Darkreading.com
Fri, 03 May 2024 22:19:59 GMTOur collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: a Tech Tip on setting up DMARC, a DNS mystery from Muddling Meerkat, and a cybersecurity checklist for M&A transitions.
https://www.darkreading.com/vulnerabilities-threats/ciso-corner-
Though Olympics officials appear to have better secured their digital footprint than other major sporting events have, significant risks remain for the Paris Games.
https://www.darkreading.com/vulnerabilities-threats/paris-olympics-cybersecurity-at-risk-via-attack-surface-gaps
The space agency needs to implement stricter policies and standards when it comes to its cybersecurity practices, but doing so the wrong way would put machinery at risk, a federal review found.
https://www.darkreading.com/ics-ot-security/gao-nasa-faces-inconsistent-cybersecurity-across-spacecraft
Charges against the ransomware gang member included damage to computers, conspiracy to commit fraud, and conspiracy to commit money laundering.
https://www.darkreading.com/cybersecurity-operations/revil-affiliate-jail-multimillion-dollar-ransomware-scheme
Patch now: Cyberattackers are exploiting CVE-2023-7028 (CVSS 10) to take over and lock users out of GitLab accounts, steal source code, and more.
https://www.darkreading.com/application-security/critical-gitlab-bug-exploit-account-takeover-cisa
If CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately.
https://www.darkreading.com/vulnerabilities-threats/innovation-not-regulation-will-protect-corporations-from-deepfakes
The AI security startup's platform will allow organizations to define appropriate AI usage and enforce security policies.
https://www.darkreading.com/cyber-risk/new-ai-security-startup-apex-secures-ai-models-apps
The startup says its SaaS platform helps organizations detect and recover from ransomware attacks faster than "traditional" methods.
https://www.darkreading.com/endpoint-security/mimic-launches-with-new-ransomeware-defense-platform
Microsoft has uncovered a common vulnerability pattern in several apps allowing code execution; at least four of the apps have more than 500 million installations each; and one, Xiaomi's File Manager, has at least 1 billion installations.
https://www.darkreading.com/cloud-security/billions-android-devices-open-dirty-stream-attack
Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.
https://www.darkreading.com/cloud-security/dprks-kimsuky-apt-abuses-weak-dmarc-policies-feds-warn
Actual legislation is a long shot and a decade away, but policy experts are looking to jump-start the conversation around greater legal liability for insecure software products.
https://www.darkreading.com/cyber-risk/software-security-too-little-vendor-accountability-experts-say
Two years after a warrant went out for his arrest, Aleksanteri Kivimäki finally has been found guilty of thousands of counts of aggravated attempted blackmail, among other charges.
https://www.darkreading.com/cyberattacks-data-breaches/hacker-sentenced-after-years-of-extorting-psychotherapy-patients
Threat actor dropped in to Dropbox Sign production environment and accessed emails, passwords, and other PII, along with APIs, OAuth, and MFA info.
https://www.darkreading.com/application-security/dropbox-breach-exposes-customer-credentials-authentication-data
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.
https://www.darkreading.com/vulnerabilities-threats/name-that-edge-toon-mini-me
Establishing a robust BYOD security strategy is imperative for organizations aiming to leverage the benefits of a mobile-first workforce while mitigating associated risks.
https://www.darkreading.com/endpoint-security/safeguarding-your-mobile-workforce
DMARC adoption is more important than ever following Google's and Yahoo's latest mandates for large email senders. This Tech Tip outlines what needs to be done to enable DMARC on your domain.
https://www.darkreading.com/cybersecurity-operations/tech-tip-why-haven-t-you-set-up-dmarc-yet-
Weaponizing Microsoft's own services for command-and-control is simple and costless, and it helps attackers better avoid detection.
https://www.darkreading.com/cloud-security/microsoft-graph-api-emerges-as-top-attacker-tool-to-plot-data-theft
A recent campaign targeting Middle Eastern government organizations plays standard detection tools like a fiddle. With cyberattackers getting more creative, defenders must start keeping pace.
https://www.darkreading.com/threat-intelligence/dunequixote-shows-stealth-cyberattack-methods-are-evolving
The quest to keep data private while still being able to search may soon be within reach, with different companies charting their own paths.
https://www.darkreading.com/data-privacy/private-internet-search-is-still-finding-its-way
The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change Healthcare's backup strategy failed.
https://www.darkreading.com/cyberattacks-data-breaches/unitedhealth-congressional-testimony-rampant-security-fails
Unmanaged and unknown Web services endpoints are just some of the challenges organizations must address to improve API security.
https://www.darkreading.com/application-security/shadow-apis-an-overlooked-cyber-risk-for-orgs
Some customers found that they had the ability to cancel a stranger's flight to another country after opening the app, which was showing other individuals' flight details.
https://www.darkreading.com/cyber-risk/qantas-customers-boarding-passes-exposed-flight-app-mishap
The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.
https://www.darkreading.com/cloud-security/cuttlefish-zero-click-malware-steals-private-cloud-data
With mergers and acquisitions making a comeback, organizations need to be sure they safeguard their digital assets before, during, and after.
https://www.darkreading.com/cyber-risk/cybersecurity-checklist-that-could-save-your-m-and-a-deal
MOVEit drove a big chunk of the increase, but human vulnerability to social engineering and failure to patch known bugs led to a doubling of breaches since 2023, said Verizon Business.
https://www.darkreading.com/cyberattacks-data-breaches/verizon-dbir-basic-security-gaffes-underpin-bumper-crop-of-breaches
As the social media giant celebrates its two-decade anniversary, privacy experts reflect on how it changed the way the world shares information.
https://www.darkreading.com/data-privacy/facebook-at-20-contemplating-the-cost-of-privacy
The purported metadata for each these containers had embedded links to malicious files.
https://www.darkreading.com/cyber-risk/attackers-planted-millions-of-imageless-repositories-on-docker-hub
London Drugs offered no details about the nature of the incident, nor when its pharmacies would be functioning normally again.
https://www.darkreading.com/cyberattacks-data-breaches/canadian-drug-chain-in-temporary-lockdown-mode-after-cyber-incident
USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.
https://www.darkreading.com/ics-ot-security/to-damage-ot-systems-hackers-tap-usbs-old-bugs-and-malware
Verizon, AT&T, and T-Mobile USA are being fined for sharing location data. They plan to appeal the decision, which is the culmination of a four-year investigation into how carriers sold customer data to third parties.
https://www.darkreading.com/cyber-risk/fcc-fines-wireless-carriers-200m-for-sharing-location-data
Themed "The Art of Possible," this year's conference celebrates new challenges and opportunities in the age of AI.
https://www.darkreading.com/cyberattacks-data-breaches/6-data-security-sessions-you-shouldnt-miss-rsac-2024
The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files.
https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
Okta warns users that the attack requests are made through an anonymizing service like Tor or various commercial proxy networks.
https://www.darkreading.com/vulnerabilities-threats/okta-credential-stuffing-attacks-spike-via-proxy-networks
While other professions are making up ground, cybersecurity still lags behind in female representation, thanks to a lack of respect and inclusion.
https://www.darkreading.com/cybersecurity-operations/cybersecurity-is-becoming-more-diverse-except-by-gender
Tracking code used for keeping tabs on how members navigated through the healthcare giant's online and mobile sites was oversharing a concerning amount of information.
https://www.darkreading.com/cyberattacks-data-breaches/13-4m-kaiser-insurance-members-affected-by-data-leak-to-online-advertisers
Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.
https://www.darkreading.com/threat-intelligence/muddling-meerkat-poses-nation-state-dns-mystery
By embracing a proactive approach to cyber-risk management, companies can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology.
https://www.darkreading.com/cyber-risk/addressing-risk-caused-by-innovation
Red teaming is a crucial part of proactive GenAI security that helps map and measure AI risks.
https://www.darkreading.com/vulnerabilities-threats/how-to-red-team-genai-challenges-best-practices-and-learnings
The volume of malicious cyber activity against the Philippines quadrupled in the first quarter of 2024 compared to the same period in 2023.
https://www.darkreading.com/cyberattacks-data-breaches/philippines-pummeled-by-assortment-of-cyberattacks-tied-to-china
The business intelligence servers contain vulnerabilities that Qlik patched last year, but which Cactus actors have been exploiting since November. Swathes of organizations have not yet been patched.
https://www.darkreading.com/cyber-risk/more-than-3-000-qlik-sense-servers-vuln-to-cactus-ransomware-attacks
The semiconductor manufacturing giant's security team describes how hardware hackathons, such as Hack@DAC, have helped chip security by finding and sharing hardware vulnerabilities.
https://www.darkreading.com/endpoint-security/intel-harnesses-hackathons-to-tackle-hardware-vulnerabilities
CSO Online
Fri, 03 May 2024 11:51:59 +0000US Cybersecurity Infrastructure and Security Agency (CISA) and the FBI have issued a joint advisory to developers, urging them to check for path traversal vulnerabilities before shipping a software. “Directory traversal or path traversal vulnerabilities remain a persistent class of defect in software products,” CISA said in the advisory. “Software manufacturers continue to put customers at risk by developing products that allow for path traversal exploits.” The advisory was issued in response to the recent critical path traversal vulnerabilities, including the ConnectWise ScreenConnect and Cisco AppDynamics flaws. Directory traversal vulnerabilities involve a user manipulating inputs (i.e. input parameters or file paths) to illicitly access application files and directories that the developer did not intend for the user to access. Implementing “secure by design” With the advisory, the cybersecurity watchdogs look to push for a “secure by design” approach in software development, weeding out the underlying vulnerabilities within the dependencies of a software before its final shipping. “A core tenet of security by design software development is that manufacturers create safe and secure behavior in the products they provide to customers,” CISA added. “Incorporating this risk mitigation at the outset–beginning in the design phase and continuing through product release and updates–reduces both the burden of cybersecurity on customers and risk to the public.” The advisory noted that despite approaches to avoid directory traversal vulnerabilities being readily available, their exploitation by threat actors is still on the rise, especially to impact critical services including hospital and school operations. The prevalence of such vulnerabilities is apparent through CISA’s current listing of 58 path traversal vulnerabilities in its known exploited vulnerabilities (KEV) catalog. Mitigations include auto-indexing or type limitation in file names The advisory encourages developers to use “well-known and effective mitigations” to help prevent directory traversal vulnerabilities. These include generating an identifier for each file and storing associated metadata separately, and if that’s not possible, limiting the type of characters that can be supplied in the file names. CISA pointed out that the above steps can also be applied in the case of cloud services, as they too are affected by these vulnerabilities, in conjunction with other known best approaches. “CISA and FBI encourage manufacturers to learn how to protect their products from falling victim to these exploits and other preventable malicious activities in accordance to three advised principles,” the advisory added. These principles include taking ownership of customer security outcomes, embracing transparency and accountability, and deploying organizational structure and leadership to achieve these goals. Directory traversal vulnerabilities are a strain of menacing flaws plaguing the software ecosystem with at least 350 added this year alone. Recent critical vulnerabilities of this type include ScreenConnect, MLFlow, Kyocera printers, and Apache Struts 2 bugs. Vulnerabilities
https://www.csoonline.com/article/2097868/cisa-fbi-urge-developers-to-patch-path-traversal-bugs-before-shipping.html
Microsoft has added new chief information security officers (CISOs) to product teams and appointed a new deputy CISO to liaise with customers. The moves are part of an ongoing attempt to revamp the company’s approach to security in the wake of a high-profile attack that breached company emails and a sharp rebuke from the federal government on the company’s security practices. The new product-focused security chiefs will report to Igor Tsyganskiy, Microsoft’s global CISO who has only been in his post for about six months, according to a published report by Bloomberg. Meanwhile, longtime security executive Ann Johnson is now deputy CISO for customer outreach and regulated industries and also will report to Tsyganskiy. Johnson’s role will focus on “customer engagement and communication about Microsoft’s own security,” Microsoft said in an email, according to the report. A Microsoft spokesperson said Friday in an email to CSO that the company has nothing to share at the moment about the reported executive changes. Bolstering security strategy The executive moves appear to be an extension of the Secure Future Initiative (SFI) that the company unveiled in November to improve the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats. The new initiative is geared at bringing together “every part of Microsoft” to advance cybersecurity protection incorporating three pillars focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms, Brad Smith, vice chair and president of Microsoft, said at the time. Indeed, Microsoft products have historically and notoriously been the target of hackers, who long have exploited flaws in them to conduct malicious activities that have affected numerous organizations and caused widespread damage across myriad geographies and industries. In December on the heels of its SFI announcement, Microsoft appointed Tsyganskiy, a relative newcomer to the company, to replace former and longtime CISO Bret Arsenault, who transitioned to an adviser position. Ongoing security struggles Around the same time — but unbeknownst to Microsoft until January — a Russia-based threat group Midnight Blizzard, also known as Nobelium, was hacking the emails of Microsoft employees, including senior staff. The attack was the second known attack on Microsoft by the group; last year Microsoft had accused it of using social engineering to carry out a cyberattack on Microsoft Teams. The US Cybersecurity and Infrastructure Security Agency (CISA) later warned in mid-April that Midnight Blizzard exploited the compromise to steal the emails of government agencies, advising agencies to urgently check their email systems for signs of compromise. If these weren’t troublesome enough for the company, Microsoft also had faced a scathing assessment by a federal review board earlier in April for another state-sponsored cyber-attack that affected the federal government. This one occurred in July 2023 when Chinese threat actors breached Microsoft 365 accounts to target key US government officials. The report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft’s security culture and blamed the company for the attack by the group Storm-0558 that the board said easily could have been avoided. On the right course Microsoft’s revamped security strategy shows the company incorporating feedback and taking corrective steps forward to improve the overall security posture of the company and its products, particularly as external pressure mounts. “Microsoft is doing the right thing to increase focus on security with new senior appointments,” noted Pareekh Jain, CEO of EIIRTrend & Pareekh Consulting, in an email to CSO. “Now not only do individuals or groups of hackers attack, but state-sponsored cybersecurity incidents also happen. Product companies like Microsoft, which have a large consumer, enterprise, and government footprint, need to be a few steps ahead.” Microsoft also will be viewed as an example to other product-focused companies on how to respond to security challenges, so the moves it makes now are crucial for the overall industry security roadmap ahead, he noted. “In a product business, the key metric is time-to-market for new features; [however,] it’s time that focus also shifts to time-to-security,” Jain observed. “The industry will be watching Microsoft moves, and in the future, more product companies will focus on time-to-security and bringing senior security talent in their product groups.” CSO and CISO
https://www.csoonline.com/article/2097863/microsoft-continues-to-add-shuffle-security-execs-in-the-wake-of-security-incidents.html
What is malware? Malware, short for malicious software, is a blanket term for viruses, worms, trojans and other harmful computer programs hackers use to wreak destruction and gain access to sensitive information. In other words, software is identified as malware based on its intended malicious use, rather than a particular technique or technology used to build it. This means that the question of, say, what the difference is between malware and a virus misses the point a bit: a virus is a type of malware, so all viruses are malware (but not every piece of malware is a virus). History of malware Malware has a long, storied history, dating back to infected floppy disks swapped by Apple II hobbyists in the 1980s and the Morris Worm spreading across Unix machines in 1988. Some other high-profile malware attacks over the years have included: ILOVEYOU, a worm that spread like wildfire in 2000 and did more than $15 billion in damage SQL Slammer, which ground internet traffic to a halt within minutes of its first rapid spread in 2003 Conficker, a worm that exploited unpatched flaws in Windows and leveraged a variety of attack vectors – from injecting malicious code to phishing emails – to ultimately crack passwords and hijack Windows devices into a botnet. Zeus, a late ’00s keylogger Trojan that targeted banking information CryptoLocker, the first widespread ransomware attack, whose code keeps getting repurposed in similar malware projects Stuxnet, an extremely sophisticated worm that infected computers worldwide but only did real damage in one place: the Iranian nuclear facility at Natanz, where it destroyed uranium-enriching centrifuges, the mission it was built for by U.S. and Israeli intelligence agencies Ryuk, ransomware that targets vulnerable organizations that are likely to pay a ransom, including hospitals and governments. It is typically distributed via the TrickBot trojan. For a deep dive into the history of malware, see 11 infamous malware attacks: The first and the worst. How do malware infections happen? Malware infections happen in two phases: First there is the initial infection (how the malware gets onto a computer or network) and then the malware spreads. According to Mandiant’s M-Trends report for 2024, exploits were the top initial infection vector in 2023, used in 38% of attacks, followed by phishing (17%), prior compromise (15%), stolen credentials (10%), and brute force (6%) to round out the top 5. Foundry How malware spreads You’ve probably heard the words virus, trojan, and worm used interchangeably. In fact, the terms describe three different kinds of malware, which are distinguished from each other by the process by which they reproduce and spread. A worm is a standalone piece of malicious software that reproduces itself and spreads from computer to computer. Worms’ creators build in knowledge of operating system vulnerabilities, and a worm program seeks these out on computers that it can reach from wherever it’s running and makes copies of itself on those insecure machines. Some of the very first worms were designed to copy themselves to floppy disks and other removable media, then copy themselves again when that disk was inserted into a new computer, but today most worms scan for vulnerable computers connected to their host via a corporate network or the internet. A virus is a piece of computer code that inserts itself within the code of another standalone program, then forces that program to take malicious action and spread itself. The infected program propagates itself in some of the same ways that a worm does, by searching for vulnerabilities on other computers it can reach via the internet or a local network. But the virus code is lurking inside programs that look legitimate, so there are other vectors by which it could it spread: if a hacker can infect an application at the source, an application that includes virus code could be available for download from open source repositories, app stores, or even the software maker’s own servers. A trojan is a program that cannot activate itself but masquerades as something the user wants and tricks them into opening it via social engineering techniques. Often trojans arrive as email attachments with names like “salary.xls” or “resume.doc”, with the malicious code lurking as a Microsoft Office macro. Once it’s running, one of its first jobs is to propagate itself, so it might hijack your email client and send out more copies of itself to potential victims. Malware can also be installed on a computer “manually” by the attackers themselves, either by gaining physical access to the computer or using privilege escalation to gain remote administrator access. How attackers hide malware Why do cybercriminals use malware? While some attackers might create malware as an intellectual exercise or for the thrill of destruction, most are motivated by financial gain. They could be looking for banking passwords or access to secrets they can sell or exploit, or they also could be looking to gain control of your computer and use it as a launching pad for a DDoS attack. Once malware is executing on your computer, it can do a number of things, ranging from simply making it unusable to