Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CISA. Show all posts
VPN security
CISA Cyber Attacks Ivanti Ivanti security flaws Ivanti VPN Exploitation Security Breach VPN VPN security

Lessons from the Ivanti VPN Cyberattack: Security Breaches and Mitigation Strategies

 

The recent cyberattack on Ivanti’s VPN software has prompted swift action from the Cybersecurity and Infrastructure Security Agency (CISA). This incident not only highlights the need for stronger cybersecurity measures but also raises important questions about exploit techniques, organizational responses to security breaches, and the escalating costs associated with downtime. 

The vulnerabilities in Ivanti’s VPN gateway allowed threat actors to bypass authentication and gain unauthorized access. Attackers could send maliciously crafted packets to infiltrate the system without needing to steal credentials, giving them access to user credentials, including domain administrator credentials. A second vulnerability enabled the injection of malicious code into the Ivanti appliance, allowing attackers to maintain persistent access, even after reboots or patches. Security researchers, including Mandiant, identified that Ivanti’s initial mitigations were insufficient. 

CISA warned that Ivanti’s interim containment measures were not adequate to detect compromises, leaving systems vulnerable to persistent threats. This uncertainty about the effectiveness of proposed mitigations necessitated CISA’s prompt intervention. The ability of attackers to gain persistent access to a VPN gateway poses significant risks. From this trusted position, attackers can move laterally within the network, accessing critical credentials and data. The compromise of the VPN allowed attackers to take over stored privileged administrative account credentials, a much more severe threat than the initial breach. In response to the breach, CISA advised organizations to assume that critical credentials had been stolen. 

Ivanti’s failure to detect the compromise allowed attackers to operate within a trusted zone, bypassing zero-trust principles and exposing sensitive data to heightened risks. The severity of the vulnerabilities led CISA to take the unusual step of taking two of Ivanti’s systems offline, a decision made to protect the most sensitive credentials. Despite later clarifications from Ivanti that patches could have been applied more discreetly, the miscommunications highlight the importance of clear, open channels during a crisis. Mixed messages can lead to unnecessary chaos and confusion. System-level downtime is costly, both in terms of IT resources required for shutdown and recovery and the losses incurred from service outages. 

The exact cost of Ivanti’s downtime remains uncertain, but for mission-critical systems, such interruptions are extremely expensive. This incident serves as a warning about the costs of addressing the aftermath of a cyberattack. CISA’s decision to shut down the systems was based on the potential blast radius of the attack. The trusted position of the VPN gateway and the ability to export stored credentials made lateral movement easier for attackers. 

Building systems based on the principle of least privilege can help minimize the blast radius of attacks, reducing the need for broad shutdowns. The Ivanti VPN cyberattack underscores the pressing need for robust cybersecurity measures. Organizations must adopt proactive infrastructure design and response strategies to mitigate risks and protect critical assets. Reducing the number of high-value targets in IT infrastructure is crucial. Privileged account credentials and stored keys are among the highest value targets, and IT leaders should prioritize strategies and technologies that minimize or eliminate such targets. 
Read more »
Windows
CISA Cyberattacks Cybercirme Cyberhackers CyberThreat HHS Microsoft Vulnerabilities and Exploits Windows

Microsoft Announces New Deadlines for Windows Updates

 


A July 4 deadline for Windows users who have not updated their systems is fast approaching. It was only two weeks ago that a two-week-old security vulnerability found in Windows was found to have been reactivated. Despite Microsoft's claim that CVE-2024-26169 is not exploitable, Symantec's security researchers believe otherwise, finding “some evidence” that attackers might have prepared an exploit for the CVE-2024-26169 vulnerability before patching the vulnerability. 

As of last month, several U.S. government agencies – including CISA and the FBI – have collaborated on a Cybersecurity Alert which warns that “Black Basta affiliates have compromised a wide range of critical infrastructure, businesses, and industries throughout North America, Europe and Australia.” There are over 500 organizations in the world that have been affected by Black Basta affiliates in the year 2024. 

Several organizations have released the joint CSA, including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), to provide information regarding the Black Basta attacks, which are referred to hereafter as the authoring organizations. A variant of ransomware known as Black Basta has encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. 

The FBI has conducted investigations into Black Basta and third parties have reported on these TTPs and IOCs. This is a ransomware-as-a-service variant that was first detected in April 2022 and is considered a ransomware-as-a-service (RaaS) variant. It is believed that the Black Basta ransomware will have affected more than 500 organizations globally by May 2024, affecting a wide range of businesses in North America, Europe, and Australia as well as critical infrastructures. 

Black Basta is a Russian-linked ransomware that originated in early 2022. It was used to attack over 329 organizations around the world and has grown to become one of the fourth most active strains of ransomware based on the number of victims. According to the group, they are using double-extortion tactics to extort victims by threatening to publish stolen data unless the victim is willing to pay a ransom. Several researchers have suggested that BlackBasta may have originated as a part of Conti Group, a ransomware gang that has been in operation for quite some time now. 

It has been revealed through the leak of Conti’s online chats that the group had ties to the Russian government and that it supported the invasion of Ukraine. The group ended in May 2022, but its online chats were leaking this information. Affiliates of Black Basta use common methods for gaining access to a system such as phishing emails and exploiting known vulnerabilities then use a double extortion technique to gain access to the system as well as steal data. There are two types of ransom notes: those which include instructions as to how to pay as well as those which do not.

