30,000 websites at risk: Check yours ASAP! (800 Million Ostriches Canβt Be Wrong.)
The post WordPress Plugin Supply Chain Attack Gets Worse appeared first on Security Boulevard.
A report from the Government Accountability Office (GAO) highlighted an urgent need to address critical cybersecurity challenges facing the nation.
The post GAO Urges Action to Address Critical Cybersecurity Challenges Facing U.S. appeared first on Security Boulevard.
In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication (MFA) issues, according to the latest Cisco Talos report.
The post Misconfigured MFA Increasingly Targeted by Cybercriminals appeared first on Security Boulevard.
More than 100,000 websites are affected by a supply chain attack injecting malware via a Polyfill domain.
The post Polyfill Supply Chain Attack Hits Over 100k WebsitesΒ appeared first on SecurityWeek.
Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.
The post Stepping Into the Attackerβs Shoes: The Strategic Power of Red Teaming (Insights from the Field) appeared first on Security Boulevard.
By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices.
The post EU Opens the App Store Gates: A Call to Arms for MDM Implementation appeared first on Security Boulevard.
Snowflakes has become the latest corporate victim in a cyberattack but how it is playing out is a little different than many breaches.
The post Snowflake Breach appeared first on Security Boulevard.
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Β Β Β Thank you. The CISO2CISO Advisors Team.
La entrada Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Letβs explore some of the details behind this escalating threat to SaaS applications, what may be driving it, and what you can do to better protect your SaaS footprint from these types of threats.
The post Why SaaS Identity Abuse is This Yearβs Ransomware appeared first on RevealSecurity.
The post Why SaaS Identity Abuse is This Yearβs Ransomware appeared first on Security Boulevard.
Year after year, the cyber talent gap is increasing β currently estimated to have 3,5 million open positions worldwide β presenting all sorts of headaches for leaders and the organizations they aim to protect. Moreover, organizations have a short window to identify, foster and hopefully retain a pipeline of emerging cybersecurity leaders to ensure the [β¦]
La entrada Recommended Skills for a Cyber Security Career se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
The LockBit ransomware group is claiming that it hacked into systems at the U.S. Federal Reserve and stole 33TB of data that it will begin leaking as early as Tuesday if the institution doesnβt pay the unspecified ransom. The notorious cybercriminals announced the attack on its dark web leak site on June 23, giving the..
The post LockBit Claims Ransomware Attack on U.S. Federal Reserve appeared first on Security Boulevard.
Security analysts at Google are developing a framework that they hope will enable large language models (LLMs) to eventually be able to run automated vulnerability research, particularly analyses of malware variants. The analysts with Googleβs Project Zero β a group founded a decade ago whose job it is to find zero-day vulnerabilities β have been..
The post Googleβs Project Naptime Aims for AI-Based Vulnerability Research appeared first on Security Boulevard.
Copying usersβ files and deleting some? Even a cartoon hound knows this isnβt fine.
The post Microsoft Privacy FAIL: Windows 11 Silently Backs Up to OneDrive appeared first on Security Boulevard.
Effective April 30, 2024 Airbnb, the global vacation rental giant, announced a significant policy change: the prohibition of all indoor security cameras in its listings worldwide. This decision, aims to bolster the privacy of guests and address longstanding concerns about hidden cameras. While the majority of Airbnbβs over 7 million listings did not report having [β¦]
The post Airbnbβs Ban on Indoor Security Cameras: What It Means for Your Personal Cybersecurity appeared first on BlackCloak | Protect Your Digital Lifeβ’.
The post Airbnbβs Ban on Indoor Security Cameras: What It Means for Your Personal Cybersecurity appeared first on Security Boulevard.
Stefan Dumitrascu Brings Expertise to AMTSO Board We are delighted to announce that our Chief Technology Officer, Stefan Dumitrascu, has been elected as a Board Member of the Anti-Malware Testing Standards Organisation (AMTSO). What is AMTSO? AMTSO is an international non-profit association dedicated to improving the objectivity, quality, and relevance of anti-malware testing methodologies worldwide. [β¦]
The post Our CTO joins AMTSO Board appeared first on SE Labs Blog.
The post Our CTO joins AMTSO Board appeared first on Security Boulevard.
Designing software from the ground up to be secure, as recommended by the Secure by Design initiative from the Cybersecurity and Infrastructure Security Agency (CISA), has its challenges, especially if it's done at scale. .
