What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-06-26 10:15:39 | (Déjà vu) A well-meaning feature leaves millions of Dell PCs vulnerable (lien direct) | Firmware security tool flaws affect as many as 30m desktops, laptops, and tablets. | Tool | ||
 |
2021-06-24 10:00:00 | A mid-year update for Cybersecurity – 4 trends to watch (lien direct) | This blog was written by an independent guest blogger. It is nearing the mid-year point of 2021, and already it can be characterized as” the year of the breach.” Many companies and institutions saw their security perimeters pierced by hackers including the mega-breaches of Solar Winds and the Colonial Pipeline. The scale of penetration and exfiltration of data by hackers and the implications are emblematic of the urgency for stronger cybersecurity. Although there are a variety of trends emerging in the first six months, below are four that stand out as barometers of what lies ahead. 1. Ransomware attacks are taking center stage as Cyber-threats There is ample evidence that ransomware has become a preferred method of cyber-attack choice by hackers in 2021. As of May 2021, there has been a 102% surge in ransomware attacks compared to the beginning of 2020, according to a report from Check Point Research. Hackers have found ransomware ideal for exploiting the COVID-19 expanded digital landscape. The transformation of so many companies operating is a digital mode has created many more targets for extortion. One office with 4,000 employees has become 4,000 offices. In addition to an expanding attack surface, hackers are more active than before because they can get paid easier for their extortion via cryptocurrencies that are more difficult for law enforcement to trace. Criminal hacker groups are becoming more sophisticated in their phishing exploits by using machine learning tools. They are also more coordinated among each other sharing on the dark web and dark web forums. In 2020, according to the cybersecurity firm Emsisoft, ransomware gangs attached more than 100 federal, state, and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses. As a result of the Colonial Pipeline Ransomware attack and others, the U.S. Department of Justice and the FBI have prioritized investigating and prosecuting hackers who deploy ransomware. The impact for the rest of 2021 will be more ransomware attacks against institutions and corporations who are less cyber secure, especially to targets that cannot afford to have operations impeded such as health care, state & local governments, educational institutions, and small and medium sized businesses. See: The New Ransomware Threat: Triple Extortion - Check Point Software Why Ransomware is So Dangerous and Difficult to Prevent | Manufacturing.net 2. Cyber-attacks are a real threat to commerce and economic prosperity So far this year, cyber-attacks have grown in number and sophistication, repeating a trend of the last several years. The recent cycle of major industry and governmental cyber breaches is emblematic of growing risk. The attacks are also becoming more lethal and costly to industry. A new NIST report was released on the economic impact to the U.S. economy by breaches, and it is alarming. The report suggests that the U.S. Loses hundreds of billions to cybercrime, possibly as much as 1 % to 4 % of GDP annually. The beach stats are part of a bigger global trend. The firm Cybersecurity Ventures predicts that global cybercrime damages will reach $6 trillion annually by this end of this year. The firm’s damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state sponsored and organized crime gang hacking activities, and a cyberattack surface. In both the public and private sectors, there is a | Ransomware Malware Tool Threat | ||
 |
2021-06-24 10:00:00 | A Well-Meaning Feature Leaves Millions of Dell PCs Vulnerable (lien direct) | Flaws in a firmware security tool affect as many as 30 million desktops, laptops, and tablets. | Tool | ||
 |
2021-06-24 08:01:46 | Homes, Not Just Devices: The New Consumer Cybersecurity (lien direct) | 
Over the last year, our relationship with digital technology has changed completely, and probably irrevocably. The pandemic has been bruising in many different ways, but it has been clear from the very start how important the internet has been as a tool to help us through it. Even just a few years ago, the behavioural […]