taking control out of your hands and putting your remote attacker in charge. Malware can also send back information about sensitive data to its creators. Malware can also be part of a politically motivated attack. Hactivists might use malware in their campaigns against companies or governments, and state-sponsored hackers create malware as well. In fact, two high-profile malware waves were almost certainly started by national intelligence services: Stuxnet was created by the U.S. and Israel to sabotage Iran’s nuclear program, while NotPetya may have begun as a Russian cyberattack on Ukrainian computers that quickly spread beyond its intended targets (including back into Russia). What are the types of malware? There are a number of different ways of categorizing malware; the first is by how the malicious software spreads. We covered this in the section above on how malware infections happen. Another way to categorize malware is by what it does once it has successfully infected its victim’s computers. There are a wide range of potential attack techniques used by malware: Spyware, as the name implies, is software that spieson your behavior as you use your computer, and on the data you send and receive, usually with the purpose of sending that information to a third party. A keylogger is a specific kind of spyware that records all the keystrokes a user makes—great for stealing passwords. A rootkit is malware that targets the underlying operating system to give the attacker ultimate control. It gets its name because it’s a kit of tools that (generally illicitly) gain root access (administrator-level control, in Unix terms) over the target system, and use that power to hide their presence. Adware is malware that forces your browser to redirect to web advertisements, which often themselves seek to download further, even more malicious software. As The New York Times notes, adware often piggybacks onto tempting “free” programs like games or browser extensions. Ransomware is a flavor of malware that encrypts your hard drive’s files and demands a payment, usually in Bitcoin, in exchange for the decryption key. Several high-profile malware outbreaks of the last few years, such as Petya, are ransomware. Without the decryption key, it’s mathematically impossible for victims to regain access to their files. So-called scareware is a sort of shadow version of ransomware; it claims to have taken control of your computer and demands a ransom, but actually is just using tricks like browser redirect loops to make it seem as if it’s done more damage than it really has, and unlike ransomware can be relatively easily disabled. Cryptojacking is another way attackers can force you to supply them with Bitcoin—only it works without you necessarily knowing. The crypto mining malware infects your computer and uses your CPU cycles to mine Bitcoin for your attacker’s profit. The mining software may run in the background on your operating system or even as JavaScript in a browser window. Malvertising is the use of legitimate ads or ad networks to covertly deliver malware to unsuspecting users’ computers. For example, a cybercriminal might pay to place an ad on a legitimate website. When a user clicks on the ad, code in the ad either redirects them to a malicious website or installs malware on their computer. In some cases, the malware embedded in an ad might execute automatically without any action from the user, a technique referred to as a “drive-by download.” A remote access trojan (RAT) is malware that gives an attacker control of a victim’s computer, similar to how legitimate remote access software allows helpdesk employees to take over users’ desktops to fix issues, essentially, rootkits that propagate like Trojans. A downloader is a type of Trojan that, as the name suggests, downloads other pieces of malware (sometimes in multiples). Polymorphic malware, also known as mutating malware, changes to avoid detection by antivirus and intrusion detection software. The Storm Worm is one such example. Any specific piece of malware has both a means of infection and a behavioral category. So, for instance, WannaCry is a ransomware worm. And a particular piece of malware might have different forms with different attack vectors: for instance, the Emotet banking malware has been spotted in the wild as both a trojan and a worm. A look at the Center for Internet Security’s top 10 malware offenders for Q4 of 2023 gives you a good sense of the types of malware in use today. NanoCore and Gh0st, are RATs, CoinMiner is cryptocurrency malware, and SocGholish and RogueRaticate are downloaders. Does malware affect mobile devices? In a word, yes, malware affects mobile devices and, according to Kaspersky, the threat is growing. In 2023, attacks on mobile devices increased 52% over the prior year, with adware accounting for 40.8% of all threats detected. Pegasus, mobile spyware that targets both iOS and Android, is on CIS’s top malware offenders list. Some other common types of mobile malware are banking malware, mobile ransomware, and mobile adware. 52%From 2022 to 2023, attacks on mobile devices increased 52%, making up 40.8% of all threats detected, according to antivirus vendor Kaspersky. Mobile malware in the news: Over 60,000 Android apps infected with adware-pushing malware Guerrilla malware is preinfected on 8.9 million Android devices, Trend Micro says Espionage campaign loads VPN spyware on Android devices via social media Android-based banking Trojan Nexus now available as malware-as-a-service Russia points finger at US for iPhone exploit campaign that also hit Kaspersky Lab Apple patches exploits used in spy campaign ‘Operation Triangulation’ Identifying signs of malware It’s fully possible—and perhaps even likely—that your system will be infected by malware at some point despite your best efforts. How can you tell for sure? Security expert Roger Grimes has a great guide on telltale signs you’ve been hacked, which can range from a sudden decline in your computer’s performance to unexpected movements of your mouse pointer. He’s also written a deep dive into how to diagnose your how to detect malware on Windows PCs that you might find helpful. When you get to the level of corporate IT, there are also more advanced visibility tools you can use to see what’s going on in your networks and detect malware infections. Most forms of malware use the network to either spread or send information back to their controllers, so network traffic contains signals of malware infection that you might otherwise miss; there are a wide range of network monitoring tools out there, with prices ranging from a few dollars to a few thousand. There are also SIEM tools, which evolved from log management programs; these tools analyze logs from various computers and appliances across your infrastructure looking for signs of problems, including malware infection. SIEM vendors range from industry stalwarts like IBM and HP Enterprise to smaller specialists like Splunk and Alien Vault. How to prevent malware Much of malware prevention comes down to good cyber hygiene. At minimum, you should be taking these 7 steps: Provide regular security awareness training for users Have a solid patch management program Keep your software updated Keep your asset inventory up-to-date Perform regular vulnerability assessments Monitoring network traffic Keep good backups With spam and phishing email consistently one of the primary vectors by which malware infects computers, one of the best ways to prevent malware is make sure your email systems are locked down tight—and your users know how to spot danger. We recommend a combination of carefully checking attached documents and restricting potentially dangerous user behavior—as well as just familiarizing your users with common phishing scams so that their common sense can kick in. When it comes to more technical preventative measures, there are a number of steps you can take, including keeping all your systems patched and updated, keeping an inventory of hardware so you know what you need to protect, and performing continuous vulnerability assessments on your infrastructure. For ransomware attacks in particular, one way to be prepared is to always make backups of your files, ensuring that you’ll never need to pay a ransom to get them back if your hard drive is encrypted. Malware protection Antivirus software is the most widely known product in the category of malware protection products; despite “virus” being in the name, most offerings take on all forms of malware. While high-end security pros dismiss it as obsolete, it’s still the backbone of basic anti-malware defense. Today’s best antivirus software is from vendors Kaspersky Lab, Symantec and Trend Micro, according to recent tests by AV-TEST. When it comes to more advanced corporate networks, endpoint security offerings provide defense in depth against malware. They provide not only the signature-based malware detection that you expect from antivirus, but anti-spyware, personal firewall, application control and other styles of host intrusion prevention. Gartner offers a list of its top picks in this space, which include products from Cylance, CrowdStrike, and Carbon Black. How to detect malware It’s fully possible—and perhaps even likely—that your system will be infected by malware at some point despite your best efforts. How can you tell for sure? Security expert Roger Grimes has a great guide on telltale signs you’ve been hacked, which can range from a sudden decline in your computer’s performance to unexpected movements of your mouse pointer. He’s also written a deep dive into how to diagnose your PC for potential malware that you might find helpful. When you get to the level of corporate IT, there are also more advanced visibility tools you can use to see what’s going on in your networks and detect malware infections. Most forms of malware use the network to either spread or send information back to their controllers, so network traffic contains signals of malware infection that you might otherwise miss; there are a wide range of network monitoring tools out there, with prices ranging from a few dollars to a few thousand. There are also SIEM tools, which evolved from log management programs; these tools analyze logs from various computers and appliances across your infrastructure looking for signs of problems, including malware infection. SIEM vendors range from industry stalwarts like IBM and HP Enterprise to smaller specialists like Splunk and Alien Vault. Malware protection Antivirus software is the most widely known product in the category of malware protection products; despite “virus” being in the name, most offerings take on all forms of malware. While high-end security pros dismiss it as obsolete, it’s still the backbone of basic anti-malware defense. When it comes to more advanced corporate networks, endpoint security offerings provide defense in depth against malware. They provide not only the signature-based malware detection that you expect from antivirus, but anti-spyware, personal firewall, application control and other styles of host intrusion prevention. CSO offers advice on how to choose an endpoint security offering, and gives an outline of the top vendors, which include BitFinder, Malwarebytes, and Sophos. Malware removal How to remove malware once you’re infected is in fact the million dollar question. Malware removal is a tricky business, and the method can vary depending on the type you’re dealing with. CSO has information on how to remove or otherwise recover from rootkits, ransomware, and cryptojacking. We also have a guide to auditing your Windows registry to figure out how to move forward. If you’re looking for tools for cleansing your system, Tech Radar has a good roundup of free offerings, which contains some familiar names from the antivirus world along with newcomers like Malwarebytes. Malware trends You can count on cyber criminals to follow the money. They will target victims depending on likelihood of delivering their malware successfully and size of potential payout. If you look at malware trends over the past few years, you will see some fluctuation in terms of the popularity of certain types of malware and who the most common victims are—all driven by what the criminals believe will have the biggest ROI. Recent research from cybersecurity firm Mandiant, based on investigations of targeted attack activity the company conducted in 2023, indicate some interesting shifts in malware tactics and targets. These include: Attackers are very focused on avoiding detection with the goal of remaining on networks as long as possible. Despite this, average dwell time dropped from 16 days in 2022 to 10 days in 2023. This can be attributed to an increase in ransomware attacks, which typically have a lower dwell time than other types of malware. Ransomware comprised 23% of Mandiant investigations in 2023, up from 18% in 2022 Attackers engaging in espionage and financially-motivated attacks continue to leverage zero-day vulnerabilities. Vulnerabilities in MOVEit file transfer, Oracle E-Business Suite, and Barracuda Email Security Gateways were the most leveraged by attackers. More than one-third of attacks (36%) were financially motivated. Financial services firms were the most highly targeted by attackers, comprising 17.3% of Mandiant’s investigations, followed by business and professional services (13.3), high tech (12.4%), retail and hospitality (8.6%), and healthcare (8.1%). This article, originally written in 2019, has been updated to reflect current trends. More on malware 9 types of malware and how to recognize them CISA opens its malware analysis and threat hunting tool for public use Surge in “hunter-killer” malware poses significant challenge to security teams Malware variability explained: Changing behavior for stealth and persistence DNS data shows one in 10 organizations have malware traffic on their networks Malware, Phishing, Ransomware, Security
https://www.csoonline.com/article/565999/what-is-malware-viruses-worms-trojans-and-beyond.html
LayerX, pioneer of the LayerX Browser Security platform, today announced $26 million in Series A funding led by Glilot+, the early-growth fund of Glilot Capital Partners, with participation from Dell Technologies Capital and other investors. Lior Litwak, Managing Partner at Glilot Capital and Head of Glilot+, and Yair Snir, Managing Partner at Dell Technologies Capital, will join the LayerX board. The new capital will be used for corporate growth across talent and increasing global market presence. This round brings the company’s total investment to $34 million. Today’s modern enterprise employees rely heavily on browser-based services and SaaS applications. Yet, these fundamental work activities expose organizations to a wide range of security risks, like data leaks, identity and password theft, malicious browser extensions, phishing sites and more. LayerX was purpose-built to secure and govern browser-based work, from both managed and unmanaged devices. “We’ve transformed workforce protection for organizations without requiring the transition to a dedicated secure browser. Unlike other solutions, installed in a matter of minutes, the LayerX Browser Extension does not impact employee efficiency, speed, privacy or the browsing experience, ” said Or Eshed, co-founder and CEO, LayerX. “As the browser becomes more central to the employee, we anticipate it becomes more attractive to the attacker, particularly in the wake of GenAI tools used in browser-related activities,” he continues. “Today’s funding round is a testament to our increasing market opportunity and the innovation behind our platform’s user-friendly approach to a more secure browser experience.” LayerX’s Enterprise Browser Extension is compatible with all commonly used browsers, including Chrome, Firefox, Edge and others, without requiring agents, a VPN or network modifications. Once deployed, the information security or IT team gains visibility into user activities and can block or restrict any threat in real-time, without impacting the user experience. LayerX protects against all threats, whether they were inadvertently or maliciously caused by the employee, or whether they were originated by the attacker. The solution includes an AI engine that granularly monitors the code run by the browser and automatically generates a variety of insights related to user behavior in the browser. “Since inception, LayerX showed super fast growth and adoption by the world’s leading enterprises. The company is at the forefront of defense for modern organizations. By protecting the browser, the central productivity application in organizations, from a wide range of new-generation security risks, LayerX can solve acute security problems that have remained unanswered until now,” said Kobi Samboursky, Founding and Managing Partner at Glilot Capital “We believe that this novel solution for securing browsers will replace most SASE and SSE solutions prevalent today in organizations. At an estimated market size of $7 billion, the potential inherent in LayerX’s technology is tremendous.” “Similar to other successful entrepreneurs in the cybersecurity field we’ve collaborated with, Or and David bring significant experience and knowledge in understanding the technical issues involved in threats to organizations and the motivations of attackers. Consequently, they recognize that effective security measures should adapt to real-world user behaviors, rather than the other way around,” said Yair Snir, Managing Director at Dell Technologies Capital. “In a world where most computer operations are conducted through browsers, LayerX introduces a creative approach to corporate security that is user-friendly, robust, and easily implementable in large organizations. This approach transforms the browser from a major vulnerability to a strength, facilitating secure work across devices. Our investment in LayerX isn’t just driven by the promising opportunity but also by the potential impact of the company’s solution on organizations, regardless of where employees conduct their tasks.” About LayerX LayerX was founded in 2022 by Or Eshed, CEO, and David Weisbrot, CTO, who developed web attack and defense systems during their military service. In 2017, Eshed led the exposure of the largest attack campaign in history on the Chrome browser, which involved tens of millions of compromised browsers and even led to the capture and trial of the hackers. LayerX has Fortune 100 clients worldwide. LayerX Enterprise Browser Extension natively integrates with any browser, turning it into the most secure and manageable workspace, with no impact on the user experience. Enterprises use LayerX to secure their devices, identities, data, and SaaS apps from web-borne threats and browsing risks that endpoint and network solutions can’t protect against. Those include data leakage over the web, SaaS apps and GenAI Tools, malicious browser extensions, phishing, account takeovers, shadow SaaS, and more. Cyberattacks, Security
https://www.csoonline.com/article/2097761/layerx-security-raises-26m-for-its-browser-security-platform-enabling-employees-to-work-securely-from-any-browser-anywhere.html
An Iranian state-sponsored actor known for cyber espionage activities has been using enhanced social engineering tactics, such as posing as journalists and event organizers, to gain access into victim cloud environments, according to a joint Mandiant and Google Cloud research. Tracked by Mandiant as APT42, with believed links to the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), the actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists. “APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest,” Mandiant said in a blog. “APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (IBM X-Force).” Apart from cloud campaigns, the threat actor is also associated with malware-based activities, specifically operating two custom backdoors, NICECURL and TAMECAT. Harvesting Microsoft, Google, and Yahoo credentials Mandiant reported identifying different clusters of infrastructure used by APT42 to harvest credentials from targets in the policy and government sectors, media organizations and journalists, and NGOs and activists. These credentials-harvesting operations began with social engineering to gain initial access to victim networks, “often involving ongoing trust-building correspondence with the victim,” according to the research. “Only then the desired credentials are acquired, and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded),” Mandiant said. These campaigns were carried out in three subsequent steps, Mandiant added. It starts with the victim being tricked into clicking on malicious links with lures that include content related to Iran and other foreign affairs topics. Once clicked the links send victims to fake websites posing as legitimate services, news outlets, and NGOs. Finally, the victims are redirected to fake Microsoft, Google, or Yahoo login pages where harvesting is then carried out. “APT42 enhanced their campaign credibility by using decoy material inviting targets to legitimate and relevant events and conferences,” the blog added. “In one instance, the decoy material was hosted on an attacker-controlled SharePoint folder, accessible only after the victim entered their credentials. Mandiant did not identify malicious elements in the files, suggesting they were used solely to gain the victim’s trust.” To avoid detection, the threat actor deployed multiple defense evasion techniques, that included relying on in-built and publicly available tools of the Microsoft 365 environment, using anonymized infrastructure, and masquerading as the victim’s organization while exfiltrating files to OneDrive. Spear Phishing for dropping malware In addition to the credentials harvesting campaigns, the threat actor was observed deploying two custom backdoors. TAMECAT, a PowerShell toehold that can execute arbitrary PowerShell or C# commands, was identified by Mandiant in March 2024 and dropped by phishing through malicious macro documents. “Mandiant previously observed TAMECAT used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, government, or intergovernmental organizations around the world,” the blog added. In January 2024, the research came upon a malicious Sothink logo maker (LMK) file downloading NICECURL, a backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution. The LMK file was accompanied by a PDF decoy that masqueraded as an Interview Feedback Form of the Harvard T.H. Chan School of Public Health. “Both of these backdoors were delivered with decoy content and provide APT42 operators with initial access to the targets,” Mandiant added. “The backdoors provide a flexible code-execution interface that may be used as a jumping point to deploy additional malware or to manually execute commands on the device.” The blog added a list of Indicators of compromise (IoCs), which included the names of the news outlets and research institutes, legitimate services, generic login services, URL shortening services, mailer daemon, and file sharing services used by the threat actor. Hacker Groups, Social Engineering