The post How platform engineering helps you get a good start on Secure by Design appeared first on Security Boulevard.
Five WordPress plugins were injected with malicious code that creates a new administrative account.
The post Several Plugins Compromised in WordPress Supply Chain AttackΒ appeared first on SecurityWeek.
eBPF is one of the most widely used technologies in todayβs computing ecosystem, starting from the cloud sector
The post Reverse engineering eBPF programs appeared first on ARMO.
The post Reverse engineering eBPF programs appeared first on Security Boulevard.
Node.js is an open-source, cross-platform JavaScript runtime environment built on the powerful V8 engine from Chrome. It allows you to run JavaScript code outside a web browser, making it popular for building real-time applications and data streaming services. However, like any software, it is not immune to security vulnerabilities. Recently, multiple vulnerabilities were discovered in [β¦]
The post Addressing Node.js Vulnerabilities in Ubuntu appeared first on TuxCare.
The post Addressing Node.js Vulnerabilities in Ubuntu appeared first on Security Boulevard.
Googleβs initiative to phase out third-party tracking cookies through its Google Privacy Sandbox has encountered criticism from Austrian privacy advocacy group noyb (none of your business). The non-profit alleges that Googleβs proposed solution still facilitates user tracking, albeit in a different form. Allegations of Misleading Practices Β According to noyb, Googleβs Privacy Sandbox, marketed as [β¦]
The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on TuxCare.
The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on Security Boulevard.
History doesnβt repeat itself, but it often rhymes. As AppSec evolves towards a new playbook, hereβs what we can learn from ITβs journey. Just over 20 years ago, Watts Humphrey declared that every business was a software business. Not everyone agreed. No one would image that, sports shoe manufacturers, automakers and even barbecue brands are [β¦]
The post Back to the Future: What AppSec Can Learn From 30 Years of IT Security appeared first on OX Security.
The post Back to the Future: What AppSec Can Learn From 30 Years of IT Security appeared first on Security Boulevard.
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Β Β Β Thank you. The CISO2CISO Advisors Team.
La entrada Best Practices for Cyber Crisis Management se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
In the United States, there is no national, statutory, cross-sector minimum standard for information security. No national law defineswhat would be considered reasonable security in matters involving data breaches. The federal and state governments have various statutes, regulations, policies, and caselaw covering elements of cybersecurity, like data breach notification and data privacy.But all of these [β¦]
La entrada A Guide to Defining Reasonable Cybersecurity se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Β Β Β Thank you. The CISO2CISO Advisors Team.
La entrada AWS Cloud Security Checklist se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Β Β Β Thank you. The CISO2CISO Advisors Team.
La entrada Attacking .NET se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
The U.S. Department of Homeland Security (DHS) was tasked in Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence to develop safety and security guidelines for use by critical infrastructure owners and operators. DHS developed these guidelines in coordination with the Department of Commerce, the Sector Risk Management Agencies (SRMAs) for [β¦]
La entrada MITIGATING ARTIFICIAL INTELLIGENCE (AI) RISK: Safety and Security Guidelinesfor Critical Infrastructure Ownersand Operators se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Say goodbye to passwords! Passkeys are the next generation of authentication, offering enhanced security and convenience. Learn how passkeys work, their benefits over passwords, and why they are the future of secure online access.
The post Passkeys: The Future of Passwordless Authentication appeared first on Security Boulevard.
En 2023, la tensiΓ³n estratΓ©gica ha vuelto a ocupar un primer plano. A la guerra iniciada por la invasiΓ³n rusa de Ucrania en 2022 hay que sumar el nuevo conflicto en Gaza, desencadenado por el ataque terrorista de HamΓ‘s a Israel el 7 de octubre. La posibilidad de que el conflicto derive en una mayor [β¦]
La entrada Informe Anual de Seguridad Nacional 2023 se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Multiple bad actors are using the Rafel RAT malware in about 120 campaigns aimed at compromising Android devices and launching a broad array of attacks that range from stealing data and deleting files to espionage and ransomware. Rafel RAT is an open-source remote administration tool that is spread through phishing campaigns aimed at convincing targets..
The post Rafel RAT Used in 120 Campaigns Targeting Android Device Users appeared first on Security Boulevard.
