SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2023-11-27 09:26:51	8 sujets essentiels de cybersécurité à inclure dans votre programme de formation 8 Essential Cybersecurity Topics to Include in Your Training Program (lien direct)	Your employees have a critical role to play as a first line of defense against cyberthreats. But to be effective, they need to know what those threats are-and stay apprised of how they\'re evolving. A comprehensive security awareness program is the key to helping your users grow their understanding of attackers\' methods and objectives so they can become more proactive defenders. That includes knowing what strategies malicious actors employ to manipulate people so they can use them to enable their campaigns. The importance of security awareness It\'s well worth taking the time to craft a meaningful and engaging security awareness program. By presenting the right mix of information to your users in a compelling way, you can empower them to help you improve your organization\'s security posture as well as create a more robust security culture overall. The cybersecurity topics that you include in your program should be relevant to your business and industry, of course. Companies face different cyberthreat challenges and regulatory compliance requirements related to data protection and data privacy. That said, there are several subjects that almost any modern business, regardless of its industry, will want to ensure its employees understand. We list eight of these cybersecurity topics below. They are the go-to approaches and tools that attackers around the world commonly use to compromise users and their accounts, disrupt normal business operations, steal money or data, and do other damage. Here\'s a high-level overview of these eight must-know cybersecurity topics: 1. Social engineering Social engineering is a collection of techniques malicious actors use to manipulate human psychology. Attackers rely on these strategies to trick or threaten users to take actions such as giving up account credentials, handing over sensitive data, running malicious code and transferring funds. They do this by taking advantage of users\': Emotions, by conveying a sense of urgency, generating excitement about an opportunity, or creating fear around losing money or doing something wrong Trust, by posing as someone familiar to the user or a trusted brand or authority-such as the Internal Revenue Service (IRS), UPS, Amazon or Microsoft Fatigue, by timing attacks when users are likely to be tired or distracted and more inclined to let their “emotional mind” guide their decision-making Common social engineering tactics include phishing-which we cover in the next section-and these others: Social media reconnaissance. Attackers often turn to social media to gather information about users that they target with their campaigns. These efforts can include direct outreach to users. Vishing (voice phishing) and smishing (SMS/text phishing). Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from a trusted brand or authority. With smishing, attackers use text messages to send SMS messages to users or robocall them. The messages often promise gifts or services in exchange for payment. Telephone-oriented attack delivery (TOAD). TOAD attacks start with an email that claims to be from a legitimate source and includes a phone number for customer assistance. Callers are connected to fake customer service representatives who then direct the victim through the attack. They may instruct the victim to let them access their machine remotely or download a file that turns out to be malware. Or they might direct them to a phishing site. Common sense can go a long way toward preventing a social engineering attack. Make sure to reiterate that if a message seems too good to be true, it\'s very likely a scam. And if something doesn\'t look or sound right, it probably isn\'t. 2. Phishing Phishing is an example of social engineering. Most phishing messages are sent by email. But some attackers deliver these messages through other methods, including smishing and vishing. Here are some typical strategies: Malicious links. When a user clicks on a	Ransomware Malware Tool Vulnerability Threat Mobile Cloud	Uber Uber	★★
	2023-11-17 16:00:00	Découvrir les stratégies de sécurité du cloud 2023 \\ dans notre prochain webinaire - Sécurisez votre place Discover 2023\\'s Cloud Security Strategies in Our Upcoming Webinar - Secure Your Spot (lien direct)	En 2023, le cloud n'est pas un seul champ de bataille.Zenbleed, Kubernetes Attacks et Sophistiqué APTS ne sont que la pointe de l'iceberg dans la zone de guerre de la sécurité du nuage. En collaboration avec les experts estimés de Lacework Labs, The Hacker News présente fièrement un webinaire exclusif: \\ 'naviguer dans le paysage d'attaque cloud: 2023 Tendances, techniques et tactiques. \' Rejoignez-nous pour un In 2023, the cloud isn\'t just a technology-it\'s a battleground. Zenbleed, Kubernetes attacks, and sophisticated APTs are just the tip of the iceberg in the cloud security warzone. In collaboration with the esteemed experts from Lacework Labs, The Hacker News proudly presents an exclusive webinar: \'Navigating the Cloud Attack Landscape: 2023 Trends, Techniques, and Tactics.\' Join us for an	Cloud	Uber	★★
