What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
NetworkWorld 2020-12-15 12:21:00 SolarWinds Trojan: Affected enterprises must use hot patches, isolate compromised gear (direct link) Hot patching and isolating potentially affected resources are on the IT response schedule as enterprises that employ SolarWinds Orion network-monitoring software look to limit the impact of the serious Trojan unleashed on the platform. The supply-chain attack, reported early this week by Reuters and detailed by security researchers at FireEye and Microsoft, involves a sophisticated, potentially state-sponsored actor that gained access to a wide variety of government, public and private networks via Trojanized updates to SolarWinds' Orion network monitoring and management software. This campaign may have begun as early as spring 2020 and is ongoing, according to FireEye and others. Patching SolarWinds
bleepingcomputer 2020-12-10 11:00:00 Cisco fixes new Jabber for Windows critical code execution bug (direct link) Cisco has addressed a new critical-severity remote code execution (RCE) vulnerability affecting several versions of Cisco Jabber for Windows, macOS, and mobile platforms, after patching a related security bug in September. [...] Vulnerability Patching
AlienVault 2020-12-07 17:49:00 What is a managed firewall? Benefits, offerings explained (direct link) This blog was written by a third party author. A firewall can have all the security bells and whistles to keep the bad guys out, but firewalls are only as effective as the people managing them. To get the most out of a firewall, it must be properly managed to ensure it does what it's supposed to: mitigate threats targeting your business. What is a managed firewall? Monitoring your network can consume significant time, resources and costs. A managed firewall service, provided by a team of security experts, covers the administration, operation, monitoring, and maintenance of your firewall infrastructure. Depending on the offering, a managed firewall may involve an assessment of your security threats and monitoring of network traffic. Once the MSSP learns what "normal" traffic looks like, abnormal traffic patterns can be identified and corrected. Typically, managed firewall solutions include the set-up, maintenance, and modification of firewall rules as well as network monitoring. In addition, they often incorporate detailed analysis, reports and feedback. Patching and updates are commonly an essential part of the solution. Firewalls were never meant to be plug-and-play devices. You can't just set one up, install it on your network perimeter, and hope it does its job without any human management or expertise. Firewall management requires a significant level of expertise and consistent monitoring. Purchasing and setting up the firewall is only the first step in a long process. Common firewall issues and complexities: The resources required to manage a firewall represent only a portion of the complexities involved. There are several less tangible issues that arise of which companies should be aware.
Balancing user-friendliness and security: Firewall rules become business inhibitors if protocols are too restrictive and don't meet users' access requirements for specific applications or data. Conversely, providing access to more than what is needed to complete job duties can leave companies vulnerable to security breaches and data exfiltration. Absence of auditing: While analyzing firewall rules regularly is considered a best practice, many companies miss this crucial step. Inability to keep up with evolving threats: As the threat landscape compounds and a company's attack surface widens, so do the complexities of managing a firewall. Firewall configurations and rules that were sufficient just weeks or months ago aren't necessarily effective at blocking cyber threats today. Multiple locations, many firewalls: Each of the complexities mentioned above can be enough to handle for a single firewall, but many organizations require multiple firewalls. Each firewall has its own set of rules and configurations, so the work multiplies with each new firewall deployed. Complexity of industry compliance standards: If your company processes payments online, your firewall will need to be PCI DSS compliant. However, merely installing a firewall on your company's network won't make you PCI DSS compliant; there are over 20 PCI DSS sub-requirements that frame how firewalls should be installed, updated, and maintained to be compliant. Benefits of having a service provider manage your firewall: The benefits of working with a managed security service provider (MSSP) for your firewall management go well beyond solving the issues and complexities outlined above. Managed firewall services offer a diverse set of advantages. Empowering digital transformation: IT environments are evolving as organizations accelerate adoption of SaaS Threat Patching Guideline
Veracode 2020-11-19 16:23:50 Healthcare Orgs: What You Need to Know About TrickBot and Ryuk (direct link) In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of "...credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," which they shared as a warning of potential ransomware attacks. In the report, the agencies found that threat actors are targeting the HPH sector using TrickBot and BazarLoader malware, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic, something healthcare providers should take into consideration when determining how much to invest in their cybersecurity efforts. The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, "...TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti." What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns which uses a single-byte XOR cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic.
When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories: C:\Windows\, C:\Windows\SysWOW64\, or C:\Users\[Username]\AppData\Roaming\. From there, the executable file downloads modules from command and control servers (C2s) and places them into the host's %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim's machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here. BazarLoader and Ryuk ransomware: CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks. "The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure," the report says. "Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment." BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject l Ransomware Malware Tool Threat Patching ★★★
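The anchor_dns detail in the entry above (a single-byte XOR cipher, with the marker string becoming visible in DNS requests once decoded) lends itself to a simple log check. What follows is an added example written for this page; it is not code from CISA, the FBI, HHS or Veracode. It assumes the XOR'd payload travels as hex-encoded subdomain labels and that the query log has the layout "<timestamp> <client> <qname> <qtype>"; the sample key 0xB9 and the three log lines are constructed for the demonstration. Because the key is a single byte, the decoder does not need to know it: it tries all 256 values and keeps the one that reveals the marker.

```python
# Added example, not code from the CISA/FBI/HHS advisory or the Veracode post.
# Assumptions: XOR'd payload carried as hex-encoded subdomain labels; log layout
# "<timestamp> <client> <qname> <qtype>"; sample key and log lines constructed.
import re
from typing import List, Optional, Tuple

MARKER = b"anchor_dns"                       # string the advisory says appears once decoded
HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def payload_from_qname(qname: str, zone_labels: int = 2) -> bytes:
    """Join the hex subdomain labels left of the zone into raw bytes.
    Returns b'' when the labels are not all even-length hex (i.e. not a candidate)."""
    labels = qname.rstrip(".").split(".")[:-zone_labels]
    if not labels or not all(HEX_LABEL.match(lab) and len(lab) % 2 == 0 for lab in labels):
        return b""
    return bytes.fromhex("".join(labels))


def find_xor_key(payload: bytes, marker: bytes = MARKER) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the first one that reveals the marker."""
    if len(payload) < len(marker):
        return None
    for key in range(256):
        if marker in xor_bytes(payload, key):
            return key
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, int, bytes]]:
    """Return (qname, key, decoded payload) for every query that de-obfuscates to the marker."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2]                      # assumed column position of the query name
        payload = payload_from_qname(qname)
        key = find_xor_key(payload)
        if key is not None:
            hits.append((qname, key, xor_bytes(payload, key)))
    return hits


def encode_beacon(plaintext: bytes, key: int, zone: str = "example.net") -> str:
    """Build a query name the way such a beacon might (assumed layout, 32 hex chars
    per label). Used only to construct the sample log below."""
    h = xor_bytes(plaintext, key).hex()
    return ".".join([h[i:i + 32] for i in range(0, len(h), 32)] + [zone])


# Constructed sample log: two benign lookups around one beacon.
SAMPLE_KEY = 0xB9
SAMPLE_LOG = [
    "2020-11-19T16:23:50Z 10.0.0.5 www.example.com A",
    "2020-11-19T16:23:51Z 10.0.0.5 " + encode_beacon(b"anchor_dns/1/WS-0042", SAMPLE_KEY) + " A",
    "2020-11-19T16:23:52Z 10.0.0.7 mail.example.org MX",
]

if __name__ == "__main__":
    for qname, key, decoded in scan_dns_log(SAMPLE_LOG):
        print(f"{qname}: key=0x{key:02x} decoded={decoded!r}")
```

Run against a real resolver log, the only things to adapt are the column index of the query name and the number of trailing labels that make up the zone; long, all-hex labels under a single registrable domain are themselves worth alerting on even before the XOR check succeeds.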
AlienVault 2020-11-17 06:01:00 What is unified endpoint management? UEM explained (direct link) This blog was written by a third party author. The business world is undergoing its most dramatic shift yet, with the adoption of digital assets and workforce decentralization representing a huge business opportunity. These changes have led to added endpoints, or devices connecting to the network, which are enabling this transformation. But managing the volume of these diverse endpoints and geographic locations has grown in complexity. Furthermore, along with these changes in technology adoption and distribution of the workforce, the cybersecurity landscape is also changing. The multitude of endpoints that connect to the network is expanding the attack surface that bad actors with malicious intent can attempt to exploit. From a cybersecurity perspective, this influx of endpoints represents a significant business risk. Organizations need to understand the importance of both managing and securing their endpoints and how these two variables are intertwined in a complete endpoint security strategy. What is UEM? Traditional mobile device management has evolved, and in some ways UEM represents this modern evolution. With the dramatic increase of remote connectivity via mobile devices, the shift to work from home, and IoT adoption, unified endpoint management has become the solution for modern IT departments looking to secure these environments. Unified endpoint management is more than just managing endpoints. The "unified" represents one console for deploying, managing, and helping to secure corporate endpoints and applications. In addition, UEM offers provisioning, detection, deployment, troubleshooting and updating. UEM software gives IT and security departments visibility and control over their devices as well as their end-users, delivered through a centralized management console.
The goal of UEM software is to simplify an organization's endpoint strategy. But when adopting UEM software, it's critical to approach the implementation with a big-picture view and plan accordingly. UEM security benefits: Unified endpoint management offers organizations many benefits, the most appealing being reduced costs across multiple departments. By comprehensively automating many IT tasks and processes, UEM often lowers overhead costs and hardware expenditures. Other key benefits are as follows. Offers endpoint management integration with multiple platforms: One of the major selling points of UEM software is its ability to integrate with a variety of platforms, including Windows 10, macOS, Linux, Chrome OS, iOS, and Android, among others. With UEM, your business can configure, control, and monitor devices on these platforms from a single management console. With this integration, the burden of connecting these systems is reduced, costs are lowered, and risks are mitigated. Provides data and app protection across the attack surface: UEM protects corporate data and applications, reducing cybersecurity threats. This protection is accomplished by providing conditional user access, enforcing automated rules, enforcing compliance guidelines, providing safeguards against data loss, and empowering IT administrators to identify jailbroken and rooted devices. And, when combined with a Mobile Threat Defense (MTD) solution, UEM can enforce security policies and take automated remediation steps to further mitigate security risks for iOS and Android devices. Boasts advanced desktop management: With UEM, desktop operating systems gain a digital transformation boost that simplifies deployment and helps optimize app delivery and patch automation. Plus, an endpoint's data and apps can be Tool Vulnerability Threat Patching
ESET 2020-10-21 15:23:14 Google patches Chrome zero-day under attack (direct link) In addition to patching the actively exploited bug, the update also brings fixes for another four security loopholes. Patching
grahamcluley 2020-09-24 14:02:31 Microsoft warns hackers are actively targeting Zerologon vulnerability. Patch pronto! (direct link) If there are active attacks in the wild, if the DHS is ordering federal agencies to defend themselves, and if Zerologon is so easy to exploit, don't you think your business should be patching itself as soon as possible? Patching
ZDNet 2020-09-24 07:52:52 Microsoft says it detected active attacks leveraging Zerologon vulnerability (direct link) The Zerologon patching window is slowly closing as Microsoft warns of attacks in the wild. Vulnerability Patching
ZDNet 2020-09-22 16:00:03 Healthcare lags behind in critical vulnerability management, banks hold their ground (direct link) New research sheds light on which industries are performing well when it comes to patching high-risk bugs. Vulnerability Patching
Anomali 2020-09-22 15:00:00 Weekly Threat Briefing: Android Malware, APT Groups, Election Apps, Ransomware and More (direct link) The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cerberus Source Code Leak, Chinese APT, Mrbminer Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: US 2020 Presidential Apps Riddled with Tracking and Security Flaws (published: September 17, 2020) The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and get supporters to send out promotional text messages. The app receives its predictions from TargetSmart, an intelligence service, via an API endpoint that was found to be returning additional data. Both voter preference and voter prediction could be seen; while voter preference is publicly accessible, the TargetSmart information was not meant to be publicly available. The app also let users from outside the United States download it, giving non-US citizens access to the data, as there was no email verification. Vote Joe isn't the only campaign app with security issues, as the Donald Trump application exposed hardcoded secret keys in the APK. Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applications for financial services, by actors using stolen data.
Tags: APK, Android, Campaign, Election, Joe Biden, PII. German Hospital Attacked, Patient Taken to Another City Dies (published: September 17, 2020) A failure in IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital's systems crashed, with staff unable to access data. While no ransom demand was made, 30 servers at the hospital had been encrypted last week, with a note left on one server addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them they had attacked the hospital instead of the university, and the perpetrators provided decryption keys; however, patients had to be rerouted to other hospitals and therefore waited a long time before being treated by doctors. Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails received from unknown senders should be treated with caution, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Germany, Healthcare, Hospital, Ransomware Ransomware Malware Vulnerability Threat Patching Guideline APT 41 ★★★★★
no_ico 2020-09-04 18:58:51 Expert On Study Finds Serious Problems With Vulnerability Management (direct link) The majority of IT departments are overestimating the maturity of their vulnerability remediation programs by a wide margin, according to a study from Vulcan Cyber. The company said it was surprised that most organizations think they are much further along in patching known vulnerabilities when they have barely begun the work required. "What … The ISBuzz Post: This Post Expert On Study Finds Serious Problems With Vulnerability Management Vulnerability Patching
AlienVault 2020-08-26 07:01:00 IoT security explained (direct link) This blog was written by a third party author. The Internet of Things (IoT) is a term used to describe a system of interconnected computing devices that use the internet to send and receive data without requiring human-to-computer or human-to-human coordination. The world of IoT encompasses a wide variety of technologies, vendors, and connectivity methods. While cameras, smart kitchen appliances and smart locks often come to mind, IoT devices are prevalent in all industries. IoT has broad applications across the enterprise and provides numerous benefits, including increased operational efficiencies, improved customer experiences, better business decisions, and keeping workers safe. For the organization looking to adopt IoT to any degree, security challenges must be overcome using more than typical network security solutions alone. Given the inherently insecure nature of the IoT space due to the lack of industry standards, new security complications arise. Any cyber risk related to an IoT deployment requires a proactive approach with security built in from the start. Like any new technology that enables digital transformation, the goal for IoT should include strategies that align the technology with the company's current cybersecurity systems and policies. What are the security vulnerabilities of IoT? The use of IoT is expanding astronomically. According to research published in May 2020 by Transforma Insights, 7.6 billion IoT devices were active by the end of 2019. By 2030, the number is expected to balloon to 24.1 billion. The rush to meet the growing demand for IoT devices is leading vendors to favor functionality over security. Connected and unprotected devices are vulnerable to botnet and distributed denial-of-service (DDoS) attacks.
Despite plans to adopt these devices in greater numbers, a Trustwave report notes that only 28 percent of organizations consider IoT-specific security strategies "very important." Alan Mihalic, founder and president of the IoT Security Institute, says that despite the incredible number of IoT devices, most are unsecured. "IoT devices provide an easy and attractive entry point for criminals seeking to enter an organization's network," he said. "Moreover, their omnipresent nature provides access to opportunities never before possible within the technology environments; a presumably innocuous twenty-dollar IoT device can become the catalyst for a major cyber breach." The IoT attack surface: One look at the sheer number of possible devices in the production environment gives us a window into the magnitude of threat possibilities. Because securing IoT devices requires real-time authentication and authorization, complexity escalates, providing opportunities for bad actors to carry out many types of attacks. Whether it's man-in-the-middle (MitM) attacks, leveraging stolen access credentials, spoofing or cloning, or encryption attacks targeting key algorithms, a hacker's arsenal is well stocked. But at its most basic level, IoT security is not built in from the ground up. Compromising a device is far simpler than most people think. Sadly, the most common userid/password combinations are support/support, admin/admin and default/default. For many devices, security is an afterthought. The mere act of changing a device's default password goes a long way toward a robust IoT solution. How common are IoT attacks? IoT attacks are frequent, and they're escalating. In the first half of 2019, honeypot Threat Patching
no_ico 2020-08-24 04:00:39 Expert In News: Cisco Bug Warning: Critical Static Password Flaw In Network Appliances Needs Patching (direct link) Cisco has disclosed a critical flaw affecting its ENCS 5400-W Series and CSP 5000-W Series appliances, which is due to their software containing user accounts with a default, static password. During internal testing Cisco discovered that its Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for the appliances have user accounts with … Patching
AlienVault 2020-08-03 18:11:00 Managed security services explained: what is an MSSP? (direct link) This blog was written by a third party author. A managed security service provider (MSSP) is an IT service provider that focuses on delivering outsourced cybersecurity monitoring and management services to organizations. Unlike a Managed IT Services Provider (MSP), which focuses on managing, maintaining, and servicing an organization's IT environment, MSSPs concern themselves with the continuous state of their customers' security posture. What services do MSSPs provide? Not every MSSP offers identical services to the next. But, in general, there are a few common services MSSPs offer across the board: Continuous security monitoring and management – MSSPs work to ensure security devices and systems are functional and show no existing or imminent threats. Continuous monitoring gives the MSSP real-time visibility into an organization's current state of security while monitoring for cyberthreats. This includes analysis and reporting of security events from a wide range of solutions and data types, including network traffic, endpoint security solutions, infrastructure logs and/or SIEM solutions. Vulnerability management – MSSPs help organizations identify, prioritize, and remediate known vulnerabilities that can be used by cybercriminals to gain access to applications, systems, and data. Vulnerability management services range from simply providing vulnerability assessments of networks, systems, and applications (with the customer organization doing the remediation), to full-blown vulnerability management where discovered vulnerabilities are also remediated through automated patching and system reconfiguration. Intrusion management – Networks need to be continually monitored for possible cyberattack.
MSSPs leverage intrusion detection and intrusion prevention systems to look for and block anomalous network traffic that may be malicious in nature. Security technology management – MSSPs handle the daily management of advanced threat defense technologies, unified threat management, security gateways, firewalls, VPNs and more. Threat hunting – This service proactively identifies and eradicates threats in your environment using computer forensics, cyber threat intelligence and malware analysis. Security compliance monitoring and management – Organizations required to prove that their state of security is in compliance with government and industry regulations rely on MSSPs to assess, track and document their adherence to compliance mandates such as the Payment Card Industry Data Security Standard (PCI-DSS), the European Union's General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). Why would organizations use an MSSP? Outsourcing such a critical aspect of business operations has to provide an organization with significant benefits. Given the material impact data breaches and ransomware attacks have had on organizations, with post-attack costs reaching into the tens of millions, the idea of putting the safety of the network into a provider's hands can be daunting. Even so, organizations choose to leverage MSSPs to manage their security for a number of reasons: 1) Expertise – MSSPs maintain a staff of experts on many aspects of cybersecurity. Organizations concerned with cyberattacks and the fortification of their environment's security often find they lack internal expertise. Outsourcing to an MSSP extends the internal IT team t Ransomware Malware Vulnerability Threat Patching
no_ico 2020-07-10 09:57:09 (Déjà vu) Security Expert On Zoom Zero-day Vulnerability (direct link) Video conferencing software Zoom is working on patching a zero-day vulnerability that was disclosed online earlier today in a blog post by cyber-security firm ACROS Security. The security firm said the zero-day impacts Zoom's Windows client, but only when the client is running on old Windows OS versions, such as Windows 7 and Windows Server … Vulnerability Patching
ZDNet 2020-07-09 18:00:00 Zoom working on patching zero-day disclosed in Windows client (direct link) A security firm has today disclosed a zero-day vulnerability in Zoom's Windows client. Vulnerability Patching
AlienVault 2020-07-08 08:07:00 Vulnerability assessment steps, process explained (direct link) This blog was written by a third party author. What is a vulnerability assessment? Vulnerability assessment is the process of defining, identifying, classifying, and prioritizing vulnerabilities in systems, applications, and networks. It provides an organization with the needed visibility into the risks that exist concerning external threats designed to take advantage of vulnerabilities. At a tactical level, the vulnerability assessment process can help organizations identify potential methods of unauthorized access by which threats can gain entry to the organization's network. Assessments (and fixes based on the results) need to be performed before the vulnerabilities found can be exploited. Every organization faces the risk of cyberattacks, regardless of organization size, so it's beneficial to perform some form of vulnerability assessment regularly. Larger enterprises and those organizations experiencing ongoing attacks may benefit most. Assessments can be performed by internal IT security teams or outsourced to third parties that focus on security services. 4 steps to a vulnerability assessment: Assessing the current state of vulnerabilities is a bit more involved than installing vulnerability scanner software and hitting the "Scan" button. Vulnerability assessments are the foundational element of putting proper security controls in place, and they require proper planning, prioritizing, and reporting. The process of performing a vulnerability assessment can be broken down into the following 4 high-level steps. Step 1: Initial assessment. The goal here is to understand the importance of devices on your network and the risk associated with each.
Risk can be determined using several factors, including but not limited to: whether a given device is accessible from the internet (whether via internal or external IP addresses); whether the device is publicly accessible to anyone (such as a kiosk machine); whether a device's users have low-level or elevated permissions (such as administrators); and the device's role in business processes. The determined risk can be used to prioritize the remainder of the assessment and establish the proper order for the vulnerability assessment scans. It can also be used as input for a business impact analysis that is a part of an enterprise risk management initiative. Step 2: Define a system baseline. For each device to be assessed for vulnerabilities, it's necessary to understand whether its configuration meets basic security best practices. Some of the configuration factors that should be part of a baseline include: operating system (OS), version, and service pack or build, if applicable; approved software; installed services and required ports; any unnecessary open ports; and any special security configuration, if applicable. Approach each device as if you were a malicious actor; when you perform a scan in the next step, you want to see what an internal or external threat actor can access, and be able to compare that against known vulnerabilities and insecure configurations so you can interpret the results of the scan properly. In addition to the configuration factors, gathering any additional detail known about the system (such as log data pushed into a SIEM solution), and any already-known vulnerabilities for the specific OS and version, installed applications or enabled services, will be useful. Step 3: Perform a vulnerability scan. There are a few options available when it comes to vulnerability scans. Each one provides slightly different context to the results. In general, vulnerability scans are performed either via unauthenticated or authenticated means.
In an unauthenticated scan, a system is assessed from the network perimeter, looking Vulnerability Threat Patching
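The following added example (not code from the AlienVault post) turns steps 1 and 2 of the entry above into something runnable: a risk score built from the exposure factors listed under step 1 to fix the scan order, and a baseline comparison for step 2 that reports OS drift, unapproved software, ports open without a service needing them, and required ports that are not listening. The weights, device names and baselines are constructed for the demonstration; in practice the inventory would come from a CMDB and the observed values from discovery, and the scan results of step 3 are then read against this picture.

```python
# Added example for the vulnerability assessment steps above; not code from the
# AlienVault post. Scoring weights, devices and baselines are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Baseline:
    os: str                      # OS, version and build the device should run
    approved_software: Set[str]  # software allowed on the device
    required_ports: Set[int]     # ports its installed services genuinely need


@dataclass
class Device:
    name: str
    business_role: str           # "critical", "important" or "supporting"
    internet_exposed: bool       # reachable from the internet (via any IP address)
    public_access: bool          # anyone can walk up to it (kiosk machine)
    privileged_users: bool       # administrators log on to it
    baseline: Baseline
    observed_os: str             # what discovery actually found
    observed_software: Set[str]
    observed_open_ports: Set[int]


ROLE_WEIGHT = {"critical": 3, "important": 2, "supporting": 1}   # assumed weights


def risk_score(d: Device) -> int:
    """Step 1: rank devices by exposure and blast radius to set the scan order."""
    score = ROLE_WEIGHT.get(d.business_role, 1)
    score += 3 if d.internet_exposed else 0
    score += 2 if d.public_access else 0
    score += 2 if d.privileged_users else 0
    return score


def scan_order(devices: List[Device]) -> List[str]:
    """Highest risk first; ties broken by name so the order is stable."""
    return [d.name for d in sorted(devices, key=lambda d: (-risk_score(d), d.name))]


def baseline_deviations(d: Device) -> List[str]:
    """Step 2: everything that differs from the approved baseline, so the scan
    results in step 3 can be interpreted against a known-good picture."""
    issues = []
    if d.observed_os != d.baseline.os:
        issues.append(f"os drift: expected {d.baseline.os}, found {d.observed_os}")
    for sw in sorted(d.observed_software - d.baseline.approved_software):
        issues.append(f"unapproved software: {sw}")
    for port in sorted(d.observed_open_ports - d.baseline.required_ports):
        issues.append(f"unnecessary open port: {port}")
    for port in sorted(d.baseline.required_ports - d.observed_open_ports):
        issues.append(f"required port not listening: {port}")
    return issues


def assessment_plan(devices: List[Device]) -> Dict[str, dict]:
    """Per device: its risk score and its baseline deviations, keyed by name."""
    return {d.name: {"risk": risk_score(d), "deviations": baseline_deviations(d)}
            for d in devices}


# Constructed inventory: three devices, two of them deliberately drifted.
SAMPLE_DEVICES = [
    Device("web01", "critical", True, False, False,
           Baseline("Ubuntu 20.04", {"nginx", "openssh-server"}, {22, 443}),
           "Ubuntu 20.04", {"nginx", "openssh-server", "telnetd"}, {22, 23, 443}),
    Device("dc01", "critical", False, False, True,
           Baseline("Windows Server 2019", {"ad-ds", "dns-server"}, {53, 88, 389, 445}),
           "Windows Server 2019", {"ad-ds", "dns-server"}, {53, 88, 389, 445}),
    Device("kiosk01", "supporting", False, True, False,
           Baseline("Windows 10 1909", {"kiosk-browser"}, set()),
           "Windows 10 1809", {"kiosk-browser"}, {3389}),
]

if __name__ == "__main__":
    print("scan order:", scan_order(SAMPLE_DEVICES))
    for name, info in assessment_plan(SAMPLE_DEVICES).items():
        print(name, info["risk"], info["deviations"])
```

The internet-facing web server comes first even though the domain controller holds privileged users, because exposure is weighted above privilege here; change ROLE_WEIGHT and the bonuses to match your own risk model rather than treating these numbers as given.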
AlienVault 2020-07-02 13:01:00 Vulnerability management explained (direct link) This blog was written by a third party author. What is vulnerability management? Every year, thousands of new vulnerabilities are discovered, requiring organizations to patch operating systems (OS) and applications and reconfigure security settings throughout the entirety of their network environment. To proactively address vulnerabilities before they are used in a cyberattack, organizations serious about the security of their environment perform vulnerability management to provide the highest level of security posture possible. Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems (OS), enterprise applications (whether in the cloud or on-premises), browsers, and end-user applications. An ongoing process, vulnerability management seeks to continually identify vulnerabilities that can be remediated through patching and configuration of security settings. Addressing threats with vulnerability management: Bad actors look to take advantage of discovered vulnerabilities in an attempt to infect a workstation or server. Managing threats is a reactive process where the threat must be actively present, whereas vulnerability management is proactive, seeking to close the security gaps that exist before they are taken advantage of. More than just patching vulnerabilities: It's important to note that formal vulnerability management doesn't simply involve the act of patching and reconfiguring insecure settings. Vulnerability management is a disciplined practice that requires an organizational mindset within IT: new vulnerabilities are found daily, so discovery and remediation must be continual. What is considered a vulnerability?
Any means by which an external threat actor can gain unauthorized access or privileged control to an application, service, endpoint, or server is considered a vulnerability. Tangible examples include communication ports open to the internet, insecure configurations of either software or OSs, methods by which to gain privileged access through approved interaction with a given application or OS, and a susceptibility to allow malware to infect a system. How are vulnerabilities defined? While security vendors can choose to build their own vulnerability definitions, vulnerability management is commonly seen as an open, standards-based effort using the Security Content Automation Protocol (SCAP) developed by the National Institute of Standards and Technology (NIST). At a high level, SCAP can be broken down into a few components: Common Vulnerabilities and Exposures (CVE) – Each CVE identifies a specific vulnerability by which an attack may occur. Common Configuration Enumeration (CCE) – Each CCE identifies a specific system security configuration issue; the CCE list is used to develop configuration guidance. Common Platform Enumeration (CPE) – CPEs are standardized names for classes of applications, operating systems, and devices within your environment; they are used to describe what a CVE or CCE applies to. Common Vulnerability Scoring System (CVSS) – This scoring system assigns severity scores to each defined vulnerability and is used to prioritize remediation efforts and resources according to the threat. Scores range from 0 to 10, with 10 being the most severe. Many public sources of vulnerability definitions exist, such as the National Vulnerability Database (NVD) or Microsoft's security updates, and are freely available. Additionally, several vendors offer access to private vulnerability databases via paid subscription. Security conf Malware Vulnerability Threat Patching
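As an added example of how the SCAP pieces in the entry above fit together (not code from the AlienVault post, and not NVD's own matching logic), the following matches an asset inventory expressed as CPE 2.3 names against a list of vulnerability records, each carrying a CPE match string and a CVSS score, and orders the findings for remediation. It simplifies CPE matching to whole-component "*" wildcards, models a version range with a single NVD-style versionEndExcluding bound, compares versions as dotted integers, and uses placeholder identifiers (CVE-0000-000x) and a fictional vendor; all of that is constructed for the demonstration.

```python
# Added example for the SCAP/CPE/CVSS paragraph above; not code from the AlienVault
# post or from NVD. Assumptions: one CPE match string plus an optional
# versionEndExcluding bound per CVE; only whole-component '*' wildcards; dotted
# integer versions. CVE identifiers and products below are placeholders, not real CVEs.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its 11 named components.
    A colon escaped as backslash-colon inside a value is not treated as a separator."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def component_matches(pattern: str, value: str) -> bool:
    """'*' (ANY) matches anything; otherwise compare case-insensitively."""
    return pattern == "*" or pattern.lower() == value.lower()


def cpe_matches(pattern_cpe: str, asset_cpe: str) -> bool:
    p, a = parse_cpe23(pattern_cpe), parse_cpe23(asset_cpe)
    return all(component_matches(p[f], a[f]) for f in CPE_FIELDS)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


@dataclass
class Vuln:
    cve: str
    cvss: float                                  # CVSS base score, 0.0 to 10.0
    cpe: str                                     # match string from the CVE's configuration
    version_end_excluding: Optional[str] = None  # affected when asset version < this


def asset_affected(v: Vuln, asset_cpe: str) -> bool:
    if not cpe_matches(v.cpe, asset_cpe):
        return False
    if v.version_end_excluding is None:
        return True
    asset_version = parse_cpe23(asset_cpe)["version"]
    return version_tuple(asset_version) < version_tuple(v.version_end_excluding)


def prioritize(inventory: Dict[str, str], vulns: List[Vuln]) -> List[Tuple[str, str, float]]:
    """(host, cve, cvss) for every affected asset, highest CVSS first."""
    findings = [(host, v.cve, v.cvss)
                for host, cpe in inventory.items()
                for v in vulns if asset_affected(v, cpe)]
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


# Constructed inventory: host -> CPE 2.3 name of the product running on it.
SAMPLE_INVENTORY = {
    "web01": "cpe:2.3:a:exampleco:widgetd:2.4.1:*:*:*:*:*:*:*",
    "web02": "cpe:2.3:a:exampleco:widgetd:2.6.0:*:*:*:*:*:*:*",
    "db01":  "cpe:2.3:a:exampleco:storeql:11.2:*:*:*:*:linux:*:*",
}
# Placeholder records (not real CVEs): one version range, two exact matches.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, "cpe:2.3:a:exampleco:widgetd:*:*:*:*:*:*:*:*", "2.5.0"),
    Vuln("CVE-0000-0002", 5.3, "cpe:2.3:a:exampleco:storeql:11.2:*:*:*:*:*:*:*"),
    Vuln("CVE-0000-0003", 7.5, "cpe:2.3:a:exampleco:widgetd:2.6.0:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    for host, cve, score in prioritize(SAMPLE_INVENTORY, SAMPLE_VULNS):
        print(f"{score:4.1f} {host:6} {cve}")
```

The ordering by CVSS is the starting point the entry describes, not the end of prioritization: in practice a 7.5 on an internet-facing host usually outranks a 9.8 on an isolated one, so the exposure factors from a vulnerability assessment belong in the sort key too.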
ZDNet.webp 2020-06-19 17:31:15 Academics studied DDoS takedowns and said they're ineffective, recommend patching vulnerable servers (direct link) The volume of DDoS traffic to victims remained the same. The number of DDoS-for-hire domains went up. Patching
bleepingcomputer.webp 2020-06-10 14:45:00 (Déjà vu) Microsoft Office June security updates fix critical RCE bugs (direct link) Microsoft released the June 2020 Office security updates, with a total of 19 security updates and 5 cumulative updates for 7 different products, patching 4 critical bugs that enable attackers to remotely execute arbitrary code on unpatched systems. [...] Patching
bleepingcomputer.webp 2020-06-02 03:22:00 Critical Exim bugs being patched but many servers still at risk (direct link) Patching Exim mail servers is not going fast enough, and members of the Russian hacker group Sandworm are actively exploiting three critical vulnerabilities that allow remote command or code execution. [...] Patching
NoticeBored.webp 2020-05-16 17:38:09 NBlog May 16 - adjusting to the new normal (direct link) According to alert AA20-133A from US-CERT: "The U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020: Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild. An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors. March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack. Cybersecurity weaknesses - such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans - have continued to make organizations susceptible to ransomware attacks in 2020." Well whadyaknow? The US government blames "sophisticated foreign cyber actors" - the usual xenophobic, somewhat paranoid and conspiratorial stance towards those filthy rotten foreigners, desperately attacking little old US of A (today's version of reds under beds I guess); "Unpatched" VPNs and insecurely configured Office 365 services are being targeted, implicitly blaming customers for failing to patch and configure the software correctly, blithely ignoring the fact that it was US-based software vendors behind the systems that required patching and configuring to address exploitable vulnerabilities; Ransomware Vulnerability Patching
AlienVault.webp 2020-04-29 12:00:00 Have you started working from home? Secure your endpoints! (direct link) This blog was written by an independent guest blogger. Due to recent international events, there are likely millions of people in the United States and around the world who have just started working from home. There are a lot of office jobs that could move from the company’s workplace to employees’ homes: accountants, web designers, application developers, network administrators, lawyers, clerical jobs, stock traders, data entry people, call center agents, tech support agents, and probably many other white collar roles. I write web content about cybersecurity for a living, and I’ve always worked from home. Welcome to my world, millions of people! Try to save watching a TV show or playing a video game for after you’ve done your tasks for the day. But if your work has frustrated you by lunchtime, a nice long relaxing shower often helps. Maybe you have young children or pets at home who want your attention. You will need to shift your attention between playing Paw Patrol for your kids and walking the dog, and getting back to your task at hand. But there’s an upside. If you make yourself a yummy lunch and put your leftovers in the fridge, your coworkers won’t be able to steal them! Maybe your kid or spouse will, but you won’t resent them enjoying your pasta casserole. Now your home PC may be your office. And when you connect it to your company’s network, it will become one of its endpoints. Chances are your company’s network administrators and various security practitioners have taken some care to secure the endpoint (PC) that the company owns. Your user account probably has access to some files and folders on your employer’s servers, but no access to others. There’s likely some sort of information security policy that’s being enforced. 
If there’s some anomalous activity on your work PC, your IT department or security operations center should be investigating if it’s an indication of a cyber attack. But you’re not in your company’s office anymore. You’re at home. And your own home PC is just as attractive a target to cyber attackers as the PC your company provides you in your workplace, especially if your home PC is connected to your company’s network. So even though you can eat fish at your desk without your coworkers complaining, cybersecurity should be taken just as seriously. And because you own this endpoint, you have the responsibility to security harden it. So here are my tips for you. Only you should access your home endpoint As I said, when your home PC connects to your company’s network, it becomes one of the network’s various endpoints. Chances are you’re authorized to access some data resources on the network that a cyber attacker would love to have: financial data, internal documents and memos, internal applications, logs, and likely other sorts of sensitive data as well. And even if you’re not an administrator, an attacker may want to access your user account and perform privilege escalation attacks until they’ve acquired admin access. But they can’t escalate privileges if they don’t have access to your user account in the first place. Put a strong password on your user account in your operating system, whether it’s Windows 10, macOS, or even if you’re a desktop Linux-using weirdo like me. It should have more than ten characters, with upper and lowercase letters, numbers, and special characters. Don’t make your password “Tabby” because that’s your cat’s name and only you and your family have physical access to your PC. Assume that an attacker could acquire remote access to your PC through the internet. But a cyber attacker is unlikely to physically enter your home. 
So if you have to write your operating system password on a Post-it Note in order to make it really complex and still be able to use it, so be it. If your spou Malware Patching
bleepingcomputer.webp 2020-04-28 14:04:30 Microsoft releases guidance on blocking ransomware attacks (direct link) Microsoft warned today of ongoing human-operated ransomware campaigns targeting healthcare organizations and critical services, and shared tips on how to block new breaches by patching vulnerable internet-facing systems. [...] Ransomware Patching
CSO.webp 2020-04-27 03:00:00 Android security: Patching improves, but fragmentation challenges remain (direct link) Android device makers have improved their patching processes over the past two years according to a new analysis, decreasing the time gap between when security updates become public and their integration into firmware. This is good news for the Android ecosystem, which has historically been considered worse than Apple's iOS when it comes to patch hygiene. However, version fragmentation remains high in the Android world, with significant differences among device manufacturers and even across the same vendor's product lines. This leads to many devices running versions that are no longer supported. Berlin-based Security Research Labs (SRLabs) has published the results of its binary analysis of around 10,000 unique firmware builds running on many Android device models from different manufacturers. Most of the data was collected with SnoopSnitch, an application developed by the company to analyze mobile radio data for abnormalities that could indicate user tracking and fake base stations. It can also check if the Android firmware running on a device has the critical vulnerability patches that correspond to its reported security patch level. Vulnerability Patching Guideline
ZDNet.webp 2020-04-17 12:52:50 DHS CISA: Companies are getting hacked even after patching Pulse Secure VPNs (direct link) Hackers compromised Pulse Secure VPNs, stole AD credentials, and are now using the stolen passwords to access internal networks even after companies patched their VPN servers. Patching
bleepingcomputer.webp 2020-04-15 11:12:10 (Déjà vu) Microsoft Office April security updates fix critical RCE bugs (direct link) Microsoft released the April 2020 Office security updates on April 14, 2020, with a total of 55 security updates and 5 cumulative updates for 7 different products, patching 5 critical bugs allowing attackers to run scripts as the current user and remotely execute arbitrary code on unpatched systems. [...] Patching
ZDNet.webp 2020-04-14 18:59:32 (Déjà vu) Microsoft April 2020 Patch Tuesday comes with fixes for four zero-days (direct link) Microsoft fixes another 113 bugs this month after patching a whopping 115 last month. Patching
ZDNet.webp 2020-04-14 18:59:00 Microsoft April 2020 Patch Tuesday comes with fixes for three zero-days (direct link) Microsoft fixes another 113 bugs this month after patching a whopping 115 last month. Patching
DarkReading.webp 2020-03-31 13:45:00 Patching Poses Security Problems with Move to More Remote Work (direct link) Security teams were not ready for the wholesale move to remote work and the sudden expansion of the attack surface area, experts say. Patching
NoticeBored.webp 2020-03-23 13:19:46 NBlog March 20 - COVID-19 PIG update (direct link) Here's today's update to my COVID-19 information risk Probability Impact Graphic: I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security? 'Sanity' is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including 'mental health issues' in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it's hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG). There's even some good news for infosec pros. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study. Patching Guideline
AlienVault.webp 2020-03-23 12:00:00 Windows Server 2019 OS hardening (direct link) This blog was written by an independent guest blogger. Windows Server 2019 ships and installs with an existing level of hardening that is significantly more secure compared to previous Windows Server operating systems. Gone are the bloat of Xbox integration and services and the need for third-party security solutions to fill security gaps. Operating System (OS) hardening provides additional layers of security and preventative measures against both unauthorized changes and access. Hardening is critical in securing an operating system and reducing its attack surface. Be careful! If you harden an operating system too much, you risk breaking key functionality. Hardening approach Harden your Windows Server 2019 servers or server templates incrementally. Implement one hardening aspect at a time and then test all server and application functionality. Your cadence should be to harden, test, harden, test, etc. Mistakes to avoid Reducing the surface area of vulnerability is the goal of operating system hardening. Keeping the area as small as possible means avoiding common bad practices. Do not turn off User Access Control (UAC). You should move the UAC slider to the top: Always notify. The few extra clicks to make while trying to install a new application or change system settings might prevent system compromise in the future. Do not install Google Chrome, Firefox, JAVA, Adobe Flash, PDF viewers, email clients, etc. on your Windows Server 2019 operating systems unless you have an application dependency for these applications. Do not install unnecessary roles and features on your Windows Server 2019 servers. If you need to install a role such as IIS, only enable the minimum features you require and do not enable all role features. 
Do not forget to fully patch your Windows Server 2019 operating system and establish a monthly patch window allowing you to patch and reboot your servers monthly. Hardening Windows 2019 Server Core As a foundation, install the Core version of Windows Server 2019, known as Windows 2019 Server Core. Server Core removes the traditional GUI interface to the operating system and provides the following security benefits. • Server Core has a smaller attack surface than Server with a GUI • Requires fewer software updates and reboots • Can be managed using the new Windows Admin Center • Improved Application Compatibility features in Windows Server 2019 Traditional Windows administrators may be apprehensive about running Server Core due to a lack of PowerShell familiarity. The new Windows Admin Center provides a free, locally deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs. Windows Admin Center comes at no additional cost beyond Windows and is ready to use in production. You can install Windows Admin Center on Windows Server 2019 as well as Windows 10 and earlier versions of Windows and Windows Server and use it to manage servers and clusters running Windows Server 2008 R2 and later. Secure the Local Administrator Account Local Administrator Password Solution (LAPS) If Windows Server does get compromised, the attacker will quickly try to move laterally across your network to find highly valuable systems and information. Credenti Ransomware Malware Tool Vulnerability Patching
SecurityAffairs.webp 2020-03-16 20:00:46 Most organizations have yet to fix CVE-2020-0688 Microsoft Exchange flaw (direct link) Organizations are delaying patching the Microsoft Exchange Server flaw (CVE-2020-0688) that Microsoft fixed with the February 2020 Patch Day updates. The CVE-2020-0688 flaw resides in the Exchange Control Panel (ECP) component; the root cause of the problem is that Exchange servers […] Patching
bleepingcomputer.webp 2020-03-11 10:54:59 Microsoft Releases the March 2020 Security Updates for Office (direct link) Microsoft released the March 2020 Office security updates on March 10, 2020, with a total of 13 security updates and 5 cumulative updates for 6 different products, with 12 of them patching bugs allowing attackers to execute arbitrary code remotely after exploitation. [...] Patching
securityintelligence.webp 2020-02-20 12:30:26 To Rank or Not to Rank Should Never Be a Question (direct link) Scanning is an important part of any vulnerability management program, but it should always be accompanied by vulnerability ranking to ensure teams are patching the most impactful issues first. Vulnerability Patching
bleepingcomputer.webp 2020-02-12 08:33:53 Microsoft Releases February 2020 Office Updates With Security Fixes (direct link) Microsoft released the February 2020 Office security updates on February 11, 2020, with a total of 10 security updates and three cumulative updates for six different products, with three of them patching flaws allowing for remote code execution. [...] Patching
WiredThreatLevel.webp 2020-01-27 18:00:00 Intel Is Patching the Patch for the Patch for Its 'Zombieload' Flaw (direct link) Intel's made two attempts to fix the microprocessor vulnerability it was warned about 18 months ago. Third time's the charm? Vulnerability Patching
bleepingcomputer.webp 2020-01-26 10:31:32 Patching the Citrix ADC Bug Doesn't Mean You Weren't Hacked (direct link) Citrix on Friday released the final patch for the critical vulnerability tracked as CVE-2019-19781 in its affected appliances. Many organizations are still at risk, though, as they continue to run Citrix servers without a fix or the advised [...] Vulnerability Patching
NoticeBored.webp 2020-01-22 09:00:00 NBlog Jan 22 - further lessons from Travelex (direct link) At the bottom of a Travelex update on their incident, I spotted this yesterday: Customer Precautions Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires. At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident. I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypot Ransomware Malware Patching Guideline APT 15
SecurityAffairs.webp 2020-01-19 09:32:27 Hackers patch Citrix servers to deploy their own backdoor (direct link) Attacks on Citrix servers are intensifying; one of the threat actors behind them is patching them and installing its own backdoor to lock out other attackers. Security experts are monitoring a spike in the number of attacks against Citrix servers after researchers announced the availability online of proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler […] Threat Patching
AlienVault.webp 2020-01-17 14:00:00 Journey to security: Data safety for travelers (direct link) Image source: Pixabay. Note: This blog was written by an independent guest blogger. In today’s world, we enjoy incredible mobility that our ancestors could only dream of. In a matter of hours or, at most, days, we can go from one continent to another. At the same time, our lives depend on the security of all sorts of our private data: from our credit card information to our browsing habits. But if at home we can be sure that we have taken sufficient security measures and protected our systems, things get muddier when we travel. There is no way to tell if the cybersecurity employed by an airport or hotel you use is enough to protect your sensitive data. However, there are ways to increase your safety by following several simple tips. 1. Don’t trust public USB charging stations While their convenience is hard to overestimate when your battery charge is running low, public USB charging stations should not be treated as safe. The threat of data being stolen from, or malware being loaded onto, your device through the USB cable when you connect it to a charging station is called juice jacking. It may not be the most widespread type of malware injection, but it is still better to avoid any possibility of it. This threat can be mitigated by getting a USB data blocker that allows charging your device while blocking any data transfer to or from it. Alternatively, just charge your device at a socket. 2. Mind your physical security It’s not every time that personal information gets stolen that some complex hacking techniques are involved. Quite often, stealing access to sensitive data only requires a more traditional set of criminal skills. If you travel to a highly populated city, and especially if you use public transportation there, your chances of running into pickpockets are going to be very high. 
Therefore, it’s a good idea to take some preemptive measures to battle this possibility. If your device is small (like a smartphone), try to keep it in an inside pocket, if possible. This way, you will make it almost unreachable to any thief. On the other hand, if your device is bigger (like a laptop) and you carry it around in a bag, be sure not to put the bag down under any circumstances. Hold it tightly so that no criminal can snatch it from your hands. 3. Be prepared in case your device is stolen Sadly, no matter what precautions you take, there’s still a possibility that your device may be stolen. It only takes a criminal one lucky attempt to do so, while you have to succeed in protecting yourself constantly. This is why you need to have a plan B. Set up a screen lock for your smartphone. Ideally, it should be done with a password because those are the hardest to crack, but it comes at the price of having to enter it every time you need to access your smartphone. However, in the unfortunate event that your device does get stolen, the perpetrators won’t be able to access it and your personal information. Another option is setting up a biometric authentication procedure to unlock your phone. In most cases, using your fingerprint is the most convenient route to take. Similarly, your other devices should also be Malware Threat Patching Guideline
ZDNet.webp 2020-01-17 12:29:00 A hacker is patching Citrix servers to maintain exclusive access (direct link) FireEye believes this is a bad guy hoarding Citrix servers, rather than a good-guy vigilante looking out for organizations. Patching
DarkReading.webp 2019-12-23 10:00:00 20 Vulnerabilities to Prioritize Patching Before 2020 (direct link) Researchers list the top 20 vulnerabilities currently exploited by attack groups around the world. Patching
itsecurityguru.webp 2019-12-17 10:33:40 WordPress patches several security concerns (direct link) WordPress has pushed out version 5.3.1 patching four security issues. WordPress versions 5.3 and earlier are affected, and the company is recommending users download the new version, which is a short-cycle maintenance release and will soon be superseded by a full update when version 5.4 is released. Source: SC Magazine Patching
ZDNet.webp 2019-11-12 18:00:09 Flaw in Intel PMx driver gives 'near-omnipotent control over a victim device' (direct link) Intel released an updated version of pmxdrvx64.sys and pmxdrv.sys; however, patching might take a while. Patching
ZDNet.webp 2019-10-11 17:20:45 Microsoft and NIST partner to create enterprise patching guide (direct link) A NIST guide was needed as the patch testing process for some companies involved asking questions on internet forums. Patching ★★★★★
bleepingcomputer.webp 2019-10-08 13:51:55 (Déjà vu) Microsoft Releases the October 2019 Security Updates for Office (direct link) Microsoft released the October 2019 Microsoft Office security updates, bundling a total of 14 security updates and four cumulative updates across seven different products, nine of them patching remote code execution flaws. [...] Patching
CSO.webp 2019-10-03 03:00:00 8 ways your patch management policy is broken (direct link) Not appropriately patching your software and devices has been a top reason why organizations are compromised for three decades. In some years, a single unpatched application like Sun Java was responsible for 90% of all cybersecurity incidents. Unpatched software clearly needs to be mitigated effectively. Patching ★★
bleepingcomputer.webp 2019-09-10 13:42:05 (Déjà vu) Microsoft Releases the September 2019 Security Updates for Office (direct link) Microsoft released the September 2019 Microsoft Office security updates, bundling a total of 19 security updates and five cumulative updates across seven different products, five of them patching remote code execution flaws. [...] Patching
The_Hackers_News.webp 2019-09-10 11:36:01 (Déjà vu) Latest Microsoft Updates Patch 4 Critical Flaws In Windows RDP Client (direct link) Get your update caps on. Microsoft today released its monthly Patch Tuesday update for September 2019, patching a total of 79 security vulnerabilities in its software, of which 17 are rated critical, 61 important, and one moderate in severity. Two of the security vulnerabilities patched by the tech giant this month are listed as "publicly known" at the time of release, one of which is an Patching
Last update at: 2024-05-09 09:07:56