Showing posts with label Vulnerability management.

Here's Why Ransomware Actors Have an Upper Hand Against Organisations

 

Successful ransomware assaults are increasing, not necessarily because the attacks are more sophisticated in design, but because attackers have found that many of the world's largest companies lack adequate resilience to basic safety measures. Despite huge efforts in cybersecurity from both the private and public sectors, many organisations remain vulnerable to ransomware attacks.

Richard Caralli, senior cybersecurity advisor at Axio, has over 40 years of experience as a practitioner, researcher, and leader in the audit and cybersecurity fields. Based on that experience, he believes there are two primary reasons for the lack of ransomware resilience that exposes numerous organisations to otherwise preventable flaws in their ransomware defences: 

  • Recent noteworthy intrusions, such as those on gaming companies, consumer goods manufacturers, and healthcare providers, highlight the fact that some organisations may not have implemented basic safety standards. 
  • Organisations that have put in place foundational practices may not have done enough to confirm and validate those practices' performance over time, which causes expensive investments to lose their efficacy more quickly. 

Given this, organisations can take three simple activities to boost fundamental resilience to ransomware: 

Recommit to core practices

According to Verizon's "2023 Data Breach Investigations Report," 61% of all incidents involved user credentials. Two-factor authentication (2FA) is now regarded as an essential control for access management. However, a failure to apply this additional layer of security is at the heart of UnitedHealth Group/Change Healthcare's ongoing ransomware nightmare. This intrusion affects not only patients, but also service providers and professionals, who face severe barriers to obtaining treatment authorisations and payments. An entire sector is under attack as a result of a major healthcare provider's failure to adopt this foundational control.

Ensure fundamental procedures are institutionalised

There is a "set and forget" approach that handles cybersecurity during the installation stage but fails to ensure that procedures, controls, and countermeasures are long-lasting throughout the infrastructure's life, particularly when these infrastructures expand and adapt to organisational change. 

For example, cybersecurity procedures that are not actively adopted with characteristics that enable institutionalisation and durability are at risk of failing to withstand developing ransomware attack vectors. But what exactly does institutionalisation mean? Higher maturity behaviours include documenting the practice, resourcing it with sufficiently skilled and accountable people, tools, and funding, supporting its enforcement through policy, and measuring its effectiveness over time. 

Implementing the basics 

The challenges of implementing and maintaining essential cybersecurity measures are numerous. Doing so requires a commitment to constant attention, active management, and a thorough understanding of emerging hazards. However, by confronting these obstacles and ensuring that cybersecurity procedures are rigorously established, measured, and maintained, organisations can better protect themselves against the ever-present threat of ransomware attacks. 

Focussing on the basics first — such as implementing foundational controls like 2FA, developing maintenance skills to integrate IT and security efforts, and adopting performance management practices — can lead to significant improvements in cybersecurity, providing robust protection with less investment.

Xapo Bank Aims To Boost Bitcoin Safety With Tech And Bunkers

 

Satoshi Nakamoto, the pseudonymous developer of Bitcoin, published the system's whitepaper in 2008, bluntly criticising financial institutions and the confidence they demand. However, in 2010, one of the most notable Bitcoin collaborators in its early days and the recipient of the first Bitcoin transaction in history, cypherpunk and cryptography specialist Hal Finney, predicted the existence of bitcoin banks. Today, bitcoin-native banks such as Xapo Bank exist in this grey area between the ethos and the potential deployment of this system across the global financial sector. 

Finney claims that Xapo Bank, which was founded in 2013, is among the leaders in the custodial space of Bitcoin. Wences Casares, an Argentinean entrepreneur and innovator who is well-known in Silicon Valley for his support of this technology, developed it as a solution for his friends and family. However, it expanded significantly. Currently, it is one of the few fully licensed banks in the world that deals with Bitcoin and other digital assets. 

Its business idea combines cutting-edge Bitcoin technology with a physical bunker in the Swiss highlands. This physical location blends old-fashioned Swiss standards with the latest safety technology. It is an atomic bunker that serves as the foundation of what Xapo provides its clients: high-quality security for digital assets. Xapo is also exploring new technical opportunities. The custody business is dominated by multi-signature solutions, but the best alternative and security solution for the Gibraltar-registered bitcoin bank is the multi-party computation (MPC) protocol. On a broad level, MPC enables several parties to compute jointly on shared information without any party fully exposing its own input. 

In the case of Xapo, this works by breaking the digital asset master private key into several unique fragments known as "key shares," which Xapo Bank has stored and distributed in hidden places around the world, including the Swiss bunker. The MPC protocol ensures that participants' contributions remain private during key creation and signing, without being revealed. This functionality assures that no single participant in the quorum has total access to or control over the stored assets, reducing the chance of collusion to nearly zero. 

"MPC is a much more modern and secure setup compared to a still more popular multi-signature approach. The fact that the private key is not put together at any point in the transaction means there is no moment it can be potentially exposed or hacked, which is not the case with the more traditional multi-sig technology," Xapo Bank's Chief Technology Officer, Kamil Dziubliński, stated. 

However, there are threats and concerns, even with a movie-style bunker and this novel method of securing the keys and transaction signing process. Security threats include hacking and phishing attempts. Financial risks include money laundering, terrorist financing, and various types of financial attacks.
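As an added illustration of the key-share idea described above (my own example, not Xapo's code or protocol): a toy Shamir t-of-n split of a key over a prime field, where any quorum computes a linear "signature" k·H(m) mod P from local contributions, so the key itself is never assembled. The field prime, the signature formula and the sample values are assumptions; a real threshold-ECDSA or Schnorr scheme needs more interaction than this.

```python
import hashlib
import secrets

# Toy field: 2^127 - 1 is prime. Chosen for illustration only, not the curve order a
# production threshold-signature scheme would use.
P = (1 << 127) - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_key(key, threshold, parties):
    """Shamir t-of-n split: party i receives f(i) for a random polynomial with f(0) = key.
    Fewer than `threshold` shares are consistent with every possible key, so a single
    custodian (or a single bunker) learns nothing about it."""
    if not 1 <= threshold <= parties or not 0 <= key < P:
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, parties + 1)}

def lagrange_at_zero(indices):
    """Coefficients lambda_i such that sum(lambda_i * f(i)) == f(0) for any polynomial
    of degree < len(indices)."""
    lams = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        lams[i] = num * pow(den, -1, P) % P
    return lams

def partial_sign(share, lam, msg_hash):
    """One party's local contribution. Only this product leaves the party, never the share."""
    return lam * share * msg_hash % P

def threshold_sign(quorum_shares, msg_hash, threshold):
    """Combine contributions into the toy signature key * H(m) mod P. Because the
    operation is linear, the contributions sum to the right value while the key itself
    is never reconstructed anywhere (the property the CTO quote above describes)."""
    if len(quorum_shares) < threshold:
        raise PermissionError("quorum not met")
    lams = lagrange_at_zero(list(quorum_shares))
    return sum(partial_sign(s, lams[i], msg_hash) for i, s in quorum_shares.items()) % P

def reconstruct_key(quorum_shares, threshold):
    """Explicit reconstruction, shown only for contrast: this is the step MPC signing
    avoids, because the moment the key exists in one place it can be stolen."""
    if len(quorum_shares) < threshold:
        raise PermissionError("quorum not met")
    lams = lagrange_at_zero(list(quorum_shares))
    return sum(lams[i] * s for i, s in quorum_shares.items()) % P

if __name__ == "__main__":
    key = secrets.randbelow(P)                          # constructed sample key
    shares = split_key(key, threshold=3, parties=5)     # five custodians, any three sign
    h = int.from_bytes(hashlib.sha256(b"constructed tx").digest(), "big") % P
    quorum = {i: shares[i] for i in (1, 3, 5)}
    assert threshold_sign(quorum, h, 3) == key * h % P
    print("quorum signature verified; key was never assembled")
```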

Microsoft Update Alert: 70% Of Windows Users Are Now At Risk

 

Microsoft's end-of-support date for Windows 10 is approaching on October 14, 2025, and the operating system is already facing a serious security threat. With 70% of Windows users still operating Windows 10, the situation in terms of cyber-attacks has become increasingly perilous. This security bug has major consequences for individuals and organisations who rely on Windows 10. 

What's happening?

A 2018 Windows flaw has been added to the US government's Known Exploited Vulnerabilities (KEV) catalogue, warning of potential privilege escalation and remote code execution attacks. Researchers believe that the vulnerability, CVE-2018-0824, was exploited by the Chinese hacking group APT41. This threat actor is backed by the Ministry of State Security and is treated as highly serious because it targets both government and private organisations. 

The US government has warned people to fix or stop using Windows if there is any risk by August 26. If this is not done, users will remain vulnerable to assaults. This vulnerability will not affect Windows 11. Additionally, it would not harm updated Windows systems, emphasising the importance of upgrades for users. The warnings appear to be insufficient, as many users continue to use Windows 10, with only 30% having updated their systems to Windows 11. 

Furthermore, as the end-of-support date approaches, hundreds of scam emails are likely to target Windows 10 customers' inboxes. The hackers would take advantage of this situation and jeopardise the security of users' data and systems, resulting in data breaches and other serious consequences such as system compromise and financial losses. 

Take a look at Reddit or the comments on this post to see the enormous number of Windows users who are waiting for Microsoft to pull a late rabbit out of the bag and expand Windows 10 support. It is unclear how this will affect all those who have invested in upgrading. 

Given the recent experience, with global images of blue screens of death all around, come October, this could be a hackers' paradise for a while. Another aspect to consider is that malicious actors would take advantage of the situation and send out scam after scam to nervous Windows 10 users.

AI and Vulnerability Management: Industry Leaders Show Positive Signs

Positive trend: AI and vulnerability management

We are in a fast-paced industry, and with new technological developments every day, the likelihood of cyber attacks keeps rising. Hence, defence against such attacks, and cybersecurity in general, becomes paramount. 

The latest research into the cybersecurity industry by Seemplicity revealed that 91% of participants claim their security budget is increasing this year. It shows us the growing importance of cybersecurity in organizations.

Understanding report: An insight into industry leaders' mindset

The report surveyed 300 US cybersecurity experts to understand their views on pressing topics such as automation, AI, regulatory compliance, and vulnerability and exposure management. Organizations reported employing 38 cybersecurity vendors, highlighting the level of complexity and fragmentation within their attack surfaces. 

This fragmentation leaves 51% of respondents experiencing high levels of noise from their tools, overwhelmed by the volume of notifications, alerts, and findings, most of which lead nowhere. 

As a result, 85% of respondents need help handling this noise. The most troubling challenge reported was slow or delayed risk reduction, which highlights the seriousness of the problem: the flood of noise slows effective vulnerability identification and therefore delays the response to threats. 

Automation and vulnerability management on the rise

97% of respondents cited at least one method to control noise, showing acceptance of the problem and urgency to resolve it. 97% also showed some use of automation, hinting at growing recognition of the benefits of automation in vulnerability and exposure management. The growing trend towards automation tells us one thing: the adoption response is positive. 

However, 44% of respondents still rely on manual methods, a sign that there still exists a gap to full automation.

But the message is loud and clear: automation has improved vulnerability and exposure management efficiency, as 89% of leaders report benefits, the top one being a quicker response to emerging threats. 

AI: A weapon against cyber threats

The prevailing opinion (64%) that AI will be a key force in fighting cyber threats is a positive sign of its potential to build robust cybersecurity infrastructure. However, there is also a major concern (68%) about the effects of integrating AI into software development on vulnerability and exposure management: AI will increase the pace of code development, and security teams will find it difficult to keep up. 

Are We Ready For The Next Major Global IT Outage? Here's All You Need to Know

 

Last Friday, a glitch at a technology firm led to a global disruption affecting activities across sectors. Hospitals, health clinics, and banks were impacted; airlines grounded their planes; broadcasters were unable to broadcast (Sky News went off the air); emergency numbers such as 911 in the United States were unavailable; and Magen David Adom (MDA), Israel's emergency medical service, experienced several problems. 

This incident had a significant impact in the United States, Australia, and Europe. Critical infrastructure and many corporate operations were brought to a halt. In Israel, citizens instantly linked the incident to warfare, namely the UAV that arrived from Yemen and exploded in Tel Aviv, presuming that Iran was attacking in the cyber dimension. 

What exactly happened? 

CrowdStrike, an American cybersecurity firm based in Texas whose protection software is deployed in many companies around the world, announced on Friday morning that the most recent update delivered to customers contained a defect. The issue caused Microsoft's Windows operating system to fail to load, resulting in a blue screen. As a result, any organisational systems running on that operating system failed to load. In other words, the organisation was paralysed. 

But the trouble didn't end there. During the company's recovery efforts, hackers "jumped on the bandwagon," impersonating staff members and giving instructions that essentially amounted to installing malicious code in the company's systems and erasing its databases. This was the second part of the incident. 

Importance of risk management 

Risk management is an organisational discipline. Within risk management processes, the organisation finds out and maps the threat and vulnerability portfolio in its activities, while also developing effective responses and controls to threats and risks. Threats can be "internal," such as an employee's human error, embezzlement, or a technical failure in a computer or server. Threats can also arise "externally" to the organisation, such as consumer or supplier fraud, a cyberattack, geopolitical threats in general, particularly war, or a pandemic, fire, or earthquake. 

It appears that the world has become far more global and technological than humans like to imagine or believe. And, certainly, a keyboard error made by one individual in one organisation can have global consequences, affecting all of our daily lives. This is the fact, and we should recognise it as soon as possible and start preparing for future incidents through systematic risk management methods.

The Vital Role of Ethical Hacking in Cyber Security

 

The possibility of cyber attacks is a major issue, with the global average cost of a data breach expected to reach $4.45 million in 2023, a 15% increase over the previous three years, according to an IBM analysis. This stark figure highlights the growing financial and reputational threats companies face, emphasising the importance of ethical hacking in an increasingly interconnected world. 

Ethical hackers are the first line of defence, utilising their knowledge to replicate cyber attacks under controlled conditions. These individuals play an important role in averting potentially disastrous data breaches, financial loss, and reputational harm caused by cyber attacks by proactively fixing security vulnerabilities before they are exploited. 

This article explores the importance of ethical hacking, the tactics used by ethical hackers, and how to pursue a career in this vital sector of cyber security. 

What is ethical hacking? 

Ethical hacking, commonly referred to as penetration testing or white-hat hacking, is a technique for testing computer systems, networks, or online applications for security flaws. Unlike criminal hackers, who attempt to make money from vulnerabilities, ethical hackers utilise their expertise to uncover and patch them before they are exploited. 

They utilise their expertise with authorization, hoping to improve security posture before a real hacker exploits vulnerabilities. This preemptive strike against possible breaches is an important part of modern cyber security tactics and a technique of protecting against the most dangerous cyber security threats. Ethical hacking adheres to a fixed code of ethics and legal restrictions. 

Ethical hackers must have clear permission to explore systems and ensure that their actions do not stray into illegal territory. Respect for privacy, data integrity, and the lawful exploitation of uncovered vulnerabilities is critical. 

Methodologies of Ethical Hacking 

Ethical hackers employ a variety of methodologies to assess the security of information systems. These include: 

Risk assessment: Scanning systems and networks to identify known vulnerabilities. 

Penetration testing: Simulating cyber attacks to evaluate the effectiveness of security measures. 

Social engineering: Testing the human element of security through phishing simulations and other tactics. 

Security auditing: Examining the adherence of systems and policies to security standards and best practices. 

Process of ethical hacking

Step 1: Reconnaissance – The ethical hacker collects as much information about the target system or network as possible, utilising sources such as WHOIS databases, search engines, and social media to obtain publicly available information. 
 
Step 2: Scanning – They look for live hosts, open ports, services running on those hosts, and vulnerabilities connected with them. Nmap may be used to scan ports, while Nessus or OpenVAS can be used to check for vulnerabilities that can be exploited. 

Step 3: Gaining Access – They use the identified vulnerabilities to gain unauthorised access to the system or network. Metasploit is commonly used to exploit vulnerabilities. Other tools include SQL injection tools for database attacks, as well as password cracking programmes such as John the Ripper or Hydra. 

Step 4: Maintaining Access – Ensure continued access to the target for further exploration and analysis without being detected. Tools like backdoors and trojans are used to maintain access, while ensuring to operate stealthily to avoid detection by security systems.

Step 5: Covering Tracks – Deleting evidence of the hacking process to avoid detection by system administrators or security software, through log tampering and the use of tools to clear or modify entries in system logs. Tools such as CCleaner can also be used to erase footprints.

Chinese APT40 Can Exploit Flaws Within Hours of Public Release

 

A joint government advisory claims that APT40, a Chinese state-sponsored actor, is focusing on recently discovered software vulnerabilities in an attempt to exploit them in a matter of hours.

The advisory, authored by the Cybersecurity and Infrastructure Security Agency, FBI, and National Security Agency in the United States, as well as government agencies in Australia, the UK, Canada, New Zealand, Germany, South Korea, and Japan, stated that the cyber group has targeted organisations in a variety of arenas, employing techniques commonly employed by other state-sponsored actors in China. It has often targeted Australian networks, for instance, and remains a threat, the agencies warned. 

Rather than using strategies that require user interaction, the group seems to prefer exploiting vulnerable, public-facing infrastructure and prioritising the collection of valid credentials. It frequently latches onto public exploits as soon as they become available, creating a "patching race" for organisations. 

"The focus on public-facing infrastructure is interesting. It shows they're looking for the path of least resistance; why bother with elaborate phishing campaigns when you can just hit exposed vulnerabilities directly?" stated Tal Mandel Bar, product manager at DoControl. 

The APT targets newly disclosed flaws, but it also has access to a large number of older exploits, according to the agencies. As a result, a comprehensive vulnerability management effort is necessary.

Comprehensive reconnaissance efforts 

APT40 conducts reconnaissance against networks of interest on a regular basis, "including networks in the authoring agencies' countries, looking for opportunities to compromise its targets," according to the joint advice. The group then employs Web shells for persistence and focuses on extracting data from sensitive repositories.

"The data stolen by APT40 serves dual purposes: It is used for state espionage and subsequently transferred to Chinese companies," Chris Grove, director of cybersecurity strategy at Nozomi Networks, stated. "Organizations with critical data or operations should take these government warnings seriously and strengthen their defenses accordingly. One capability that assists defenders in hunting down these types of threats is advanced anomaly detection systems, acting as intrusion detection for attackers able to 'live off the land' and avoid deploying malware that would reveal their presence." 

APT40's methods have also advanced, with the group now adopting the use of compromised endpoints such as small-office/home-office (SOHO) devices for operations, allowing security agencies to better track it. Volt Typhoon's noted approach is just one of many parts of the group's operation that are comparable to other China-backed threat groups including Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, the advisory reads. 

The advisory provides mitigating approaches for APT40's four major types of tactics, techniques, and procedures (TTPs), which include initial access, execution, persistence, and privilege escalation.
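Added example (mine, not from either post or the advisory): triaging scanner findings against a KEV-format feed the way the Windows 10 post's August 26 deadline and the APT40 "patching race" suggest, ordering internet-facing hosts first and then anything already past its KEV due date. The feed and inventory are constructed; the CISA field names are the real catalog's, but the CVE-EXAMPLE-* entries are placeholders and the year 2024 for the August 26 deadline is assumed.

```python
import json
from datetime import date

# Constructed sample feed in the layout of CISA's KEV JSON catalog. Field names match the
# real catalog; the CVE-EXAMPLE-* entries and their dates are made up for this example, and
# CVE-2018-0824's due date follows the post above with the year 2024 assumed.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2018-0824", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-08-05", "dueDate": "2024-08-26",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2024-08-25", "dueDate": "2024-09-15",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory: open CVEs a scanner reported per host, plus exposure.
ASSETS = [
    {"host": "web-01", "internet_facing": True, "open_cves": ["CVE-EXAMPLE-0001"]},
    {"host": "file-02", "internet_facing": False, "open_cves": ["CVE-2018-0824"]},
    {"host": "lab-03", "internet_facing": True, "open_cves": ["CVE-2018-0824", "CVE-EXAMPLE-0002"]},
]

def load_kev(feed_json):
    """Index a KEV feed by CVE id, with its dates parsed."""
    catalog = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            "added": date.fromisoformat(entry["dateAdded"]),
            "due": date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        }
    return catalog

def triage(assets, catalog, today_iso):
    """Return (KEV-listed findings in remediation order, CVEs not in the catalog)."""
    today = date.fromisoformat(today_iso)
    findings, not_in_kev = [], []
    for asset in assets:
        for cve in asset["open_cves"]:
            entry = catalog.get(cve)
            if entry is None:
                not_in_kev.append((asset["host"], cve))
                continue
            days_until_due = (entry["due"] - today).days
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "internet_facing": asset["internet_facing"],
                "overdue": days_until_due < 0,
                "days_until_due": days_until_due,
                "ransomware": entry["ransomware"],
                # KEV allows this many days between listing and deadline; an actor that
                # weaponises public exploits within hours does not wait for it.
                "kev_window_days": (entry["due"] - entry["added"]).days,
            })
    findings.sort(key=lambda f: (
        not f["internet_facing"],  # exposed services first: the path of least resistance
        not f["overdue"],          # then anything already past its KEV deadline
        not f["ransomware"],       # then known ransomware use
        f["days_until_due"],       # then soonest deadline
    ))
    return findings, not_in_kev

if __name__ == "__main__":
    ordered, unlisted = triage(ASSETS, load_kev(KEV_FEED), "2024-09-01")
    for f in ordered:
        print(f"{f['host']:8} {f['cve']:17} exposed={f['internet_facing']} "
              f"overdue={f['overdue']} due_in={f['days_until_due']}d")
    print("not in KEV (still track, lower urgency):", unlisted)
```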

A World of Novel Risks: Stress-Testing Security Assumptions

 

The most severe security failures are generally those that we cannot anticipate – until they occur. Prior to 9/11, national security and law enforcement planners expected that airline hijackers would land their planes and negotiate a settlement — until they didn't. Prior to Stuxnet, control system engineers believed that air-gapped systems could operate without interference—until a virus was installed. Prior to the discovery of the SolarWinds breach in 2020, IT managers believed that verified updates to a trusted network management platform were legitimate and safe—until the platform itself became the target of a devastating supply chain attack. 

The severity of harm caused by these incidents is often determined by the extent to which the novel risks were unforeseen, or assumed not to be threats in the first place. In other words, the more basic the assumption, the more harmful the compromise. The objective of security is to be safe not only now, but also in the future, anticipating and mitigating threats that might arise at a later time and place through adequate preparation. And the assumptions we make about the future environment form the basis for that work. Assumptions are required for any security strategy to be cohesive. But they have a shelf life. 

It is doubtful that today's assumptions will still hold later on. We understand that growing interdependencies will inevitably lead to cross-domain and cross-disciplinary security concerns. We are aware that the endless cycles of discover and patch, identify and neutralise, and detect and respond will be even more difficult to sustain than they are now, because of the pace of change driven by the rate of technological advancement. 

Adopting a future-resilience approach 

Recognising the shifting situation, we have endeavoured to speed this process by collecting and sharing more data, gaining deeper insights from more powerful analytics, detecting threat actors and their behaviours earlier, and responding faster to ongoing attacks. 

But we are falling further behind. We learn a threat actor's aims and attack methods, let alone its specific moves, too late. The primary challenge is to plan for a future with an unknown risk profile. To become more resilient in a world of "unseen until it's too late" challenges, we must tighten our strategies and stress-test our assumptions. The future of security will be about resilience in the face of unknown hazards. Monitoring trends and anticipating threats is not sufficient. We must also reconsider the assumptions that support our current sense of security. 

A new, future-resilient strategy will need to incorporate a purposeful process of challenging existing assumptions while they are still relevant in order to predict a future in which those assumptions are undermined. Then, based on this new future "reality," we can devise strategies for survival. In other words, we move away from assessing the current environment, making assumptions about the future, identifying threats, and then mitigating those risks, and towards explicitly identifying our assumptions, "making up" threats to undermine those assumptions, and building resilience to survive that future.

Five Challenges to Adoption of Liquid Cooling in Data Centers

 

Data centre liquid cooling systems are becoming increasingly popular due to their greater heat management effectiveness when compared to traditional air cooling methods. However, as technology advances, new security issues emerge, such as cybersecurity and physical risks. 

These concerns are critical to industry professionals as they can result in data breaches, system disruptions, and considerable operational downtime. Understanding and minimising these risks ensures that a data centre is reliable and secure. This method emphasises the significance of a comprehensive approach to digital and physical security in the changing landscape of data centre cooling technology. 

But the transition from air to liquid is not easy. Here are some of the main challenges to the implementation of liquid cooling in data centres: 

Two cooling systems instead of one

It is rarely practical for an established data centre to switch to liquid cooling one rack at a time. The facilities personnel will have to operate two cooling systems rather than one, according to Lex Coors, chief data centre technology and engineering officer of Interxion, the European colocation behemoth. This makes liquid cooling a better option for new data centres or those in need of a major overhaul. 

No standards 

The lack of industry standards for liquid cooling is a significant barrier to widespread use of the technology. "The customer, first of all, has to come with their own IT equipment ready for liquid cooling," Coors stated. "And it's not very standardized -- we can't simply connect it and let it run." Interxion does not currently have customers using liquid cooling, but the company is prepared to support it if necessary, according to Coors. 

Corrosion

Corrosion is a challenge in liquid cooling, as it is in any system that uses water to flow through pipes. "Corrosion in those small pipes is a big issue, and this is one of the things we are trying to solve today," Mr. Coors added. Manufacturers are improving pipelines to reduce the possibility of leaks and to automatically close if one occurs. 

Physical security 

Physical tampering with data centre liquid cooling systems poses serious security threats, since unauthorised modifications can disrupt operations and jeopardise system integrity. Malicious insiders, such as disgruntled employees or contractors, can use their physical access to change settings, introduce contaminants, or disable cooling devices. 

Such acts can cause overheating, device failures, and protracted downtime, compromising data centre performance and security. Insider threats highlight the importance of rigorous access controls, extensive background checks, and ongoing monitoring of personnel activities. These elements help to prevent and respond promptly to physical sabotage. 

Operational complexity 

The company that offers colocation and cloud computing services, Markley Group, plans to implement liquid cooling in a high-performance cloud data centre early next year. According to Jeff Flanagan, executive VP of Markley Group, the biggest risk could be increased operational complexity. 

"As a data center operator, we prefer simplicity," he said. "The more components you have, the more likely you are to have failure. When you have chip cooling, with water going to every CPU or GPU in a server, you're adding a lot of components to the process, which increases the potential likelihood of failure."

Cisco Firepower Management Center Impacted By a High-Severity Vulnerability

 

Cisco addressed a flaw in the web-based management interface of the Firepower Management Center (FMC) Software, identified as CVE-2024-20360 (CVSS score 8.8). 

The vulnerability is a SQL injection bug; an intruder can use it to acquire any data from the database, run arbitrary commands on the underlying operating system, and elevate privileges to root. The attacker can only exploit this flaw if they have at least Read Only user privileges. 

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.” reads the advisory. “This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system.” 

“A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials,” the advisory adds. 

According to Cisco, there is no workaround that addresses this vulnerability. The IT giant confirmed that neither Firepower Threat Defense (FTD) nor Adaptive Security Appliance (ASA) software is affected by it. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any attacks exploiting this vulnerability in the wild. 

Security patch 

Cisco has published free software upgrades to address the vulnerability stated in the advisory. Customers with service contracts that include regular software updates should receive security fixes through their usual update channels. Customers can only install and get support for software versions and feature sets for which they have acquired a licence. Customers agree to abide by the terms and conditions of the Cisco software licence while installing, downloading, accessing, or using such software upgrades. 

Furthermore, customers may only download software for which they have a valid licence, either directly from Cisco or through a Cisco authorised reseller or partner. In most cases, this will be a maintenance upgrade for already purchased software. Customers that receive free security software updates are not entitled to a new software licence, additional software feature sets, or significant revision upgrades.

Deepfakes and AI’s New Threat to Cyber Security

 

With its potential to manipulate reality, violate privacy, and facilitate crimes like fraud and character assassination, deepfake technology presents significant risks to celebrities, prominent individuals, and the general public. This article analyses recent incidents which bring such risks to light, stressing the importance of vigilance and preventative steps.

In an age where technology has advanced at an unprecedented rate, the introduction of deepfake technologies, such as Stable Diffusion software, presents a serious and concerning threat. This software, which was previously only available to trained experts, is now shockingly accessible to the general public, raising severe concerns about privacy, security, and the integrity of digital content.

The alarming ease with which Stable Diffusion software can be downloaded and used has opened a Pandora's box of possible abuse. With a few clicks, anyone with basic technological knowledge can access these tools, which can generate hyper-realistic deepfakes. This software, which employs sophisticated artificial intelligence algorithms, can modify photographs and videos to the point that the generated content appears astonishingly real, blurring the line between truth and deception. 

This ease of access significantly lowers the barrier to entry for creating deepfakes, democratising a technology that was previously only available to individuals with significant computational resources and technical expertise. Anyone with a simple computer and internet access can now use Stable Diffusion software. This development has significant ramifications for personal privacy and security. It raises serious concerns about the potential for abuse, particularly against prominent figures, celebrities, and high-net-worth individuals, who are frequently the targets of such malicious activity. 

Rise in incidents 

Targeting different sectors 

Deepfakes: According to the World Economic Forum, the number of deepfake videos online has increased by an astonishing 900% every year. The surge in cases of harassment, revenge, and crypto frauds highlights an increasing threat to everyone, especially those in the public eye or with significant assets. 

Elon Musk impersonation: In one noteworthy case, scammers used a deepfake video of Elon Musk to promote a fraudulent cryptocurrency scheme, causing large financial losses for people misled by the hoax. This instance highlights the potential for deepfakes to be utilised in sophisticated financial crimes against naïve investors.

Targeting organisations: Deepfakes offer a significant threat to organisations, with reports of extortion, blackmail, and industrial espionage. A prominent case involves fraudsters tricking a bank manager in the UAE with a voice deepfake, resulting in a $35 million robbery. In another case, scammers used a deepfake to deceive Binance, a large cryptocurrency platform, during an online encounter.

Conclusion 

The incidents mentioned above highlight the critical need for safeguards against deepfake technology. This is where services like Loti come in, providing tools to detect and counteract unauthorised usage of a person's image or voice. Celebrities, high-net-worth individuals, and corporations use such safeguards to protect not only their privacy and reputation, but also against potential financial and emotional harm.

Finally, as deepfake technology evolves and presents new issues, proactive measures and increased knowledge can help reduce its risks. Companies like Loti provide a significant resource in this continuous battle, helping to maintain personal and professional integrity in the digital age.

Here's Why Tokens Are Like Treasure for Opportunistic Attackers

Authentication tokens are not tangible tokens, of course. However, if these digital IDs are not routinely expired or restricted to a single device, they may be worth millions of dollars in the hands of threat actors.

Authentication tokens (commonly called "session tokens") play a vital role in cybersecurity. They encapsulate login authorization data, allowing for app validations and safe, authenticated logins to networks, SaaS applications, cloud computing, and identity provider (IdP) systems, as well as single sign-on (SSO) enabling ubiquitous corporate system access. This means that everyone holding a token has a gold key to company systems without having to complete a multifactor authentication (MFA) challenge.

Drawbacks of employee convenience

The lifetime of a token is frequently used to achieve a balance between security and employee convenience, allowing users to authenticate once and maintain persistent access to applications for a set period of time. The attackers are increasingly obtaining these tokens through adversary-in-the-middle (AitM) attacks, in which the hacker is positioned between the user and legitimate applications to steal credentials or tokens, as well as pass-the-cookie attacks, which steal session cookies stored on browsers. 

Personal devices also hold browser caches, but they are not subject to the same level of security as corporate systems, so threat actors can more easily capture tokens from inadequately secured personal devices. Yet personal devices are frequently granted access to corporate SaaS apps, posing a risk to corporate networks.

Once a threat actor secures a token, they get access to the user's rights and authorizations. If they have an IdP token, they can use the SSO features of all business applications that are integrated with the IdP without the need for an MFA challenge. If it is an admin-level credential with accompanying privileges, they have the ability to destroy systems, data, and backups. The longer the token remains active, the more they can access, steal, and damage. Furthermore, they can create new accounts that do not require the token for persisted network access. 

While frequent expiration of session tokens will not prevent these types of assaults, it will significantly reduce the risk footprint by limiting the window of opportunity for a token to work. Unfortunately, we often notice that tokens are not being expired at regular intervals, and some breach reports indicate that default token expirations are being purposely extended. 
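The token-lifetime trade-off described above, as an added example that is not part of the original post: a server-side session store that enforces an absolute lifetime, an idle timeout and device pinning, run side by side with a lax 60-day policy of the kind the Okta and Cloudflare timeline below implies. The policy values, user name and device attribute strings are constructed assumptions.

```python
"""Session-token lifetime and device-pinning policy (added example, not from the post).
Policy values, user names and device attributes below are constructed assumptions."""
import hashlib
import secrets
from dataclasses import dataclass

DAY = 86400


@dataclass
class Policy:
    max_age_s: int     # absolute lifetime measured from issuance
    idle_s: int        # longest allowed gap between two uses
    pin_device: bool   # reject use from any device other than the issuing one


@dataclass
class Session:
    user: str
    device_fp: str     # hash of client attributes captured at login
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side store keyed by an opaque random token (the session cookie value)."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def fingerprint(device_attrs: str) -> str:
        # Assumption: the login flow collapses stable client attributes into one string.
        return hashlib.sha256(device_attrs.encode()).hexdigest()

    def issue(self, user: str, device_attrs: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.fingerprint(device_attrs), now, now)
        return token

    def validate(self, token: str, device_attrs: str, now: float) -> str:
        """Return 'ok' or the reason the token was rejected; rejected tokens are dropped."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.issued_at > self.policy.max_age_s:
            reason = "expired"
        elif now - s.last_seen > self.policy.idle_s:
            reason = "idle_timeout"
        elif self.policy.pin_device and s.device_fp != self.fingerprint(device_attrs):
            reason = "device_mismatch"   # treat as theft, not as a user error
        else:
            s.last_seen = now
            return "ok"
        del self._sessions[token]        # a rejected token must not keep working
        return reason

    def revoke_user(self, user: str) -> int:
        """Kill every session of one user (what breach response should do); returns the count."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def stolen_token_outcomes() -> dict:
    """Replay a token copied at login under a lax and a strict policy."""
    stores = {
        "lax": SessionStore(Policy(60 * DAY, 60 * DAY, pin_device=False)),
        "strict": SessionStore(Policy(8 * 3600, 15 * 60, pin_device=True)),
    }
    results = {}
    for name, store in stores.items():
        corp = "corp-laptop|chrome|tls-fp-A"     # constructed device attributes
        t1 = store.issue("alice", corp, now=0.0)
        for offset in (0.0, 600.0, 1200.0):      # legitimate use in the first 20 minutes
            store.validate(t1, corp, offset)
        t2 = store.issue("alice", corp, now=0.0)
        results[name] = {
            "replay_other_device_25min": store.validate(t1, "other-box|curl|tls-fp-B", 1500.0),
            "replay_same_device_day45": store.validate(t2, corp, 45 * DAY),
        }
    return results


if __name__ == "__main__":
    print(stolen_token_outcomes())
```

Under the lax policy both replays succeed; under the strict policy the cross-device replay is rejected and the day-45 replay has long since expired.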

Token attacks in the spotlight 

Last year, multiple breaches involving stolen authentication tokens made headlines. Two incidents involved hacked IdP tokens. According to Okta, threat actors were in their systems from September 28 to October 17 as a result of a compromised personal Gmail account. A saved password from the Gmail account was synchronised in the Chrome browser, granting access to a service account, most likely without MFA enforcement. 

Once inside the service account, threat actors were able to obtain additional customer session tokens from ServiceNow's HAR files. The hack ultimately impacted all Okta customer support users. 

Notably, on November 23, 2023, Cloudflare discovered a threat actor attacking its systems via session tokens obtained from the Okta hack. This suggests that these session tokens did not expire 30 to 60 days after the Okta breach – not as a usual course of business, and not in response to the breach.

In September 2023, Microsoft also announced that threat actors had gotten a consumer signing key from a Windows crash dump. They then exploited it to attack Exchange and Active Directory accounts by exploiting an undisclosed flaw that allowed business systems to accept session tokens signed with the consumer's signing key. This resulted in the theft of 60,000 US State Department emails. This hack may not have had the same impact if tokens had been more aggressively expired (or pinned).

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.

Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.

Thousands of Outdated Microsoft Exchange Servers are Susceptible to Cyber Attacks

A large number of Microsoft Exchange email servers in Europe, the United States, and Asia are currently vulnerable to remote code execution flaws due to their public internet exposure. These servers are running out-of-date software that is no longer supported, and as a result, they do not receive any updates or security patches. As a result, they are vulnerable to a variety of security issues, some of which have critical severity ratings. 

Recent internet scans conducted by The ShadowServer Foundation have disclosed that nearly 20,000 Microsoft Exchange servers are presently accessible via the public internet and have reached the end of life stage. These statistics, however, may not be indicative of the whole picture. Yutaka Sejiyama, a Macnica security researcher, carried out additional research and identified over 30,000 Microsoft Exchange servers that have reached end-of-life status. 

Sejiyama's Shodan scans discovered nearly 30,635 unsupported Microsoft Exchange devices on the public web. There were 275 Exchange Server 2007 instances, 4,062 Exchange Server 2010 instances, and a whopping 26,298 Exchange Server 2013 instances. 

One of the main concerns with these old servers is the possibility of remote code execution. Outdated Exchange servers are vulnerable to a number of remote code execution bugs, including the critical ProxyLogon vulnerability (CVE-2021-26855), which can be combined with the less serious CVE-2021-27065 flaw to allow remote code execution.

According to Sejiyama's analysis of the scanned systems' build numbers, approximately 1,800 Exchange servers are still vulnerable to ProxyLogon, ProxyShell, and ProxyToken vulnerabilities. 

While some of these flaws do not have critical severity ratings, Microsoft still considers them "important." Furthermore, with the exception of the ProxyLogon chain, which was previously exploited in attacks, all of these flaws are believed to be "more likely" to be targeted. 

Organisations that continue to use obsolete Exchange servers despite having implemented available mitigations are still susceptible. Microsoft strongly advises prioritising the installation of updates on servers that are exposed to the outside world. The only option for servers that have reached the end of support is to upgrade to a version that continues to get security patches. 

The identification of tens of thousands of vulnerable Microsoft Exchange servers emphasises the critical importance of updating software and applying security patches on a regular basis. Failure to do so exposes businesses to the risk of remote code execution and other security breaches.

Unpatched ICS Flaws in Critical Infrastructure: CISA Issues Alert

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) released recommendations for a total of 49 vulnerabilities in eight industrial control systems (ICS) utilised by businesses in various critical infrastructure sectors. Several of these vulnerabilities are still unpatched. 

Organizations in the critical infrastructure sectors must increasingly take cybersecurity into account. Environments for ICS and operational technology (OT) are becoming more and more accessible via the Internet and are no longer air-gapped or compartmentalised as they once were. As a result, both ICS and OT networks have grown in popularity as targets for both nation-state players and threat actors driven by financial gain.

That's bad because many of the flaws in the CISA advisory can be exploited remotely, have low attack complexity, and give attackers access to target systems so they can manipulate settings, elevate privileges, bypass security measures, steal data, and crash systems. Products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM all have high-severity vulnerabilities.

The CISA recommendation was released at the same time as a study from the European Union on threats to the transportation industry, which included a similar warning about the possibility of ransomware attacks on OT systems used by organisations that handle air, sea, rail, and land transportation. Organizations in the transportation industry are also affected by at least some of the susceptible systems listed in CISA's alert. 

Critical vulnerabilities

Siemens' RUGGEDCOM APE1808 technology contains seven of the 49 vulnerabilities listed in CISA's alert and is not currently patched. The flaws give an attacker the ability to crash or increase the level of privileges on a compromised system. The device is presently used by businesses in several critical infrastructure sectors all around the world to host commercial applications. 

The Scalance W-700 devices from Siemens have seventeen more defects in various third-party parts. The product is used by businesses in the chemical, energy, food, agricultural, and manufacturing sectors as well as other critical infrastructure sectors. In order to protect network access to the devices, Siemens has urged organisations using the product to update their software to version 2.0 or later. 

InfraSuite Device Master, a solution used by businesses in the energy sector to keep tabs on the health of crucial systems, is impacted by thirteen of the recently discovered vulnerabilities. Attackers can utilise the flaws to start a denial-of-service attack or to obtain private information that could be used in another attack. 

Other vendors in the CISA advisory with several defects in their products include Visam, whose Vbase Automation technology had seven flaws, and Rockwell Automation, whose ThinManager product, used in the critical manufacturing sector, had three flaws. Keysight had one vulnerability in its Keysight N6845A Geolocation Server, used by communications and government organisations, while Hitachi updated details on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products.

For the second time in recent weeks, CISA has issued a warning to firms in the critical infrastructure sectors regarding severe flaws in the systems such organisations employ in their operational and industrial technology settings. Similar warnings on flaws in equipment from 12 ICS suppliers, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio, were released by the FCC in January. 

Many of the defects in the previous warning, like the current collection of flaws, allowed threat actors to compromise systems, increase their privileges, and wreak other havoc in ICS and OT contexts. 

OT systems under attack

A report this week on cyberthreats to the transportation industry from the European Union Agency for Cybersecurity (ENISA) issued a warning about potential ransomware attacks against OT systems. The report's analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022 was the basis for the report. 

According to the data, 47% of the attacks were carried out by cybercriminals who were motivated by money. The majority of these attacks (38%) involved ransomware. Operational disruptions, spying, and ideological assaults by hacktivist groups were a few more frequent reasons. 

Even while these attacks occasionally caused collateral damage to OT systems, ENISA's experts did not discover any proof of targeted attacks on them in the 98 events it examined. 

"The only cases where OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report stated. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The research from the European cybersecurity agency cited an earlier ENISA investigation that warned of ransomware attackers and other new threat groups tracked as Kostovite, Petrovite, and Erythrite that target ICS and OT systems and networks. The report also emphasised the ongoing development of malware designed specifically for industrial control systems, such as Industroyer, BlackEnergy, CrashOverride, and InController, as indicators of increasing attacker interest in ICS environments. 

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report further reads. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."

Ransomware is Now the Top Attack Vector Due to Bug Exploitation

Security experts at Secureworks have revealed that vulnerability exploitation has accounted for 52% of ransomware incidents investigated by the company over the past 12 months. This makes it the number one initial access vector for attackers, according to a new report published by the company.

As an annual report, the security firm's State of the Threat report is compiled based on the insight gathered from the anti-terrorism unit of the organization over the past year.

A leading ransomware researcher has found that last year, ransomware actors mainly exploited vulnerabilities in internet-exposed systems to gain access, rather than relying on stolen credentials (often associated with the compromise of Remote Desktop Protocol (RDP)) or malicious emails.

Reports suggested that this shift in tactics may be a direct result of a significant imbalance between the capabilities of threat actors and those of network defenders.

At the same time as threat actors are rapidly weaponizing newly discovered vulnerabilities, developers of offensive security tools (OSTs), driven by the need to generate profit or keep their tools relevant, are also implementing updated exploit code as soon as possible, the report illustrated.

It is often overlooked that responsible disclosure does not always mean waiting for a patch to become available. Even when a patch is available, patching a vulnerability in an enterprise environment is far more complicated and much slower than it is for threat actors or OST developers to weaponize publicly accessible exploit code.

As a result, vulnerability management teams must also take precautions against the persistent threat of credential-based attacks. In a recent report, Secureworks reported a 150% growth in the use of info-stealers that are designed to grab credentials from networks and gain access to them in an attempt to steal sensitive information.

An anti-virus vendor reported that on a single day in June it observed over 2.2 million credentials, harvested by info-stealers, being offered for sale on an underground platform.

According to Secureworks, ransomware continues to represent the number one threat to global organizations, accounting for more than a quarter of the attacks analyzed by the company. Among the threats that have been reported, most of them have been linked to Russian cybercrime groups.

So far this year, the good news is that the median dwell time of attackers has dropped from 22 days in 2021 to 11 days. This is a decrease of two days from last year, but it still leaves attackers with plenty of time to steal data from organizations and deploy the payloads for ransomware attacks.

Preventions for ransomware attacks


Safeguarding your systems from malware attacks includes simple yet effective measures like

• Never click on unknown or unauthorized links or stores.
• Never input your personal information on unofficial stores or websites.
• Never click on any unknown attachments on emails.
• Never plug into any unknown USB sticks.
• Never download any software or application from unauthorized sources.
• Always keep your systems up-to-date.
• Always use a VPN when on public Wi-Fi.

To ensure that the vulnerabilities do not get exploited, you need to identify and address them as soon as possible. Keeping track of your vital systems and their security is impossible without implementing an effective vulnerability management system (VM). 

Choosing the right VM tools is important as they provide accuracy, guidance in the right directions, and efficiency, to help your team in dealing with the most critical vulnerabilities. Once you establish a scalable and sustainable VM program you will be capable of defending your systems from ransomware attacks.

The Log4j Incident Demonstrated Again That Publicly Disclosing 0-day Vulnerabilities Only Aids Intruders

On December 9, 2021, a (now-deleted) tweet pointing to a 0-day proof of concept (PoC) exploit for the Log4Shell vulnerability on GitHub set the internet ablaze, sending businesses rushing to mitigate, patch, and patch again as other PoCs surfaced. 

Public vulnerability disclosure – that is, revealing to the world the existence of a bug in an application, a library, an extension, or another piece of software, and releasing a proof-of-concept (PoC) that exploits it – occurs frequently for vulnerabilities in a wide range of software, from the most esoteric to the most mundane (and widely used).

Threat actors are the only ones who benefit from the public disclosure of 0-day PoCs, as per research and experience, because it puts enterprises in the awkward position of needing to remediate the issue without having anything solid to mitigate it with (i.e., a vendor's patch). 

There are several different types of responsible vulnerability disclosure systems available today. Some companies have an official vulnerability disclosure programme while others arrange and operate it through crowdsourced platforms. Companies typically offer money for information concerning flaws in their products (also known as "bug bounties"). 

Those disclosures usually follow a set of steps, and vendor patches have clearly stated release dates so that users have plenty of time to install them (90 days is the accepted standard for this). 

When the Log4Shell vulnerability was announced publicly, the disclosure procedure was already underway (as evidenced by the pull request on GitHub that appeared on November 30). The following is the timeline of the disclosure, according to information provided by the Apache Software Foundation:
  • November 24: The Log4j maintainers were informed
  • November 25: The maintainers accepted the report, reserved the CVE, and began researching a fix
  • November 26: The maintainers communicated with the vulnerability reporter
  • November 29: The maintainers communicated with the vulnerability reporter
  • December 4: Changes were committed
  • December 5: Changes were committed
  • December 7: First release candidate created
  • December 8: The maintainers communicated with the vulnerability reporter, made additional fixes, and created a second release candidate
  • December 9: Patch released

While user comments on the Apache Log4j GitHub project page expressed dissatisfaction with the timeliness of the update, this is to be expected when it comes to patching vulnerabilities - as everyone keeps pointing out, after all, the patch was developed by volunteers.

Probable reasons for releasing PoC 

There could be valid and logical reasons for releasing a 0-day proof-of-concept. The most prevalent of these is a breakdown of the vulnerability disclosure process: the vendor may not be, or may cease to be, responsive; may judge the vulnerability too minor to warrant a fix; or may take too long to fix it – or any combination of the above.

In situations like these, security researchers frequently decide to make the PoC public for the "common good," i.e. to force vendors to release a patch quickly. Other factors could include publicity (especially if the researcher is associated with a security vendor) – nothing attracts more press attention than zero-day proof-of-concept exploits for a widely used piece of software, especially if no patch is available. 

However, it should be noted that the evidence against publishing proof-of-concept exploits is now substantial and overwhelming. According to a study conducted by Kenna Security, sharing proof-of-concept attacks mostly assists attackers. A presentation at Black Hat several years ago walked through the lifecycle of zero-days and how they were released and exploited, demonstrating that if proof-of-concept exploits aren't publicly disclosed, the vulnerabilities in question aren't discovered for an average of 7 years by anyone else (threat actors included).

Unfortunately, during the Log4j scramble, this lesson came a little too late. Although the initial tweets and disclosures were quickly withdrawn, the harm had already been done. Even the most recent revelation, which resulted in the release of patch 2.17.1, generated so much criticism from the security community that the researcher apologized publicly for the publication's bad timing.

It's encouraging to see that public disclosure of PoC exploits is becoming more common. Researchers who choose to jump the gun need to be criticized, but we must all work together to ensure that more rigorous disclosure mechanisms are in place for everyone, so that the public PoC scenario is avoided the next time a vulnerability like Log4Shell is uncovered.

LeetHozer and Moobot Have The Same Attack Maneuvers?


Sharing has become a thing with cyber-criminals and their malware mechanisms. Reportedly, the LeetHozer botnet was found to have attack tactics similar to those of the Moobot malware family. Researchers have reason to think that the party that created Moobot could also be the one that created LeetHozer.

Per researchers, the LeetHozer botnet has been counting on other kinds of malware for a little bit of sharing here and there. Per sources, it has in the past used the loader and reporter system that the Mirai uses.

Apparently, despite using the same mechanisms as Mirai, the LeetHozer threat was a little different. According to researchers, other Mirai components were also altered, including the encryption procedure, the bot program, and the command and control protocol. The unique "string and downloader", too, were revealed to be of the same kind as Mirai's.

Per reports, the botnet was noticed when it was found to be exploiting a vulnerability in the telnet service of a device. It made use of the default password to get access to the device. Once the device was infected, LeetHozer sent the device's information to its reporter mechanism, which passed it to the command and control server, from which the instructions for the Denial-of-Service attack were finally received.

The history of various attacks has it that Moobot has been a part of quite a lot of attacks ever since it first surfaced last year. According to researchers, several threat actors have made use of it to exploit zero-day vulnerabilities. It was discovered by the researchers while it was exploiting a zero-day vulnerability in fiber routers, reports mention. It is hence needless to say that one of the major attack tactics of Moobot is exploiting any zero-day flaw it can get its claws into.

There are numerous ways in which an organization can create a barricade against any such attacks. The cyber and technological security personnel could design a response plan and a contingency plan specifically against DDoS attacks; systems should be backed up at all times, and configured so that as soon as the network is attacked the backup kicks in. Also, researchers suggest that artificial intelligence could prove to be a very effective solution for such problems.