In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication (MFA) issues, according to the latest Cisco Talos report.
Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.
By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices.
Neiman Marcus has issued a notification to its customers regarding a massive data breach that occurred in May 2024, potentially exposing sensitive personal information. The Neiman Marcus data breach, affecting approximately 64,472 customers, involved unauthorized access to a cloud database platform used by the luxury retailer, which is operated by Snowflake, a third-party provider.In a conversation with The Cyber Express, a Neiman Marcus spokesperson confirmed the breach, stating, "Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake."Prompt action was taken, with the spokesperson adding, "Promptly after discovering the incident, NMG took steps to contain it, including by disabling access to the platform."
Neiman Marcus Data Breach Confirmed
The Neiman Marcus data breach compromised a range of personal data, including customer names, contact details, dates of birth, and Neiman Marcus gift card numbers."Based on our investigation, the unauthorized party obtained certain personal information stored in the platform," the spokesperson continued, clarifying that "The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers (but without gift card PINs)."Neiman Marcus has acted swiftly, launching an investigation with leading cybersecurity experts and notifying law enforcement authorities. In compliance with regulatory requirements, the company has begun notifying affected customers, including reaching out to the Maine Attorney General's office.The retailer has advised customers to monitor their financial statements for any suspicious activity and has provided resources for individuals concerned about identity theft.
Mitigation Against the Neiman Marcus Data Leak
"We also began an investigation with assistance from leading cybersecurity experts and notified law enforcement authorities," the spokesperson emphasized. Customers are encouraged to request free credit reports, report any suspected fraud to law enforcement and the Federal Trade Commission, and consider placing a security freeze on their credit files as precautionary measures.Neiman Marcus Group, Inc., based in Dallas, Texas, is a popular luxury retailer that oversees brands such as Neiman Marcus, Bergdorf Goodman, Horchow, and Last Call. Since September 2021, it has been under the ownership of a consortium of investment firms led by Davidson Kempner Capital Management, Sixth Street Partners, and Pacific Investment Management.Following this Neiman Marcus data leak, the firm has established a dedicated toll-free hotline (1-885-889-2743) for affected customers seeking further information or assistance related to the data breach incident.
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.
Let’s explore some of the details behind this escalating threat to SaaS applications, what may be driving it, and what you can do to better protect your SaaS footprint from these types of threats.
Year after year, the cyber talent gap is increasing — currently estimated to have 3,5 million open positions worldwide — presenting all sorts of headaches for leaders and the organizations they aim to protect. Moreover, organizations have a short window to identify, foster and hopefully retain a pipeline of emerging cybersecurity leaders to ensure the […]
The LockBit ransomware group is claiming that it hacked into systems at the U.S. Federal Reserve and stole 33TB of data that it will begin leaking as early as Tuesday if the institution doesn’t pay the unspecified ransom. The notorious cybercriminals announced the attack on its dark web leak site on June 23, giving the..
You can also expand your coverage by adding two or three Blink Outdoor 4 cameras and still get a very good discount. This sale is part of Amazon's official early Prime Day deals, according to its press release, which also served as the official announcement that Prime Day 2024 will take place July 16-17.
This bundle has all the basics you need to set up your Blink security system. The Blink Video Doorbell has two-way audio so that you can communicate with guests from your phone, 1080p resolution, and infrared night vision. The Blink Outdoor 4 is the latest Blink outdoor camera and a great budget option that competes well with other outdoor cameras. The Sync Module 2 lets you use local storage for your video files instead of paying for cloud storage.
Note that you will need a Blink subscription to use all of this bundle's features. The Blink subscription plan starts at $30 a year for Blink Basic. For $100/year, you can get Blink Plus, which offers more features, including support for an unlimited number of devices.
Security analysts at Google are developing a framework that they hope will enable large language models (LLMs) to eventually be able to run automated vulnerability research, particularly analyses of malware variants. The analysts with Google’s Project Zero – a group founded a decade ago whose job it is to find zero-day vulnerabilities – have been..