	2023-11-13 10:10:19	GKE et Anthos ne font plus qu\'un chez Google Cloud (lien direct)	Avec GKE Enterprise, Google Cloud intègre sa plate-forme Anthos (gestion de cloud hybride) dans l'interface de son Kubernetes managé.	Cloud	Uber	★★
	2023-11-06 15:05:54	Tigera a annoncé des mises à niveau vers Calico Open Source et Calico Cloud Tigera announced upgrades to Calico Open Source and Calico Cloud (lien direct)	Tigera introduit de puissantes améliorations à Calico Open Source et Calico Cloud pour élever la sécurité, l'évolutivité et les performances • Le score de sécurité de Calico Cloud \\ et les actions recommandées fournissent une vue inégalée des risques de sécurité, permettant aux entreprises de les identifier et d'atténuer rapidement. • La prise en charge de l'automate rationalisée avec Windows Host Process Container Support simplifie les opérations de Kubernetes, économise du temps et des ressources. • La prise en charge de l'IPv6 pour l'EBPF dans Calico autorise les entreprises à améliorer les performances et l'évolutivité de leurs applications, garantissant qu'ils répondent aux exigences des charges de travail modernes. • Une observabilité améliorée avec VXLAN pour le maillage de cluster offre une solution évolutive pour les déploiements multi-cluster, améliorant la visibilité et la sécurité. - revues de produits Tigera Introduces Powerful Enhancements to Calico Open Source and Calico Cloud to Elevate Security, Scalability and Performance • Calico Cloud\'s Security Score and Recommended Actions provide an unparalleled view of security risks, enabling enterprises to identify and mitigate them swiftly. • Streamlined autoscaling with Windows HostProcess Container support simplifies Kubernetes operations, saving time and resources. • IPv6 support for eBPF in Calico empowers enterprises to enhance the performance and scalability of their applications, ensuring they meet the demands of modern workloads. • Enhanced observability with VxLAN for cluster mesh offers a scalable solution for multi-cluster deployments, enhancing visibility and security. - Product Reviews	Cloud	Uber	★★
	2023-10-26 10:00:00	Ensuring robust security of a containerized environment (lien direct)	The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. In today’s rapidly evolving digital landscape, containerized microservices have become the lifeblood of application development and deployment. Resembling miniature virtual machines, these entities enable efficient code execution in any environment, be it an on-premises server, a public cloud, or even a laptop. This paradigm eliminates the criteria of platform compatibility and library dependency from the DevOps equation. As organizations embrace the benefits of scalability and flexibility offered by containerization, they must also take up the security challenges intrinsic to this software architecture approach. This article highlights key threats to container infrastructure, provides insights into relevant security strategies, and emphasizes the shared responsibility of safeguarding containerized applications within a company. Understanding the importance of containers for cloud-native applications Containers play a pivotal role in streamlining and accelerating the development process. Serving as the building blocks of cloud-native applications, they are deeply intertwined with four pillars of software engineering: the DevOps paradigm, CI/CD pipeline, microservice architecture, and frictionless integration with orchestration tools. Orchestration tools form the backbone of container ecosystems, providing vital functionalities such as load balancing, fault tolerance, centralized management, and seamless system scaling. Orchestration can be realized through diverse approaches, including cloud provider services, self-deployed Kubernetes clusters, container management systems tailored for developers, and container management systems prioritizing user-friendliness. The container threat landscape According to recent findings of Sysdig, a company specializing in cloud security, a whopping 87% of container images have high-impact or critical vulnerabilities. While 85% of these flaws have a fix available, they can’t be exploited because the hosting containers aren’t in use. That said, many organizations run into difficulties prioritizing the patches. Rather than harden the protections of the 15% of entities exposed at runtime, security teams waste their time and resources on loopholes that pose no risk. One way or another, addressing these vulnerabilities requires the fortification of the underlying infrastructure. Apart from configuring orchestration systems properly, it’s crucial to establish a well-thought-out set of access permissions for Docker nodes or Kubernetes. Additionally, the security of containers hinges on the integrity of the images used for their construction. Guarding containers throughout the product life cycle A container\'s journey encompasses three principal stages. The initial phase involves constructing the container and subjecting it to comprehensive functional and load tests. Subsequently, the container is stored in the image registry, awaiting its moment of execution. The third stage, container runtime, occurs when the container is launched and operates as intended. Early identification of vulnerabilities is vital, and this is where the shift-left security principle plays a role. It encourages an intensified focus on security from the nascent stages of the product life cycle, encompassing the design and requirements gathering phases. By incorporating automated security checks within the CI/CD pipeline, developers can detect security issues early and minimize the chance of security gap	Tool Vulnerability Threat Cloud	Uber	★★★