|
Tool | ★★★ | |
 |
2021-06-23 16:59:34 | iPhone Hacking Tool GrayKey Techniques Outlined in Leaked Instructions (lien direct) | Appleinsider report iPhone hacking tool GrayKey techniques outlined in leaked instructions “Leaked instructions for GrayShift’s GrayKey iPhone unlocking device have surfaced, giving an idea of what the device intended for law enforcement… | Tool | ★★ | |
 |
2021-06-22 20:30:03 | The Android 12 Privacy Dashboard is an at-a-glance permissions tool (lien direct) | Android 12 has a new Privacy Dashboard that makes it easier for users to check up on and manage the permissions on their devices. Jack Wallen gives you a peek into this new tool. | Tool | ||
 |
2021-06-22 20:15:00 | How One Application Test Uncovered an Unexpected Opening in an Enterprise Call Tool (lien direct) | Working as security consultants is highly rewarding. Companies depend on us to view their environment from the perspective of an attacker and find vulnerabilities that could enable threats to succeed. One of the most impactful parts of our role is when we’re the first to find a major vulnerability that could lead to a widespread […] | Tool Vulnerability Guideline | ||
|
2021-06-22 15:21:09 | Google Cloud launches AI dedicated to quality control and inspections (lien direct) | The new tool aims to help companies to reduce product defects and manage costs, the company says. | Tool | ||
 |
2021-06-22 11:17:00 | New Tool Launched to Remove Nude Images of Children Online (lien direct) | Children worried about nude content appearing online can now access a tool to restrict content being shared | Tool | ||
 |
2021-06-22 10:10:19 | Research Shows Many Security Products Fail to Detect Android Malware Variants (lien direct) | A group of academic researchers has created a tool that can be used to clone Android malware and test the resilience of these new variants against anti-malware detection. | Malware Tool | ||
 |
2021-06-22 07:05:17 | DroidMorph tool generates Android Malware Clones that (lien direct) | Boffins developed a tool dubbed DroidMorph that provides morphing of Android applications (APKs) and allows to create Android apps (malware/benign) clones. A group of researchers from Adana Science and Technology University (Turkey) and the National University of Science and Technology (Islamabad, Pakistan) has developed a tool dubbed DroidMorph that provides morphing of Android applications (APKs) […] | Malware Tool | ||
 |
2021-06-21 07:17:48 | 5 Critical Steps to Recovering From a Ransomware Attack (lien direct) | Hackers are increasingly using ransomware as an effective tool to disrupt businesses and fund malicious activities.
A recent analysis by cybersecurity company Group-IB revealed ransomware attacks doubled in 2020, while Cybersecurity Venture predicts that a ransomware attack will occur every 11 seconds in 2021.
Businesses must prepare for the possibility of a ransomware attack affecting their |
Ransomware Tool | ||
 |
2021-06-18 20:15:07 | CVE-2021-33824 (lien direct) | An issue was discovered on MOXA Mgate MB3180 Version 2.1 Build 18113012. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service. | Tool | ||
|
2021-06-18 19:15:07 | CVE-2021-33818 (lien direct) | An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service. | Tool | ||
|
2021-06-18 19:15:07 | CVE-2021-33822 (lien direct) | An issue was discovered on 4GEE ROUTER HH70VB Version HH70_E1_02.00_22. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service. | Tool | ||
 |
2021-06-18 13:03:34 | Open redirects ... and why Phishers love them, (Fri, Jun 18th) (lien direct) | Working from home, did you get a meeting invite recently that pointed to https://meet.google.com &#;x26;#;x3f;&#;x26;#;xc2;&#;x26;#;xa0; Well, that&#;x26;#;39;s indeed where Google&#;x26;#;39;s online meeting tool is located. But potentially the URL you got is not "only" leading you there. | Tool Guideline | ||
|
2021-06-18 13:00:00 | A New Tool Wants to Save Open Source from Supply Chain Hacks (lien direct) | Sigstore will make code signing free and easy for software developers, providing an important first line of defense. | Tool | ★★ | |
|