Effective April 30, 2024 Airbnb, the global vacation rental giant, announced a significant policy change: the prohibition of all indoor security cameras in its listings worldwide. This decision, aims to bolster the privacy of guests and address longstanding concerns about hidden cameras. While the majority of Airbnb’s over 7 million listings did not report having […]
An anonymous reader shares a report: Over the weekend, a clip from a recent interview with Telegram's founder Pavel Durov went semi-viral on X (previously Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company, and that he only employs "about 30 engineers." Security experts say that while Durov was bragging about his Dubai-based company being "super efficient," what he said was actually a red flag for users.
"Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare," Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.) Green was referring to the fact that -- by default -- chats on Telegram are not end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user has to start a "Secret Chat" to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient.
Also, over the years, many people have cast doubt over the quality of Telegram's encryption, given that the company uses its own proprietary encryption algorithm, created by Durov's brother, as he said in an extended version of the Carlson interview. Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said that it's important to remember that Telegram, unlike Signal, is a lot more than just a messaging app.
Stefan Dumitrascu Brings Expertise to AMTSO Board We are delighted to announce that our Chief Technology Officer, Stefan Dumitrascu, has been elected as a Board Member of the Anti-Malware Testing Standards Organisation (AMTSO). What is AMTSO? AMTSO is an international non-profit association dedicated to improving the objectivity, quality, and relevance of anti-malware testing methodologies worldwide. […]
Node.js is an open-source, cross-platform JavaScript runtime environment built on the powerful V8 engine from Chrome. It allows you to run JavaScript code outside a web browser, making it popular for building real-time applications and data streaming services. However, like any software, it is not immune to security vulnerabilities. Recently, multiple vulnerabilities were discovered in […]
Google’s initiative to phase out third-party tracking cookies through its Google Privacy Sandbox has encountered criticism from Austrian privacy advocacy group noyb (none of your business). The non-profit alleges that Google’s proposed solution still facilitates user tracking, albeit in a different form. Allegations of Misleading Practices According to noyb, Google’s Privacy Sandbox, marketed as […]
When transitioning to remote work, the dynamics drastically change from working within a dedicated office environment tailored to the tasks at hand. Adjusting to this new setting can pose challenges in ensuring responsible handling of sensitive company data.
In this article, The Cyber Express (TCE) Team delves into essential cybersecurity measures your company should implement or may already have in place. TCE also emphasizes actions one can take personally, whether they're accessing networks from home or public locations. Both employers and employees share the responsibility of adhering to strong security protocols, especially with the rise of cyber threats.
As organizations increasingly prioritize data protection and server security, it's crucial to stay informed about the latest cybersecurity tips for remote work environments. Keep reading to discover key steps to strengthen your cybersecurity posture while working remotely.
Cybersecurity Tips for Remote Workers
Know Your Organization's Cyberwork Policies
Understanding your organization's cyberwork policies ensures remote workers adhere to established protocols, safeguarding sensitive data. These policies typically include guidelines on using secure connections through VPNs, handling confidential information, and using approved applications.
By following these protocols, the risk of phishing or malware attacks is reduced as vulnerabilities from unprotected networks and devices are minimized. Awareness of these policies empowers employees to identify and report suspicious activities promptly, facilitating swift responses to potential threats.
Use Only Approved Devices
Using devices approved by your organization is critical for cybersecurity as it ensures compliance with company security standards. Approved devices are equipped with essential security measures such as firewalls, antivirus software, and encryption protocols, effectively reducing vulnerabilities.
Regular monitoring and updates ensure these devices remain secure with the latest patches, enhancing protection against unauthorized access and cyber threats. Moreover, using approved devices ensures compatibility with secure networks and systems, maintaining overall cybersecurity integrity.
Implement the Principle of Least Privilege
Implementing access controls based on the principle of least privilege limits access to sensitive information and systems to only those necessary for an employee's role. Strong authentication methods like two-factor authentication (2FA) further verify user identities, enhancing security. Regular review and updates of access permissions are essential, especially in remote work scenarios, to mitigate the risk of unauthorized access and ensure data security.
Secure Home Wi-Fi Networks
Securing your home Wi-Fi network is crucial when working remotely. Use strong, unique passwords and enable WPA3 encryption to protect against unauthorized access. Changing default router login credentials and regularly updating router firmware further enhances security by safeguarding against vulnerabilities and potential breaches. Consider segregating work and personal network usage to further bolster security measures.