	2023-09-18 16:48:49	FinOps Kubernetes : un modèle QoS à maîtriser (lien direct)	Pas d'optimisation des coûts sur Kubernetes sans maîtrise du modèle de qualité de service des pods ? Google Cloud insiste sur cet élément.	Cloud	Uber	★★★
	2023-08-15 10:00:00	Pourquoi la sécurité de l'API est-elle la prochaine grande chose en cybersécurité? Why is API security the next big thing in Cybersecurity? (lien direct)	The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. APIs, formally known as application programming interfaces, occupy a significant position in modern software development. They revolutionized how web applications work by facilitating applications, containers, and microservices to exchange data and information smoothly. Developers can link APIs with multiple software or other internal systems that help businesses to interact with their clients and make informed decisions. Despite the countless benefits, hackers can exploit vulnerabilities within the APIs to gain unauthorized access to sensitive data resulting in data breaches, financial losses, and reputational damage. Therefore, businesses need to understand the API security threat landscape and look out for the best ways to mitigate them. The urgent need to enhance API security APIs enable data exchanges among applications and systems and help in the seamless execution of complex tasks. But as the average number of APIs rises, organizations often overlook their vulnerabilities, making them a prime target of hackers. The State of API Security Q1 Report 2023 survey finding concluded that the attacks targeting APIs had increased 400% during the past six months. Security vulnerabilities within APIs compromise critical systems, resulting in unauthorized access and data breaches like Twitter and Optus API breaches. Cybercriminals can exploit the vulnerabilities and launch various attacks like authentication attacks, distributed denial-of-service attacks (DDoS), and malware attacks. API security has emerged as a significant business issue as another report reveals that by 2023, API abuses will be the most frequent attack vector causing data breaches, and also, 50% of data theft incidents will happen due to insecure APIs. As a result, API security has. become a top priority for organizations to safeguard their data, which may cost businesses $75 billion annually. Why does API security still pose a threat in 2023? Securing APIs has always been a daunting task for most organizations, mainly because of the misconfigurations within APIs and the rise in cloud data breaches. As the security landscape evolved, API sprawl became the top reason that posed a threat to API security. API sprawl is the uncontrolled proliferation of APIs across an organization and is a common problem for enterprises with multiple applications, services, and development teams. As more APIs are created, they expanded the attack surface and emerged as an attractive target for hackers. The issue is that the APIs are not always designed by keeping security standards in mind. This leads to a lack of authorization and authentication, exposing sensitive data like personally identifiable information (PII) or other business data. API sprawl	Malware Tool Vulnerability Threat Cloud	Uber	★★★
	2023-08-02 20:24:06	VMware Carbon Black lance Cloud Native Detection and Response (CNDR) (lien direct)	VMware Carbon Black offre une solution de détection des menaces et de réponse aux incidents pour les applications de nouvelle génération Grâce à ces nouvelles capacités Cloud native de détection et de réponse aux menaces, les équipes de sécurité bénéficient d'une visibilité unifiée en temps réel sur les conteneurs et environnements Kubernetes - Produits	Threat Cloud	Uber	★★
	2023-07-27 17:05:00	Les vulnérabilités pourraient exposer les utilisateurs d'Ubuntu à des attaques d'escalade privilégiées Vulnerabilities could expose Ubuntu users to privilege escalation attacks (lien direct)	Les chercheurs ont ont découvert deux vulnérabilités dans le système d'exploitation Linux, Ubuntu avec le potentiel d'accorder des attaquants a augmenté les privilèges.Les deux bogues ont un impact sur les surlayfs, un système de fichiers Linux largement installé utilisé pour la conteneurisation sur les serveurs cloud avec des technologies comme Docker et Kubernetes.Après avoir été informé des vulnérabilités par les chercheurs avec la société de sécurité du cloud Wiz Researchers have discovered two vulnerabilities in the Linux operating system Ubuntu with the potential to grant attackers escalated privileges. The two bugs impact OverlayFS, a widely installed Linux filesystem used for containerization on cloud servers with technologies like Docker and Kubernetes. After being notified of the vulnerabilities by researchers with the cloud security firm Wiz	Vulnerability Cloud	Uber	★★