https://www.csoonline.com/article/2097509/iranian-hackers-harvest-credentials-through-advanced-social-engineering-campaigns.html
In a major blow to user trust, Dropbox revealed a security breach in its e-signature platform, Dropbox Sign, formerly known as HelloSign. Unauthorized and unknown entities accessed Dropbox Sign’s environment that contained customer data including usernames, email addresses, and other details, the company confirmed in a blog post. The company learned about this incident on April 24, Dropbox said in a blog post. “Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” the post added. Further, the company also admitted that the names and email addresses of those customers were also exposed who had never created an account with Dropbox Sign but had “received or signed a document through Dropbox Sign.” “We’ve found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information,” the company said. “From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products,” the company tried to assure the users in the blog post. Customers express concerns Dropbox said it swung into action as soon as it discovered the breach and “launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users.” Its investigation revealed that “a third party gained access to a Dropbox Sign automated system configuration tool.” “The actor compromised a service account that was part of Dropbox Sign’s back-end, which is a type of non-human account used to execute applications and run automated services.” The threat actor, the company said, then used this access to the “production environment to access our customer database.” The company confirmed in the blog post that it had reset users’ passwords, logged users out of all active sessions and devices, and is “coordinating the rotation of all API keys and OAuth tokens.” The company is also notifying users of the breach via email and providing them with instructions on securing their accounts and changing passwords. However, this incident sparked concerns among users regarding the security of their data and the potential consequences of the breach. “As a manpower recruitment and consulting firm, we depend on secure platforms like Dropbox Sign to manage sensitive candidate and client information. News of this breach is unsettling, particularly considering the potential exposure of confidential documents like resumes and contracts,” said Shalu Bindlish, director at Advaita Bedanta Consultants, an India-based manpower company. The breach reinforces the need for robust security protocols within these platforms, Bindlish said. “However, we are encouraged by Dropbox’s commitment to address the issue and improve their security measures. We look forward to a clear understanding of the breach and the steps they’re taking to prevent similar incidents in the future.” Similar concerns were raised by MotorFloor, a marketplace for commercial vehicles. “We rely heavily on Dropbox to securely store and share documents with clients and partners,” said Subrat Kar, founder of MotorFloor. This breach is concerning, especially considering the recent rise in cyberattacks, he said. “However, I’m hopeful that Dropbox will learn from this incident and implement even stronger security measures to regain our trust. We need reliable cloud storage solutions, and I believe Dropbox has the potential to be that solution, provided they prioritize robust cybersecurity.” Impact on the e-signature industry The Dropbox users’ data breach comes at a time when e-signature companies are witnessing rapid growth on account of a surge in remote work and the need for contactless document signatures. This development underscores the critical importance of robust security measures in e-signature applications to ensure user trust, said Neil Shah, VP for research, and partner at Counterpoint Research. “As companies such as Dropbox get bigger with hundreds of millions of users’ scale, they will need to up their game on the security on all fronts, especially for acquired companies. Integration of acquired companies is always a challenge and there is a high chance of security loopholes.” The use of AI in cybersecurity, Shah said, “will be the focus in coming years on how the companies can smartly learn, predict and prevent from bad actors and will need to be at least two steps ahead.” Dropbox, in an attempt to retain user trust, acknowledged its shortcomings and apologized to its customers for the inconvenience and impact caused. “We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers,” it said in the blog post. Data Breach
https://www.csoonline.com/article/2097486/dropbox-sign-hack-exposed-user-data-raises-security-concerns-for-e-sign-industry.html
UnitedHealth CEO Andrew Witty testified before the House Energy and Commerce Committee that the personal data of potentially a third of US citizens may have been exposed on the dark web following the ransomware attack on its Change Healthcare unit. Despite paying a $22 million ransom in Bitcoin to regain access to encrypted files, Witty admitted that the company cannot confirm whether copies of the data were made or published online. During the hearing, Witty initially indicated that a “substantial proportion” of individuals were impacted based on preliminary targeted data sampling. However, under further questioning, he specified that the breach could affect “maybe a third” of the US population, though he could not provide a definite figure as the investigation is ongoing. Witty also mentioned that efforts to monitor the internet and dark web for any signs of the data leak were ongoing. Additionally, he disclosed hearing of a splinter cybercriminal group that had threatened to release patient information but from whom the company has not received recent communications. Multi-factor authentication and other concerns A significant concern raised by the Committee was UnitedHealth’s failure to implement multi-factor authentication (MFA), a now-standard cybersecurity measure. The committee emphasized that MFA should be a fundamental expectation for an entity like Change Healthcare, given the vast amount of sensitive data it handles. Witty explained that Change Healthcare, which merged into UnitedHealth towards the end of 2022, utilized older technologies that the company had been updating since its acquisition. However, the timing proved critical as the ransomware attack compromised both the primary and backup systems, rendering the backups inoperable and exacerbating the impact of the breach. The committee also highlighted a joint cybersecurity alert issued in December 2023 by the FBI, HHS, and the Cybersecurity Infrastructure Security Agency. This alert detailed the tactics of a sophisticated Russian hacker group known as Alpha 5 or Black Cat that targets critical infrastructure. In response, Witty acknowledged that a server within Change Healthcare lacked the protective measures outlined in the alert, and he confirmed that an investigation into this oversight is underway. The committee further expressed concerns about the potential national security implications if the personal records of federal employees were compromised in the breach. They emphasized the importance of UnitedHealth notifying them promptly if such a breach occurred, underscoring the gravity of the situation. Response to the attack Witty said UnitedHealth is in the process of restoring its operations, a task prolonged by the necessity to rebuild its platforms using modern, often cloud-based technologies that offer enhanced security features compared to pre-attack systems. UnitedHealth has also engaged several third-party vendors to bolster its cybersecurity measures, including Mandiant, Palo Alto Systems, and Bishop Fox. Furthermore, UnitedHealth has appointed Mandiant as a permanent advisor to enhance ongoing security efforts. “… we’ve brought into the organization supplemental screening capabilities with third-party organizations, so making sure that we have secondary and tertiary level screening going on in the organization in addition to our own capabilities,” Witty said. “And we’re also reviewing through our investigations any lessons learned from this attack, which will obviously not only be implemented across United, but we’ll share with other partners in the system.” However, when questioned about which vendors were responsible for cybersecurity at the time of the attack, Witty stated that he did not have the names. The company is also working on new platforms to improve customer confidence after the incident. “We’ve had those platforms tested by all the best cybersecurity companies in the country, including aggressive penetration tests to prove that they can withstand the highest levels of assault, that we share that information with key partners in the system who need to connect with us,” Witty said. Data Breach, Hacking, Ransomware
https://www.csoonline.com/article/2097479/unitedhealth-hack-may-impact-a-third-of-us-citizens-ceo-testimony.html
Themed the Art of Possible, the 2024 RSA Conference takes place between 6 and 9 of May and will offer insights into the latest trends, how to master new skills, and more. More than 640 vendors will exhibit their new products at the expo and CSO has sifted through the upcoming announcements and gathered the products and services that caught our eye. CSO will update this article as more announcements become available. We’ve organized the listings by the day of the announcement. RSA pre-conference announcements Commvault Cloud Cleanroom Recovery Commvault will showcase its Cloud Cleanroom Recovery, an isolated environment designed to test and strengthen cyber resilience. It functions as a classroom to share knowledge with teams about unknown threats and a strategic war room for crafting realistic plans to tackle new compliance challenges. While Cleanroom Recovery typically exists in the cloud, Commvault will be doing a physical demonstration. Cleanroom Recovery capabilities allow organizations to test organization’s cyber recovery plans and backup production systems before an attack occurs, recover data and applications automatically, and rebuild digital infrastructure after cyber incidents. Commvault will be at RSAC booths 4308 and 5778. Trend Micro zero trust security access AI gateway Trend Micro has revealed new capabilities to its Trend Vision One, Zero Trust Secure Access(ZTSA) controls for AI service use. The AI gateway is designed to protect the end user journey when accessing public or private generative AI services. Specifically, it includes centralized management of employee access and usage of AI applications, prompt inspection to prevent data leaks and malicious injections, content filtering to meet compliance requirements and defense against large language model (LLM) attacks. Adaptive Shield SaaS security for generative AI Adaptive Shield SaaS Security Posture Management (SSPM) detection and response capabilities for AI-driven applications is designed to enable enterprises to mitigate the risks introduced by the growing use of generative AI. Some of the features include a security score for each application to help security teams pinpoint those with heightened risk levels; control AI-related security settings within SaaS applications to prevent data leakage or any exposure; discovery and management of shadow apps; management of 3rd party longtail ai-sanctioned apps, securing homegrown applications and data management. Adaptive Shield will be at RSAC booth 1455. Bugcrowd AI penetration testing Bugcrowd added AI penetration testing to its security platform. The addition is designed to help AI adopters detect common security flaws before threat actors take advantage. It helps uncover common flaws in prompt injection, training data extraction, data poisoning, and other types of attacks, using a testing methodology based on its open-source Vulnerability Rating Taxonomy. It does this by finding and fixing common issues; tests target, scope and use cases; checks for vulnerabilities in the OWASP Top 10 for LLMs, along with others; and offers curated pentester teams. Bugcrowd will be at RSAC booth 2245. Legit Security software compliance attestation trust center Legit Security introduced a software compliance attestation trust center, which by using frameworks such as SLSA, PCI DSS, SOC2, and ISO 27001, helps teams quickly assess the state of a software security program to identify gaps that create risk. The trust center also supports new CISA requirements. It includes out-of-the-box controls and automated validation, customizations defined by customers to enable precise compliance reporting, captures and enables users to export required data by using compliance frameworks to determine status when attesting to CISA or other security frameworks, continuous compliance and faster remediation and new dashboard and reporting capabilities. Legit Security will be at RSAC booth 0232. Dope.security cloud access security broker Dope.security’s CASB Neural is a cloud access security broker (CASB) powered by deep learning AI. The product utilizes LLMs to restrict risky SaaS usage and improve DLP by identifying and comprehending externally shared sensitive documents. CASB Neural is designed to identify, extract and understand all externally shared files and display an LLM-generated classification summary when content is sensitive. This enables organizations to identify exposed sensitive data and enables customers to review and/or unshare the data. Orca Security, ModePUSH digital forensics Orca Security in partnership with ModePUSH launched cloud digital forensics and incident response services designed to enable organizations to quickly understand and respond to breaches or compromises across their cloud estates and application layers. This is done by using intelligence from the Orca Cloud Native Application Protection Platform (CNAPP). The integrated capabilities combine data from Orca’s SideScanning snapshots with cloud provider audit logs and third-party agents to detect suspicious activity, potential compromises, or advanced threats. Orca Security will be at RSAC booth 1627. Sevco updates security platform Sevco Security has updated its platform with new capabilities that proactively prioritize, automate, and validate the remediation of exposures, including software and environmental vulnerabilities like missing security tools and IT hygiene issues. A new remediation analytics dashboard enables security leaders to view detailed real-time tracking of issues by date with timestamps when issues surface, when action is taken, and when remediation is complete. Cybersecurity teams gain quantifiable insights to manage remediation programs, highlighting where efforts are working and where they aren’t. Semperis adds ML to identity threat detection and response Semperis Lightning Identity Runtime Protection (IRP) is an identity threat detection and response (ITDR) product that uses machine learning models to detect widespread and successful attack patterns such as password spray, credential stuffing, other brute force attacks, and risky anomalies. Part of the Semperis Lightning platform, IRP uses algorithms trained on Semperis’ experience to detect sophisticated identity attacks. Semperis CEO Mickey Bresman will be on The Cost of Innovation: Complexities of Software Regulation panel on Tuesday, May 7. Halcyon Ransomware Warranty program Halcyon’s Ransomware Warranty program complements the vendor’s ransomware protection offer a step further, with the promise that for any attacks that bypass its defence system Halcyon will provide incident response and recovery services, minimizing downtime and impact on business operations. The level of professional services provided is based on the number of purchased endpoint licenses during the warranty period. The warranty covers all endpoints within the customer’s protected environment where Halcyon’s anti-ransomware solution is operational. To be eligible, organizations must maintain an active Halcyon subscription, ensure their endpoints are in a Blocking Security Posture, and comply with Halcyon’s Subscription Services Agreement. Halcyon will be at RSAC booth 3324. RSA Conference, Security
https://www.csoonline.com/article/2097067/most-interesting-products-to-see-at-rsac-2024.html
Amid serious cyberattacks by Russian and Chinese threat actors, the Biden administration issued a new National Security Memorandum (NSM-22) to update Presidential Policy Director 21 (PPD-21) from the Obama administration to secure and enhance the resilience of US critical infrastructure in “a comprehensive effort to protect US infrastructure against all threats and hazards, current and future.” The NSM is a wide-ranging document that: Places the Department of Homeland Security (DHS) at the forefront of the whole-of-government approach to secure US critical infrastructure by designating the Cybersecurity & Infrastructure Security Agency (CISA) as the National Coordinator for Security and Resilience to coordinate efforts. Directs the US intelligence community, consistent with the goals outlined in the 2023 National Intelligence Strategy, to collect, produce, and share intelligence and information with federal departments and agencies, state and local partners, and the owners and operators of critical infrastructure. Reaffirms the designation of 16 critical infrastructure sectors and a federal department or agency as the Sector Risk Management Agency (SRMA) for each sector. Earlier this year, some discussion suggested expanding the sixteen sectors to include new security terrains such as space. Elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment. Changes in the threat environment prompted update During a press call, Jen Easterly, the director of CISA, underscored the collaborative nature of the NSM-22. She emphasized the significant changes in the threat environment since the Obama administration and the US government’s substantial investments in protecting critical infrastructure. “This NSM really builds on important work that has been happening across the government and, in particular, CISA and agencies, working with industry undertaking a partnership to ensure that we can understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day,” Easterly said, inviting all stakeholders to join in this crucial effort. “What they’re doing with this policy is they’re updating the executive branch approach to critical infrastructure security resilience, working in partnership with the private sector and state local governments to advance this mission in the face of what they take to be the current threat environment,” Bob Kolaksy, senior vice president for critical infrastructure at Exiger, tells CSO. Kolasky, who was instrumental in implementing PPD-21 during his time in government, said the NSM also relies on “lessons learned from the previous policies, making sure that it is aligned to organize the federal government as effectively as possible to deal with today’s risks to critical infrastructure.” The NSM is the executive branch’s fourth iteration of a comprehensive policy to protect critical infrastructure. Before PPD-21, there was the Homeland Security Presidential Directive 7 in 2003 and the Presidential Decision Directive/NSC-63 in 1997. Principles and objectives driving the NSM The NSM cites eight core principles that drive the NSM. First among these is a sense of shared responsibility by government entities and the owners of critical to come together in a “national unity of effort.” Related to this united effort is the principle that government regulatory and oversight entities “have a responsibility to prioritize establishing and implementing minimum requirements for risk management, including those requirements that address sector-specific and cross-sector risks.” Among the other principles cited in the NSM is that critical infrastructure security and resilience require a risk-based approach that considers “all threats and hazards, likelihood, vulnerabilities, and consequences, including shocks and stressors.” Another value stressed in the NSM is the ever-important exchange of “timely and actionable” information between government organizations and the private sector to reduce risk. Easterly said during the press call that “CISA will continue to support the work of our partners across the US government by leveraging existing relationships, processes, and networks to share critical information and guidance and then provide additional guidance and resources to aid sector risk management agencies in the execution of the roles and responsibilities in the new NSM.” CISA’s more defined role could bring the private sector to the table The NSM more clearly defines and arguably expands CISA’s role with DHS. Among other things, CISA will coordinate with the SRMAs to fulfill “their roles and responsibilities and implement national priorities consistent with strategic guidance and the National Infrastructure Risk Management Plan (National Plan), as required by statute.” CISA’s director also co-chairs, with a non-CISA SRMA official who serves a two-year term, the Federal Senior Leadership Council (FSLC), which under the NSM will “be the consensus-based body that coordinates and deconflicts the shared responsibilities and activities of Federal departments and agencies,” informed by engagement with the National Security Council. The NSM also directs the development and maintenance of a non-public list of “systematically important entities” whose disruption or malfunction would cause significant and cascading negative impacts on national security. During the press call, Easterly said CISA had already begun working to establish this list, and a senior administration official said the list currently has less than 500 entities. Although the federal government and the NSM can’t prescribe what private sector organizations should do, CISA must, by necessity, work closely with the private sector to develop the minimum requirements for risk management and the list of systematically important entities. The private sector must be at the table “in defining what minimum requirements are and what it means to be a systemically important entity, what expectations are placed on systemically important entities, and what the relationship is between the government and systemically important entities” Kolasky says. Emphasis on water sector security Perhaps because of the recent high-profile attacks on US water systems attributed to Iran, China, and Russia, the Biden administration emphasized the importance of the NSM in protecting this critical sector. “The policy is particularly relevant today, given continued disruptive ransomware attacks, cyberattacks on US water systems by our adversaries,” Easterly said during the press briefing. “Cybersecurity and climate change threats pose serious risks to the drinking water and wastewater services that people in this country rely on every day, and recent cyber-attacks on water systems underscore the urgency of increased and coordinated action to protect public health and the environment,” EPA Deputy Administrator Janet McCabe said. Future actions in implementing the NSM The NSM stipulates that within one year of its date and annually after that, on June 30, the Director of National Intelligence (DNI), in coordination with the intelligence community, must submit to the President a report on intelligence collection against threats to US critical infrastructure. It also says that the DNI must submit to the President a report on intelligence and information sharing on threats to the US critical infrastructure with owners and operators and SRMAs annually. Finally, within 12 months of the date of the NSM, the DNI must establish implementing guidance to ensure the intelligence community, to the maximum extent possible, timely notifies appropriate Federal departments and agencies, including the FBI, CISA, and relevant SRMAs, when intelligence elements are aware of specific and credible threats to the United States critical infrastructure. Another critical future step is to ensure that CISA has the budget to accomplish its new responsibilities in the NSM. “Saying CISA’s got more authority, saying that the sector risk management agencies have to do a more robust job of being sector risk management agencies, has to come with the budget and resources for them to do the robust job,” Kolasky says. Critical Infrastructure, Government, Security Practices, Threat and Vulnerability Management