Enable Two-Factor Authentication (2FA)
Activating two-factor authentication adds an extra layer of security by requiring a second form of verification alongside passwords. This significantly reduces the risk of unauthorized access, even if passwords are compromised. 2FA methods like SMS codes, authenticator apps, or biometric scans provide robust protection, particularly for handling sensitive work-related data remotely.
Use Strong, Unique Passwords
Protect work-related accounts and devices with strong, unique passwords that include a mix of characters, numbers, and symbols. Avoid using the same password across multiple accounts to mitigate the impact of a potential breach. Consider using a password manager to generate and securely store complex passwords, ensuring optimal security without the risk of forgetting passwords or compromising data integrity.
Use Antivirus and Antimalware Software
Deploy reliable antivirus and antimalware software to detect, block, and remove malicious software threats such as viruses and ransomware. Regular software updates ensure protection against evolving cyber threats, enhancing device and data security. Conducting regular scans helps identify and mitigate potential security risks, preserving the integrity of work devices and sensitive data.
Use a Virtual Private Network (VPN)
Utilize a VPN to encrypt internet connections and enhance security when accessing work-related data remotely. VPNs mask IP addresses and encrypt online activities, safeguarding against unauthorized access and data interception on unsecured Wi-Fi networks. Whether working from home or public locations, VPNs provide a secure channel for transmitting sensitive information, ensuring confidentiality and data integrity.
Keep Software Updated and Data Backed Up
Regularly update operating systems, applications, and security software to protect against vulnerabilities exploited by cybercriminals. Enable automatic updates to ensure devices have the latest security patches and firmware. Back up work data regularly using cloud-based solutions or external hard drives to safeguard against data loss due to hardware failures or cyberattacks. Automating backups ensures data integrity and availability, minimizing disruption and downtime.
Have a Plan of Action for Cyberattacks
Prepare and maintain a comprehensive plan of action for responding to cyberattacks to mitigate damage and facilitate swift recovery. The plan should outline steps for identifying, isolating, and mitigating threats, as well as notifying IT teams for immediate remediation. Regular drills and simulations help familiarize employees with incident response procedures, ensuring a prompt and effective response to cybersecurity incidents when working remotely.
By implementing these cybersecurity tips for remote workers, one can enhance data protection, mitigate risks, and contribute to maintaining a secure work environment from any location.
History doesn’t repeat itself, but it often rhymes. As AppSec evolves towards a new playbook, here’s what we can learn from IT’s journey. Just over 20 years ago, Watts Humphrey declared that every business was a software business. Not everyone agreed. No one would image that, sports shoe manufacturers, automakers and even barbecue brands are […]
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.
In the United States, there is no national, statutory, cross-sector minimum standard for information security. No national law defineswhat would be considered reasonable security in matters involving data breaches. The federal and state governments have various statutes, regulations, policies, and caselaw covering elements of cybersecurity, like data breach notification and data privacy.But all of these […]
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.
The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.
The U.S. Department of Homeland Security (DHS) was tasked in Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence to develop safety and security guidelines for use by critical infrastructure owners and operators. DHS developed these guidelines in coordination with the Department of Commerce, the Sector Risk Management Agencies (SRMAs) for […]
WordPress plugins running on as many as 36,000 websites have been backdoored in a supply-chain attack with unknown origins, security researchers said on Monday.
So far, five plugins are known to be affected in the campaign, which was active as recently as Monday morning, researchers from security firm Wordfence reported. Over the past week, unknown threat actors have added malicious functions to updates available for the plugins on WordPress.org, the official site for the open source WordPress CMS software. When installed, the updates automatically create an attacker-controlled administrative account that provides full control over the compromised site. The updates also add content designed to goose search results.
Poisoning the well
“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow,” the researchers wrote. “The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago.”