The ransomware group instead gives victims a one-time use private code and instructs them to contact the group via a website that is only accessible through the Tor browser, a URL that contains a .onion extension. According to the majority of ransom notes, victims are usually given between 10 and 12 days before becoming subject to the publication of their data on the Basta News website, which the Black Basta ransomware group runs. Black Basta attacks businesses in a range of different industries, affecting the construction industry (10% of victims), the legal sector (4%) and the real estate sector (3%). This group of ransomware is known as Black Basta and its victimology is very similar to that of the Conti ransomware group.

Both groups have a shared appetite for many of the same industries as Black Basta. Among the victims of Black Basta, 61% are from organizations that are based in the United States, followed by 15% from the German authorities. There are several high-profile victims of Black Basta, which include Capita, a software services company with billions of dollars worth of UK government contracts, and ABB, a company that has more than US$29 billion in revenue. The information regarding whether or not a ransom was paid by either company has not been publicized.

The healthcare industry is an attractive target for cybercriminals due to the size of the organization, the technological dependence, the access to medical information and the unique impact of disruptions to patient care. There are several ways in which a member of the Black Basta organization will gain access to a system, and these methods include phishing emails, exploiting known vulnerabilities, and then using double extortion techniques to gain access to the system as well as stealing data. A ransom note can be divided into two types: those that provide instructions on how to pay the ransom, and those which do not provide instructions. 

As an alternative to encrypting the victims' files, the ransomware group comprises a group of individuals that give victims an individual one-use private code in addition to instructing them to contact the group via a website only accessible by Tor browsers, one that contains a .onion extension on the URL. There is usually between 10 and 12 days of grace allowed to victims according to ransom notes that are generally released by the Black Basta malware group before their data is exposed on Basta News, which is a website that publishes data from the victims. 

It is not uncommon for Black Basta to attack businesses across a wide range of different industries, with 10 per cent of victims coming from the construction industry, 4 per cent from the legal sector, and 3 per cent from the real estate industry. It seems that the Black Basta ransomware group, which has a victimology very similar to that of the Conti ransomware group, has been seen to distribute a similar type of ransomware. There is a clear affinity between the two groups when it comes to several of the same industries as Black Basta.

Black Basta has been responsible for the murder of 61% of American victims, followed by 16% of German victims, and the vast majority of victims belong to organizations based in the United States and Europe. The Black Basta scam has claimed the lives of several high-profile companies, including Capita, a software company with billions of dollars worth of contracts with the British government, and ABB, a company with one of the world's largest revenue bases within the US$29 billion range. Neither company has provided any information regarding a ransom payment that has been made by one of the companies, which is of concern. 

The healthcare industry represents an appealing target for cybercriminals due to several critical factors. Firstly, the sheer size and scale of healthcare organizations make them lucrative targets. Additionally, their substantial reliance on advanced technology heightens vulnerability to cyberattacks. Furthermore, these organizations possess extensive repositories of sensitive medical information, making them particularly attractive to malicious actors. The potential disruptions to patient care resulting from cyber incidents also underscore the unique and profound impact of such breaches within the healthcare sector.
Read more »
Ransomware
BlackSuit CISA FBI malware Ransomware

From Code to Chaos: BlackSuit Ransomware and The CDK Global Cyber Crisis


In recent days, the automotive industry has been hit by a significant IT outage that has disrupted operations for car dealerships across North America. The culprit? The notorious BlackSuit ransomware gang. In this blog post, we’ll delve into the details of the attack, its impact, and what it means for CDK Global and its customers.

The Incident

According to people familiar with the situation, the BlackSuit ransomware gang is responsible for CDK Global's significant IT failure and interruption to car dealerships throughout North America.

The conversations follow the BlackSuit ransomware assault, which led CDK to lock down its IT infrastructure and data centers, including its car dealership platform, to prevent the attack from spreading. The company attempted to restore services on Wednesday, but a second cybersecurity attack forced it to shut down all IT systems again.

The Attack

CDK Global, a leading provider of technology solutions for auto dealerships, found itself in the crosshairs of cybercriminals

While the company has yet to officially confirm the ransomware attack, multiple sources indicate that BlackSuit is behind the incident. The attack likely exploited vulnerabilities in CDK’s systems, leading to widespread disruption.

Impact on Dealerships

Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed that they, too, were impacted by the outages.

The fallout from the CDK Global outage has been substantial. Car dealerships rely heavily on CDK’s software for inventory management, sales, and customer service. 

With the systems down, dealers have had to resort to manual processes, including pen-and-paper record-keeping. Imagine the chaos in a busy dealership trying to manage sales, service appointments, and parts inventory without their usual digital tools.

Data Theft Concerns

Beyond the immediate operational challenges, there are serious concerns about data theft. Ransomware attacks often involve stealing sensitive information before encrypting files and demanding a ransom.

CDK Global must now investigate whether customer data, financial records, or other critical information has been compromised. The potential fallout from such a breach could be long-lasting and damaging.

Response and Recovery

In November 2023, the FBI and CISA published in a joint advisory that Royal and BlackSuit's encryptors use similar strategies and have coding overlaps.

