
Zero-Trust Log Intelligence: Safeguarding Data with Secure Access



Over the years, zero trust has become a popular model adopted by organisations because of a growing need to keep confidential information safe, something organisations view as paramount in cybersecurity. Zero trust is a security framework that differs fundamentally from the traditional perimeter-based model. Instead of relying on a robust boundary, zero trust grants access to resources only after constant validation of every user and every device they use, regardless of an individual's position within the organisation or how long they have worked there. This "never trust, always verify" policy grants each person, even a long-tenured employee, only the minimum access needed to fulfil their tasks. Because much of the information cybersecurity relies on is log file data, zero trust principles can better safeguard this sensitive information.

Log Files: Why They Are Both Precious and Vulnerable

Log files record all the digital interactions happening on the network, so they can reveal vulnerabilities in a system for remediation. They are also a good source for tracing how a company's activities perform: analysing log files for anything out of place, or for anomalies in system behaviour, allows speedy intervention when security lapses occur. At the same time, these log files can expose organisations to risk if they fall into the wrong hands, whether through theft of confidential data or through malicious modification. Access to log files therefore has to be strictly controlled and limited to authorised users, because misuse must be avoided to keep the network secure.

Collecting and Storing Log Data Securely

Zero trust can only be implemented well if log file collection and storage are sound. This means collecting real-time data into a tamper-resistant environment that prevents unauthorised modification. OpenTelemetry has recently gained popularity for this, thanks to its ability to collect from multiple data sources and to integrate securely with many databases, most notably PostgreSQL.

Secure log storage can also apply blockchain technology. A decentralised, immutable structure like a blockchain ensures that logs cannot be altered and that their records remain transparent and tamper-proof. Because a blockchain operates across multiple nodes rather than a single central point, staging a focused attack on the log data becomes nearly impossible.
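
As an added example that is not part of the original post, the following single-node hash chain shows the tamper-evidence property the post credits to blockchain-backed log storage: each record carries the digest of its predecessor, so editing, deleting or reordering any entry is detected at verification time. The log entries are constructed, and a real deployment would add signatures and replication of the chain across independent nodes.

```python
"""Tamper-evident log storage as a hash chain.

Added example; not code from the original post. It demonstrates, on a
single node, the integrity property the post attributes to blockchain-backed
log storage: each record embeds the SHA-256 digest of its predecessor, so
editing, deleting or reordering any stored record breaks the chain at or
after that point and verification reports where. A real deployment would
also sign records and replicate the chain to independent nodes, which is
what stops an attacker from simply rewriting every later record.
"""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64  # anchor used as prev_hash of the first record


@dataclass
class LogRecord:
    index: int
    timestamp: str
    source: str
    message: str
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        """Digest over every field except `hash`, serialised canonically."""
        body = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "source": self.source, "message": self.message,
             "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


class HashChainLog:
    """Append-only log whose records are linked by their digests."""

    def __init__(self) -> None:
        self.records: list[LogRecord] = []

    def append(self, timestamp: str, source: str, message: str) -> LogRecord:
        prev = self.records[-1].hash if self.records else GENESIS_HASH
        rec = LogRecord(len(self.records), timestamp, source, message, prev)
        rec.hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (True, None) or (False, first bad position)."""
        expected_prev = GENESIS_HASH
        for pos, rec in enumerate(self.records):
            if (rec.index != pos or rec.prev_hash != expected_prev
                    or rec.compute_hash() != rec.hash):
                return False, pos
            expected_prev = rec.hash
        return True, None


def build_sample_log() -> HashChainLog:
    """Constructed sample entries, not real log data."""
    log = HashChainLog()
    log.append("2024-01-15T09:00:01Z", "sshd", "Accepted publickey for alice from 203.0.113.10")
    log.append("2024-01-15T09:00:07Z", "sudo", "alice : COMMAND=/usr/bin/systemctl restart nginx")
    log.append("2024-01-15T09:00:09Z", "sshd", "Disconnected from user alice 203.0.113.10")
    return log


def tamper_scenarios() -> dict[str, tuple[bool, int | None]]:
    """Verification result for an intact chain and three kinds of tampering."""
    intact = build_sample_log()

    edited = copy.deepcopy(intact)            # change stored text in place
    edited.records[1].message = "alice : COMMAND=/usr/bin/ls"

    rehashed = copy.deepcopy(edited)          # also recompute that record's own hash
    rehashed.records[1].hash = rehashed.records[1].compute_hash()

    deleted = copy.deepcopy(intact)           # drop the sudo entry entirely
    del deleted.records[1]

    # Editing is caught at the edited record; rehashing it only moves the
    # break to the next record, whose prev_hash no longer matches; deletion
    # is caught because the following record's index no longer fits its slot.
    return {"intact": intact.verify(), "edited": edited.verify(),
            "rehashed": rehashed.verify(), "deleted": deleted.verify()}


if __name__ == "__main__":
    for name, (ok, pos) in tamper_scenarios().items():
        print(f"{name:9s} chain_ok={ok} first_bad_record={pos}")
```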

Imposing Least Privilege Access Control

Least privilege access is one of the core principles of zero-trust security: end-users have access only to what is required to achieve their task. Balancing this principle with efficient log analysis can be challenging, however; traditional access control methods, such as data masking or classification, frequently fall short and are not very practical. One promising solution to this problem is homomorphic encryption, which enables analysis of data in its encrypted state. Analysts can evaluate log files without ever directly seeing the unencrypted data, so security is maintained without impacting workflow.

Homomorphic encryption reaches beyond the analyst. Other critical stakeholders, such as administrators, can hold permissions on the data without being able to read its actual contents. Logs therefore stay secure even within internal teams, and the chance of accidental exposure is reduced.

In-House AI for Threat Detection

Companies can further secure log data by deploying in-house AI models that run directly within their database, minimising external access. For instance, a company can use a private SLM (small language model) trained specifically to analyse its logs. This allows safe and accurate threat detection without sharing any logs with third-party services. A further advantage of an AI trained on relevant log data is less bias, since all operations depend only on relevant encrypted log data, giving the organisation precise and relevant insights.

Organisations can ensure maximum security while minimising exposure to potential cyber threats by applying a zero-trust approach through strict access controls and keeping data encrypted all through the analysis process.

Zero-Trust for Optimal Log Security

Zero trust security, using blockchain and homomorphic encryption to ensure the integrity and privacy of the information under management, appears to be one of the more effective approaches to log file intelligence. Logs, a source of valuable security insights, are locked down and kept well protected against unauthorised access and modification.

Even if an organisation does not adopt zero trust completely for its systems, it should still treat the protection of its logs as a priority. Taking on the essential aspects of zero trust, such as minimal permissions and secured storage, helps organisations decrease their vulnerability to cyber attacks while protecting this critical source of data.




Secrets of SharePoint Security: New Techniques to Evade Detection




According to a recent discovery by Varonis Threat Labs, two new techniques have emerged that pose a significant threat to data security within SharePoint, a widely used platform for file management. These techniques enable users to evade detection and retrieve files without triggering alarm bells in audit logs.

Technique 1: Open in App Method

The first technique leverages SharePoint's "open in app" feature, allowing users to access and download files while leaving behind only access events in the file's audit log. This method, which can be executed manually or through automated scripts, enables rapid exfiltration of multiple files without raising suspicion.

Technique 2: SkyDriveSync User-Agent

The second technique exploits the User-Agent for Microsoft SkyDriveSync, disguising file downloads as sync events rather than standard downloads. By mislabeling events, threat actors can bypass detection tools and policies, making their activity harder to track.

Implications for Security

These techniques pose a significant challenge to traditional security tools such as cloud access security brokers and data loss prevention systems. By hiding downloads as less suspicious access and sync events, threat actors can circumvent detection measures and potentially exfiltrate sensitive data unnoticed.

Microsoft's Response

Despite Varonis disclosing these methods to Microsoft, the tech giant has designated them as a "moderate" security concern and has not taken immediate action to address them. As a result, these vulnerabilities remain in SharePoint deployments, leaving organisations vulnerable to exploitation.

Recommendations for Organisations

To alleviate the risk posed by these techniques, organisations are advised to closely monitor access events in their SharePoint and OneDrive audit logs. Varonis recommends leveraging User and Entity Behavior Analytics (UEBA) and AI features to detect and stop suspicious activities, such as mass file access.

What Are the Risks?

While SharePoint and OneDrive are essential tools for facilitating file access in organisations, misconfigured permissions and access controls can inadvertently expose sensitive data to unauthorised users. Threat actors often exploit these misconfigurations to exfiltrate data, posing a significant risk to organisations across various industries.

Detection and Prevention Strategies

To detect and prevent unauthorised data exfiltration, organisations should implement detection rules that consider behavioural patterns, including frequency and volume of sync activity, unusual device usage, and synchronisation of sensitive folders. By analysing these parameters, organisations can identify and mitigate potential threats before they escalate.
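
The behavioural detection rules described above and in the Recommendations section, as an added example that is not the post's or Varonis's own code: mass file access (the footprint the "open in app" method leaves behind), sync volume, sync traffic from an address outside a user's baseline, and synchronisation of sensitive folders. The audit records are constructed, their field names are a simplified version of the Microsoft 365 unified audit log shape, and the thresholds, sensitive-folder list and per-user IP baseline are assumptions a tenant would tune from its own history.

```python
"""Behavioural detection rules over SharePoint/OneDrive audit events.

Added example; it is not code from the original post or from Varonis. The
audit records are constructed and use a simplified shape loosely modelled
on Microsoft 365 unified audit log fields (Operation, UserId, ClientIP,
UserAgent, ObjectId, CreationTime); real exports carry many more fields.
Thresholds, the sensitive-folder list and the per-user baseline of sync
client addresses are assumptions that a tenant would tune from history.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters (assumed values, tune per tenant).
WINDOW = timedelta(minutes=10)
MASS_ACCESS_THRESHOLD = 10   # FileAccessed events by one user inside WINDOW
SYNC_VOLUME_THRESHOLD = 5    # full sync downloads by one user inside WINDOW
SENSITIVE_PREFIXES = ("https://contoso.sharepoint.com/sites/Finance/",
                      "https://contoso.sharepoint.com/sites/HR/")
# Baseline: client IPs each user has previously synced from (assumed).
KNOWN_SYNC_IPS = {"alice@contoso.com": {"203.0.113.10"},
                  "bob@contoso.com": {"203.0.113.20"},
                  "carol@contoso.com": {"203.0.113.30"}}
BASE_TIME = datetime(2024, 1, 15, 9, 0, 0)


def _event(op, user, ip, agent, path, offset_s):
    """Build one constructed audit record `offset_s` seconds after BASE_TIME."""
    ts = (BASE_TIME + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Operation": op, "UserId": user, "ClientIP": ip,
            "UserAgent": agent, "ObjectId": path, "CreationTime": ts}


def sample_events():
    """Constructed audit log: a mass-access burst, a suspicious sync, a benign sync."""
    site = "https://contoso.sharepoint.com/sites/"
    # alice opens 12 files in the desktop app within three minutes: only
    # FileAccessed events are written, no FileDownloaded.
    events = [_event("FileAccessed", "alice@contoso.com", "203.0.113.10",
                     "Microsoft Office Word", f"{site}Marketing/brief{i}.docx", i * 15)
              for i in range(12)]
    # bob's sync client pulls six Finance files from an address not in his baseline.
    events += [_event("FileSyncDownloadedFull", "bob@contoso.com", "198.51.100.7",
                      "Microsoft SkyDriveSync", f"{site}Finance/q4/report{i}.xlsx", 300 + i)
               for i in range(6)]
    # carol: a single sync from her usual address on a non-sensitive site.
    events.append(_event("FileSyncDownloadedFull", "carol@contoso.com", "203.0.113.30",
                         "Microsoft SkyDriveSync", f"{site}Marketing/plan.pptx", 420))
    return events


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def peak_window_counts(events, operation, window=WINDOW):
    """Per user, the largest number of `operation` events inside any sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["Operation"] == operation:
            per_user[e["UserId"]].append(parse_time(e["CreationTime"]))
    peaks = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks


def detect(events, known_sync_ips=KNOWN_SYNC_IPS):
    """Return a sorted list of (rule, user, detail) alerts."""
    alerts = set()
    # Rule 1: mass file access, the only trace "open in app" retrieval leaves.
    for user, n in peak_window_counts(events, "FileAccessed").items():
        if n >= MASS_ACCESS_THRESHOLD:
            alerts.add(("mass_file_access", user, f"{n} accesses in {WINDOW}"))
    # Rule 2: sync volume; downloads relabelled as sync still surface as sync events.
    for user, n in peak_window_counts(events, "FileSyncDownloadedFull").items():
        if n >= SYNC_VOLUME_THRESHOLD:
            alerts.add(("sync_volume", user, f"{n} sync downloads in {WINDOW}"))
    for e in events:
        if e["Operation"] != "FileSyncDownloadedFull":
            continue
        user, ip = e["UserId"], e["ClientIP"]
        # Rule 3: sync-client user agent from an address outside the user's baseline.
        if "SkyDriveSync" in e["UserAgent"] and ip not in known_sync_ips.get(user, set()):
            alerts.add(("unusual_sync_device", user, ip))
        # Rule 4: synchronisation of a sensitive folder.
        if e["ObjectId"].startswith(SENSITIVE_PREFIXES):
            folder = next(p for p in SENSITIVE_PREFIXES if e["ObjectId"].startswith(p))
            alerts.add(("sensitive_folder_sync", user, folder))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user, detail in detect(sample_events()):
        print(f"{rule:22s} {user:18s} {detail}")
```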




Securing Wearable Devices: Potential Risks and Precautions


In the rapidly evolving landscape of digital security, individuals are increasingly vulnerable to cyber threats, not only on conventional computers and smartphones but also on wearable devices. The surge in smartwatches and advanced fitness trackers presents a new frontier for potential security breaches.

Just like traditional devices, wearables store and transmit valuable data, making them attractive targets for hackers. If successfully compromised, these devices could become conduits for unauthorized prescription orders or even allow the tracking of an individual's location through the embedded GPS feature. The threat extends beyond personal wearables, with concerns arising about vulnerabilities in medical offices and equipment. The FDA has issued warnings about potential loopholes that hackers could exploit to target critical medical devices such as pacemakers and insulin pumps.

The risk isn't confined to personal privacy; there's a growing concern about the impact a hacked wearable could have on corporate networks. With the proliferation of connected devices, a compromised smartwatch might provide an easier entry point for hackers seeking to infiltrate company systems, especially if the wearable syncs with multiple networks.

One notable vulnerability lies in the Bluetooth connection that wearables commonly share with smartphones. While any internet-connected device carries inherent risks, wearables often use smartphones as intermediaries rather than operating as standalone devices. Presently, security compromises have mainly originated from devices connected to wearables or compromised external databases, making wearables a theoretical but legitimate concern.

To mitigate these risks, users are advised to exercise caution when installing apps on their wearables. Verifying the legitimacy of sources, checking user reviews, and researching app safety are essential steps to ensure the security of wearable devices. This advice extends to smartphones, where users should scrutinize app permissions, restricting access to unnecessary information and promptly deleting suspicious apps.

In this era of pervasive connectivity, safeguarding personal and corporate data requires a proactive approach, extending beyond conventional devices to include the emerging frontier of wearable technology.

Fortifying Cybersecurity for Schools as New Academic Year Begins


School administrators have received a cautionary alert regarding the imperative need to fortify their defenses against potential cyberattacks as the commencement of the new academic year looms. 

The National Cyber Security Centre has emphasized the necessity of implementing "appropriate security measures" to safeguard educational institutions from potential threats and to avert disruptions.

While there are no specific indicators of heightened threats as schools prepare to reopen, the onset of a fresh academic term underscores the potential severity of any cyberattacks during this period. 

Don Smith, the Vice President of the counter-threat unit at Secureworks, a cybersecurity firm, has highlighted the current transitional phase as an opportune moment for cybercriminals. He pointed out that the creation of new accounts for students and staff, as well as the school's approach to portable devices like laptops and tablets, can introduce vulnerabilities.

Smith explained, "Summer is a time when people are using their devices to have fun, play games, that sort of thing. If you've allowed teachers and pupils to take devices home, or let them bring their own, these devices may have picked up infections and malware that can come into the school and create a problem."

Last September, six schools within the same academy trust in Hertfordshire suffered internal system disruptions due to a cyberattack, occurring shortly after the new term had started. 

Additionally, just recently, Debenham High School in Suffolk fell victim to a hack that temporarily crippled all of its computer facilities, prompting technicians to work tirelessly to restore them before the commencement of the new term.

Schools are generally not the primary targets of concentrated cyberattack campaigns, unlike businesses, but they are considered opportunistic targets due to their comparatively less robust defenses. 

Don Smith emphasized that limited budgets and allocation priorities may result in schools having inadequate cybersecurity measures. Basic digital hygiene practices, such as implementing two-factor authentication and keeping software up to date, are crucial for safeguarding vital data.

Moreover, it is imperative for both students and teachers to be regularly educated about cybersecurity threats, including the importance of strong passwords, vigilance against suspicious downloads, and the ability to identify phishing attempts in emails. Mr. Smith noted that cybersecurity is no longer solely the responsibility of a small IT team; instead, all users are on the frontline, necessitating a general understanding of cybersecurity fundamentals.

A recent study revealed that one in seven 15-year-olds is susceptible to responding to phishing emails, especially those from disadvantaged backgrounds with weaker cognitive skills. Professor John Jerrim, the study's author, emphasized the need for increased efforts to help teenagers navigate the increasingly complex and perilous online landscape.

The National Cyber Security Centre, a division of GCHQ, has previously issued warnings regarding the growing prevalence of ransomware attacks targeting the education sector. Ransomware attacks involve criminals infiltrating a network and deploying malicious software that locks access to computer systems until a ransom is paid. Although ransomware attacks temporarily declined during the first quarter of 2023, they have been steadily increasing since then.

SonicWall, a cybersecurity company, emphasized that schools, being repositories of substantial data, are attractive targets for hackers pursuing financial and phishing scams. As schools rely more heavily on internet-based tools in the classroom, they must prioritize cybersecurity, both in terms of budget allocation and mindset, as the new school year approaches.

In response to these concerns, a spokesperson for the Department for Education affirmed that educational institutions bear the responsibility of being aware of cybersecurity risks and implementing appropriate measures. This includes establishing data backups and response plans to mitigate potential incidents.

"We monitor reports of all cyberattacks closely and in any case where there has been an attack, we instruct the department's regional team to offer support," they added. "There is no evidence to suggest that attacks like this are on the rise."

Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to Mohammad Kazem Hassan Nejad, a researcher from WithSecure, malicious actors have been utilizing deceptive ads to target victims with various scams and malvertising schemes. This tactic has become even more lucrative with businesses increasingly using social media for advertising, providing attackers with a new type of attack vector – hijacking business accounts.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering plays a crucial role in gaining unauthorized access to user accounts, with victims being approached through platforms such as Facebook, LinkedIn, WhatsApp, and freelance job portals like Upwork. Search engine poisoning is another method employed to promote fake software, including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, employs lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment-related themes have been used to activate infections. 

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings contain links to compromised job description files hosted on cloud storage providers, leading to the deployment of the Ducktail stealer malware.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 involve the use of shortcut and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from various platforms, including X (formerly Twitter), TikTok Business, and Google Ads. It also uses stolen Facebook session cookies to create fraudulent ads and gain elevated privileges.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has incorporated new features, such as using RestartManager (RM) to kill processes that lock browser databases, a technique commonly found in ransomware. Additionally, the final payload is obfuscated using a loader to dynamically decrypt and execute it, making analysis and detection more challenging.

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed instances where the threat actors initiated contact using compromised LinkedIn accounts belonging to users in the digital marketing field, leveraging the authenticity of these accounts to aid in social engineering tactics. This highlights the worm-like propagation of Ducktail, where stolen LinkedIn credentials and cookies are used to log in to victims' accounts and expand their reach.

Ducktail is just one of many Vietnamese threat actors employing shared tools and tactics for fraudulent schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, engages in information stealing and Meta Business account hijacking. Notably, Duckport differs from Ducktail in terms of Telegram channels used for command and control, source code implementation, and distribution, making them distinct threats.

Duckport employs a unique technique of sending victims links to branded sites related to the impersonated brand or company, redirecting them to download malicious archives from file hosting services. Unlike Ducktail, Duckport replaces Telegram as a channel for passing commands to victims' machines and incorporates additional information stealing and account hijacking capabilities, along with taking screenshots and abusing online note-taking services as part of its command and control chain.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.

Rare Technique Deployed by Android Malware to Illicitly Harvest Banking Data


Trend Micro, a cybersecurity research firm, has recently unveiled a novel mobile Trojan that employs an innovative communication technique. This method, known as protobuf data serialization, enhances its ability to pilfer sensitive data from compromised devices.

Initially detected by Trend Micro in June 2023, this malware, named MMRat, primarily targets users in Southeast Asia. Surprisingly, when MMRat was first identified, popular antivirus scanning services like VirusTotal failed to flag it as malicious.

MMRat boasts a wide array of malicious functionalities. These include collecting network, screen, and battery data, pilfering contact lists, employing keylogging techniques, capturing real-time screen content, recording and live-streaming camera data, and even dumping screen data in text formats. Notably, MMRat possesses the ability to uninstall itself if required.

The capacity to capture real-time screen content necessitates efficient data transmission, and this is where the protobuf protocol shines. It serves as a customized protocol for data exfiltration, using distinct ports and protocols to exchange data with the Command and Control (C2) server.

Trend Micro's report highlights the uniqueness of the C&C protocol, which is customized based on Netty, a network application framework, and the aforementioned Protobuf. It incorporates well-designed message structures, utilizing an overarching structure to represent all message types and the "oneof" keyword to denote different data types.

Researchers have uncovered instances of this malware concealed within counterfeit mobile app stores, masquerading as government or dating applications. While they commend the overall sophistication of these efforts, it's essential to note that these apps still request permissions for Android's Accessibility Service, a common red flag that clearly signals their malicious nature.

Decoding Cybercriminals' Motives for Crafting Fake Data Leaks


Companies worldwide are facing an increasingly daunting challenge posed by data leaks, particularly due to the rise in ransomware and sophisticated cyberattacks. This predicament is further complicated by the emergence of fabricated data leaks. Instead of genuine breaches, threat actors are now resorting to creating fake leaks, aiming to exploit the situation.

The consequences of such falsified leaks are extensive, potentially tarnishing the reputation of the affected organizations. Even if the leaked data is eventually proven false, the initial spread of misinformation can lead to negative publicity.

The complexity of fake leaks warrants a closer examination, shedding light on how businesses can effectively tackle associated risks.

What Drives Cybercriminals to Fabricate Data Leaks?

Certain cybercriminal groups, like LockBit, Conti, Cl0p, and others, have gained significant attention, akin to celebrities or social media influencers. These groups operate on platforms like the Dark Web and other shadowy websites, and some even have their own presence on the X platform (formerly Twitter). Here, malicious actors publish details about victimized companies, attempting to extort ransom and setting deadlines for sensitive data release. This may include private business communications, corporate account login credentials, employee and client information. Moreover, cybercriminals may offer this data for sale, enticing other threat actors interested in using it for subsequent attacks.

Lesser-known cybercriminals also seek the spotlight, driving them to create fake leaks. These fabricated leaks generate hype, inducing a concerned reaction from targeted businesses, and also serve as a means to deceive fellow cybercriminals on the black market. Novice criminals are especially vulnerable to falling for this ploy.

Manipulating Databases for Deception: The Anatomy of Fake Leaks

Fake data leaks often materialize as parsed databases, involving the extraction of information from open sources without sensitive data. This process, known as internet parsing or web scraping, entails pulling text, images, links, and other data from websites. Threat actors employ parsing to gather data for malicious intent, including the creation of fake leaks.

In 2021, a prominent business networking platform encountered a similar case. Alleged user data was offered for sale on the Dark Web, but subsequent investigations revealed it was an aggregation of publicly accessible user profiles and website data, rather than a data breach. This incident garnered media attention and interest within the Dark Web community.

When offers arise on the Dark Web, claiming to provide leaked databases from popular social networks like LinkedIn, Facebook, or X, they are likely to be fake leaks containing information already publicly available. These databases may circulate for extended periods, occasionally sparking new publications and causing alarm among targeted firms.

According to Kaspersky Digital Footprint Intelligence, the Dark Web saw an average of 17 monthly posts about social media leaks from 2019 to mid-2021. However, this figure surged to an average of 65 monthly posts after a significant case in the summer of 2021. Many of these posts, as per their findings, may be reposts of the same database.

Old leaks, even genuine ones, can serve as the foundation for fake leaks. Presenting outdated data leaks as new creates the illusion of widespread cybercriminal access to sensitive information and ongoing cyberattacks. This strategy helps cybercriminals establish credibility among potential buyers and other actors within underground markets.

Similar instances occur frequently within the shadowy community, where old or unverified leaks resurface. Data that's several years old is repeatedly uploaded onto Dark Web forums, sometimes offered for free or a fee, masquerading as new leaks. This not only poses reputation risks but also compromises customer security.

Mitigating Fake Leaks: Business Guidelines

Faced with a fake leak, panic is a common response due to the ensuing public attention. Swift identification and response are paramount. Initial steps should include refraining from engaging with attackers and conducting a thorough investigation into the reported leak. Verification of the source, cross-referencing with internal data, and assessing information credibility are essential. Collecting evidence to confirm the attack and compromise is crucial.

For large businesses, data breaches, fake leaks included, are a matter of "when," not "if." Transparency and preparation are key in addressing such substantial challenges. Developing a communication plan beforehand for interactions with clients, journalists, and government agencies is beneficial.

Additionally, constant monitoring of the Dark Web enables detection of new posts about both fake and real leaks, as well as spikes in malicious activity. Due to the automation required for Dark Web monitoring and the potential lack of internal resources, external experts often manage this task.

Furthermore, comprehensive incident response plans, complete with designated teams, communication channels, and protocols, facilitate swift action if such cases arise.

In an era where data leaks continuously threaten businesses, proactive and swift measures are vital. By promptly identifying and addressing these incidents, conducting meticulous investigations, collaborating with cybersecurity experts, and working with law enforcement, companies can minimize risks, safeguard their reputation, and uphold customer trust.

Safeguard Your Home Against Rising Cyber Threats, Here's All You Need To Know


Malicious cyber actors have the ability to exploit vulnerable networks within households, potentially compromising personal and private information of family members, including children and elders.

In today's highly connected world, it is crucial to prioritize cybersecurity and take proactive steps to protect your household from cyber threats.

Educating your children and elders about the significance of safeguarding personal information, using strong passwords, and understanding cybersecurity best practices can significantly reduce the risk of falling victim to cyberattacks. 

As the threat landscape continues to evolve, safeguarding your household from malicious actors becomes paramount. To protect your family from cyber threats, consider implementing the following measures:

1. Manage your routing devices:
  • Keep your devices up-to-date with the latest firmware and software.
  • Secure your home network by using unique router usernames and strong passwords.
  • Create a separate guest network for visitors.
  • Change passwords regularly and schedule weekly router reboots.

2. Secure laptops, computers, and web devices:
  • Cover cameras when not in use to prevent unauthorized access.
  • Utilize non-admin accounts for everyday activities.
  • Regularly update operating systems and apply security patches.
  • Disconnect devices from the internet when not in use.
  • Enable multi-factor authentication or use passkeys where possible.
  • Schedule weekly reboots for added security.

3. Manage home assistants:
  • Be aware of which devices in your home have listening capabilities.
  • Avoid having sensitive conversations near home assistants.
  • Mute their microphones when not in use.
  • Review and understand the terms and conditions before accepting them blindly.

Additionally, it is crucial to protect senior relatives from cyberattacks, as they are often targeted for financial frauds due to their limited exposure to technology. 

Educate seniors about common scams and advise them to send unknown calls to voicemail, use credit freezes, and set strict privacy settings on social media. Legal tools such as living trusts, guardianships, or power of attorney can also be utilized to safeguard seniors from scammers.

When teaching children about cybersecurity, instill good cyber hygiene and privacy practices from an early age. Use cybersecurity games and resources suitable for their age group to impart knowledge effectively. 

Beyond passwords and privacy, educate children about verifying online information and identifying phishing and smishing attempts. Encourage them to be mindful of their privacy settings on social media platforms to prevent cyberbullying and protect their personal information.

By adopting these cybersecurity practices and fostering a cybersecurity-conscious environment, you can significantly enhance the safety and security of your family in the digital world.

How Ransomware Turned Into the Stuff of Nightmares for Modern Businesses


Few cyberthreats have progressed as rapidly in recent years as ransomware, which has become a global scourge for businesses over the last two decades. 

Ransomware has evolved from simple infect and encrypt attacks to double- and now triple-extortion attacks, making it one of the most dangerous security threats of the modern era. Meanwhile, with the rise of ransomware-as-a-service, it has become more accessible to would-be cybercriminals as well.

Techradar spoke with Martin Lee, Technical Lead of Security Research at Cisco Talos, to learn more about the threat posed by ransomware and the steps businesses can take to protect themselves.

What characteristics make ransomware attacks so effective and difficult to counter?

Ransomware is essentially the 21st century equivalent of kidnapping. The criminal steals something valuable and demands payment in exchange for its return. The ransomware business model has progressed over time to become a highly efficient source of revenue for criminals.

A ransomware attack should not be taken lightly. Criminals attempt to evoke an immediate response by encrypting and rendering a system inaccessible. If a critical system is disrupted, the bad folks know that the victim will have a strong incentive to pay.

Ransomware attacks are launched through every possible entry point. Criminals will look for any vulnerability in perimeter defences in order to gain access. The profitability of ransomware drives criminals' tenacity; the attacks' ubiquity makes them difficult to defend against. To defend against such attacks, excellent defences and constant vigilance are required.

What are the most significant changes in ransomware operations since the days of simple infect and encrypt attacks?

Modern criminal ransomware attacks first appeared in the mid-2000s. Initially, these were 'mass-market' attacks in which criminals distributed as much malware as possible without regard for the nature or identity of the systems being targeted. Although the vast majority of malware would be blocked, a small percentage would be successful in infecting and encrypting systems, and a small number of these would result in payment of a ransom.

In 2016, a change in the ransomware model was noticed. SamSam, a new ransomware variant, was distributed in an unusual manner. The group behind this malware planned ahead of time, exploiting vulnerabilities in externally facing systems to gain a foothold within the organisation. Once inside, they expanded their access, looked for key systems, and infected them with ransomware.

Criminals can significantly disrupt the operation of an organisation by researching their target and disrupting business critical systems. Criminals use this approach to demand a much higher ransom than if they compromise a single laptop, for example.

In what ways do you expect ransomware attacks to develop further in the years to come?

Ransomware has proven to be a reliable source of revenue for criminals. However, the success of the attacks is not guaranteed. The activity becomes less profitable as more attacks are blocked.

Malicious emails and attempts to download malware can be blocked by perimeter defences. Filtering connections at the IP address or DNS layer can prevent malware from communicating with its command and control systems. End-point protection systems can detect and block malware, and effective backup solutions can restore affected systems.

With a better understanding of the effects of ransomware and stronger defences, fewer successful attacks will be witnessed and ransomware will become unprofitable. However, as organisations become smarter, so do criminals, and ransomware will continue to exist.

Microsoft Launches New External Attack Surface Audit Tool

 

Microsoft has released a new security solution that enables security teams to identify Internet-exposed resources in their organization's environment that attackers may use to access their networks. The emphasis is on unmanaged or unknown assets that have been introduced to the environment as a result of mergers or acquisitions, generated by shadow IT, are absent from inventory owing to insufficient cataloguing, or have been overlooked due to rapid corporate expansion. 

This new tool, dubbed Microsoft Defender External Attack Surface Management, offers users an overview of their organisations' attack surface, making it easier to uncover vulnerabilities and prevent possible attack routes. This tool will develop a database of the organization's full environment, including unmanaged and agentless devices, by continually scanning Internet connections. 

Microsoft Corporate VP for Security Vasu Jakkal said, "The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet – essentially, the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker." 

Microsoft Defender External Attack Surface Management helps security teams to see their environment as an attacker does and uncover exploitable flaws before they do by continually watching connections and hunting for unsecured devices vulnerable to Internet assaults. 

Microsoft also introduced Microsoft Defender Threat Information, a second security solution that will provide threat intelligence to security operations (SecOps) teams in order to uncover attacker infrastructure and accelerate attack investigations and remediation efforts. It will also provide SecOps team members with real-time data from Microsoft's large database of 43 trillion daily security signals, allowing them to actively hunt for threats in their environments. The data is offered as a library of raw threat intelligence containing information on adversaries' identities as well as correlations between their tools, strategies, and techniques.

"This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft's nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender security research teams," Jakkal added. 

"The volume, scale and depth of intelligence is designed to empower Security Operations Centers to understand the specific threats their organization faces and to harden their security posture accordingly." 

According to Microsoft, all of this additional information about threat actors' TTPs and infrastructure will assist customers' security teams in detecting, removing, and blocking hidden adversary tools within their organization's environment.

NCSC Warns Of Threats Posed By Malicious Apps

 

A new report by the UK's National Cyber Security Centre (NCSC) has warned of the threats posed by malicious applications. While most people are familiar with apps downloaded to smartphones, they are also available on everything from smart TVs to smart speakers.

The government is seeking input on new security and privacy guidelines for applications and app stores. Ian Levy, the NCSC's technical director, stated that app stores could do more to improve security. According to Mr Levy, cybercriminals are currently exploiting vulnerabilities in app stores on all types of connected devices to cause harm.

Android phone users downloaded apps containing the Triada and Escobar malware from various third-party app stores last year, according to the FBI. "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices". It includes an example of a security firm illustrating how it could construct a malicious app for a prominent fitness tracker that could be downloaded via a link that seemed legitimate because it used the company's web address. 

Spyware/stalkerware capable of stealing anything from location to personal body data was found in the app. After the security firm alerted the company, it proceeded to rectify the situation. 

 The thirst for applications grew during the pandemic, according to the NCSC research, with the UK app market currently valued at £18.6 billion ($23.2 billion). The government's proposal to ask app retailers to commit to a new code of practice outlining baseline security and privacy requirements is supported by the cyber-security centre. 

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government stated.

 A new code of practice would require retailers to set up procedures to find and repair security problems more quickly.

Security Professionals View Ransomware and Terrorism as Equal Threats

 

Venafi published the results of a global poll of over 1,500 IT security decision-makers, which showed that 60% of security professionals believe ransomware threats should be treated on par with terrorism. 

Following the attack on the Colonial Pipeline earlier this year, the US Department of Justice upgraded the threat level of ransomware. According to the report, just about a third of respondents have put in place basic security protections to break the ransomware kill chain. 

Other significant findings:
  • Over the last 12 months, 67% of respondents from companies with more than 500 employees have suffered a ransomware assault, rising to 80% for companies with 3,000-4,999 employees. 
  • Although 37% of respondents said they would pay the ransom, 57% said they would reconsider if they had to publicly disclose the payment, as required by the Ransomware Disclosure Act, a bill introduced in the US Senate that would require corporations to reveal ransomware payments within 48 hours.
  • Despite the increased frequency of ransomware assaults, 77% of respondents are optimistic that the mechanisms they have in place would keep them safe from ransomware. IT decision makers in Australia have the most faith in their tools (88%), compared to 71% in the United States and 70% in Germany.
  • Paying a ransom is considered "morally wrong" by 22% of respondents. 
  • 17% of those hacked admitted to paying the ransom, with Americans paying the most often (25%) and Australian businesses paying the least (9%). 

Many depend on traditional security controls to tackle ransomware threats 

Kevin Bocek, VP ecosystem and threat intelligence at Venafi stated, “The fact that most IT security professionals consider terrorism and ransomware to be comparable threats tells you everything you need to know; these attacks are indiscriminate, debilitating, and embarrassing.” 

“Unfortunately, our research shows that while most organizations are extremely concerned about ransomware, they also have a false sense of security about their ability to prevent these devastating attacks. Too many organizations say they rely on traditional security controls like VPNs and vulnerability scanning instead of modern security controls, like code signing, that are built-in to security and development processes.” 

According to the survey, most businesses do not employ security controls that disrupt the ransomware kill chain early in the attack cycle. Many ransomware attacks begin with phishing emails carrying a malicious attachment, yet only 21% of respondents restrict all macros in Microsoft Office documents. 

Only 28% of firms require all software to be digitally signed by their organization before employees are permitted to execute it, and only 18% utilize group policy to limit the usage of PowerShell. 

FiveSys Rootkit Exploits Microsoft-Issued Digital Signature

 

A rootkit termed FiveSys can potentially avoid detection and enter Windows users' PCs by abusing a Microsoft-issued digital signature, according to Bitdefender security researchers. 

Microsoft introduced rigorous requirements for driver packages that aim to receive a WHQL (Windows Hardware Quality Labs) digital signature to prevent certain types of malicious attacks, and starting with Windows 10 build 1607, it prevents kernel-mode drivers from being loaded without such a certificate. 

Malware developers, on the other hand, seem to have discovered a way to bypass Microsoft's certification and obtain digital signatures for their rootkits, allowing them to target victims without raising suspicion. 

Microsoft confirmed in June that intruders had successfully submitted the Netfilter rootkit for certification via the Windows Hardware Compatibility Program. Now, Bitdefender's researchers warn that the FiveSys rootkit also has a Microsoft-issued digital signature, implying that this might soon become an emerging trend in which adversaries successfully get their malicious drivers certified and signed by Microsoft. 

According to the researchers, FiveSys is comparable to the Undead malware that was first disclosed a few years ago. Furthermore, the rootkit, like Netfilter, is aimed towards the Chinese gaming industry. 

Bitdefender stated, “The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation.” 

The rootkit directs Internet traffic to a custom proxy server using a frequently updated autoconfiguration script that comprises a list of domains/URLs. Furthermore, the rootkit can prohibit drivers from the Netfilter and fk_undead malware families from being loaded by using a list of digital signatures. 

Moreover, FiveSys offers a built-in list of 300 supposedly randomly created domains that are encrypted and are intended to circumvent possible takedown attempts. Bitdefender also claims to have discovered multiple user-mode binaries that are used to obtain and execute malicious drivers on target PCs. 

FiveSys appears to use four drivers in all, although only two of them were isolated by the security researchers. After discovering the abuse, Microsoft revoked FiveSys' signature.

While the rootkit is being used to steal login credentials from gaming accounts, it is likely that it may be utilised against other targets in the future. However, by following a few easy cybersecurity safeguards, one can prevent falling prey to such or similar assaults.

Botezatu recommended, "In order to stay safe, we recommend that users only download software from the vendor's website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start."
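As an added defender-side illustration of the driver-signing point above (this is example code, not Bitdefender's tooling or anything from the original post), the following PowerShell lists the kernel drivers currently running on a host together with their Authenticode status and signer, so a driver whose signature no longer validates (for instance after a revocation like the one described) or that carries the hardware-compatibility signer is easy to pick out for review. The function name and the WHCP signer subject string are assumptions; it is meant to be run in an elevated session on Windows 10 or later.

```powershell
# Added example, not code from Bitdefender or the original post.
# Assumes an elevated PowerShell session on Windows 10 or later.
function Get-LoadedDriverSignatureReport {
    [CmdletBinding()]
    param(
        # Assumed subject of the signer Microsoft uses for drivers that passed the
        # hardware compatibility program. FiveSys carried this kind of signature,
        # so such drivers are listed for review rather than trusted outright.
        [string]$WhcpSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $driver = $_
            # PathName comes in several shapes (plain path, \SystemRoot\..., \??\C:\...,
            # or system32\...); normalise it to a path the filesystem cmdlets accept.
            $path = $driver.PathName.Trim('"')
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^system32\\', "$env:SystemRoot\System32\"

            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Name = $driver.Name; Path = $path; Status = 'FileNotFound'; Signer = $null; Flag = 'review: file missing' }
                return
            }

            # Authenticode check: Status is 'Valid' only when the signature and its chain verify.
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            $flag = if ($sig.Status -ne 'Valid')            { 'review: ' + $sig.StatusMessage }
                    elseif ($signer -like "$WhcpSigner*")   { 'whcp-signed: confirm publisher' }
                    else                                    { 'ok' }

            [pscustomobject]@{ Name = $driver.Name; Path = $path; Status = $sig.Status; Signer = $signer; Flag = $flag }
        }
}

# Drivers whose signature does not validate are listed first.
Get-LoadedDriverSignatureReport |
    Sort-Object { $_.Status -ne 'Valid' } -Descending |
    Format-Table Name, Status, Flag, Signer -AutoSize
```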