An anonymous reader quotes a report from the Associated Press: Car dealerships in North America continue to wrestle with major disruptions that started last week with cyberattacks on a software company used widely in the auto retail sales sector. CDK Global, a company that provides software for thousands of auto dealers in the U.S. and Canada, was hit by back-to-back cyberattacks Wednesday. That led to an outage that has continued to impact operations. For prospective car buyers, that's meant delays at dealerships or vehicle orders written up by hand. There's no immediate end in sight, with CDK saying it expects the restoration process to take "several days" to complete. On Monday, Group 1 Automotive Inc., a $4 billion automotive retailer, said that it continued to use "alternative processes" to sell cars to its customers. Lithia Motors and AutoNation, two other dealership chains, also disclosed that they implemented workarounds to keep their operations going. [...]
Several major auto companies -- including Stellantis, Ford and BMW -- confirmed to The Associated Press last week that the CDK outage had impacted some of their dealers, but that sales operations continue. In light of the ongoing situation, a spokesperson for Stellantis said Friday that many dealerships had switched to manual processes to serve customers. That includes writing up orders by hand. A Ford spokesperson added that the outage may cause "some delays and inconveniences at some dealers and for some customers." However, many Ford and Lincoln customers are still getting sales and service support through alternative routes being used at dealerships.
Group 1 Automotive Inc., which owns 202 automotive dealerships, 264 franchises, and 42 collision centers in the U.S. and the United Kingdom, said Monday that the incident has disrupted its business applications and processes in its U.S. operations that rely on CDK's dealers' systems. The company said that it took measures to protect and isolate its systems from CDK's platform. All Group 1 U.S. dealerships will continue to conduct business using alternative processes until CDK's dealers' systems are available, the company said Monday. Group 1's dealerships in the U.K. don't use CDK's dealers' systems and are not impacted by the incident. In regulatory filings, Lithia Motors and AutoNation disclosed that last week's incident at CDK had disrupted their operations as well. Lithia said it activated cyber incident response procedures, which included "severing business service connections between the company's systems and CDK's." AutoNation said it also took steps to protect its systems and data -- adding that all of its locations remain open "albeit with lower productivity," as many are served manually or through alternative processes.
Say goodbye to passwords! Passkeys are the next generation of authentication, offering enhanced security and convenience. Learn how passkeys work, their benefits over passwords, and why they are the future of secure online access.
En 2023, la tensión estratégica ha vuelto a ocupar un primer plano. A la guerra iniciada por la invasión rusa de Ucrania en 2022 hay que sumar el nuevo conflicto en Gaza, desencadenado por el ataque terrorista de Hamás a Israel el 7 de octubre. La posibilidad de que el conflicto derive en una mayor […]
Multiple bad actors are using the Rafel RAT malware in about 120 campaigns aimed at compromising Android devices and launching a broad array of attacks that range from stealing data and deleting files to espionage and ransomware. Rafel RAT is an open-source remote administration tool that is spread through phishing campaigns aimed at convincing targets..
Jollibee Foods Corporation (JFC), which is the largest fast-food chain operator in Philippines, has launched an investigation for an alleged data breach in its system that may have affected millions of its customers across the globe. The Jollibee probe was initiated after a threat actor claimed responsibility for breaching the systems of the Jollibee Foods Corporation.
On June 21, The Cyber Express reported that a notorious attacker, operating under the alias “Sp1d3r”, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000 on the dark web.
[caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption]
Details of Jollibee Probe into Cyberattack
The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery.
A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”.
“The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said.
JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company.
“JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said.
“The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added.
The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.
Jollibee’s Cybersecurity Concerns
The alleged data breach of the fast-food chain took place on popular data hack site BreachForums on June 20.
The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details.
JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee.
This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had informed of a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed.
After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
In a world increasingly dependent on digital infrastructure, the cybersecurity landscape continues to evolve, and so does the role of women in this critical field. Irene Corpuz, a cyber policy expert at the Dubai Electronic Security Center and co-founder and board member of Women in Cyber Security Middle East (WiCSME), shared her insights on effective strategies for encouraging women in cybersecurity and the challenges small businesses face in prioritizing cybersecurity at The World Cybercon META Edition hosted by The Cyber Express in Dubai.
Strategies to Encourage Women in Cybersecurity
Irene Corpuz believes that collaboration and communication are key to empowering women in cybersecurity. One of the most effective strategies is to collaborate and communicate our objectives and advocacy for increasing and empowering women in cyber," she states. By showcasing women in various roles—from mentors and speakers to leaders—on platforms like conferences, the visibility and success of these women can inspire others to pursue their ambitions in the field.