2021-06-18 10:12:58 | Microsoft\'s new security tool will discover firmware vulnerabilities, and more, in PCs and IoT devices (lien direct) | Devices have multiple OSs and firmware running, and most organisations don't know what they have or if it's secure. Microsoft will use ReFirm to make it easier to find out without being an expert. | Tool | ||
|
2021-06-18 10:00:00 | Risk-based security now more important than ever for Energy and Utilities! (lien direct) | This is the third of three blogs in a series to help the energy and utility industries. You can read the first blog on Ransomware and Energy and Utilities and the second blog on Threat Intelligence and Energy and Utilities as well. Convergence of IT/OT is now a reality: Whether intentional or accidental, IT and operational technology (OT) are converging to support business outcomes of reducing costs and taking advantage of efficiencies. IT assets are being used in OT environments and with the transformation of Industry 4.0 for utilizing IoT. Given the convergence and increased attack surface, NSA has issued guidance around stopping malicious cyber activity against OT. CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF (defense.gov) Security First mindset There is a need for a mindset shift in protecting OT assets given the ineffective traditional approaches and priorities regarding how IT assets are protected. Legacy infrastructure has been in place for decades and is now being combined as part of the convergence of IT and OT. This can be challenging for organizations that previously used separate security tools for each environment and now require holistic asset visibility to prevent blind spots. Today's cybercriminals can attack from all sides, and attacks are laterally creeping across IT to OT and vice versa. Beyond technology, focus on risk and resilience It can be all too easy to deploy security technology and think you've mitigated risk to your business. Still, sadly technology investment is no guarantee of protection against the latest threats. It is critical to take a risk-based approach to security. This means that to decrease enterprise risk, leaders must identify and focus on specific elements of cyber risk to target. More specifically, the many components of cyber risk must be understood and prioritized for enterprise cybersecurity efforts. Organizations are increasingly aiming to shift from cybersecurity to cyber resilience. This means they must understand the threats they face, measure the potential financial impact of cyber exposures, compare this against the company's risk appetite level, and proactively manage cyber risks by having clear action plans based on their capabilities and capacities to protect against cybercrime. Focus on a risk-based approach The risk-based approach does two critical things at once. First, it designates risk reduction as the primary goal. This enables the organization to prioritize investment, including in implementation-related problem solving based squarely on a cyber program's effectiveness at reducing risk. Second, the program distills top management's risk-reduction targets into specific, pragmatic implementation programs with precise alignment from senior executives to the front line. Following the risk-based approach, a company will no longer "build the control everywhere"; rather, the focus will be on building the appropriate controls for the worst vulnerabilities to defeat the most significant threats that target the business' most critical areas. The risk-based approach to cybersecurity is thus ultimately interactive and a dynamic tool to support strategic decision-making. Focused on business value, utilizing a common language among the interested parties, and directly linking enterprise risks to controls, the approach helps translate executive decisions about risk reduction into control implemen | Ransomware Tool Threat Guideline | ||
|
2021-06-17 23:33:55 | [eBook] 7 Signs You Might Need a New Detection and Response Tool (lien direct) | It's natural to get complacent with the status quo when things seem to be working. The familiar is comfortable, and even if something better comes along, it brings with it many unknowns.
In cybersecurity, this tendency is countered by the fast pace of innovation and how quickly technology becomes obsolete, often overnight.