CDK Global’s response to the attack is crucial. They need to assess the extent of the breach, restore systems, and enhance security measures. Communication with affected dealerships is equally important. Dealers need transparency about the situation, timelines for resolution, and guidance on how to navigate the outage.

Read more »
Malicious Campaign
CISA Credential Theft Data Breach Data Leak Malicious Campaign

Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data

 

Ticketmaster and other organisations' Snowflake accounts were said to have been accessed by a ShinyHunters hacker via a breach of software engineering firm EPAM Systems, validating a Mandiant report attributing some of the intrusions to third-party contractor hacks, Wired reported. 

According to the hacker, information-stealing malware and a remote access trojan deployed against one of EPAM Systems' Ukraine-based employees allowed ShinyHunters to gain access to unencrypted credentials used by the employee to access the firm's customers' Snowflake accounts, which were then used to infiltrate the Snowflake accounts, including the one owned by Ticketmaster. 

EPAM ruled out the ShinyHunters hacker's claims, but independent security researcher "Reddington" discovered an infostealer-harvested data repository online, including the internal EPAM URL to Ticketmaster's Snowflake account and the credentials employed by the EPAM worker to access Ticketmaster's account. 

"This means that anyone that knew the correct URL to [Ticketmaster’s] Snowflake could have simply looked up the password, logged in, and stolen the data" noted Reddington. 

In the hacking campaign targeting Snowflake's clients, nearly 165 customer accounts were potentially compromised, but only a few of these have been identified thus far. In addition to Ticketmaster, the banking corporation Santander has recognised that their data was stolen but has neglected to name the account from which it was taken. 

However, a local media outlet has confirmed that it was a Snowflake account; the stolen data included bank account information for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about employees, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also confirmed that they could possibly be victims of this campaign. 

In a notice published earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged that organisations follow Snowflake's recommendations to look for signals of odd behaviour and take precautions to prevent unauthorised access. A similar advice issued by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned of "successful compromises of several companies using Snowflake environments.”
Read more »
White House
CISA Cyber Security data security Google Mandiant Mandiant Threat Intelligence ransomware attacks Social Engineering White House

Rising Ransomware Attacks Highlight Persistent Cybersecurity Challenges

 


Despite global law enforcement efforts and heightened attention from the White House, ransomware incidents continue to rise unabated, according to a new report from cybersecurity firm Mandiant. Researchers at the Google-owned company identified 50 new ransomware variants in 2023, with about a third branching off existing malware. This underscores the pervasive nature of the problem and the challenges in curbing cyber extortion. 

In 2023 alone, cybercriminals amassed over $1 billion from victim ransom payments, highlighting the lucrative nature of these attacks. The healthcare sector has been particularly hard-hit, with hospitals experiencing significant disruptions. The report noted that Ascension, one of the nation's largest healthcare systems with 140 hospitals across 19 states, was recently impacted by the Black Basta ransomware variant. The ongoing outage is raising concerns about patient safety and the potential risk to lives. Mandiant's findings align with a recent White House report on national cybersecurity, which also noted an increase in ransomware attacks. 

However, one significant issue is that reporting ransomware incidents is largely voluntary. This means assessments of ransomware prevalence often rely on data from cybersecurity companies, whose understanding is based on their customer base and the cybercriminal communities they monitor. To address this, the Cybersecurity and Infrastructure Security Agency (CISA) is finalizing a mandate requiring critical infrastructure owners and operators to report ransomware payments within 24 hours. This mandate aims to provide a more comprehensive view of ransomware activity and enhance response efforts. 

Mandiant's assessment highlights a 75% year-over-year increase in posts on data leak sites, which extortionists use to pressure companies into paying ransoms. The firm noted that 2023 saw the highest number of data-leak site posts since tracking began in 2020. Additionally, there was a 20% increase in the number of investigations led by Mandiant, indicating a significant rise in ransomware activities. The most prolific ransomware variants observed were ALPHV and LOCKBIT, each accounting for 17% of all activity. The surge in ransomware attacks in 2023 followed a slight dip in extortion activities in the previous year. Mandiant researchers suggested that the dip in 2022 might have been an anomaly caused by external factors such as the Russian invasion of Ukraine or the leaked Conti chats, which may have temporarily disrupted cybercriminal operations. 

As law enforcement agencies continue to conduct global operations against ransomware gangs, the evolving tactics and persistent nature of these cybercriminals highlight the need for continuous vigilance and enhanced cybersecurity measures. The collaboration between government agencies, cybersecurity firms, and critical infrastructure operators is crucial in building a robust defense against the relentless threat of ransomware.
Read more »
Remote Access Software
Black Basta CISA FBI RaaS Ransomware Remote Access Software

New Ransomware Threat Hits Hundreds of Organisations Worldwide

 


In a recent joint report by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), a new ransomware gang named Black Basta has been identified as breaching over 500 organisations globally between April 2022 and May 2024. This group has targeted various sectors, including healthcare, spanning across North America, Europe, and Australia.