"Seeing other women grow and succeed motivates them to pursue their dreams and careers," Irene emphasizes. She highlights the importance of a supportive community, which acts as a backbone for women in cybersecurity, helping them navigate and thrive in the industry.
Trends in Women's Participation in Cybersecurity
Reflecting on her journey, Irene observes a positive trend in the participation of women in cybersecurity. When WiCSME was founded in 2018, women made up only 12% of the cybersecurity workforce. However, this number has significantly increased to 25% by last year. This growth is attributed not just to WiCSME but to the collective efforts of various women-in-cyber organizations worldwide.
"There’s a continuous growth, and awareness of the importance of diversity and inclusion in cybersecurity is becoming more widespread," Irene notes. This trend signifies a growing recognition of the value that diverse perspectives bring to the cybersecurity industry.
Challenges for Small Businesses in Cybersecurity
Transitioning the conversation to small businesses, Irene sheds light on the challenges they face in prioritizing cybersecurity. "Small businesses and young entrepreneurs often face constraints in financial resources," she explains. As these businesses focus on growth and expanding their customer base, investing in cybersecurity often becomes a secondary priority.
However, Irene stresses the importance of embedding a cybersecurity and awareness culture from the beginning, even if it means taking small steps. "Startups and SMEs need to take baby steps in embedding cybersecurity and awareness culture within their employees," she advises. As these companies mature, their cybersecurity measures should evolve accordingly to build a resilient defense against cyber threats.
Conclusion
The insights shared by Irene Corpuz underscore the significance of community support and visibility in empowering women in cybersecurity. Furthermore, her perspective on the challenges faced by small businesses highlights the necessity of integrating cybersecurity practices gradually and consistently. As the cybersecurity landscape continues to evolve, the contributions of women and the resilience of small businesses will play a pivotal role in shaping a secure digital future.
In this episode of the Shared Security Podcast, the team debates the Surgeon General’s recent call for social media warning labels and explores the pros and cons. Scott discusses whether passwords should be stored in web browsers, potentially sparking strong opinions. The hosts also provide an update on Microsoft’s delayed release of CoPilot Plus PCs […]
Apple, Microsoft and Google need more access to our data as they promote new phones and personal computers that are powered by artificial intelligence. Should we trust them?
The Linux Foundation's "Open Source Security Foundation" (or OpenSSF) is a cross-industry forum to "secure the development, maintenance, and consumption of the open source software". And now the OpenSSF has launched a new mailing list "which aims to monitor the threat landscape of open-source project vulnerabilities," reports I Programmer, "in order to provide real time alerts to anyone subscribed."
The Record explains its origins:
OpenSSF General Manager Omkhar Arasaratnam said that at a recent open source event, members of the community ran a tabletop exercise where they simulated a security incident involving the discovery of a zero-day vulnerability. They worked their way through the open source ecosystem — from cloud providers to maintainers to end users — clearly defining how the discovery of a vulnerability would be dealt with from top to bottom. But one of the places where they found a gap is in the dissemination of information widely.
"What we lack within the open source community is a place in which we can convene to distribute indicators of compromise (IOCs) and threats, tactics and procedures (TTPs) in a way that will allow the community to identify threats when our packages are under attack," Arasaratnam said... "[W]e're going to be standing up a mailing list for which we can share this information throughout the community and there can be discussion of things that are being seen. And that's one of the ways that we're responding to this gap that we saw...." The Siren mailing list will encourage public discussions on security flaws, concepts, and practices in the open source community with individuals who are not typically engaged in traditional upstream communication channels...
Members of the Siren email list will get real-time updates about emerging threats that may be relevant to their projects... OpenSSF has created a signup page for those interested and urged others to share the email list to other open source community members...
OpenSSF ecyosystem strategist Christopher Robinson (also security communications director for Intel) told the site he expects government agencies and security researchers to be involved in the effort. And he issued this joint statement with OpenSSF ecosystem strategist Bennett Pursell:
By leveraging the collective knowledge and expertise of the open source community and other security experts, the OpenSSF Siren empowers projects of all sizes to bolster their cybersecurity defenses and increase their overall awareness of malicious activities. Whether you're a developer, maintainer, or security enthusiast, your participation is vital in safeguarding the integrity of open source software.
