership of the content entered remains with the users. However, ChatGPT may use that content to provide, maintain, develop, and improve its services, meaning it could train itself using shared employee records. Users can opt out of ChatGPT training itself on their data.
So far, there have been no high-profile reports about major company secrets spilled by large public AIs, but security experts worry about what happens to company data once an AI ingests it. On May 28, OpenAI announced a new Safety and Security Committee to address concerns.
It’s difficult to assess the risk of sharing confidential or sensitive information with publicly available AIs, says Brian Vecci, field CTO at Varonis, a cloud security firm. It seems unlikely that companies like Google or ChatGPT developer OpenAI will allow their AIs to leak sensitive business data to the public, given the headaches such disclosures would cause them, he says.
Still, there aren’t many rules governing what AI developers can do with the data users provide them, some security experts note. Many more AI models will be rolled out in the coming years, Vecci says.
“When we get outside of the realm of OpenAI and Google, there are going to be other tools that pop up,” he says. “There are going to be AI tools out there that will do something interesting but are not controlled by OpenAI or Google, which presumably have much more incentive to be held accountable and treat data with care.”
The coming wave of second- and third-tier AI developers may be fronts for hacking groups, may see profit in selling confidential company information, or may lack the cybersecurity protections that the big players have, Vecci says.
“There’s some version of an LLM tool that’s similar to ChatGPT and is free and fast and controlled by who knows who,” he says. “Your employees are using it, and they’re forking over source code and financial statements, and that could be a much higher risk.”
Risky behavior
Sharing company or customer data with any unauthorized AI creates risk, regardless of whether the AI model trains on that data or shares it with other users, because that information now exists outside company walls, adds Pranava Adduri, CEO of Bedrock Security.
Adduri recommends organizations sign licensed deals, containing data use restrictions, with AI vendors so that employees can experiment with AI.
“The problem boils down to the inability to control,” he says. “If the data is getting shipped off to a system where you don’t have that direct control, usually the risk is managed through legal contracts and legal agreements.”
AvePoint, a cloud data management company, has signed an AI contract to head off the use of shadow AI, says Dana Simberkoff, chief risk, privacy, and information security officer at the company. AvePoint thoroughly reviewed the licensing terms, including the data use restrictions, before signing.
A major problem with shadow AI is that users don’t read the privacy policy or terms of use before shoveling company data into unauthorized tools, she says.
“Where that data goes, how it’s being stored, and what it may be used for in the future is still not very transparent,” she says. “What most everyday business users don’t necessarily understand is that these open AI technologies, the ones from a whole host of different companies that you can use in your browser, actually feed themselves off of the data that they’re ingesting.”
Training and security
AvePoint has tried to discourage employees from using unauthorized AI tools through a comprehensive education program, through strict access controls on sensitive data, and through other cybersecurity protections preventing the sharing of data. AvePoint has also created an AI acceptable use policy, Simberkoff says.
Employee education focuses on common employee practices like granting wide access to a sensitive document. Even if an employee only notifies three coworkers that they can review the document, allowing general access can enable an AI to ingest the data.
“AI solutions are like this voracious, hungry beast that will take in anything that they can,” she says.
Using AI, even officially licensed ones, means organizations need to have good data management practices in place, Simberkoff adds. An organization’s access controls need to limit employees from seeing sensitive information not necessary for them to do their jobs, she says, and longstanding security and privacy best practices still apply in the age of AI.
Rolling out an AI, with its constant ingestion of data, is a stress test of a company’s security and privacy plans, she says.
“This has become my mantra: AI is either the best friend or the worst enemy of a security or privacy officer,” she adds. “It really does drive home everything that has been a best practice for 20 years.”
Simberkoff has worked with several AvePoint customers that backed away from AI projects because they didn’t have basic controls such as an acceptable use policy in place.
“They didn’t understand the consequences of what they were doing until they actually had something bad happen,” she says. “If I were to give one really important piece of advice it’s that it’s okay to pause. There’s a lot of pressure on companies to deploy AI quickly.”
OpenAI on Thursday disclosed that it took steps to cut off five covert influence operations (IO) originating from China, Iran, Israel, and Russia that sought to abuse its artificial intelligence (AI) tools to manipulate public discourse or political outcomes online while obscuring their true identity.
These activities, which were detected over the past three months, used its AI models to generate short comments and longer articles in a range of languages, cook up names and bios for social media accounts, conduct open-source research, debug simple code, and translate and proofread texts.
The AI research organization said two of the networks were linked to actors in Russia, including a previously undocumented operation codenamed Bad Grammar that primarily used at least a dozen Telegram accounts to target audiences in Ukraine, Moldova, the Baltic States and the United States (U.S.) with sloppy content in Russian and English.
“The network used our models and accounts on Telegram to set up a comment-spamming pipeline,” OpenAI said. “First, the operators used our models to debug code that was apparently designed to automate posting on Telegram. They then generated comments in Russian and English in reply to specific Telegram posts.”
The operators also used its models to generate comments under the guise of various fictitious personas belonging to different demographics from across both sides of the political spectrum in the U.S.
The other Russia-linked information operation corresponded to the prolific Doppelganger network (aka Recent Reliable News), which was sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) earlier this March for engaging in cyber influence operations.
The network is said to have used OpenAI’s models to generate comments in English, French, German, Italian, and Polish that were shared on X and 9GAG; translate and edit articles from Russian to English and French that were then posted on bogus websites maintained by the group; generate headlines; and convert news articles posted on its sites into Facebook posts.
“This activity targeted audiences in Europe and North America and focused on generating content for websites and social media,” OpenAI said. “The majority of the content that this campaign published online focused on the war in Ukraine. It portrayed Ukraine, the US, NATO and the EU in a negative light and Russia in a positive light.”
The other three activity clusters are listed below –
A Chinese-origin network known as Spamouflage that used its AI models to research public social media activity; generate texts in Chinese, English, Japanese, and Korean for posting across X, Medium, and Blogger; propagate content criticizing Chinese dissidents and abuses against Native Americans in the U.S.; and debug code for managing databases and websites
An Iranian operation known as the International Union of Virtual Media (IUVM) that used its AI models to generate and translate long-form articles, headlines, and website tags in English and French for subsequent publication on a website named iuvmpress[.]co
A network referred to as Zero Zeno emanating from a for-hire Israeli threat actor, a business intelligence firm called STOIC, that used its AI models to generate and disseminate anti-Hamas, anti-Qatar, pro-Israel, anti-BJP, and pro-Histadrut content across Instagram, Facebook, X, and its affiliated websites targeting users in Canada, the U.S., India, and Ghana.
“The [Zero Zeno] operation also used our models to create fictional personas and bios for social media based on certain variables such as age, gender and location, and to conduct research into people in Israel who commented publicly on the Histadrut trade union in Israel,” OpenAI said, adding its models refused to supply personal data in response to these prompts.
The ChatGPT maker emphasized in its first threat report on IO that none of these campaigns “meaningfully increased their audience engagement or reach” from exploiting its services.
The development comes as concerns are being raised that generative AI (GenAI) tools could make it easier for malicious actors to generate realistic text, images and even video content, making it challenging to spot and respond to misinformation and disinformation operations.
“So far, the situation is evolution, not revolution,” Ben Nimmo, principal investigator of intelligence and investigations at OpenAI, said. “That could change. It’s important to keep watching and keep sharing.”
Separately, Meta, in its quarterly Adversarial Threat Report, also shared details of STOIC’s influence operations, saying it removed a mix of nearly 500 compromised and fake Facebook and Instagram accounts used by the actor to target users in Canada and the U.S.
“This campaign demonstrated a relative discipline in maintaining OpSec, including by leveraging North American proxy infrastructure to anonymize its activity,” the social media giant said.
Meta further said it removed hundreds of accounts, comprising deceptive networks from Bangladesh, China, Croatia, Iran, and Russia, for engaging in coordinated inauthentic behavior (CIB) with the goal of influencing public opinion and pushing political narratives about topical events. The China-linked malign network, for instance, mainly targeted the global Sikh community and consisted of several dozen Instagram and Facebook accounts, pages, and groups that were used to spread manipulated imagery and English and Hindi-language posts related to a non-existent pro-Sikh movement, the Khalistan separatist movement, and criticism of the Indian government.
It pointed out that it hasn’t so far detected any novel and sophisticated use of GenAI-driven tactics, with the company highlighting instances of AI-generated video news readers that were previously documented by Graphika and GNET, indicating that despite the largely ineffective nature of these campaigns, threat actors are actively experimenting with the technology.
Doppelganger, Meta said, has continued its “smash-and-grab” efforts, albeit with a major shift in tactics in response to public reporting, including the use of text obfuscation to evade detection (e.g., using “U. kr. ai. n. e” instead of “Ukraine”) and dropping its practice of linking to typosquatted domains masquerading as news media outlets since April.
“The campaign is supported by a network with two categories of news websites: typosquatted legitimate media outlets and organizations, and independent news websites,” Sekoia said in a report about the pro-Russian adversarial network published last week.
“Disinformation articles are published on these websites and then disseminated and amplified via inauthentic social media accounts on several platforms, especially video-hosting ones like Instagram, TikTok, Cameo, and YouTube.” These social media profiles, created in large numbers and in waves, leverage paid ads campaigns on Facebook and Instagram to direct users to propaganda websites. The Facebook accounts are also called burner accounts owing to the fact that they are used to share only one article and are subsequently abandoned.
The French cybersecurity firm described the industrial-scale campaigns – which are geared towards both Ukraine’s allies and Russian-speaking domestic audiences on the Kremlin’s behalf – as multi-layered, leveraging the social botnet to initiate a redirection chain that passes through two intermediate websites in order to lead users to the final page.
Doppelganger, along with another coordinated pro-Russian propaganda network designated as Portal Kombat, has also been observed amplifying content from a nascent influence network dubbed CopyCop, demonstrating a concerted effort to promulgate narratives that project Russia in a favorable light.
Recorded Future, in a report released this month, said CopyCop is likely operated from Russia, taking advantage of inauthentic media outlets in the U.S., the U.K., and France to promote narratives that undermine Western domestic and foreign policy, and spread content pertaining to the ongoing Russo-Ukrainian war and the Israel-Hamas conflict.
“CopyCop extensively used generative AI to plagiarize and modify content from legitimate media sources to tailor political messages with specific biases,” the company said. “This included content critical of Western policies and supportive of Russian perspectives on international issues like the Ukraine conflict and the Israel-Hamas tensions.”
Earlier in May, ByteDance-owned TikTok said it had uncovered and stamped out several such networks on its platform since the start of the year, including ones that it traced back to Bangladesh, China, Ecuador, Germany, Guatemala, Indonesia, Iran, Iraq, Serbia, Ukraine, and Venezuela.
TikTok, which is currently facing scrutiny in the U.S. following the passage of a law that would force its Chinese parent to sell the company or face a ban in the country, has become an increasingly preferred platform for Russian state-affiliated accounts in 2024, according to a new report from the Brookings Institution.
What’s more, the social video hosting service has emerged as a breeding ground for what has been characterized as a complex influence campaign known as Emerald Divide (aka Storm-1364) that is believed to be orchestrated by Iran-aligned actors since 2021 targeting Israeli society.
“Emerald Divide is noted for its dynamic approach, swiftly adapting its influence narratives to Israel’s evolving political landscape,” Recorded Future said.
“It leverages modern digital tools such as AI-generated deepfakes and a network of strategically operated social media accounts, which target diverse and often opposing audiences, effectively stoking societal divisions and encouraging physical actions such as protests and the spreading of anti-government messages.”
Maintaining a list of assets, their business criticality, and who/where they are is the first step to establishing control over your environment. To do this, start with these steps:
Identify the systems, data, and people assets that you need to protect.
Identify the threats to those assets, and prioritize them.
Identify what you want to do to protect your priority assets from their most significant threats.
2. Identify the activities you need to complete
It is important to establish a list of security activities and the cadence on which they will need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need to be done quarterly or even monthly. For example, you may only need to do an annual penetration test, but how often do you need to perform internal vulnerability scans? Establishing the list of compliance management activities you need to complete and when they need to be completed will be a great starting point for your 2024 compliance program.
DISC llc provides you with a full list of Information Security activities (GRC) required to achieve a successful data security program. This list includes activities such as:
Review policies and procedures (including Acceptable Use Policy)
Complete a risk assessment – this should be done annually
Review security training – to ensure new employees, as well as current employees, are up to date on all their training
Test and update your Business Continuity Plan – this should be done on an annual basis to account for any new situations that may occur
Review regulatory and legal compliance requirements – especially important for organizations that need to consider regulations such as ISO 27001:2022, SOC2, GDPR, CPRA, etc.
Conduct an inventory of your data assets – data assets change over the year so it is important this document is updated regularly.
3. Assign the right people and resources (RACI Matrix)
It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.
4. Schedule all your meetings and tasks for the year (Audit/Assessment planning)
It might seem a little early to schedule a meeting in July but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.
If it is not documented, then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice. Make sure all the required policies are approved and reviewed on a regular basis.
6. Plan ahead to future-proof your security program
Identify the frameworks you may want to tackle down the road and use a platform that supports crosswalking between frameworks. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs. DISC llc performs Security Risk Assessments based on diverse standards and regulations, aligning them with the standard of your preference.
To learn more about compliance management you should seek expert advice from serious security professionals like the DISC Professional Services team.
Attackers in South Korea are distributing malware, including RATs and crypto miners, disguised as cracked software; the malware registers itself with the Task Scheduler to ensure persistence.
Even after the initial malware is removed, the Task Scheduler triggers PowerShell commands that download and install new variants. The infection persists because the PowerShell commands keep changing, leaving unpatched systems vulnerable to information theft, proxy abuse, and cryptocurrency mining.
Attack flow
Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.
Cybercriminals are distributing malware disguised as cracked software. The malware, developed in .NET, uses obfuscation to hide its malicious code, and initially, it accessed Telegram to retrieve a download URL.
Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.
The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains.
Commands encoded in Base64
The updater malware, “software_reporter_tool.exe,” uses a PowerShell script to handle downloads and maintain persistence. The script creates a malicious executable at “C:\ProgramData\KB5026372.exe” and uses a compromised 7zip installation (“C:\ProgramData\Google\7z.exe”) to decompress a password-protected archive from GitHub or Google Drive (password: “x”), mirroring tactics from a previous campaign.
Malware installation using 7z and PowerShell
Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation.
The attackers deployed Orcus RAT and XMRig on the compromised system.
Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency.
3Proxy’s configuration file
XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process.
A Korean security program unable to operate properly due to the AntiAV malware
According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.
Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal.
Some inauthentic networks used artificial intelligence in their campaigns to push certain political agendas, according to Meta.
Meta says it cracked down on propaganda campaigns on its platforms, including one that used AI to influence political discourse and create the illusion of wider support for certain viewpoints, according to its quarterly threat report published today. Some campaigns pushed political narratives about current events, including campaigns coming from Israel and Iran that posted in support of the Israeli government.
The networks used Facebook and Instagram accounts to try to influence political agendas around the world. The campaigns — some of which also originated in Bangladesh, China, and Croatia — used fake accounts to post in support of political movements, promote fake news outlets, or comment on the posts of legitimate news organizations.
A network originating in China, for example, consisted of several dozen Instagram and Facebook accounts, pages, and groups and was used to target global Sikh communities, Meta says. Another campaign traced to Israel used more than 500 Facebook and Instagram accounts to pose as local Jewish students, African Americans, and “concerned” citizens praising Israeli military actions and discussing campus antisemitism, among other types of content.
Some of the content shared by those two networks was likely created using generative AI tools, Meta writes. Accounts in the China-based campaign shared AI-generated images, and the Israeli campaign posted AI-generated comments, Meta found. The report says that, for now, AI-powered influence campaigns are not sophisticated enough to evade existing systems of detection.
Influence campaigns are regularly discovered on social media platforms. Earlier in May, TikTok said it had uncovered and disrupted a dozen such networks on its platform, including one that it traced to China.
North Korea’s newest threat actor uses every trick in the nation-state APT playbook, and most of cybercrime’s tricks, too. It also developed a whole video game company to hide malware.
Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.
In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) Diamond Sleet. The former copped from the latter’s malware — like the Comebacker Trojan — as well as its infrastructure and preferred techniques — such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, though, moving to its own infrastructure and establishing for itself a unique, if rather erratic identity.
For one thing, where some of Kim Jong-Un’s threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.
“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.”
Moonstone Sleet’s Grab Bag of TTPs
To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”
To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.
From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and social media accounts to go along with it all, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complimented its victims and offered to collaborate on upcoming projects.
In other cases, the group used another fake company — C.C. Waterfall — to spread an especially creative ruse.
In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” — also called DeFiTankWar, DeTankZone, or TankWarsZone — is marketed as a community-driven, play-to-earn tank combat game. It has its own websites, and X accounts for fake personas used to promote it.
Remarkably, DeTankWar is a fully functional (if atavistic) video game. When users launch it, though, they also download malicious DLLs with a custom loader called “YouieLoad.” YouieLoad loads malicious payloads to memory, and creates services that probe victim machines and collect data, and allow its owners to perform extra hands-on command execution.
Whack-a-Mole Cyber Defense
Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also try to get hired for remote tech jobs with real companies. It spreads malicious npm packages on LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars worth of Bitcoin.
In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.
“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity — one that balances technical defenses with strategic intelligence and continuous vigilance.”
The cyber intrusion into MITRE’s environment was a meticulously planned and executed operation, highlighting the attackers’ advanced technical capabilities and understanding of virtualized environments. The attackers exploited specific vulnerabilities in Ivanti Connect Secure (ICS), identified as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities allowed unauthorized access to the VMware infrastructure, providing the attackers with a foothold within the network.
Initial Penetration and Exploitation: The attackers began by identifying and exploiting weaknesses in the Ivanti Connect Secure (ICS) infrastructure. The vulnerabilities in question were zero-day exploits, meaning they were unknown to the vendor and had no existing patches or mitigations at the time of the attack. By exploiting these vulnerabilities, the attackers could bypass authentication mechanisms and gain administrative access to the virtualized environment.
Deployment of Rogue Virtual Machines (VMs): Once inside the network, the attackers created and deployed rogue VMs. These VMs were crafted to mimic legitimate virtual machines, allowing them to blend into the existing infrastructure and evade detection. The deployment of rogue VMs served multiple purposes:
Persistence: Rogue VMs provided a stable and resilient presence within the network, ensuring that the attackers could maintain access over an extended period.
Evasion: By operating within the virtualized environment, the rogue VMs could bypass traditional security measures that focus on physical or network-based threats.
Expansion: The rogue VMs acted as a base for further malicious activities, including data exfiltration, lateral movement within the network, and the deployment of additional malware.
Command and Control (C2) Operations: The attackers established robust C2 channels to maintain control over the rogue VMs. These channels allowed the attackers to issue commands, receive data, and monitor the status of their malicious operations. The C2 infrastructure was designed to be resilient, utilizing techniques such as encryption and redundancy to avoid detection and disruption.
TECHNICAL DEEP DIVE: UNDERSTANDING THE ATTACK
To fully appreciate the sophistication of the attack, it is essential to delve into the technical aspects of the methodologies employed by the attackers.
Vulnerability Exploitation:
The vulnerabilities exploited, CVE-2023-46805 and CVE-2024-21887, were critical flaws within the Ivanti Connect Secure (ICS) software. These flaws allowed the attackers to execute arbitrary code and gain administrative privileges within the virtualized environment.
The attackers used a combination of social engineering, phishing, and advanced scanning techniques to identify vulnerable systems. Once identified, they deployed custom exploit scripts to gain access.
Rogue VM Deployment:
The deployment process involved creating VMs that were virtually identical to legitimate ones, making detection difficult. The attackers leveraged existing VM templates and modified them to include their malicious payloads.
These rogue VMs were configured to operate with minimal resource usage, further reducing the likelihood of detection through performance monitoring.
Rogue VMs are created and managed through service accounts directly on the hypervisor, rather than through the vCenter administrative console. As a result, these VMs do not appear in the inventory.
The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.
By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.
Persistence Mechanisms:
To ensure persistence, the attackers implemented several techniques within the rogue VMs. These included installing rootkits and other low-level malware that could survive reboots and updates.
The attackers also manipulated the VM management tools to hide the presence of the rogue VMs from administrators.
Evasion Tactics:
The attackers employed various evasion tactics to avoid detection by security tools. These included using encrypted communication channels, obfuscating malicious code, and leveraging legitimate administrative tools to carry out their activities.
They also frequently rotated their command and control servers to avoid being blacklisted or shut down.
IMPLICATIONS FOR CYBERSECURITY
The MITRE cyber intrusion serves as a stark reminder of the evolving tactics used by cybercriminals and the vulnerabilities inherent in virtualized environments. This incident highlights several critical areas for improvement in cybersecurity practices:
Enhanced Vulnerability Management: Organizations must adopt rigorous vulnerability management practices to identify and remediate vulnerabilities promptly. This includes regular patching, conducting vulnerability assessments, and staying informed about emerging threats.
Advanced Detection Mechanisms: Traditional security measures are often inadequate in virtualized environments. Organizations need to implement advanced detection mechanisms that can identify anomalous activities within virtualized infrastructures. This includes behavior-based monitoring, anomaly detection, and machine learning algorithms to identify suspicious activities.
Comprehensive Security Training: Human factors remain a significant vulnerability in cybersecurity. Comprehensive training programs for employees can help reduce the risk of social engineering and phishing attacks, which are often the initial vectors for intrusions.
Robust Incident Response Plans: Having a well-defined incident response plan is crucial for mitigating the impact of cyber intrusions. This plan should include procedures for identifying, containing, and eradicating threats, as well as recovery strategies to restore normal operations.
DETECTING ADVERSARY ACTIVITY IN VMWARE ECOSYSTEM
In VMware’s environment, spotting adversary activity demands meticulous scrutiny. For instance, adversaries might enable SSH on hypervisors and log in by routing traffic through the vCenter Server. This technique underscores the importance of monitoring SSH activity for signs of unauthorized access.
WHAT TO LOOK FOR:
Anomalous SSH Enablement: Keep a close watch for unexpected occurrences of “SSH login enabled” messages. Any activation of SSH outside the normal administrative cycle could indicate malicious activity.
Unusual SSH Sessions: Monitor for deviations from the expected pattern of SSH sessions being opened. Look out for instances where “SSH session was opened for” messages occur unexpectedly or at unusual times.
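One way to turn the two checks above into a repeatable log review, as an added example that is not from the original article or from MITRE. Only the two quoted message strings come from the text; the log layout, the change window, and the addresses (documentation-range IPs) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed log lines. The timestamp-first layout and the 'user@address'
# suffix are assumptions; adapt the parsing to your hypervisor's log format.
SAMPLE_LOG = """\
2024-03-04T14:02:11Z hostd: SSH login enabled
2024-03-04T14:03:40Z hostd: SSH session was opened for 'root@192.0.2.20'.
2024-03-09T02:41:09Z hostd: SSH login enabled
2024-03-09T02:41:55Z hostd: SSH session was opened for 'root@192.0.2.15'.
2024-03-09T09:15:00Z hostd: unrelated message
"""


def _utc(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-04T14:02:11Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Hypothetical site configuration: approved change windows, admin jump hosts,
# and the vCenter Server address (the article notes SSH routed through vCenter).
CHANGE_WINDOWS = [(_utc("2024-03-04T14:00:00Z"), _utc("2024-03-04T15:00:00Z"))]
ADMIN_SOURCES = {"192.0.2.20"}
VCENTER_ADDRESS = "192.0.2.15"

ENABLED = "SSH login enabled"
SESSION = re.compile(
    r"SSH session was opened for '?(?P<user>[^@'\s]+)@(?P<source>[0-9A-Fa-f:.]+)"
)


def scan_ssh_events(log_text, windows=CHANGE_WINDOWS,
                    admin_sources=ADMIN_SOURCES, vcenter=VCENTER_ADDRESS):
    """Return SSH enablement/session events that fall outside the expected pattern."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) < 2:
            continue
        try:
            when = _utc(parts[0])
        except ValueError:
            continue  # line does not start with a timestamp we understand
        in_window = any(start <= when <= end for start, end in windows)
        reasons = []
        session = SESSION.search(line)
        if session:
            event, source = "ssh_session", session["source"].rstrip(".")
            if source not in admin_sources:
                reasons.append("source is not an approved admin host")
            if source == vcenter:
                reasons.append("source is the vCenter Server address")
        elif ENABLED in line:
            event, source = "ssh_enabled", None
        else:
            continue
        if not in_window:
            reasons.insert(0, "outside approved change window")
        if reasons:
            findings.append({"time": parts[0], "event": event,
                             "source": source, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_ssh_events(SAMPLE_LOG):
        print(finding)
```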
NOTABLE ATT&CK TECHNIQUES: DEPLOYING ROGUE VMS
Moving forward to January 7, 2024, the adversary accessed VMs and deployed malicious payloads, the BRICKSTORM backdoor and the BEEFLUSH web shell. The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives.
The adversary bypassed detection mechanisms by deploying rogue VMs, as VPXUSER, directly onto hypervisors using SFTP to write files then executed them with /bin/vmx. By doing this, these rogue VMs were not discoverable via vCenter, the ESXi web interface, and even some on-hypervisor command-line utilities that query the API.
These rogue VMs contained the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets within the prototyping network.
LEVERAGING THE VPXUSER ACCOUNT
Adversaries often can leverage the VPXUSER account to perform various administrative tasks, such as enumerating VMs, accessing configuration settings, and interacting with the underlying hypervisor infrastructure. Additionally, adversaries may deploy rogue VMs directly onto hypervisors to evade detection mechanisms and maintain persistence within the environment. Rogue VMs, which are created and operated without proper authorization and management by the hypervisor, provide adversaries with a stealthy foothold for conducting malicious activities. These VMs can bypass visibility controls within VMware management interfaces, making them difficult to detect and mitigate.
DETECTING ROGUE VMS
Safeguarding against rogue VMs and any ensuing persistence demands a vigilant approach. Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs. This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.
WHAT TO LOOK FOR:
Command-Line Usage: Utilize the following commands on an ESXi hypervisor to identify unregistered VMs:
vim-cmd vmsvc/getallvms
esxcli vm process list | grep Display
Comparison of VM Lists: Compare the output of vim-cmd, which checks for VMs via the API, with the list of running VMs from esxcli, which queries the host hypervisor directly. Differences between the two lists indicate a potential problem: a VM that is running on the hypervisor but does not appear in the registered VM data returned by the API warrants further investigation as a possible unregistered/rogue VM.
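The comparison described above can be scripted over saved output of the two commands. This is an added example, not code from the original article or from MITRE; the sample outputs are constructed and trimmed, and their column and field layout is an assumption about how the two commands print. It goes one step beyond the name comparison in the text by also checking the .vmx path, so a running VM that reuses a registered display name is still flagged.

```python
import re

# Constructed sample of `vim-cmd vmsvc/getallvms` output (VMs registered via the API).
GETALLVMS_OUTPUT = """\
Vmid   Name          File                                 Guest OS            Version   Annotation
1      web01         [datastore1] web01/web01.vmx         ubuntu64Guest       vmx-13
2      db 01         [datastore1] db01/db01.vmx           centos7_64Guest     vmx-13    Finance DB
4      build-agent   [datastore2] build-agent/build.vmx   otherLinux64Guest   vmx-14
"""

# Constructed, trimmed sample of `esxcli vm process list` output (running VMX processes).
ESXCLI_OUTPUT = """\
web01
   World ID: 2100123
   Display Name: web01
   Config File: /vmfs/volumes/5f3c1a2b-0001/web01/web01.vmx

db 01
   World ID: 2100456
   Display Name: db 01
   Config File: /vmfs/volumes/5f3c1a2b-0001/db01/db01.vmx

web01
   World ID: 2100789
   Display Name: web01
   Config File: /vmfs/volumes/5f3c1a2b-0002/.tmp/web01.vmx

svc-helper
   World ID: 2100999
   Display Name: svc-helper
   Config File: /vmfs/volumes/5f3c1a2b-0002/svc/svc.vmx
"""

REGISTERED_ROW = re.compile(
    r"^\s*\d+\s+(?P<name>.+?)\s+\[[^\]]+\]\s+(?P<vmx>.+?\.vmx)(?:\s|$)"
)
VOLUME_PREFIX = re.compile(r"^/vmfs/volumes/[^/]+/")


def parse_registered(text):
    """Return {(display name, datastore-relative .vmx path)} for registered VMs."""
    registered = set()
    for line in text.splitlines():
        match = REGISTERED_ROW.match(line)
        if match:  # the header and wrapped annotation lines do not match
            registered.add((match["name"], match["vmx"]))
    return registered


def parse_running(text):
    """Return [(display name, config file path)] for running VMX processes."""
    running = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Display Name" in fields:
            running.append((fields["Display Name"], fields.get("Config File", "")))
    return running


def find_unregistered(registered, running):
    """Flag running VMs the API does not know about. Powered-off registered VMs are normal."""
    findings = []
    names = {name for name, _ in registered}
    for name, config in running:
        # Limitation: the datastore itself is not compared, only the path below it.
        relative = VOLUME_PREFIX.sub("", config)
        if name not in names:
            findings.append((name, config, "display name not registered"))
        elif (name, relative) not in registered:
            findings.append((name, config, "name registered, but from a different .vmx path"))
    return findings


if __name__ == "__main__":
    registered = parse_registered(GETALLVMS_OUTPUT)
    for finding in find_unregistered(registered, parse_running(ESXCLI_OUTPUT)):
        print(finding)
```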
DETECTING VMWARE PERSISTENCE
To address the persistence of these rogue VMs, it is crucial to scrutinize the hypervisor’s startup scripts.
WHAT TO LOOK FOR:
Persistence Mechanism: Monitor for modification of the legitimate /etc/rc.local.d/local.sh file to include the following line:
Persistence Identification: Search for invocations of the /bin/vmx binary within /etc/rc.local.d/ or more specifically by manually reviewing the local.sh startup script with the following commands:
grep -r \/bin\/vmx /etc/rc.local.d/
cat /etc/rc.local.d/local.sh
The infiltration of MITRE’s network through VMware vulnerabilities underscores the need for heightened vigilance and advanced security measures in virtualized environments. As attackers continue to refine their techniques, organizations must evolve their defenses to protect against these sophisticated threats. By adopting comprehensive security practices, staying informed about emerging vulnerabilities, and fostering a culture of cybersecurity awareness, organizations can better defend against future intrusions.
Cybersecurity journalist Joseph Cox, author of the new book Dark Wire, tells us the wild, true story behind secure phone startup Anom.
On today’s episode of Decoder, I sat down with Joseph Cox, one of the best cybersecurity reporters around. Joseph spent a long time working at Vice’s tech vertical Motherboard, but last year, after Vice imploded, he and three other journalists co-founded a new site, called 404 Media, where they’re doing some really great work.
Criminals like drug traffickers represent a market for encrypted, secure communications away from the eyes of law enforcement. In the early mobile era, that gave rise to a niche industry of specialized, secured phones criminals used to conduct their business.
Joseph’s done a ton of reporting on this over the years, and the book ends up telling a truly extraordinary story: After breaking into a few of these encrypted smartphone companies, the FBI ended up running one of these secure phone services itself so it could spy on criminals around the world. And that means the FBI had to actually run a company, with all the problems of any other tech startup: cloud services, manufacturing and shipping issues, customer service, expansion, and scale.
The company was called Anom, and for about three years, it gave law enforcement agencies around the world a crystal-clear window into the criminal underworld. In the end, the feds shut it down in large part because it was too successful — again, a truly wild story. Now, with the rise of apps like Signal, most criminals no longer need specialized hardware, but that, of course, raises a whole new set of issues.
The book is a great read, but it also touches on a lot of things we talk about a lot here on Decoder. There really are bad people out there using tech to help them do bad things, but the same tools that keep their communications private help give everyone else their privacy, too — whistleblowers, dissenters, ordinary people like you and me.
There’s a deep tension between privacy and security that constantly runs through tech, and you’ll hear us really dig into the way tech companies and governments are forever going back and forth on it. There’s a lot here, and it’s a fun one.
A consumer-grade spyware app named pcTattletale has been discovered running on the check-in systems of at least three Wyndham hotels across the United States.
This alarming discovery was made by TechCrunch, which reported that the app stealthily captured screenshots of hotel booking systems, exposing sensitive guest details and customer information.
Due to a security flaw in the spyware, these screenshots were accessible to anyone on the internet, not just the intended users of the spyware.
Sensitive Guest Information Exposed
The spyware, pcTattletale, allows remote viewing of the target’s Android or Windows device and its data from anywhere in the world.
The app runs invisibly in the background, making it undetectable to the user.
However, a significant bug in the app means that anyone who understands the security flaw can download the screenshots directly from pcTattletale’s servers.
Security researcher Eric Daigle, who discovered the compromised hotel check-in systems, attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed.
Screenshots from two Wyndham hotels revealed the names and reservation details of guests on a web portal provided by travel tech giant Sabre.
Additionally, the screenshots displayed guests’ partial payment card numbers.
Another screenshot showed access to a third Wyndham hotel’s check-in system, logged into Booking.com’s administration portal used to manage guest reservations.
Hotel And Corporate Responses
The discovery has raised serious concerns about the security measures in place at these hotels.
The manager of one affected hotel expressed surprise, stating they were unaware that the spyware was taking screenshots of their check-in computer.
The managers of the other two hotels did not respond to TechCrunch’s calls or emails.
Wyndham spokesperson Rob Myers clarified that Wyndham is a franchise organization, meaning all its U.S. hotels are independently owned and operated.
However, Wyndham did not confirm whether it was aware of pcTattletale’s use on the front-desk computers of its branded hotels or if such use was approved by Wyndham’s policies.
Booking.com, whose administration portal was accessed by the spyware, stated that its systems were not compromised.
Angela Cavis, a spokesperson for Booking.com, highlighted that this incident seemed to be an example of how cybercriminals target hotel systems through sophisticated phishing tactics.
These tactics often lead to unauthorized access to hotel accounts and attempts to impersonate the hotel or Booking.com to request customer payments.
This incident is the latest example of consumer-grade spyware exposing sensitive information due to security flaws. pcTattletale, marketed for child and employee monitoring, has also been promoted for use against spouses suspected of infidelity.
The app requires physical access to the target’s device for installation and offers a service to help customers install the spyware on the target’s computer.
Despite the serious implications of this security breach, Bryan Fleming, the founder of pcTattletale, did not respond to TechCrunch’s request for comment.
The exposure of sensitive guest information at these hotels underscores the urgent need for more robust cybersecurity measures and regulatory oversight to protect personal data from unauthorized access and misuse.
As investigations continue, the hospitality industry must reassess its security protocols to prevent such breaches in the future.
The Principle of Least Privilege (PoLP) is a foundational concept in cybersecurity, aimed at minimizing the risk of security breaches. By granting users and applications the minimum levels of access—or permissions—needed to perform their tasks, organizations can significantly reduce their attack surface. In the context of cloud computing, implementing PoLP is critical. This article explores how to enforce PoLP in the three major cloud platforms (cloud security): Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
AWS (AMAZON WEB SERVICES)
1. Identity and Access Management (IAM)
AWS IAM is the core service for managing permissions. To implement PoLP:
Create Fine-Grained Policies: Define granular IAM policies that specify exact actions allowed on specific resources. Use JSON policy documents to customize permissions precisely.
Use IAM Roles: Instead of assigning permissions directly to users, create roles with specific permissions and assign these roles to users or services. This reduces the risk of over-permissioning.
Adopt IAM Groups: Group users with similar access requirements together. Assign permissions to groups instead of individual users to simplify management.
Enable Multi-Factor Authentication (MFA): Require MFA for all users, especially those with elevated privileges, to add an extra layer of security.
2. AWS Organizations and Service Control Policies (SCPs)
Centralized Management: Use AWS Organizations to manage multiple AWS accounts. Implement SCPs at the organizational unit (OU) level to enforce PoLP across accounts.
Restrict Root Account Usage: Ensure the root account is used sparingly and secure it with strong MFA.
3. AWS Resource Access Manager (RAM)
Share Resources Securely: Use RAM to share AWS resources securely across accounts without creating redundant copies, adhering to PoLP.
AZURE (MICROSOFT AZURE)
1. Azure Role-Based Access Control (RBAC)
Define Custom Roles: Create custom roles tailored to specific job functions, limiting permissions to only what is necessary.
Use Built-in Roles: Start with built-in roles which already follow PoLP principles for common scenarios, then customize as needed.
Assign Roles at Appropriate Scope: Assign roles at the narrowest scope possible (management group, subscription, resource group, or resource).
2. Azure Active Directory (Azure AD)
Conditional Access Policies: Implement conditional access policies to enforce MFA and restrict access based on conditions like user location or device compliance.
Privileged Identity Management (PIM): Use PIM to manage, control, and monitor access to important resources within Azure AD, providing just-in-time privileged access.
3. Azure Policy
Policy Definitions: Create and assign policies to enforce organizational standards and PoLP. For example, a policy to restrict VM sizes to specific configurations.
Initiative Definitions: Group multiple policies into initiatives to ensure comprehensive compliance across resources.
GCP (GOOGLE CLOUD PLATFORM)
1. Identity and Access Management (IAM)
GCP IAM allows for detailed access control:
Custom Roles: Define custom roles to grant only the necessary permissions.
Predefined Roles: Use predefined roles which provide granular access and adhere to PoLP.
Least Privilege Principle in Service Accounts: Create and use service accounts with specific roles instead of using default or highly privileged accounts.
2. Resource Hierarchy
Organization Policies: Use organization policies to enforce constraints on resources across the organization, such as restricting who can create certain resources.
Folder and Project Levels: Apply IAM policies at the folder or project level to ensure permissions are inherited appropriately and follow PoLP.
3. Cloud Identity
Conditional Access: Implement conditional access using Cloud Identity to enforce MFA and restrict access based on user and device attributes.
Context-Aware Access: Use context-aware access to allow access to apps and resources based on a user’s identity and the context of their request.
IMPLEMENTING PRINCIPLE OF LEAST PRIVILEGE IN AWS, AZURE, AND GCP
As a Cloud Security Analyst, ensuring the Principle of Least Privilege (PoLP) is critical to minimizing security risks. This comprehensive guide will provide detailed steps to implement PoLP in AWS, Azure, and GCP.
AWS
STEP 1: REVIEW IAM POLICIES AND ROLES
Access the IAM Console:
Navigate to the AWS IAM Console.
Review existing policies under the “Policies” section.
Look for policies with wildcards (*), which grant broad permissions, and replace them with more specific permissions.
Audit IAM Roles:
In the IAM Console, go to “Roles.”
Check each role’s attached policies. Ensure that each role has the minimum required permissions.
Remove or update roles that are overly permissive.
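A starting point for the wildcard review in Step 1, as an added example rather than AWS tooling or the article's own code: it audits IAM policy documents for over-broad Allow statements and shows a broad policy beside a scoped one. Both policy documents and the bucket name example-reports-bucket are constructed.

```python
# Constructed over-broad policy document (the "before").
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3All", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Sid": "LegacyExcept", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed scoped replacement (the "after"): named actions on one bucket prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ReportsReadWrite",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-reports-bucket/reports/*",
    },
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return (sid, element, value, reason) tuples for over-broad Allow statements.

    Findings are review prompts, not automatic failures: some actions only
    support Resource "*", so each hit needs a human decision.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; wildcards there are expected
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", ",".join(_as_list(stmt["NotAction"])),
                             "allows every action except those listed"))
        for action in _as_list(stmt.get("Action")):
            _service, _, name = action.partition(":")
            if action == "*":
                findings.append((sid, "Action", action, "all actions in all services"))
            elif name == "*":
                findings.append((sid, "Action", action, "all actions in one service"))
            elif "*" in name or "?" in name:
                findings.append((sid, "Action", action, "wildcard matches a family of actions"))
        for resource in _as_list(stmt.get("Resource")):
            # Flag "*" and ARNs whose resource part is entirely "*", e.g. arn:aws:s3:::*
            if resource.split(":", 5)[-1] == "*":
                findings.append((sid, "Resource", resource, "applies to every resource"))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(BROAD_POLICY):
        print(finding)
    print("scoped policy findings:", audit_policy(SCOPED_POLICY))
```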
STEP 2: USE IAM ACCESS ANALYZER
Set Up Access Analyzer:
In the IAM Console, select “Access Analyzer.”
Create an analyzer and let it run. It will provide findings on resources shared with external entities.
Review the findings and take action to refine overly broad permissions.
STEP 3: TEST POLICIES WITH IAM POLICY SIMULATOR
Simulate Policies:
Go to the IAM Policy Simulator.
Simulate the policies attached to your users, groups, and roles to understand what permissions they actually grant.
Adjust policies based on the simulation results to ensure they provide only the necessary permissions.
STEP 4: MONITOR AND AUDIT
Enable AWS CloudTrail:
In the AWS Management Console, go to “CloudTrail.”
Create a new trail to log API calls across your AWS account.
Enable logging and monitor the CloudTrail logs regularly to detect any unauthorized or suspicious activity.
Use AWS Config:
Navigate to the AWS Config Console.
Set up AWS Config to monitor and evaluate the configurations of your AWS resources.
Implement AWS Config Rules to check for compliance with your least privilege policies.
STEP 5: UTILIZE AUTOMATED TOOLS
AWS Trusted Advisor:
Access Trusted Advisor from the AWS Management Console.
Review the “Security” section for recommendations on IAM security best practices.
AWS Security Hub:
Enable Security Hub from the Security Hub Console.
Use Security Hub to get a comprehensive view of your security posture, including IAM-related findings.
AZURE
STEP 1: REVIEW AZURE AD ROLES AND PERMISSIONS
Azure AD Roles:
Navigate to the Azure Active Directory.
Under “Roles and administrators,” review each role and its assignments.
Ensure users are assigned only to roles with necessary permissions.
Role-Based Access Control (RBAC):
Go to the “Resource groups” or individual resources in the Azure portal.
Under “Access control (IAM),” review role assignments.
Remove or modify roles that provide excessive permissions.
STEP 2: CHECK RESOURCE-LEVEL PERMISSIONS
Review Resource Policies:
For each resource (e.g., storage accounts, VMs), review the access policies to ensure they grant only necessary permissions.
Network Security Groups (NSGs):
Navigate to “Network security groups” in the Azure portal.
Review inbound and outbound rules to ensure they allow only necessary traffic.
STEP 3: MONITOR AND AUDIT
Azure Activity Logs:
Access the Activity Logs.
Monitor logs for changes in role assignments and access patterns.
Azure Security Center:
Open Azure Security Center.
Regularly review security recommendations and alerts, especially those related to IAM.
STEP 4: UTILIZE AUTOMATED TOOLS
Azure Policy:
Create and assign policies using the Azure Policy portal.
Enforce policies that require the use of least privilege access.
Azure Blueprints:
Use Azure Blueprints to define and deploy resource configurations that comply with organizational standards.
Privileged Identity Management (PIM):
In Azure AD, go to “Privileged Identity Management” under “Manage.”
Enable PIM to manage, control, and monitor privileged access.
GCP
STEP 1: REVIEW IAM POLICIES AND ROLES
Review IAM Policies:
Access the IAM & admin console.
Review each policy and role for overly permissive permissions.
Avoid using predefined roles with broad permissions; prefer custom roles with specific permissions.
Create Custom Roles:
In the IAM console, navigate to “Roles.”
Create custom roles that provide the minimum necessary permissions for specific job functions.
STEP 2: CHECK RESOURCE-BASED POLICIES
Service Accounts:
In the IAM & admin console, go to “Service accounts.”
Review the permissions granted to each service account and ensure they are scoped to the least privilege.
VPC Firewall Rules:
Navigate to the VPC network section and select “Firewall rules.”
Review and restrict firewall rules to allow only essential traffic.
STEP 3: MONITOR AND AUDIT
Cloud Audit Logs:
Enable and configure Cloud Audit Logs for all services.
Regularly review logs to monitor access and detect unusual activities.
IAM Recommender:
In the IAM console, use the IAM Recommender to get suggestions for refining IAM policies based on actual usage patterns.
Access Transparency:
Enable Access Transparency to get logs of Google Cloud administrator accesses.
STEP 4: UTILIZE AUTOMATED TOOLS
Security Command Center:
Access the Security Command Center for a centralized view of your security posture.
Use it to monitor and manage security findings and recommendations.
Forseti Security:
Deploy Forseti Security for continuous monitoring and auditing of your GCP environment.
Policy Intelligence:
Use tools like Policy Troubleshooter to debug access issues and Policy Analyzer to compare policies.
STEP 5: CONDUCT REGULAR REVIEWS
Schedule Periodic Reviews:
Regularly review IAM roles, policies, and access patterns across your GCP projects.
Use the Resource Manager to organize resources and apply IAM policies efficiently.
By following these detailed steps, you can ensure that the Principle of Least Privilege is effectively implemented across AWS, Azure, and GCP, thus maintaining a secure and compliant cloud environment.
Implementing the Principle of Least Privilege in AWS, Azure, and GCP requires a strategic approach to access management. By leveraging the built-in tools and services provided by these cloud platforms, organizations can enhance their security posture, minimize risks, and ensure compliance with security policies. Regular reviews, continuous monitoring, and automation are key to maintaining an effective PoLP strategy in the dynamic cloud environment.
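The policy reviews described in the steps above can be partly automated. The following is an added example, not code from the original article or from any AWS tool: a small Python linter that reads an AWS IAM policy document and flags Allow statements that break least privilege. The rule names, the read-only prefix heuristic, and the sample policy are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Heuristic (assumption): operations starting with these verbs only read data.
READ_ONLY_PREFIXES = ("get", "list", "describe")

# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Wild", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "AllButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "ScopedRead", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True when the operation name after 'service:' looks read-only."""
    _, _, operation = action.partition(":")
    return operation.startswith(READ_ONLY_PREFIXES)


def audit_statement(stmt):
    """Return the set of least-privilege rule codes one statement violates."""
    codes = set()
    if stmt.get("Effect") != "Allow":
        return codes  # Deny statements only narrow access
    # Action names are case-insensitive in IAM, so compare in lower case.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    if "NotAction" in stmt:
        # Allow + NotAction grants everything except the listed actions.
        codes.add("ALLOW_NOTACTION")
    for action in actions:
        if action == "*":
            codes.add("WILDCARD_ACTION")
        elif action.endswith(":*"):
            codes.add("SERVICE_WILDCARD")
    if "*" in resources:
        if any(not _is_read_only(a) for a in actions):
            codes.add("WILDCARD_RESOURCE")
        # An action pattern covering iam:PassRole on every role allows
        # handing any role to a service, a common escalation path.
        if any(fnmatchcase("iam:passrole", a) for a in actions):
            codes.add("PASSROLE_ANY_ROLE")
    return codes


def audit_policy(policy):
    """Map each offending statement (by Sid or index) to its sorted rule codes."""
    report = {}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        codes = audit_statement(stmt)
        if codes:
            report[stmt.get("Sid", f"statement[{index}]")] = sorted(codes)
    return report


if __name__ == "__main__":
    for sid, codes in audit_policy(SAMPLE_POLICY).items():
        print(f"{sid}: {', '.join(codes)}")
```

A finding is a prompt for review, not proof of misuse: some service-linked or break-glass policies legitimately need broad grants, and those exceptions should be documented.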
The core section of the standard retains its 11 clauses with minor modifications, while significant structural revisions have been implemented in the Annex A controls. Control categories have been rearranged, resulting in a reduction in the total number of controls. Broadly speaking, 11 new controls have been added, 57 controls have been consolidated, 23 controls have been rebranded, and three controls have been eliminated. The introduction of these 11 new controls underscores the heightened significance of Cloud, DevOps, and Personal Information, which have evolved over the past decade.
A.5.7 Threat intelligence
A.5.23 Information security for the use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.14.1.4 Secure development policy
A.16.2.4 Security of supplier services
A.18.2.3 Protection of personal information in public clouds
ISO 27002:2022 has three control types: #Preventive, #Corrective and #Detective. Some controls have more than one control type. In total there are 12 Detective, 13 Corrective, and 83 Preventive controls, of which 15 share more than one control type (12 + 13 + 83 = 108; 108 - 15 = 93), in the latest ISO 27002:2022 guidance. If you would like to know more about how and when to start complying with the latest control guidance, please contact us to book an appointment to discuss the details and how DISC llc can assist your organization with ISO 27001 compliance or certification plans.
Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.
Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.
What does the Access Control Policy template include?
Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.
Here are some of the key components included in the template:
Document Control;
Purpose and Scope;
Policy Statement;
Roles & Responsibilities;
Access Control Principles;
Access Control Measures;
Access Control Technologies;
Monitoring and Auditing;
Incident Management;
Policy Compliance;
Policy Review.
Benefits of using our Access Control Policy template
Implementing an effective access control policy offers several key benefits:
Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.
To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download it. The download will start automatically.
You can then customize the template to fit the specific needs and context of your organization.
By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, targets Microsoft 365 and Gmail accounts. It leverages an Adversary-in-the-Middle (AitM) technique to steal user session cookies, bypassing multi-factor authentication (MFA) protections.
By acting as an intermediary between the user and the legitimate login page, Tycoon 2FA captures cookies that grant attackers unauthorized access to compromised accounts and cloud services, even if additional security measures are implemented.
The Tycoon 2FA phishing kit received an update in March 2024 specifically designed to bypass security defenses. The update enhanced the kit’s evasion capabilities through obfuscated JavaScript and HTML code, which makes the code unreadable and hinders analysis.
Figure: Tycoon 2FA used to facilitate MFA token theft and bypass.
On Telegram, it sells pre-made phishing pages targeting Microsoft 365 and Gmail credentials, which lowers the technical barrier for attackers by offering easy-to-use templates.
Figure: Proofpoint TAP Dashboard campaign snapshot from December campaigns.
The attack works through a reverse proxy that captures login credentials and relays them to the real service. The attackers then steal the session cookies returned during successful logins, which grants unauthorized access even with MFA enabled.
The kit facilitates credential theft by bypassing multi-factor authentication (MFA). Attackers use various lures, such as emails with fake authentication links, voicemail-themed threats, and PDFs with QR codes leading to phishing pages.
Figure: QR code and voicemail lure examples for the Tycoon 2FA threats that were seen in late 2023.
The pages often include CAPTCHAs to appear legitimate and steal login credentials and MFA tokens. Security researchers at Proofpoint identified rules to detect Tycoon landing pages based on these tactics.
AI-powered behavioral analytics and a URL sandbox are used to identify and block malicious landing pages and phishing activity associated with Tycoon 2FA and similar threats. This is achieved by combining threat intelligence with machine learning to recognize suspicious behaviors.
Global threat intelligence feeds provide information about malicious infrastructure. This helps defenders stop known and new threats before they happen by making it easier to find them, fix problems, and manage human risk when it comes to new phishing techniques.
The Polish computer emergency response team CERT.pl has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.
According to the CERT.pl analysis, the attack begins with spear-phishing emails containing malicious attachments or links.
The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.
Subject: I solved your problem
Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)
Threat actors are increasingly using free, commonly-used services like run.mocky.io and webhook.site to deliver malware while evading detection.
This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to run.mocky.io, a free API testing service, which then redirects to webhook.site for logging requests.
A ZIP archive disguised as an image file (e.g. IMG-238279780.zip) is downloaded from webhook.site.
With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.
Figure: entire attack flow.
Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.
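The delivery chain described above (a run.mocky.io link that redirects to webhook.site, which then serves a ZIP named like an image) can be hunted for in web proxy logs. The following is an added example, not code from CERT.pl or the original article: a Python sketch that correlates the two hosts per client and checks the downloaded file name. The log format, rule names, 60-second window and the DSC/PHOTO name prefixes are assumptions; only the hosts and the IMG-238279780.zip name come from the article.

```python
import re
from datetime import datetime, timedelta

# Assumption: a redirect completes within this window of the first request.
CHAIN_WINDOW = timedelta(seconds=60)

# Camera-style image names carrying an archive extension. "IMG-<digits>.zip"
# is the article's example; the other prefixes are assumed generalizations.
IMAGE_STYLE_ARCHIVE = re.compile(r"^(img|dsc|photo)[-_]?\d+\.zip$", re.IGNORECASE)

# Constructed proxy log lines in a hypothetical format:
# time client host path content-type filename ("-" when absent)
SAMPLE_LOG = """\
2024-05-08T09:14:02 10.0.0.21 run.mocky.io /v3/EXAMPLE-ID text/html -
2024-05-08T09:14:03 10.0.0.21 webhook.site /EXAMPLE-TOKEN application/zip IMG-238279780.zip
2024-05-08T09:20:00 10.0.0.35 webhook.site /dev-test application/json -
2024-05-08T09:31:10 10.0.0.40 run.mocky.io /v3/api-mock application/json -
2024-05-08T10:45:00 10.0.0.40 webhook.site /ci-hook application/json -
2024-05-08T11:00:00 10.0.0.52 cdn.example.org /photos/IMG-1001.jpg image/jpeg IMG-1001.jpg
"""


def parse_line(line):
    """Parse one log line; return None when it does not have six fields."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, host, path, ctype, filename = fields
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "host": host.lower(),
        "path": path,
        "ctype": ctype.lower(),
        "filename": None if filename == "-" else filename,
    }


def detect(log_text):
    """Return one alert per request that matches at least one rule."""
    last_mocky = {}  # client -> time of most recent run.mocky.io request
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["host"] == "run.mocky.io":
            last_mocky[event["client"]] = event["time"]
            continue
        rules = []
        name = event["filename"] or ""
        if event["host"] == "webhook.site":
            seen = last_mocky.get(event["client"])
            if seen is not None and timedelta(0) <= event["time"] - seen <= CHAIN_WINDOW:
                rules.append("REDIRECT_CHAIN")
            if event["ctype"] == "application/zip" or name.lower().endswith(".zip"):
                rules.append("ARCHIVE_FROM_WEBHOOK")
        if IMAGE_STYLE_ARCHIVE.match(name):
            rules.append("IMAGE_NAMED_ARCHIVE")
        if rules:
            alerts.append({"client": event["client"], "time": event["time"],
                           "host": event["host"], "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["time"].isoformat(), alert["client"], alert["host"],
              ",".join(alert["rules"]))
```

Ordinary developer use of either service on its own (clients 10.0.0.35 and 10.0.0.40 in the sample) produces no alert; the combination of rules on a single request is the signal worth triaging.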
“The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network,” explained CERT.pl in their report.
CERT.pl urges all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.
‼️This week we observed a large-scale malware campaign targeting Polish government institutions. Based on technical indicators and similarity to attacks described in the past, the campaign can be associated with the APT28 activity set. More➡️ https://t.co/Szv62K060q
APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.
The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak and the 2017 NotPetya ransomware outbreak.
This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.
The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.
The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.
These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsored hacking group.
Sophisticated Tools For Stealthy Operations
The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselfly’s arsenal, enabling threat actors to gain initial access to targeted environments discreetly.
NiceCurl, a VBScript-based malware, is designed to download and execute additional malicious modules, enhancing the attackers’ control over compromised systems.
On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.
These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.
According to a Broadcom report, the group’s activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.
The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.
These include adaptive, behavior, file, and network-based detection mechanisms, ensuring robust defense against Damselfly’s tactics.
The security firm’s efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.
The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.
Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.
The Certified Information Systems Security Professional (CISSP) is the most widely recognized certification in the information security industry. CISSP certifies that an information security professional possesses extensive technical and managerial expertise for designing, engineering, and managing an organization’s security stance.
In this article, CISSP-certified cybersecurity leaders provide practical tips and strategies to help candidates navigate the extensive study requirements and effectively manage their CISSP exam prep time. Whether you’re just starting your study journey or in the final stages of preparation, these guidelines will help ensure you are well-equipped to tackle the CISSP certification exam.
My preparation for the CISSP exam took exactly 10 sunny afternoons while working on a project in Palo Alto. Every day after work, I took “Shon Harris,” at that time the so-called “CISSP exam prep Bible.” I remember studying by the pool, swimming in between the chapters, so overall, it was a fun way to spend these afternoons without feeling like I was missing the sunny California weather.
I divided the contents of the book in a way that allowed me to read it all in eight days, while I dedicated the last two entire days to practicing exam questions and revisiting domains where my answers were incorrect, studying them a bit deeper. I remember that at that time (2013), there was a very popular site where colleagues from the profession would discuss questions or topics they struggled with, and “talking” to colleagues on that platform was of huge help.
The exam itself, I think, took about an hour and a half, and I passed on the first attempt. Now, this may all sound easy, but the truth is that by the time I decided to pursue the CISSP, I already had 13 years of experience, numerous other industry certifications, and had been deeply involved in the cybersecurity field since the day I graduated; my Master’s thesis was also in cybersecurity.
Looking back at the exam itself, I believe that having a strong knowledge foundation, coupled with real-life experience, and a network of colleagues you can always turn to and discuss certain topics you are less familiar with, is the key to success in passing the CISSP exam.
Shannon Brewster, Executive Director, General Manager, AT&T Cybersecurity
Passing the CISSP exam is an ambitious goal, especially if you hope to pass on your first attempt. I recommend a 90-day preparation plan tailored to reinforce key cybersecurity concepts and identify weaker areas through regular practice.
Being intentional with your time is crucial; consider mapping out each domain as a “sprint” and mapping core concepts to learn each week. Schedule daily dedicated study time and regular practice exams. Testing with approved sample questions helps gauge your readiness and pinpoint specific topics you need to shore up on.
Most security professionals will find themselves very strong in the domains they work in most often, and weak in others. Cryptology is the Achilles’ heel for many.
I incorporated tools like handwritten index cards for constant review to boost memory retention. This method of repetition embeds critical information, making it more readily recalled.
An important element of my preparation was participating in a 6-day bootcamp. The bootcamp was a source of confidence because I had the benefit of a thorough review of all the content that was necessary to understand. It also helped me build a new network of peers who supported each other as accountability partners and encouragement.
Make sure you take the exam within two weeks of a bootcamp to maximize the “cone of learning” on memory retention.
Lastly, don’t forget about the physical dimension, staying focused on your health and wellness throughout your preparation. Deep sleep is required for memory retention and recall, so avoiding alcohol and practicing sleep hygiene will improve your score. I brought a jump rope to my test and stepped out regularly to infuse fresh blood to my brain, vastly improving my focus.
This strategy worked for me to pass on my first attempt; I hope these ideas might work for you.
Here’s how I effectively studied for the CISSP certification, relying solely on comprehensive study materials rather than quick-fix dumps or quizlets. This method ensured a deep understanding of the content required to pass the CISSP exam:
1. Bootcamp: I started my preparation with a rigorous week-long bootcamp (40 hours). This intensive course helped establish a solid foundation and highlighted areas where I needed further study. Even though I had over five years of experience in cybersecurity and over ten years in IT, my practical knowledge was only in specific domains (i.e. Security and Risk Management, Asset Security, Communications and Network Security, etc.). A good bootcamp will expose your weak areas and help you to hone in on where you need to obtain more knowledge.
2. Targeted reading: After identifying my weak spots during the bootcamp, I skimmed the Official ISC2 CISSP Common Body of Knowledge (CBK) specifically focusing on those areas.
3. In-depth study guides: I read the ISC2 CISSP Official Study Guide from cover to cover to ensure a comprehensive grasp of all domains. Additionally, I went through the Eleventh Hour CISSP: Study Guide twice, which is excellent for refreshing your memory due to its concise format.
4. Video courses and webinars:
I watched Kelly Handerhan’s Cybrary CISSP course twice. Her engaging teaching style and clear explanations helped reinforce the key concepts.
Larry Greenblatt’s series, “CISSP Practice Question with Spock & Kirk”, was instrumental in applying theoretical knowledge practically through scenario-based questions.
Pearson VUE’s Complete CISSP Video Course was another resource I used, which also included domain challenge questions that tested my understanding as I progressed.
5. Motivational prep: Before the exam, I watched Kelly Handerhan’s motivational video, “Why you WILL pass the CISSP”. This not only boosted my confidence but also put me in the right mindset to tackle the exam.
This structured approach to studying for the CISSP took approximately 6 months. Using a mix of reading, practical exercises, and motivational content, it equipped me with the knowledge and confidence to successfully pass the exam.
Stein A. J. Mollerhaug, Senior Cybersecurity Advisor
For most people, passing the CISSP exam is the main obstacle. In addition to passing the exam, you must also document at least five years of experience in two or more of the eight CISSP knowledge domains. But don’t worry, if you miss that experience, you can get an associate status while you work on gaining the needed experience. Once the experience is documented, you will get upgraded without the need for a new exam.
You don’t need to follow any official course to sit for the CISSP exam and get CISSP certified, but the feedback from almost all students is that following an official course with an official instructor helps – a lot.
In my experience, there are three critical success factors for passing the exam:
1. Understand the basics of cybersecurity and information technology.
2. Understand how management systems work for the key processes in information security.
3. Be able to apply that knowledge to real life situations or imagined scenarios.
If you are unable to explain how the encryption in AES actually works, you are still fine with regards to the exam. If you don’t know that AES is a symmetrical algorithm and what it can be used for, you have some learning to do before sitting for the exam. This is just one example. CISSP is not a technical course, but as a cyber- or information security leader, you must know the basic technology you are going to use.
Management systems ensure the quality of the security implementations. Standards like ISO/IEC 27001 contain some of the framework for having measurability and the ability to improve your cybersecurity. There are such standards in almost all areas of cybersecurity. Knowledge of them is key to passing the exam.
The exam itself often asks for “best”, “most” or “not”. The key here is that you are to apply your knowledge and experience to find the right answer. Even if you don’t know a specific answer, you should be able to apply your knowledge to find the right answer through the process of elimination. That means you have to think and not just recall from memory when you sit for the exam.
This is also why many find the exam to be very exhausting. For each question, you need to read the answer alternatives and the question, think – and then answer. The good news is that for almost all questions, there will be two answer alternatives that you can easily eliminate – if you know your cybersecurity – and have read the question properly. Then you spend your time to choose between the two remaining.
And another piece of good news: You don’t need to be 100% right, 70% is the requirement for passing. And to destroy a myth: Time is not a key issue. Exhaustion is. Take breaks, even if the clock is not stopping during the breaks.
Andrea Szeiler-Zengo, President of the Women4Cyber Hungarian Chapter
When I decided to get CISSP certified, I signed up for local training, but honestly, I learned more independently than in class.
The CISSP is unlike other exams where you can memorize the answers. You must understand the security domains. When I took the CISSP exam, the cloud and third-party risk sections were a big focus. However, these topics were not discussed in detail in the study materials.
You absolutely need to plan how you will prepare for it.
I gave myself a deadline, registered for the exam, and spent six months studying. I read all the study materials and did practice questions, but I also kept up with news and new technologies.
I tried to set aside 30 minutes each day to review materials. I read on public transport, at the beach, and pretty much everywhere else. The most significant help arrived via my network. They helped me out with questions and motivated me during these challenging days.
You might be asking yourself – why bother getting the CISSP certification in the first place? It makes you more recognizable to employers who trust people holding the certification. And let’s be honest, they’re more likely to pay you more. So, go for it, good luck!
Earning my CISSP in 1999 was a different experience from today’s process. Back then, comprehensive study guides and boot camps weren’t a thing. We had a two-week course delivered in segments—a week-long session followed by three weeks off, then another week to wrap up. We relied heavily on ISC2’s list of recommended books.
Sitting in that George Mason University classroom in Virginia, I was surrounded by a wealth of information security knowledge, a term not yet replaced by cybersecurity. I wanted to absorb everything. The discussions were phenomenal – a constant back-and-forth exchange of ideas among experienced professionals. I mostly listened, soaking it all in, occasionally contributing my thoughts. This became my learning model throughout my career.
The saying goes, “If you’re the smartest person in the room, you’re in the wrong room.” This held true for me. I actively sought out those more experienced in cybersecurity.
My advice is to start small, find mentors, and become a knowledge sponge. Don’t limit yourself to books—seek practical knowledge as well. Talk to veterans in the field, learn from their experiences, and integrate your ideas as you grow.
The latest edition of Verizon’s Data Breach Investigations Report (DBIR) for 2024 highlights a concerning trend: a significant 68% of data breaches are now occurring due to social engineering attacks.
This revelation underscores the increasing sophistication and prevalence of these tactics in the cyber threat landscape.
Social engineering exploits the human factor, manipulating individuals into breaking normal security procedures.
The DBIR’s findings suggest that despite advancements in technology, human vulnerabilities remain a critical weak point.
The report indicates that phishing, pretexting, and other forms of social engineering are not only prevalent but are also becoming more sophisticated.
Figure: Breakdown of breaches by attack type.
Verizon’s 2024 DBIR has revised its methodology to provide clearer insights into breaches involving the human element.
It excludes cases of malicious privilege misuse to focus on incidents that could potentially be mitigated through improved security awareness and training.
The Role Of Ransomware And Extortion
The report also sheds light on the role of ransomware and extortion in the cybersecurity threat landscape.
Approximately one-third of all breaches involved these tactics, with pure extortion attacks marking a significant rise over the past year.
This shift indicates a strategic evolution among cybercriminals, who are increasingly leveraging ransomware and extortion to capitalize on their attacks.
Figure: Breakdown of breaches by attack type.
The combination of ransomware and other forms of extortion has been particularly impactful, affecting 32% of breaches and being a top threat across 92% of industries surveyed.
This highlights the critical need for organizations to enhance their defensive strategies against these forms of cyberattacks.
Third-Party Vulnerabilities And Preventive Measures
An expanded concept of breaches involving third-party entities was introduced in this year’s report.
This includes incidents where partner infrastructure is compromised or where indirect software supply chain issues occur.
The report notes a 68% increase in such breaches, primarily fueled by zero-day exploits used in ransomware and extortion attacks.
This finding emphasizes the importance of diligent vendor selection and the need for organizations to prioritize security in their supply chains.
By choosing partners with robust security measures, companies can significantly mitigate the risk of being compromised through third-party vulnerabilities.
Verizon’s 2024 DBIR provides a stark reminder of the persistent and evolving threats in the digital world.
With a significant portion of breaches attributable to social engineering, the human element continues to be a critical battleground in cybersecurity.
Organizations must prioritize comprehensive security training and robust protocols to safeguard against these insidious attacks.
Meanwhile, the rise of ransomware and extortion, along with the vulnerabilities in third-party partnerships, calls for an urgent reassessment of current security strategies and vendor management practices.