	2023-07-13 21:25:00	Botnet silentbob de Teamtnt \\ infecte 196 hôtes dans Cloud Attack Campaign TeamTNT\\'s Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign (lien direct)	Jusqu'à 196 hôtes ont été infectés dans le cadre d'une campagne de cloud agressive montée par le groupe Teamtnt appelé SilentBob. "Le botnet géré par TeamTNT a jeté son objectif sur les environnements Docker et Kubernetes, les serveurs Redis, les bases de données Postgres, les grappes Hadoop, les serveurs Tomcat et Nginx, les applications SSAF, SSAF et Jupyter, les chercheurs Aqua Security Ofek Itach et Assaf ont déclaré dans dans dans In In dans dansun As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called Silentbob. "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag said in a	Cloud	Uber	★★★
	2023-06-29 19:15:08	CVE-2023-33190 (lien direct)	SealOS est une distribution de système d'exploitation cloud open source basé sur le noyau Kubernetes.Dans les versions de SEALOS avant 4.2.0, une mauvaise configuration des autorisations de contrôle d'accès basées sur les rôles (RBAC) a entraîné un attaquant de pouvoir obtenir des autorisations de contrôle des cluster, qui pourraient contrôler l'ensemble du cluster déployé avec SEALOS, ainsi que des centaines de pods etAutres ressources dans le cluster.Ce problème a été résolu dans la version 4.2.0.Il est conseillé aux utilisateurs de mettre à niveau.Il n'y a pas de solution de contournement connu pour cette vulnérabilité. Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.0 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	Cloud	Uber
	2023-06-23 21:15:09	CVE-2023-35165 (lien direct)	AWS Cloud Development Kit (AWS CDK) est un cadre de développement logiciel open source pour définir l'infrastructure cloud dans le code et la fournir via AWS CloudFormation.Dans les packages, `aws-cdk-lib` 2.0.0 jusqu'à 2.80.0 et` @ aws-cdk / aws-eks` 1.57.0 jusqu'à 1.202.0, `eks.cluster` et` eks.fargatecluster` Les constructions en créent deux deuxLes rôles, «CreationRole» et «Mastersrole» par défaut, qui ont une politique de confiance trop permissive. La première, appelée «CreationRole», est utilisée par les gestionnaires Lambda pour créer le cluster et déployer des ressources Kubernetes (par exemple `KubernetesManifest», «HelmChart», ...).Les utilisateurs avec la version CDK supérieure ou égale à 1,62.0 (y compris les utilisateurs de V2) peuvent être affectés. La seconde, appelée «Mastersrole» par défaut, n'est provisionnée que si la propriété «Mastersrole» n'est pas fournie et a des autorisations pour exécuter des commandes «kubectl» sur le cluster.Les utilisateurs avec la version CDK supérieure ou égale à 1,57.0 (y compris les utilisateurs de V2) peuvent être affectés. Le problème a été résolu dans `@ aws-cdk / aws-eks` v1.202.0 et` aws-cdk-lib` v2.80.0.Ces versions n'utilisent plus le directeur racine du compte.Au lieu de cela, ils restreignent la politique de confiance aux rôles spécifiques des gestionnaires de Lambda qui en ont besoin.Il n'y a pas de solution de contournement pour CreationRole.Pour éviter de créer le «Mastersrole par défaut», utilisez la propriété «MasterSrole» pour fournir explicitement un rôle. AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 until 1.202.0, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, that have an overly permissive trust policy. The first, referred to as the `CreationRole`, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g `KubernetesManifest`, `HelmChart`, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) may be affected. The second, referred to as the `default MastersRole`, is provisioned only if the `mastersRole` property isn\'t provided and has permissions to execute `kubectl` commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) may be affected. The issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0. These versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. There is no workaround available for CreationRole. To avoid creating the `default MastersRole`, use the `mastersRole` property to explicitly provide a role.	Cloud	Uber
	2023-06-22 12:05:42	Google Cloud attribue 313 337 $ en 2022 Prix VRP Google Cloud Awards $313,337 in 2022 VRP Prizes (lien direct)	Anthony Weems, Information Security Engineer2022 was a successful year for Google\'s Vulnerability Reward Programs (VRPs), with over 2,900 security issues identified and fixed, and over $12 million in bounty rewards awarded to researchers. A significant amount of these vulnerability reports helped improve the security of Google Cloud products, which in turn helps improve security for our users, customers, and the Internet at large.We first announced the Google Cloud VRP Prize in 2019 to encourage security researchers to focus on the security of Google Cloud and to incentivize sharing knowledge on Cloud vulnerability research with the world. This year, we were excited to see an increase in collaboration between researchers, which often led to more detailed and complex vulnerability reports. After careful evaluation of the submissions, today we are excited to announce the winners of the 2022 Google Cloud VRP Prize.2022 Google Cloud VRP Prize Winners1st Prize - $133,337: Yuval Avrahami for the report and write-up Privilege escalations in GKE Autopilot. Yuval\'s excellent write-up describes several attack paths that would allow an attacker with permission to create pods in an Autopilot cluster to escalate privileges and compromise the underlying node VMs. While thes	Vulnerability Cloud	Uber	★★