Black Basta, coming through as a Ransomware-as-a-Service (RaaS) operation in April 2022, has quickly gained notoriety by attacking numerous high-profile victims such as Rheinmetall, Hyundai, Capita, and the American Dental Association, among others. Believed to have connections to the former Conti cybercrime syndicate, Black Basta operates with sophistication and a steady stream of initial access to its targets.

One of the key tactics employed by Black Basta involves stealing corporate data before encrypting a company's devices. This stolen data is then used in double-extortion attacks, where victims have demanded a ransom to prevent the publishing of their sensitive information. The gang's data leak site, 'Black Basta Blog' or 'Basta News,' lists victims and progressively releases data to pressure them into paying the ransom.

Technical analysis reveals that Black Basta utilises the ChaCha20 encryption algorithm to encrypt files, rendering them inaccessible without the decryption key. Victims are left with a custom extension appended to their encrypted files (.basta), along with a ransom note providing instructions on how to negotiate with the threat actors.

Responding to this spreading threat, federal agencies advise organisations to maintain up-to-date operating systems, employ phishing-resistant Multi-Factor Authentication (MFA), and train users to identify and report phishing attempts. Moreover, securing remote access software and implementing recommended mitigations are essential steps in blocking the risks posed by Black Basta and similar ransomware attacks.

Healthcare organisations are particularly vulnerable, given their size, technological reliance, and access to sensitive patient information. CISA and the FBI have suggested adhering to the StopRansomware Guide in order to dodge potential attacks in the healthcare sector.

Recent incidents, including an attack on healthcare giant Ascension, accentuate the urgency of addressing the threat posed by Black Basta. With the gang's ability to readily expand its victim pool and employ coercive tactics, organisations must remain particularly careful and implement robust cybersecurity measures to mitigate the risk of falling victim to ransomware attacks.

Considering the course of events, cybersecurity experts emphasise the importance of ardent measures, including regular backups, system updates, and employee training, to strengthen defences against ransomware threats like Black Basta. This calls for collective efforts to combat the growing menace of ransomware and protect critical infrastructure from malicious actors.


Read more »
Vulnerabilties and Exploits
CISA Company Security FBI Path Traversal Vulnerabilties and Exploits

CISA Ask Companies to Fix Path Traversal Vulnerabilities


CISA and FBI urge companies to take patch actions 

CISA and the FBI recommended software companies today to assess their products and fix route traversal security flaws before selling.

Attackers can leverage path traversal vulnerabilities (also known as directory traversal) to create or overwrite important files used to execute malware or circumvent security systems such as authentication. 

“Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog,” says the CISA and FBI joint report.

Impact of these security loops

Such security holes can also allow threat actors to acquire sensitive data, such as credentials, which can then be used to brute-force existing accounts and compromise the targeted systems.

Another option is to disable or limit access to vulnerable systems by overwriting, destroying, or altering critical authentication files (which would lock out all users).

CISA and the FBI propose that software buyers ask vendors if they completed formal directory traversal testing. 

To eliminate this type of problem from all goods, manufacturers should ensure that their software developers immediately install the necessary mitigations. Integrating security into products from the start can eliminate directory traversal issues.

About directory traversal vulnerabilities

Directory traversal vulnerabilities occur when users manipulate inputs, such as file paths, to gain unauthorized access to application files and directories. Malicious cyber actors can use these exploits to access restricted directories and read, change, or write arbitrary files, which can have adverse effects.

How Can Software Vendors Avoid Directory Traversal Risks?

To minimize directory traversal vulnerabilities in software products, developers should apply proven mitigations such as:

  • Use random identification and store metadata independently (e.g., in a database) instead of relying on user input for a file name.
  • If the previous strategy is not followed, restrict file names to alphanumeric characters. Please ensure that submitted files do not have executable permissions.

Path vulnerabilities ranked eighth on MITRE's list of the 25 dangerous software issues, trailing only out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.

In March, CISA and the FBI released another "Secure by Design" alert, advising executives of software manufacturing companies to develop mitigations to prevent SQL injection (SQLi) security risks.

SQLi vulnerabilities were listed third among MITRE's top 25 most hazardous software vulnerabilities between 2021 and 2022, trailing only out-of-bounds writes and cross-site scripting.

Read more »
Vulnerabilties and Exploits
CISA Google Software Providers SQL Injection Vulnerabilties and Exploits

Protecting Users Against Bugs: Software Providers' Scalable Attempts

Protecting Users Against Bugs

Ransomware assaults, such as the one on Change Healthcare, continue to create serious disruptions. However, they are not inevitable. Software developers can create products that are immune to the most frequent types of cyberattacks used by ransomware gangs. This blog discusses what can be done and encourages customers to demand that software companies take action.

Millions of Americans recently experienced prescription medicine delays or were forced to pay full price as a result of a ransomware assault. While the United States has begun to make headway in reacting to cyberattacks, including the passage of incident reporting requirements into law, it is apparent that much more work remains to be done to combat the ransomware epidemic. 

Ransomware gangs flourish because they usually attack genuinely easy weaknesses in software that serve as the basis for critical operations and services.

Providing scalable solutions: Company duty

Business leaders of software manufacturers hold the key: They can build products that are resilient against the most common classes of cyberattacks by ransomware gangs.

The security community has known how to eliminate classes of vulnerabilities across software for decades. What is needed is not perfectly secure software but “secure enough” software, which software manufacturers are capable of creating.n exploit remarkably simple vulnerabilities in software that is the foundation for the essential processes and services.