Source: X[/caption]
In this episode of the Shared Security Podcast, the team debates the Surgeon Generalβs recent call for social media warning labels and explores the pros and cons. Scott discusses whether passwords should be stored in web browsers, potentially sparking strong opinions. The hosts also provide an update on Microsoftβs delayed release of CoPilot Plus PCs [β¦]
The post Social Media Warning Labels, Should You Store Passwords in Your Web Browser? appeared first on Shared Security Podcast.
The post Social Media Warning Labels, Should You Store Passwords in Your Web Browser? appeared first on Security Boulevard.
The Payment Card Industry Data Security Standard (PCI DSS) is a global cornerstone for safeguarding cardholder data. PCI DSS version 4.0, the most recent iteration, emphasises a dynamic, risk-based approach to security, compelling organisations to tailor their controls to their unique environments. PCI DSS penetration tests are crucial for meeting and maintaining security standards. Within β¦
PCI DSS Penetration Testing Guide Read More Β»
The post PCI DSS Penetration Testing Guide appeared first on Security Boulevard.
ISO 27001, the internationally recognised standard for information security management systems (ISMS), provides a framework for organisations to protect their valuable information assets. Penetration testing is crucial in preventing data breaches and maintaining the businessβs reputation. ISO 27001 strongly recommends it as a critical tool for assessing an organisationβs security posture and ensuring compliance with β¦
Learn about ISO 27001 Penetration Testing and its requirements Read More Β»
The post Learn about ISO 27001 Penetration Testing and its requirements appeared first on Security Boulevard.
Long simmering suspicions about the loyalty of Kaspersky Software, a cybersecurity firm headquartered in Russia, came to a head this week after the U.S. government banned the sale of the companyβs software, effective July 20th, to both companies and individual consumers. In addition, the U.S. Treasury Department has placed sanctions on 12 senior leaders of..
The post U.S. Bans Sale of Kaspersky Cybersecurity Software appeared first on Security Boulevard.
ο»Ώ Recently, we hosted Ross Randall, Director of Technology at Lamar County School District in Georgia, and Tim Miles, Director of Technology at Steamboat Springs School District in Colorado, for a summer-inspired live webinar focused on fortifying your districtβs multilayered cybersecurity strategy. From beach balls to firewalls, Ross and Tim generously shared their practical insights, [β¦]
The post Ross Randallβs 3 Essential Tips to Strengthening Your Districtβs Multilayered Cybersecurity appeared first on ManagedMethods.
The post Ross Randallβs 3 Essential Tips to Strengthening Your Districtβs Multilayered Cybersecurity appeared first on Security Boulevard.
In our purple team service, we try to take a depth and quality approach and run many different functionally diverse test cases for a given technique. In this blog, I will describe our process of defining and implementing test cases for our purple team runbooks. The goal of this blog post is to provide the community with a bit more information about how we implement test cases for logon session enumeration, what preventative controls might be, and how this process can be applied to other techniques.
We wanted to develop a logical numbering system to separate test cases for each technique. After a couple of iterations of our purple team service, we started to deliberately select test cases and run variations based on three distinct categories:
Defining test cases in this manner allows us to triangulate a techniqueβs coverage estimation rather than treat the techniques in the MITRE ATT&CK matrix as a bingo card where we run net session and net1 session, fill in the box for this technique, and move on to the next one. After running each test case during the purple team assessment, we look for whether the test case was prevented, detected, or observed (telemetry) by any security controls the organization mayΒ have.
Letβs dive into logon session enumeration by deconstructing the functional differences between three distinct procedures. If you want to learn more (or want to apply this methodology yourself), you can find out more about the process we use to examine the function call stack of tools in Nathanβs Beyond Procedures: Digging into the Function Call Stack and Jaredβs On Detection: Tactical to Functional series.
We can start by examining the three distinct procedures that SharpHound implements. Rohan blogged about the three different methods SharpHound uses. SharpHound can attempt to use all three depending on the context itβs running under and what arguments are passed to it. The implementation of each procedure can be found here: NetSessionEnum, NetWkstaEnum, and GetSubKeyNames in the SharpHoundCommon library. Matt also talks about this in his BOFHound: Session Integration blog.
