Cybersecurity News

About This Website

Welcome to our cybersecurity news aggregator! This website gathers news articles from over 60 sources, providing you with a comprehensive and up-to-date overview of the latest happenings in the world of cybersecurity.

We utilize RSS feeds to collect the news, ensuring a streamlined and efficient process. This enables you to stay informed and access a wide variety of perspectives and insights in one convenient location.

Dive into the latest cybersecurity stories and explore the wealth of knowledge available, all in one place.

Cybersecurity News

French Authorities Launch Operation to Remove PlugX Malware from Infected Systems

French judicial authorities, in collaboration with Europol, have launched a so-called "disinfection operation" to rid compromised hosts of a known malware called PlugX. The Paris Prosecutor's Office, Parquet de Paris, said the initiative was launched on July 18 and that it's expected to continue for "several months." It further said around a hundred victims located in France, Malta, Portugal,

Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims. The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024. "The malware uses a

This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps

A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform"

Offensive AI: The Sine Qua Non of Cybersecurity

"Peace is the virtue of civilization. War is its crime. Yet it is often in the furnace of war that the sharpest tools of peace are forged." - Victor Hugo. In 1971, an unsettling message started appearing on several computers that comprised ARPANET, the precursor to what we now know as the Internet. The message, which read "I'm the Creeper: catch me if you can." was the output of a program named

U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals

The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world. "Rim Jong Hyok and his co-conspirators deployed

Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining

Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining. Cloud security firm Wiz is tracking the activity under the name SeleniumGreed. The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023. "Unbeknownst to

CrowdStrike Warns of New Phishing Scam Targeting German Customers

CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter

Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk

Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could result in remote code execution. The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), impacts Report Server version 2024 Q2 (10.1.24.514) and earlier. "In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code

North Korean Hackers Shift from Cyber Espionage to Ransomware Attacks

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker APT45, which overlaps with names such as Andariel, Nickel Hyatt,

6 Types of Applications Security Testing You Must Know About

Application security testing is a critical component of modern software development, ensuring that applications are robust and resilient against malicious attacks. As cyber threats continue to evolve in complexity and frequency, the need to integrate comprehensive security measures throughout the SDLC has never been more essential. Traditional pentesting provides a crucial snapshot of an

Meta Removes 63,000 Instagram Accounts Linked to Nigerian Sextortion Scams

Meta Platforms on Wednesday said it took steps to remove around 63,000 Instagram accounts in Nigeria that were found to target people with financial sextortion scams. "These included a smaller coordinated network of around 2,500 accounts that we were able to link to a group of around 20 individuals," the company said. "They targeted primarily adult men in the U.S. and used fake accounts to mask

Webinar: Securing the Modern Workspace: What Enterprises MUST Know about Enterprise Browser Security

The browser is the nerve center of the modern workspace. Ironically, however, the browser is also one of the least protected threat surfaces of the modern enterprise. Traditional security tools provide little protection against browser-based threats, leaving organizations exposed. Modern cybersecurity requires a new approach based on the protection of the browser itself, which offers both

Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name ConfusedFunction. "An attacker could escalate their privileges to the Default Cloud Build Service Account and

Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins (AuthZ) under specific circumstances. Tracked as CVE-2024-41110, the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity. "An attacker could exploit a bypass using an API request with Content-Length set

CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could be exploited to trigger a denial-of-service (DoS) condition. "A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition," the U.S. Cybersecurity and

New Chrome Feature Scans Password-Protected Files for Malicious Content

Google said it's adding new security warnings when downloading potentially suspicious and malicious files via its Chrome web browser. "We have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions," Jasika Bawa, Lily Chen, and Daniel Rubery from the Chrome Security team said. To that

How a Trust Center Solves Your Security Questionnaire Problem

Security questionnaires aren’t just an inconvenience — they’re a recurring problem for security and sales teams. They bleed time from organizations, filling the schedules of professionals with monotonous, automatable work. But what if there were a way to reduce or even altogether eliminate security questionnaires? The root problem isn’t a lack of great questionnaire products — it’s the

Telegram App Flaw Exploited to Spread Malware Hidden in Videos

A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to send malicious files disguised as harmless-looking videos. The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11. "

How to Reduce SaaS Spend and Risk Without Impacting Productivity

There is one simple driver behind the modern explosion in SaaS adoption: productivity. We have reached an era where purpose-built tools exist for almost every aspect of modern business and it’s incredibly easy (and tempting) for your workforce to adopt these tools without going through the formal IT approval and procurement process. But this trend has also increased the attack surface—and with

Patchwork Hackers Target Bhutan with Advanced Brute Ratel C4 Tool

The threat actor known as Patchwork has been linked to a cyber attack targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell. The development marks the first time the adversary has been observed using the red teaming software, the Knownsec 404 Team said in an analysis published last week. The activity cluster, also

CrowdStrike Explains Friday Incident Crashing Millions of Windows Devices

Cybersecurity firm CrowdStrike on Wednesday blamed an issue in its validation system for causing millions of Windows devices to crash as part of a widespread outage late last week. "On Friday, July 19, 2024 at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows sensor to gather telemetry on possible novel threat techniques," the company

Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza. Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1). The high-severity

CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below -
CVE-2012-4792 (CVSS score: 9.3) - Microsoft Internet Explorer Use-After-Free Vulnerability
CVE-2024-39891 (CVSS score: 5.3) - Twilio Authy Information Disclosure

Chinese Hackers Target Taiwan and U.S. NGO with MgBot and MACMA Malware

Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools. The campaign is a sign that the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January. Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP

How to Securely Onboard New Employees Without Sharing Temporary Passwords

The initial onboarding stage is a crucial step for both employees and employers. However, this process often involves the practice of sharing temporary first-day passwords, which can expose organizations to security risks. Traditionally, IT departments have been cornered into either sharing passwords in plain text via email or SMS, or arranging in-person meetings to verbally communicate these

Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the

Meta Given Deadline to Address E.U. Concerns Over 'Pay or Consent' Model

Meta has been given time till September 1, 2024, to respond to concerns raised by the European Commission over its "pay or consent" advertising model or risk facing enforcement measures, including sanctions. The European Commission said the Consumer Protection Cooperation (CPC) Network has notified the social media giant that the model adopted for Facebook and Instagram might potentially violate

Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign that targeted a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to a threat actor it tracks under the name UAC-0063, which was previously observed targeting various government entities to gather sensitive information using

Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web

Experts Uncover Chinese Cybercrime Network Behind Gambling and Human Trafficking

[Figure: The relationship between various TDSs and DNS associated with Vigorish Viper and the final landing experience for the user]

A Chinese organized crime syndicate with links to money laundering and human trafficking across Southeast Asia has been using an advanced "technology suite" that runs the whole cybercrime supply chain spectrum to spearhead its operations. Infoblox is tracking the proprietor

PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing

A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. "Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google

How to Set up an Automated SMS Analysis Service with AI in Tines

The opportunities to use AI in workflow automation are many and varied, but one of the simplest ways to use AI to save time and enhance your organization’s security posture is by building an automated SMS analysis service. Workflow automation platform Tines provides a good example of how to do it. The vendor recently released their first native AI features, and security teams have already

MSPs & MSSPs: How to Increase Engagement with Your Cybersecurity Clients Through vCISO Reporting

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, “Your First 100 Days as a vCISO – 5 Steps to Success”, which covers all the phases entailed in launching a successful vCISO engagement, along with recommended

SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale

New Linux Variant of Play Ransomware Targeting VMware ESXi Systems

Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a

Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. The attack chains involve distributing a ZIP archive file named "crowdstrike-hotfix.zip,"

17-Year-Old Linked to Scattered Spider Cybercrime Syndicate Arrested in U.K.

Law enforcement officials in the U.K. have arrested a 17-year-old boy from Walsall who is suspected to be a member of the notorious Scattered Spider cybercrime syndicate. The arrest was made "in connection with a global cyber online crime group which has been targeting large organizations with ransomware and gaining access to computer networks," West Midlands police said. "The arrest is part of

Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide

Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike. "CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," the company's CEO George Kurtz said in a statement. "Mac and Linux hosts are not impacted. This is

Two Russian Nationals Plead Guilty in LockBit Ransomware Attacks

Two Russian nationals have pleaded guilty in a U.S. court for their participation as affiliates in the LockBit ransomware scheme and helping facilitate ransomware attacks across the world. The defendants include Ruslan Magomedovich Astamirov, 21, of Chechen Republic, and Mikhail Vasiliev, 34, a dual Canadian and Russian national of Bradford, Ontario. Astamirov was arrested in Arizona by U.S. law

Safeguard Personal and Corporate Identities with Identity Intelligence

Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill’s threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk. In the current cyber threat landscape, the protection of personal and corporate identities has become vital.

Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware

A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information. These attacks, attributed to an activity cluster codenamed OilAlpha, entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future's Insikt Group said. Targets of the ongoing campaign

APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group. "APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since

Summary of "AI Leaders Spill Their Secrets" Webinar

Event Overview The "AI Leaders Spill Their Secrets" webinar, hosted by Sigma Computing, featured prominent AI experts sharing their experiences and strategies for success in the AI industry. The panel included Michael Ward from Sardine, Damon Bryan from Hyperfinity, and Stephen Hillian from Astronomer, moderated by Zalak Trivedi, Sigma Computing's Product Manager. Key Speakers and Their

SolarWinds Patches 8 Critical Flaws in Access Rights Manager Software

SolarWinds has addressed a set of critical security flaws impacting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code. Of the 13 vulnerabilities, eight are rated Critical in severity and carry a CVSS score of 9.6 out of 10.0. The remaining five weaknesses have been rated High in severity, with four of them having a CVSS

WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach

Indian cryptocurrency exchange WazirX has confirmed that it was the target of a security breach that led to the theft of $230 million in cryptocurrency assets. "A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million," the company said in a statement. "This wallet was operated utilizing the services of Liminal's digital asset custody and

Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver

Cybersecurity researchers have shed light on an adware module that purports to block ads and malicious websites, while stealthily offloading a kernel driver component that grants attackers the ability to run arbitrary code with elevated permissions on Windows hosts. The malware, dubbed HotPage, gets its name from the eponymous installer ("HotPage.exe"), according to new findings from ESET, which

AppSec Webinar: How to Turn Developers into Security Champions

Let's face it: AppSec and developers often feel like they're on opposing teams. You're battling endless vulnerabilities while they just want to ship code. Sound familiar? It's a common challenge, but there is a solution. Ever wish they proactively cared about security? The answer lies in a proven, but often overlooked, strategy: Security Champion Programs — a way to turn developers from

Automated Threats Pose Increasing Risk to the Travel Industry

As the travel industry rebounds post-pandemic, it is increasingly targeted by automated threats, with the sector experiencing nearly 21% of all bot attack requests last year. That’s according to research from Imperva, a Thales company. In their 2024 Bad Bot Report, Imperva finds that bad bots accounted for 44.5% of the industry’s web traffic in 2023—a significant jump from 37.4% in 2022. 

SAP AI Core Vulnerabilities Expose Customer Data to Cyber Attacks

Cybersecurity researchers have uncovered security shortcomings in SAP AI Core cloud-based platform for creating and deploying predictive artificial intelligence (AI) workflows that could be exploited to get hold of access tokens and customer data. The five vulnerabilities have been collectively dubbed SAPwned by cloud security firm Wiz. "The vulnerabilities we found could have allowed attackers

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

Google says it recently fixed an authentication weakness that allowed crooks to circumvent email verification needed to create a Google Workspace account, and leverage that to impersonate a domain holder to third-party services that allow logins through Google's "Sign in with Google" feature.

Phish-Friendly Domain Registry “.top” Put on Notice

The Chinese company in charge of handing out domain names ending in “.top” has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in “.com.”

Global Microsoft Meltdown Tied to Bad Crowdstrike Update

A faulty software update from cybersecurity vendor Crowdstrike crippled countless Microsoft Windows computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike's solution needs to be applied manually on a per-machine basis.

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn't yet been registered, merely by supplying an email address tied to an existing domain.

Crooks Steal Phone, SMS Records for Nearly All AT&T Customers

AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people -- nearly all of its customers. AT&T said it delayed disclosing the incident in response to "national security and public safety concerns," noting that some of the records included data that could be used to determine where a call was made or text message sent. AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed).

The Stark Truth Behind the Resurgence of Russia’s Fin7

The Russia-based cybercrime group dubbed "Fin7," known for phishing and malware attacks that have cost victim organizations an estimated $3 billion in losses since 2013, was declared dead last year by U.S. authorities. But experts say Fin7 has roared back to life in 2024 -- setting up thousands of websites mimicking a range of media and technology companies -- with the help of Stark Industries Solutions, a sprawling hosting provider that is a persistent source of cyberattacks against enemies of Russia.

Microsoft Patch Tuesday, July 2024 Edition

Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

The Not-So-Secret Network Access Broker x999xx

Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is "x999xx," the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups.

KrebsOnSecurity Threatened with Defamation Lawsuit Over Fake Radaris CEO

On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The subjects of that piece are threatening to sue KrebsOnSecurity for defamation unless the story is retracted. Meanwhile, their attorney has admitted that the person Radaris named as the CEO from its inception is a fabricated identity.

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.

Friday Squid Blogging: Sunscreen from Squid Pigments

They’re better for the environment.

Blog moderation policy.

Compromising the Secure Boot Process

This isn’t good:

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it’s not clear when it was taken down...

The CrowdStrike Outage and Market-Driven Brittleness

Friday’s massive internet outage, caused by a mid-sized tech company called CrowdStrike, disrupted major airlines, hospitals, and banks. Nearly 7,000 flights were canceled. It took down 911 systems and factories, courthouses, and television stations. Tallying the total cost will take time. The outage affected more than 8.5 million Windows computers, and the cost will surely be in the billions of dollars, easily matching the most costly previous cyberattacks, such as NotPetya.

The catastrophe is yet another reminder of how brittle global internet infrastructure is. It’s complex, deeply interconnected, and filled with single points of failure. As we experienced last week, a single problem in a small piece of software can take large swaths of the internet and global economy offline...

Data Wallets Using the Solid Protocol

I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lee’s Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture.

Details are here, but basically a digital wallet is a repository for personal data and documents. Right now, there are hundreds of different wallets, but no standard. We think designing a wallet around Solid makes sense for lots of reasons. A wallet is more than a data store—data in wallets is for using and sharing. That requires interoperability, which is what you get from an open standard. It also requires fine-grained permissions and robust security, and that’s what the Solid protocols provide...

Robot Dog Internet Jammer

Supposedly the DHS has these:

The robot, called “NEO,” is a modified version of the “Quadruped Unmanned Ground Vehicle” (Q-UGV) sold to law enforcement by a company called Ghost Robotics. Benjamine Huffman, the director of DHS’s Federal Law Enforcement Training Centers (FLETC), told police at the 2024 Border Security Expo in Texas that DHS is increasingly worried about criminals setting “booby traps” with internet of things and smart home devices, and that NEO allows DHS to remotely disable the home networks of a home or building law enforcement is raiding. The Border Security Expo is open only to law enforcement and defense contractors. A transcript of Huffman’s speech was obtained by the Electronic Frontier Foundation’s Dave Maass using a Freedom of Information Act request and was shared with 404 Media...

2017 ODNI Memo on Kaspersky Labs

It’s heavily redacted, but still interesting.

Many more ODNI documents here.

Snake Mimics a Spider

This is a fantastic video. It’s an Iranian spider-tailed horned viper (Pseudocerastes urarachnoides). Its tail looks like a spider, which the snake uses to fool passing birds looking for a meal.

Friday Squid Blogging: Peru Trying to Protect its Squid Fisheries

Peru is trying to protect its territorial waters from Chinese squid-fishing boats.

Blog moderation policy.

Brett Solomon on Digital Rights

Brett Solomon is retiring from AccessNow after fifteen years as its Executive Director. He’s written a blog post about what he’s learned and what comes next.

Criminal Gang Physically Assaulting People for Their Cryptocurrency

This is pretty horrific:

…a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home St. Felix and one of his accomplices broke into before physically assaulting the two victims—both in their seventies—and forcing them to transfer more than $150,000 in Bitcoin and Ether to the thieves’ crypto wallets...

Student Loan Breach Exposes 2.5M Records

2.5 million people were affected, in a breach that could spell more trouble down the line.

Watering Hole Attacks Push ScanBox Keylogger

Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Ransomware Attacks are on the Rise

Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.

Cybercriminals Are Selling Access to Chinese Surveillance Cameras

Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.

Twitter Whistleblower Complaint: The TL;DR Version

Twitter is blasted for security and privacy lapses by the company’s former head of security who alleges the social media giant’s actions amount to a national security risk.

Firewall Bug Under Active Attack Triggers CISA Warning

CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.

Fake Reservation Links Prey on Weary Travelers

Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.

iPhone Users Urged to Update to Patch 2 Zero-Days

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

Google Patches Chrome’s Fifth Zero-Day of the Year

An insufficient input validation flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

IAM for MSPs Provider Evo Security Raises $6 Million

TechOperators leads a $6 million Series A funding round for Evo Security, a provider of IAM solutions for MSPs.

Industry Moves for the week of July 22, 2024 - SecurityWeek

Explore industry moves and significant changes in the industry for the week of July 22, 2024. Stay updated with the latest industry trends and shifts.

Progress Patches Critical Telerik Report Server Vulnerability

Progress Software calls attention to a critical remote code execution flaw in the Telerik Report Server product.

Threat Actors Exploit Fresh ServiceNow Vulnerabilities in Attacks

Threat actors have started exploiting critical-severity vulnerabilities in ServiceNow shortly after public disclosure.

In Other News: FBI Cyber Action Team, Pentagon IT Firm Leak, Nigerian Gets 12 Years in Prison

Noteworthy stories that might have slipped under the radar: FBI article on agency’s Cyber Action Team, data of Pentagon IT provider Leidos leaked, Nigerian cybercriminal sentenced to 12 years in prison.

US Offers $10 Million Reward for Information on North Korean Hacker

The US is offering a reward of up to $10 million for information on Rim Jong Hyok, a member of the North Korean hacking group APT45.

PKfail Vulnerability Allows Secure Boot Bypass on Hundreds of Computer Models

A vulnerability dubbed PKfail can allow attackers to run malicious code during the boot process, which can be used to deliver UEFI bootkits.

97% of Devices Disrupted by CrowdStrike Restored as Insurer Estimates Billions in Losses

CrowdStrike says 97% of Windows systems impacted by its bad update are back online, just as an insurer predicts billions in losses for major companies.

North Korean Charged in Cyberattacks on US Hospitals, NASA and Military Bases

A man who allegedly carried out attacks for a North Korean military intelligence agency has been indicted in a conspiracy to hack healthcare firms, NASA, military bases and other entities.

Chainguard Raises $140 Million, Expands Tech to Secure AI Workloads

Software supply chain security startup Chainguard raises a $140 million Series C round that values the company at $1.2 billion.

BIND Updates Resolve High-Severity DoS Vulnerabilities

The latest BIND security updates address remotely exploitable vulnerabilities leading to denial-of-service.

CrowdStrike meets Murphy's Law: Anything that can go wrong will

And boy, did last Friday's Windows fiasco ever prove that yet again

Opinion  CrowdStrike's recent Windows debacle will surely earn a prominent place in the annals of epic tech failures. On July 19, the cybersecurity giant accomplished what legions of hackers could only dream of – bringing millions of Windows systems worldwide to their knees with a single botched update.…

Progress discloses second critical flaw in Telerik Report Server in as many months

These are the kinds of bugs APTs thrive on, just ask the Feds

Progress Software's latest security advisory warns customers about the second critical vulnerability targeting its Telerik Report Server in as many months.…

North Korean chap charged for attacks on US hospitals, military, NASA – and even China

Microsoft, Mandiant, weigh in with info about methods used by Andariel gang alleged to have made many, many, heists

The US Department of Justice on Thursday charged a North Korean national over a series of ransomware attacks on stateside hospitals and healthcare providers, US defense companies, NASA, and even a Chinese target.…

Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank

May even have targeted other malware gangs, and infosec researchers

Infosec researchers have discovered a network of over three thousand malicious GitHub accounts used to spread malware, targeting groups including gamers, malware researchers, and even other threat actors who themselves seek to spread malware.…

CrowdStrike update blunder may cost world billions – and insurance ain't covering it all

We offer this formula instead: RND(100.0)*(10^9)

The cost of CrowdStrike's apocalyptic Falcon update that brought down millions of Windows computers last week may be in the billions of dollars, and insurance isn't covering most of that.…

Beware of fake CrowdStrike domains pumping out Lumma infostealing malware

PSA: Only accept updates via official channels ... ironically enough

CrowdStrike is the latest lure being used to trick Windows users into downloading and running the notorious Lumma infostealing malware, according to the security shop's threat intel team, which spotted the scam just days after the Falcon sensor update fiasco.…

FYI: Data from deleted GitHub repos may not actually be deleted

And the forking Microsoft-owned code warehouse doesn't see this as much of a problem

Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn't necessarily deleted.…

Uncle Sam accuses telco IT pro of decade-long spying campaign for China

Beijing has a long history of recruiting US residents to carry out various espionage activities

The US is looking to prosecute a Chinese immigrant over claims he has been drip-feeding information of interest to Beijing since at least 2012.…

You should probably fix this 5-year-old critical Docker vuln fairly sharpish

For some unknown reason, initial patch was omitted from later versions

Docker is warning users to rev their Docker Engine into patch mode after it realized a near-maximum severity vulnerability had been sticking around for five years.…

Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review

Those national security threat claims? 'No evidence,' VP tells The Reg

Exclusive  Despite the Feds' determination to ban Kaspersky's security software in the US, the Russian business continues to push its proposal to open up its data and products to independent third-party review – and prove to Uncle Sam that its code hasn't been and won't be compromised by Kremlin spies.…

Patch management still seemingly abysmal because no one wants the job

Are your security and ops teams fighting to pass the buck?

Comment  Patching: The bane of every IT professional's existence. It's a thankless, laborious job that no one wants to do, goes unappreciated when it interrupts work, and yet it's more critical than ever in this modern threat landscape.…

How a cheap barcode scanner helped fix CrowdStrike'd Windows PCs in a flash

This one weird trick saved countless hours and stress – no, really

Not long after Windows PCs and servers at the Australian limb of audit and tax advisory Grant Thornton started BSODing last Friday, senior systems engineer Rob Woltz remembered a small but important fact: When PCs boot, they consider barcode scanners no differently to keyboards.…

The months and days before and after CrowdStrike's fatal Friday

'In the short term, they're going to have to do a lot of groveling'

Analysis  The great irony of the CrowdStrike fiasco is that a cybersecurity company caused the exact sort of massive global outage it was supposed to prevent. And it all started with an effort to make life more difficult for criminals and their malware, with an update to its endpoint detection and response tool Falcon.…

Oops. Apple relied on bad code while flaming Google Chrome's Topics ad tech

Yes, you can be fingerprinted and tracked via Privacy Sandbox – tho the risk isn't as high as feared

Apple last week celebrated a slew of privacy changes coming to its Safari browser and took the time to bash rival Google for its Topics system that serves online ads based on your Chrome history.…

Uncle Sam opens probe into CrowdStrike turbulence at Delta Air Lines

Concerns abound over why it has taken so long to recover compared to competitors

The US Department of Transportation (DoT) is investigating Delta Air Lines over its handling of the global IT outage caused by CrowdStrike's content update.…

Windows Patch Tuesday update might send a user to the BitLocker recovery screen

Not now, Microsoft

Some Windows devices are presenting users with a BitLocker recovery screen upon reboot following the installation of July's Patch Tuesday update.…

Data pilfered from Pentagon IT supplier Leidos

With numerous US government agency customers, any leak could be serious

Updated  Internal documents stolen from Leidos Holdings, an IT services provider contracted with the Department of Defense and other US government agencies, have been leaked on the dark web.…

School gets an F for using facial recognition on kids in canteen

Watchdog reprimand follows similar cases in 2021

The UK's data protection watchdog has reprimanded a school in Essex for using facial recognition for canteen payments, nearly three years after other schools were warned about doing the same.…

Forget security – Google's reCAPTCHA v2 is exploiting users for profit

Web puzzles don't protect against bots, but humans have spent 819 million unpaid hours solving them

Updated  Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue it's harvesting information while extracting human labor worth billions.…

CrowdStrike blames a test software bug for that giant global mess it made

Something called 'Content Validator' did not validate the content, and the rest is history

CrowdStrike has blamed a bug in its own test software for the mass-crash-event it caused last week.…

Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil

If it can happen to folks that run social engineering defence training, what hope for the rest of us?

Cybersecurity awareness and training provider KnowBe4 hired a North Korean fake IT worker for a software engineering role on its AI team, and only realized its mistake once the guy started using his company-provided computer for evil.…

Philippines wipes out its legit online gambling industry to take down scammers

President apologizes in advance for job losses

The Philippines has decided to dismantle the worst of its offshored industries: the bits that run gambling and scam operations.…

How did a CrowdStrike file crash millions of Windows computers? We take a closer look at the code

Maybe next time some staged rollouts? A bit of QA too?

Analysis  Last week, at 0409 UTC on July 19, 2024, antivirus maker CrowdStrike released an update to its widely used Falcon platform that caused Microsoft Windows machines around the world to crash.…

Administrators have update lessons to learn from the CrowdStrike outage

How could this happen to us? We were supposed to be two versions behind?

If administrators have learned anything from the CrowdStrike chaos, it's to understand exactly what delayed updates mean – or don't mean – in the anti-malware world.…

Protecting AI systems from cyber threats

Join Intel, DETASAD, Juniper Networks, and Arqit to hear essential strategies in this webinar on July 30th

Webinar  Artificial Intelligence (AI) is revolutionizing industries worldwide, but with great power comes great responsibility.…

Cybercrooks spell trouble with typosquatting domains amid CrowdStrike crisis

Latest trend follows various malware campaigns that began just hours after IT calamity

Thousands of typosquatting domains are now registered to exploit the desperation of IT admins still struggling to recover from last week's CrowdStrike outage, researchers say.…

Alphabet's reported $23B bet on Wiz fizzles out

Cybersecurity outfit to go its own way to IPO and $1B ARR

On the day of Alphabet's Q2 earnings call, cybersecurity firm Wiz has walked from a $23 billion takeover bid by Google's parent company.…

Securing AI around the world

Gain insight by joining this AI security webinar on July 31

Webinar  As artificial intelligence (AI) continues to transform industries in the Middle East, protecting systems from cyber threats is critical.…

Google's plan to drop third-party cookies in Chrome crumbles

Ad giant promises to protect privacy, as critics say surveillance continues

Google no longer intends to drop support for third-party cookies – the online identifiers used by the ad industry to track people and target them with ads based on their online activities.…

Global cops power down world's 'most prolific' DDoS dealership

One arrest was made weeks ago but no word on the suspect's identity yet

A DDoS-for-hire site described by the UK's National Crime Agency (NCA) as the world's most prolific operator in the field is out-of-action following a law enforcement sting dubbed Operation Power Off.…

LA County Superior Court closes doors to reboot justice after ransomware attack

Some rest for the wicked?

Los Angeles County Superior Court, the largest trial court in America, closed all 36 of its courthouses today following an "unprecedented" ransomware attack on Friday.…

Cybercrooks crafting solo careers in wake of ransomware takedowns

More baddies go it alone as trust in big gangs withers, claims Europol

A fresh report from Europol suggests that the recent disruption of ransomware-as-a-service (RaaS) groups is fragmenting the threat landscape, making it more difficult to track.…

Oracle coughs up $115M to make privacy case go away

Big Red agrees not to capture personal details after two-year class action

Oracle has agreed to cough up $115 million to settle a two-year class action lawsuit that alleged misuse of user data.…

EU gave CrowdStrike the keys to the Windows kernel, claims Microsoft

Was a 2009 agreement on interoperability to blame?

Did the EU force Microsoft to let third parties like CrowdStrike run riot in the Windows kernel as a result of a 2009 undertaking? This is the implication being peddled by the Redmond-based cloud and software titan.…

Two Russians sanctioned over cyberattacks on US critical infrastructure

Supposed hacktivist efforts previously linked to the Kremlin's GRU

Flying under the radar on Clownstrike day last week, two members of the Cyber Army of Russia Reborn (CARR) hacktivist crew are the latest additions to the US sanctions list.…

Cellebrite got into Trump shooter's Samsung device in just 40 minutes

Also: Second-string Russian hackers sanctioned; Senators demand answers from Snowflake, and more

Infosec in brief  Unable to access the Samsung smartphone of the deceased Trump shooter for clues, the FBI turned to a familiar – if controversial – source to achieve its goal: digital forensics tools vendor Cellebrite.…

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

Rapid restore tool being tested as Microsoft estimates 8.5M machines went down

Updated  CrowdStrike's now-infamous Falcon Sensor software, which last week led to widespread outages of Windows-powered computers, has also been linked to crashes of Linux machines.…

UK cops arrest teen suspect in MGM Resorts cyberattack probe

17-year-old cuffed as FBI says it will 'relentlessly pursue' miscreants around the globe

Cops in the UK have arrested a suspected member of the notorious Scattered Spider crime gang, which is accused of crippling MGM Resorts in Las Vegas with ransomware last summer.…

CrowdStrike Windows patchpocalypse could take weeks to fix, IT admins fear

Our vultures gather to review this very freaky Friday

Kettle  If you're an IT administrator with Windows boxes on your network, Friday can't have been a lot of fun. What's likely millions of systems were or still are stuck in blue-screen boot loop hell, mostly requiring manual intervention to fix.…

CrowdStrike file update bricks Windows machines around the world

Falcon Sensor putting hosts into deathloop - but there's a workaround

Updated  An update to a product from infosec vendor CrowdStrike is bricking computers running Windows globally.…

North Korea likely behind takedown of Indian crypto exchange WazirX

Firm halts trades after seeing $230 million disappear

Indian crypto exchange WazirX has revealed it lost virtual assets valued at over $230 million after a cyber attack that has since been linked to North Korea.…

Beijing's attack gang Volt Typhoon was a false flag inside job conspiracy: China

Run by the NSA, the FBI, and Five Eyes nations, who fooled infosec researchers, apparently

China has wildly claimed the Volt Typhoon gang, which Five Eyes nations accuse of being a Beijing-backed attacker that targets critical infrastructure, was in fact made up by the US intelligence community.…

Judge mostly drags SEC's lawsuit against SolarWinds into the recycling bin

Russia-invaded software biz 'grateful for the support we have received'

A judge has mostly thrown out a lawsuit brought by America's financial watchdog that accused SolarWinds and its chief infosec officer of misleading investors about its computer security practices and the backdooring of its Orion product.…

Kaspersky challenges US government to put up or shut up about Kremlin ties

Stick an independent probe in our software, you won't find any Putin.DLL backdoor

Kaspersky has hit back after the US government banned its products – by proposing an independent verification that its software is above board and not backdoored by the Kremlin.…

Read More
Russia’s FIN7 is peddling its EDR-nerfing malware to ransomware gangs

Major vendors' products scuppered by novel techniques

Prolific Russian cybercrime syndicate FIN7 is using various pseudonyms to sell its custom security solution-disabling malware to different ransomware gangs.…

Read More
Maximum-severity Cisco vulnerability allows attackers to change admin passwords

You’re going to want to patch this one

Cisco just dropped a patch for a maximum-severity vulnerability that allows attackers to change the password of any user, including admins.…

Read More
Firms skip security reviews of major app updates about half the time

Complicated, costly, time-consuming – pick three

Updated: Cybersecurity workers review major updates to software applications only 54 percent of the time, according to a poll of tech managers.…

Read More
Release the hounds! Securing datacenters may soon need sniffer dogs

Nothing else can detect attackers with implants designed to foil physical security

Sniffer dogs may soon become a useful means of improving physical security in datacenters, as increasing numbers of people are adopting implants like NFC chips that have the potential to enable novel attacks on access control tools.…

Read More
Merged Exabeam and LogRhythm cut jobs, face lawsuit

Unconfirmed reports suggest 30 percent reduction in headcount

Exabeam and LogRhythm – a pair of cyber security firms – finalized their merger on Wednesday, an occasion The Register understands was marked by swift job cuts and shareholder action to investigate the transaction.…

Read More
Kaspersky gives US customers six months of free updates as a parting gift

So long, farewell, do svidaniya, goodbye

Updated: Embattled Russian infosec shop Kaspersky is giving US customers six months of security updates for free as a parting gift as Uncle Sam kicks the antivirus maker out of the American market.…

Read More
Synnovis Restores Systems After Cyber-Attack, But Blood Shortages Remain

Synnovis has rebuilt “substantial parts” of its systems following the Qilin ransomware attack on June 3, enabling the restoration of core blood supplies to NHS hospitals

Read More
Hacktivists Claim Leak of CrowdStrike Threat Intelligence

CrowdStrike has acknowledged the claims by the USDoD hacktivist group, which has provided a link to download the alleged threat actor list on a cybercrime forum

Read More
Despite Bans, AI Code Tools Widespread in Organizations

Despite bans on AI code generation tools, widespread use and lack of governance are creating significant security risks for organizations

Read More
North Korean Hackers Target Critical Infrastructure for Military Gain

A joint advisory by the UK, US and South Korea has warned of a global espionage campaign by a North Korean threat actor, Andariel, targeting CNI organizations

Read More
Ransomware and BEC Make Up 60% of Cyber Incidents

Cisco Talos found that ransomware and BEC accounted for 60% of all cyber incidents in Q2 2024, with ransomware rising by 22% compared to Q1

Read More
Malware Attacks Surge 30% in First Half of 2024

SonicWall observed a surge in malware attacks in H1 2024, with strains becoming more adept at defense evasion

Read More
Most IT Leaders Say Severity of Cyber-Attacks has Increased

Appsbroker CTS found that nine in 10 IT leaders believe the severity of cyber-attacks has increased over the past year

Read More
CrowdStrike Shares How a Rapid Response Content Update Caused Global Outage

CrowdStrike has published a preliminary Post Incident Review into the global IT outage on July 19, revealing the issue came from a Rapid Response Content update

Read More
North Korean Hackers Targeted Cybersecurity Firm KnowBe4 with Fake IT Worker

KnowBe4 revealed it was duped into hiring a fake IT worker from North Korea, resulting in attempted insider threat activity

Read More
Google Criticized for Abandoning Cookie Phase-Out

Google’s decision to abandon the phase out of third-party cookies on Chrome has been criticized, with the tech giant accused of neglecting user privacy

Read More
Chinese Espionage Group Upgrades Malware Arsenal to Target All Major OS

Symantec said Chinese espionage group Daggerfly has updated its malware toolkit as it looks to target Windows, Linux, macOS and Android operating systems

Read More
Russia Shifts Cyber Focus to Battlefield Intelligence in Ukraine

A new report published by RUSI highlighted how Russia’s intelligence services have adapted their cybersecurity strategy to the demands of a long war in Ukraine

Read More
Ledger Flex: Secure self-custody with E Ink touchscreen display

Ledger today launched Ledger Flex, featuring secure E Ink touchscreen displays powered by Ledger’s Secure OS. It’s available to purchase for $249, shipping immediately. The Ledger Flex features a high-resolution, 2.8” display that provides clarity when signing transactions or approving logins. E Ink offers energy efficiency, so the battery can last for weeks or months on one charge. “After a decade of setting the standard for security and self-custody in crypto and digital assets, I’m … More

The post Ledger Flex: Secure self-custody with E Ink touchscreen display appeared first on Help Net Security.

Read More
Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327)

Progress Software has fixed a critical vulnerability (CVE-2024-6327) in its Telerik Report Server solution and is urging users to upgrade as soon as possible. About CVE-2024-6327 (and CVE-2024-6096) Telerik Report Server is an enterprise solution for storing, creating, managing and viewing reports in web and desktop applications. CVE-2024-6327 is an insecure (untrusted data) deserialization vulnerability that may allow attackers to remotely execute code on the underlying server through CVE-2024-6096, an insecure type resolution vulnerability that … More

The post Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327) appeared first on Help Net Security.

Read More
16% of organizations experience disruptions due to insufficient AI maturity

While sysadmins recognize AI’s potential, significant gaps in education, cautious organizational adoption, and insufficient AI maturity hinder widespread implementation, leading to mixed results and disruptions in 16% of organizations, according to Action1. Knowledge gap and training needs Sysadmins’ views remained steady over the past year, identifying the following top three areas for AI automation in the next two years: (i) log analysis, (ii) server CPU and memory monitoring, and (iii) patch management. As with last … More

The post 16% of organizations experience disruptions due to insufficient AI maturity appeared first on Help Net Security.

Read More
AI-generated deepfake attacks force companies to reassess cybersecurity

As AI-generated deepfake attacks and identity fraud become more prevalent, companies are developing response plans to address these threats, according to GetApp. In fact, 73% of US respondents report that their organization has developed a deepfake response plan. This concern stems from the growing sophistication of AI-driven impersonation attacks that can undermine traditional security measures like biometric authentication, which were previously considered highly secure but are now being called into question. Companies are developing deepfake … More

The post AI-generated deepfake attacks force companies to reassess cybersecurity appeared first on Help Net Security.

Read More
Most CISOs feel unprepared for new compliance regulations

With the new stringent regulations, including the SEC’s cybersecurity disclosure rules in the USA and the Digital Operational Resilience Act (DORA) in the EU, a significant challenge is emerging for many organizations, according to Onyxia Cyber. CISO role has changed in recent years The job of a CISO has changed dramatically over the past few years. What used to be a technically minded cybersecurity role has evolved to include a greater emphasis on security strategy … More

The post Most CISOs feel unprepared for new compliance regulations appeared first on Help Net Security.

Read More
New infosec products of the week: July 26, 2024

Here’s a look at the most interesting products from the past week, featuring releases from GitGuardian, LOKKER, Permit.io, Secure Code Warrior, and Strata Identity. GitGuardian’s tool helps companies discover developer leaks on GitHub GitGuardian released a tool to help companies discover how many secrets their developers have leaked on public GitHub, both company-related and personal. The audit generates a score ranging from A to E. This score factors in the volume of hardcoded secrets detected, … More

The post New infosec products of the week: July 26, 2024 appeared first on Help Net Security.

Read More
Chainguard raises $140 million to strengthen open source software security

Chainguard has completed a $140 million Series C round of funding led by Redpoint Ventures, Lightspeed Venture Partners, and IVP, bringing the company’s total funding raised to $256 million. Existing investors, including Amplify, Mantis VC, Sequoia Capital, and Spark Capital also participated in the round. Demand for the company’s Chainguard Images solution continues to see rapid adoption among enterprises, with a more than 5X increase in its customer base year-over-year and an over 175 percent … More

The post Chainguard raises $140 million to strengthen open source software security appeared first on Help Net Security.

Read More
Docker fixes critical auth bypass flaw, again (CVE-2024-41110)

A critical-severity Docker Engine vulnerability (CVE-2024-41110) may be exploited by attackers to bypass authorization plugins (AuthZ) via a specially crafted API request, allowing them to perform unauthorized actions, including privilege escalation. About CVE-2024-41110 CVE-2024-41110 is a vulnerability that can be exploited remotely, without any user interaction, and the attack complexity is low. “An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request … More

The post Docker fixes critical auth bypass flaw, again (CVE-2024-41110) appeared first on Help Net Security.

Read More
Learning from CrowdStrike’s quality assurance failures

CrowdStrike has released a preliminary Post Incident Review (PIR) of how the flawed Falcon Sensor update made its way to millions of Windows systems and pushed them into a “Blue Screen of Death” loop. The PIR is a bit confusing to read and parse, because it attempts to assure readers that the company carefully and comprehensively tests its products – even though the company’s failures on that front are obvious. Here is the heart of … More

The post Learning from CrowdStrike’s quality assurance failures appeared first on Help Net Security.

Read More
CAST SBOM Manager automates creation and handling of SBOMs

CAST launched CAST SBOM Manager, a new freemium product designed for product owners, release managers, and compliance specialists. CAST SBOM Manager automates and simplifies the creation and handling of Software Bills of Materials (SBOMs), which North American and European governments now regularly require from their software providers. As the software supply chain faces unprecedented threats, maintaining accurate SBOMs has become critical for any organization that supplies software, especially regulated device manufacturers with embedded software, government … More

The post CAST SBOM Manager automates creation and handling of SBOMs appeared first on Help Net Security.

Read More
Building cyber-resilience: Lessons learned from the CrowdStrike incident

Organizations, including those that weren’t struck by the CrowdStrike incident, should resist the temptation to attribute the IT meltdown to exceptional circumstances

Read More
Beyond the blue screen of death: Why software updates matter

The widespread IT outages triggered by a faulty CrowdStrike update have put software updates in the spotlight. Here’s why you shouldn’t dread them.

Read More
How a signed driver exposed users to kernel-level threats – Week in Security with Tony Anscombe

A purported ad blocker marketed as a security solution leverages a Microsoft-signed driver that inadvertently exposes victims to dangerous threats

Read More
The complexities of cybersecurity update processes

If a software update process fails, it can lead to catastrophic consequences, as seen today with widespread blue screens of death blamed on a bad update by CrowdStrike

Read More
Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

ESET researchers discovered a zero-day Telegram for Android exploit that allows sending malicious files disguised as videos

Read More
The tap-estry of threats targeting Hamster Kombat players

ESET researchers have discovered threats abusing the success of the Hamster Kombat clicker game

Read More
Hello, is it me you’re looking for? How scammers get your phone number

Your humble phone number is more valuable than you may think. Here’s how it could fall into the wrong hands – and how you can help keep it out of the reach of fraudsters.

Read More
Should ransomware payments be banned? – Week in security with Tony Anscombe

Blanket bans on ransomware payments are a much-debated topic in cybersecurity and policy circles. What are the implications of outlawing the payments, and would the ban be effective?

Read More
Understanding IoT security risks and how to mitigate them | Cybersecurity podcast

As security challenges loom large on the IoT landscape, how can we effectively counter the risks of integrating our physical and digital worlds?

Read More
HotPage: Story of a signed, vulnerable, ad-injecting driver

A study of a sophisticated Chinese browser injector that leaves more doors open!

Read More
Social media and teen mental health – Week in security with Tony Anscombe

Social media sites are designed to make their users come back for more. Do laws restricting children's exposure to addictive social media feeds have teeth or are they a political gimmick?

Read More
5 common Ticketmaster scams: How fraudsters steal the show

Scammers gonna scam scam scam, so before hunting for your tickets to a Taylor Swift gig or other in-demand events, learn how to stop fraudsters from leaving a blank space in your bank account

Read More
Small but mighty: Top 5 pocket-sized gadgets to boost your ethical hacking skills

These five formidable bits of kit can assist cyber-defenders in spotting chinks in corporate armor and help hobbyist hackers deepen their understanding of cybersecurity

Read More
Key trends shaping the threat landscape in H1 2024 – Week in security with Tony Anscombe

Learn about the types of threats that 'topped the charts' and the kinds of techniques that bad actors leveraged most commonly in the first half of this year

Read More
AI in the workplace: The good, the bad, and the algorithmic

While AI can liberate us from tedious tasks and even eliminate human error, it's crucial to remember its weaknesses and the unique capabilities that humans bring to the table

Read More
No room for error: Don’t get stung by these common Booking.com scams

From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation

Read More
Cyber insurance as part of the cyber threat mitigation strategy

Why organizations of every size and industry should explore their cyber insurance options as a crucial component of their risk mitigation strategies

Read More
The long-tail costs of a data breach – Week in security with Tony Anscombe

Understanding and preparing for the potential long-tail costs of data breaches is crucial for businesses that aim to mitigate the impact of security incidents

Read More
Buying a VPN? Here’s what to know and look for

VPNs are not all created equal – make sure to choose the right provider that will help keep your data safe from prying eyes

Read More
ESET Threat Report H1 2024

A view of the H1 2024 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

Read More
Hijacked: How hacked YouTube channels spread scams and malware

Here’s how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform

Read More
My health information has been stolen. Now what?

As health data continues to be a prized target for hackers, here's how to minimize the fallout from a breach impacting your own health records

Read More
Hacktivism is evolving – and that could be bad news for organizations everywhere

Hacktivism is nothing new, but the increasingly fuzzy lines between traditional hacktivism and state-backed operations make it a more potent threat

Read More
How Arid Viper spies on Android users in the Middle East – Week in security with Tony Anscombe

The spyware, called AridSpy by ESET, is distributed through websites that pose as various messaging apps, a job search app, and a Palestinian Civil Registry app

Read More
Preventative defense tactics in the real world

Don’t get hacked in the first place – it costs far less than dealing with the aftermath of a successful attack

Read More
ESET Research Podcast: APT Activity Report Q4 2023–Q1 2024

The I-SOON data leak confirms that this contractor is involved in cyberespionage for China, while Iran-aligned groups step up aggressive tactics following the Hamas-led attack on Israel in 2023

Read More
Arid Viper poisons Android apps with AridSpy

ESET researchers discovered Arid Viper espionage campaigns spreading trojanized apps to Android users in Egypt and Palestine

Read More
WeLiveSecurity wins Best Cybersecurity Vendor Blog award!

The results of the 2024 European Cybersecurity Blogger Awards are in and the winner of the Best Cybersecurity Vendor Blog is... drumroll, please... WeLiveSecurity!

Read More
560 million Ticketmaster customer data for sale? – Week in security with Tony Anscombe

Ticketmaster seems to have experienced a data breach, with the ShinyHunters hacker group claiming to have exfiltrated the data of 560 million customers

Read More
The job hunter’s guide: Separating genuine offers from scams

$90,000/year, full home office, and 30 days of paid leave for a junior data analyst – what's not to like? Except that these kinds of job offers are only intended to trick unsuspecting victims into giving up their data.

Read More
What happens when facial recognition gets it wrong – Week in security with Tony Anscombe

A facial recognition system misidentifies a woman in London as a shoplifter, igniting fresh concerns over the technology's accuracy and reliability

Read More
The murky world of password leaks – and how to check if you’ve been hit

Password leaks are increasingly common and figuring out whether the keys to your own kingdom have been exposed might be tricky – unless you know where to look

Read More
AI in HR: Is artificial intelligence changing how we hire employees forever?

Much digital ink has been spilled on artificial intelligence taking over jobs, but what about AI shaking up the hiring process in the meantime?

Read More
ESET World 2024: Big on prevention, even bigger on AI

What is the state of artificial intelligence in 2024 and how can AI level up your cybersecurity game? These hot topics and pressing questions surrounding AI were front and center at the annual conference.

Read More
Mandatory reporting of ransomware attacks? – Week in security with Tony Anscombe

As the UK mulls new rules for ransomware disclosure, what would be the wider implications of such a move, how would cyber-insurance come into play, and how might cybercriminals respond?

Read More
Beyond the buzz: Understanding AI and its role in cybersecurity

A new white paper from ESET uncovers the risks and opportunities of artificial intelligence for cyber-defenders

Read More
Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries

Available as both an IDA plugin and a Python script, Nimfilt helps to reverse engineer binaries compiled with the Nim programming language compiler by demangling package and function names, and applying structs to strings

Read More
What happens when AI goes rogue (and how to stop it)

As AI gets closer to the ability to cause physical harm and impact the real world, “it’s complicated” is no longer a satisfying response

Read More
The who, where, and how of APT attacks – Week in security with Tony Anscombe

This week, ESET experts released several research publications that shine the spotlight on a number of notable campaigns and broader developments on the threat landscape

Read More
Untangling the hiring dilemma: How security solutions free up HR processes

The prerequisites for becoming a security elite create a skills ceiling that is tough to break through – especially when it comes to hiring skilled EDR or XDR operators. How can businesses crack this conundrum?

Read More
ESET APT Activity Report Q4 2023–Q1 2024

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2023 and Q1 2024

Read More
How to talk about climate change – and what motivates people to action: An interview with Katharine Hayhoe

We spoke to climate scientist Katharine Hayhoe about climate change, faith and psychology – and how to channel anxiety about the state of our planet into meaningful action

Read More
In it to win it! WeLiveSecurity shortlisted for European Cybersecurity Blogger Awards

We’re thrilled to announce that WeLiveSecurity has been named a finalist in the Corporates – Best Cybersecurity Vendor Blog category of the European Cybersecurity Blogger Awards 2024

Read More
It's a wrap! RSA Conference 2024 highlights – Week in security with Tony Anscombe

More than 40,000 security experts descended on San Francisco this week. Let's now look back on some of the event's highlights – including the CISA-led 'Secure by Design' pledge also signed by ESET.

Read More
RSA Conference 2024: AI hype overload

Can AI effortlessly thwart all sorts of cyberattacks? Let’s cut through the hyperbole surrounding the tech and look at its actual strengths and limitations.

Read More
To the Moon and back(doors): Lunar landing in diplomatic missions

ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs

Read More
Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain

One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft

Read More
Inspiring the next generation of scientists | Unlocked 403: Cybersecurity podcast

As Starmus Earth draws near, we caught up with Dr. Garik Israelian to celebrate the fusion of science and creativity and venture where imagination flourishes and groundbreaking ideas take flight

Read More
Pay up, or else? – Week in security with Tony Anscombe

Organizations that fall victim to a ransomware attack are often caught between a rock and a hard place, grappling with the dilemma of whether to pay up or not

Read More
Adding insult to injury: crypto recovery scams

Once your crypto has been stolen, it is extremely difficult to get back – be wary of fake promises to retrieve your funds and learn how to avoid becoming a victim twice over

Read More
How space exploration benefits life on Earth: An interview with David Eicher

We spoke to Astronomy magazine editor-in-chief David Eicher about key challenges facing our planet, the importance of space exploration for humanity, and the possibility of life beyond Earth

Read More
Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

The investigation uncovered at least 40,000 phishing domains that were linked to LabHost and tricked victims into handing over their sensitive details

Read More
MDR: Unlocking the power of enterprise-grade security for businesses of all sizes

Faced with expanding attack surfaces and a barrage of threats, businesses of all sizes are increasingly looking to unlock the manifold capabilities of enterprise-grade security

Read More
The hacker’s toolkit: 4 gadgets that could spell security trouble

Their innocuous looks and endearing names mask their true power. These gadgets are designed to help identify and prevent security woes, but what if they fall into the wrong hands?

Read More
What makes Starmus unique? Q&A with award-winning filmmaker Todd Miller

The director of the Apollo 11 movie shares his views about the role of technology in addressing pressing global challenges, as well as why he became involved with Starmus

Read More
How technology drives progress: Q&A with Nobel laureate Michel Mayor

We spoke to Michel Mayor about the importance of public engagement with science and how to foster responsibility among the youth for the preservation of our changing planet

Read More
The vision behind Starmus: Q&A with the festival’s co-founder Garik Israelian

Dr. Israelian talks about Starmus's vision and mission, the importance of inspiring and engaging audiences, and a sense of community within the Starmus universe

Read More
Protecting yourself after a medical data breach – Week in security with Tony Anscombe

What are the risks and consequences of having your health data exposed and what are the steps to take if it happens to you?

Read More
The many faces of impersonation fraud: Spot an imposter before it’s too late

What are some of the most common giveaway signs that the person behind the screen or on the other end of the line isn’t who they claim to be?

Read More
The ABCs of how online ads can impact children’s well-being

From promoting questionable content to posing security risks, inappropriate ads present multiple dangers for children. Here’s how to help them stay safe.

eXotic Visit includes XploitSPY malware – Week in security with Tony Anscombe

Almost 400 people in India and Pakistan have fallen victim to an ongoing Android espionage campaign called eXotic Visit

Bitcoin scams, hacks and heists – and how to avoid them

Here’s how cybercriminals target cryptocurrencies and how you can keep your bitcoin or other crypto safe

Beyond fun and games: Exploring privacy risks in children’s apps

Should children’s apps come with ‘warning labels’? Here's how to make sure your children's digital playgrounds are safe places to play and learn.

The devil is in the fine print – Week in security with Tony Anscombe

Temu's cash giveaway where people were asked to hand over vast amounts of their personal data to the platform puts the spotlight on the data-slurping practices of online services today

Gripped by Python: 5 reasons why Python is popular among cybersecurity professionals

Python’s versatility and short learning curve are just two factors that explain the language’s 'grip' on cybersecurity

RDP remains a security concern – Week in security with Tony Anscombe

Much has been written about the risks that poorly-secured RDP connections entail, but many organizations continue to leave themselves at risk and get hit by data breaches as a result

How often should you change your passwords?

And is that actually the right question to ask? Here’s what else you should consider when it comes to keeping your accounts safe.

Malware hiding in pictures? More likely than you think

There is more to some images than meets the eye – their seemingly innocent façade can mask a sinister threat.

AceCryptor attacks surge in Europe – Week in security with Tony Anscombe

The second half of 2023 saw massive growth in AceCryptor-packed malware spreading in the wild, including courtesy of multiple spam campaigns where AceCryptor packed the Rescoms RAT

Borrower beware: Common loan scams and how to avoid them

Personal loan scams prey on your financial vulnerability and might even trap you in a vicious circle of debt. Here’s how to avoid being scammed when considering a loan.

Cybercriminals play dirty: A look back at 10 cyber hits on the sporting world

This rundown of 10 cyberattacks against the sports industry shows why every team needs to keep its eyes on the ball when it comes to cybersecurity

Cybersecurity starts at home: Help your children stay safe online with open conversations

Struggle to know how to help children and teens stay safe in cyberspace? A good ol’ fashioned chat is enough to put them on the right track.

A prescription for privacy protection: Exercise caution when using a mobile health app

Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data

Healthcare still a prime target for cybercrime gangs – Week in security with Tony Anscombe

Healthcare organizations remain firmly in attackers' crosshairs, representing 20 percent of all victims of ransomware attacks among critical infrastructure entities in the US in 2023

Threat intelligence explained | Unlocked 403: Cybersecurity podcast

We break down the fundamentals of threat intelligence and its role in anticipating and countering emerging threats

Rescoms rides waves of AceCryptor spam

Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries

How to share sensitive files securely online

Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe

APT attacks taking aim at Tibetans – Week in security with Tony Anscombe

Evasive Panda has been spotted targeting Tibetans in several countries and territories with payloads that included a previously undocumented backdoor ESET has named Nightdoor

Election cybersecurity: Protecting the ballot box and building trust in election integrity

What cyberthreats could wreak havoc on elections this year and how worried should we as voters be about the integrity of our voting systems?

Top 10 scams targeting seniors – and how to keep your money safe

The internet can be a wonderful place. But it’s also awash with fraudsters preying on people who are susceptible to fraud.

Irresistible: Hooks, habits and why you can’t put down your phone

Struggle to part ways with your tech? You’re not alone. Here’s why your devices are your vices.

Deceptive AI content and 2024 elections – Week in security with Tony Anscombe

As the specter of AI-generated disinformation looms large, tech giants vow to crack down on fabricated content that could sway voters and disrupt elections taking place around the world this year

Evasive Panda leverages Monlam Festival to target Tibetans

ESET researchers uncover strategic web compromise and supply-chain attacks targeting Tibetans

eXotic Visit campaign: Tracing the footprints of Virtual Invaders

ESET researchers uncovered the eXotic Visit espionage campaign that targets users mainly in India and Pakistan with seemingly innocuous apps

Vulnerabilities in business VPNs under the spotlight

As adversaries increasingly set their sights on vulnerable enterprise VPN software to infiltrate corporate networks, concerns mount about VPNs themselves being a source of cyber risk

PSYOP campaigns targeting Ukraine – Week in security with Tony Anscombe

Coming in two waves, the campaign sought to demoralize Ukrainians and Ukrainian speakers abroad with disinformation messages about war-related subjects

10 things to avoid posting on social media – and why

Do you often take to social media to broadcast details from your life? Here’s why this habit may put your privacy and security at risk.

Cyber-insurance and vulnerability scanning – Week in security with Tony Anscombe

Here's how the results of vulnerability scans factor into decisions on cyber-insurance and how human intelligence comes into play in the assessment of such digital signals

What is AI, really? | Unlocked 403: Cybersecurity podcast

Artificial intelligence is on everybody’s lips these days, but there are also many misconceptions about what AI actually is and isn’t. We unpack AI's basics, applications and broader implications.

Operation Texonto: Information operation targeting Ukrainian speakers in the context of the war

A mix of PSYOPs, espionage and … fake Canadian pharmacies!

Everything you need to know about IP grabbers

Unsuspecting users beware, IP grabbers do not ask for your permission.

Watching out for the fakes: How to spot online disinformation

Why and how are we subjected to so much disinformation nowadays, and is there a way to spot the fakes?

Ransomware payments hit a record high in 2023 – Week in security with Tony Anscombe

Called a "watershed year for ransomware", 2023 marked a reversal from the decline in ransomware payments observed in the previous year

Deepfakes in the global election year of 2024: A weapon of mass deception?

As fabricated images, videos and audio clips of real people go mainstream, the prospect of a firehose of AI-powered disinformation is a cause for mounting concern

7 reasons why cybercriminals want your personal data

Here's what drives cybercriminals to relentlessly target the personal information of other people – and why you need to guard your data like your life depends on it

Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses

Here’s how the blue team wards off red teamers and a few open-source tools it may leverage to identify chinks in the corporate armor

Grandoreiro banking malware disrupted – Week in security with Tony Anscombe

The banking trojan, which targeted mostly Brazil, Mexico and Spain, blocked the victim’s screen, logged keystrokes, simulated mouse and keyboard activity and displayed fake pop-up windows

The buck stops here: Why the stakes are high for CISOs

Heavy workloads and the specter of personal liability for incidents take a toll on security leaders, so much so that many of them look for the exits. What does this mean for corporate cyber-defenses?

Could your Valentine be a scammer? How to avoid getting caught in a bad romance

With Valentine’s Day almost upon us, here’s some timely advice on how to prevent scammers from stealing more than your heart

ESET Research Podcast: ChatGPT, the MOVEit hack, and Pandora

An AI chatbot inadvertently kindles a cybercrime boom, ransomware bandits plunder organizations without deploying ransomware, and a new botnet enslaves Android TV boxes

FAQ: How Are STIGs, SRGs, SCAP, and CCIs Related?

In the world of government-adjacent security and compliance, there are many different terms and acronyms you’ll encounter for the processes you have to perform. Often, these terms are interrelated in a single process, so you tend to learn them in clusters. One such cluster includes STIGs, SRGs, SCAP, and CCIs. What are these, what do […]

The post FAQ: How Are STIGs, SRGs, SCAP, and CCIs Related? appeared first on Security Boulevard.

Response to CISA Advisory (AA24-207A): North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-207A) published on July 25, 2024, that highlights cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju.

The post Response to CISA Advisory (AA24-207A): North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs appeared first on AttackIQ.

CrowdStrike Update Created Widespread Outage

As a recap, a widespread Microsoft Windows outage began on July 19 and expanded throughout the day due to a CrowdStrike content update for Microsoft Windows hosts. Pondurance and its systems were not affected by the issue, and Pondurance continued its security services delivery without incident. What happened During the outage, Windows computers experienced a...

The post CrowdStrike Update Created Widespread Outage appeared first on Pondurance.

Negotiate Your Next Cyber Insurance Policy With This 6-Step Playbook

TL;DR: Cyber liability insurance is essential, but premiums are increasing, and numerous exclusions exist. Important steps to lower premiums include preparation, articulating your risk, and demonstrating progressive improvement in security through measurable metrics. Why Do Organizations Need Cyber Liability Insurance? Cyber liability insurance has become an important component of every organization’s cyber strategy. There are …

The post Negotiate Your Next Cyber Insurance Policy With This 6-Step Playbook appeared first on Security Boulevard.

USENIX Security ’23 – SQIRL: Grey-Box Detection of SQL Injection Vulnerabilities Using Reinforcement Learning

Authors/Presenters: Salim Al Wahaibi, Myles Foley, Sergio Maffeis

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenters’ content, and for the organization’s strong commitment to Open Access. The talks originate from the conference’s events at the Anaheim Marriott and are available via the organization’s YouTube channel.

The post USENIX Security ’23 – SQIRL: Grey-Box Detection of SQL Injection Vulnerabilities Using Reinforcement Learning appeared first on Security Boulevard.

What is Cloud Security Automation? Why You Need it

The post What is Cloud Security Automation? Why You Need it appeared first on AI-enhanced Security Automation.

Scams to steer clear of as a college student, from a college student

Scammers target people of all ages, and with the internet at their fingertips, no one is immune to their devious plans. And college students are often particularly vulnerable to online scams. After all, we’re at the beginning of our careers, learning the ropes. 

The post Scams to steer clear of as a college student, from a college student appeared first on Security Boulevard.

PKfail: 800+ Major PC Models have Insecure ‘Secure Boot’

Big BIOS bother: Hundreds of PC models from vendors such as HP, Lenovo, Dell, Intel, Acer and Gigabyte shipped with useless boot protection—using private keys that aren’t private.

The post PKfail: 800+ Major PC Models have Insecure ‘Secure Boot’ appeared first on Security Boulevard.

Randall Munroe’s XKCD ‘President Venn Diagram’

via the comic & dry wit of Randall Munroe, creator of XKCD

The post Randall Munroe’s XKCD ‘President Venn Diagram’ appeared first on Security Boulevard.

Your Headaches, Our Solutions: How To Find & Manage Compromised Accounts in Google Workspace/Microsoft 365

Many people are unaware of the amount of work IT leaders in education dedicate to keeping their district’s data safe and secure. That’s why at ManagedMethods, we care about improving your jobs (and reducing your headaches!). One of the most appreciated features of Cloud Monitor, as told by our customers, is its ability to control ...

The post Your Headaches, Our Solutions: How To Find & Manage Compromised Accounts in Google Workspace/Microsoft 365 appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

Crypto exchange Gemini discloses third-party data breach

Cryptocurrency exchange Gemini is warning it suffered a data breach incident caused by a cyberattack at its Automated Clearing House (ACH) service provider, whose name was not disclosed. [...]

Google fixes Chrome Password Manager bug that hides credentials

Google has fixed a bug in Chrome's Password Manager that caused user credentials to disappear temporarily for more than 18 hours. [...]

FBCS data breach impact now reaches 4.2 million people

Debt collection agency Financial Business and Consumer Solutions (FBCS) has again increased the number of people impacted by a February data breach, now saying it affects 4.2 million people in the US. [...]

July Windows Server updates break Remote Desktop connections

Microsoft has confirmed that July's security updates break remote desktop connections in organizations where Windows servers are configured to use the legacy RPC over HTTP protocol in the Remote Desktop Gateway. [...]

Acronis warns of Cyber Infrastructure default password abused in attacks

Acronis warned customers to patch a critical Cyber Infrastructure security flaw that lets attackers bypass authentication on vulnerable servers using default credentials. [...]

Russian ransomware gangs account for 69% of all ransom proceeds

Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000. [...]

PKfail Secure Boot bypass lets attackers install UEFI malware

Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware. [...]

Critical ServiceNow RCE flaws actively exploited to steal credentials

Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks. [...]

Windows 11 KB5040527 update fixes Windows Backup failures

Microsoft has released the optional KB5040527 preview cumulative update for Windows 11 23H2 and 22H2, which includes fixes for Windows Backup and upgrade failures. [...]

US offers $10M for tips on DPRK hacker linked to Maui ransomware attacks

The U.S. State Department is offering a reward of up to $10 million for information that could help capture a North Korean military hacker. [...]

Meta nukes massive Instagram sextortion network of 63,000 accounts

Meta has removed 63,000 Instagram accounts from Nigeria that were involved in sextortion scams, including a coordinated network of 2,500 accounts linked to 20 individuals targeting primarily adult men in the United States. [...]

Progress warns of critical RCE bug in Telerik Report Server

Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices. [...]

French police push PlugX malware self-destruct payload to clean PCs

The French police and Europol are pushing out a "disinfection solution" that automatically removes the PlugX malware from infected devices in France. [...]

CrowdStrike’s rivals stand to benefit from its update fail debacle

CrowdStrike competes with a number of vendors, including SentinelOne and Palo Alto Networks but also Microsoft, Trellix, Trend Micro and Sophos, in the endpoint security market.

© 2024 TechCrunch. All rights reserved. For personal use only.

WazirX halts withdrawals after losing $230 million, nearly half its reserves

The Mumbai-based firm said one of its multisig wallets had suffered a security breach, and it was temporarily pausing all withdrawals from the platform.

Deepfake-detecting firm Pindrop lands $100M loan to grow its offerings

Pindrop builds deepfake-combatting and multi-factor authentication products targeting businesses in banking, finance and related industries.

How to tell if your online accounts have been hacked

This is a guide on how to check whether someone compromised your online accounts.

Apple warns iPhone users in 98 countries of spyware attacks

Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. It’s the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April. Since 2021, Apple has been regularly sending these notifications, reaching […]

India’s Airtel dismisses data breach reports amid customer concerns

Airtel, India’s second-largest telecom operator, on Friday denied any breach of its systems following reports of an alleged security lapse that has caused concern among its customers. The telecom group, which also sells productivity and security solutions to businesses, said it had conducted a “thorough investigation” and found that there has been no breach whatsoever […]

A new startup from Figure’s founder is licensing NASA tech in a bid to curb school shootings

Cover says what sets it apart is the underlying technology it employs, which has been exclusively licensed from NASA’s Jet Propulsion Laboratory.

Hugging Face says it detected ‘unauthorized access’ to its AI model hosting platform

Late Friday afternoon, a time window companies usually reserve for unflattering disclosures, AI startup Hugging Face said that its security team earlier this week detected “unauthorized access” to Spaces, Hugging Face’s platform for creating, sharing and hosting AI models and resources. In a blog post, Hugging Face said that the intrusion related to Spaces secrets, […]

WitnessAI is building guardrails for generative AI models

Generative AI makes stuff up. It can be biased. Sometimes it spits out toxic text. So can it be “safe”? Rick Caccia, the CEO of WitnessAI, believes it can. “Securing AI models is a real problem, and it’s one that’s especially shiny for AI researchers, but it’s different from securing use,” Caccia, formerly SVP of […]

Google adds live threat detection and screen-sharing protection to Android

The company said it is increasing the on-device capability of its Google Play Protect system to detect fraudulent apps trying to breach sensitive permissions.

Google expands passkey support to its Advanced Protection Program ahead of the US presidential election

Ahead of the U.S. presidential election, Google is bringing passkey support to its Advanced Protection Program (APP), which is used by people who are at high risk of targeted attacks, such as campaign workers, candidates, journalists, human rights workers, and more. APP traditionally required the use of hardware security keys, but soon users can enroll […]

Citigroup’s VC arm invests in API security startup Traceable

In 2019, Jyoti Bansal co-founded San Francisco-based security company Traceable alongside Sanjay Nagaraj. With Traceable, Bansal — who previously co-launched app performance management startup AppDynamics, acquired by Cisco in 2017 — sought to build a platform to protect customers’ APIs from cyberattacks. Attacks on APIs — the sets of protocols that establish how platforms, apps […]

With $175M in new funding, Island is putting the browser at the center of enterprise security

When a company raises $175M at a $3B valuation, it gets your attention. When that startup is a browser company, all the more.

SafeBase taps AI to automate software security reviews

Security review automation platform SafeBase has raised new cash from investors including Zoom's corporate VC arm.

Despite complaints, Apple hasn’t yet removed an obviously fake app pretending to be RockAuto

Apple’s App Store isn’t always as trustworthy as the company claims. The latest example comes from RockAuto, an auto parts dealer popular with home mechanics and other DIYers, which is upset that a fake app masquerading as its official app has not been removed from the App Store, despite numerous complaints to Apple. RockAuto co-founder […]

Simbian brings AI to existing security tools

Simbian is a cybersecurity platform that effectively controls other cybersecurity platforms as well as security apps and tooling.

Apple alerts users in 92 nations to mercenary spyware attacks

Apple sent threat notifications to iPhone users in 92 countries on Wednesday, warning them that they may have been targeted by mercenary spyware attacks. The company said it sent the alerts to individuals in 92 nations at 12 p.m. Pacific Time Wednesday. The notification, which TechCrunch has seen, did not disclose the attackers’ identities or […]

Google injects generative AI into its cloud security tools

At Cloud Next, many of the announcements had to do with Gemini, Google's flagship family of generative AI models.

Zscaler buys Avalor to bring more AI into its security tools

Zscaler, a cloud security company with headquarters in San Jose, California, has acquired cybersecurity startup Avalor 26 months after its founding, reportedly for $310 million in cash and equity. In a press release announcing the news, Zscaler founder and CEO Jay Chaudhry said that the deal would expand Zscaler’s platform with capabilities including streamlined reporting of […]

Reach Security taps a company’s existing tools to fight cyber threats

Thanks to an uncertain economy, cybersecurity budgets are in a tight spot. According to a 2023 survey from IANS and recruiting firm Artico Search, more than a third of chief information security officers (CISOs) kept their security spending the same — or slightly reduced — in 2023. A separate report from PwC suggests that one […]

Enhancing Hosting with TSplus Remote Access and Server Monitoring

Nowadays, maintaining secure, efficient server operations is crucial for businesses. For hosting providers and IT professionals, tools that offer seamless remote access and robust server monitoring are indispensable. For KoDDoS clients, choosing the right hosting service is crucial for maintaining a robust online presence. Domains play a foundational role, acting as the digital address for …

The post Enhancing Hosting with TSplus Remote Access and Server Monitoring appeared first on KoDDoS Blog.

Navigating the Digital SEO and Cybersecurity Landscape

In the rapidly evolving digital landscape, two critical aspects of online business management stand out: Search Engine Optimization (SEO) and cybersecurity. While these fields might seem disparate at first glance, they intersect in significant ways that can have a huge impact on a business’s online presence and overall security posture. Understanding the relationship between SEO …

The post Navigating the Digital SEO and Cybersecurity Landscape appeared first on KoDDoS Blog.

Stolen Data Threat: Rhysida Ransomware Gang Targets Prospect Medical Holdings

Recently, Prospect Medical Holdings suffered a massive cyberattack that allegedly stole around 500,000 social security numbers. In addition, the hackers also managed to get away with patient records and even some corporate documents. Since then, a ransomware gang called Rhysida has stepped up to claim responsibility for the breach. Details about the attack: Researchers believe …

The post Stolen Data Threat: Rhysida Ransomware Gang Targets Prospect Medical Holdings appeared first on KoDDoS Blog.

Compromised routers allowed online criminals to target Pentagon contract site

A hacking campaign that went dark earlier this year has resumed operations. According to a new warning issued by Black Lotus Labs researchers, the hackers’ goal is to target US Department of Defense procurement sites and organizations based in Taiwan. Similarities with the March attacks: The hacking campaign initially emerged in the spring of 2023. …

The post Compromised routers allowed online criminals to target Pentagon contract site appeared first on KoDDoS Blog.

1.2 million customers of Mom’s Meals were affected after the recent data breach

A recent hacking attack hit PurFoods, which operates in the US under the name of Mom’s Meals. The attack affected over 1.2 million customers and employees alike, stealing their personal data. PurFoods, or Mom’s Meals, is a medical meal delivery service that provides its services to self-paying customers and people eligible for government assistance, according …

The post 1.2 million customers of Mom’s Meals were affected after the recent data breach appeared first on KoDDoS Blog.

How VPNs Can Defend Against the Threat of Hacking

As our reliance on the internet grows, so does our exposure to a myriad of online threats. Malware, DDoS attacks, DNS spoofing, and Man-In-The-Middle (MITM) attacks are just some of the hacking techniques cybercriminals use to exploit the internet’s vulnerabilities and gain access to our most sensitive data. Hacking has emerged as a prominent threat, …

The post How VPNs Can Defend Against the Threat of Hacking appeared first on KoDDoS Blog.

Terra Developers Shut Down Website Amid A Phishing Campaign

The website of layer one blockchain network Terra has been targeted by a hacking campaign over the weekend. During this hacking campaign, hackers used unauthorized access to run a phishing campaign on visitors to the site. These visitors are usually forced to link their online and hardware wallets to the website, which is compromised. Terra’s …

The post Terra Developers Shut Down Website Amid A Phishing Campaign appeared first on KoDDoS Blog.

Foreign Spies And Hackers Target The US Space Industry

Intelligence agencies in the United States have warned about foreign spies targeting the US space sector. According to these agencies, hackers have also been launching hacking campaigns against the US space industry, which could significantly affect the US satellite infrastructure. Foreign spies and hackers target the US space industry: The National Counterintelligence and Security Center …

The post Foreign Spies And Hackers Target The US Space Industry appeared first on KoDDoS Blog.

High-Severity WinRAR Flaw Allows Hackers To Assume Control Over PCs

A recent study has detected a high-severity vulnerability with the WinRAR file archiver utility for Windows. Millions of people use WinRAR, which can be deployed to execute commands on a computer whenever a user opens an archive. WinRAR flaw allows hackers to assume control over PCs: The flaw in question is tracked as CVE-2023-40477, allowing …

The post High-Severity WinRAR Flaw Allows Hackers To Assume Control Over PCs appeared first on KoDDoS Blog.

Chinese Hacker Group Targets Southeast Asian Gambling Industry Using Stolen Ivacy VPN Certificate

A Chinese hacker group, Bronze Starlight, has launched a hacking campaign against the Southeast Asian gambling industry. The hacker group has used a valid certificate to launch this malicious campaign while also using the Ivacy Virtual Private Network (VPN). Bronze Starlight hacker group linked to a recent campaign: The activities of this hacker group were …

The post Chinese Hacker Group Targets Southeast Asian Gambling Industry Using Stolen Ivacy VPN Certificate appeared first on KoDDoS Blog.

SEXi / APT Inc Ransomware - What You Need To Know

SEXi? Seriously? What are you talking about this time? Don't worry, I'm not trying to conjure images in your mind of Rod Stewart in his iconic leopard print trousers. Instead, I want to warn you about a cybercrime group that has gained notoriety for attacking VMware ESXi servers since February 2024. Excuse me for not knowing, but what is VMware ESXi? ESXi is a hypervisor, allowing businesses that want to reduce costs and simplify management to consolidate multiple servers onto a single physical machine. ESXi is a popular choice with cloud providers and data centres that have a requirement to host...

The Dual Impact of AI on Power Grids: Efficiency and Vulnerability

Artificial intelligence (AI) has emerged as a promising solution to modernize power grids. The technology, alongside other upgrades like Internet of Things (IoT) connectivity, could make energy infrastructure more reliable and sustainable. However, AI power grids also pose significant cybersecurity risks. Attacks against critical infrastructure are becoming more common. As energy authorities ramp up their investments in AI, they should pay attention to these risks to enable a safer tech transformation. The Current State of AI Power Grids The use of AI in power grids is still a new concept...

The Importance of Ethics in Cybersecurity

Cybersecurity has become an integral part of our daily lives, impacting everyone around the world. However, the question arises: are rules and regulations alone sufficient to make cyberspace secure? Ethics, which are the principles that guide our decisions and help us discern right from wrong, play a crucial role in this context. They aim to create positive impacts and promote the betterment of society. Ethics are essential to cybersecurity because they ensure adherence to principles and guidelines that uphold the Confidentiality, Integrity, and Availability of information while respecting...

Securing Diverse Environments: Security Configuration Management

In our technologically advanced era, where cyber threats and data breaches are constantly evolving, it's crucial for companies to focus on Security Configuration Management (SCM) to protect their resources and information. Whether dealing with infrastructure, cloud services, industrial installations, or outsourced solutions, each environment presents unique security challenges that require customized approaches and tools for effective protection. Let's explore SCM, its significance, and the specialized strategies and methods used in different settings. Understanding Security Configuration...

MitM Attacks: Understanding the Risks and Prevention Strategies

As our interactions with the digital world grow, connections will be established within seconds, leading to more online attacks. One type of attack we may be exposed to is known as a Man-in-the-Middle (MitM) — a technique cyber attackers use to take over our online communications. The best way to stay safe online is with a better understanding of the problems caused by these digital attacks and identification of the dangers and consequences they entail. Understanding MitM Attacks This form of attack happens when an adversary intercepts a communication process. The attacker positions himself...

5 Phased Approach to Vulnerability Management: Best Practices

Vulnerability management is a foundational cornerstone for reducing your organization’s cyber risk, but what are vulnerabilities, and why is it important to create a strong vulnerability management program? The National Institute of Science and Technology (NIST) defines a vulnerability as a “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” With hundreds of thousands of vulnerabilities discovered to date, it is increasingly important to get vulnerability management right and...

What are the Current Trends in Cloud Technology?

In recent years, cloud technology has become integral to business operations. Compared to on-premises infrastructure, it allows for improved scalability and flexibility, cost savings, collaboration, security, and data loss prevention. The cloud computing market is set to reach $679 billion in value in 2024. But what are the trends currently defining the cloud computing market? According to Donnie MacColl, Senior Director of International Support and Global Data Protection Officer at Fortra, the 2024 cloud technology landscape is characterized by several key trends, many of which are evolutions...

HardBit Ransomware - What You Need To Know

What's happened? A new strain of the HardBit ransomware has emerged in the wild. It contains a protection mechanism in an attempt to prevent analysis by security researchers. HardBit? I think I've heard of that before. Quite possibly. HardBit first emerged in late 2022, and quickly made a name for itself as it attempted to extort ransom payments from corporations whose data it had encrypted. That doesn't sound unusual. What made HardBit different? You're right. In many ways, HardBit is like other ransomware. It is a ransomware-as-a-service (RaaS) operation made available -...

Looking for a Job in Cyber? Tips and Advice From the Pros

A career in cybersecurity can be rewarding, challenging, and, frankly, lucrative. But it's not the easiest industry to break into: the skills required for a cybersecurity role are both niche and specific, the bar for entry is relatively high, and there are very few entry-level jobs available. But don't be disheartened. The cybersecurity industry is crying out for fresh talent. With hard work, a little luck, and the right advice, you can set yourself up for a long and satisfying career in cybersecurity. With this in mind, we spoke to two industry veterans to get their thoughts on breaking into...

The Role Regulators Will Play in Guiding AI Adoption to Minimize Security Risks

With Artificial Intelligence (AI) becoming more pervasive within different industries, its transformational power arrives with considerable security threats. AI is moving faster than policy: the lightning-quick deployment of AI technologies has outpaced the creation of broad regulatory frameworks, raising questions about data privacy, ethical implications, and cybersecurity. This gap is driving regulators to intervene with guidance in creating standards that reduce the risks. A report by the World Economic Forum suggests that best-practice guidelines are necessary for maintaining...

Senate Intel chair warns confluence of factors make election threats worse

Sen. Mark Warner said influence operations are easy and cheap, and their social media audience is more willing to believe them.

The post Senate Intel chair warns confluence of factors make election threats worse appeared first on CyberScoop.

North Korean hacker used hospital ransomware attacks to fund espionage

U.S. prosecutors say Rim Jong Hyok used ransom payments from American health care providers to steal military secrets.

The post North Korean hacker used hospital ransomware attacks to fund espionage appeared first on CyberScoop.

Banking, oil and IT industry reps call on Congress to harmonize cyber regulations … again

Industry representatives in a House hearing pointed to the Biden administration’s cyber reporting mandate as an example of overlapping regulations.

The post Banking, oil and IT industry reps call on Congress to harmonize cyber regulations … again appeared first on CyberScoop.

North Korean hacking group makes waves to gain Mandiant, FBI spotlight

The newly designated APT45 pursues military intelligence but has been expanding its targets, Mandiant says.

The post North Korean hacking group makes waves to gain Mandiant, FBI spotlight appeared first on CyberScoop.

Cyber firm KnowBe4 hired a fake IT worker from North Korea

The security awareness training company said in a blog post that the software engineer used stolen U.S. credentials and an AI-enhanced photo.

The post Cyber firm KnowBe4 hired a fake IT worker from North Korea appeared first on CyberScoop.

Cyberattacks may follow CrowdStrike outage, warns MS-ISAC

Cybercriminals are using the chaos of the CrowdStrike outage to launch phony websites and new phishing campaigns, said a director with the Multi-State Information Sharing and Analysis Center.

The post Cyberattacks may follow CrowdStrike outage, warns MS-ISAC appeared first on CyberScoop.

Low-level cybercriminals are pouncing on CrowdStrike-connected outage

The malicious activity comes as CrowdStrike customers continue to recover from the July 18 outage.

The post Low-level cybercriminals are pouncing on CrowdStrike-connected outage appeared first on CyberScoop.

Simple ‘FrostyGoop’ malware responsible for turning off Ukrainians’ heat in January attack

The attack is the latest in a string targeting Ukrainian critical infrastructure and illustrates the growing ease of targeting industrial systems.

The post Simple ‘FrostyGoop’ malware responsible for turning off Ukrainians’ heat in January attack appeared first on CyberScoop.

Police nab 17-year-old linked to group behind MGM Resorts cyberattack

A 17-year-old arrested by British police Thursday is believed to be a member of the cybercriminal gang behind last year’s ransomware attack on MGM Resorts and a number of other major companies. The unidentified boy was released on bail as the investigation, which includes examination of a number of digital devices, continues, police said in […]

The post Police nab 17-year-old linked to group behind MGM Resorts cyberattack appeared first on CyberScoop.

FCC, Tracfone Wireless reach $16M cyber and privacy settlement

The agency’s settlement with the prepaid phone provider, which CyberScoop is first to report, is the first ever to specify API protections.

The post FCC, Tracfone Wireless reach $16M cyber and privacy settlement appeared first on CyberScoop.

A bug in Chrome Password Manager caused user credentials to disappear

Google addressed a Chrome Password Manager bug that caused user credentials to disappear temporarily for more than 18 hours. Google has addressed a bug in Chrome’s Password Manager that caused user credentials to disappear temporarily. An 18-hour outage impacted Google Chrome’s Password Manager on Wednesday, affecting users who rely on the tool to store and […]

BIND updates fix four high-severity DoS bugs in the DNS software suite

The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS bugs in the DNS software suite. The Internet Systems Consortium (ISC) released security updates for BIND that address DoS vulnerabilities that could be remotely exploited. An attacker can exploit these vulnerabilities to disrupt DNS services. ISC addressed four high-severity vulnerabilities […]

Terrorist Activity is Accelerating in Cyberspace – Risk Precursor to Summer Olympics and Elections

Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks. Yesterday Federal Bureau of Investigation (FBI) Director Christopher Wray expressed growing concerns over the potential for a coordinated foreign terrorist attack in the United States. During his testimony to the House Oversight Committee, Mr. Wray cited the ISIS-K attack on […]

Progress Software fixed critical RCE CVE-2024-6327 in the Telerik Report Server

Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report Server. Telerik Report Server is a web-based application designed for creating, managing, and delivering reports in various formats. It provides tools for report design, scheduling, and secure delivery, allowing organizations to centralize their reporting processes. Progress Software addressed a critical […]

Critical bug in Docker Engine allowed attackers to bypass authorization plugins

A critical flaw in some versions of Docker Engine can be exploited to bypass authorization plugins (AuthZ) under specific circumstances. A vulnerability, tracked as CVE-2024-41110 (CVSS score of 10.0), in certain versions of Docker Engine can allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. “An attacker could exploit a bypass using an API request with […]

Hackers exploit Microsoft Defender SmartScreen bug CVE-2024-21412 to deliver ACR, Lumma, and Meduza Stealers

The CVE-2024-21412 flaw in Microsoft Defender SmartScreen has been exploited to deliver information stealers such as ACR Stealer, Lumma, and Meduza. Fortinet FortiGuard Labs researchers observed a malware campaign exploiting the vulnerability CVE-2024-21412 (CVSS score: 8.1) to spread information stealers such as ACR Stealer, Lumma, and Meduza. CVE-2024-21412 is an Internet Shortcut Files Security Feature Bypass Vulnerability. The flaw […]

Michigan Medicine data breach impacted 56953 patients

A cyber attack against Michigan Medicine resulted in the compromise of the personal and health information of approximately 57,000 patients. The academic medical center of the University of Michigan, Michigan Medicine, suffered a data breach that impacted 56953 patients. The security incident exposed the personal and health information of the patients. Michigan Medicine notified patients […]

U.S. CISA adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Below are the descriptions of the flaws added to the KEV catalog: CVE-2012-4792 (CVSS score of […]

China-linked APT group uses new Macma macOS backdoor version

China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) has been spotted using an updated version of the macOS backdoor Macma. The China-linked APT group Daggerfly (aka Evasive Panda or Bronze Highland) has significantly updated its malware arsenal, adding a new malware family based on the MgBot framework and an updated Macma macOS backdoor. […]

FrostyGoop ICS malware targets Ukraine

In April 2024, Dragos researchers spotted the malware FrostyGoop, which interacts with Industrial Control Systems (ICS) using the Modbus protocol. In April 2024, Dragos researchers discovered a new ICS malware named FrostyGoop that interacts with Industrial Control Systems using the Modbus protocol. FrostyGoop is the ninth ICS malware that was discovered and that a nation-state […]

Unveiling the Latest Banking Trojan Threats in Latin America

The malicious Chrome extension campaign in LATAM involves infecting victims through phishing websites and installing rogue extensions to steal sensitive information. The extensions mimic Google Drive, giving them access to a wide range of user data.

Phishing Campaign Targeting Mobile Users in India Using India Post Lures

The FortiGuard Labs Threat Research team has identified a fraud campaign targeting India Post users on social media, specifically iPhone users, through smishing attacks. The Smishing Triad, a Chinese threat actor, is believed to be behind this campaign.

PKfail Secure Boot bypass Lets Attackers Install UEFI Malware

The issue originates from a test Secure Boot key provided by American Megatrends International (AMI) that was not replaced by OEMs, resulting in devices shipping with untrusted keys.

Chainguard Raises $140M to Drive AI Support, Global Growth

Chainguard, a supply chain security startup, recently raised $140 million in a Series C funding round led by Redpoint Ventures, Lightspeed Venture Partners, and JVP. It aims to expand globally and strengthen its presence in the U.S. public sector.

National Defense University Cyber Professor Tapped as ONCD Deputy Director

The Office of the National Cyber Director (ONCD) announced Wednesday that former Navy SEAL and National Defense University cyberspace professor Harry Wingo has been selected as its deputy director.

The Most Urgent Security Risks for GenAI Users are all Data-Related

GenAI users face significant security risks related to data, with regulated data making up a large share of sensitive information shared with GenAI applications, posing a threat of costly data breaches.

Software Maker MCG Health Settles Data Breach Suit for $8.8M

MCG Health has agreed to a settlement of $8.8 million for a data breach lawsuit following a hacking incident in 2020. The lawsuit alleges that it took MCG Health two years to discover and report the data theft affecting around 1.1 million people.

How Cyber Insurance Coverage is Evolving

While purchasing cyber insurance won't completely prevent data breaches, it does improve the cyber posture as it requires strict underwriting processes. However, only a quarter of companies currently have standalone cyber insurance policies.

Belarus-linked Hackers Target Ukrainian Organizations with PicassoLoader Malware

GhostWriter, also known as UAC-0057, used PicassoLoader and Cobalt Strike Beacon to infect victims, including local government offices and groups associated with USAID’s Hoverla project.

Ransomware and BEC Make Up 60% of Cyber Incidents

According to Cisco Talos, ransomware and BEC attacks made up 60% of all incidents in Q2 2024, with technology being the most targeted sector at 24%. Other highly targeted sectors included retail, healthcare, pharmaceuticals, and education.

Malicious Inauthentic CrowdStrike Falcon Crash Reporter Installer Distributed to German Entity

An unidentified threat actor is taking advantage of the recent Falcon Sensor update issues to distribute fake installers via a fraudulent website impersonating a German entity.

How CISOs Enable ITDR Approach Through the Principle of Least Privilege

Least privilege begins by addressing dormant user accounts and then scrutinizing access privileges, using Context-based access control (CBAC), Attribute-based access control (ABAC), and Role-based access control (RBAC) to determine user access.

SeleniumGreed Cryptomining Campaign Exploiting Publicly Exposed Grid Services

Researchers at Wiz have identified an ongoing campaign targeting exposed Selenium Grid services for illicit cryptocurrency mining. The campaign, known as SeleniumGreed, is exploiting older versions of Selenium to run a modified XMRig miner.

US Indicts Alleged North Korean State Hacker for Ransomware Attacks on Hospitals

The US has indicted a North Korean state hacker for ransomware attacks on hospitals and healthcare companies. The hacker, Rim Jong Hyok, is a member of the Andariel Unit within North Korea's intelligence agency.

ISC Releases Security Advisories for BIND 9

The Internet Systems Consortium (ISC) has released patches to fix multiple security vulnerabilities in the BIND 9 DNS software suite that could lead to denial-of-service attacks.

DTX + UCX London is back: Global brands, cutting-edge technology and world-renowned speakers take centre stage

DTX London, the UK’s leading digital transformation event, has announced its doors will open on 2-3 October 2024, for what is set to be one of the most exciting technology exhibitions of the year. To maximise the experience, DTX will be co-located with Unified Communications EXPO (UCX) – the UK’s biggest show for colleague and […]

The post DTX + UCX London is back: Global brands, cutting-edge technology and world-renowned speakers take centre stage first appeared on IT Security Guru.

Security Serious Unsung Heroes Awards 2024 open for nominations

Eskenzi PR has opened nominations for its ninth annual Security Serious Unsung Heroes Awards. The awards are all about celebrating the UK’s cybersecurity professionals, teachers, lecturers, leaders, and those working to make the industry not only more secure, but also more diverse and healthier for employees. Key sponsors include KnowBe4, Hornetsecurity, ThinkCyber, Pulse Conferences and The Zensory. […]

The post Security Serious Unsung Heroes Awards 2024 open for nominations first appeared on IT Security Guru.

Over Half of UK Workers Haven’t Received Training on Avoiding Phishing Scams

Security Awareness pros KnowBe4 have published findings on cybersecurity training among UK employees and the adoption of ‘best practice’ policies by organisations. The report, entitled ‘UK Cybersecurity Practices at Work’, highlights the various cybersecurity threats faced by modern organisations and expresses concern over the insufficient training received by employees across the UK. According to the […]

The post Over Half of UK Workers Haven’t Received Training on Avoiding Phishing Scams first appeared on IT Security Guru.

Mimecast Announces Acquisition of Code42, Expands Human Risk Management Platform with Visibility into Insider Threats

Mimecast, a leading global human risk management platform, announced today the acquisition of Code42, a leader in insider threat and data loss protection. Expanding on the success of their existing technology partnership, this acquisition marks a critical step in Mimecast’s strategy to revolutionize how organizations manage and mitigate human-centered security risks. Financial terms of the deal […]

The post Mimecast Announces Acquisition of Code42, Expands Human Risk Management Platform with Visibility into Insider Threats first appeared on IT Security Guru.


Read More
CISOs and CIOs confront growing data protection challenges in the era of AI and cloud

Keepit, a global provider of a comprehensive cloud backup and recovery platform, today released a survey conducted by Foundry, as well as a study based on in-depth interviews conducted by Keepit. Both reveal critical gaps in disaster recovery strategies and highlight the pressing need for enhanced data security measures. In an evolving technological landscape, enterprise […]

The post CISOs and CIOs confront growing data protection challenges in the era of AI and cloud first appeared on IT Security Guru.


Read More
Enhancing the cybersecurity talent pool is key to securing our digital future

As the global digital industry continues to grow, there has been an increased demand for both businesses and Governments to prioritise cybersecurity. Cybercrime rates are quickly rising as according to Cybersecurity Ventures, damage costs are set to increase by 15% per year until 2025 where it’s estimated that global expenditure on cybercrime could reach US$10.5 […]

The post Enhancing the cybersecurity talent pool is key to securing our digital future first appeared on IT Security Guru.


Read More
Privilege escalation: unravelling a novel cyber-attack technique

Cyber criminals are notoriously relentless and unforgiving in their quest to exploit vulnerabilities through ever-evolving tactics. Organisations may believe that their security frameworks are robust, but when confronted with unprecedented attack methods, nobody is entirely immune to infiltration. Earlier this year, a multinational agriculture company learnt this the hard way when they fell victim to […]

The post Privilege escalation: unravelling a novel cyber-attack technique first appeared on IT Security Guru.


Read More
Worldwide IT Outages: Cybersecurity Experts Weigh In

Today (19th July 2024), outages have been reported across almost every facet of society, from airlines and airports, supermarkets and banking to communication services, NHS and trains. EDR org Crowdstrike said the problem was caused by “a defect found in a single content update for Windows hosts”. Whilst the company have confirmed that it was […]

The post Worldwide IT Outages: Cybersecurity Experts Weigh In first appeared on IT Security Guru.


Read More
Esteemed International Cyber Expo Advisory Council Expands

International Cyber Expo have announced the expansion of its world-class Advisory Council, now composed of 40 industry leaders from the fields of physical and cyber security. The Advisory Council, chaired by Ciaran Martin, Former CEO of the National Cyber Security Centre (NCSC) and Professor at The University of Oxford, helps shape and inform the award-winning […]

The post Esteemed International Cyber Expo Advisory Council Expands first appeared on IT Security Guru.


Read More
Cyber Community Reacts: King’s Speech and AI Legislation

“My Government is committed to making work pay and will legislate to introduce a new deal for working people to ban exploitative practices and enhance employment rights. It will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models.” That’s what the King said yesterday […]

The post Cyber Community Reacts: King’s Speech and AI Legislation first appeared on IT Security Guru.


Read More
Sheltering from the Cyberattack Storm

As we move towards the summer and the promise of sunnier weather, it’s worth noting that the cybersecurity industry has seen more rain than sunshine recently. A slew of high-profile...

The post Sheltering from the Cyberattack Storm appeared first on Cyber Defense Magazine.

Read More
Changing the Passive to Active: Updating SaaS Cybersecurity Strategy with Threat Management

The massive Snowflake breach disclosed recently, involving hundreds of millions of stolen customer records, is a stark wake-up call for organizations to proactively manage their SaaS security. No doubt the...

The post Changing the Passive to Active: Updating SaaS Cybersecurity Strategy with Threat Management appeared first on Cyber Defense Magazine.

Read More
Deep Dive: Unveiling the Untold Challenges of Single Sign-On (SSO) Management

Single Sign-On (SSO) serves as the linchpin connecting corporate networks, facilitating seamless access to various web applications without the need for repeated login credentials. However, there are several untold challenges...

The post Deep Dive: Unveiling the Untold Challenges of Single Sign-On (SSO) Management appeared first on Cyber Defense Magazine.

Read More
How the Newest Tech Changes Cybersecurity Needs in the Legal Industry

Responsibly Adopting Technology to Improve Law Firm Productivity Lawyers face incredible pressure in their jobs to perform accurately and quickly. Thankfully, technology has been introduced that now allows legal professionals...

The post How the Newest Tech Changes Cybersecurity Needs in the Legal Industry appeared first on Cyber Defense Magazine.

Read More
5 Reasons IGA Programs Fail

Identity governance and administration (IGA) is a critical part of modern business. It’s one of the single most important pieces of creating and balancing a productive and secure work environment....

The post 5 Reasons IGA Programs Fail appeared first on Cyber Defense Magazine.

Read More
The First 10 Days of a vCISOs Journey with a New Client

“In a quaint village nestled between rolling hills and dense forests, a young apprentice named Eli was learning to throw pottery from a master potter. On the first day by...

The post The First 10 Days of a vCISOs Journey with a New Client appeared first on Cyber Defense Magazine.

Read More
Pioneering the New Frontier in AI Consumer Protection and Cyber Defense

In a groundbreaking move, the first state in the U.S. has passed comprehensive legislation aimed at protecting consumers from the potential risks associated with AI. The new Utah Artificial Intelligence...

The post Pioneering the New Frontier in AI Consumer Protection and Cyber Defense appeared first on Cyber Defense Magazine.

Read More
Digital Identities Have Evolved — Cyber Strategies Should Too

The scale of identity exposure has increased significantly, with over 90% of surveyed organizations reporting an identity-related breach within the last year. These attacks have long-lasting consequences – SpyCloud’s 2024 Identity Exposure Report found...

The post Digital Identities Have Evolved — Cyber Strategies Should Too appeared first on Cyber Defense Magazine.

Read More
Stop Chasing the AI Squirrel and Patch… Just Patch

In the contemporary technological landscape, the allure of advanced artificial intelligence (AI) systems often captivates the collective imagination of the tech industry and beyond. Stories of deepfakes, such as the...

The post Stop Chasing the AI Squirrel and Patch… Just Patch appeared first on Cyber Defense Magazine.

Read More
Guardians of the Grid: Cyber-Secure Microgrids and the Future of Energy Resilience

The Crucial Role of Cyber-Resilient Microgrids The vulnerability of major metropolitan power grids to natural disasters has become a pressing concern, but mother nature isn’t the only thing threatening our...

The post Guardians of the Grid: Cyber-Secure Microgrids and the Future of Energy Resilience appeared first on Cyber Defense Magazine.

Read More
Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies

Highly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and challenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation. Government agencies or state-sponsored groups are engaging in cyber-attacks for various reasons, including espionage, sabotage, or political influence.

Read More
Malicious Life Podcast: Why Did People Write Viruses In The 80s & 90s?

Why did people write malware in the pre-internet days? Back then, there was no way to make money by writing malware. So why write them in the first place? The lack of a financial motivation meant that virus authors had a plethora of other motives - and this diverse mix of motives had, as we shall hear, an interesting effect on the design and style of viruses created at that period.

Read More
Hardening of HardBit

Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.

Read More
Malicious Life Podcast: Section 230: The Law that Makes Social Media Great, and Terrible

Section 230 is the pivotal law that has enabled the rise of social media -while sparking heated debates over its implications. In this episode, we're charting the history of Section 230, from early landmark legal battles, to modern controversies, and exploring its complexities and the proposed changes that could redefine online speech and platform responsibility.

Read More
I am Goot (Loader)

Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.

Read More
Malicious Life Podcast: What Happened at Uber?

In 2016, Joe Sullivan, former CISO of Facebook, was at the peak of his career. As Uber's new CISO, he and his team had just successfully prevented data from a recent breach from leaking to the internet. But less than a year later, Sullivan was unexpectedly fired from Uber, and three years later, the US Department of Justice announced criminal charges against him.

So, what happened at Uber?


Read More
THREAT ALERT: The XZ Backdoor - Supply Chaining Into Your SSH

Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.

Read More
Malicious Life Podcast: The Nigerian Prince

In this episode of ML, we're exploring the history of the well-known Nigerian Prince scam, also known as 419 or advanced fee scam, from its roots in a Parisian prison during the French Revolution, to the economic and social reason why this particular scam became so popular with African youth. Also, will AI make such scams more dangerous - or, counter intuitively, go against the interests of scammers?

Read More
Malicious Life Podcast: Unmasking Secrets: The Rise of Open-Source Intelligence

Dive into the world of open-source intelligence (OSINT) in this episode, where we uncover how ordinary citizens use publicly available data to unravel some of the most complex global mysteries. From tracking conflicts in real-time to exposing the truth behind high-profile incidents like the downing of Malaysia Airlines flight MH17, discover how OSINT is revolutionizing the field of investigative journalism and transforming how we perceive and verify information. 

Read More
Behind Closed Doors: The Rise of Hidden Malicious Remote Access

Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. 

Read More
How to spot a holiday shopping scam: Fake deals, trick surveys & bogus gift cards

Scammers, fraudsters, and phishers take advantage of every season. But the holiday shopping season - which includes Black Friday, Cyber Monday, and Christmas - may be their favorite.

As retailers rush to capitalize on what is generally their most profitable time of year, they will generally flood email boxes with great offers that are often time sensitive and may even seem too-good-to-be-true. Meanwhile, consumers also feel the urgency to get their shopping done, along with the stresses of work and family. Add in the financial pressure of an inflationary economy and the likelihood of making a quick mistake keeps increasing. Read on for some simple yet effective ways to ruin the scammers' fun as you celebrate the season of giving.

Read More
Soon…

Posted by Sean @ 12:52 GMT


Our "construction project" is progressing nicely.

A work in progress

And it should resolve this…

Mobile usability issues

Fix mobile usability issues?

Translation: your site doesn't help us sell more Android phones and ads.

But whatever, the "issues" should be fixed soon enough.




On 18/08/15 At 12:52 PM

Read More
Work In Progress

Posted by Sean @ 13:25 GMT


Regular readers will have noticed it's been slow here of late.

Under Construction

We're finally undertaking an upgrade from Greymatter 1.7.3. This may be the world's oldest Greymatter blog… that will now change.

More info coming soon.

In the meantime, you can still catch us on Twitter.




On 13/08/15 At 01:25 PM

Read More
"IOS Crash Report" Update: Safari Adds Block Feature

Posted by Sean @ 09:53 GMT


Ask, and sometimes, you shall receive.

Last Friday, we wrote about call center scammers targeting iOS. And today, Apple released a new (beta) feature that should help.

Apple released iOS 9 Public Beta 2:

iOS 9 Public Beta 2, Install

And it appears that one of Safari's new features allows people to block fraud-focused JavaScript.

iOS 9 Public, Safari Block Alerts

We tested a scam-site and after a few attempts to dismiss the JavaScript dialog, Safari included a prompt to "Block Alerts". We were then easily able to close the page.

Kudos Apple! Looking forward to seeing this in iOS 9's general release.

Big hat tip to Rosyna Keller.




On 23/07/15 At 09:53 AM

Read More
Duke APT group's latest tools: cloud services and Linux support

Posted by Artturi @ 11:59 GMT


Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or "solutions" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have borne a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.

Linux support added with the cross-platform SeaDuke malware

Last week, both Symantec and Palo Alto Networks published research on SeaDuke, a newer addition to the arsenal of trojans being used by the Duke group. While older malware by the Duke group has always been written with a combination of the C and C++ programming languages as well as assembly language, SeaDuke is peculiarly written in Python with multiple layers of obfuscation. This Python code is usually then compiled into Windows executables using py2exe or pyinstaller. However, the Python code itself has been designed to work on both Windows and Linux. We therefore suspect that the Duke group is also using the same SeaDuke Python code to target Linux victims. This is the first time we have seen the Duke group employ malware to target Linux platforms.

seaduke_crossplatform (39k image)
An example of the cross-platform support found in SeaDuke.

A new set of solutions with the CloudDuke malware toolset

Last week, we also saw Palo Alto Networks and Kaspersky Labs publish research on malware components they respectively called MiniDionis and CloudLook. MiniDionis and CloudLook are both components of a larger malware toolset we call CloudDuke. This toolset consists of malware components that provide varying functionality while partially relying on a shared code framework and always using the same loader. Based on PDB strings found in the samples, the malware authors refer to the CloudDuke components as "solutions" with names such as "DropperSolution", "BastionSolution" and "OneDriveSolution". A list of PDB strings we have observed is below:

• C:\DropperSolution\Droppers\Projects\Drop_v2\Release\Drop_v2.pdb
• c:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb
• c:\BastionSolution\Shells\Projects\miniDionis2\miniDionis\obj\Release\miniDionis.pdb
• c:\OneDriveSolution\Shells\Projects\OneDrive2\OneDrive\obj\x64\Release\OneDrive.pdb

The first of the CloudDuke components we have observed is a downloader internally called "DropperSolution". The purpose of the downloader is to download and execute additional malware on the victim's system. In most observed cases, the downloader will attempt to connect to a compromised website to download an encrypted malicious payload which the downloader will decrypt and execute. Depending on the way the downloader has been configured, in some cases it may first attempt to log in to Microsoft's cloud storage service OneDrive and retrieve the payload from there. If no payload is available from OneDrive, the downloader will revert to the previously mentioned method of downloading from compromised websites.

We have also observed two distinct trojan components in the CloudDuke toolset. The first of these, internally called "BastionSolution", is the trojan that Palo Alto Networks described in their research into "MiniDionis". Interestingly, BastionSolution appears to functionally be an exact copy of SeaDuke with the only real difference being the choice of programming language. BastionSolution also makes significant use of a code framework that is apparently internally called "Z". This framework provides classes for functionality such as encryption, compression, randomization and network communications.

bastion_z (12k image)
A list of classes in the BastionSolution trojan, including multiple classes from the "Z" framework.

Classes from the same "Z" framework, such as the encryption and randomization classes, are also used by the second trojan component of the CloudDuke toolset. This second component, internally called "OneDriveSolution", is especially interesting because it relies on Microsoft's cloud storage service OneDrive as its command and control channel. To achieve this, OneDriveSolution will attempt to log into OneDrive with a preconfigured username and password. If successful, OneDriveSolution will then proceed to copy data from the victim's computer to the OneDrive account. It will also search the OneDrive account for files containing commands for the malware to execute.

onedrive_z (7k image)
A list of classes in the OneDriveSolution trojan, including multiple classes from the "Z" framework.

All of the CloudDuke "solutions" use the same loader, a piece of code whose primary purpose is to decrypt the embedded, encrypted solution, load it in memory and execute it. The Duke group has often employed loaders for their malware but unlike the previous loaders they have used, the CloudDuke loader is much more versatile with support for multiple methods of loading and executing the final payload as well as the ability to write to disk and execute additional malware components.

CloudDuke spear-phishing campaigns and similarities with CozyDuke

CloudDuke has recently been spread via spear-phishing emails with targets reportedly including organizations such as the US Department of Defense. These spear-phishing emails have contained links to compromised websites hosting zip archives that contain CloudDuke-laden executables. In most cases, executing these executables will have resulted in two additional files being written to the victim's hard disk. The first of these files has been a decoy, such as an audio file or a PDF file, while the second one has been a CloudDuke loader embedding a CloudDuke downloader, the so-called "DropperSolution". In these cases, the victim has been presented with the decoy file while in the background the downloader has proceeded to download and execute one of the CloudDuke trojans, "OneDriveSolution" or "BastionSolution".

decoy_ndi_small (63k image)
Example of one of the decoy documents employed in the CloudDuke spear-phishing campaigns. It has apparently been copied by the attackers from here.

Interestingly, however, some of the other CloudDuke spear-phishing campaigns we have observed this July have borne a striking resemblance to CozyDuke spear-phishing campaigns seen almost exactly a year ago, in the beginning of July 2014. In both spear-phishing campaigns, the decoy document has been the exact same PDF file, a "US letter fax test page" (28d29c702fdf3c16f27b33f3e32687dd82185e8b). Similarly, the URLs hosting the malicious files have, in both campaigns, purported to be related to eFaxes. It is also interesting to note that in the case of the CozyDuke-inspired CloudDuke spear-phishing campaign, the downloading and execution of the malicious archive linked to in the emails has not resulted in the execution of the CloudDuke downloader but in the execution of the "BastionSolution" component, thereby skipping one step from the process described for the other CloudDuke spear-phishing campaigns.

decoy_fax (72k image)
The "US letter fax test page" decoy employed in both CloudDuke and CozyDuke spear-phishing campaigns.

Increasingly using cloud services to evade detection

CloudDuke is not the first time we have observed the Duke group use cloud services in general and Microsoft OneDrive specifically as part of their operations. Earlier this spring we released research on CozyDuke where we mentioned observing CozyDuke sometimes either directly use a OneDrive account to exfiltrate stolen data or alternatively CozyDuke downloading Visual Basic scripts that would copy stolen files to a OneDrive account and sometimes even retrieve files containing additional commands from the same OneDrive account.

In these previous cases the Duke group has only used OneDrive as a secondary communication channel but still relied on more traditional C&C channels for most of their actions. It is therefore interesting to note that CloudDuke actually enables the Duke group to rely solely on OneDrive for every step of their operation from downloading the actual trojan, passing commands to the trojan and finally exfiltrating stolen data.

By relying solely on 3rd party web services, such as OneDrive, as their command and control channel, we believe the Duke group is trying to better evade detection. Large amounts of data being transferred from an organization's network to an unknown web server easily raises suspicions. However, data being transferred to a popular cloud storage service is normal. What better way for an attacker to surreptitiously transfer large amounts of stolen data than the same way people are transferring that same data every day for legitimate reasons? (Coincidentally, the implications of 3rd party web services being used as command and control channels are also the subject of an upcoming talk at the VirusBulletin 2015 conference).
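The paragraph above makes the defender's problem concrete: traffic to OneDrive is not suspicious in itself, so what can be measured is a host's upload volume to cloud storage against its own history. The following is an added example, not code from the original post or from F-Secure; it assumes a constructed proxy-log format (date, source host, destination host, bytes sent), an assumed list of OneDrive domains, and assumed thresholds.

```python
"""Per-host baseline check for uploads to cloud storage services.

Constructed example. Log lines are assumed to look like
    <YYYY-MM-DD> <src_host> <dest_host> <bytes_out>
Uploads to cloud storage domains are summed per host per day, and a host is
flagged when today's total is far above its own historical median (or when it
has never uploaded to cloud storage before and suddenly sends a lot).
"""
from collections import defaultdict
from statistics import median

# Assumed domain list: in practice take it from the proxy's URL categories.
CLOUD_STORAGE_DOMAINS = ("onedrive.live.com", "1drv.ms", "storage.live.com")
RATIO_THRESHOLD = 5.0        # flag when today's total > 5x the host's median
MIN_ABS_BYTES = 50_000_000   # ignore bursts below ~50 MB (assumed value)


def is_cloud_storage(dest_host):
    """True when dest_host is one of the listed domains or a subdomain of one."""
    host = dest_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def parse_line(line):
    """Return (day, src_host, dest_host, bytes_out), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    day, src, dest, size = parts
    try:
        return day, src, dest, int(size)
    except ValueError:
        return None


def daily_upload_totals(lines):
    """Sum bytes per source host per day, counting only cloud storage destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines rather than crash
        day, src, dest, size = rec
        if is_cloud_storage(dest):
            totals[src][day] += size
    return totals


def flag_outliers(totals, today):
    """Return sorted [(host, today_bytes, baseline_median)] for anomalous hosts.

    baseline_median is None when the host has no cloud storage uploads before
    `today`; such first-time uploaders are flagged on absolute volume alone.
    """
    flagged = []
    for host, per_day in totals.items():
        today_bytes = per_day.get(today, 0)
        history = [b for d, b in per_day.items() if d < today]  # ISO dates sort as strings
        if not history:
            if today_bytes >= MIN_ABS_BYTES:
                flagged.append((host, today_bytes, None))
            continue
        baseline = median(history)
        if today_bytes >= MIN_ABS_BYTES and today_bytes > RATIO_THRESHOLD * baseline:
            flagged.append((host, today_bytes, baseline))
    return sorted(flagged)


# Constructed sample log: one workstation with a steady ~20 MB/day that jumps to
# ~950 MB, one steady host, one first-time uploader, a non-cloud destination that
# must be ignored, and one malformed line.
SAMPLE_LOG = """\
2015-07-13 ws-finance-07 onedrive.live.com 21000000
2015-07-14 ws-finance-07 onedrive.live.com 19500000
2015-07-15 ws-finance-07 onedrive.live.com 22000000
2015-07-16 ws-finance-07 onedrive.live.com 20500000
2015-07-17 ws-finance-07 onedrive.live.com 640000000
2015-07-17 ws-finance-07 storage.live.com 310000000
2015-07-17 ws-finance-07 www.example.org 700000000
2015-07-13 ws-hr-02 onedrive.live.com 30000000
2015-07-14 ws-hr-02 onedrive.live.com 31000000
2015-07-17 ws-hr-02 onedrive.live.com 33000000
2015-07-17 srv-files-01 onedrive.live.com 120000000
2015-07-17 ws-hr-02 broken line
""".splitlines()


def run(today="2015-07-17", lines=SAMPLE_LOG):
    """Convenience wrapper: build totals from `lines` and flag outliers for `today`."""
    return flag_outliers(daily_upload_totals(lines), today)


if __name__ == "__main__":
    for host, size, baseline in run():
        base = "no history" if baseline is None else f"median {baseline:,.0f} B/day"
        print(f"{host}: {size:,} bytes to cloud storage today ({base})")
```

Real deployments should also baseline the destination account where the proxy exposes it, since CloudDuke logs into a preconfigured OneDrive account rather than the user's own.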

Directing limited resources towards evading detection and staying ahead of defenders

Developing even a single multipurpose malware toolset, never mind many, requires time and resources. Therefore it seems logical to attempt to reuse code such as supporting frameworks between different toolsets. The Duke group, however, appear to have taken this a step further with SeaDuke and the CloudDuke component BastionSolution, by rewriting the same code in multiple programming languages. This has the obvious benefit of saving time and resources while providing two malware toolsets that, while similar on the inside, appear completely different on the outside. This way, the discovery of one toolset does not immediately lead to the discovery of the second toolset.

The Duke group, long suspected of ties to the Russian state, have been running their espionage operation for an unusually long time and - especially lately - with unusual brazenness. These latest CloudDuke and SeaDuke campaigns appear to be a clear sign that the Dukes are not planning to stop any time soon.

Research and post by Artturi (@lehtior2)

F-Secure detects CloudDuke as Trojan:W32/CloudDuke.B and Trojan:W64/CloudDuke.B

Samples:


Compromised servers used for command and control:

hxxps://cognimuse.cs.ntua.gr/search.php
hxxps://portal.sbn.co.th/rss.php
hxxps://97.75.120.45/news/archive.php
hxxps://58.80.109.59/plugins/search.php

Compromised websites used to host CloudDuke:

hxxp://flockfilmseries.com/eFax/incoming/5442.ZIP
hxxp://www.recordsmanagementservices.com/eFax/incoming/150721/5442.ZIP
hxxp://files.counseling.org/eFax/incoming/150721/5442.ZIP




On 22/07/15 At 11:59 AM

Read More
'Zero Days', The Documentary

Posted by Mikko @ 12:40 GMT


VPRO (the Dutch public broadcasting organization) produced a 45-minute documentary about hacking and the trade of zero days. The documentary has now been released in English on YouTube.



The documentary features Charlie Miller, Joshua Corman, Katie Moussouris, Ronald Prins, Dan Tentler, Eric Rabe (of Hacking Team), Felix Lindner, Rodrigo Branco, Ben Nagy, The Grugq, and many others.




On 20/07/15 At 12:40 PM

Read More
IOS Crash Report: Blocking "Pop-Ups" Doesn't Really Help

Posted by Sean @ 10:15 GMT


The Telegraph published an article on Thursday about a scam targeting iOS users. Here's the gist: scammers are using JavaScript generated dialogs to display warnings of so-called "IOS Crash" reports prompting people to call for tech support. Near the end of the Telegraph's article, the following advice is offered:

"To prevent the issue happening again, go to Settings -> Safari -> Block Pop-ups."

Unfortunately, this advice is incorrect. And perhaps even more unfortunately, some security and tech pundits are now repeating the bad advice on numerous websites. How do we know the advice is wrong? Because we actually tested it…

First of all, this "IOS Crash Report" scam is a variation of the technical support scam, cases of which have been documented as early as 2008. In the past, cold-calls originated directly from call centers in India. But more recently, web-based lures are used to prompt potential victims into contacting the scammers.

A Google Search returns several live scam sites with this text:

"Due to a third party application in your phone, IOS is crashed."

Here's one of the sites as viewed with iOS Safari on an iPad:

iosclean.com

Safari's "Fraudulent Website Warning" and "Block Pop-ups" features didn't prevent the page from loading.

What looks like a pop-up on the image above is actually a JavaScript generated dialog. One which will continuously re-spawn itself and can be very difficult to dismiss. Turning off JavaScript in Safari is the quickest way to regain control. Unfortunately, leaving JavaScript disabled will significantly impact a large number of legitimate websites.

Here's the same site as viewed with Google Chrome for Windows:

Prevent this page from creating additional dialogs

Notice the additional text in the image above: prevent this page from creating additional dialogs. Current versions of Chrome and Firefox (for Windows, at least) will inject this option into re-spawning dialogs, allowing the user to break the loop. Sadly, Internet Explorer and Safari do not. (We tested with IE for Windows / Windows Phone, and iOS Safari.)

Wouldn't it be great if all browsers supported this prevention feature?

Yeah, we think so, too.

But it's not just browsers, apps with browser functionality can also be affected.

Here's an example of a JavaScript dialog displayed via Cydia.

error1014.com

The end of the Telegraph's article included the following advice from City of London police:

"Never give your iCloud username and password or your bank details to someone over the phone."

Indeed! Giving somebody your iCloud password could quickly turn a support scam into a data hijacking and extortion scheme. We attempted to call several of the scammer telephone numbers to see if they would ask for our iCloud credentials — only to discover that the numbers we tried are currently not in service.

Hopefully they stay that way. (They won't.)




On 17/07/15 At 10:15 AM

Read More
Hacking Team 0-day Flash Wave with Exploit Kits

Posted by Patricia @ 12:29 GMT


After Hacking Team was compromised, a lot of information was publicly disclosed beginning on the 5th of July, in particular its business clients and a zero-day vulnerability in Adobe Flash Player that the company had been using.

Since the info about the first zero-day was made freely available, we knew attackers would swiftly move to use it. As expected, the Flash exploit was integrated into exploit kits such as Angler, Magnitude, Nuclear, Neutrino, Rig, and HanJuan, as reported by Kafeine.

Based on our telemetry, there was a rise in Flash exploits beginning on the 6th that continued until the 9th.

overall_stats (11k image)


Here are the stats for each exploit kit:

ek_stats (27k image)


The security advisory for the CVE-2015-5119 zero-day was released on 7th July and the patch was made available on the 8th, so the hits started to decline about two days after the patch.

But just when people had started updating their systems, there was yet another spike in Angler Flash exploit hits:

weekend_wave_stats (22k image)


Apparently, two more Flash vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were discovered. These vulnerabilities are still waiting to be patched. According to Kafeine, one of the two vulnerabilities was added to the Angler exploit kit.

As a side note related to the Angler exploit kit: if you look at the second chart above, Angler and HanJuan share the same statistics. This is because our detections for Angler Flash exploits were also hitting on HanJuan Flash exploits.

We verified this after discovering that a different URL pattern was being detected as Angler:

angler_vs_hanjuan_urlpattern (9k image)


We looked at the Flash exploit used by both kits, and the two are nearly identical.

Angler Flash Exploit:

anglerek_ht0d_3 (26k image)


HanJuan Flash Exploit:

hanjuanek_ht0d_3 (23k image)


There has already been speculation that there are strong connections between the actors behind the two exploit kits. For example, both have used "fileless" delivery of payloads and even similar encryption methods. Perhaps at some point we will see HanJuan supporting this new Flash 0-day as well.

In the meantime, since there hasn't been a patch released yet for these new ones, our users remain protected from the effects of the exploit kits through Browsing Protection as well as these detections:

Exploit:SWF/AnglerEK.L
Exploit:SWF/NeutrinoEK.C
Exploit:SWF/NeutrinoEK.D
Exploit:SWF/NuclearEK.H
Exploit:SWF/NuclearEK.J
Exploit:SWF/Salama.H
Exploit:SWF/Salama.R
Exploit:JS/AnglerEK.D
Exploit:JS/NuclearEK.I
Exploit:JS/MagnitudeEK.A

UPDATE: Adobe has released patches for the recent two vulnerabilities: CVE-2015-5122 and CVE-2015-5123. Users are recommended to update to the latest version of Adobe Flash Player.






On 13/07/15 At 12:29 PM

Read More
The Trusted Internet: Who governs who gets to buy spyware from surveillance software companies?

Posted by FSLabs @ 02:31 GMT


When hackers get hacked, that's when secrets are uncovered. On July 5th, Italian-based surveillance technology company Hacking Team was hacked. The hackers released a 400GB torrent file with internal documents, source code, and emails to the public - including the company's client list of close to 60 customers.

The list included countries such as Sudan, Kazakhstan and Saudi Arabia - despite official company denials of doing business with oppressive regimes. The leaked documents strongly implied that in the South-East Asian region, government agencies from Singapore, Thailand and Malaysia had purchased their most advanced spyware, referred to as a Remote Control System (RCS).

According to security researchers Citizen Lab, this spyware is extraordinarily intrusive, with the ability to turn on microphone and cameras on mobile devices, intercept Skype and instant messages, and use an anonymizer network of proxy servers to prevent harvested information from being traced back to the command and control servers.

Based on images of the client list posted to pastebin, the software was purchased in Malaysia by the Malaysia Anti-Corruption Commission (MACC), Malaysia Intelligence (MI) and the Prime Minister's Office (PMO):

hacking_team_client_list (86k image)

Additional images of leaked invoices posted to medium.com indicated the spyware was sold through a locally-based Malaysian company named Miliserv Technologies (M) Sdn Bhd (registered with the Ministry of Finance Malaysia), which specializes in providing digital forensics, intelligence gathering and public security services:

hacking_team_hack_1 (95k image)

hacking_team_hack_2 (72k image)

Why the Prime Minister's Office would need surveillance software remains puzzling. Mind you, professional grade spyware ain't cheap - a license upgrade could cost you MYR400,000 and a maintenance renewal will set you back about MYR160,000.

According to reports of the incident in Malaysian alternative media, Malaysian government agencies have probably been using the spyware even before discovery of the FinFisher malware that was detected in the run-up to the 2013 General Elections.

Coincidentally, Malaysia has also been the frequent host of the annual ISS World Asia tradeshow, where companies promote their arsenal of 'lawful' surveillance software to law enforcement agencies, telco service providers and government employees. During the 2014 event, Hacking Team was present and was the associate lead sponsor of the event.

MiliServ Technologies is currently involved in the upcoming 2015 ISS World Asia in Kuala Lumpur. The event is invitation-only - though it may be interesting to see if Hacking Team will make it there this year.


Post by – Su Gim




On 08/07/15 At 02:31 AM

Read More
Problematic Wassenaar Definitions

Posted by Sean @ 13:25 GMT


The Wassenaar Arrangement, a multilateral export control regime, defines "intrusion software" as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network capable device. Intrusion software is used to: extract data or information, or to modify system or user data; or to modify the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Wassenaar states that monitoring tools are software or hardware devices that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.

Wassenaar Arrangement definitions
(Source)


So… what we at F-Secure (and the rest of the antivirus industry) call "malware" appears to easily fit Wassenaar's definition of intrusion software.

Why is this interesting?

Well, the US Bureau of Industry and Security (BIS), part of the US Department of Commerce, has proposed updating its rules to require a license for the export of intrusion software.

And according to the Dept of Commerce, "an export" is –any– item that is sent from the United States to a foreign destination. "Items" include among other things, software and technology.

The Paradox

So… if malware is intrusion software, and any item is an export, how exactly are US-based customers supposed to submit a malware sample to their European antivirus vendor? Seriously, customers send us malware that uses zero-days all the time. Not to mention the samples that we routinely exchange with other trusted AV vendors from around the globe.

Unintended Consequences

The text associated with the BIS proposal says the scope includes penetration testing products that use intrusion software in what looks like an attempt to limit "hacking" tools, but there is nothing about what is excluded from the scope. So the BIS might not intend to limit customers from uploading malware samples to their AV vendor, but that could be the effect if this new rule is adopted and arbitrarily enforced. Or else it could just force people to operate in a legal limbo. Is that what we want?

The BIS is taking comments until July 20th.




On 09/06/15 At 01:25 PM

Read More
Found Item: UK Wi-Fi Law?

Posted by Sean @ 13:27 GMT


I visited the UK last Thursday, found a coffee shop offering "free" Wi-Fi, and read this…

"UK Law states that we must know who is using our Wi-Fi at all times."

Now I'm not a lawyer — but that seems like quite the disingenuous claim.

_WalkinWiFi

Mobile number, post code, and date of birth??

I wonder how many people fall for this type of malarkey.

Post by — @Sean




On 08/06/15 At 01:27 PM

Read More
SMS Exploit Messages

Posted by Sean @ 13:56 GMT


There's an iOS vulnerability affecting iPhone, iPad, and even Apple Watch that allows for a denial of service.

Crashing a phone with an SMS? That's so 2008.


S60 SMS Exploit Messages

Unlike 2008, this time kids are reportedly using the vulnerability to harass others.

Apple is working on a security update. But unfortunately… that update very likely won't be available for older iPhones.

Updated to add:

Here's the "Effective Power" exploit crashing an iPhone 6:


Effective Power Unicode iOS hack on iPhone 6

And this… is Effective Power crashing the iOS Twitter app:


Effective Power Unicode iOS hack vs Twitter




On 28/05/15 At 01:56 PM

Read More
Ransomware Spam E-Mails Targeting Users in Italy and Spain

Posted by FSLabs @ 03:17 GMT


In the past few days, we received some cases from our customers in Italy and Spain, regarding malicious spam e-mails that pointed to Cryptowall or Cryptolocker ransomware.

The spam e-mails pretended to come from a courier/postal service, regarding a parcel that was waiting to be collected. The e-mails offer a link to track that parcel online:

crypt_email (104k image)

When we did the initial investigation of the e-mails from our standard test system, the link redirected to Google:

crypt_email_redirect_italy (187k image)

So, no malicious behavior? Well, we noted that the first two URLs pointed to PHP scripts. Since PHP code is executed on the server side, not locally on the client, it is possible that the servers were 'deciding' whether to redirect the user to Google or to serve malicious content, based on some preset conditions.

Since this particular spam e-mail is written in Italian - perhaps only a customer based in Italy would be able to see the malicious payload? Fortunately, we have Freedome, so we can travel to Italy for a little while to experiment.

So we turned on Freedome, set the location to Milan and clicked the link in the e-mail again:

crypt_email_mal_italy (302k image)

Now we see the bad stuff. If the user is (or appears to be) located in Italy, the server will redirect them to a malicious file hosted on a cloud storage server.

The e-mail spam sent to Spanish users is similar, though in those cases a CAPTCHA challenge is included to make the site seem more authentic. If the link in the e-mail is clicked by a user located outside Spain, we again end up at Google:

crypt_email_redirect_spain (74k image)

If the site is instead visited from a Spanish IP, we get to the CAPTCHA screen:

crypt_email_target_spain (57k image)

And then to the malware itself:

crypt_email_mal_spain (313k image)

This spam campaign doesn't use any exploits (so far), just old-fashioned social engineering; infection only occurs if the user manually downloads and executes the files offered on the malicious URLs. For our customers, the URLs are blocked and the files are detected.
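The comparison the post performs by hand (fetch the same link from a normal egress and again through a VPN exit in the targeted country, then compare where each visit ends up) can be encoded as an analyst check. The code below is an added example, not F-Secure's tooling; the observations, hosts and link URLs are constructed placeholders, not the campaign's real infrastructure.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts the campaign used as a harmless decoy for visitors it did not want.
DECOY_HOSTS = {"www.google.com", "google.com"}
# MIME types that indicate a downloadable payload rather than a web page.
PAYLOAD_TYPES = {"application/zip", "application/x-msdownload",
                 "application/octet-stream"}


@dataclass
class Observation:
    """One fetch of the e-mail link from a given vantage point."""
    country: str           # ISO country code of the egress used (e.g. a VPN exit)
    chain: list            # redirect chain; chain[0] is the URL from the e-mail
    content_type: str      # Content-Type of the final response
    captcha: bool = False  # an interstitial CAPTCHA page preceded the final hop


def final_host(obs):
    return urlsplit(obs.chain[-1]).netloc.lower()


def server_side_hops(obs):
    """URLs in the chain whose path is a PHP script, i.e. hops where the
    server could have made a per-visitor decision (what the post noticed)."""
    return [u for u in obs.chain if urlsplit(u).path.lower().endswith(".php")]


def classify(observations, target_country):
    """Compare fetches of the same link from inside and outside the targeted
    country. 'geo_cloaked' is True when the targeted country received a
    payload while some other country was sent to a decoy site."""
    payload_from, decoy_from, interstitial = [], [], []
    for obs in observations:
        if final_host(obs) in DECOY_HOSTS:
            decoy_from.append(obs.country)
        elif obs.content_type in PAYLOAD_TYPES:
            payload_from.append(obs.country)
        if obs.captcha:
            interstitial.append(obs.country)
    cloaked = (target_country in payload_from
               and any(c != target_country for c in decoy_from))
    return {
        "geo_cloaked": cloaked,
        "payload_from": sorted(set(payload_from)),
        "decoy_from": sorted(set(decoy_from)),
        "captcha_from": sorted(set(interstitial)),
        "decision_points": sorted({u for o in observations
                                   for u in server_side_hops(o)}),
    }


# Constructed sample data mirroring the post's two experiments (Italy and
# Spain). Hosts are placeholders, not the campaign's real infrastructure.
ITALY_LINK = "http://tracking.example.invalid/parcel.php?id=42"
ITALY_OBS = [
    Observation("FI", [ITALY_LINK, "http://tracking.example.invalid/go.php",
                       "https://www.google.com/"], "text/html"),
    Observation("IT", [ITALY_LINK, "http://tracking.example.invalid/go.php",
                       "https://files.example.invalid/parcel_42.zip"],
                "application/zip"),
]
SPAIN_LINK = "http://envio.example.invalid/seguimiento.php?id=7"
SPAIN_OBS = [
    Observation("FI", [SPAIN_LINK, "https://www.google.com/"], "text/html"),
    Observation("ES", [SPAIN_LINK, "http://envio.example.invalid/captcha.php",
                       "https://files.example.invalid/envio_7.zip"],
                "application/zip", captcha=True),
]

if __name__ == "__main__":
    for name, obs, cc in (("Italy", ITALY_OBS, "IT"), ("Spain", SPAIN_OBS, "ES")):
        print(name, classify(obs, cc))
```

The same function applies to any campaign once the link has been fetched from at least two vantage points; a result with an empty `decoy_from` simply means no cloaking was observed, not that the link is safe.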

(malware SHA1s: 483be8273333c83d904bfa30165ef396fde99bf2, 295042c167b278733b10b8f7ba1cb939bff3cb38)

Post by — Victor




On 19/05/15 At 03:17 AM

Read More
Mac Hack Demonstration

Posted by Sean @ 12:46 GMT


Securing your SSH password is very important. Otherwise, you might be pwned by a little girl with her Raspberry Pi.

Kids hack their Dad's computer on her Raspberry Pi

Don't worry, it's an authorized hack, she asked her mom for permission.




On 15/05/15 At 12:46 PM

Read More
Email Security Considerations for Microsoft 365 Users

The post Email Security Considerations for Microsoft 365 Users appeared first on GreatHorn.

Read More
Email Security Considerations for Google Workspace Users

The post Email Security Considerations for Google Workspace Users appeared first on GreatHorn.

Read More
Show the Value of Your Email Security Solutions: Don’t Just Measure Detection Rates

The post Show the Value of Your Email Security Solutions: Don’t Just Measure Detection Rates appeared first on GreatHorn.

Read More
Universities and Colleges Face Multi-faceted Email Security Challenges

The post Universities and Colleges Face Multi-faceted Email Security Challenges appeared first on GreatHorn.

Read More
Spam vs Phish: The Problem with User-Reported Phish Buttons

The post Spam vs Phish: The Problem with User-Reported Phish Buttons appeared first on GreatHorn.

Read More
Phishing for Google Impersonation Attacks

Bad actors around the globe go phishing in emails twenty-four hours a day, seven days a week. Whether they are “guppies” like your local bakery down the street or big “fish” like Google, no one is immune to their attacks. Google, one of the largest, most well-known – and used – applications, will always be […]

The post Phishing for Google Impersonation Attacks appeared first on GreatHorn.

Read More
GMX.Net Phishing Campaigns: Why They’re Hitting Users’ Inboxes

GMX (Global Mail eXchange) Mail is an email service where users may register up to 10 individual email addresses at no cost. As a result, threat actors are leveraging this service to easily spin up new email addresses and effectively delivering phishing attacks that bypass Microsoft o365 and Google Workspace, landing in an organization’s email […]

The post GMX.Net Phishing Campaigns: Why They’re Hitting Users’ Inboxes appeared first on GreatHorn.

Read More
Native vs SEG vs ICES: What You Need to Know About Email Security

The shift from on-premise email platforms to cloud email platforms has taken shape, with the majority (70%) of organizations. Microsoft 365 and Google Workspace remain the predominant email platforms for organizations. However, a significant change has occurred in the past year. With an estimated 40% of ransomware attacks that start through email, and BEC and […]

The post Native vs SEG vs ICES: What You Need to Know About Email Security appeared first on GreatHorn.

Read More
Blueberry Muffins vs Blonde Chihuahuas: Debunking Artificial Intelligence in Email Security

In cybersecurity, buzzwords come and go, often being replaced with new buzzwords while the market is still attempting to realize the benefits of the former. Today, every technology vendor is talking about Artificial Intelligence (AI). In reality, Machine Learning (the method to one day achieve AI) is still the predominant technical solution deployed within vendor […]

The post Blueberry Muffins vs Blonde Chihuahuas: Debunking Artificial Intelligence in Email Security appeared first on GreatHorn.

Read More
Global Supply Chain: Attackers Targeting Business Deliveries

Our global supply chain includes all the people, companies and countries that need to work cohesively to manufacture, process and ship goods. Disruptions in the global supply chain are increasingly impacting organizations, with logistical problems crossing most industries.  As a result, the continued strain on the supply chain puts added pressure on businesses as they […]

The post Global Supply Chain: Attackers Targeting Business Deliveries appeared first on GreatHorn.

Read More
8 Benefits of Endpoint Detection & Response (EDR) You Should Know [2024]

Did you know, the average employee today uses 2.5 devices to carry out their work? Across businesses, this can add up to hundreds or even thousands of bits of kit. One 2021 study in the UK found two-thirds of large businesses (250+ employees) have more than 1,000 devices on their networks, while medium-sized companies (50-249 […]

The post 8 Benefits of Endpoint Detection & Response (EDR) You Should Know [2024] appeared first on Heimdal Security Blog.

Read More
ServiceNow RCE Flaws Actively Exploited by Threat Actors to Steal Credentials

Threat actors are exploiting publicly known exploits to chain together ServiceNow flaws in order to infiltrate government organizations and commercial companies in data theft campaigns. Security researchers monitored the malicious activity and identified multiple victims, including government agencies, data centres, energy providers, and even software development firms. Even though the company fixed the vulnerabilities with […]

The post ServiceNow RCE Flaws Actively Exploited by Threat Actors to Steal Credentials appeared first on Heimdal Security Blog.

Read More
[2024] 10 Qualys Alternatives That Should Be on Your Shortlist

Qualys is one of the leading vulnerability, patch, and compliance management providers.  While Qualys has long been a leader in cloud-based cybersecurity (it launched in 1999), it’s not suitable for everyone. It can be expensive, its scanning process can be slow, and it is purely cloud-based – making it less helpful for securing on-premises IT.  […]

The post [2024] 10 Qualys Alternatives That Should Be on Your Shortlist appeared first on Heimdal Security Blog.

Read More
Russia-Linked Brute-Force Campaign Targets EU via Microsoft Infrastructure

Summary The European Union is experiencing a surge in brute-force cyberattacks on corporate and institutional networks, mostly originating from Russia, according to a Heimdal investigation. These attackers exploit Microsoft infrastructure, particularly in Belgium and the Netherlands, to avoid detection. Heimdal’s data reveals that the attacks date back to May 2024, but evidence suggests they may […]

The post Russia-Linked Brute-Force Campaign Targets EU via Microsoft Infrastructure appeared first on Heimdal Security Blog.

Read More
Heimdal Integrates with Autotask PSA to Elevate MSP Operations and Drive Market Expansion

LONDON, July 23, 2024 – Heimdal proudly announces its integration with Autotask PSA, a renowned Professional Services Automation tool developed by Datto, a Kaseya company. This new integration is poised to significantly enhance support ticket creation and management, driving productivity and unlocking new commercial opportunities for Heimdal customers and partners. Driven by high customer demand […]

The post Heimdal Integrates with Autotask PSA to Elevate MSP Operations and Drive Market Expansion appeared first on Heimdal Security Blog.

Read More
Major Outages Worldwide Caused by CrowdStrike Update

Many machines all around the world are at a halt. A faulty component in the latest CrowdStrike Falcon update is crashing Windows systems. The mass outage causes worldwide chaos, with major banks, healthcare companies, media outlets, logistic companies, and even airlines among the victims. Many flights have been grounded, with queues and delays at airports, […]

The post Major Outages Worldwide Caused by CrowdStrike Update appeared first on Heimdal Security Blog.

Read More
Best DNS Software in 2024

Choosing the right DNS software can make a significant difference in your network’s speed, security, and reliability.  With a variety of options available, finding the best DNS software for your needs in 2024 can be challenging.  This guide will help you explore the top choices, highlighting their key features, so you can make an informed […]

The post Best DNS Software in 2024 appeared first on Heimdal Security Blog.

Read More
The Complete Guide to Zero Trust Implementation

If you pay any attention to the world of cybersecurity, there’s a good chance you’ve heard the term ‘zero trust’ at some point over the last few years. In fact, the term is so ubiquitous that it’s often difficult to understand what it actually means and how you’d go about applying it to your security […]

The post The Complete Guide to Zero Trust Implementation appeared first on Heimdal Security Blog.

Read More
AT&T Data Breach Compromises 109 million Customers' Information

Hackers got access to phone call and text message records belonging to roughly 109 million people in the AT&T data breach. The breaching of AT&T’s online database hosted in a Snowflake account happened in April 2024. What information did the AT&T data breach impact? The incident affected almost all the company’s mobile customers who communicated […]

The post AT&T Data Breach Compromises 109 million Customers' Information appeared first on Heimdal Security Blog.

Read More
Hackers Only Need 22 Minutes Since Disclosure to Exploit a PoC

Security researchers observed hackers exploiting a vulnerability only 22 minutes after releasing proof of concept (PoC). It is the case of CVE-2024-27198, an authentication bypass flaw in JetBrains TeamCity. The CVE has a 9.8 CVSS score, which is critical. Hackers can use this vulnerability to execute arbitrary code and take complete control of the compromised […]

The post Hackers Only Need 22 Minutes Since Disclosure to Exploit a PoC appeared first on Heimdal Security Blog.

Read More
Automated Incident Response: What You Need to Know

If you’re responsible for an organization’s cybersecurity, then the appeal of automated incident response is obvious. Any technology that speeds up breach response time, reduces your workload, and prevents attacks is going to tick a lot of boxes.  The concept of automated incident response isn’t entirely new. In a way, it has existed for many […]

The post Automated Incident Response: What You Need to Know appeared first on Heimdal Security Blog.

Read More
New Heimdal-HaloPSA Integration Boosts Efficiency for Managed Service Providers

LONDON, July 11, 2024 – Heimdal is pleased to announce its integration with HaloPSA, a premier helpdesk ticketing system designed for Managed Service Providers (MSPs). This integration allows Heimdal customers and partners using HaloPSA to automate and customize ticket management, significantly boosting operational efficiency. This strategic move highlights Heimdal’s mission to provide seamless, efficient, and […]

The post New Heimdal-HaloPSA Integration Boosts Efficiency for Managed Service Providers appeared first on Heimdal Security Blog.

Read More
Over 16,400 Private and State-Owned Businesses Exposed to RegreSSHion Vulnerability

Over 16,400 global organizations are at risk due to a critical security flaw that could lead to the remote compromise of systems, an investigation by Heimdal has found. Tracked as CVE-2024-6387 and known as RegreSSHion, this vulnerability carries a CVSS score of 8.1, raising alarms within the cybersecurity community for its potential to enable remote […]

The post Over 16,400 Private and State-Owned Businesses Exposed to RegreSSHion Vulnerability appeared first on Heimdal Security Blog.

Read More
Best Zero Trust Solutions in 2024

Looking for the best zero trust solutions in 2024? We’ve got your back. In this article, we’ll discuss the best options available to help you make an informed decision. Here’s a quick glance for you: Heimdal XDR: Best platform. Enhances security by adopting a Zero Trust model, ensuring that only essential permissions are granted to […]

The post Best Zero Trust Solutions in 2024 appeared first on Heimdal Security Blog.

Read More
Hackers Use the BlastRADIUS Flaw for Man-in-the-Middle Attacks

Researchers warn that BlastRADIUS, a flaw in the RADIUS network authentication protocol, helps hackers conduct Man-in-the-middle (MitM) attacks. RADIUS is short for Remote Authentication Dial-In User Service. It is a client/server protocol for authenticating users and devices. Various networked devices like switches, routers, access points, and other routing infrastructure rely on it. RADIUS runs in […]

The post Hackers Use the BlastRADIUS Flaw for Man-in-the-Middle Attacks appeared first on Heimdal Security Blog.

Read More
ExelaStealer Delivered "From Russia With Love", (Fri, Jul 26th)

Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65):

Read More
ISC Stormcast For Friday, July 26th, 2024 https://isc.sans.edu/podcastdetail/9070, (Fri, Jul 26th)

No summary available.

Read More
XWorm Hidden With Process Hollowing, (Thu, Jul 25th)

XWorm is not a brand-new malware family [1]. It's a common RAT (Remote Access Tool) reused regularly in new campaigns. Yesterday, I found a sample that behaves like a dropper and runs the malware using the Process Hollowing technique [2]. The sample is called "@Norman_is_back_RPE_v1.exe" (SHA256: dc406d626a9aac5bb918abf0799fa91ba6239fc426324fd8c063cc0fcb3b5428). It's a .Net executable that is, strangely, not obfuscated. It's possible to disassemble it with ilspycmd:

Read More
ISC Stormcast For Thursday, July 25th, 2024 https://isc.sans.edu/podcastdetail/9068, (Thu, Jul 25th)

No summary available.

Read More
"Mouse Logger" Malicious Python Script, (Wed, Jul 24th)

Keylogging is a pretty common feature of many malware families because recording the keys pressed on a keyboard may reveal a lot of interesting information like usernames, passwords, etc. Back from SANSFIRE, I looked at my backlog of hunting results and found an interesting piece of Python malware. This one implements a keylogger and a screenshot grabber but also... a "mouse logger"! By mouse logger, I mean that it can collect activity generated by the user's mouse.

Read More
ISC Stormcast For Wednesday, July 24th, 2024 https://isc.sans.edu/podcastdetail/9066, (Wed, Jul 24th)

No summary available.

Read More
New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273), (Tue, Jul 23rd)

In April, an OS command injection vulnerability in various D-Link NAS devices was made public [1]. The vulnerability, CVE-2024-3273, was exploited soon after it became public. Many of the affected devices are no longer supported.

Read More
ISC Stormcast For Tuesday, July 23rd, 2024 https://isc.sans.edu/podcastdetail/9064, (Tue, Jul 23rd)

No summary available.

Read More
CrowdStrike: The Monday After, (Mon, Jul 22nd)

Last Friday, Crowdstrike released a bad sensor configuration update that caused widespread crashes of Windows systems. The most visible effects of these crashes appear to have been mitigated. I am sure many IT workers had to spend the weekend remediating the issue.

Read More
ISC Stormcast For Monday, July 22nd, 2024 https://isc.sans.edu/podcastdetail/9062, (Mon, Jul 22nd)

No summary available.

Read More
New Phishing Scam Leverages Chat To Add Credibility And Ensure Success

A new phishing scam is leveraging trusted aspects of ecommerce to make the scammers' lures look legitimate.

Read More
Phishing Campaigns Continue To Exploit CrowdStrike Outage

As expected, threat actors are taking advantage of the global IT outage caused by a faulty CrowdStrike update last Friday, SC Media reports.

Read More
Russian Super-Threat Group Fin7 Comes Back from the Dead

Declared “dead” by the U.S. Attorney’s Office in 2023, the Russian cyber crime group Fin7 is impersonating some of the top global brands.

Read More
Your KnowBe4 Fresh Content Updates from July 2024

Check out the 26 new pieces of training content added in July, alongside the always fresh content update highlights, events and new features.

Read More
Your KnowBe4 Compliance Plus Fresh Content Updates from July 2024

Check out the July updates in Compliance Plus so you can stay on top of featured compliance training content.

Read More
North Korean Fake IT Worker FAQ

Frequently Asked Questions About KnowBe4's Fake IT Worker Blog
 
July 23, 2024, I wrote a blog post about how KnowBe4 inadvertently hired a skillful North Korean IT worker who used the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented background check processes commonly used.
 
The intent was to share an organizational learning moment, so you can make sure this does not happen to you. The story went viral, which is exactly what I had hoped for. Do we have egg on our face? Yes. And I am sharing that lesson with you. It's why I started KnowBe4 in 2010. In 2024 our mission is more important than ever. 
 
Q1: Was any KnowBe4 system breached in this North Korean IT worker incident?
No. KnowBe4 was not breached. When we hire new employees, their user account is granted only limited permissions that allow them to proceed through our new hire onboarding process and training. They can access only a minimal number of necessary apps to go through our new employee training.
 
Q2: What access do new employees get? 
These are apps such as their email inbox, Slack, and Zoom. The workstation they receive is locked down and has no data residing on it; it is essentially a laptop with nothing on it except our endpoint security and management tools.
 
Q3: Did the new employee get access to customer data? 
No. This person never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information. They had basic communication apps and a factory-new provisioned laptop. We detected suspicious activity and responded within minutes, quarantining the entire laptop. 
 
Q4: Was any malware executed on the machine? 
No. No malware was executed on the machine as it was blocked by our security tooling. A complete review of all processes, commands, network connections, and other activity on the laptop was conducted and we concluded that no further action was needed as there was no suspicious activity outside of what was detected and blocked.
 
Q5: What access did this worker have on his workstation that could have compromised customer data or perhaps used the simulated phishing platform?
There was nothing provided on the laptop. All of KnowBe4 data is kept in the cloud and a review of this individual's user account determined they did not access anything other than their own email inbox. We provision access to our KnowBe4 platform through Okta. New hires are not granted access into the KnowBe4 platform until after completion of their onboarding, which this person had not completed, and therefore never had access to the platform.
 
Q6: Why would someone hired as a software developer try to load malware on their new machine? 
We can only guess, but the malware was an infostealer targeting data stored on web browsers, and perhaps he was hoping to extract information left on the computer before it was commissioned to him.
 
Q7: How did this bad actor pass your hiring process?
This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a US citizen, who participated in several rounds of video interviews and circumvented background check processes commonly used by companies.
 
Q8: The press made it sound like a data breach disclosure. Was it? 
No. It was a Public Service Announcement. We could have kept quiet while wiping the egg off our face. However, our mission is to make the world aware of cybercrime. If something like this can happen to us, it can happen to almost anyone. The blog post was meant to warn organizations about this particular danger. It looks like we have succeeded.
 
Q9: Has KnowBe4 changed their hiring process? 
You bet we have! Several process changes were made so that this thing will be caught earlier. One example is that in the US we will only ship new employee workstations to a nearby UPS shop and require a picture ID.
 

Phishing Campaigns Abuse Cloud Platforms to Target Latin America

Several threat actors are abusing legitimate cloud services to launch phishing attacks against users in Latin America, according to Google’s latest Threat Horizons Report.

Is Your Bank Really Calling? How to Protect Yourself from Financial Impersonation Fraud

Protecting your financial information has never been more crucial.

With the rise of sophisticated scams, it's becoming increasingly difficult to distinguish between legitimate bank communications and fraudulent attempts to access your accounts. So, how can you be sure it's really your bank contacting you?

Crypto Data Breach Continues to Fuel Phishing Scams Years Later

According to security researchers at Cisco Talos, emails impersonating legitimate officers at the Cyprus Securities and Exchange Commission are being sent to prior Opteck customers, offering victims investment advice.

How a North Korean Fake IT Worker Tried to Infiltrate Us

Incident Report Summary: Insider Threat

First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification; there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you. We wrote an FAQ, answering questions from customers. Story updated 7/25/2024.

TLDR: KnowBe4 needed a software engineer for our internal IT AI team. We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.

Our HR team conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI "enhanced". 

The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help. That's when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea. The picture you see is an AI fake that started out with stock photography (below). The detail in the following summary is limited because this is an active FBI investigation.

LW ROUNDTABLE: CrowdStrike outage reveals long road ahead to achieve digital resiliency

Last week, CrowdStrike, one of the cybersecurity industry’s most reputable solution providers, inadvertently caused more disruption across the Internet than all the threat actors active online at the time.

Related: Microsoft blames outage on EU

A flawed update to CrowdStrike’s … (more…)

The post LW ROUNDTABLE: CrowdStrike outage reveals long road ahead to achieve digital resiliency first appeared on The Last Watchdog.

GUEST ESSAY: Consumers, institutions continue to shoulder burden for making mobile banking secure

The rapid adoption of mobile banking has revolutionized how we manage our finances.

Related: Deepfakes aimed at mobile banking apps

With millions of users worldwide relying on mobile apps for their banking needs, the convenience is undeniable. However, this surge … (more…)

The post GUEST ESSAY: Consumers, institutions continue to shoulder burden for making mobile banking secure first appeared on The Last Watchdog.

MY TAKE: Study shows most folks haven’t considered bequeathing their ‘digital’ inheritances

In our digital age, managing passwords effectively is crucial not just for our security while we’re alive, but also for ensuring our digital legacies are secure after we’re gone.

Related: Understanding digital footprints

A recent study by All About (more…)

The post MY TAKE: Study shows most folks haven’t considered bequeathing their ‘digital’ inheritances first appeared on The Last Watchdog.

GUEST ESSAY: How cybercriminals are using ‘infostealers’ to sidestep passwordless authentication

Passwords have been the cornerstone of basic cybersecurity hygiene for decades.

Related: Passwordless workplace long way off

However, as users engage with more applications across multiple devices, the digital security landscape is shifting from passwords and password managers towards including … (more…)

The post GUEST ESSAY: How cybercriminals are using ‘infostealers’ to sidestep passwordless authentication first appeared on The Last Watchdog.

RSAC Fireside Chat: Madison Horn’s quest to add cyber expertise, restore ethics to Congress

At a time of devolving politics, Madison Horn stands out as a breath of fresh air.

Related: The Biden-Harris National Cybersecurity Strategy

I had the chance to sit down with Horn at RSAC 2024 to learn all about her measured … (more…)

The post RSAC Fireside Chat: Madison Horn’s quest to add cyber expertise, restore ethics to Congress first appeared on The Last Watchdog.

RSAC Fireside Chat: Amplifier Security taps LLMs to help organizations foster a security culture

Security teams rely on an ever-growing stack of cybersecurity tools to keep their organization safe.

Related: The worst year ever for breaches

Yet there remains a glaring disconnect between security systems and employees.

Now comes a start-up, Amplifier Security, … (more…)

The post RSAC Fireside Chat: Amplifier Security taps LLMs to help organizations foster a security culture first appeared on The Last Watchdog.

New Tech Q&A: Adaptiva – CrowdStrike alliance highlights trend of blending IT and security systems

The coalescing of the next-gen security platforms that will carry us forward continues.

Related: Jump starting vulnerability management

Adaptiva, a leader in autonomous endpoint management, recently announced the launch of OneSite Patch for CrowdStrike. This new solution integrates with … (more…)

The post New Tech Q&A: Adaptiva – CrowdStrike alliance highlights trend of blending IT and security systems first appeared on The Last Watchdog.

News Alert: Infinidat introduces advanced cyber resiliency and recovery solution for enterprises

Waltham, Mass., June 27, 2024, CyberNewsWire — Infinidat, a leading provider of enterprise storage solutions, has introduced a new automated cyber resiliency and recovery solution that will revolutionize how enterprises can minimize the impact of ransomware and malware attacks.… (more…)

The post News Alert: Infinidat introduces advanced cyber resiliency and recovery solution for enterprises first appeared on The Last Watchdog.

News Alert: FireTail unveils free access to its enterprise-level API security platform — to all

McLean, Va., June 26, 2024, CyberNewsWire — FireTail today announced a free version of its enterprise-level API security tools, making them accessible to developers and organizations of all sizes.

• FireTail’s unique combination of open-source code libraries, inline API call evaluation, … (more…)

The post News Alert: FireTail unveils free access to its enterprise-level API security platform — to all first appeared on The Last Watchdog.

RSAC Fireside Chat: The many flavors of ‘SASE’ now includes Aryaka’s ‘Unified SASE as a Service’

Secure Access Service Edge (SASE) has come a long way since Gartner christened this cloud-centric cybersecurity framework in 2019.

Related: Can SASE stop tech sprawl?

SASE blends networking architecture, namely SD-WAN, with cloud-delivered security services such as security … (more…)

The post RSAC Fireside Chat: The many flavors of ‘SASE’ now includes Aryaka’s ‘Unified SASE as a Service’ first appeared on The Last Watchdog.

Meta takes down 63,000 sextortion-related accounts on Instagram

Meta has taken down a large number of Instagram accounts directly involved in sextortion, and more accounts aimed at training scammers.

Windows update may present users with a BitLocker recovery screen

After the July Microsoft update some systems boot into a BitLocker Recovery screen. How can you find the key you need?

TracFone will pay $16 million to settle FCC data breach investigation

Prepaid wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection.

Google admits it can’t quite quit third-party cookies

Google has taken a new turn in its approach to eliminating third-party cookies. This time it's back to the Privacy Sandbox.

Heritage Foundation data breach containing personal data is available online

Data from the Heritage Foundation containing at least half a million passwords and usernames is available online.

A week in security (July 15 – July 21)

A list of topics we covered in the week of July 15 to July 21, 2024.

CrowdStrike update at center of Windows “Blue Screen of Death” outage

An enormous IT outage across the world today is not the result of a cyberattack, but rather a faulty update from CrowdStrike.

Number of data breach victims goes up 1,000%

The Identity Theft Resource Center has published a report showing a 1,170% increase in compromised data victims compared to the same quarter last year.

Gen Z breakups tainted by login abuse for spying and stalking, research shows

Gen Z, who are most likely to engage in consensual tracking, are also the most likely to face non-consensual tracking after a breakup.

Rite Aid says 2.2 million people affected in data breach

Rite Aid has started notifying 2.2 million people who were affected by a data breach that was part of a June ransomware attack.

AI device Rabbit r1 logged user interactions without an option to erase them before selling

Rabbit has introduced an option to erase all data from the r1 device before selling it on, but what if you lose it or it gets stolen?

How an AI “artist” stole a woman’s face, with Ali Diamond (Lock and Code S05E15)

This week on the Lock and Code podcast, we speak with Ali Diamond about what it felt like to find an AI image model of herself online.

Disney “breached,” data dumped online

Hacktivists claim they have stolen 1.2 TB of data from Disney's developer Slack channels.

A week in security (July 8 – July 14)

A list of topics we covered in the week of July 8 to July 14, 2024.

Fake Microsoft Teams for Mac delivers Atomic Stealer

In a new malware campaign, threat actors are using Google ads to target Mac users looking to download Microsoft Teams.

Dangerous monitoring tool mSpy suffers data breach, exposes customer details

Customers of the stalkerware application mSpy had their customer support details exposed after a data breach.

“Nearly all” AT&T customers had phone records stolen in new data breach disclosure

AT&T has told customers about yet another data breach. This time call and text records of nearly all customers were stolen.

iPhone users in 98 countries warned about spyware by Apple

Apple has sent a warning to people targeted by mercenary spyware in 98 countries.

Peloton accused of providing customer chat data to train AI

Exercise company Peloton is accused of providing customer chat data to a third party for AI training.

Ticketmaster says stolen Taylor Swift Eras Tour tickets are useless

Ticketmaster claims that tickets stolen in its data breach are useless, while scalpers have proven the rolling barcode method is not 100% effective.

How to Easily Meet the PCI DSS Awareness Training Requirements

All organisations that transmit, process or store payment card data, or affect its security, must meet the requirements of the PCI DSS (Payment Card Industry Data Security Standard). The currently applicable version of the PCI DSS is v4.0.1, a limited revision to PCI DSS v4.0. The PCI DSS consists of a standardised, industry-wide set of requirements and processes for: The Standard also has a requirement for security awareness training. This blog explains what the PCI DSS requirements are for staff awareness training, to whom they apply and how to prove compliance. What are the PCI DSS requirements for security awareness

The post How to Easily Meet the PCI DSS Awareness Training Requirements appeared first on IT Governance UK Blog.

Your Biggest Security Risk: The Insider Threat

Expert insight from our head of GRC consultancy Our analysis of the ICO’s (Information Commissioner’s Office) public data set found that 29–35% of reported personal data breaches between 2019 and 2023 in the UK had been caused accidentally. That is, the incident type was one of: Sector patterns However, when we investigated the sectors suffering the most accidental breaches, we found that the entire top 3 comprised the public sector, with numbers as bad as 36.4%, 40.4% and 57.1% of all data breaches caused through human error. When we asked Damian Garcia, our head of GRC (governance, risk and compliance)

The post Your Biggest Security Risk: The Insider Threat appeared first on IT Governance UK Blog.

ISO 27001:2022 Transition Challenges and How to Use ISO 27002

Practical insight from an ISO 27001 consultant With ISO 27001:2013 certification now unavailable, organisations must transition to the 2022 standard for their ISO 27001 certification to remain valid. What are some of the challenges organisations face? And how can they overcome them? We put these questions to Matthew Peers, who helps our clients implement and prepare for ISO 27001 certification. In this interview What are the challenges of transitioning to ISO 27001:2022? One challenge I’ve been seeing is updating all the documentation to match the new Standard. In ISO 27001:2013, Annex A contained 14 groups of controls. Now, we just

The post ISO 27001:2022 Transition Challenges and How to Use ISO 27002 appeared first on IT Governance UK Blog.

Analysing Data Breaches Caused by Human Error

A deep dive into the ICO’s numbers We often hear the terms ‘accidental breach’ and ‘internal threat’, but how common are these phenomena? To find out, we analysed the ICO’s (Information Commissioner’s Office) public data set. Specifically, we looked into four data breach types caused by human error: Note that this data set only accounts for personal data breaches reported to the ICO, so it only reflects breaches affecting UK residents. The number of data breaches that actually occurred was likely higher. Also note that this blog only accounts for the data from 2019–2023, because these are the only years

The post Analysing Data Breaches Caused by Human Error appeared first on IT Governance UK Blog.

The Good, the Bad and the Improvable of PCI DSS v4

Version 4.0 of the PCI DSS (Payment Card Industry Data Security Standard) went into effect on 1 April 2024, surpassing v3.2.1. As a QSA (Qualified Security Assessor), I’ve completed a few PCI DSS v4 analyses and assessments. In this blog, I’ll share the good, the bad and the improvable aspects of this new standard. I’ll also highlight a potentially problematic change introduced by PCI DSS v4.0.1, a recently published ‘limited revision’. PCI DSS v4.0.1 included no new requirements, but may nonetheless present a new challenge for certain organisations. In this blog The good New sub-requirements X.1.1 and X.1.2 I like

The post The Good, the Bad and the Improvable of PCI DSS v4 appeared first on IT Governance UK Blog.

‘RockYou2024’: Nearly 10 BILLION Unique Plaintext Passwords Leaked

A penetration tester’s take on the implications Cybernews researchers have found 9,948,575,739 unique plaintext passwords leaked on BreachForums, a popular hacking forum. On 4 July 2024, a threat actor called ‘ObamaCare’ leaked what is likely the largest password compilation to date, calling it “10 Billion Rockyou2024 Password Compilation”. Specifically, ObamaCare said: I present you a new rockyou2024 password list with over 9.9 billion passwords! I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years. Also cracked some old ones with my new 4090. This contains actual new real passwords from users.

The post ‘RockYou2024’: Nearly 10 BILLION Unique Plaintext Passwords Leaked appeared first on IT Governance UK Blog.

Free Expert Insights: Index of Interviews

At least once a week, we sit down with an expert from within GRC International Group to get their insights on a technical topic or business area. Here are all our Q&As to date, grouped by broad topic: AI Cyber attacks and data breaches Cyber Essentials Cyber resilience Cyber security Data privacy DORA Europrivacy Incident response ISO 27001 PCI DSS PECR Security testing Supply chains Training Miscellaneous To get new expert insights straight to your inbox, sign up to our weekly newsletter, the Security Spotlight. Last updated: 10 July 2024. Interviews added: James Pickard on security trends for 2024 and

The post Free Expert Insights: Index of Interviews appeared first on IT Governance UK Blog.

GDPR Article 28 Contracts: What You Need to Know

An overlooked GDPR requirement AND a business enabler Andy Snow has trained thousands of people on the GDPR (General Data Protection Regulation). So, he’s a good person to ask about what areas people find challenging. His response? “The data-sharing aspects of contracts.” As a trainer, Andy regularly receives praise for his engaging delivery style, bringing the subject matter to life with real-world examples. In this conversation, he did the same. Andy’s explanations show the importance of this overlooked area of GDPR compliance. Contracts aren’t just a GDPR requirement. Doing your due diligence can save your organisation a lot of money,

The post GDPR Article 28 Contracts: What You Need to Know appeared first on IT Governance UK Blog.

Records of Processing Activities (ROPAs): Simplifying GDPR Compliance

Expert insight from a data privacy trainer and DPO “Organisations tend to overcomplicate GDPR compliance.” That’s what data privacy trainer and DPO (data protection officer) Andy Snow said when I asked him, in honour of the Regulation’s sixth anniversary, what organisations are still struggling with when it comes to GDPR compliance. This seems a common theme. Louise Brooks, head of consultancy at our sister company DQM GRC, remarked that many organisations tend to see the GDPR as prescriptive, stemming from misunderstandings around how the Regulation actually works: principles-based and risk-based. Specifically for GDPR compliance, records of

The post Records of Processing Activities (ROPAs): Simplifying GDPR Compliance appeared first on IT Governance UK Blog.

Security Trends for 2024 and Beyond

Expert insight from our head of security testing As we get deeper into 2024, we felt it was time to sit down with our head of security testing, James Pickard, to talk about what trends in cyber security he’s seeing. He pointed to the rise of AI, and how this is changing cyber security, particularly in terms of social engineering attacks. We also covered other areas, including ransomware trends and how organisations can protect themselves. About James Pickard James is an expert penetration tester – and our head of security testing – with more than a decade in the field.

The post Security Trends for 2024 and Beyond appeared first on IT Governance UK Blog.

When spear phishing met mass phishing

Kaspersky experts have discovered a new scheme that combines elements of spear phishing and mass phishing.

Developing and prioritizing a detection engineering backlog based on MITRE ATT&CK

How a SOC can efficiently manage priorities when writing detection logic for various MITRE ATT&CK techniques and what tools can help.

CloudSorcerer – A new APT targeting Russian government entities

Kaspersky discovered a new APT, CloudSorcerer, targeting Russian government entities and using cloud services as C2, just like the CloudWizard actor.

Cybersecurity in the SMB space — a growing threat

Kaspersky analysts explain which applications are targeted the most, and how enterprises can protect themselves from phishing and spam.

XZ backdoor: Hook analysis

In this article, we analyze the XZ backdoor's behavior inside OpenSSH after it has hooked the RSA-related functions.

Analysis of user password strength

Kaspersky experts conducted a study of password resistance to attacks that use brute force and smart guessing techniques.

Cinterion EHS5 3G UMTS/HSPA Module Research

We performed a security analysis of a Telit Cinterion modem in the course of a larger project, a security assessment of a popular truck model, and found eight vulnerabilities.

QR code SQL injection and other vulnerabilities in a popular biometric terminal

The report analyzes the security properties of a popular biometric access control terminal made by ZKTeco and describes vulnerabilities found in it.

Bypassing 2FA with phishing and OTP bots

Explaining how scammers use phishing and OTP bots to gain access to accounts protected with 2FA.

IT threat evolution in Q1 2024. Mobile statistics

Mobile malware statistics for Q1 2024: most common threats for Android, mobile banking Trojans, and ransomware Trojans.

Global Security Outage

In this daily security byte with WatchGuard CSO Corey Nachreiner, he explains the recent global IT outage caused by a CrowdStrike update. We also follow up on RockYou and the RockYou2024 data dump of 10 billion records.

Blast RADIUS

This week on the podcast we discuss the newly disclosed protocol vulnerability in certain RADIUS implementations. Before that, we give an update on the continued fallout from the Snowflake customer data breaches, including a new disclosure from AT&T. We also discuss a blog post from JFrog that details how they saved the world from what could have […]

OpenSSH regreSSHion Vulnerability

This week on the podcast, we cover OpenSSH’s recent critical vulnerability and what it means for systems administrators. Before that, we discuss the CDK Global ransomware attack impacting car dealerships across the US, a Korean internet service provider delivering malware to their customers, and a takeover of a popular JavaScript library gone hostile.

Snowflake Breach Campaign

This week on the podcast we discuss two issues from this month’s Microsoft Patch Tuesday that deserve your attention. After that we discuss the recent data theft campaign targeting Snowflake customers that has impacted over 100 organizations. We end the episode with an update on the hackers behind the MGM and Caesar’s Entertainment breaches last […]

Yet Another TA558 Campaign Targets South America’s Hospitality Industry With AsyncRAT

Introduction This research began with finding a simple malware sample to extract strings for an unrelated topic. In my day-to-day malware analysis workflow, I stumbled upon a JavaScript (JS) file with what I would call trivial obfuscation. I knew it was malware but wanted to understand the infection chain. After some cleanup, I understood it […]

Q1 2024 Internet Security Report

This week on the podcast we cover the WatchGuard Threat Lab’s Internet Security Report from Q1. In this episode, we discuss the latest trends in malware detections at the network and the endpoint, network attack trends, and malicious domains that targeted WatchGuard customers around the world.

Recall Windows Recall

This week on the podcast, we discuss a new Microsoft Windows feature that is shaping up to be a security nightmare. Before that, we discuss a new research initiative from the Advanced Research Projects Agency for Health (ARPA-H) that could make big improvements in healthcare cybersecurity.

SSID Confusion Attacks

This week on the podcast, we cover a newly disclosed weakness in the 802.11 Wi-Fi standard that affects common enterprise Wi-Fi deployments. Before that, we discuss CISA’s Secure by Design Pledge for technology vendors before ending with a Microsoft research post on Quick Assist social engineering.

Seattle Kraken IT Joins The 443 Podcast

In a very special episode of #the443Podcast, WatchGuard Director of Security Operations Marc Laliberte sits down with Seattle Kraken Cybersecurity Engineer Ryan Willgues to discuss how Ryan got his start in IT, what it’s like working for an NHL franchise, how the Kraken have deployed WatchGuard’s Unified Security Platform, and much more.

Picking Secure Technologies

This week on the podcast, we cover guidance from CISA and its international partners that guides organizations on the right questions to ask during the technology procurement process to make sure the products they buy are secure. Before that, we cover Microsoft’s research into a common vulnerability impacting over 4 billion Android application installations followed […]

Read More - Picking Secure Technologies

Read More
The 2024 Verizon DBIR

This week on the podcast, we cover the key takeaways from the 2024 Verizon Data Breach Investigations Report. Before that, we discuss what we learned from United Healthcare CEO Andrew Witty’s congressional testimony on their ransomware attack in February. We also discuss a research article from JFrog on malicious Docker Hub repositories.

Cisco ArcaneDoor Attack

This week on the podcast, we cover a nation-state backed attack against Cisco ASA appliances which Cisco TALOS themselves have dubbed “ArcaneDoor.” After that, we discuss a phishing toolkit being used to target LastPass users before ending with a new way to deliver malware payloads using legitimate services.

A Postmortem of Microsoft’s Security Incident

This week on the podcast, we cover a report from the Department of Homeland Security’s Cyber Safety Review Board that analyzes Microsoft’s Exchange Online 2023 security incident in excruciating detail. Before that, we cover CISA’s new rules around cyber incident reporting and an unsealed indictment against 7 Chinese nationals.

Ending Session Hijacking

This week on the podcast, we cover a Google initiative to kill off session hijacking attacks once and for all. Before that, we give an analysis of CVE-2023-3400, the Palo Alto zero-day vulnerability currently under active exploit. Additionally, we discuss a recent white paper from CISA on securely deploying artificial intelligence systems.

BatBadBut What?

This week on the podcast, we cover a research post that describes a code injection vulnerability caused by the way nearly every high-level programming language runs on Windows. We also discuss a series of vulnerabilities in LG televisions that allow remote attackers to root the device before ending with a chat about new adversarial […]

Bad Month for Software Supply Chains

This week on the podcast, we cover a software supply chain attack years in the making that was days away from a devastating global impact. After that, we cover Facebook’s Project Ghostbusters and its impact on user privacy before ending with another software supply chain attack that successfully compromised developers in the gaming world.

Trucking Worms

This week on the podcast we discuss a vulnerability in required commercial truck hardware that could enable an automatically propagating worm across the entire US. Before that, we cover Apple’s “un-patchable” vulnerability in their M-series processors as well as a vulnerability that could let attackers unlock hotel room doors at will.

A Wild Month in Ransomware

This week on the podcast, we’re joined by Ryan Estes, a member of WatchGuard’s Zero-Trust Application Service classification team and resident ransomware expert to discuss the wild month in ransomware news. We start the episode with a story about a fake ransomware operator that scammed cybercriminals out of tens of thousands of dollars before discussing […]

Operation Cronos: A Breakdown of the LockBit Disruption

Check out LockBit 3.0 on our new Ransomware Tracker Beta! Hear more about Operation Cronos on The 443 Podcast. If you’ve followed the ransomware space for the past few years, it’s very likely you’ve heard of LockBit. If you don’t follow the cybersecurity landscape, there’s still a good chance you’ve heard of them or at […]

Locking Up LockBit

This week on the podcast, we cover an international law enforcement takedown of the LockBit ransomware group’s infrastructure. After that, we cover a novel malware delivery vector involving an IoT “toy.” We end the podcast by covering the latest White House Executive Order addressing cybersecurity in critical infrastructure.

Flipping Out Over Flipper Zero

This week on the podcast we cover Canada’s attempt to ban the Flipper Zero. Before that, we review a recent research post on a new class of vulnerability on the Ubuntu operating system. We end the episode with a chat about the impacts of artificial intelligence on data security. Menlo Report on Business AI […]

AnyDesk Remote Access Vendor Compromise

On February 2nd, remote access software vendor AnyDesk disclosed they had been the victim of a cyberattack where an unknown threat actor obtained access to production systems. AnyDesk appears to have contained the incident before the adversaries were able to leverage their access into a supply chain attack against AnyDesk customers but out of an […]

Could a Toothbrush Botnet Happen?

This week on the podcast, we cover a recent news post about an army of 3 million compromised toothbrushes taking down a Swiss website, causing millions in damages. After that, we discuss the United States DOJ’s latest botnet takedown, this time targeting Volt Typhoon. We end the episode by walking through a CISA joint-publication giving […]

A Door in Apple’s Walled Garden

This week on the podcast, we cover Apple’s recent announcement describing how they will comply with the European Union’s new Digital Markets Act and what that means for the iPhone walled garden. Before that, we cover a data breach at Mercedes-Benz thanks to an alternative authentication method. Additionally, we cover the roundup of vulnerabilities in Ivanti’s […]

A Blizzard of Threats

This week on the podcast, we cover two “Blizzard” threat actors targeting governments and private organizations. We also give an update to the SEC’s compromised Twitter/X Account, and then end with a discussion of an EU program designed to improve their citizens’ privacy while browsing the internet.

Androxgh0st Analysis

This week on the podcast, we review a CISA and FBI joint advisory on the Androxgh0st malware. Before that we cover recent Volt Typhoon activity targeting SMB routers exposed on the internet. We end the episode with a fun research blog post about a series of flaws in an Indian insurance provider.

NIST Tackles Adversarial AI

This week on the podcast, we review NIST’s new publication that defines a taxonomy for how we talk about Adversarial Machine Learning. Before that, we cover a recent discovery of threat actors retaining access to Google accounts even through a password reset. We round out the episode with an account compromise that led to a […]

RIPE for the Taking

This week, we cover a password compromise that led to a mobile telco in Spain losing control of their IP address space. We also give a quick update on the Lapsus$ ringleader’s court case before discussing a recently discovered macOS backdoor malware that evades most endpoint protection. We end the episode by covering Microsoft’s research […]

Hacking the Crypto Supply Chain

This week on the podcast, we cover a supply chain attack against one of the largest hardware cryptocurrency wallet manufacturers. After that, we discuss the latest Apache Struts vulnerability under active exploit by threat actors. We end the episode with our thoughts on a research blog post about a set of threat actors using an […]

Bluetooth Busted

This week on the podcast, we cover a new unauthenticated keystroke injection vulnerability in the Bluetooth implementation on nearly every type of device. After that we discuss Logofail, a suite of vulnerabilities in most UEFI boot implementations that could let threat actors easily hide their tracks. We end by covering a recent CISA advisory on […]

Our 2024 Security Predictions

This week on the podcast we discuss our cybersecurity predictions for 2024. We’ll cover each of the 6 predictions for the coming year including the trends behind them and how to protect your organization if they come true!

Grading our 2023 Security Predictions

This week on the podcast, we look back to our 2023 security predictions and grade ourselves on how well we were able to see the future. We’ll go through each of our 6 predictions, explain the trends that fueled them, and then provide either evidence that they came true or discuss reasons why they may […]

What to Expect from NIS2

This week on the podcast, we dive into the EU’s Network and Information Security directive update, aka NIS2. We’ll cover who might be impacted and what to expect in terms of requirements in the coming year. Before that, we give an update on the latest Scattered Spider threat actor activity followed by an […]

Combined Cyber and Kinetic Warfare

This week on the podcast, we cover an analysis from Mandiant on an attack led by the Russian state-sponsored threat actor Sandworm that came alongside missile strikes against Ukraine. Before that, we review Okta’s post mortem from their recent cyber incident. We end the episode by discussing updated research from Jamf on a North Korean […]

The White House Tackles AI

This week on the podcast we cover an Executive Order from the US White House on the topic of Artificial Intelligence. After that, we discuss the latest CISO that has found themselves in hot water with the law. We then cover an update to the Common Vulnerability Scoring System and end with a researcher claiming […]

The Threat Actor That Hacked MGM

This week on the podcast, we review a thorough unmasking of Octo Tempest, the threat actor behind the MGM and Caesars Entertainment attacks in September. Before that, we give an update on the Cisco IOS XE vulnerability that led to an implant installed on thousands of exposed devices. We round out the episode with an […]

CISA’s Secure by Design Whitepaper

This week on the podcast, we cover CISA’s newly updated whitepaper on guidance for both software manufacturers and customers on the principles of secure-by-design and secure-by-default. Before that, we cover the Cisco IOS XE vulnerability that is under active exploitation in the wild, give an update on the EPA’s efforts to regulate cybersecurity practices in […]

Microsoft is Killing NTLM

This week on the podcast, we cover the recent HTTP/2 protocol vulnerability that led to the largest DDoS attack ever recorded by CloudFlare. After that, we discuss Microsoft’s announcement about the deprecation of VBScript and the impending removal of NTLM. We then cover a collection of data allegedly stolen from the genealogy website 23 and […]

Q2 2023 Internet Security Report

This week on the podcast, we go through the latest Internet Security Report from the WatchGuard Threat Lab. We’ll cover the top malware and network attack trends from Q2 2023 impacting small and mid-market organizations globally before ending with defensive tips anyone can take back to their company.

Bing Chat Malvertising

This week on the podcast, we discuss an alert from CISA on nation state threat actors embedding malware into legacy Cisco router firmware. After that, we cover a research post on malicious advertisements served up via Bing’s ChatGPT integration. We then end with an analysis of North Korea’s Lazarus group’s latest social engineering techniques.

Meta’s One Good Deed

This week on the podcast, we get up to speed on the MGM and Caesars Entertainment ransomware incidents from the previous week. After that, we take a deep dive into a blog post from Meta’s application security team for their VR headsets. After that, we cover Microsoft’s analysis of an APT’s pivot from email to […]

iPhone’s Latest 0-Day

This week on the podcast, we cover Microsoft’s final report on their July incident involving nation-state actors compromising enterprise email accounts. After that, we discuss a zero-day, zero-click vulnerability in iOS being actively exploited in the wild before ending with a chat about an upcoming change to how Android handles CA certificates.

The Qakbot Takedown

This week on the podcast, we cover the FBI-led, multinational takedown of the Qakbot botnet of over 700,000 victim devices. After that, we cover two Android malware variants including one targeting victims in southeast Asia and another built by the Russian GRU.

Weaponizing WinRAR

This week on the podcast we cover the latest evolutions of the North Korean threat actor Lazarus before covering an actively-exploited 0day vulnerability in the popular unarchiver WinRAR. We end the episode with an AI-related attack that doesn’t actually use AI.

U.S. Cyber Trust Mark

This week on the podcast we cover the FCC’s proposal for a security assurance labeling program for IoT devices. Before that, we discuss the latest AI research challenge hosted by DARPA as well as some research into a novel attack against the AI/ML supply chain.

Def Con 2023 Recap

On this week’s episode, we chat about some of our favorite talks from this year’s Def Con security conference. We’ll cover several topics including artificial intelligence, hacking mobile point of sale devices, and how worried we should or shouldn’t be about cyber warfare.

BlackHat 2023 Recap

In this special end-of-week episode of The 443, we cover some of our favorite talks from this year’s edition of the BlackHat cybersecurity conference in Las Vegas. We’ll discuss the trends we saw and summaries of interesting topics including AI, nation state warfare, and improving cyber defense.

What Is Same-Origin Policy? Replay

This week we look back to an episode that originally aired in May 2021 where we remember a Def Con legend then dive into two web browsing security acronyms. Keep an eye out later this week as we come to you from this year’s Black Hat and Def Con cybersecurity conferences!

Qakbot Qacktivity

This week on the podcast, we cover the latest evolutions of the decade-old Qakbot malware including changes in how attackers deliver it. After that, we give an update on the SEC’s new rules around mandatory security disclosure. We then end by reviewing CISA’s analysis of Risk and Vulnerability Assessments they completed for their constituents in […]

Red Teaming AI Systems

This week on the podcast, we give an update on last week’s discussion around a China-based APT targeting government organizations. After that, we cover the latest uses of generative AI like ChatGPT by malicious hackers. Finally, we end with a report from Google on their efforts around Red Teaming Artificial Intelligence systems.

New Microsoft Office 0-Day

This week on the podcast we cover two stories that came out of Microsoft’s July Patch Tuesday. The first involves an incident within Microsoft that led to foreign cybercriminals compromising the email accounts of multiple government agencies. The second story involves an actively exploited 0-day vulnerability in Office that at the time of recording, remains […]

Q1 2023 Internet Security Report

This week on the podcast, we cover WatchGuard Threat Lab’s Internet Security Report for Q1 2023. Throughout the episode, we’ll discuss the key trends for cyber threats impacting small and midsize organizations globally including the top malware and network attack detections as well as a look specifically at the endpoint. We round out the episode […]

RepoJacking

On this week’s podcast we discuss a recent analysis on the risks of GitHub RepoJacking. After that, we dive into the Barracuda 0-day that China-based threat actors are actively exploiting as well as a novel command and control distribution method for a separate China-based APT.

A New Russian APT

On this week’s episode we discuss the newly named threat actor Cadet Blizzard, including their typical tools, tactics and procedures. We also cover CISA’s newest binding directive to federal agencies. Before that, we give an update on exploited MOVEit Transfer servers and the latest Bitcoin laundering technique.

Minecraft Mod Malware

This week on the podcast we cover a supply chain attack of sorts against Minecraft gamers. After that, we cover a vulnerability in MOVEit Transfer that threat actors are exploiting in the wild to steal data and deploy ransomware. Finally, we end with our review of the latest Verizon Data Breach Investigations Report (DBIR).

How Not to Update Software

This week on the podcast, we give a quick update on the latest Volt Typhoon activity before covering a newly for-sale EDR bypass tool. After that, we discuss Gigabyte’s decision to rootkit their own motherboards before ending with a new macOS vulnerability.

Naming APTs

This week on the podcast, we cover Microsoft’s latest refresh of naming conventions for advanced persistent threat (APT) actors worldwide, as well as an update on two specific threat actors and their latest tactics. We also cover a ransomware event targeting a biotechnology company with an interesting twist.

TikTok is Banned, Kind Of

This week on the podcast, we cover the recent TikTok ban coming from the state of Montana and discuss whether it was justified and what the potential security impact is. Before that, we give an update on two US Supreme Court cases that were poised to potentially strip away Section 230 protections. We also highlight […]

Scratching the Surface of Rhysida Ransomware

A few days ago, I was scrolling through Twitter and came across a post by the MalwareHunterTeam briefly discussing a new Ransomware group – Rhysida. A lack of results from a Google search shows this is a newer group prepping to start operations. I grabbed a sample and downloaded it, and the executable confirmed that […]

An Interview with ChatGPT

This week on the podcast, Marc kicks Corey off the podcast and interviews ChatGPT to learn its thoughts on AI applications in cybersecurity, both on offense and defense.

Securing Healthcare Tech

This week on the podcast, we cover two new malware research pieces, including the latest evolution of a delivery vehicle as old as time. After that, we cover recent regulations in the healthcare industry that have a chance to push the industry to a more secure future.

Rustbuckets and Papercuts

This week on the podcast, we cover a recently discovered macOS malware attack that uses a multi-stage delivery mechanism. Before that, we discuss an actively-exploited vulnerability in the print management software PaperCut, as well as an update on the 3CX supply chain attack.

MSPs Around the World – Americas

This week’s podcast comes from the WatchGuard Apogee partner conference for the Americas where we bring on special guests Kevin Willette of Verus Corporation and Neil Holme of Impact Business Technology to discuss the challenges and opportunities MSPs and MSSPs will face in the coming years. This is the first of a multipart series where […]

Zero Trust Maturity Model 2.0

This week on the podcast, we cover two new publications out of CISA. First, we dive into CISA’s guidance to manufacturers and customers on products that are secure-by-design and secure-by-default. Next, we discuss CISA’s latest Zero Trust Maturity Model which any organization can use to gauge how far along they are on the ZTA path […]

Cybersecurity News: A Trio of Vulnerabilities, BreachForums Admin Arrested, Hundreds of Ransomware Victims, and The Rise of AI

This post arrives later than usual, but as they say, “Better late than never.” Researchers and the media have highlighted various unique, interesting, or destructive vulnerabilities in the last few weeks. We decided to pick three of these vulnerabilities and talk about them. One was patched with Microsoft’s Patch Tuesday in March; another affects the […]

Operation Cookie Monster

This week on the podcast, we discuss another cybercrime marketplace takedown dubbed Operation Cookie Monster. After that, we discuss Microsoft’s attempts to limit the distribution of a popular hacking toolkit. Finally, we discuss a recent analysis by Dr. Ken Tindell of Canis Automotive Labs around how criminals were able to steal his friend’s Toyota Rav4. […]

Another Software Supply Chain Attack

This week on The 443, we discuss the latest software supply chain attack with a potential blast radius of thousands of organizations. Then we cover a new protocol vulnerability in the Wi-Fi wireless standard before ending with some research into insecure Microsoft Azure applications.

3CX Supply Chain Attack

3CX created the desktop phone app 3CXDesktopApp and now finds itself in the middle of a supply chain attack. As a recognized company in the softphone space, 3CX provides services to many large companies including Honda, Coca-Cola, BMW, Holiday Inn among others, according to the testimonials on their website. This week though, they […]

The NSA’s Guidance on Securing Authentication

This week we have all the acronyms as we cover a joint publication by CISA and the NSA with Identity and Access Management (IAM) best practices. We then cover some new proposed cybersecurity rules out of the Securities and Exchange Commission (SEC) before ending with an FBI takedown of a popular hacking forum.

Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches

It’s Monday, and there’s no better way to start a new week than with some cybersecurity-related news. So, if you need an excuse to procrastinate a bit more, allow us to fill that void. For this iteration, we made a few minor improvements, as always. In addition to the table of contents from last time, […]

An Update on Section 230

On this week’s episode we look back to our initial monologue on Section 230 protections that allow social media and the internet as a whole to function. We cap off the episode replay with a new discussion on a recent Supreme Court case that has the potential to dramatically impact the internet as […]

Here Come The Regulations

On today’s episode, we cover two new sets of cybersecurity regulations, fresh off the heels of the White House’s National Cybersecurity Strategy publication, targeting different critical infrastructure sectors in the United States. We’ll also cover the latest in nation state activity targeting network connectivity appliances and end with some fun research into an oldie but […]

US National Cybersecurity Strategy

This week’s episode is all about the White House’s recently released National Cybersecurity Strategy. We’ll walk through the strategy from top to bottom and discuss the key elements most likely to impact individuals and organizations as well as our overall thoughts on the direction the US Federal Government is planning to take.

Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!

A new week, a new month, and a new Cybersecurity News post! This iteration contains a whopping eight (8) stories covering the last two to four weeks. Since cybersecurity is a diverse field of assorted specializations, we attempt to match that with various stories touching on all aspects of cybersecurity. This time we cover a […]

Cybersecurity’s Toll on Mental Health

This week on the episode we have a discussion about stress-related issues impacting cybersecurity professionals and ways to combat them. Before that, we cover the latest news including new 0-click exploit protection from Samsung, the latest update on GoDaddy’s security woes, and Twitter’s latest erratic move.

Successfully Prosecuting a Russian Hacker

In today’s episode, we discuss a recent court case resulting in the successful conviction of a Russian national tied to breaking into several publicly traded US companies. We also cover the latest details on the ESXiArgs ransomware attacks that have been impacting organizations globally as well as the latest CISA alert on nation-state ransomware […]

Cybersecurity News: Automated Ransomware Attacks, U.S. No Fly List Leaked, and A.I. Detecting A.I.

Welcome to another iteration of Cybersecurity News, the fairly new and unorthodox, semi-monthly news article that highlights a handful of noteworthy cybersecurity-related stories and provides extra references and resources to do further research if you desire. We aim to solidify a more concrete release schedule going forward and will release more information once we have […]

Live Audience MSP Q&A Panel

On this week’s very special episode of the podcast, we sit down with Matt Lee, Calvin Engen, and Scott Williamson, three MSP security and business experts for a Q&A panel in front of a live audience! We’ll cover everything from how MSPs and MSSPs should address the cyber threat landscape to what vendors can do […]

A Technical Analysis of ISAACWiper

Shortly after Putin launched his “special military operation” in Ukraine on February 24th, 2022, researchers from ESET published information about two novel destructive malware families – HermeticWiper and ISAACWiper. HermeticWiper was part of a three-pronged campaign that included a worm and pseudo-ransomware component known as HermeticWizard and HermeticRansom, respectively. HermeticWiper is the data-wiping component. ISAACWiper, […]

What is CVSS?

This week on the podcast we cover the Common Vulnerability Scoring System (CVSS) including how it works and some of its limitations. Before that though, we discuss a recent survey on the risks of ChatGPT’s usage in cyberattacks and the latest activity from Lazarus, the North Korean government hacking operation.

CISA Warns of Weaponized RMM Software

On today’s episode, we cover a recent Department of Justice operation that resulted in taking down a major ransomware organization. After that, we cover two recent publications from CISA, the first on malicious use of legitimate RMM software and the second giving guidance to K-12 on how to address cybersecurity concerns.

Cybersecurity News: ACLU Unveils Mass Surveillance Program, (More) Malvertising, and Breaches

Sifting through the most recent cybersecurity-related news may seem daunting, and keeping up with the latest developments is arduous. However, the WatchGuard Threat Lab is happy to filter through the latest cybersecurity news and highlight some stories we believe are important, noteworthy, or interesting. The goal is to focus on a few recent cybersecurity-related stories, […]

Law Enforcement Infiltrate and Seize Hive Ransomware Operation

In a sudden, stunning announcement today, the United States Department of Justice, the FBI, and agencies from 13 countries working with Europol announced the seizure of the transnational Hive ransomware operation. The seizure was part of a months-long operation that began in late July 2022 when the FBI infiltrated the Hive network. Deputy Attorney General […]

Report Roundup

This week on the podcast, we cover key findings from three individual reports published last week. In the first report we’ll dive into the world of blockchain analysis looking for illicit transactions. In the second report, we’ll cover the state of SMB security. The final report includes a discussion of overall financial crime involving stolen […]

Cybersecurity News: Malvertising, Ransomware, and Alleged IRS Breach

Regarding malware, breaches, and the overall threat landscape, 2023 is off to a dynamic start. Malvertising (malicious advertising) continues to be a successful attack vector for hackers, especially from sponsored ads via Google searches. Jon DiMaggio released his long-awaited Ransomware Diary series beginning with the first iteration of the LockBit ransomware group. Also, a new […]

The RCE Vulnerability That Wasn’t

This week on the podcast we cover a recently-disclosed vulnerability in the popular JavaScript library JsonWebToken. After that, we give an update on weaponizing ChatGPT, the currently free Artificial Intelligence chatbot that has made waves since its release in November. We round out the episode with a wave farewell to Windows 7 and Windows […]

When Trying to Catch ‘Em All, Leave This RAT Alone

Recently, researchers have observed threat actors using a website previously associated with the popular AR game PokemonGo to distribute a remote access trojan (RAT). The method of delivery is a cleverly disguised game installer that includes a copy of the commonly used NetSupport Manager application, which on its own is technically a trusted application. The […]

Reviving a Dead Botnet

This week on the podcast we cover a recent analysis by Mandiant on a Russia-based APT using a decade-old botnet to deliver new attacks. Before that, we cover an update from LastPass about their most recent breach as well as the 200 million Twitter accounts leaked last week.

Q3 2022 Internet Security Report

This week on the podcast we discuss key findings from the WatchGuard Threat Lab’s Q3 2022 Internet Security Report. We’ll cover everything from the top malware threats to the latest network attack trends targeting small and midsize enterprises globally and give practical defensive tips that anyone can use to keep their organizations safe.

2023 Security Predictions

It’s that time of year for us to discuss the WatchGuard Threat Lab’s 2023 cyber security predictions! On this episode, we will cover the six predictions plus another two that didn’t make the cut as well as some defensive strategies to try and help stop them from coming true.

Apple’s New Privacy Expansion

This week on the podcast, we cover Apple’s latest announcement of expanded privacy and security features for their users. Before that, we cover a major breach in the Android ecosystem followed by a new Internet Explorer (yes, that still exists) 0-day vulnerability.

Hacking Hyundai

On this week’s episode, we cover the latest in car hacking, this time involving a vulnerability that could have given remote attackers full control over certain Hyundai models’ doors, lights and engine. After that, we discuss the latest breach impacting a major password management app and how it’s different from previous ones we’ve seen. We […]

CISA Incident Response Learnings

On today’s episode we cover a pair of alerts from the Cybersecurity and Infrastructure Security Agency (CISA), one detailing the tools, tactics and procedures of a prolific ransomware organization and another walking through a recent incident response engagement CISA completed with a federal agency. Before that though, we learn about what happens when you use […]

Attack Surface Management

This week on the podcast we dive into the world of attack surface management. We discuss what your attack surface is made up of, including some areas you may not have thought of, and then cover the best ways to reduce and ultimately protect it.

Endurance Ransomware Claims Breach of US Federal Government

The WatchGuard Security Team spends a lot of time chasing ransomware extortion groups throughout the dark web. So, it only fits that one of the newer ransomware extortion groups is named Endurance Ransomware. It appears this “group” is one individual known as IntelBroker, who has allegedly breached several entities of the US government and two […]

2022 Cybersecurity Predictions Recap

This week on the podcast we take a look back at our 2022 cybersecurity predictions and give ourselves a grading on how well we did. From cyber insurance to space hacks, we’ll cover each of the 6 predictions we made last December and discuss why we think they did or did not come to fruition. […]

Why OpenSSL Downgraded Their Vulnerability

On this episode we cover the much anticipated OpenSSL vulnerabilities that were disclosed and patched on November 1st and why the 6-year streak of no critical issues continues. After that, we dive back into election security and the hacking activity that could have the most impact. We end with an update from Apple […]

CISA’s Cybersecurity Performance Goals

This week on the podcast we cover CISA’s freshly-released Cybersecurity Performance Goals (CPGs) designed to help smaller organizations bridge the gap between frameworks and practical implementation. After that, we discuss a new bill working its way through the US Senate designed to address open source software security risks. Finally, we end with a research post […]

Ransomware TTPs Deep Dive

This week on the podcast, we cover another remote code execution vulnerability that looks extremely concerning on the surface but might be less serious in reality. After that, we cover two research articles by Microsoft on ransomware campaigns including defensive takeaways for all organizations.

Cyber Energy Star

This week on the podcast we cover a proposed program from the White House to create an Energy Star-like label for cybersecurity in consumer products. Before that, we cover two other updates from the federal government including a new open source tool from CISA and the latest reincarnation of Privacy Shield.

Q2 Threats and Guilty CSOs

This week on the podcast, we focus on highlighting WatchGuard’s Q2 Internet Security Report, covering the latest threat trends and what you can do to avoid them. However, we also pack in our security news segment, with an Optus breach update from an Australian IT and security expert and WatchGuard Partner, the latest on the […]

Optus Opts Out of PII Protection

This week on the podcast, we cover an Optus data breach that could affect over 10 million Australian customers, and what they should do to protect themselves. We highlight a new malware-as-a-service (MaaS) information stealer that lowers the cost and technical bar for cybercriminals. Finally, we end with some good news about how the FBI […]

Two Microsoft Exchange Server Zero-Day Vulnerabilities (aka ProxyNotShell)

Update 10/6/2022: Microsoft has released several updates since their post on the “ProxyNotShell” Exchange vulnerabilities. If you followed their initial mitigation steps, they are not sufficient to block this threat and your Exchange server may remain vulnerable. Security researchers began poking at the initial mitigation recommendations and found ways to bypass their initial detection […]

An Uber Hack

This week on the podcast, we cover Uber’s most recent security incident and the alleged individual behind it. After that, we dive into the world of gas station operational technology and potential security weaknesses in one tool. Finally, we end with a chat about the FBI CISO Academy and how the FBI as a whole […]

Are CISOs Legally Accountable for Security?

This week on the podcast we cover a court case that is attempting to hold the ex-CISO of a popular tech company accountable for their actions involving a data breach dating back to 2016. Before that though, we dive into a novel command and control (C2) method as well as the latest commoditization of […]

A Day in the Life of a Malware Analyst

This week on the podcast we sit down with Ryan Estes, a malware analyst on the WatchGuard Threat Lab team, to discuss what it takes to rapidly differentiate malware from goodware. In this interview, we discuss what it takes to get into malware analytics, popular tools to help with the task, and resources anyone […]

The Twitter Thing

This week on the podcast, we cover the big whistleblower complaint against Twitter including our hot takes on who to believe. We then cover an FBI alert on evasion techniques cyber criminals are deploying in their authentication attacks before finishing with a highlight of a very convincing phish.

2022 Black Hat and Def Con Recap

This week on the podcast we review our time at this year’s Black Hat and Def Con cybersecurity conferences in Las Vegas. We’ll cover how the WatchGuard CTF contest went this year and discuss takeaways from a few of the briefings we attended.

Hacker Summer Camp 2022

This week on the podcast, we give our preview of the Black Hat and Def Con cybersecurity conferences, aka Hacker Summer Camp. Throughout the episode, we’ll discuss the briefings and panels we’re most excited to see and what we hope to get out of them. If you’re not able to attend either conference in person […]

Private Sector Offensive Actors

This week on the podcast we discuss the shifting landscape of phishing attacks in the wake of Microsoft’s efforts to block malicious Office macros. We then cover a private organization that has been found not just selling exploit tools but also participating in offensive cyber operations. We end the episode with a review of IBM […]

USA’s Answer to GDPR

This week on the podcast, we discuss the current cyber skills gap and a federal program designed to help combat it. After that, we dive into the American Data Privacy and Protection Act and what it potentially means if passed by US Congress. We end this week with a quick update on Microsoft’s attempts to […]

Rolling PWN

This week on the podcast we cover the latest in car hacking research, this time targeting vulnerabilities in remote keyless entry. We then dive into Microsoft’s latest research on Adversary in the Middle (AitM) attacks and end with key findings from the latest WatchGuard Threat Lab quarterly Internet Security Report.

Over a Billion Records Leaked in Shanghai National Police Database Hack

This past week, a hacker by the name of ChinaDan allegedly breached the Shanghai National Police (SHGA) database and has put the nearly 23 TB of data up for sale for 10 bitcoin (BTC), or a little over $200k USD as of this writing. ChinaDan claims the data contains “information on 1 Billion Chinese national […]

LockBit Ransomware Group Introduces Bug Bounties and More

The LockBit ransomware group has unveiled a new website – LockBit 3.0 – to host their ransom extortions and data leaks. The website includes several new features, including an unprecedented bug bounty program to assist the group in securing their site; acceptance of the privacy cryptocurrency, Zcash; and the addition of receiving payments from users […]

Grading Gartner’s Guesses

This week on the podcast, we discuss two recent security reports, one on the topic of open source software and the other on “insecure by design” in the Operational Technology (OT) space. We go through the key findings from each report and what our thoughts are on their accuracy within the real world. We end […]

200th Episode Extravaganza

In celebration of our 200th episode, this week on the podcast we take a look back at the last few years and revisit some of our favorite episodes. Along the way, we’ll give updates on a few of our cybersecurity predictions from years past that took just a little bit longer than anticipated to come […]

Robux Ransomware

This week on the podcast we cover the latest and most bizarre ransomware extortion demand we’ve seen in recent memory. Before that though, we cover the latest updates on nation state hacking activity including threats of escalating attacks leading to physical retaliation.

0-Days for Days

This week on the podcast we cover two fresh 0-day vulnerabilities, one in Windows and another in Atlassian’s Confluence, both under active exploitation in the wild. Additionally, we cover Costa Rica’s no good, terrible month in cybersecurity.

Package Hijacking

This week on the podcast, we discuss the line between ethical security research and malicious activity thanks to a compromised open source software package. After that we cover the latest industry to fall victim to ransomware and end by highlighting a 0-click vulnerability in Zoom’s message system discovered by Google Project Zero.

WatchGuard Launches PSIRT Page

WatchGuard’s Product Security Incident Response Team (PSIRT) has launched our public PSIRT page to provide a consolidated resource where network administrators can find advisories and information about security vulnerabilities in WatchGuard products, as well as WatchGuard’s investigations into industry-wide security issues that may impact our products or services. Our PSIRT page also provides information for […]

Building Security Strategies with Matt Lee

This week on the podcast we sit down for a chat with Matt Lee, Sr. Director of Security and Compliance at Pax8 and well-known cyber security educator, to discuss security strategies for MSPs and midsize enterprises in the face of a dynamic threat landscape. We cover everything from picking a framework to getting buy-in […]

CISA Guidance for MSPs

This week on the podcast we walk through CISA alert AA22-131A, which gives bulleted guidance to MSPs and customers of MSPs on how to navigate the security of their relationship as threats targeting service providers continue to grow. We’ll walk through the list, hit each recommendation, and give our own guidance on top of them for […]

The REturn of REvil?

This week on the podcast we discuss the latest rumblings around the return of the prolific ransomware-as-a-service organization REvil. Before that though, we dive into the latest tools, tactics and procedures of the Lazarus nation state hacking group as well as a recently discovered form of fileless malware evasion.

Most Exploited Vulnerabilities of 2021

This week on the podcast, we dive into CISA’s list of the 15 most exploited vulnerabilities in 2021. We’ll walk through each flaw and give a refresher on their history and how attackers have exploited them. After that, we cover the latest ransomware-as-a-service threat that has victimized over 60 organizations worldwide before ending with a […]

Psychic Signatures

This week on the podcast we cover a critical and easily-exploited vulnerability in how some recent versions of Java handle cryptography. We also discuss the latest in a series of alerts from CISA and international intelligence organizations on cyber threats to critical infrastructure. Finally, we end with a condensed overview of the latest internet security […]

Hidden Hafnium

This week on the podcast, we cover the latest evasion and persistence techniques from the state-sponsored threat actors known as Hafnium. Then, we dive into the world of ICS and SCADA devices to discuss the latest joint-agency alert from the US Government. We then round out the episode by highlighting some recent research into spoofing […]

Patch Management Lag

This week on the podcast we discuss one of the most rampant yet easily resolved risks facing many organizations today: not installing vendor-supplied security fixes. We’ll cover some of the reasons why organizations might fall behind on patching as well as the potentially serious consequences. After that, we cover the latest 0-day Chromium vulnerability before […]

For the Love of InfoSec, Don’t Over-Expose Administrative Management Portals

When talking to IT and Security professionals, everyone seems to know they shouldn’t overly expose management portals. And yet, every year we learn some new statistic showing tens of thousands of devices or software products with management portals exposed on the Internet. In hopes of changing this trend, this article talks about why management portals sometimes […]

The Rise and Fall of Lapsus$

This week on the podcast we cover the hacking organization Lapsus$ including their tactics, targets, and how they ended up with several members arrested last week. After that, we cover the cyber cold war and threats of Russian revenge attacks against the US energy sector that prompted classified meetings with potentially targeted organizations.

Sharing Cyclops Blink Threat Intelligence with the Community

At WatchGuard, we understand the importance of sharing threat intelligence with the information security (infosec) community when safe and appropriate. Not only does this information sharing help to directly defend against known threats, but it also helps the community at large learn from the attacks found in the wild, and appropriately adjust detection and defense […]

SATCOM Security

This week on the podcast, we cover a CISA alert on securing satellite communications (SATCOM) in the wake of several recent incidents involving providers and networks in eastern Europe. After that, we check in on the TSA’s cybersecurity rules for pipeline distribution networks and how adoption is going so far in the industry.

US-Backed Cryptocurrency

This week on the podcast, we cover last week’s Executive Order from the White House that lays the foundation for a United States Central Bank Digital Currency, or CBDC, and what it means for the future of Cryptocurrency. We also discuss recent research from Mandiant on APT41, a Chinese threat actor that has recently turned […]

Conti Leaks

This week on the podcast we cover the recent leaks highlighting the inner workings of the Conti ransomware group that started with chat logs and grew to entire source code dumps. We then round out the episode by discussing the recent Nvidia breach and how some of the stolen information might fuel future attacks.

5G Didn’t Break Your Car

5G didn’t put malware on these Mazdas’ entertainment systems, but many Seattle Mazda drivers couldn’t change their radio station after turning it to the local NPR station, KUOW. As one Reddit user put it, “the whole audio system and Bluetooth just keeps trying to reboot.” Some users also reported they couldn’t use their backup cameras. […]

Rewind: Can We Trust Facial Recognition

This week on the podcast we dig back into our archives for an episode that originally aired back in July 2020 where we discussed one of our analysts’ first-hand research into facial recognition biases.

SpoolFool: Windows Print Spooler Fooled Again

Microsoft’s monthly Patch Tuesday already occurred this month, so you know what that means – more disclosed vulnerabilities. This iteration of patches included fixes for a combined 70 vulnerabilities, including one zero-day. Thankfully, none of these fall into Microsoft’s “critical” category. However, there are four Elevation of Privilege vulnerabilities targeting the Windows Print Spooler service […]

BGP-Powered Crypto Theft

This week on the podcast we cover a cryptocurrency heist that abused the backbone of the internet to steal millions of dollars of coins. In related news, we also cover the FBI’s new Virtual Asset Exploitation Team and their focus on tracking cryptocurrency-related cybercrime as well as a recent alert on business email compromise from […]

Russia, Fighters of Cybercrime?

This week on the podcast we cover Russia’s latest crackdown on cybercriminals within their borders and try to answer the “why now?” question. We also discuss a multi-billion dollar cryptocurrency recovery by the US Justice Department including the arrest of two New Yorkers allegedly responsible for the 2016 Bitfinex hack.

New Oski Stealer Variant, “Mars Stealer”, Targets Credentials, Crypto, and 2FA

In early 2020, during the emergence of the COVID-19 pandemic, researchers discovered a novel malware named Oski Stealer, capable of stealing browser data such as cookies, history, payment information, and autofill information, as well as cryptocurrency wallets, login credentials of applications, and Authy 2FA information. It can also take screenshots of your desktop and perform […]

Face Recognition and Privacy Concerns Works Its Way Into Taxes

The US IRS has plans to use a 3rd party identification system to prevent tax-related identity theft. The IRS plans to contract with ID.me to identify people using, among other factors, face recognition. James Hendler, professor of Computer, Web and Cognitive Sciences, wrote about some issues with the IRS’s plan. How will the data be […]

Hacking Back at North Korea

This week on the podcast, we cover the heist of $322 million in cryptocurrency from the distributed exchange Wormhole, including a long discussion on why it feels like cryptocurrency is still the wild west of technology. After that, we give an update on our brief mention in last week’s episode about North Korea’s internet seemingly […]

The Pwnkit Problem

This week on the podcast, we cover Pwnkit, a privilege escalation vulnerability impacting almost every modern Linux release worldwide. We also dive into the world of macOS malware with DazzleSpy, a remote access trojan targeting Hong Kong pro-democracy advocates. Finally, we end with an update on North Korea’s Lazarus APT and their […]

Q3 2021 Internet Security Report

This week on the podcast we discuss the latest Internet Security Report from the WatchGuard Threat Lab. Built with threat intelligence gathered from tens of thousands of Firebox UTM appliances that have opted in to sharing data, the quarterly report lets us talk about the latest malware and attack trends targeting organizations globally. On this episode, […]

Log4j Becomes The Highest Detected Vulnerability Days After Release

Log4Shell attacks have spread throughout the Internet due to the ease with which attackers can perform them. The WatchGuard Threat Lab sees a sample of these attacks from our customers’ perspectives when they opt to provide anonymized threat intelligence data from their Fireboxes. This limited data, along with our analysis, gives us a unique opportunity […]

The Death of the Carding Marketplace

This week on the podcast we give a quick update on the Log4Shell saga after researchers detected the first significant campaign that uses the critical vulnerability. After that, we dive into the world of carding marketplaces where cybercriminals buy and sell stolen credit card information and discuss possible reasons for why these marketplaces […]

Is Cybersecurity Vocational?

This week on the podcast we give an update on log4j2 and its most recently-disclosed vulnerabilities before covering a recent report on credential stuffing by the New York Attorney General. Then, we discuss this recent article in DarkReading on whether or not cybersecurity jobs should be considered professional or vocational.

HP iLO and the Newly Discovered iLOBleed Rootkit

Iranian researchers at the Amnpardaz security firm have discovered rootkits in HP’s iLO (Integrated Lights-Out) management modules. These optional chips are added to servers for remote management and grant full high-level access to the system. This includes the ability to turn the server on and off, configure hardware and firmware settings, and additional administrator functions. The […]

Post-Purchase Monetization of the TV and Your Diminishing Privacy

The internet came by storm. Yes, for years it wasn’t accessible to the major populace, but over time it found its way into the office, school, home, and now more specifically into the living room. With the evolution of the internet came few rules. In came the market makers who began to define basic expectations […]

Give Us Your SSN, Your Email Password, and Your Dream Job

Every so often, there is a phish that stands out because of its brazenness. Today, we came across a bank phish that requested a few verification details: Username and Password; Social Security Number; Email address and email password used for 2-Step verification; Security Questions: What was your dream job as a child? Who is your […]

Active Compromises of vCenter Using The Log4J Vulnerability

Much of what we see exploiting the log4j2 vulnerability, CVE-2021-44228, appears to be scanning for the vulnerability, not necessarily exploitation. However, our own honeypot https://github.com/WatchGuard-Threat-Lab/log4shell-iocs has seen activity from this exploit to install coin miners. In one of the first targeted cases for this vulnerability, a ransomware gang has exploited VMware vCenter with Conti […]

Log4Shell Deep Dive

This week we take a deep dive into CVE-2021-44228, better known as Log4Shell, a critical vulnerability in the massively popular log4j2 logging library for Java applications. We discuss how the flaw came about, how it works, and why this specific issue has the potential to cause lasting headaches for the security industry for years to […]

Read More - Log4Shell Deep Dive

Bluetooth Is Safe Enough For You

Politico published a short piece about Kamala Harris’s hesitancy with Bluetooth devices. The piece treated this as a bit amusing, and its tone suggested the authors considered her paranoid. While the article’s content was light, it did discuss some important security concerns that any Jane Doe might care about. Besides Kamala Harris opting for wired headphones instead of […]

Read More - Bluetooth Is Safe Enough For You

Our 2022 Security Predictions

As we move into the end of the year, it’s time for us to discuss WatchGuard Threat Lab’s 2022 cybersecurity predictions. While many of our predictions tend to come off as extreme, they’re all grounded in the trends that we’ve been following and what we expect to see continue into the coming year. If […]

Read More - Our 2022 Security Predictions

Critical RCE Vulnerability in Log4J2

[Updated 13-12-2021: Additional information for WatchGuard customers] On Thursday, security researchers disclosed a critical, unauthenticated remote code execution (RCE) vulnerability in log4j2, a popular and widely used logging library for Java applications. CVE-2021-44228 is a full 10.0 on the CVSS vulnerability scoring system due to a combination of how trivial the exploit is and how damaging […]

Read More - Critical RCE Vulnerability in Log4J2

2021 Security Predictions Grading

It's getting to be the end of the year, which means it's time to take a look back at WatchGuard Threat Lab’s 2021 security predictions and give ourselves a grade on how well we did! On this episode, we’ll go through our 8 predictions for 2021, recap the trends that fueled them, and discuss either […]

Read More - 2021 Security Predictions Grading

Dangers of Bicubic Interpolation In Pictures

We have seen interpolation in the news concerning a recent court case. Here we cover what interpolation does to an image, not only because of the recent news but also because face recognition uses interpolation to better recognize a face – something we have covered in the past. Interpolation means to take pixels in an image and calculate what their […]

Read More - Dangers of Bicubic Interpolation In Pictures

CISA Alert Tips Off Adversaries

This week on the podcast we discuss how a recent CISA alert on specific threat actor activity tipped off a separate adversary, leading to a new wave of attacks against vulnerable systems across multiple industries. We also cover the latest US and international law enforcement crackdowns on ransomware operators as well as a breakthrough on […]

Read More - CISA Alert Tips Off Adversaries

The Evolution of Phishing: A WatchGuard Real-World Example

Phishing is a type of social engineering attack where threat actors attempt to trick users into providing sensitive information via email. Typically, this involves creating a phishing campaign where threat actors will send the same phishing email to a large batch of recipients in an attempt to trick at least a small subset of these […]

Read More - The Evolution of Phishing: A WatchGuard Real-World Example

Trojan Source

On this week’s episode of the podcast, we cover a newly discovered method for hiding malicious source code in plain sight, CISA’s new Known Exploited Vulnerabilities Catalog, and action from the US Department of Commerce on the Pegasus spyware manufacturer NSO Group.

Read More - Trojan Source

Face Recognition Removed from Facebook But Added to Metaverse

Facebook’s face recognition system has one of the largest training databases in the world, built from photos that users have uploaded since Facebook’s inception, but that database’s time may be coming to an end. In a recent blog post, Facebook announced that it is going to remove the controversial face recognition technology from Facebook. “We’re shutting down the Face Recognition system […]

Read More - Face Recognition Removed from Facebook But Added to Metaverse

The Security Conscious NRA Breached by Russian Hacking Group

The NRA has found itself in the middle of a potential breach and ransomware attack. This happened last week after the Russian hacking group Grief reportedly gained access. Grief has close ties to Evil Corp (another advanced hacking group currently sanctioned by the US) or may even be the same group rebranded. Grief posted […]

Read More - The Security Conscious NRA Breached by Russian Hacking Group

Stealing Make-believe Money

This week on the podcast, we cover a heist of over $130 million worth of cryptocurrency from a decentralized finance (DeFi) organization and have an in-depth discussion on why cryptocurrency-related platforms continue to suffer substantial breaches. Before that though, we cover an apparent ransomware attack against the National Rifle Association and an FBI raid […]

Read More - Stealing Make-believe Money

Nobelium Threat Group Sets Sights on IT Providers

The Microsoft Threat Intelligence Center (MSTIC) detected attacks by the Nobelium group targeting IT services providers. The intent was to “gain access to downstream customers” such as Cloud Service Providers (CSP) and Managed Service Providers (MSP). If the Nobelium name sounds familiar, it’s because they were the threat actor behind the 2020 SolarWinds compromise. MSTIC […]

Read More - Nobelium Threat Group Sets Sights on IT Providers

China Linked Hacking Group Compromises 13 Telcos

Many cellular network protocols don’t have clear documentation explaining them, especially when it comes to the proprietary protocols used by 4G and 5G networks. This makes them difficult for the average person to understand, but also potentially vulnerable to anyone willing to take the time to research them and find issues. We haven’t yet seen attacks […]

Read More - China Linked Hacking Group Compromises 13 Telcos

Schrödinger’s REvil

This week on the podcast, we cover the latest news on REvil, the ransomware-as-a-service organization responsible for the Kaseya attack earlier this year among many others. After that, we cover an update from the US Commerce Department on new export rules around selling hacking tools outside of the United States, nearly 6 years after the […]

Read More - Schrödinger’s REvil

InfoSec News From Last Week October 25th, 2021

Exploit Broker Zerodium Increasing Focus on VPNs The exploit broker Zerodium announced they are seeking exploits for ExpressVPN, NordVPN, and Surfshark VPNs. VPNs are becoming a more lucrative target. Zerodium’s announcement has brought attention to that. Many use VPNs because they believe it protects their privacy. However, it also puts the responsibility of that […]

Read More - InfoSec News From Last Week October 25th, 2021

US Government Sets Rules for Hacking Tool Exports

The US Department of Commerce announced export controls on hacking tools used for surveillance. The aim is to curb access by authoritarian governments that have been identified for human rights violations and abuses. Any company that intends to sell such wares abroad will need to acquire a License Exception Authorized Cybersecurity Exports (ACE). An additional […]

Read More - US Government Sets Rules for Hacking Tool Exports

InfoSec News From Last Week October 18th, 2021

Azure, BitBucket, GitHub, and GitLab revoke SSH Keys After GitKraken Vulnerability The Git software client GitKraken disclosed an SSH key generation flaw in a post this past Monday. The flaw was discovered in versions 7.6.x, 7.7.x, and 8.0.0, for releases available between mid-May and late June this year. GitKraken uses the library keypair to generate SSH keys […]

Read More - InfoSec News From Last Week October 18th, 2021

VirusTotal Global Ransomware Report

This week on the podcast we cover VirusTotal’s first ever global ransomware report which analyzes ransomware trends over the last year from the unique position of the world’s largest malware intelligence platform. Before that though, we cover another APT group with a ridiculous name found exploiting a zero-day vulnerability in Windows.

Read More - VirusTotal Global Ransomware Report

HTML Basics That We Often Miss

By now you have probably heard of Missouri governor Mike Parson's tweet threatening to prosecute a journalist for responsibly disclosing a data breach. If you missed it though, according to the tweet and the governor’s ensuing press conference, a journalist from the St. Louis Post-Dispatch found teachers’ SSNs embedded in a public web page […]

Read More - HTML Basics That We Often Miss

The SMS Breach You Didn’t Hear About

This week on the podcast we discuss a breach that lasted over 5 years involving a company responsible for routing SMS messages for 95 of the top 100 mobile carriers in the world. Before that though, we’ll cover the recent Facebook downtime incident as well as the seemingly total compromise of the video game streaming […]

Read More - The SMS Breach You Didn’t Hear About

InfoSec News Weekly Wrap-Up October 8th, 2021

SMS Routing Company Syniverse Discloses Breach Spanning 5 Years Syniverse claims to be “the world’s most connected company” serving so many large telecommunication companies that it should be assumed that your provider is one of their customers. Their reach is significant, acting as the intermediary for text messages between carriers and routing calls between networks. […]

Read More - InfoSec News Weekly Wrap-Up October 8th, 2021

US Agencies Have Been Busy

U.S. agencies have been making headlines recently for many new cyber-related regulations. The following are several noteworthy examples of what they have been up to. The Federal Communications Commission (FCC) and Robocalls The FCC expects phone carriers to block illegal robocalls from providers not yet registered with the Robocall Mitigation […]

Read More - US Agencies Have Been Busy

How SMBs Deal With An Uptick in Breaches

A recent survey of 700 SMBs (small and medium businesses) by Untangle shows an increase in cybersecurity budgets and awareness. While some companies still have users working remotely, 50% of respondents have moved back into the office or at least some form of hybrid work environment. Most companies – 64% – see breaches as the […]

Read More - How SMBs Deal With An Uptick in Breaches

Twitch Affected by Large Data Leak

Update 1: Twitch believes login credentials have not been exposed (October 7th, 2021): Twitch posted a statement on their blog that, “At this time, we have no indication that login credentials have been exposed.” Additionally, as credit card details are not stored by Twitch, they have ruled out exposure. We recommend changing your password […]

Read More - Twitch Affected by Large Data Leak

To Not Share is To Care

October is Cybersecurity (or, for the less civilized, ‘cyber security’) Awareness Month. Every October, CISA hosts security awareness presentations. Additionally, Cybersecurity Awareness Month means an increase in jaded posts by InfoSec professionals on Twitter and emails from corporate reiterating security basics. There are plenty of positives to be found. Individuals are increasingly familiar with […]

Read More - To Not Share is To Care

Q2 2021 Internet Security Report

This week on the podcast we cover the latest quarterly Internet Security Report from the WatchGuard Threat Lab. We’ll go over the latest attack trends and key findings from Q2 2021 as well as defensive tips for keeping your systems safe from the latest threat landscape.

Read More - Q2 2021 Internet Security Report

FBI's Botched Plan to Catch REvil Cost Victims Millions

Earlier this year Kaseya, which provides IT management software to service providers that support tens of thousands of organizations from schools to hospitals, was involved in a ransomware attack fueled by a compromise of their VSA Remote Monitoring and Management (RMM) software. While the ransomware only impacted a small percentage of their customer base, thousands […]

Read More - FBI's Botched Plan to Catch REvil Cost Victims Millions

Half of Respondents Admitted to Sharing Their Passwords

We often write about passwords and password policies from the IT/security administrator side, usually after a password becomes compromised. We recently found a survey that looked at compromised passwords from the user’s side to better understand how users feel about them. The survey shows a few key points that shed light on the social […]

Read More - Half of Respondents Admitted to Sharing Their Passwords

Kaseya’s Trusted Third Party

This week on the podcast we discuss the recently disclosed identity of the “Trusted Third Party” that Kaseya acquired the REvil ransomware master decryption key from, as well as the ethics of the decision to hold on to the decryption key for multiple weeks before handing it off to Kaseya. We then cover a new APT […]

Read More - Kaseya’s Trusted Third Party

OMIGOD!

This week on the podcast we discuss the recently patched zero-click vulnerability in iOS, macOS and watchOS that researchers at The Citizen Lab discovered while investigating NSO Group’s Pegasus spyware. After that, we cover a vulnerability in the OMI agent that comes automatically installed on all Azure Linux virtual machines. We finish by covering Microsoft’s latest […]

Read More - OMIGOD!

OWASP Update

This week on the podcast we discuss the first update to the OWASP Top 10 since 2017. OWASP serves as an excellent resource for improving web application security, so we’re excited to run through the latest refresh of their top security weaknesses. We also discuss phishing attacks that abuse Internationalized Domain Names (IDNs) in emails […]

Read More - OWASP Update

Azure Linux VMs Vulnerable Due to Pre-Installed Agents

Update 1: OMI agent is not installed on Azure FireboxV/Cloud instances (September 17th, 2021): We reviewed our FireboxV/Cloud instance for Azure and confirmed that the OMI agent cannot be installed on the image. We recommend reviewing the additional guidance Microsoft published on September 16th, 2021 for securing the OMI affected resources/tools. Original Post (September 16th, […]

Read More - Azure Linux VMs Vulnerable Due to Pre-Installed Agents

ProxyWare

This week on the podcast we cover ProxyWare, a form of malware that monetizes your internet access for the benefit of the attacker. After that, we discuss ChaosDB, a vulnerability that could have enabled any Azure user to gain full access to any other user’s CosmosDB instance. Finally, we end with a discussion of location […]

Read More - ProxyWare

Stop Following Me – Rewind

This week on the podcast we dig back in the archives to 2019 where we discussed how web servers manage to track users across sites using browser fingerprinting methods. Even though some improvements like removing third-party cookies have been made to limit tracking, plenty of additional fingerprinting options still remain.

Read More - Stop Following Me – Rewind

PolyNetwork Heist

This week on the podcast we cover one of the largest cryptocurrency heists in history, with a surprising twist of an ending! Before that we’ll chat about the latest T-Mobile data breach and what we can learn about protecting user identity. We end the episode with a discussion about one of the latest episodes of […]

Read More - PolyNetwork Heist

Mobile Carriers Leak 123 million Customer Records in One Week

Over the last week we saw 70 million AT&T customers and 53 million T-Mobile customers have their personal data leaked to hackers. While we didn’t find any connections between these two breaches, the timing of the incidents is strange. AT&T has so far denied the breach involving their customers. While we don’t have confirmation from […]

Read More - Mobile Carriers Leak 123 million Customer Records in One Week

DEF CON 29 Recap

This week on the podcast we chat about a few of our favorite presentations from the 2021 edition of the DEF CON security conference out of Las Vegas. If you haven’t checked them out yourself, visit the DEF CON YouTube channel or media.defcon.org to view this year’s and all previous years’ content.

Read More - DEF CON 29 Recap

Supply Chain Attacks Through an IDE

David Dworken, a Google security researcher, presented a recent Defcon talk about how he found over 30 vulnerabilities in various Integrated Development Environments (IDEs) over the course of a few months of research. Many believe that source code on its own is benign as long as you don’t compile and run it, but as Dworken proved, simply loading code into an IDE can cause infections. A popular example of this comes from […]

Read More - Supply Chain Attacks Through an IDE

ProxyShell, Exchange Servers Under Attack Again

With the 2021 editions of the BlackHat and DEF CON security conferences all wrapped up, one of the presentations that made the biggest waves was the latest research from Orange Tsai of Devcore Security Consulting. Tsai was the researcher responsible for identifying and disclosing CVE-2021-26855, better known as ProxyLogon, to Microsoft back in January 2021, […]

Read More - ProxyShell, Exchange Servers Under Attack Again

Bad BGP

This week on the podcast, we chat about a recent report from Qrator that highlights some of the massive weaknesses in the backbone of the internet. After that, we discuss a recent research blog post from Yan (@bcrypt) showing her work in finding a CSRF flaw in OK Cupid that bypassed Cross-Origin Resource Sharing (CORS) […]

Read More - Bad BGP

Defcon Talk Timeless-Timing-Attacks

A recent Defcon talk by Tom Van Goethem and Mathy Vanhoef, “Timeless Timing Attacks”, made significant progress on ways to carry out timing attacks over a network. Timing attacks work by extracting data from devices based on how long they take to respond. To successfully run a timing attack, the attacker usually must be directly […]

Read More - Defcon Talk Timeless-Timing-Attacks

What Is Zero-Trust Security?

This week on the podcast we talk Zero-Trust. What is it? How do you implement it? And why should all IT professionals work towards updating their networks to this security architecture? We’ll answer all that and more after a quick Kaseya update and a security memorandum from the White House.

Read More - What Is Zero-Trust Security?

What to Make of the Biden Administration’s New ICS Cybersecurity Initiative

Yesterday, the Biden Administration unveiled a new initiative to help improve the cybersecurity stance of the industrial control systems (ICS) that manage the nation’s critical infrastructure. As recent events (like the Colonial Pipeline ransomware incident) have shown, disruptions to critical infrastructure can have serious, potentially even fatal consequences. In short, this is a very real need and […]

Read More - What to Make of the Biden Administration’s New ICS Cybersecurity Initiative

Why So SeriousSAM

This week on the podcast we cover the latest Microsoft Windows privilege escalation vulnerability, SeriousSAM aka HiveNightmare. Before that, we discuss NSO Group and their spyware software known as Pegasus and whether private organizations should be allowed to market and sell spyware to government agencies.

Read More - Why So SeriousSAM

Section 230 – Rewind

With the White House announcing this month that it plans to investigate potential changes to Section 230, the safe harbor laws that enable websites to moderate content without risk of liability for content they fail to remove, we wanted to bring back an episode from last year where we discuss exactly what these laws are […]

Read More - Section 230 – Rewind

REvil Hasn’t Gone Anywhere (Probably)

Many of the recent high-profile ransomware attacks like those against Acer, JBS and more recently, customers of Kaseya, have been the work of the ransomware as a service group REvil. After the most recent attack that exploited multiple zero-day vulnerabilities in Kaseya’s VSA software and left thousands of organizations encrypted, REvil appears to have gone […]

Read More - REvil Hasn’t Gone Anywhere (Probably)

The PrintNightmare Saga Continues to Frustrate System Administrators

Update 1: Third PrintNightmare CVE published (July 16th, 2021): Microsoft published CVE-2021-34481 on July 15th for a local privilege escalation vulnerability. The third Print Spooler service vulnerability is considered separate from PrintNightmare (CVE-2021-34527), but it is still within a similar sphere of printer driver vulnerabilities. Gentilkiwi, the author of the Mimikatz utility, posted a […]

Read More - The PrintNightmare Saga Continues to Frustrate System Administrators

Kaseya & PrintNightmare

This week on the podcast we cover the Kaseya mass ransomware incident from July 7. While the event is still ongoing, we already have evidence for how the attack occurred and exactly what the threat actors did on affected endpoints. In this episode we dive into the details around the incident and defensive tips […]

Read More - Kaseya & PrintNightmare

A Market for Lemons?

We recorded this episode before news of the massive attack against Kaseya users broke on Friday. Suffice to say, next week’s episode will give a full debrief of the incident including how it happened, who it affected, and what all MSPs can learn from it. In the meantime, check out Corey’s post on the Kaseya […]

Read More - A Market for Lemons?