Systemic classes of defects like SQL injection or insecure default configurations, such as a lack of multi-factor authentication by default or hardcoded default passwords, enable the vast majority of ransomware attacks and are preventable at scale.

The expense of preventing some types of vulnerabilities during the design stage is substantially less than dealing with the complex aftermath of a breach. 

According to a recent Google study, it has nearly eliminated many common types of vulnerabilities in its products, such as SQL injection and cross-site scripting. Furthermore, Google claims that such tactics were cost-effective and, in some cases, saved money ultimately as a result of having to worry about bugs.

Fighting lack of action

Inaction is exactly what has occurred in the software business. The Biden administration's National Cybersecurity Strategy asks for a shift in this direction, with software manufacturers accepting responsibility for product security from the start.

For example, whereas conventional vulnerability assessment approaches urge a sequential approach to identifying and patching vulnerabilities one by one, the agency's SQL injection alert promotes software manufacturers' executives to lead codebase reviews and eliminate all potentially unsafe functions to prevent SQL injection at the source.

How to identify bugs

Software vendors may assess vulnerability classes on two levels: impact, or the degree of damage that can be done by that class of vulnerability, and the cost of avoiding that flaw at scale.

SQL injection vulnerabilities are likely to be high in impact but inexpensive in cost to eliminate, whereas memory-safety issues have extremely high impact but need large investments to rewrite codebases systematically. Businesses can create a priority list of the most cost-effective tasks for fixing specific types of flaws in their products.

Customer's role: What can you do?

Companies should ask how their vendors attempt to remove entire classes of threats, such as implementing phishing-resistant multi-factor authentication and developing a memory-safe plan to address the most prevalent type of software vulnerability.

It is feasible that future ransomware assaults may be far more difficult to carry out. It's high time for software businesses to make this possibility a reality and safeguard Americans by including security from the beginning. Customers should insist that they do this.
Read more »
ransomware attacks
CDR CISA Cyber Attacks Cyber Defenses cybercriminals EDR endpoint detection and response LockBit Malicious Software Open Source Software ransomware attacks

The Rise of Weaponized Software: How Cyber Attackers Outsmart Traditional Defenses

 

As businesses navigate the digital landscape, the threat of ransomware looms larger than ever before. Each day brings new innovations in cybercriminal techniques, challenging traditional defense strategies and posing significant risks to organizations worldwide. Ransomware attacks have become increasingly pervasive, with 66% of companies falling victim in 2023 alone, and this number is expected to rise. In response, it has become imperative for businesses to reassess their security measures, particularly in the realm of identity security, to effectively combat attackers' evolving tactics.
 
Ransomware has evolved beyond merely infecting computers with sophisticated malicious software. Cybercriminals have now begun exploiting legitimate software used by organizations to conduct malicious activities and steal identities, all without creating custom malware. One prevalent method involves capitalizing on vulnerabilities in Open Source Software (OSS), seamlessly integrating malicious elements into OSS frameworks. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about this growing trend, citing examples like the Lockbit operation, where cyber attackers leverage legitimate, free software for nefarious purposes. Conventional endpoint security solutions often lack the necessary behavior analytics capabilities to detect subtle indicators of compromise. 

As a result, attackers can exploit tools already employed by organizations to acquire admin privileges more easily while evading detection. This underscores the need for organizations to stay abreast of evolving techniques and adapt their defense strategies accordingly. Throughout the ransomware attack lifecycle, cybercriminals employ a variety of tactics to advance their missions. 

From initial infection to data exfiltration, each stage presents unique challenges and opportunities for attackers. For example, attackers may exploit vulnerabilities, manipulate cookies, or employ phishing emails to gain initial access. Once inside a network, they utilize legitimate software for persistence, privilege escalation, lateral movement, encryption, and data exfiltration. 

One critical aspect of mitigating the risk posed by ransomware is embracing an identity-centric defense-in-depth approach. This approach places emphasis on important security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR), email security, and patch management. By prioritizing least privilege and behavior analytics, organizations can strengthen their defenses and mitigate the risk of falling victim to ransomware attacks. 

As ransomware attacks continue to evolve and proliferate, organizations must prioritize identity security and adopt a proactive approach to defense. By recognizing and addressing the tactics employed throughout the ransomware attack lifecycle, businesses can bolster their defenses, enhance identity security, and safeguard against the ever-evolving threat of ransomware.
Read more »
mitigate risks
agencies CISA Cyber Security Cybersecurity emergency directive Microsoft hack mitigate risks

CISA Directs Affected Agencies to Mitigate Risks Arising from Microsoft Breach

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new emergency directive aimed at U.S. federal agencies in response to the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group.

The directive, known as Emergency Directive 24-02, was issued on April 2 to Federal Civilian Executive Branch (FCEB) agencies. It mandates these agencies to conduct investigations into potentially affected emails, reset any compromised credentials, and implement measures to secure privileged Microsoft Azure accounts.

According to CISA, operatives from the Russian Foreign Intelligence Service (SVR) are now utilizing information pilfered from Microsoft's corporate email systems to gain unauthorized access to certain customer systems. CISA Director Jen Easterly emphasized the urgent need for action to mitigate risks to federal systems, highlighting the longstanding pattern of malicious cyber activity associated with Russia.