Here is a breakdown of each of the three unique procedures implemented in SharpHound for remote session enumeration:
Distinct Procedure #1: Network Session Enumeration (NetSessionEnum)
NetSessionEnum is a Win32 API implemented in netapi32.dll. The image below shows where each tool is implemented in the function callΒ stack:
This Win32 API returns a list of active remote or network logon sessions. These two blogs (Netwrix and Compass Security) go into detail about which operating systems allow βAuthenticated Usersβ to query logon sessions and how to check and restrict access to this API remotely by altering the security descriptor in the HKLM/SYSTEM/CurrentControlSet/Services/LanmanServer/DefaultSecurity/SrvsvcSessionInfo registry key. If we read Microsoftβs documentation on the RPC server, we see the MS-SRVS RPC server is only implemented via the \PIPE\srvsvc named pipe (RPC servers can also be commonly implemented via TCP as well). As Microsoftβs documentation states, named pipes communicate over CIFS\SMB via portΒ 445.
In our purple team service, we usually target the organizationβs most active file server for two reasons. First, port 445 (SMB) will generally be open from everywhere on the internal network for this server. Second, this server has the most value to an attacker since it could contain hundreds or even thousands of user-to-machine mappings an attacker could use for βuser hunting.β
Distinct Procedure #2: Interactive, Service, and Batch Logon Session Enumeration (NetWkstaUserEnum)
NetWkstaUserEnum is also a Win32 API implemented in netapi32.dll. Below is the breakdown of the function call stack and where each tool is implemented:
As Microsoft documentation says: βThis list includes interactive, service, and batch logonsβ and βMembers of the Administrators, and the Server, System, and Print Operator local groups can also view information.β This API call has different permission requirements and returns a different set of information than the NetSessionEnum API call; however, just like NetSessionEnum, the RPC server is implemented only via the \PIPE\wkssvc named pipe. Again, this blog from Compass Security goes into more detail about the requirements.
Since this, by default, requires administrator or other privileged rights on the target machine, we will again attempt to target file servers and usually get an access denied response when running this procedure. As a detection engineer, if someone attempts to enumerate sessions, do we have the telemetry even if they are unsuccessful? Next, we will attempt to target a workstation on which we have administrator rights to enumerate sessions using this minor variation in a different testΒ case.
Distinct Procedure #3: Interactive Session Enumeration (RegEnumKeyExW)
Note: Iβm only showing the function call stack of RegEnumKeyExW, SharpHound calls OpenRemoteBaseKey to get a handle to the remote key before calling RegEnumKeyExW. I also left out calls to API sets in thisΒ graph.
RegEnumKeyExW is, again, a Win32 API implemented in advapi32.dll. Below is the breakdown of the function call stack and where each tool is implemented:
As Microsoft documentation says, the remote system βrequires the Remote Registry service to be running on the remote computer.β Again, this blog from Compass Security goes into more detail about the requirements, but by default, the service is disabled on workstation operating systems like Windows 11 and 10 and set to trigger start on server operating systems by interacting with the \PIPE\winreg named pipe. If the remote registry service is running (or triggerable), then the HKEY_USERS hive can be queried for a list of subkeys. These subkeys contain SIDs for users that are interactively logged on. Like NetWkstaUserEnum and NetSessionEnum, the RPC server is implemented only via the \PIPE\winreg namedΒ pipe.
Now that we have a diverse set of procedures and tooling examples that use a variety of execution modalities, we can start creating test cases to run for this technique. Below, I have included an example set of test cases and associated numbering system using each of the three distinct procedures and altering the execution modality for eachΒ one.
You can also find a full TOML runbook for the examples below here: https://ghst.ly/session-enumeration-runbook. All of the test cases are free or open source and can be executed via an Apollo agent with the Mythic C2 framework.
For example, our numbering looks like: Test CaseΒ X.Y.Z
A sample set of test cases we mightΒ include:
Network Session Enumeration (NetSessionEnum)
Interactive, Service, and Batch Logon Session Enumeration (NetWkstaUserEnum)
Interactive Session Enumeration (RegEnumKeyExW)
After executing each test case, we can determine if the test case was prevented, detected, or observed. Tracking information like this allows us to provide feedback on your controls and predict how likely they would detect or prevent an adversaryβs arbitrary selection of procedure or execution modality. Also, we space test cases about 10 minutes apart; name artifacts like files, registry keys, and processes by their corresponding test case number; and alternate the machine and source user we are executing from to make finding observable telemetry easier. We may include or exclude certain test cases based on the organizationβs security controls. For example, if they block and alert on all powershell.exe usage, we arenβt going to run 40 test cases across multiple techniques that attempt to call the PowerShell binary.