This combination usually results in one of two things – organizations |
Tool | ||
|
2021-06-17 12:15:07 | CVE-2021-0143 (lien direct) | Improper permissions in the installer for the Intel(R) Brand Verification Tool before version 11.0.0.1225 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-06-16 22:15:07 | CVE-2021-32690 (lien direct) | Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on. | Tool Vulnerability | Uber | |
|
2021-06-16 16:55:21 | Google Rolls out E2EE For Android Messages App (lien direct) | Google has finally enabled end-to-end encryption (E2EE) for the Messages app in Android but the privacy-enhancing tool remains somewhat limited. Google announced end-to-end encryption is now available in Android, but only for one-on-one conversations between users of the Messages app. | Tool | ||
|
2021-06-15 15:00:03 | Box launches new free self-service cloud migration tool (lien direct) | Businesses moving less than 10TB that meet certain other conditions can take advantage of Box Shuttle to move data from on-premise systems to its cloud services without cost, but others may still have to pay. | Tool | ||
|
2021-06-15 13:20:07 | Accenture crowdsources 25 signals of business change (lien direct) | The firm offers an interactive tool to guide companies trying to navigate change in the "era of compressed transformation." | Tool | ||
|
2021-06-15 11:54:20 | Wear your MASQ! New Device Fingerprint Spoofing Tool Available in Dark Web (lien direct) | The MASQ tool could be used by attackers to emulate device fingerprints thus allowing them to bypass fraud protection controls The Resecurity® HUNTER unit has identified a new tool available for sale in the Dark Web called MASQ, enabling bad actors to emulate device fingerprints thus allowing them to bypass fraud protection controls, including authentication mechanisms. One of the […] | Tool | ||
|
2021-06-14 21:00:28 | CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack (lien direct) | Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach. | Hack Tool | ||
|
2021-06-14 16:06:52 | IBM Watson Orchestrate uses AI to help improve sales, HR and operations (lien direct) | A new, personal interactive tool for professionals was recently unveiled at IBM's Think conference. | Tool | ||
 |
2021-06-14 15:01:00 | SOAR is an Architecture, Not a Product (lien direct) | Over the past several years, the rising star of security orchestration, automation, and response (SOAR) tools keeps climbing higher. As organizations struggle to handle the crush of alerts surging out of their security controls with not enough cybersecurity professionals to manage the work, SOAR products promise to bring some sanity to the process.
The promise is that SOAR platforms can help security operations teams to sail through the massive volume of alerts they face and better coordinate their security incident response lifecycle with custom playbooks tailored to an organization’s response policies. Many organizations are already starting to reap these benefits.
But as SOAR use cases evolve to real world situations and industry analysts adjust their definition of the market, it's becoming increasingly clear that SOAR is less of a singular platform and more of a comprehensive architecture for tying a lot of threads in the security stack together in a meaningful fashion, including threat intelligence platform (TIP) capabilities.
What is SOAR?
SOAR is part of the cybersecurity industry's long-term push toward improved security automation. As the name suggests, there are three core functions that SOAR products have historically delivered to security teams:
Orchestration: Customized security orchestration helps integrate the dozens of best-of-breed security tools that the typical SOC has accumulated over the years. These tools often do very specialized tasks but teams struggle because they don’t play nicely with one another. Orchestration within a SOAR product is usually used to aggregate data from a number of different sources to enrich alerts, consolidate and deduplicate alert data, and initiate remediation actions on third-party systems.
Automation: In the context of SOAR, security automation executes a sequence of tasks related to a security workflow without requiring much human intervention. It’s typically implemented via ‘playbooks’ that script automated processes to replace time-consuming but relatively simple processes, leaving skilled analysts freed up to carry out more advanced threat mitigation activities.
Response: Incident response consists of alert triage, case management, security incident investigation, threat indicator enrichment, and response actions. For example, a security event or alert should automatically pull in contextual data like IPs, domains, file hashes, user names, and email addresses to provide the analyst a rapid understanding of the security scenario. Then the analyst should be able to issue investigative, containment or response actions against the data.
To accomplish these tasks, SOAR uses threat intelligence to prioritize and enrich the incidents that they manage.
TIP and Gartner's Latest Definition of SOAR
This vital role of threat intelligence management in SOAR has grown to such prominence that many SOAR tools have started building in limited threat intelligence capabilities that mirror some of what a more fully featured TIP would offer.
In fact, Gartner's latest definition of SOAR now names the operationalization of threat intelligence as "table stakes" for SOAR tools. Its 2020 market guide says that SOAR convergence is now not only roping in security incident response platform (SIRP) and security orchestration and automation (SOA) technology, but also TIP technology.