Microsoft, in conjunction with the U.S. cybersecurity agency, has notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by the Russian hackers.

This emergency directive marks the first official confirmation by the U.S. government that federal agency emails were compromised in the January Microsoft Exchange breaches. Affected agencies are instructed to assess the entirety of their correspondence with compromised Microsoft accounts and conduct a cybersecurity impact analysis by April 30, 2024.

Agencies detecting signs of authentication compromises are required to take immediate remedial action, including resetting compromised credentials and reviewing account activity logs for potential malicious activity.

While the requirements of Emergency Directive 24-02 specifically target FCEB agencies, the implications of the exfiltration of Microsoft corporate accounts extend to other organizations. These organizations are encouraged to seek guidance from their respective Microsoft account teams and bolster their security measures, including the use of strong passwords, multifactor authentication, and secure communication practices.

The APT29 hacking group, also known as Midnight Blizzard and NOBELIUM, gained access to Microsoft's corporate email servers in January through a password spray attack targeting a legacy non-production test tenant account lacking multifactor authentication. Subsequently, the attackers exploited an OAuth application with elevated access to steal data from corporate mailboxes belonging to Microsoft leadership and personnel in cybersecurity and legal departments.

APT29 previously made headlines for its involvement in the 2020 SolarWinds supply chain attack, which compromised several U.S. federal agencies and numerous companies, including Microsoft. In June 2021, the group breached another Microsoft corporate account, granting access to customer support tools.
Read more »
Vulnerabilities and Exploits
CISA cyber threat DLL hijacking North Korea North Korea Hackers Security Breach Vulnerabilities and Exploits

Navigating the Complex Landscape of Cyber Threats: Insights from the Sisense Breach and North Korean Tactics

 

In the intricate tapestry of cybersecurity, recent events have thrust vulnerabilities and threats into the spotlight once again. The breach of data analytics powerhouse Sisense, coupled with the emergence of novel sub-techniques utilized by North Korean threat actors, underscores the dynamic and relentless nature of cyber warfare. Let's delve deeper into these incidents and glean valuable insights for bolstering our defenses against evolving cyber threats. 

Sisense, a formidable player in the realm of business intelligence software, recently found itself ensnared in a security breach that rippled through critical infrastructure organizations. With offices sprawled across strategic locations such as New York City, London, and Tel Aviv, and a prestigious clientele including Nasdaq, ZoomInfo, Verizon, and Air Canada, Sisense's allure to cyber adversaries is palpable. 

The breach, currently under scrutiny by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the precarious balance between innovation and security in today's digital landscape. At the heart of the Sisense breach lie two sub-techniques that have become favoured tools in the arsenal of North Korean threat actors. The first involves the manipulation of Transparency, Consent, and Control (TCC), a foundational security protocol governing application permissions on Apple's macOS. 

Despite the robustness of security measures such as Full Disk Access (FDA) and System Integrity Protection (SIP), attackers have exhibited a remarkable ability to circumvent these controls, gaining unfettered access to macOS environments. This tactic underscores the imperative of continuous monitoring and adaptive security strategies to thwart the nefarious designs of cyber adversaries. 

The second sub-technique, colloquially known as "phantom" Dynamic Link Library (DLL) hijacking, sets its sights on Windows environments, leveraging nonexistent DLL files referenced by the operating system. By capitalizing on this loophole, threat actors such as the Lazarus Group and APT 41 can inject malicious code undetected, posing a grave threat to system integrity. 

The clandestine nature of this tactic exemplifies the ingenuity and adaptability of cyber adversaries in navigating the labyrinthine landscape of cybersecurity defenses. Mitigating these sophisticated threats necessitates a multifaceted approach that encompasses both technical fortifications and user awareness initiatives. For macOS users, safeguarding the integrity of System Integrity Protection (SIP) and exercising caution with app permissions are imperative steps in mitigating the risk of TCC manipulation. 

In Windows environments, proactive monitoring, robust application controls, and preemptive measures to block remote DLL loading are indispensable in thwarting phantom DLL attacks. Moreover, fostering a culture of collaboration and information sharing between industry stakeholders and government agencies is paramount in confronting the ever-evolving threat landscape. 

By pooling resources, sharing threat intelligence, and adopting a unified front against cyber adversaries, organizations can amplify their collective resilience and fortify their defenses against emerging threats. 

In conclusion, the Sisense breach and the intricate tactics employed by North Korean threat actors serve as poignant reminders of the relentless onslaught of cyber threats. By remaining vigilant, proactive, and collaborative, organizations can navigate the turbulent waters of cybersecurity with resilience and fortitude, safeguarding their digital assets and preserving the integrity of our interconnected world.
Read more »
US Cybersecurity
Breach CISA critical infrastructure risk Cyber Security Data Analytics Information Security supply chain attacks US Cybersecurity

CISA Investigates Sisense Breach: Critical Infrastructure at Risk

 

In the fast-paced landscape of cybersecurity, recent events have once again brought to light the vulnerabilities that critical infrastructure organizations face. The breach of data analytics company Sisense, under investigation by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the importance of robust security measures in protecting sensitive data and systems. 