By researching and deconstructing each tool and looking at the underlying function call stacks, we found that regardless of which distinct procedure or execution modality was used, they all used three different RPC servers, each implemented using named pipes. This will also allow us to triangulate detection coverage and help determine if a custom or vendor-based rule is looking for a brittle indicator or a tool-specific detail\toolmark.
We now have a fairly broad set of test cases for a runbook that accounts for a wide variety of attacker tradecraft for this technique. Knowing this as a blue teamer or detection engineer will allow me to implement a much more comprehensive detection strategy for this particular technique around the three named pipes we discovered. This allows us to write robust detection rules, rather than looking for the string βGet-NetSessionβ in a PowerShell script. Would this produce a perfect detection for session enumeration? No. Does this include every single way an attacker can determine where a user is logged? No. Does deconstructing adversary tradecraft in this manner vastly improve our coverage for the technique? Absolutely.
In my next post, I will cover many log sources native to Windows (Iβm counting Sysmon as native) and a couple of EDRs that allow us to detect logon session enumeration via named pipes (or TCP in some cases). Some of these sources you might be familiar with, others arenβt very well documented. Each of these log sources can be enabled and shipped to a centralized place like a SIEM. Each source has its requirements, provides a different context, and has its pros and cons for use in a detection rule.
Deconstructing Logon Session Enumeration was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Deconstructing Logon Session Enumeration appeared first on Security Boulevard.
ASUS announces major Firmware Update ASUS recently issued a firmware update to resolve a critical security vulnerability affecting seven different variants of its router models. Identified as CVE-2024-3080 with a CVSS v3 severity score of 9.8 (critical), the vulnerability permits remote attackers to take control of the affected router models without needing any login credentials. [...]
The post CVE-2024-3080: ASUS warns Customers about the latest Authentication Bypass Vulnerability detected Across seven Router Models appeared first on Wallarm.
The post CVE-2024-3080: ASUS warns Customers about the latest Authentication Bypass Vulnerability detected Across seven Router Models appeared first on Security Boulevard.
Spend more on security! Car and truck dealers fall back on pen and paper as huge SaaS provider gets hacked (again).
The post 30,000 Dealerships Down β βRansomwareβ Outage Outrage no. 2 at CDK Global appeared first on Security Boulevard.
Different models of access control offer unique methods and benefits. The three primary models are Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Discretionary Access Control (DAC).
The post Understanding Access Control Models: RBAC, ABAC, and DAC appeared first on Security Boulevard.
As per recent reports, cybersecurity experts uncovered a troubling development on the Python Package Index (PyPI) β a platform used widely by developers to find and distribute Python packages. A malicious package named βcrytic-compilersβ was discovered, mimicking the legitimate βcrytic-compileβ library developed by Trail of Bits. This fraudulent package was designed with sinister intent: to [β¦]
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on TuxCare.
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on Security Boulevard.
A recently patched Vision Pro vulnerability was classified by Apple as a DoS issue, but a researcher has shown that itβs βscaryβ.
The post Spatial Computing Hack Exploits Apple Vision Pro Flaw to Fill Room With Spiders, Bats appeared first on SecurityWeek.
Modern chief information security officers (CISOs) are navigating tough circumstances due to complex challenges and heightened regulatory pressures.
The post Itβs a Hard Time to Be a CISO. Transformational Leadership is More Important Than Ever. appeared first on Security Boulevard.
3 min read Security teams can enhance business operations by providing workload credential management as a service, freeing developers to focus on innovation.
The post Why Devs Arenβt Responsible for Non-Human Credential Hygiene appeared first on Aembit.
The post Why Devs Arenβt Responsible for Non-Human Credential Hygiene appeared first on Security Boulevard.
An analysis of ransomware attacks claimed to have been perpetrated by cybercriminal syndicates that was published today by NCC Group, a provider of managed security services, finds LockBit 3.0 has reemerged to claim the top spot amongst the most prominent threat actors. Previously dormant following the groupsβ takedown by law enforcement officials earlier this year,..
The post Report Details Reemergence of Lockbit 3.0 Ransomware Syndicate appeared first on Security Boulevard.
Ongoing European Union quest to break end-to-end encryption (E2EE) mysteriously disappears.
The post EU Aims to Ban Math β βChat Control 2.0β Law is Paused but not Stopped appeared first on Security Boulevard.
Login