Soar architectures are comprised of a combination of proven technologies, with threat intelligence platforms (TIPs) and the integrations they provide serving as a cornerstone.
But here's the thing, while SOAR is certainly enriched by TIP and while SOAR tools depend on native threat intelligence functionality, true SOAR benefits f |
Tool Threat | ||
|
2021-06-14 11:30:48 | Get your software ready for the next Windows update with this tool (lien direct) | Instead of running your own fleet of test PCs for software updates, why not let Microsoft manage them in the cloud? | Tool | ||
 |
2021-06-14 10:26:17 | Wireless Penetration Testing: Fern (lien direct) | Fern is a python based Wi-Fi cracker tool used for security auditing purposes. The program is able to crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or ethernet based networks. The tool is available both as open source and a premium model of the free | Tool | ||
|
2021-06-11 12:32:49 | Canada Privacy Watchdog Slams Police Use of Facial Recognition Tool (lien direct) | Federal police broke Canada's privacy laws by using a US company's controversial facial recognition software in hundreds of searches, an independent parliamentary watchdog ruled Thursday. | Tool | ||
 |
2021-06-11 12:05:33 | About the Unsuccessful Quest for a Deserialization Gadget (or: How I found CVE-2021-21481) (lien direct) | This blog post describes the research on SAP J2EE Engine 7.50 I did between October 2020 and January 2021. The first part describes how I set off to find a pure SAP deserialization gadget, which would allow to leverage SAP's P4 protocol for exploitation, and how that led me, by sheer coincidence, to an entirely unrelated, yet critical vulnerability, which is outlined in part two. The reader is assumed to be familiar with Java Deserialization and should have a basic understanding of Remote Method Invocation (RMI) in Java. PrologueIt was in 2016 when I first started to look into the topic of Java Exploitation, or, more precisely: into exploitation of unsafe deserialization of Java objects. Because of my professional history, it made sense to have a look at an SAP product that was written in Java. Naturally, the P4 protocol of SAP NetWeaver Java caught my attention since it is an RMI-like protocol for remote administration, similar to Oracle WebLogic's T3. In May 2017, I published a blog post about an exploit that was getting RCE by using the Jdk7u21 gadget. At that point, SAP had already provided a fix long ago. Since then, the subject has not left me alone. While there were new deserialization gadgets for Oracle's Java server product almost every month, it surprised me no one ever heard of an SAP deserialization gadget with comparable impact. Even more so, since everybody who knows SAP software knows the vast amount of code they ship with each of their products. It seemed very improbable to me that they would be absolutely immune against the most prominent bug class in the Java world of the past six years. In October 2020 I finally found the time and energy to set off for a new hunt. To my great disappointment, the search was in the end not successful. A gadget that yields RCE similar to the ones from the famous ysoserial project is still not in sight. However in January, I found a completely unprotected RMI call that in the end yielded administrative access to the J2EE Engine. Besides the fact that it can be invoked through P4 it has nothing in common with the deserialization topic. Even though a mere chance find, it is still highly critical and allows to compromise the security of the underlying J2EE server. The bug was filed as CVE-2021-21481. On march 9th 2021, SAP provided a fix. SAP note 3224022 describes the details. P4 and JNDI Listing 1 shows a small program that connects to a SAP J2EE server using P4: The only hint that this code has something to do with a proprietary protocol called P4 is the URL that starts with P4://. Other than that, everything is encapsulated by P4 RMI calls (for those who want to refresh their memory about JNDI). Furthermore, it is not obvious that what is going on behind the scenes has something to do with RMI. However, if you inspect more closely the types of the involved Java objects, you'll find that keysMngr is of type com.sun.proxy.$Proxy (implementing interface KeystoreManagerWrapper) and keysMngr.getKeystore() is a plain vanilla RMI-call. The argument (the name of the keystore to be instantiated) will be serialized and sent to the server which will return a serialized keystore object (in this case it won't because there is no keystore "whatever"). Also not obvious is that the instantiation of the InitialContext requires various RMI calls in the background, for example the instantiation of a RemoteLoginContext object that will allow to process the login with the provided credentials. Each of these RMI calls would in theory be a sink to send a deserialization gadget to. In the exploit I mentioned above, one of the first calls inside new InitialContext() was used to | Tool Vulnerability | ||