Sisense, a prominent American business intelligence software company, found itself at the center of a security incident impacting not only its own operations but also critical infrastructure sector organizations across the United States. 

With offices in New York City, London, and Tel Aviv, and a clientele including major players like Nasdaq, ZoomInfo, Verizon, and Air Canada, the breach sent shockwaves through the cybersecurity community. CISA's involvement underscores the severity of the situation, with the agency actively collaborating with private industry partners to assess the extent of the breach and its implications for critical infrastructure. 

As investigations unfold, the focus is on understanding the nature of the compromise and mitigating potential risks to affected organizations. In response to the breach, CISA has issued recommendations for all Sisense customers to reset any credentials and secrets that may have been exposed or used to access the company's platform and services.

This proactive measure aims to prevent further unauthorized access and protect sensitive information from exploitation. Sisense's Chief Information Security Officer, Sangram Dash, echoed CISA's advice in a message to customers, emphasizing the importance of promptly rotating credentials used within the Sisense application. This precautionary step aligns with best practices in cybersecurity, where rapid response and mitigation are essential to minimizing the impact of security incidents. 

Additionally, customers are urged to report any suspicious activity related to potentially exposed credentials or unauthorized access to Sisense services to CISA. This collaborative approach between organizations and government agencies is crucial in addressing cybersecurity threats effectively and safeguarding critical infrastructure from harm. The incident involving Sisense is not an isolated event. 

Similar supply chain attacks have targeted critical infrastructure organizations in the past, highlighting the need for heightened vigilance and resilience in the face of evolving cyber threats. One such attack, involving the 3CX breach a year ago, had far-reaching consequences, impacting power suppliers responsible for generating and distributing energy across the grid in the United States and Europe. 

As organizations grapple with the aftermath of the Sisense breach, lessons learned from this incident can inform future cybersecurity strategies. Proactive measures such as continuous monitoring, regular security assessments, and robust incident response plans are essential for mitigating risks and protecting critical infrastructure assets. 

The Sisense breach serves as a wake-up call for the cybersecurity community, emphasizing the interconnected nature of cyber threats and the imperative of collaboration in defending against them. By working together and adopting a proactive stance, organizations can bolster their defenses and safeguard critical infrastructure from cyber adversaries.
Read more »
VPN
2024 cyber crimes CISA Cyber crimes cybersecurity advisory Cybersecurity Experts Data Breach Data protection FBI IMF VPN

Rising Cybercrime Threats and Prevention Measures Ahead of 2024

 

According to projections from Statista, the FBI, and the IMF, the global cost of cybercrime is anticipated to experience a substantial increase. By 2027, it is estimated to surge to $23.84 trillion, marking a significant rise from the $8.44 trillion reported in 2022. 

Security expert James Milin-Ashmore, from Independent Advisor VPN, has provided a comprehensive list of 10 crucial guidelines aimed at enhancing digital safety by avoiding sharing sensitive information online. 

These guidelines serve as proactive measures to combat the rising threat of cybercrime and safeguard personal and confidential data from potential exploitation. 

1. Avoid Sharing Your Phone Number on Random Sites 

Sharing your phone number online can expose you to a range of security risks, warns an expert. Cybercriminals could exploit this information to gather personal details, increasing the likelihood of identity theft and other malicious scams: 

  • Subscriber Fraud: Scammers set up fake cell phone accounts with stolen info. 
  • Smishing: Fraudsters send text messages to trick victims into revealing data or visiting harmful sites.
  • Fake Call Frauds: Scammers pose as legitimate entities to extract sensitive information. 
  • Identity Theft: Phone numbers are exploited to commit financial fraud and impersonate individuals. 

2. Do Not Update Your Current Location 

It is not new or unknown that people share their current locations on social media handles however, experts caution against sharing personal addresses or current locations online, citing heightened risks of theft, stalking, and malicious online activity. 

Such information can be exploited to tailor phishing attempts, rendering them more convincing and increasing the likelihood of falling victim to scams. 

3. Do Not Post Your Holiday Plans 

As the holiday season approaches, many individuals may feel inclined to share their vacation plans on social media platforms. However, security experts are warning against this seemingly innocent practice, pointing out the potential risks associated with broadcasting one's absence from home. 

Announcing your vacation on social media not only informs friends and family of your whereabouts but also alerts criminals that your residence will be unoccupied. This information could make your home a target for burglary or other criminal activities. 

4. Do Not Take Risks of Sharing Password Online 

Passwords serve as the primary defense mechanism for safeguarding online accounts, making them crucial components of digital security. However, security expert emphasizes the importance of protecting passwords and refraining from sharing them online under any circumstances. Sharing passwords, regardless of the requester's identity, poses a significant risk to online security. 

Unauthorized access to sensitive accounts can lead to various forms of cybercrime, including identity theft, financial fraud, and data breaches. 

 5. Protect Your Financial and Employment Information 

Experts caution against sharing sensitive financial or employment details online, highlighting the potential risks associated with divulging such information. Financial details, including credit card numbers and bank account details, are highly sought after by online fraudsters. Similarly, sharing employment information can inadvertently provide criminals with valuable data for social engineering scams. 