In less than a month, the mailing list has already grown to over 800 members...
The Payment Card Industry Data Security Standard (PCI DSS) is a global cornerstone for safeguarding cardholder data. PCI DSS version 4.0, the most recent iteration, emphasises a dynamic, risk-based approach to security, compelling organisations to tailor their controls to their unique environments. PCI DSS penetration tests are crucial for meeting and maintaining security standards. Within …
ISO 27001, the internationally recognised standard for information security management systems (ISMS), provides a framework for organisations to protect their valuable information assets. Penetration testing is crucial in preventing data breaches and maintaining the business’s reputation. ISO 27001 strongly recommends it as a critical tool for assessing an organisation’s security posture and ensuring compliance with …
An anonymous reader quotes a report from TechCrunch: A hacker is advertising customer data allegedly stolen from the Australia-based live events and ticketing company TEG on a well-known hacking forum. On Thursday, a hacker put up for sale the alleged stolen data from TEG, claiming to have information of 30 million users, including the full name, gender, date of birth, username, hashed passwords, and email addresses. In late May, TEG-owned ticketing company Ticketek disclosed a data breach affecting Australian customers' data, "which is stored in a cloud-based platform, hosted by a reputable, global third party supplier."
The company said that "no Ticketek customer account has been compromised," thanks to the encryption methods used to store their passwords. TEG conceded, however, that "customer names, dates of birth and email addresses may have been impacted" -- data that would line up with that advertised on the hacking forum. The hacker included a sample of the alleged stolen data in their post. TechCrunch confirmed that at least some of the data published on the forum appears legitimate by attempting to sign up for new accounts using the published email addresses. In a number of cases, Ticketek's website gave an error, suggesting the email addresses are already in use. There's evidence that the company's "cloud-based platform" provider is Snowflake, "which has been at the center of a recent series of data thefts affecting several of its customers, including Ticketmaster, Santander Bank, and others," notes TechCrunch.
"A now-deleted post on Snowflake's website from January 2023 was titled: 'TEG Personalizes Live Entertainment Experiences with Snowflake.' In 2022, consulting company Altis published a case study (PDF) detailing how the company, working with TEG, 'built a modern data platform for ingesting streaming data into Snowflake.'"
Long simmering suspicions about the loyalty of Kaspersky Software, a cybersecurity firm headquartered in Russia, came to a head this week after the U.S. government banned the sale of the company’s software, effective July 20th, to both companies and individual consumers. In addition, the U.S. Treasury Department has placed sanctions on 12 senior leaders of..
Recently, we hosted Ross Randall, Director of Technology at Lamar County School District in Georgia, and Tim Miles, Director of Technology at Steamboat Springs School District in Colorado, for a summer-inspired live webinar focused on fortifying your district’s multilayered cybersecurity strategy. From beach balls to firewalls, Ross and Tim generously shared their practical insights, […]
How we define and create test cases for our purple team runbooks
Intro
In our purple team service, we try to take a depth and quality approach and run many different functionally diverse test cases for a given technique. In this blog, I will describe our process of defining and implementing test cases for our purple team runbooks. The goal of this blog post is to provide the community with a bit more information about how we implement test cases for logon session enumeration, what preventative controls might be, and how this process can be applied to other techniques.
Defining Unique Test Cases
We wanted to develop a logical numbering system to separate test cases for each technique. After a couple of iterations of our purple team service, we started to deliberately select test cases and run variations based on three distinct categories:
Distinct Procedures: Jared defines this as “a sequence of operations that, when combined, implement a technique or sub-technique.” We attempt to deconstruct tools that implement the technique to find functional differences, whether that tool is open-source or a Microsoft binary. This can require reverse engineering or reviewing source code to reveal what the tool is doing under the hood. It also might involve writing or altering existing tooling to meet your needs. An example of this can be found in part 1 of Jared’s blog On Detection: Tactical to Functional, where he reviews the source code of Mimikatz’s sekurlsa::logonPasswords module. If the tool implements a unique set of operations in the call graph, then we define that as a distinct procedure.