	2023-06-07 11:15:11	Arrêtons de procrastiner la mise à jour des systèmes d\'information ! (lien direct)	L’infrastructure d'une entreprise évolue en permanence, d'une architecture centralisée à une architecture distribuée, de l'architecture centralisée aux infrastructures cloud, et du cloud à Kubernetes. Et c'est également le cas du secteur de la sauvegarde qui au cours des deux dernières décennies, a connu des changements majeurs. Pour autant, faire évoluer sa technologie n'est pas qu'un	Cloud	Uber	★★
	2023-04-25 18:22:00	Anomali Cyber Watch: Deux attaques de la chaîne d'approvisionnement enchaînées, leurre de communication DNS furtive de chien, Evilextractor exfiltrates sur le serveur FTP Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023) A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign. Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups. MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application \| [MITRE ATT&CK] T1496 - Resource Hijacking \| [MITRE ATT&CK] T1036 - Masquerading \| [MITRE ATT&CK] T1489 - Service Stop Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023) Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and	Ransomware Spam Malware Tool Threat Cloud	Uber APT 38 ChatGPT APT 43	★★
	2023-04-21 18:56:00	Kubernetes RBAC a exploité dans une campagne à grande échelle pour l'exploitation de la crypto-monnaie Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining (lien direct)	Une campagne d'attaque à grande échelle découverte dans la nature a exploité le contrôle d'accès basé sur les rôles (K8S) (RBAC) pour créer des délais et exécuter des mineurs de crypto-monnaie. "Les attaquants ont également déployé des démonssets pour prendre le relais et détourner les ressources des grappes K8S qu'ils attaquent", a déclaré la société de sécurité Cloud Aqua dans un rapport partagé avec le Hacker News.La société israélienne, qui a surnommé l'attaque A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack	Cloud	Uber	★★
	2023-04-21 17:20:00	14 Kubernetes et défis de sécurité cloud et comment les résoudre 14 Kubernetes and Cloud Security Challenges and How to Solve Them (lien direct)	protéger leurs actifs numériques. En réponse, les hauts-mèmes, le premier Recently, Andrew Martin, founder and CEO of ControlPlane, released a report entitled Cloud Native and Kubernetes Security Predictions 2023. These predictions underscore the rapidly evolving landscape of Kubernetes and cloud security, emphasizing the need for organizations to stay informed and adopt comprehensive security solutions to protect their digital assets. In response, Uptycs, the first	Cloud	Uber	★★
	2023-04-13 10:00:00	Cloud Forensics - Une introduction à l'enquête sur les incidents de sécurité dans AWS, Azure et GCP Cloud forensics - An introduction to investigating security incidents in AWS, Azure and GCP (lien direct)	The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. The cloud has revolutionized the way we do business. It has made it possible for us to store and access data from anywhere in the world, and it has also made it possible for us to scale our businesses up or down as needed. However, the cloud also brings with it new challenges. One of the biggest challenges is just keeping track of all of the data that is stored in the cloud. This can make it difficult to identify and respond to security incidents. Another challenge is that the cloud is a complex environment. There are many different services and components that can be used in the cloud, and each of these services and components has different types of data stored in different ways. This can make it difficult to identify and respond to security incidents. Finally, since cloud systems scale up and down much more dynamically than anything we’ve seen in the past, then the data we need to understand the root cause and scope of an incident can disappear in the blink of an eye. In this blog post, we will discuss the challenges of cloud forensics and incident response, and we will also provide some tips on how to address these challenges. How to investigate a compromise of a cloud environment When you are investigating a compromise of a cloud environment, there are a few key steps that you should follow: Identify the scope of the incident: The first step is to identify the scope of the incident. This means determining which resources were affected and how the data was accessed. Collect evidence: The next step is to collect evidence. This includes collecting