|
2021-06-10 16:19:52 | Facebook is a hub of sex trafficking recruitment in the US, report says (lien direct) | “The Internet has become the dominant tool traffickers use to recruit victims." | Tool | ||
|
2021-06-10 10:22:50 | This open-source Microsoft benchmark is a powerful server testing tool (lien direct) | Storage is a vital component of a modern server. DISKSPD can provide valuable insights into how it performs under different workloads. | Tool | ||
|
2021-06-09 20:15:08 | CVE-2021-0086 (lien direct) | Improper permissions in the installer for the Intel(R) Brand Verification Tool before version 11.0.0.1225 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-06-09 19:15:09 | CVE-2020-8702 (lien direct) | Uncontrolled search path element in the Intel(R) Processor Diagnostic Tool before version 4.1.5.37 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-06-07 12:06:12 | New Google Tool Helps Developers Visualize Dependencies of Open Source Projects (lien direct) | Google has launched a new experimental tool designed to help application developers visualize the dependencies of open source projects. | Tool | ||
|
2021-06-03 10:00:00 | (Déjà vu) Ransomware and Energy and Utilities (lien direct) | This is a blog series focused on providing energy and utility industries with helpful insights and practical, helpful information on cybersecurity. Intro The exponential growth of IoT devices in the energy and utilities industry has greatly increased focus on cybersecurity. Focus on cybersecurity across industries has increased recently, no doubt due to factors like COVID-19 forcing a jump in remote work. In 2020, we saw cybersecurity move from being a technical problem to a business issue. Along with the recognition that businesses really need to lead with a security-first mindset to be resilient, the CISO was elevated to a seat at the proverbial table as a true C-suite leader and trusted board advisor. Energy and utilities face unique challenges compared to other industries. According to McKinsey: “In our experience working with utility companies, we have observed three characteristics that make the sector especially vulnerable to contemporary cyberthreats. First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cybercriminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities’ projects or broad agendas. The second vulnerability is utilities’ expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations’ cybersecurity leadership. Finally the electric-power and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.” Let’s look at one type of common and profitable attack that could impact energy and utility companies – ransomware. What is ransomware? Ransomware is exactly as the name implies – something valuable to your business is being kept from you until a ransom is paid for its return. In simple terms, ransomware is extortion. Ransomware, a form of malicious software, blocks you from accessing your computer systems or files until you pay the cyber adversary to allow you access to your information. The ransom is typically requested in crypto currency because of its anonymity and ease of online payment – this translates to no tracing of the origin or destination of the funds, a common tactic of cyber criminals. Knowingly infecting a system with ransomware and requesting payment to unlock the system is a crime. Law enforcement agencies recommend not paying the ransom associated with ransomware. The thought is that if the ransom is paid, you as the victim of ransomware are then identified as an easy target for further cybercrime and the ransomware attack is perpetuated against others. Who is the target of ransomware? Cyber criminals seek the path of least resistance in their targets and strike against businesses that are easy targets. Ransomware is a business and the perpetrators, like any good businessperson, are looking for a strong ROI. The C | Ransomware Malware Tool Vulnerability Guideline | Deloitte | |
 |
2021-06-03 10:00:00 | Chinese cybercriminals spent three years creating a new backdoor to spy on governments (lien direct) | The new tool has been used in ongoing cyberespionage activities. | Tool | ||
|