Execution Modality: We then alter the execution modality, which changes how the set of functions is implemented. This is outlined in part 12 of Jared’s blog On Detection: Tactical to Functional: “one tool that is built into the operating system (Built-in Console Application), a tool that had to be dropped to disk (Third-Party Console Application), a tool that could run in PowerShell’s memory (PowerShell Script), a tool that runs in the memory of an arbitrary process (Beacon Object File), and a tool that can run via a proxy without ever touching the subject endpoint (Direct RPC Request)”. This variation helps us determine if we run the same distinct procedure but with a different execution mechanism (Beacon Object File, Unmanaged PowerShell, etc.) or is implemented in a different programming language (C, Python, PowerShell, etc.) will alter whether your security controls detected or prevented it.
Minor Variations: Finally, we introduce slight variations to alter the payload, target user, computer, or process depending on the technique we are working on. In the case of logon session enumeration, we alter local vs. remote logon sessions and the machine we are targeting (i.e., file server, workstation, etc). During purple team assessments, we often find ourselves using this variation based on the organization’s environmental factors. For other techniques, these environmental factors normally include choosing which account to Kerberoast or which process to inject into.
Defining test cases in this manner allows us to triangulate a technique’s coverage estimation rather than treat the techniques in the MITRE ATT&CK matrix as a bingo card where we run net session and net1 session, fill in the box for this technique, and move on to the next one. After running each test case during the purple team assessment, we look for whether the test case was prevented, detected, or observed (telemetry) by any security controls the organization may have.
Let’s dive into logon session enumeration by deconstructing the functional differences between three distinct procedures. If you want to learn more (or want to apply this methodology yourself), you can find out more about the process we use to examine the function call stack of tools in Nathan’s Beyond Procedures: Digging into the Function Call Stack and Jared’s On Detection: Tactical to Functional series.
We can start by examining the three distinct procedures that SharpHound implements. Rohan blogged about the three different methods SharpHound uses. SharpHound can attempt to use all three depending on the context it’s running under and what arguments are passed to it. The implementation of each procedure can be found here: NetSessionEnum, NetWkstaEnum, and GetSubKeyNames in the SharpHoundCommon library. Matt also talks about this in his BOFHound: Session Integration blog.
Here is a breakdown of each of the three unique procedures implemented in SharpHound for remote session enumeration:
NetSessionEnum is a Win32 API implemented in netapi32.dll. The image below shows where each tool is implemented in the function call stack:
NetSessionEnum Function Call Graph
This Win32 API returns a list of active remote or network logon sessions. These two blogs (Netwrix and Compass Security) go into detail about which operating systems allow “Authenticated Users” to query logon sessions and how to check and restrict access to this API remotely by altering the security descriptor in the HKLM/SYSTEM/CurrentControlSet/Services/LanmanServer/DefaultSecurity/SrvsvcSessionInfo registry key. If we read Microsoft’s documentation on the RPC server, we see the MS-SRVS RPC server is only implemented via the \PIPE\srvsvc named pipe (RPC servers can also be commonly implemented via TCP as well). As Microsoft’s documentation states, named pipes communicate over CIFS\SMB via port 445.
In our purple team service, we usually target the organization’s most active file server for two reasons. First, port 445 (SMB) will generally be open from everywhere on the internal network for this server. Second, this server has the most value to an attacker since it could contain hundreds or even thousands of user-to-machine mappings an attacker could use for “user hunting.”
NetWkstaUserEnum is also a Win32 API implemented in netapi32.dll. Below is the breakdown of the function call stack and where each tool is implemented:
NetWkstaUserEnum Function Call Graph
As Microsoft documentation says: “This list includes interactive, service, and batch logons” and “Members of the Administrators, and the Server, System, and Print Operator local groups can also view information.” This API call has different permission requirements and returns a different set of information than the NetSessionEnum API call; however, just like NetSessionEnum, the RPC server is implemented only via the \PIPE\wkssvc named pipe. Again, this blog from Compass Security goes into more detail about the requirements.