https://www.csoonline.com/article/2097026/__trashed-101.html
The US National Institute of Standards and Technology (NIST) this week published four guides designed to give AI developers and cybersecurity professionals a deeper dive on the risks addressed by the organization’s influential 2023 “AI Risk Management Framework” (AI RMF). Issued in draft form, the documents are the latest building blocks put in place by federal agencies following US President Joe Biden’s October 2023 executive order setting how the US government will require the tech industry to mitigate different types of AI risk. Although all make good background reading for decision-makers in tech, the first three cover areas of more acute concern for people in cybersecurity: Generative AI risks Drawing on NIST’s generative AI working group, the “AI RMF Generative AI Profile” (NIST AI 600-1) lists 13 risks relating to generative AI, including malware coding, cyberattack automation, the spreading of disinformation, social engineering, AI hallucinations (“confabulation”), and the possibility that generative AI might over-consume resources. The document concludes with 400 recommendations developers can adopt to mitigate these risks. Malicious training data An add-on to NIST’s “Secure Software Development Framework” (SSDF), the guide “Secure Software Development Practices for Generative AI and Dual-Use Foundation Models” (NIST Special Publication (SP) 800-218A) is broadly concerned with where AI gets its data from and whether this and the models weighting it are open to tampering. According to NIST, “Some models may be complex to the point that they cannot easily be thoroughly inspected, potentially allowing for undetectable execution of arbitrary code.” Synthetic Content Risks Today’s first-generation AI systems are capable of maliciously synthesizing images, sound, and video well enough for it to be indistinguishable from genuine content. The guide “Reducing Risks Posed by Synthetic Content” (NIST AI 100-4) examines how developers can authenticate, label, and track the provenance of content using technologies such as watermarking. A fourth and final document, “A Plan for Global Engagement on AI Standards” (NIST AI 100-5), examines the broader issue of AI standardization and coordination in a global context. This is probably less of a worry now but will eventually loom large. The US is only one albeit major jurisdiction; without some agreement on global standards, the fear is AI might eventually become a chaotic free-for-all. “In the six months since President Biden enacted his historic Executive Order on AI, the Commerce Department has been working hard to research and develop the guidance needed to safely harness the potential of AI, while minimizing the risks associated with it,” said US Secretary of Commerce Gina Raimondo. “The announcements we are making today show our commitment to transparency and feedback from all stakeholders and the tremendous progress we have made in a short amount of time.” NIST guides are likely to become required cybersecurity reading Once the documents are finalized later this year, they are likely to become important reference points. Although NIST’s AI RMF is not a set of regulations organizations must comply with, it sets out clear boundaries on what counts as good practice. Even so, assimilating a new body of knowledge on top of NIST’s industry-standard Cybersecurity Framework (CSF) will still be a challenge for professionals said Kai Roer, CEO and founder of Praxis Security Labs, who in 2023 participated in a Norwegian Government committee on ethics in AI. “CISOs already give lots of attention to NIST cybersecurity regulations and those with enough resources may also start looking at AI. However, most are unlikely to be able to give it the focus it really needs,” Roer told CSO Online. When regulation arrives, it will create a new layer of compliance anxiety. “What keeps them [CISOs] up at night is new regulatory demands that might be impossible to implement.” This included the likelihood that employees or supply chain partners would adopt AI for perfectly good reasons but without seeking approval or assessing a project against any rules. All this at a time when criminals will surely pounce on AI as a way of improving automation and the scale of attacks. “CISOs are already playing catchup in many areas, and AI is not going to improve that. However, AI is also likely to present better, more effective tools. The challenge will be to weed out the vaporware and identify the tools and vendors able to provide real value,” Roer said. Government, Regulation, Security, Security Practices
https://www.csoonline.com/article/2097119/nist-publishes-new-guides-on-ai-risk-for-developers-and-cisos.html
Cyber criminals are deploying new and innovative lines of attacks along with variations on tried-and-true methods that remain successful, Verizon’s 2024 Data Breach Investigations Report has found. The report, now in its 17th year, analyzed more than 30,000 real-world security incidents, including a record high of just over 10,000 confirmed data breaches, spanning 94 countries. “We’ve seen an overall increase in the volume of data breaches as the threat landscape continues to expand,” Rob Le Busque, regional VP at Verizon Business, told CSO. The top three most popular vectors for data breaches were unauthorized uses of web application credentials, email phishing and exploiting vulnerabilities in web applications, when excluding errors and misuse, typically honest mistakes by employees. It paints a picture of a complex, changing environment of global cyber-crime impacting organizations of all sizes and types. Main findings of Verizon’s data breach report In all, the report reveals areas where organizations need to be more vigilant and where the results of awareness training are showing positive signs. 1. MOVEit zero-day vulnerability drives big jump in breaches The headline finding for this year is the almost triple increase (up 180%) in attacks involving the exploitation of vulnerabilities. Not surprising in the year that saw the mass exploitation of the MOVEit zero-day vulnerability and other similar ones. These attacks were primarily leveraged by ransomware and other extortion-related threat actors, and the main entry point was web applications, the report noted. Analyzing the data also reveals a significant area of weakness among many organizations — bad actors are more quickly harnessing vulnerabilities than organizations can patch them. It takes organizations approximately 55 days to fix half of these vulnerabilities, while large-scale scanning for those same vulnerabilities by threat actors is happening within five days, Verizon found. While many organizations have robust, mature vulnerability management and patching programs, complacency can be a danger when it comes to reviewing these elements of the cybersecurity posture. “Going forward, they need to dust off those plans, relook at the strategies and even increase funding to elevate the level of risk and importance patching has,” said Le Busque. 2. Ransomware and extortion attacks continue to grow Attacks involving ransomware or extortion have seen strong growth over the past year, accounting for a high of 32% of all breaches. Given the prevalence of ransomware attacks, it was a top threat across 92% of industries, and the average cost of attacks was also on the up. “It suggests a refining and maturity of ransomware attacks because criminals are gaining a higher payout for the same effort,” Le Busque told CSO. It also reveals a cybersecurity truism, that ransomware is a business for cyber criminals and financially motivated threat actors invariably utilize attack techniques providing the best return on investment. 3. The human element still accounts for a substantial percentage of breaches Some 68% of breaches, roughly the same as the previous year, involve a non-malicious human element, demonstrating how people remain a vulnerable link in the security chain. This indicates that there’s still significant scope for security awareness to reduce the impact of breaches on organizations. “The more we educate and train people and the more awareness we can build, both at a company level and as an industry, the better off everyone will be,” said Le Busque. 4. Unintended errors are leading to incidents Breaches involving errors are growing, accounting for almost a third of incidents in 2023. Errors include misconfigurations, clicking on links and sending information or data unencrypted outside of the organization that falls into the wrong hands. The inclusion of several new mandatory breach notification entities may have helped push this up, the report noted. Given these directives now compel some organizations to declare incidents, it suggests that until now these types of errors have been more common in breaches than media or traditional incident response-driven data has suggested. For organizations, it reveals there’s an opportunity to tighten the guardrails to ensure stronger adherence to security governance procedures and eliminate avoidable lapses as much as possible. “It’s ensuring robust policies and frameworks around data governance that help reduce the opportunity for these errors to be made,” Le Busque said. 5. Education is improving how people identify phishing attempts The 2023 data showed that 20% of people correctly identified phishing in simulation engagements, while 11% of people who clicked on an email also reported they had done so. This continues an upward trend where the rate of users reporting phishing in simulation engagements has been rising over the past few years. It represents a positive sign that organizational education and awareness training continues to be working to help people identify phishing attempts. However, the median time for someone to fall for a phishing email is less than 60 seconds, giving organizations just a small window of time to base their education around. “We need to continue building awareness because real time responsiveness is critical,” he said. Data and Information Security, Data Breach, Zero-day vulnerability
https://www.csoonline.com/article/2096991/5-key-takeways-from-verizons-2024-data-breach-investigations-report.html
There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don’t have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts. Fortunately, plenty of great conferences are coming up in the months ahead. If keeping abreast of security trends and evolving threats is critical to your job — and we know it is — then attending some top-notch security conferences is on your must-do list for 2024. From major events to those that are more narrowly focused, this list from the editors of CSO, will help you find the security conferences that matter the most to you. We’ll keep it updated with new conferences so check back often. While we don’t expect this calendar to be comprehensive, we do aim to have it be highly relevant. If there’s something we’ve missed, let us know. You can email your additions, corrections and updates to Samira Sarraf. May 2024 Minneapolis Cybersecurity Conference, Minneapolis, Minnesota: May 2 BSidesSF, San Francisco, California: May 4 – 5 CSA AI Summit at RSAC, San Francisco, California: May 6 RSA Conference, San Francisco, California: May 6 – 9 Identity Management (IDM) Nordics, Stockholm, Sweden: May 7 ItaliaSec, Milano, Italy: May 7 – 8 ECS Nordics Enterprise Cyber Security, Stockholm, Sweden: May 8 SANS Security West San Diego 2024, Virtual and San Diego, California: May 9 – 14 BSides312, Chicago, Illinois: May 11 IDC CISO Roundtable, Dubai, UAE: May 15 Dallas Cybersecurity Conference, Dallas, Texas: May 16 SANS Cybersecurity Leadership Summit 2024 — Eastern US, Virtual: May 16 BSidesAdelaide, Adelaide, Australia: May 17 – 18 BSidesDublin, Dublin, Ireland: May 18 BsidesSP, Sao Paulo, Brazil: May18-19 BSidesVitoria, Vitoria, Brasil: May 18 SIA GovSummit, Washington, DC: May 21 – 22 SecureWorld Atlanta, Atlanta, Georgia: May 22 Cloud & Cyber Security Expo Frankfurt 2024, Frankfurt, Germany: May 22 – 23 Tampa Cybersecurity Conference, Virtual and Tampa, Florida: May 23 BSidesBUD, Budapest, Hungary: May 23 Government IT Security Conference (GovSec) UK, London, UK: May 23 IDC Digital Strategy & Cybersecurity Roadshow Brazil, TBD, Brazil: May 23 BSidesKnoxville, Knoxville, Tennessee: May 24 Hack in the Box (HITB) Security Conference, Bangkok: May 25 SPHERE24, Helsinki, Finland: May 28 – 29 Identiverse, Las Vegas, Nevada: May 28 – 31 *Security Forum France, TBD France, May 29 BSidesBarcelona, Barcelona, Spain: May 29 – 30 CyberSec Europe, Brussels, Belgium: May 29 – 30 Cybsec-Expo, Piacenza, Italy: May 29-31 SecureWorld Miami, Miami, Florida: May 30 SANS Ransomware Summit 2024 — Eastern US, Virtual: May 31 * This event is presented by Foundry, the parent company of CSO. June 2024 BSidesCheltenham, Cheltenham, UK: June 1 Gartner Security & Risk Management Summit, National Harbor, Maryland: June 3 – 5 IDC Security Roadshow, Riyadh, Saudi Arabia: June 4 Confidential Computing Summit, San Francisco, US: June 5-6 Kansas City Cybersecurity Conference, Virtual and Kansas City, Missouri: June 6 SecureWorld Chicago, Chicago, Illinois: June 6 IDC Security Roadshow, Doha, Qatar: June 10 AWS re:Inforce, Philadelphia, Pennsylvania: June 10 – 12 AppSec SoCal, Santa Monica, California: June 12 Boston Cybersecurity Conference, Boston, Massachusetts: June 13 Cybersecurity Soiree, Paris, France: June 13 Montreal Cybersecurity Conference, Virtual and Montreal, Quebec: June 13 BSidesLeeds, Leeds, UK: June 15 ICS Security Summit & Training 2024, Virtual and Orlando, Florida: June 17 – 24 IDC Security Forum — Resilient Security: Evolving Strategies for 2024, Milan, Italy: June 18 Identity Management (IDM) UK, London, UK: June 18 OT Cybersecurity Summit, London, UK: June 18 – 19 Cybersecurity Summit: North America Midwest, Chicago, Illinois: June 20 Security LeadHER, Phoenix, Arizona: June 24 – 25 BSidesBangalore, Bangalore, India: June 26 – 28 BSidesTLV, Tel Aviv, Israel: June 27 Chicago Cybersecurity Conference, Chicago, Illinois: June 27 Orange County Cybersecurity Conference, Virtual and Orange County, California: June 27 Neurodiversity in Cybersecurity Summit 2024 — Eastern US, Virtual: June 27 July 2024 MSSP Virtual Cybersecurity Summit 2024, Virtual: July 11 Pittsburgh Cybersecurity Conference, Virtual and Pittsburgh, Pennsylvania: July 11 Healthcare Cybersecurity Summit, New York, New York: July 18 Phoenix Cybersecurity Conference, Phoenix, Arizona: July 18 BSidesCDMX, Mexico City, Mexico: July 19 BSidesAlbuquerque, Albuquerque, New Mexico: July 19 – 20 BSidesIndore, Indore, India: July 20 – 21 Gartner Security & Risk Management Summit, Tokyo, Japan: July 24 – 26 Denver Cybersecurity Conference, Virtual and Denver, Colorado: July 25 SLED/FED Virtual Cybersecurity Summit, Virtual: July 25 BSidesExeter, Exeter, UK: July 27 SANS Security Awareness Summit & Training 2024, Virtual and Norfolk, Virginia: July 29 – August 2 *CSO’s SecureIT New York, New York, New York: July 11 * This event is presented by Foundry, the parent company of CSO. August 2024 Black Hat USA 2024, Las Vegas, Nevada: August 3 – 8 BSidesLV, Las Vegas, Nevada: August 6 – 7 Cybersecurity & Business Transformation Summit, Delhi, India: August 8 Denver Cybersecurity Conference, Denver, Colorado: August 8 DEF CON 32, Las Vegas, Nevada: August 8 – 11 AcceleRISE, Denver, Colorado: August 14 – 16 33rd USENIX Security Symposium, Philadelphia, Pennsylvania: August 14 – 16 Salt Lake City Cybersecurity Conference, Virtual and Salt Lake City, Utah: August 15 Virtual Cybersecurity Summit, Virtual: August 15 IDC Digital Strategy & Cybersecurity Roadshow Mexico, Virtual and TBD, Mexico: August 22 Washington DC Cybersecurity Conference, Virtual and Washington, DC: August 22 DFIR Summit & Training 2024, Virtual and Salt Lake City, Utah: August 22 – 29 Philadelphia Cybersecurity Conference, Philadelphia, Pennsylvania: August 29 September 2024 15th Annual Billington Cybersecurity Summit, Washington, DC: September 3-6 SecureWorld St. Louis, St. Louis, Missouri: September 4 – 12 Charlotte Cybersecurity Conference, Virtual and Charlotte, North Carolina: September 5 Blue Team Con 2024, Chicago, Illinois: September 6 – 8 SECtember 2024, Seattle, Washington: September 9 – 13 Identity Week, Washington, DC: September 11 – 12 DC/Baltimore Cybersecurity Conference, TBD, September 12 IDC Digital Strategy & Cybersecurity Roadshow Chile, Virtual and TBD, Chile: September 12 CrowdStrike Fal.Con, TBD: September 16 – 19 Cybersecurity Summit, London, UK: September 17 SecureWorld Detroit, Detroit, Michigan: September 18 *Security Forum Finland, TBD Finland: September 18 International Cryptographic Module Conference, San Jose, California: September 18 – 20 Des Moines Cybersecurity Conference, Virtual and Des Moines, Iowa: September 19 GRC Virtual Cybersecurity Summit, Virtual: September 19 IDC CISO Roundtable, Cairo, Egypt: September 23 Gartner Security & Risk Management Summit, London, UK: September 23 – 25 Global Security Exchange (GSX), Orlando, Florida: September 23 – 25 InfoSec World, Lake Buena Vista, Florida: September 23 – 25 International Cyber Expo, London, UK: September 24 – 25 *Security Forum Norway, TBD Norway: September 25 Relativity Fest, Chicago, Illinois: September 25 – 27 Cybersecurity Summit Africa, Virtual: September 26 *Security Forum Denmark, TBD Denmark: September 26 Cybersecurity Summit Canada East, Toronto, Ontario: September 26 BSidesCLT, Charlotte, North Carolina: September 28 – 29 IDC CISO Roundtable, Doha, Qatar: September 30 ECS UK Enterprise Cyber Security, London, UK: September TBD * This event is presented by Foundry, the parent company of CSO. October 2024 Identity Management (IDM) Europe, Utrecht, Netherlands: October 2 Columbus Cybersecurity Conference, Virtual and Columbus, Ohio: October 3 SecureWorld Dallas, Dallas, Texas: October 3 *Security Forum Netherlands, Amsterdam, Netherlands; October 3 Toronto Cybersecurity Conference, Toronto, Ontario: October 3 BSidesSantaFe, Santa Fe, New Mexico: October 5 Securing New Ground, New York, New York: October 8 – 9 IDC Digital Strategy & Cybersecurity Roadshow Colombia, TBD, Columbia: October 10 SecureWorld Denver, Denver, Colorado: October 10 POLAR, Quebec city, Canada, October 12 ISC2 Security Congress, Virtual and Las Vegas, Nevada: October 14 – 16 Authenticate 2024 The FIDO Conference, California, US: October 14-16 SentinelOne OneCon24, Las Vegas, Nevada: October 14 – 17 National Cyber Security Strategy Confex (CyberGov), London, UK: October 15 Boston Cybersecurity Conference, Virtual and Boston, Massachusetts: October 17 Government Cybersecurity Summit, Washington, DC: October 17 Vancouver Cybersecurity Conference, Vancouver, British Columbia: October 17 CISO Engage Offsite, TBD: October 18 – 19 *CSO50 Conference + Awards, Fort McDowell, Arizona: October 21 – 23 it-sa, Nuremberg, Germany: October 22 – 24 SecureWorld New York City, New York, New York: October 22 – 24 LASCON 2024, TBD: October 22 – 25 SecTor, Toronto, Ontario: October 23 – 26 *Security and Cloud Forum, Porto, Portugal: October 24 IDC CISO Roundtable, Riyadh, Saudi Arabia: October 29 Phoenix Cybersecurity Conference, Virtual and Phoenix, Arizona: October 30 CISO-CIO Forum, La Jolla, US: October 30 * This event is presented by Foundry, the parent company of CSO. November 2024 BSidesChicago, Chicago, Illinois: November 2 Identity Management (IDM) UK, London, UK: November 5 SecureWorld Seattle, Seattle, Washington: November 6 – 7 Financial Services Cybersecurity Summit, New York, New York: November 7 Mexico City Cybersecurity Conference, Mexico City, Mexico: November 7 Cybersecurity Summit, Mumbai, India: November 13 Canada Virtual Cybersecurity Summit, Virtual: November 14 IDC Digital Strategy & Cybersecurity Roadshow Central America, TBD, Mexico: November 14 IT/OT Cybersecurity Summit: Germany, Frankfurt, Germany: November 14 Nashville Cybersecurity Conference, Virtual and Nashville, Tennessee: November 14 Tanium Converge, Virtual and Orlando, Florida: November 18 – 21 Identity Management (IDM) Nordics, Stockholm, Sweden: November 19 ISC East, New York, New York: November 19 – 21 San Diego Cybersecurity Conference, Virtual and San Diego, California: November 21 Global Cyber Conference, Zurich, Switzerland: November 26 – 27 Enterprise Security & Risk Management (ESRM) UK, London, UK: November 28 December 2024 Houston Cybersecurity Conference, Virtual and Houston, Texas: December 4 Dallas Cybersecurity Conference, Dallas, Texas: December 5 Virtual IOT and OT Security Summit, Virtual: December 5 Forrester Security & Risk, Baltimore, Maryland: December 9 – 11 Gartner Identity & Access Management Summit, Grapevine, Texas: December 9 – 11 Atlanta Cybersecurity Conference, Virtual and Atlanta, Georgia: December 11 Planet Cyber Sec Conference, Long Beach, US: December 11 Financial Virtual Cybersecurity Summit, Virtual: Dec 12 Application Security, Careers, Cloud Computing, Events, IT Skills, Security, Software Development, Technology Industry
https://www.csoonline.com/article/559539/the-cso-guide-to-top-security-conferences.html