2021-06-03 10:00:00 | Ransomware and energy and utilities (lien direct) | This is a blog series focused on providing energy and utility industries with helpful insights and practical, helpful information on cybersecurity. Intro The exponential growth of IoT devices in the energy and utilities industry has greatly increased focus on cybersecurity. Focus on cybersecurity across industries has increased recently, no doubt due to factors like COVID-19 forcing a jump in remote work. In 2020, we saw cybersecurity move from being a technical problem to a business issue. Along with the recognition that businesses really need to lead with a security-first mindset to be resilient, the CISO was elevated to a seat at the proverbial table as a true C-suite leader and trusted board advisor. Energy and utilities face unique challenges compared to other industries. According to McKinsey: “In our experience working with utility companies, we have observed three characteristics that make the sector especially vulnerable to contemporary cyberthreats. First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cybercriminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities’ projects or broad agendas. The second vulnerability is utilities’ expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations’ cybersecurity leadership. Finally the electric-power and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.” Let’s look at one type of common and profitable attack that could impact energy and utility companies – ransomware. What is ransomware? Ransomware is exactly as the name implies – something valuable to your business is being kept from you until a ransom is paid for its return. In simple terms, ransomware is extortion. Ransomware, a form of malicious software, blocks you from accessing your computer systems or files until you pay the cyber adversary to allow you access to your information. The ransom is typically requested in crypto currency because of its anonymity and ease of online payment – this translates to no tracing of the origin or destination of the funds, a common tactic of cyber criminals. Knowingly infecting a system with ransomware and requesting payment to unlock the system is a crime. Law enforcement agencies recommend not paying the ransom associated with ransomware. The thought is that if the ransom is paid, you as the victim of ransomware are then identified as an easy target for further cybercrime and the ransomware attack is perpetuated against others. Who is the target of ransomware? Cyber criminals seek the path of least resistance in their targets and strike against businesses that are easy targets. Ransomware is a business and the perpetrators, like any good businessperson, are looking for a strong ROI. The C | Ransomware Malware Tool Vulnerability Guideline | Deloitte | |
|
2021-06-02 09:08:39 | Exploit broker Zerodium is looking for Pidgin 0day exploits (lien direct) | Zero-day exploit broker Zerodium is looking for 0day exploits affecting the IM client tool Pidgin on Windows and Linux. Zero-day exploit broker Zerodium announced it is looking for 0day exploits affecting the IM client tool Pidgin on Windows and Linux. The company will pay up to $100,000 for zero-days in Pidgin, which is a free and open-source multi-platform instant […] | Tool | ||
|
2021-06-01 22:15:08 | CVE-2021-32657 (lien direct) | Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command line tool to administrate the Nextcloud users. | Tool Vulnerability | ||
|
2021-05-29 20:01:04 | Secure Search is a Browser Hijacker – How to Remove it Now? (lien direct) | Secured Search is a browser hijacker that changes your browser’s settings to promote securedsearch.com, let’s remove it. Secured Search is the same piece of software as ByteFence Secure Browsing. It’s supposedly a tool that improves browsing security and privacy. In reality, it’s a browser hijacker. It alters your browser’s settings to promote securedsearch.com (which is […] | Tool | ||
|
2021-05-28 16:26:42 | Engineered virus and goggles restore object recognition in a blind man (lien direct) | What started out as an experimental tool has evolved into a treatment. | Tool | ||
|
2021-05-28 11:15:07 | CVE-2021-20201 (lien direct) | A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection. | Tool | ||
|
2021-05-27 12:43:57 | Hackers compromised Japanese government offices via Fujitsu \'s ProjectWEB tool (lien direct) | Threat actors have compromised offices of multiple Japanese agencies via Fujitsu ‘s ProjectWEB information sharing tool. Threat actors have breached the offices of multiple Japanese agencies after they have gained access to projects that uses the Fujitsu ‘s ProjectWEB information sharing tool. ProjectWEB is a software-as-a-service (SaaS) platform for enterprise collaboration and file-sharing that was […] | Tool Threat | ||
|