Since this, by default, requires administrator or other privileged rights on the target machine, we will again attempt to target file servers and usually get an access denied response when running this procedure. As a detection engineer, if someone attempts to enumerate sessions, do we have the telemetry even if they are unsuccessful? Next, we will attempt to target a workstation on which we have administrator rights to enumerate sessions using this minor variation in a different test case.
Note: I’m only showing the function call stack of RegEnumKeyExW, SharpHound calls OpenRemoteBaseKey to get a handle to the remote key before calling RegEnumKeyExW. I also left out calls to API sets in this graph.
RegEnumKeyExW is, again, a Win32 API implemented in advapi32.dll. Below is the breakdown of the function call stack and where each tool is implemented:
RegEnumKeyExW Function Call Graph
As Microsoft documentation says, the remote system “requires the Remote Registry service to be running on the remote computer.” Again, this blog from Compass Security goes into more detail about the requirements, but by default, the service is disabled on workstation operating systems like Windows 11 and 10 and set to trigger start on server operating systems by interacting with the \PIPE\winreg named pipe. If the remote registry service is running (or triggerable), then the HKEY_USERS hive can be queried for a list of subkeys. These subkeys contain SIDs for users that are interactively logged on. Like NetWkstaUserEnum and NetSessionEnum, the RPC server is implemented only via the \PIPE\winreg named pipe.
Putting it all Together with Test Cases
Now that we have a diverse set of procedures and tooling examples that use a variety of execution modalities, we can start creating test cases to run for this technique. Below, I have included an example set of test cases and associated numbering system using each of the three distinct procedures and altering the execution modality for each one.
Test Case 3.0.0 — Enumerate Interactive Sessions via reg_query BOF (Server)
Test Case 3.0.1 — Enumerate Interactive Logon Sessions via reg_query BOF (workstation)
Test Case 3.1.0 — Enumerate Interactive Sessions from Impacket (reg.py)
After executing each test case, we can determine if the test case was prevented, detected, or observed. Tracking information like this allows us to provide feedback on your controls and predict how likely they would detect or prevent an adversary’s arbitrary selection of procedure or execution modality. Also, we space test cases about 10 minutes apart; name artifacts like files, registry keys, and processes by their corresponding test case number; and alternate the machine and source user we are executing from to make finding observable telemetry easier. We may include or exclude certain test cases based on the organization’s security controls. For example, if they block and alert on all powershell.exe usage, we aren’t going to run 40 test cases across multiple techniques that attempt to call the PowerShell binary.
Conclusion
By researching and deconstructing each tool and looking at the underlying function call stacks, we found that regardless of which distinct procedure or execution modality was used, they all used three different RPC servers, each implemented using named pipes. This will also allow us to triangulate detection coverage and help determine if a custom or vendor-based rule is looking for a brittle indicator or a tool-specific detail\toolmark.
We now have a fairly broad set of test cases for a runbook that accounts for a wide variety of attacker tradecraft for this technique. Knowing this as a blue teamer or detection engineer will allow me to implement a much more comprehensive detection strategy for this particular technique around the three named pipes we discovered. This allows us to write robust detection rules, rather than looking for the string “Get-NetSession” in a PowerShell script. Would this produce a perfect detection for session enumeration? No. Does this include every single way an attacker can determine where a user is logged? No. Does deconstructing adversary tradecraft in this manner vastly improve our coverage for the technique? Absolutely.
In my next post, I will cover many log sources native to Windows (I’m counting Sysmon as native) and a couple of EDRs that allow us to detect logon session enumeration via named pipes (or TCP in some cases). Some of these sources you might be familiar with, others aren’t very well documented. Each of these log sources can be enabled and shipped to a centralized place like a SIEM. Each source has its requirements, provides a different context, and has its pros and cons for use in a detection rule.
ASUS announces major Firmware Update ASUS recently issued a firmware update to resolve a critical security vulnerability affecting seven different variants of its router models. Identified as CVE-2024-3080 with a CVSS v3 severity score of 9.8 (critical), the vulnerability permits remote attackers to take control of the affected router models without needing any login credentials. [...]
Different models of access control offer unique methods and benefits. The three primary models are Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Discretionary Access Control (DAC).
Login
Source: X[/caption]