It’s getting ever harder to keep a network safe and secure from attacks, whether cloud-based, hybrid, or on-premises. Bad actors are employing a dizzying variety of methods, from social engineering to attacking edge devices, to gain a foothold in our networks. Security teams are urged to take action to secure networks using techniques ranging from patch management to the implementation of zero trust. But even organizations as big as US government agencies and Microsoft itself are proving to be vulnerable to attacks. Every month we have an increasing number of vulnerabilities and CVEs to manage while performing critical upgrades such as removing NTLM from our networks and implementing Oauth integrations and monitoring and blocking malicious attacks. In the midst of all of this, we are patching vulnerabilities that may — or may not — be a true risk for our firms. It’s time to slow down and really consider whether some of these represent risks we need to be putting our efforts into. Here are three examples of vulnerabilities that take time, evaluation, and resources from your security team and yet may not provide much in the way of true protection — in fact, they may provide more risk by making machines unbootable. Secure boot and KB5025885 Secure boot was touted as “a security standard developed by members of the PC industry to help ensure that a device boots using only software that’s trusted by the original equipment manufacturer (OEM).” Your organization’s device management policies may require you to enable it on your enrolled Windows device. Devices that don’t meet this requirement may be unable to access work or school resources. In firms, often you are purchasing computers and laptops that have Windows 11 preloaded. As a result, these systems come with Secure Boot enabled and a TPM chip. Furthermore, many of you are mandated to deploy Bitlocker to provide for disk encryption. While Bitlocker does not provide protection and encryption for data while the computer system is running, it does provide protection for data at rest and often is mandated by policy and cyber insurance mandates. Yet managing and maintaining secure boot is turning into a headache and a near full-time project. For example, there are a plethora of steps a patching team needs to take to proactively patch and protect from the BlackLotus bootkit (KB5025885 details the process). First, you must install security updates to supported Windows machines that are included in security updates released after April 9, 2024 (and later). Then you need to ensure that machines have their firmware up to date before taking the next actions. Failure to install firmware updates may make machines ranging from laptops to servers to virtual machines fail to boot, triggering additional workload for your security staff. You’ll need to first ensure that recovery media is up to date with fixed or patched media because if you need to reboot or recover the machine, you’ll need media that matches the system you are attempting to recover. Microsoft notes that at this time they have not tested all interactions with the mitigations with vendor configurations. As the note in the KB, “Please first test these mitigations on a single device per device class in your environment to detect possible firmware issues. Do not deploy broadly before confirming all the device classes in your environment have been evaluated.” In my own firm, where I have machines with HP Sure start deployed, Microsoft notes that “these devices need the latest firmware updates from HP to install the mitigations. The mitigations are blocked until the firmware is updated.” Is your firm prepared to know what level of bios is on each computer and what version level they are? Next up, you need to be aware of where the Bitlocker recovery key is located. As noted in the KB, “Some devices may go into BitLocker recovery.” So, ensure that you have a process to look up and supply recovery keys where needed. Next, you will have your security management teams perform the following steps. As you read through the provided guidance from Microsoft you will note how many times the machines will need to be rebooted — sometimes twice in a row — before proceeding to the next step. At this time you need to be testing and determining an efficient process. If you use config manager, I’ll recommend reviewing resources to assist you in the process. It’s my opinion that this is not a process that can be done remotely in a fashion that will provide your teams with the necessary feedback to ensure it’s being carried out correctly. I predict that you may wish to perform these actions in a phased manner requesting that devices be swapped out over time. The bottom line: review your hardware and your vendor specifications. You may decide to perform these steps as you change out hardware. Certificate-based authentication changes on domain controllers In February 2025, or later if Microsoft decides we are not ready for the change, Microsoft will put Full Enforcement mode in its hardening of certificate-based authentication (detailed in KB5014754). Once full enforcement mode is enabled, unless a certificate is strongly mapped, authentication will be denied. At this time, you’ll want to be monitoring the audit logs on your domain controllers. Look for event 39 which will indicate issues. For example, the error may say “The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user through explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.” Windows Recovery Environment update for Windows 10 Back in January of 2024, Microsoft released KB5034441 which automatically applies Safe OS Dynamic Update (KB5034232) to the Windows Recovery Environment (WinRE) for Windows 10, version 21H2 and 22H2 on a running PC to address a security vulnerability that could allow attackers to bypass BitLocker encryption by using WinRE. However, on computers with a smaller recovery partition, many of them failed to install the update. In order to properly install the patch, you had to manually increase the partition size through the use of third-party tools or scripting. All three of these vulnerabilities need to be analyzed to see if you truly feel you are at risk. All of them introduce risk merely by following the recommended steps for deployment. Will your vulnerability scanner flag these as needing action? Will these take resources and hours away from patching something that may actually be more impactful to your security stance? My guess is that the answer is yes, for many organizations. Determining what needs to be patched versus what your vulnerability scanners tell you needs to be patched will often keep you from protecting what you need. Patch Management Software, Security Practices, Vulnerabilities, Windows Security
https://www.csoonline.com/article/2096872/3-windows-vulnerabilities-that-patching-may-be-a-waste-of-time-or-create-more-risk.html
For the past five years, a threat actor that’s likely connected to the Chinese government has been sending out unusual DNS queries to IP addresses over the internet to map open DNS resolvers inside networks and potentially gather other information in preparation for future attacks. Researchers from security firm Infoblox detected the unusual DNS request patterns occurring intermittently going back as far as 2019 and attributed them to a group they’ve now dubbed Muddling Meerkat. Because the requests are triggering a very specific and seemingly planned behavior from the so-called Great Firewall (GFW) of China, a combination of government-run internet censorship technologies, Infoblox suspects Muddling Meerkat has some links to the GFW operators. “The choice of Muddling Meerkat target domains demonstrates sophistication in DNS,” the Infoblox researchers said in a research paper released Monday. “Muddling Meerkat operators induce selective responses from the GFW that do not occur in normal GFW censorship. To do so, they have chosen target domains they do not control, which security appliances are very unlikely to block. Moreover, they use query types that are not commonly monitored and create a volume of queries that blends with normal DNS traffic.” Mail exchange queries for non-existing subdomains While the researchers have found Muddling Meerkat queries for various DNS record types, mail exchange (MX) ones stand out amongst the most common and unusual. A domain’s MX records consist of hostnames for the servers that handle email for that specific domain. Muddling Meerkat sends MX queries for a select number of domains they don’t own, as well as for randomly generated and non-existent subdomains of those primary domains. The targeted domains are not owned by the attackers and were intentionally chosen to be very old — some registered over 20 years ago — and be very short, their name being composed of only two to four letters. The exact reasons why the attackers chose these target domains is unclear but the researchers advance some possibilities: The old age of the domains makes them unlikely to be in any regularly maintained DNS blocklists and their short names makes it likely that they could be used for Active Directory inside networks. Even though it’s bad practice and insecure to use a fully qualified domain you don’t own as the internal Active Directory domain, some organizations have historically done so for convenience. Let’s say for example, an organization doesn’t own the domain name that’s the acronym of its full name followed by .com or .org because that domain was registered decades ago in the early days of the internet. However, it chooses to use it internally on its Windows network because it’s easy to remember and type and it’s not intended to be accessed externally. However, networks are complex and their topology changes over time, so at some point some internal application or a computer taken outside the network could start making queries for that domain on the open internet, exposing information about the network. The organization could also accidentally expose an internal DNS resolver — a server that’s meant to resolve DNS for local clients — to the internet or will open a port in its router or firewall to direct DNS request to an internal resolver. This then becomes an “open resolver” on the internet and open resolvers are resources that attackers can abuse to launch DDoS attacks through techniques such as DNS reflection and amplification. Normally MX record queries for a domain would be forwarded by a DNS resolver to the authoritative DNS server for that domain. If the domain doesn’t have an MX record, the response will be an NXDOMAIN (non-existent domain) error. Such should be the case for most of the queries sent by Muddling Meerkat because they are querying IP addresses on the internet for MX records for non-existing subdomains, probably with the intention of identifying open resolvers inside networks that would accept their requests. Great Firewall of China DNS injection What the Infoblox researchers observed is that the IP addresses making the queries were primarily Chinese and didn’t seem spoofed, making it more likely the group was using dedicated servers to perform the probing. Also, some of the chosen target domains had their authoritative name servers also hosted in China. This means that the GFW was in the routing path for these requests and could therefore inject responses. Normally, GFW is known for injecting bogus DNS responses for domains and websites the government doesn’t want users to access and those responses will direct requests to a series of IP addresses probably controlled by the government. Infoblox noticed similar GFW behavior for the MX queries initiated by Muddling Meerkat, where instead of NXDOMAIN errors, the responses included Chinese IP addresses that didn’t actually have port 53 open, so they weren’t DNS servers either. This was baffling because it is the first time when GFW spoofs MX responses and it appears to do so for non-existent and randomly generated subdomains that have no censorship value because many of the main targeted domains themselves are inactive and don’t serve any content. Moreover, the researchers didn’t manage to get GFW to perform these unusual response injections when they tried to replicate the requests themselves. So, they concluded that either the injection rules are in place only when Muddling Meerkat runs its probing activities, or there are certain identifying elements in the Muddling Meerkat requests that they can’t replicate and which GFW looks for. “In order to induce selective responses like those we have observed over four years, it seems that Muddling Meerkat must somehow be connected to the GFW operators,” Renée Burton, the vice president of Threat Intelligence at Infoblox, said in the paper. “While I also don’t know how these selective responses are triggered, it is possible that signatures contained in the IP packets, like those observed in ExploderBot traffic, are used to signal a different response from the GFW.” Similarities to Slow Drip DDoS attacks When they initially discovered the Muddling Meerkat DNS probes, the researchers thought they were part of a type of DNS distributed denial-of-service (DDoS) attack known as Slow Drip that was associated many years ago with a botnet called ExploderBot. Also known as random-prefix DDoS attacks, Slow Drip attacks also abuse open DNS resolvers to route DNS requests for non-existing subdomains. However, the goal is to overwhelm the authoritative DNS servers of the targeted domain with bogus requests so they can’t respond to legitimate requests anymore. That doesn’t seem to be the case with Muddling Meerkat, which doesn’t match the volume of requests needed to cause disruption nor does it use the source and destination address spoofing that is typical of Slow Drip attacks. “Queries for random hostnames of a target domain typify a Slow Drip DDoS attack; however, Muddling Meerkat queries differ from those in ExploderBot or other Slow Drip attacks,” Burton said. “The host names are short. Additionally, while some Slow Drip attacks do include a range of query types, the most common type is still an A record for an IPv4 address. I have not previously seen the type of MX record activity that characterizes Muddling Meerkat.” While the motivation of Muddling Meerkat remains unclear and can only be speculated on, this unusual and persistent probing activity over the span of multiple years should be a reminder to organizations to identify and remove all open DNS resolvers from their networks and to stop using fully qualified domain names they don’t own for DNS Search and Active Directory purposes. Cyberattacks, Network Security
https://www.csoonline.com/article/2096774/chinese-threat-actor-engaged-in-multi-year-dns-resolver-probing-effort.html
To address the emerging threats around generative artificial intelligence (gen AI) systems and applications, cybersecurity provider Securiti has launched a firewall offering for large language models (LLMs), Securiti LLM Firewalls. Future applications are going to be more conversational and hence need to undergo a layer of in-line checks to detect attempts at external attacks, according to the company. “The conversational nature of genAI has opened the door for brand new types of threats and attack vectors and Securiti LLM Firewalls are designed to protect against it,” said Securiti CEO Rehan Jalil. “Internal or public facing prompts interfaces are a new pathway to enterprise data.” Securiti isn’t the first to identify this nascent risk to enterprise genAI applications. In March, Cloudflare announced similar features through a new web application firewall (WAF) offering, Firewall for AI. “Securiti LLM Firewalls inherently know the context of what they are protecting,” Jalil added. “To protect a genAI system, the context of the enterprise data and use case for which the genAI system is being designed for can help inspect the prompts for relevancy, topics and jailbreak attempts.” Distributed firewalls for varied genAI threats Securiti’s distributed LLM firewall is designed to be deployed at various stages of a genAI application workflow such as user prompts, LLM responses, and retrievals from vector databases, and can detect and stop a variety of LLM based attacks in-line and in real time, the company said, including prompt injection, insecure output handling, sensitive data disclosure, and training data poisoning. Prompt injections, the most common form of LLM attacks, involve bypassing filters or manipulating the LLM to make it ignore previous instructions and to perform unintended actions, while training data poisoning involves manipulation of LLM training data to introduce vulnerabilities, backdoors and biases. “The firewall monitors user prompts to pre-emptively identify and mitigate potential malicious use,” Jalil said. “At times, users can try to maliciously override LLM behavior and the firewall blocks such attempts. It also redacts sensitive data, if any, from the prompts, making sure that LLM models do not access any protected information.” Additionally, the offering deploys a firewall that monitors and controls the data retrieved during the retrieval augmented generation (RAG) process, which references an authoritative knowledge base outside of the model’s training data sources, to check the retrieved data for data poisoning or indirect prompt injection, Jalil added. Although it’s still early days for genAI applications, said John Grady, principal analyst for Enterprise Strategy Group (ESG), “These threats are significant. We’ve seen some early examples of how genAI apps can inadvertently provide sensitive information. It’s all about the data, and as long as there’s valuable information behind the app, attackers will look to exploit it. I think we’re at the point where, as the number of genAI-powered applications in use begins to rise and gaps exist on the security side, we’ll begin to see more of these types of successful attacks in the wild.” This offering, and those like it, fills a significant gap and will become more important as genAI usage expands, Grady added. Enabling AI complianceSecuriti LLM Firewalls are also aimed at helping enterprises meet compliance goals, whether legislative (such as the EU AI Act) or internally mandated policies (for example, following the NIST AI Risk Management framework, AI RMF). Organizations working to Gartner’s AI Trust, Risk, and Security Management (TRiSM) framework will also be able to use the firewalls for key components, Securiti said. Securiti expects the firewall offering, combined with existing capabilities in its Data Command Center, to cover all aspects of OWASP’s list of the 10 most critical large language model vulnerabilities, extending protection from additional LLM threats such as jailbreaks, authentication phishing, and use of offensive and abusive language. The Securiti LLM Firewalls are available now as part of the company’s overall “AI security and governance” solution announced by the company earlier this year. Generative AI
https://www.csoonline.com/article/2096737/securiti-adds-distributed-llm-firewalls-to-secure-genai-applications.html
Amid strong calls for enhanced cybersecurity measures in healthcare, UnitedHealth is set to testify this week that, on February 12, hackers exploited compromised credentials to gain remote access to a Citrix portal used by its Change Healthcare unit. In the written testimony before the House Energy and Commerce Committee, CEO Andrew Witty said after gaining access, the threat actor moved laterally within the systems using sophisticated methods and exfiltrated data. On the morning of February 21, a cybercriminal known as ALPHV or BlackCat made a ransomware attack within Change Healthcare’s information technology environments. This attack encrypted the company’s systems, making them inaccessible. “Our response was swift and forceful,” Witty said in the statement. “Not knowing the entry point of the attack at the time, we immediately severed connectivity with Change’s data centers to eliminate the potential for further infection. While shutting down many Change environments was extremely disruptive, it was the right thing to do.” The company paid a ransom to the hackers to secure the decryption. The amount of the payment has not been disclosed, but a Reuters report suggests it could be $22 million. “As chief executive officer, the decision to pay a ransom was mine,” Witty said in the statement. “This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.” Calls for better response amid consolidation Meanwhile, the ransomware attack on Change Healthcare has triggered demands for mandatory baseline security standards for healthcare providers. Earlier this month, UnitedHealth faced criticism for its handling of the attack during a three-hour session before the House Energy and Commerce Committee. Significantly, the incident has brought concerns about healthcare consolidation. UnitedHealth, a conglomerate of health insurance enterprises, merged with Change Healthcare in 2022. During the Congressional hearing, E&C Chair Cathy McMorris Rodgers cautioned that as the healthcare system consolidates, the effects of successful cyberattacks could become more widespread. Sub-committee member Anna Eshoo characterized the healthcare sector as a “hackers’ playground,” noting that UnitedHealth is particularly vulnerable due to its size. “The attack shows how UnitedHealth’s anticompetitive practices present a national security risk because its operations now extend through every point of our health care system,” Eshoo said. “The cyberattack laid bare the vulnerability of our nation’s healthcare infrastructure.” Concerns about Citrix This incident has also brought Citrix’s vulnerability under the scanner. In 2022, the NSA reported that a hacking group named APT5 — believed to be Chinese — exploited a vulnerability in Citrix networking gear to conduct espionage. Earlier this year, Citrix alerted its NetScaler ADC and NetScaler Gateway customers about two critical zero-day vulnerabilities that were actively being exploited. Experts have pointed out that the lack of adequate remote access authentication likely facilitated the attack. Crucially, the application was missing multi-factor authentication controls — contrary to industry best practices — exposing it to vulnerabilities. The cybercriminals lingered within the health provider’s systems for nine days, during which they stole data and eventually launched a ransomware attack. Cyberattacks, Hacker Groups, Vulnerabilities
https://www.csoonline.com/article/2096621/unitedhealth-hackers-exploited-citrix-vulnerabilities-ceo-to-testify.html