2021-05-26 17:20:00 | Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles (lien direct) | Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats are Among the Benefits Threat Intelligence Platforms or TIPs Provide When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago. While there's no doubt that the variety and volume of threats keep on growing by the year, the question is whether or not it’s the complexity of the security problems that have risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter, in that it’s not so much that the complexity has grown tremendously over this time so much as the “awareness” of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make that jump from understanding to taking action—this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles. Big Data Conundrum with Threat Intelligence Platforms The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by just filtering out the feeds that are in use, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event manager (SIEM), which would be cost-prohibitive but also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in, with a TIP doing the work on the front end, interesting and pre-curated threat “matches” can be integrated directly into your SIEM. These matches prese | Tool Threat Guideline | Solardwinds Solardwinds | |
|
2021-05-25 15:00:00 | Anomali Cyber Watch: Bizzaro Trojan Expands to Europe, Fake Call Centers Help Spread BazarLoader Malware, Toshiba Business Reportedly Hit by DarkSide Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BazarCall, DarkSide, Data breach, Malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Air India passenger data breach reveals SITA hack worse than first thought
(published: May 23, 2021)
Adding to the growing body of knowledge related to the March 2021 breach of SITA, a multinational information technology company providing IT and telecommunication services to the air transport industry, Air India announced over the weekend that the personal information of 4.5 million customers was compromised. According to the airline, the stolen information included passengers’ name, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data. The compromise included data for passengers who registered with Indian Airlines between 26 August 2011 and 3 February 2021; nearly a decade. Air India adds to the growing list of SITA clients impacted by their data breach, including Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa.
Analyst Comment: Unfortunately, breaches like this are commonplace. While customers have no control over their information being included in such a breach, they can and should take appropriate actions once notified they may be impacted, Those actions can include changing passwords and credit cards associated with the breached accounts, engaging with credit reporting agencies for enhanced credit monitoring or freezing of credit inquiries without permission, and reaching out to companies that have reportedly been breached to learn what protections they may be offering their clients.
Tags: Data Breach, Airline, PII
BazarCall: Call Centers Help Spread BazarLoader Malware
(published: May 19, 2021)
Researchers from PaloAlto’s Unit42 released a breakdown of a new infection method for the BazarLoader malware. Once installed, BazarLoader provides backdoor access to an infected Windows host which criminals can use to scan the environment, send follow-up malware, and exploit other vulnerable hosts on the network. In early February 2021, researchers began to report a “call center” method of distributing BazarLoader. Actors would send phishing emails with trial subscription-based themes encouraging victims to phone a number to unsubscribe. If a victim called, the actor would answer the phone and direct the victim through a process to infect the computer with BazarLoader. Analysts dubbed this method of infection “BazarCall.”
Analyst Comment: This exemplifies social engineering tactics threat actors employ to trick users into installing malware on their machines. All social media users should be cautious when accepting unknown requests to connect, and particularly cautious when receiving communication from unknown users. Even if cal |
Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline | ||
 |
2021-05-25 09:00:00 | Crimes d'opportunité: augmentation de la fréquence des compromis sur la technologie opérationnelle à faible sophistication Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises (lien direct) |
Les attaques contre les processus de contrôle soutenues par la technologie opérationnelle (OT) sont souvent perçues comme nécessairement complexes.En effet, perturber ou modifier un processus de contrôle pour provoquer un effet prévisible est souvent assez difficile et peut nécessiter beaucoup de temps et de ressources.Cependant, Maniant Threat Intelligence a observé des attaques plus simples, où les acteurs ayant différents niveaux de compétences et de ressources utilisent des outils et des techniques informatiques communs pour accéder et interagir avec les systèmes OT exposés.
L'activité n'est généralement pas sophistiquée et n'est normalement pas ciblée contre des organisations spécifiques
Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. The activity is typically not sophisticated and is normally not targeted against specific organizations |
Tool Threat Industrial | ★★★ |
To see everything:
Our RSS (filtrered)