log files, network traffic, metadata, and configuration files. Analyze the evidence: The next step is to analyze the evidence. This means looking for signs of malicious activity and determining how the data was compromised. Respond to the incident and contain it: The next step is to respond to the incident. This means taking steps to mitigate the damage and prevent future incidents. For example with a compromise of an EC2 system in AWS, that may include turning off the system or updating the firewall to block all network traffic, as well as isolating any associated IAM roles by adding a DenyAll policy. Once the incident is contained, that will give you more time to investigate safely in detail. Document the incident: The final step is to document the incident. This includes creating a report that describes the incident, the steps that were taken to respond to the incident, and the lessons that were learned. What data can you get access to in the cloud? Getting access to the data required to perform an investigation to find the root cause is often harder in the cloud than it is on-prem. That’s as you often find yourself at the mercy of the data the cloud providers have decided to let you access. That said, there are a number of different resources that can be used for cloud forensics, including: AWS EC2: Data you can get includes snapshots of the volumes and memory dumps of the live systems. You can also get cloudtrail logs associated with the instance. AWS EKS: Data you can get includes audit logs and control plane logs in S3. You can also get the docker file system, which is normally a versioned filesystem called overlay2. You can also get the docker logs from containers that have been started and stopped. AWS ECS: You can use ecs execute or kubectl exec to grab files from the filesystem and memory. AWS Lambda: You can get cloud trail logs and previous versions of lambda. Azure Virtual Machines: You can download snapshots of the disks in VHD format. Azure Kubernetes Service: You can use &l	Cloud	Uber	★★
	2023-03-15 11:53:55	Xavier Pestel – Weborama : " Nous faisons du Kubernetes au quotidien " (lien direct)	Xavier Pestel, Lead SRE (Site Reliability Engineering) détaille comment il pilote l'infrastructure DMP de Weborama, qui s'appuie sur deux fournisseurs de Cloud public, avec Kubernetes.	Guideline Guideline Cloud	Uber	★★★
	2023-02-28 17:43:44	Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist (lien direct)	The opportunistic "SCARLETEEL" attack on a firm's Amazon Web Services account turns into targeted data theft after the intruder uses an overpermissioned service to jump into cloud system.	Cloud	Uber	★★
	2022-10-18 08:41:18	The benefits of taking an intent-based approach to detecting Business Email Compromise (lien direct)	By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email.	Threat Medical Cloud	Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10
	2022-08-18 08:00:00	Ukraine and the fragility of agriculture security (lien direct)	By Joe Marshall.The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunityRansomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H	Ransomware Threat Guideline Cloud	NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam
	2022-08-06 10:46:21	CISO workshop slides (lien direct)	A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):	Malware Vulnerability Threat Patching Guideline Medical Cloud	Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam
	2017-12-15 14:00:00	Things I Hearted This Week 15th December 2017 (lien direct)	Continuing the trend from last week, I’ll continue trying to put a positive spin on the week’s security news. Why? I hear you ask. Well, I’ve been mulling over the whole optimist thing, and glass half full analogy and it does work wonders. Side note, a tweet about half full / empty glasses and infosec took on a life of its own a few days ago. But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.” So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm doesn’t quite have the same ring to it. Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits Mirai Mirai on the wall I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.” It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty. The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty \| Motherboard Mirai IoT Botnet Co-Authors Plead Guilty \| KrebsonSecurity Botnet Creators Who Took Down the Internet Plead Guilty \| Gizmondo Bug Laundering Bounties Apparently, HBO negotiated with hackers. Paying them $250,000 under the guise of a bug bounty as opposed to a ransom. Maybe in time, it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email. The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)? Leaked email shows HBO negotiating with hackers \| Calgary Herald Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin \| USA Today Uber used bug bounty program to launder blackmail payment to hacker \| ars Technica Inside a low budget consumer hardware espionage implant I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference.	Guideline Medical Cloud	Uber APT 38 APT 37

Last update at: 2024-05-10 06:07:53
See our sources.

To see everything: Our RSS (filtrered)