Companies spend thousands of dollars (sometimes hundreds of thousands) to recruit the right person, put them through the interview cycle, then onboard them. Once an employee is within the corporate ecosystem, far too many entities forget all that effort and expect whatever system is in place to ensure the employee remains compliant and security remains intact. But retained access creates risk. Rare is the organization with a robust enough system to observe lateral movement or offboarding and companies lacking such processes and procedures become vulnerable when employee movements occur. To avoid this risk, CISOs must make retained access a key performance indicator for not only the information technology team they support but also the various entities with whom they must collaborate, including human resources, finance, logistics, research and development, and operational business units. We should think of retained access along the lines of the old farmer’s axiom: it is of no use to close the door after the horse has bolted. People are a company’s greatest asset and greatest risk Employees, contractors, and partners are granted access to corporate infrastructure because having such provides value. Human resources, logistics, accounting, and business units all have engagements with outside entities: some have contractors on staff, and all have employees. Their access to information is provided via the information technology teams during onboard provisioning and their access to data is determined by their supervisory hierarchy. Visibility into their access must be an always-on, always-available metric and the same goes for devices — laptops, phones, tablets, mobile storage, etc. Inventory control and retained access to devices post-employment should be a line item on every entity’s offboarding process. The 2021 Proofpoint lawsuits are a case in point. All who live in the realm of insider risk management are aware that once an employee or contractor has determined they are leaving, many choose to take the intellectual property of their employer with them. Whether the separation was amicable matters little, many (too many) see their work as “their property” and carry it out the door. Others know that their work or that of others belongs to the employer yet have no problem swallowing their ethics and taking it with them. Such was the case with the Proofpoint lawsuits, as the company found itself chasing its intellectual property down the road when a former channel sales director admitted to having a “USB drive containing some of his work-related documents from Proofpoint.” The mindset of what’s mine is mine and what’s yours is also mine, is alive and well. Transparency around access should be paramount Those who have been reading or listening to me for the past 20-something years have heard me mention time and time again the need for processes and procedures to follow people movement to ensure individuals have access to what they need, and that the access has been reviewed via process or hierarchy as necessary. If you don’t know who is still engaged, then how will the IT or CISO know that what the logs are revealing isn’t simply the status quo on a normal day? I engage in consulting from time to time and have found myself as the one reminding the entity to remove my access when the gig has concluded. This scenario has happened so often, that I now have as part of my “close out” process: “remind to remove my access.” It would be far better if those doing the contracting, hiring, or engagement management had it in their built-in process that when a contract concludes or an employee moves or departs, IT is informed, accounting is informed, and human resources is informed. It’s absurd to allow an employee to simply walk away and wait for a “no activity” alert — or in the case of the nefarious, a “too much activity” alert as they fleece or compromise the infrastructure to which they once had authorized access and now have “unauthorized” access. Need-to-know 101 Admittedly, I’ve been steeped in the philosophy of “need-to-know” since I was a teen entering on duty at the CIA as a file clerk in the file room of the Office of Security. In the intelligence world, individuals are “read in” or “read out” of programs. It’s more than symbolic that the first thing that happens when someone is read out is the retrieval of their badge, which removes physical access to the premises. I was taught on day one the meanings of limited access and environmental security and saw with my own eyes the machinations that took place when one transferred out of the unit to ensure their access was not retained — door combinations changed, access control logs updated, databases adjusted to reflect access, badge access deactivated (and yes, all of these are largely analog, as I am that old that these files were paper). You see, the concept of least privileged access isn’t new, it is simply new to some and should always be viewed as “table stakes.” The retained access conundrum affects government entities Illustrating the need for control over retained access was the revelation by the United States Department of Energy’s Office of Inspectors General in 2021 that more than 10,000 contractors and federal employees who had separated from the department retained their badges and other means to access the department’s facilities. Yes, the same facilities where the US government conducts nuclear research. Their report showed that 39% of those separated had not had their employment status updated in the system, 66% of IDs were not retrieved, and 30% didn’t have their access clearances terminated. In-house collaboration is a necessity if you want to avoid such fiascos, says Jon Taylor, director, and principal of security at Versa Networks. “There needs to be coordination between HR and infosec — both in personnel moves as well as onboarding and offboarding, have a process in place. Use the process,” Taylor tells CSO. My advice? The CISO needs to ensure that when changes of need-to-know, position, or employment occur, so does the requisite access to sensitive data and/or the infrastructure. It just doesn’t happen, make it happen. The old farmer also has a message. Close the barn door now, dammit. Access Control, CSO and CISO, Data and Information Security, Human Resources
https://www.csoonline.com/article/2095857/close-the-barn-door-now-avoid-the-risk-of-not-monitoring-retained-access-before-its-a-problem.html
As the landscape of cybercrime evolves, the challenge of navigating the fog of uncertainty is intensifying. The increasing frequency of false or misleading reports is creating a web of misinformation that sometimes makes discerning the truth about criminal cyber incidents virtually impossible. Over the past four months alone, the press, social media accounts, and some researchers have reported several high-profile incidents that turned out to be false or at least far different from what they initially seemed. In late January, a person claimed on a hacking forum to be selling the data for 48,606,700 Europcar.com customers. However, Europcar said the data was fake and was fabricated using artificial intelligence. In late February, the ransomware group LockBit seemingly reemerged with new dark web sites after it was disrupted in an epic law enforcement takedown. A seemingly reconstituted LockBit gang threatened to release a trove of files it stole from Fulton County, Georgia in an attack earlier that month unless the county paid a ransom. The extortion effort proved a head fake when Fulton County called the gang’s bluff and no stolen files materialized. False narratives about hacks have been increasing in recent months Also In late February, a little-known threat actor group called Mogilevich claimed it had hacked gaming giant Epic Games and stolen 189GB of data, which Epic Games denied. The audacity of this claim, made by a group that Brett Callow, threat analyst at Emsisoft, said is not likely a group but is “probably just one idiot,” was further highlighted when they also claimed to have hacked Ireland’s Department of Finance (DFA), which it denied. Faced with these denials, Mogilevich conceded its claims were not valid, saying they were “professional fraudsters” out to scam some quick cash. In early April, a threat actor called DoD offered on BreachForums three gigabytes of data allegedly stolen from the US Environmental Protection Agency’s (EPA) systems, claiming it was a contact list of critical infrastructure organizations worldwide. The EPA said that DoD had confirmed it had never breached the agency and that the data posted was already publicly available. In mid-April, a new ransomware group called RansomHub added insult to injury by posting to its dark web site the sale of four terabytes of data it claimed had been stolen in a devastating ransomware attack on Change Healthcare by the once-disrupted but now-reincarnated AlphV/BlackCat group. At that point, Change Healthcare was reeling from the still-ongoing disaster the ransomware attack had on healthcare providers and pharmacies across the US, even though it was later revealed that Change Healthcare had paid the attackers $22 million to stanch the damage. Although cybersecurity experts believe, but are not sure, that RansomHub’s claims of having the data are real, confusion surrounds whether RansomHub is actually AlphV/BlackCat itself using an alias or an affiliate of that group or a brand-new group. Pressure to get money fuels the false narratives What frequently makes grasping the facts surrounding breaches difficult are the tactics hackers use to pressure organizations into paying ransom quickly, often based on false or exaggerated claims. “Wow, it’s almost like we can’t trust criminals to give us a true answer,” Troy Hunt, founder of the data breach search website HaveIBeenPwned, tells CSO. “We’ve got to recognize that the folks we’re dealing with here are criminals, and their motives are clearly not pure. They’ll construct whatever narrative they need to service their own requirements.” “The gangs try to push organizations into paying quickly,” Callow tells CSO. “They do not want to wait until organizations have had time to do the forensics and find that they didn’t lose as much data as the gang claims or that the data wasn’t as sensitive as the gang claimed it was. It’s in their interests to try and force payments quickly, very often on the back of bluffs.” Callow thinks the misinformation problem, an enduring feature of cybercrime, accompanies greater turmoil in the threat actor world. “What is new is the increased rate of disruptions, creating a more unpredictable ecosystem,” he tells CSO. “Ransomware has always been unpredictable, but now it’s even more unpredictable.” Complicating the problem are acts of betrayal by ransomware gangs toward their affiliates due to the chaos spawned by law enforcement disruptions. In the case of RansomHub, for example, “Change Healthcare reportedly paid $22 million to AlphV, who was already in a somewhat dazed state from the law enforcement disruption and allegedly took off with the money not paying the affiliate,” Callow says. “The affiliate had the data and was attempting to extort United Health for a second time. Supposedly. It could also have been AlphV trying for a second round of extortion. A scam within a scam.” The accelerating spread of misinformation online Fueling the rise of data breach misinformation is the speed at which fake data breach reports are spread online. In a recent blog post, Hunt wrote: “There are a couple of Twitter accounts in particular that are taking incidents that appear across a combination of a popular clear web hacking forum and various dark web ransomware websites and ‘raising them to the surface,’ so to speak. Incidents that may have previously remained on the fringe are being regularly positioned in the spotlight where they have much greater visibility.” “It’s getting very difficult at the moment because not only are there more breaches than ever, but there’s just more stuff online than ever,” Hunt says. “It’s just a nonstop stream of all of these data breaches regularly numbering in the hundreds of thousands or millions of records, and that’s up there on the surface of the web for all to see.” Although Hunt says most reported incidents are what they appear to be, “it does mean that there’s just a huge amount of data floating around, and you’ve still got to do all the due diligence and verification on them.” Some press outlets contribute to the breach misinformation problem by uncritically reporting incidents posted on leak sites without much verification as they race to land scoops. “Any responsible journalist will be as cautious as they can be so as not to risk becoming, effectively, tools of the criminals,” Callow says. “It’s always a matter of balancing assisting the criminals against the public’s right to know. And some of these alleged incidents are very newsworthy.” Purported security researchers who continually produce reports of breach incidents can also be blamed for the misinformation. “I’ll put security researchers in quote marks there who try to build a following by tweeting details of each and every breach,” Callow says. “And they are very often assisting the criminals.” Companies also spread misinformation It’s not only cybercriminals contributing to the current tide of breach misinformation. Companies, long loth to go public with cyber incidents affecting their customers, often initially deny breaches, only to get dragged by journalists and others over time from denial to admission. AT&T, for example, recently started out denying a 2021 breach affecting 71 million of its customers, only to finally confirm that the breach affected 73 million customers. Hunt says, “As much as we say that there are breaches out there that are not breaches or misattributed, we’ve also got the problem where we’ve got organizations saying that there’s no breach, and then you give it time, and they’re like, oh no, okay, hang on. There is a breach.” “It’s not just threat actors misrepresenting things,” Hunt says. “It’s organizations not acknowledging that there is a breach when it has happened.” No easy solutions to the problem Few easy solutions to the misinformation problem exist aside from skeptically examining and conducting due diligence regarding the breaches claimed by threat actors. Hunt thinks the truth always lies in the data. “Until there is evidence to support a claim, it’s just a claim, and we remain skeptical. The truth is always there in the data. It’s just a question of analyzing it. I think for the press, particularly if you’re communicating with the threat actor involved in this, you can always put the question to them: can you prove this is legitimate? What are the indicators here that show that this is what you say?” And for companies that have experienced breaches or are the subject of false breach reports, sunlight is the best disinfectant. “We need to get everything out from in the shadows,” Callow says. “Far too much happens in the shadows. The more light can be shone on it, the better. That would be great in multiple ways. It’s not just a matter of removing some of the leverage threat actors have. It’s also giving the cybersecurity community and the government access to better data. Far too much goes unreported.” “I don’t think we are ever going to get to the point where things are clear and concise,” Hunt says. “For me, particularly running HaveIBeenPwned, all I want is the truth to come out of the data. If an organization has been breached, whether it’s breached or scraped, or whatever else, then let that truth come out. If they haven’t, then let that truth come out.” CSO and CISO, Data Breach, IT Leadership, Security Practices
https://www.csoonline.com/article/2095897/cyber-breach-misinformation-creates-a-haze-of-uncertainty.html
Attackers continue to aggressively target small and mid-size businesses using high-profile vulnerabilities dating back a decade or more, network telemetry shows. Between January and March this year, five high-severity flaws stood out above all others in terms of their frequency in intrusion prevention system (IPS) data from SonicWall’s predominantly SMB customer base. At the top of the list was the Apache Log4j (CVE-2021-44228) vulnerability, detected in traffic to 43% of organizations. Tied on 35% were the Fortinet SSL VPN Path Traversal (CVE-2018-13379) flaw and the infamous Heartbleed (CVE-2014-0160) mega-flaw, with the less discussed but still significant Atlassian Pre-Auth Arbitrary File Read (CVE-2021-26085) and VMware SSRF (CVE-2021-21975) on 32% and 28% respectively. According to SonicWall, these five stood out above all others; the sixth most targeted vulnerability was aimed at only 10% of customers, with a long tail of others in single digits below that. Why these flaws? Interestingly, only two of the vulnerabilities (Log4j and Fortinet) were given the highest priority Common Vulnerability Scoring System (CVSS) rating of ‘critical’ at the time of their discovery. The other three were rated ‘high’ (Heartbleed and VMware) and ‘medium’ (Atlassian). However, relying on CVSS scores alone can give a misleading picture of a vulnerability’s attractiveness to an attacker, said SonicWall executive director of threat research Douglas McKee, speaking to CSO Online. A bigger consideration was how likely they were to have been patched. “Vulnerabilities that are known to work are a good first bet for a threat actor to try. Attackers are using them because they’re still working.” Bombarding SMBs with exploits for possibly unpatched flaws was simply the easiest way to find the laggards among organizations whose patching routines are not always rigorous. The bigger question, then, might be why organizations fail to patch. A noticeable feature of the vulnerabilities is their age. Three are from 2021, one is from 2018, and the final, Heartbleed, was made public as long ago as April 2014. Given that four of the five were also rated ‘critical’ or ‘high’, in theory they should have been patched as a priority some time ago. According to McKee, an important feature of the top five vulnerabilities was their ubiquity. “All five are on widely used products. Attackers are willing to put the time in for vulnerabilities that are going to provide them with a pay-off for more than one victim,” he said. The everywhere flaw A characteristic that gives any flaw longevity among attackers is how difficult it is to patch. In Log4j’s case, this was underlined by an unusual feature. When McKee studied the telemetry, he noticed that it had become steadily more popular among attackers since its discovery in late 2021. “It’s almost the inverse of what you would expect. With all these patches and mitigations, why has it trended in an upward direction?” Most likely, it was because Log4J was a supply chain vulnerability affecting a wide range of software used by almost every possible target. “In my opinion, we still don’t know everywhere that it exists,” observed McKee. “The reason you’re seeing a trend upward is that attackers are still finding more places that it’s working.” If this is correct, it suggests that some organizations haven’t patched Log4J because they don’t know they are affected. The oldest flaw in the top five, Heartbleed, exhibited the same problem. “It’s similar to Log4J in that Heartbleed is in SSL [Secure Sockets Layer, an older VPN protocol]. It’s not a single piece of software where you can patch one thing. It’s another library that exists in a multitude of software.” The priority for CISOs was working out which vulnerabilities should be patched first. As threats recede over time, it becomes easier to forget they exist or matter. Ten years on, Heartbleed is a warning of how this can be difficult to get on top of. McKee’s recommendation was to focus on the complex flaws by doing regular assessments of the software supply chain hiding inside key applications. “We can’t fix what we don’t know about. That’s often the hardest question. Do I even have the version of Log4J that’s vulnerable? I would prioritize fixing those things over the latest zero-day that an attacker cannot use,” said McKee. Network Security, Threat and Vulnerability Management, Vulnerabilities
https://www.csoonline.com/article/2096402/most-attacks-affecting-smbs-target-five-older-vulnerabilities.html
Although 55% of organizations are currently piloting or using a generative AI (GenAI) solution, securely deploying the technology remains a significant focus for cyber leaders. A recent ISMG poll of business and cybersecurity professionals revealed that some of the top concerns around GenAI implementation include data security or leakage of sensitive data, privacy, hallucinations, misuse and fraud, and model or output bias. As organizations look for better ways to innovate responsibly with the latest advancements in artificial intelligence, red teaming is one way for security professionals and machine learning engineers to proactively uncover risks in their GenAI systems. Keep reading to learn how. 3 unique considerations when red-teaming GenAI Red teaming AI systems is a complex, multistep process. At Microsoft, we leverage a dedicated interdisciplinary group of security, adversarial machine learning (ML), and responsible AI experts to map, measure, and minimize AI risks. Over the past year, the Microsoft AI Red Team has proactively assessed several high-value GenAI systems and models before they were released to Microsoft customers. In doing so, we found that red-teaming GenAI systems differ from red-teaming classical AI systems or traditional software in three prominent ways: GenAI red teams must simultaneously evaluate security and responsible AI risks: While red teaming traditional software or classical AI systems mainly focuses on identifying security failures, red teaming GenAI systems includes identifying both security risk as well as responsible AI risks. Like security risks, responsible AI risks can vary widely ranging from generating content that includes fairness issues to producing ungrounded or inaccurate content. AI red teams must simultaneously explore the potential risk space of security and responsible AI failures to provide a truly comprehensive evaluation of the technology. GenAI is more probabilistic than traditional red teaming: GenAI systems have multiple layers of non-determinism. So, while executing the same attack path multiple times on traditional software systems would likely yield similar results, the same input can provide different outputs on an AI system. This can happen due to the app-specific logic; the GenAI model itself; the orchestrator that controls the output of the system can engage different extensibility or plugins; and even the input (which tends to be language), with small variations can provide different outputs. Unlike traditional software systems with well-defined APIs and parameters that can be examined using tools during red teaming, GenAI systems require a red teaming strategy that considers the probabilistic nature of their underlying elements. GenAI systems architecture varies widely: From standalone applications to integrations in existing applications to the input and output modalities, such as text, audio, images, and videos, GenAI systems architectures vary widely. To surface just one type of risk (for example, violent content generation) in one modality of the application (for example, a browser chat interface), red teams need to try different strategies multiple times to gather evidence of potential failures. Doing this manually for all types of harm, across all modalities across different strategies, can be exceedingly tedious and slow. Why automate GenAI red teaming? When red-teaming GenAI, manual probing is a time-intensive but necessary part of identifying potential security blind spots. However, automation can help scale your GenAI red teaming efforts by automating routine tasks and identifying potentially risky areas that require more attention. At Microsoft, we released the Python Risk Identification Tool for generative AI (PyRIT)—an open-access framework designed to help security researchers and ML engineers assess the robustness of their LLM endpoints against different harm categories such as fabrication/ungrounded content like hallucinations, misuse issues like machine bias, and prohibited content such as harassment. PyRIT is battle-tested by the Microsoft AI Red Team. It started off as a set of one-off scripts as we began red teaming GenAI systems in 2022, and we’ve continued to evolve the library ever since. Today, PyRIT acts as an efficiency gain for the Microsoft AI Red Team—shining a light on risk hot spots so that security professionals can then explore them. This allows the security professional to retain control of the AI red team strategy and execution. PyRIT simply provides the automation code to take the initial dataset of harmful prompts provided by the security professional and uses the LLM endpoint to generate more harmful prompts. It can also change tactics based on the response from the GenAI system and generate the next input. This automation will continue until PyRIT achieves the security professional’s intended goal. While automation is not a replacement for manual red team probing, it can help augment an AI red teamer’s existing domain expertise and offload some of the tedious tasks for them. To learn more about the latest emergent security trends, visit Microsoft Security Insider. Security
https://www.csoonline.com/article/2096432/want-to-drive-more-secure-genai-try-automating-your-red-teaming.html
CISO2CISO.com
Sun, 05 May 2024 06:00:29 +0000Source: www.bleepingcomputer.com – Author: Bill Toulas The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets. APT42 was first documented by Mandiant in September 2022, who reported that the threat actors were active since 2015, having carried […] La entrada Iranian hackers pose as journalists to push backdoor malware – Source: www.bleepingcomputer.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/iranian-hackers-pose-as-journalists-to-push-backdoor-malware-source-www-bleepingcomputer-com/
Source: www.bleepingcomputer.com – Author: Sergiu Gatlan Image: Midjourney A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the “Always-on VPN” feature was enabled with the “Block connections without VPN” option. “Always-on VPN” is designed to start the VPN service when the device boots and keep it running while the […] La entrada Android bug leaks DNS queries even when VPN kill switch is enabled – Source: www.bleepingcomputer.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/android-bug-leaks-dns-queries-even-when-vpn-kill-switch-is-enabled-source-www-bleepingcomputer-com/
Source: www.cyberdefensemagazine.com – Author: Stevin By Jyoti Bansal, CEO and Co-Founder, Traceable AI In the dynamic world of digital transformation, I’ve observed a paradigm shift that is reshaping the very fabric of cybersecurity: the monumental rise of APIs. As the CEO of Traceable, I’ve witnessed firsthand how APIs, once merely technical facilitators, have evolved into […] La entrada Navigating the API Security Landscape: A CEO’s Perspective on Embedding Zero Trust Principles – Source: www.cyberdefensemagazine.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/navigating-the-api-security-landscape-a-ceos-perspective-on-embedding-zero-trust-principles-source-www-cyberdefensemagazine-com/
Source: securityaffairs.com – Author: Pierluigi Paganini Blackbasta gang claimed responsibility for Synlab Italia attack The Blackbasta extortion group claimed responsibility for the attack that in April severely impacted the operations of Synlab Italia. Since April 18, Synlab Italia, a major provider of medical diagnosis services, has been experiencing disruptions due to a cyber attack. The […] La entrada Blackbasta gang claimed responsibility for Synlab Italia attack – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/blackbasta-gang-claimed-responsibility-for-synlab-italia-attack-source-securityaffairs-com/
Source: www.schneier.com – Author: Bruce Schneier HomeBlog Comments ResearcherZero • May 3, 2024 8:53 PM Journalist killings are at their highest levels in almost a decade. ‘https://www.project-syndicate.org/commentary/attacks-on-journalists-media-indicates-democratic-erosion-by-jodie-ginsberg-2024-05 Governments are not protecting press freedom. At the international level, this year is notable for a clear lack of political will on the part of the international community […] La entrada Friday Squid Blogging: Squid Purses – Source: www.schneier.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/friday-squid-blogging-squid-purses-source-www-schneier-com/
Source: www.darkreading.com – Author: Dark Reading Staff 1 Min Read Source: Ihor Sveitukha via Alamy Stock Photo The number of ransomware and associated extortion attacks is growing, with reports nearly every day about damage inflicted on organizations. These attacks disrupt business operations and result in significant downtime. In some cases, data is stolen. Educational institutions, […] La entrada Mimic Launches With New Ransomware Defense Platform – Source: www.darkreading.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/mimic-launches-with-new-ransomware-defense-platform-source-www-darkreading-com/
Source: go.theregister.com – Author: Team Register Dating apps ask people to disclose all kinds of personal information in the hope of them finding love, or at least a hook-up. What many may not know is that the majority of these lonely-hearts corners vacuum up way more user info than they need to, and they also […] La entrada Dating apps kiss’n’tell all sorts of sensitive personal info – Source: go.theregister.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/dating-apps-kissntell-all-sorts-of-sensitive-personal-info-source-go-theregister-com/
Source: go.theregister.com – Author: Team Register AI built by Russian infosec firm Kaspersky was used in Russian drones for its war on Ukraine, volunteer intelligence gatherers claim. The OSINT analysts at InformNapalm, which sprung up in the wake of Russia’s 2014 annexation of Crimea, made those allegations after poring over 100 GB of data stolen […] La entrada Kaspersky hits back at claims its AI helped Russia develop military drone systems – Source: go.theregister.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/kaspersky-hits-back-at-claims-its-ai-helped-russia-develop-military-drone-systems-source-go-theregister-com/
Source: thehackernews.com – Author: . Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as APT28, drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S. The Czech Republic’s Ministry of Foreign […] La entrada Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities – Source:thehackernews.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/microsoft-outlook-flaw-exploited-by-russias-apt28-to-hack-czech-german-entities-sourcethehackernews-com/
Source: securityboulevard.com – Author: Arun Dhamija Recently, I wrapped up my first work trip with Balbix—a whirlwind tour of customer roundtables in Singapore, Melbourne and Sydney. We were joined by local EY teams that have been working with us for almost an entire year to explore the topic of Cyber Risk Management in the region. […] La entrada The Real Risk is Not Knowing Your Real Risk: Perspectives from Asia Pacific Tour with EY – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
https://ciso2ciso.com/the-real-risk-is-not-knowing-your-real-risk-perspectives-from-asia-pacific-tour-with-ey-source-securityboulevard-com/
Hackread.com
Sat, 04 May 2024 18:02:42 +0000By Uzair Amir Remember Minesweeper? It's not just a game - it's a hidden training ground for work skills! Sharpen your decision-making, focus, and strategic thinking with every click. This is a post from HackRead.com Read the original post: A Mind at Play: Rediscovering Minesweeper in the Professional Arena
https://www.hackread.com/rediscovering-minesweeper-in-professional-arena/
By Uzair Amir Is your coding class engaging and effective? Learn what makes the best online coding classes for kids fun, effective, and future-proof! This is a post from HackRead.com Read the original post: A Checklist for What Every Online Coding Class for Kids Needs
https://www.hackread.com/checklist-online-coding-class-kids/
By Waqas A new botnet called Goldoon targets D-Link routers and NAS devices putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network. pen_spark This is a post from HackRead.com Read the original post: New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw
https://www.hackread.com/goldoon-botnet-targeting-d-link-devices/
By Cyber Newswire Early adoption by Fortune 100 companies worldwide, LayerX already secures more users than any other browser security solution and enables unmatched security, performance and experience This is a post from HackRead.com Read the original post: LayerX Security Raises $24M for Browser Security: Empowering Secure Remote Work
https://www.hackread.com/layerx-security-browser-security-secure-remote-work/
By Deeba Ahmed Uncover the "Muddling Meerkat," a China-linked threat actor manipulating the DNS. Infoblox research reveals a sophisticated group with deep DNS expertise and potential ties to the Great Firewall. Learn their tactics and how to stay protected. This is a post from HackRead.com Read the original post: Muddling Meerkat Group Suspected of Espionage via Great Firewall of China
https://www.hackread.com/muddling-meerkat-espionage-great-firewall-china/
By Deeba Ahmed New Android malware alert! Brokewell steals data, takes over devices & targets your bank. Learn how this sneaky malware works & what you can do to protect yourself. Stop Brokewell before it stops you! This is a post from HackRead.com Read the original post: Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank
https://www.hackread.com/fake-chrome-updates-android-brokewell-malware/
By Deeba Ahmed Beware! Agent Tesla & Taskun Malware are targeting US Education & Gov. This cyberattack steals data & exploits vulnerabilities. Learn how to protect schools & government agencies from this double threat! This is a post from HackRead.com Read the original post: Agent Tesla and Taskun Malware Targeting US Education and Govt Entities
https://www.hackread.com/agent-tesla-taskun-malware-us-education-govt/
By Waqas The Department of Homeland Security (DHS) has formed an AI Safety Board to ensure secure AI use in critical infrastructure. This is a post from HackRead.com Read the original post: DHS Establishes AI Safety Board with Tech Titans and Experts
https://www.hackread.com/dhs-establishes-ai-safety-board-tech-titans/
By Deeba Ahmed Hackers are dusting off old tricks! A recent attack exploited vulnerabilities in systems running outdates Microsoft Office to deliver Cobalt Strike malware. Learn how to protect yourself! This is a post from HackRead.com Read the original post: 7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike
https://www.hackread.com/microsoft-office-0-day-exploited-cobalt-strike/
By Waqas The official website of Samourai Wallet has been seized, while its official app on the Apple Store and Google Play has been removed. This is a post from HackRead.com Read the original post: Feds Bust Privacy-Centric Samourai Wallet Over BTC Money Laundering
https://www.hackread.com/feds-bust-samourai-wallet-btc-money-laundering/
theregister.com/security
2024-05-04T18:00:13.00ZPrivacy Not Included label slapped on 22 of 25 top lonely-hearts corners Interview Dating apps ask people to disclose all kinds of personal information in the hope of them finding love, or at least a hook-up.…
https://go.theregister.com/feed/www.theregister.com/2024/05/04/dating_apps_privacy_mozilla/
Ready, set, sanctions? AI built by Russian infosec firm Kaspersky was used in Russian drones for its war on Ukraine, volunteer intelligence gatherers claim.…
https://go.theregister.com/feed/www.theregister.com/2024/05/03/kaspersky_russia_military_drone_claims/
Sure, we're waking to the risk, but we gotta get outta bed, warns Endor Labs founder Varun Badhwar interview The more cybersecurity news you read, the more often you seem to see a familiar phrase: Software supply chain (SSC) vulnerabilities. Varun Badhwar, founder and CEO at security firm Endor Labs, doesn't believe that's by coincidence. …
https://go.theregister.com/feed/www.theregister.com/2024/05/03/it_might_take_a_decade/
Cops prevented crims from bilking victims out of more than €10m - but couldn't stop crime against art A Europol-led operation dubbed “Pandora” has shut down a dozen phone scam centers, and arrested 21 suspects. The cops reckon the action prevented criminals from bilking victims out of more than €10 million (£8.6 million, $11 million).…
https://go.theregister.com/feed/www.theregister.com/2024/05/03/operation_pandora_europol/
A 'murky' web sees many purchases run through Singapore in a way that hides potential users Indonesia has acquired spyware and surveillance technologies through a "murky network" that extends into Israel, Greece, Singapore and Malaysia for equipment sourcing, according to Amnesty International.…
https://go.theregister.com/feed/www.theregister.com/2024/05/03/amnesty_indonesia_surveillance/
Bad configurations, insecure versions of jQuery, and crummy cookies are some of myriad problems Exclusive Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week.…
https://go.theregister.com/feed/www.theregister.com/2024/05/03/china_gov_web_vuln/
Windows giant extends passwordless tech to everyone else Microsoft today said it will now let us common folk — not just commercial subscribers — sign into their Microsoft accounts and apps using passkeys with their face, fingerprint, or device PIN.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/microsoft_google_passkeys/
Operation busted after dodgy devices ended up at Air Force Miami resident Onur Aksoy has been sentenced to six and a half years in prison for running a multi-million-dollar operation selling fake Cisco equipment that ended up in the US military.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/fake_cisco_prison/
Ten vulnerabilities in total for admins to apply Network admins are being urged to patch a bundle of critical vulnerabilities in ArubaOS that lead to remote code execution as a privileged user.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/hpe_aruba_patches/
Warning comes exactly a year after the vulnerability was introduced The US Cybersecurity and Infrastructure Security Agency (CISA) is forcing all federal agencies to patch a critical vulnerability in GitLab's Community and Enterprise editions, confirming it is very much under "active exploit."…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/critical_gitlab_vulnerability/
Taking down TikTok won't stop the CCP's attempt to control global narratives Chinese tech companies that serve as important links in the world's digital supply chains are helping Beijing to execute and refine its propaganda strategy, according to an Australian think tank.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/china_big_data_proganda/
After extorting $700 million from thousands of victims A Ukrainian man has been sentenced to almost 14 years in prison and ordered to pay more than $16 million in restitution for his role in infecting thousands of victims with REvil ransomware.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/revil_ransomware_prison/
Man arrested and blackmail charges expected after allegations of unpaid contractors and iffy infosec Updated Over a million records describing Australians who visited local pubs and clubs have apparently been posted online.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/australian_pubs_data_breach/
Only from its digital doc-signing service, which is isolated from its cloudy storage Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/dropbox_sign_attack/
Developer of Square and Cash App reportedly has big back-end problems it was slow to fix Fintech biz Block is reportedly under investigation by US prosecutors over claims by a former employee that lax compliance checks mean its Square and Cash App services may have been used by terrorists – or in countries that US orgs are not permitted to do business.…
https://go.theregister.com/feed/www.theregister.com/2024/05/02/prosecutors_probe_block_square_cashapp/
Intrusion investors went through Blount farce trauma, says SEC Jack Blount, the now-ex CEO of Intrusion, has settled with the SEC over allegations he made false and misleading statements about his infosec firm's product as well as his own background and experience.…
https://go.theregister.com/feed/www.theregister.com/2024/05/01/sec_blount_settlement/
Vulnerable elderly people tricked into paying tens of thousands over fake car accidents Sixteen people are facing charges from US prosecutors for allegedly preying on the elderly and scamming them out of millions of dollars.…
https://go.theregister.com/feed/www.theregister.com/2024/05/01/us_charges_16_grandparent_scammers/
Issue now resolved and isn't thought to be the work of criminals Aussie airline Qantas says its app is now stable following a data breach that saw boarding passes take off from passengers' accounts.…
https://go.theregister.com/feed/www.theregister.com/2024/05/01/qanta_app_glitch/
An ACE in the hole for miscreants Updated The open source R programming language – popular among statisticians and data scientists for performing visualization, machine learning, and suchlike – has patched an arbitrary code execution hole that scored a preliminary CVSS severity rating of 8.8 out of 10.…
https://go.theregister.com/feed/www.theregister.com/2024/05/01/r_programming_language_ace_vuln/
Vastaamo villain more than doubled reported crime in Nordic nation A cyber-thief who snatched tens of thousands of patients' sensitive records from a psychotherapy clinic before blackmailing them and then leaking their files online has been caged for six years and three months.…
https://go.theregister.com/feed/www.theregister.com/2024/04/30/finnish_psychotherapy_center_crook_sentenced/
Congress to hear how Citrix MFA snafu led to massive data theft, $870M+ loss Updated UnitedHealth CEO Andrew Witty will tell US lawmakers Wednesday the cybercriminals who hit Change Healthcare with ransomware used stolen credentials to remotely access a Citrix portal that didn't have multi-factor authentication enabled.…
https://go.theregister.com/feed/www.theregister.com/2024/04/30/unitedhealth_ceo_ransom/
Tried to sell top secret docs for the low, low price of $85K A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.…
https://go.theregister.com/feed/www.theregister.com/2024/04/30/nsa_employee_guilty_sentence/
Europe takes action after Facebook parent withdraws monitoring tool The European Commission has launched formal proceedings against Meta, alleging failure to properly monitor distribution by "foreign actors" of political misinformation before June's European elections.…
https://go.theregister.com/feed/www.theregister.com/2024/04/30/european_commission_launches_proceedings_meta_misinformation/
Infosec eggheads find iGiant left EU iOS 17 users open to being tracked around the web Apple's grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking.…
https://go.theregister.com/feed/www.theregister.com/2024/04/30/apple_safari_europe_tracking/
Carriers claim real culprits are getting away with it - the data brokers The FCC on Monday fined four major US telcos almost $200 million for "illegally" selling subscribers' location information to data brokers.…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/fcc_telecom_fines/
Third of a million developer accounts kiboshed, too Google says it stopped 2.28 million Android apps from being published in its official Play Store last year because they violated security rules.…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/google_rejected_apps/
Canadian stores shuttered 'until further notice' Updated Canadian pharmacy chain London Drugs closed all of its stores over the weekend until further notice following a "cybersecurity incident."…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/canada_london_drugs/
Finance minister says government has interests in IT giant's 'sovereign activities' The French government has tabled an offer to buy key assets of ailing IT giant Atos after the company late last week almost doubled its estimate of the cash it will need to stay afloat in the near future.…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/france_buy_atos_assets/
New laws mean vendors need to make clear how long you'll get updates too Smart device manufacturers will have to play by new rules in the UK as of today, with laws coming into force to make it more difficult for cybercriminals to break into hardware such as phones and tablets.…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/uk_lays_password_legislation/
Ad tech rewrite to replace web cookies still not to regulatory taste The UK Competition and Markets Authority (CMA) still has privacy and competition concerns about Google's Privacy Sandbox advertising toolkit, which explains why the ad giant recently again delayed its plan to drop third-party cookies in Chrome until 2025.…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/uk_cma_google/
How SSH Communications Security cuts through the hype around Zero Trust to secure the connections that matter Sponsored Feature As business enters the 2020s, organizations find themselves protecting fast-expanding digital estates using security concepts that are decades old.…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/the_next_step_up_for/
ALSO: Infostealer spotted hiding in CDN cache, antivirus update hijacked to deliver virus, and some critical vulns Updated - Infosec in brief They say sunlight is the best disinfectant, and that appears to have been true in the case of Discord data harvesting site Spy.pet – as it was recently and swiftly dismantled after its existence and purpose became known.…
https://go.theregister.com/feed/www.theregister.com/2024/04/29/infosec_in_brief/
Ouch! Millions of Kaiser Permanente patients' data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant.…
https://go.theregister.com/feed/www.theregister.com/2024/04/26/kaiser_patient_data/
Analysts brand deal a 'nail in the coffin' for UK tech investment Private equity investor Thoma Bravo has successfully completed a second acquisition attempt of UK-based cybersecurity company Darktrace in a $5.3 billion deal.…
https://go.theregister.com/feed/www.theregister.com/2024/04/26/thoma_bravo_darktrace/
Only minor changes from original proposals that kicked up privacy storm The UK's contentious Investigatory Powers (Amendment) Bill (IPB) 2024 has officially received the King's nod of approval and will become law.…
https://go.theregister.com/feed/www.theregister.com/2024/04/26/investigatory_powers_bill/
Check out the SANS CISO Primer for tips on hardening your organisation’s security posture in 2024 Sponsored Post Ever get nostalgic for the good old days of cybersecurity protection? When attacks were for the most part amateurish and infrequent, and perhaps more in the nature of an occasional nuisance rather than a daily existential threat?…
https://go.theregister.com/feed/www.theregister.com/2024/04/26/four_trends_to_top_the/
Huawei is OK, but Xiaomi, OPPO, and Samsung are in strife. And Honor isn't living its name Many Chinese keyboard apps, some from major handset manufacturers, can leak keystrokes to determined snoopers, leaving perhaps three quarters of a billion people at risk according to research from the University of Toronto’s Citizen Lab.…
https://go.theregister.com/feed/www.theregister.com/2024/04/26/pinyin_keyboard_security_risks/
Athletics boss accused of deep-faking Baltimore school principal Baltimore police have arrested Dazhon Leslie Darien, the former athletic director of Pikesville High School (PHS), for allegedly impersonating the school's principal using AI software to make it seem as if he made racist and antisemitic remarks.…
https://go.theregister.com/feed/www.theregister.com/2024/04/25/ai_voice_arrest/
Cash to go out as refunds to punters The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.…
https://go.theregister.com/feed/www.theregister.com/2024/04/25/ring_ftc_settlement/
Suspects in Portugal and the US said to have laundered over $100M Two men alleged to be co-founders of cryptocurrency biz Samourai Wallet face serious charges and potentially decades in US prison over claims they owned a product that facilitated the laundering of over $100 million in criminal cash.…
https://go.theregister.com/feed/www.theregister.com/2024/04/25/samourai_wallet_laundering_charges/
Google security crew reveal ‘the four Ds’ to be on the watch for It may come as a surprise to absolutely nobody that experts say, in revealing the most prevalent and likely tactics to meddle with elections this year, that state-sponsored cybercriminals pose the biggest threat.…
https://go.theregister.com/feed/www.theregister.com/2024/04/25/mandiant_russia_and_iran_pose/
After two years of warnings, and outages, regulators ran out of patience with Kotak Mahindra Bank India’s central bank has banned Kotak Mahindra Bank from signing up new customers for accounts or credit cards through its online presence and app.…
https://go.theregister.com/feed/www.theregister.com/2024/04/25/rbi_india_kotak_mahindra_bank/
And warn that AI is already being used by extremists to plot attacks The director general of Australia’s lead intelligence agency and the commissioner of its Federal Police yesterday both called for social networks to offer more assistance to help their investigators work on cases involving terrorism, child exploitation, and racist nationalism.…
https://go.theregister.com/feed/www.theregister.com/2024/04/25/asio_afp_accountable_encryption/
Don't get too comfortable: 'Line Dancer' malware may be targeting other vendors, too A previously unknown and "sophisticated" nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes — and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.…
https://go.theregister.com/feed/www.theregister.com/2024/04/24/spies_cisco_firewall/
Doctorow: 'The most amazing part is that this isn't already the way it's done' Collaboration software used by federal government agencies — this includes apps from Microsoft, Zoom, Slack, and Google — will be required to work together and be securely end-to-end encrypted, if legislation proposed by US Senator Ron Wyden (D-OR) passes.…
https://go.theregister.com/feed/www.theregister.com/2024/04/24/wyden_government_interoperability/
Secure-by-default... if your pockets are deep enough Microsoft has come under fire for charging for security add-ons despite the company's own patchy record when it comes to vulnerabilities and breaches.…
https://go.theregister.com/feed/www.theregister.com/2024/04/24/microsoft_security_addons/
The firm 'fessed up to staff misconduct and avoided criminal liability A company contracted to manage an Amarillo, Texas nuclear weapons facility has to pay US government $18.4 million in a settlement over allegations that its atomic technicians fudged their timesheets to collect more money from Uncle Sam.…
https://go.theregister.com/feed/www.theregister.com/2024/04/24/management_company_settles_for_184m/
Privacy Sandbox slips into 2025 after challenges from UK authorities Google's plan to phase out third-party cookies in Chrome is being postponed to 2025 amid wrangling with the UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO).…
https://go.theregister.com/feed/www.theregister.com/2024/04/24/google_delays_cookie_cull/
Their holiday options are now far more restricted The US has charged and sanctioned four Iranian nationals for their alleged roles in various attacks on US companies and government departments, all of whom are claimed to have worked for fake companies linked to Iran's military.…
https://go.theregister.com/feed/www.theregister.com/2024/04/24/iranians_charged_cyber_espionage/
One wonders why are there adverts on public-sector portals at all Exclusive At least 18 public-sector websites in the UK and US send visitor data in some form to various web advertising brokers – including an ad-tech biz in China involved in past privacy controversies, a security firm claims.…
https://go.theregister.com/feed/www.theregister.com/2024/04/24/ads_on_gov_uk_websites/
Exploit ONe
Thu, 25 Apr 2024 23:51:30 +0000The Cybersecurity and Infrastructure Security Agency (CISA) has recently flagged two critical vulnerabilities in Cisco’s network security products, prompting urgent attention from IT professionals worldwide. These vulnerabilities, identified as CVE-2024-20353Read More → The post Critical Vulnerabilities in Cisco ASA & FTD Exposed! Learn How to Exploit CVE-2024-20353 and CVE-2024-20359 appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/cyber-security/critical-vulnerabilities-in-cisco-asa-ftd-exposed-learn-how-to-exploit-cve-2024-20353-and-cve-2024-20359/
In recent months, several hospitals across France have fallen victim to devastating cyberattacks, forcing them to postpone medical procedures and ramp up their cybersecurity defenses. These incidents highlight the growingRead More → The post Healthcare Hack Horror: Cyberattacks Leave French Hospitals in Chaos for $10 Million appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/data-breach/healthcare-hack-horror-cyberattacks-leave-french-hospitals-in-chaos-for-10-million/
In a groundbreaking analysis, security researcher Bartek Nowotarski has detailed a new class of vulnerabilities within the HTTP/2 protocol, known as the CONTINUATION Flood. This technical deep dive into HTTP/2‘sRead More → The post How HTTP/2 CONTINUATION Flood Vulnerability Lead to CPU Exhaustion, Memory Overflow & Evasion of Logging appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/forensics/how-http-2-continuation-flood-vulnerability-lead-to-cpu-exhaustion-memory-overflow-evasion-of-logging/
In a significant development in the realm of cybersecurity, two critical vulnerabilities in Microsoft SharePoint Server, identified as CVE-2023-24955 and CVE-2023-29357, have been brought to light, underscoring the persistent threatRead More → The post Dual Vulnerabilities in Microsoft SharePoint Server: Essential Steps to Mitigate Vulnerabilities appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/vulnerabilities/dual-vulnerabilities-in-microsoft-sharepoint-server-essential-steps-to-mitigate-vulnerabilities/
In a significant cybersecurity incident, the Cybersecurity and Infrastructure Security Agency (CISA) was breached last month due to vulnerabilities in Ivanti software products. This breach underscores the ongoing threat dataRead More → The post Hacking the Unhackable: The Story of How CISA Was Breached appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/cyber-security/hacking-the-unhackable-the-story-of-how-cisa-was-breached/
HiddenLayer’s recent research has uncovered a series of concerning vulnerabilities within Google’s latest Large Language Models (LLMs) family, known as Gemini. These vulnerabilities present significant security risks, including the manipulationRead More → The post Google Gemini Under Fire: Critical Security Vulnerabilities You Need to Know to hack Gemini appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/tutorials/google-gemini-under-fire-critical-security-vulnerabilities-you-need-to-know-to-hack-gemini/
At the recent SO-CON security conference, researchers have brought to light significant misconfigurations in Microsoft’s System Center Configuration Manager (SCCM), now known as Configuration Manager. These misconfigurations, if exploited, couldRead More → The post Cracking SCCM Wide Open: Pentesting System Center Configuration Manager with Misconfiguration Manager appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/tutorials/cracking-sccm-wide-open-pentesting-system-center-configuration-manager-with-misconfiguration-manager/
In recent times, the cybersecurity landscape has witnessed a significant uptick in the exploitation of misconfigured servers across various platforms, including YARN (Yet Another Resource Negotiator), Docker, Confluence, and Redis.Read More → The post How the 8220 Gang Is Compromising YARN, Docker, Confluence, and Redis Servers for Cryptomining appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/cyber-security/how-the-8220-gang-is-compromising-yarn-docker-confluence-and-redis-servers-for-cryptomining/
The recent findings from McAfee Labs have unveiled a worrying trend in the cybersecurity landscape: a significant increase in malware distribution through PDF files. This revelation is particularly concerning becauseRead More → The post The Dark Side of PDFs: How Opening a Simple PDF Could Unleash a Cybersecurity Nightmare appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/cyber-security/the-dark-side-of-pdfs-how-opening-a-simple-pdf-could-unleash-a-cybersecurity-nightmare/
In the ever-evolving landscape of cybersecurity, a new vulnerability identified as CVE-2023-40547 has emerged, casting a shadow over the security of most Linux systems. This vulnerability, discovered within the shimRead More → The post Exploiting the High-Risk Vulnerabilities in Secure Boot of Most Linux Devices on the Planet appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/vulnerabilities/exploiting-the-high-risk-vulnerabilities-in-secure-boot-of-most-linux-devices-on-the-planet/
In a significant cybersecurity incident, Cloudflare, a leading web security and performance company, disclosed that it had been targeted by a sophisticated hacking attempt by a nation-state actor. The attack,Read More → The post The Cloudflare Hack: A Hacker, 5000 Credentials, and Operation Code Red appeared first on Cyber Security News | Exploit One | Hacking News.
https://www.exploitone.com/data-breach/the-cloudflare-hack-a-hacker-5000-credentials-and-operation-code-red/
Info Security
3 May 2024The US warns that the North Korea-linked Kimsuky group is exploiting poorly configured DMARC protocols to spoof legitimate domains in espionage phishing campaigns
https://www.infosecurity-magazine.com/news/north-korean-spoofing-journalist/
Amnesty International found in Indonesia a murky ecosystem of surveillance suppliers, brokers and resellers that obscures the sale and transfer of surveillance technology
https://www.infosecurity-magazine.com/news/indonesia-spyware-haven-amnesty/
Microsoft illustrated the severity of the issue via a case study involving Xiaomi’s File Manager
https://www.infosecurity-magazine.com/news/android-flaw-apps-4-billion/
Sweden experienced a wave of DDoS attacks as the country was working towards joining NATO, Netscout found
https://www.infosecurity-magazine.com/news/nato-sweden-surge-ddos-attacks/
Dynatrace research claims global CISOs are concerned AI is driving advanced app security threats and poor developer practices
https://www.infosecurity-magazine.com/news/threequarters-cisos-app-security/
Attackers accessed emails, usernames, phone numbers, hashed passwords and authentication information
https://www.infosecurity-magazine.com/news/security-breach-dropbox-sign/
A US court has sentenced a Ukrainian national to 13 years and seven months in prison for his role in over 2500 ransomware attacks using the REvil strain
https://www.infosecurity-magazine.com/news/revil-ransomware-affiliate/
The US and its allies claim Russian hacktivists are disruptive operations in water, energy, food and agriculture sectors
https://www.infosecurity-magazine.com/news/us-uk-warn-disruptive-russian-ot/
The data from ReliaQuest also suggests LockBit faced a significant setback due to law enforcement action
https://www.infosecurity-magazine.com/news/lockbit-black-basta-play/
Andrew Witty made the claims in a written testimony submitted before a House subcommittee hearing
https://www.infosecurity-magazine.com/news/unitedhealth-breach-stolen/
Comparitech found that 18% of ransomware incidents in the US led to a lawsuit in 2023, with 59% of completed lawsuits since 2018 proving successful
https://www.infosecurity-magazine.com/news/ransomware-attacks-trigger-lawsuit/
New report from Netwrix reveals unplanned expenses impact half of breached firms, including a surge in lawsuits
https://www.infosecurity-magazine.com/news/lawsuits-company-devaluations/
The growth of software supply chain attacks pushed vulnerability exploits to the third most used initial access method, Verizon found
https://www.infosecurity-magazine.com/news/dbir-vulnerability-exploits-triple/
Join Claire Williams at Infosecurity Europe to learn how F1 leadership strategies can inspire cybersecurity leaders
https://www.infosecurity-magazine.com/news/infosecurity-europe-keynote-claire/
The UK’s National Cyber Security Centre claims its AMS model will protect firms from state-backed mobile threats
https://www.infosecurity-magazine.com/news/ncscs-mobile-risk-model-highthreat/
The US Department of Homeland Security has released new guidelines for securing critical infrastructure and CBRN from AI threats
https://www.infosecurity-magazine.com/news/us-releases-new-resources-ai/
The first quarter of 2024 saw the most ransomware activity ever recorded, Corvus Insurance found in a new analysis
https://www.infosecurity-magazine.com/news/ransomware-rising-takedowns-corvus/
Central YMCA was fined £7,500 for a data breach exposing HIV information of support program participants, prompting the ICO to call for stronger privacy protections for people with HIV
https://www.infosecurity-magazine.com/news/ico-raises-concerns-privacy-hiv/
According to JFrog, approximately 25% of all repositories lack useful functionality and serve as vehicles for spam and malware
https://www.infosecurity-magazine.com/news/malicious-containers-found-docker/
Meta’s moderation failings could allow coordinated disinformation campaigns to thrive in the run-up to the EU election
https://www.infosecurity-magazine.com/news/eu-probe-faceboo-instagram/
HelpNetSecurity
Sun, 05 May 2024 08:00:57 +0000Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades There are proof-of-concept techniques allowing attackers to achieve persistence on Palo Alto Networks firewalls after CVE-2024-3400 has been exploited, the company has confirmed on Monday, but they are “not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.” Microsoft, … More → The post Week in review: PoCs allow persistence on Palo Alto firewalls, Okta credential stuffing attacks appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/05/week-in-review-pocs-allow-persistence-on-palo-alto-firewalls-okta-credential-stuffing-attacks/
Google has drastically increased the rewards bug hunters can get for reporting vulnerabilities in Android apps it develops and maintains. “We increased reward amounts by up to 10x in some categories (for example Remote Arbitrary Code Execution in a Tier 1 app went from $30,000 to $300,000),” Google information security engineer Kristoffer Blasiak has pointed out. Google is also ready to pay more for high-quality reports, so that the Mobile Vulnerability Reward Program team can … More → The post Bug hunters can get up to $450,000 for an RCE in Google’s Android apps appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/google-android-apps-vulnerabilities/
Trellix has unveiled Trellix Wise, a powerful suite of traditional and Generative Artificial Intelligence (GenAI) tools to drastically reduce cyber risk. Trellix Wise extends across the Trellix XDR Platform to discover and neutralize threats more efficiently while lowering security operations costs. The AI-driven platform automates workflows, delivering increased analyst efficiencies and improved threat prevention, detection, investigation, and remediation. Security Operations teams, largely understaffed, are looking for solutions to help alleviate stresses and strengthen operational resilience … More → The post Trellix Wise automates security workflows with AI, streamlining threat detection and remediation appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/trellix-wise/
Since 2013, the first Thursday in May is marked as World Password Day, a day dedicated to raising awareness about the need for using strong, unique passwords to secure out digital lives. Despite decades of often-repeated statements proclaiming the death of the password as a means for digital authentication, the password isn’t dead yet. It also doesn’t seem like it will die imminenty, despite the increased layered use of additional authentication methods (biometrics, hardware security … More → The post Microsoft, Google widen passkey support for its users appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/microsoft-google-passkey-support/
Cyble is launching Cyble Vision X, the successor to its Cyble Vision 2.0 threat intelligence platform, to elevate the user experience by empowering decision-makers with immediate access to critical information. The comprehensive release infuses artificial intelligence (AI) into every aspect of the customer journey and introduces the revamped “Executive Insights” dashboard, which consolidates the most consequential intelligence in one easy-to-use interface. In addition, an enhanced filter allows users to effortlessly navigate through their data, and … More → The post Cyble Vision X covers the entire breach lifecycle appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/cyble-vision-x-platform/
BlackBerry introduced the new and expanded CylanceMDR, offering comprehensive Managed Detection & Response (MDR) protection powered by the Cylance AI platform and augmented with award-winning security operations center analysts for 24×7 threat coverage. CylanceMDR (formerly CylanceGUARD) now offers three new packages – Standard, Advanced, and On-Demand. Each package is designed to address the unique cybersecurity challenges businesses face today, from AI detection to expert support, providing a comprehensive solution for all. “CylanceMDR offers more than … More → The post BlackBerry CylanceMDR improves cybersecurity defensive strategy appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/blackberry-cylancemdr/
Fortinet announced a new next-generation firewall (NGFW) appliance with the security and networking performance needed to serve as the backbone of the modern campus. Built on the Fortinet operating system, FortiOS, and the latest, fifth-generation Fortinet security processing unit (SP5), the FortiGate 200G series delivers increased firewall throughput, FortiGuard AI-Powered Security Services, and 5GE ports for the new Wi-Fi 7 wireless standard. These features enable organizations to efficiently support and secure the growing volume of … More → The post FortiGate 200G series boosts campus connectivity for Wi-Fi 7 appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/fortigate-200g-series/
Nokod Security launched the Nokod Security Platform, enabling organizations to protect against security threats, vulnerabilities, compliance issues, and misconfigurations introduced by LCNC applications and robotic process automations (RPAs). Most organizations currently lack any formal processes, procedures and tools for monitoring and managing the security risks associated with LCNC apps. By integrating with leading LCNC and RPA development platforms such as Microsoft Power Apps, UiPath, ServiceNow, Salesforce, and more, Nokod enables organizations to detect vulnerabilities as … More → The post Nokod Security Platform secures low-code/no-code development environments and apps appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/nokod-security-platform-secures-low-code-no-code-development-environments-and-apps/
Lenovo has launched its new AI-based Cyber Resiliency as a Service (CRaaS) leveraging Lenovo device telemetry and the Microsoft security software portfolio including Microsoft Copilot for Security and Defender for Endpoint. With AI offering protection at multiple levels, the new solution integrates greater visibility with cyber protection, detection, response and recovery across digital estates and devices. This benefits customers by helping them operate more securely across devices, users, apps, data, networks, and cloud services and … More → The post Lenovo launches AI-based Cyber Resiliency as a Service appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/lenovo-ai-based-cyber-resiliency-as-a-service/
Edgio launched its Attack Surface Management (ASM) solution. ASM is designed to discover all web assets, provide full inventory of technologies, detect security exposures and manage exposure response across an organization from a centralized management interface. ASM, combined with Edgio’s comprehensive web security solutions and managed security services, provides edge-enabled continuous web application threat management service. In an era where AI-driven threats are escalating at an unprecedented rate, it is crucial to deploy solutions that … More → The post Edgio ASM reduces risk from web application vulnerabilities appeared first on Help Net Security.
https://www.helpnetsecurity.com/2024/05/03/edgio-asm/