 6. Protect Your ID Documentation 

Expert urges individuals to refrain from posting images of essential identification documents such as passports, birth certificates, or driver's licenses online. These documents contain sensitive information that could be exploited by identity thieves for various criminal activities, including opening unauthorized bank accounts or applying for credit cards. 

7. Stop Sharing Names of Your Loved Ones/Family/Pets 

Security experts advise against sharing personal details such as the names of loved ones or pets online. Hackers frequently attempt to exploit these details when guessing passwords or answering security questions. 

 8. Protect Your Medical Privacy 

Your medical history is a confidential matter and should be treated as such, caution experts. Sharing details about the hospitals or medical facilities you visit can inadvertently lead to a data breach, exposing personal information such as your name and address. 

 9. Protect Your Child's Privacy 

Expert warns against sharing information about your child's school online, as it can potentially put them at risk from online predators and expose them to identity theft. 

 10. Protect Your Ticket Information 

Expert advises against sharing pictures or details of tickets for concerts, events, or travel online. Scammers can exploit this information to impersonate legitimate representatives and deceive you into disclosing additional personal data. 

Furthermore, in 2023, the Internet Crime Complaint Center (IC3) reported a staggering surge in complaints from the American public. A total of 880,418 complaints were filed, marking a significant uptick of nearly 10% compared to the previous year. 

These complaints reflected potential losses exceeding $12.5 billion, representing a substantial increase of 22% in losses suffered compared to 2022. Also, according to the Forbes Advisors, Ransomware, Misconfigurations and Unpatched Systems, Credential Stuffing, and Social Engineering will be the most common threats in 2024.
Read more »
Threat Landscape
CISA Cyber Attacks LOTL Attacks Sophisticated Assaults Threat Landscape

Living-Off-the-Land (LOTL) Attacks: Here's Everything You Need to Know

 

In the unrelenting fight of cybersecurity, cyberattacks continue to become more elusive and sophisticated. Among these, threat actors who use Living Off the Land (LOTL) strategies have emerged as strong adversaries, exploiting legitimate system features and functionalities to stealthily compromise networks. 

As defenders deal with this stealthy threat, a new study from the Cybersecurity and Infrastructure Security Agency (CISA) sheds light on the tactics, methods, and procedures (TTPs) used by attackers and provides critical insights into recognising and combating LOTL attacks. LOTL attacks use pre-existing software and legitimate system tools to carry out malicious actions, allowing attackers to go undetected amid the chaos of network traffic. 

Rather than creating proprietary malware or tools, attackers take advantage of built-in programmes such as PowerShell, which has been accessible on all Windows operating systems since November 2006. 

Benefits of leveraging existing tools in cyber attacks 

The appeal of employing existing technologies stems from their widespread availability and familiarity inside enterprise environments. These tools enable simple access to both local and domain-based setups, allowing attackers to automate administrative activities and execute commands with ease. By using these tools, attackers avoid the time-consuming process of developing, testing, and distributing specialised tools, saving both time and resources. 

Furthermore, the intrinsic complexity of developing and distributing tooling across numerous operating systems and environments presents a significant challenge for cybercriminals. By leveraging existing tools, attackers avoid the need to address compatibility issues, dependencies, and potential detection systems. This method significantly lowers the chance of discovery because built-in tools blend smoothly into regular system activity, making it difficult for defenders to distinguish between authorised and malicious use. 

Prevention tips

It is impossible to overestimate the importance of mitigating LOTL tactics in light of the latest Volt Typhoon study published by CISA. Defenders need to be proactive and alert as cyber attackers continue to hone their strategies and identify vulnerabilities in organisational defences. 

Organisations can fortify their defences and mitigate the risks posed by LOTL attacks by utilising the insights in the research and implementing a defence-in-depth security strategy. Here's how organisations can successfully defend against LOTL attacks. 

Visibility is critical: relying just on preventative technology is insufficient to combat attackers that use authorised tools. Visibility into all operations throughout the entire infrastructure is required to detect and mitigate such risks. 

Identifying authorised users: Determine who should be utilising tools that can be used to launch LOTL attacks, such as scripting languages or administrative tools. 

Enable comprehensive logging: Use granular logging to monitor LOTL tool usage. For example, enabling enhanced logging for PowerShell scripting yields useful information.
Read more »
Vulnerabilites and Exploits
Apple CISA iOS iPad Vulnerabilites and Exploits

Apple iOS and iPadOS Memory Corruption Vulnerabilities: A Critical Alert


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) raised the alarm by adding two such vulnerabilities in Apple’s iOS and iPad to its Known Exploited Vulnerabilities catalog. These vulnerabilities are actively exploited, posing significant risks to users’ privacy, data, and device security.

The Vulnerabilities

CVE-2024-23225: This vulnerability targets the kernel of both Apple iOS and iPadOS. A flaw in memory handling allows malicious actors to corrupt critical system memory, potentially leading to unauthorized access, privilege escalation, or even remote code execution. Exploiting this vulnerability can have severe consequences, compromising the integrity of the entire operating system.

CVE-2024-23296: Another memory corruption vulnerability affecting Apple iOS and iPadOS, CVE-2024-23296, has also been identified. While specific technical details are not publicly disclosed, it is evident that attackers are leveraging this flaw to gain unauthorized access to sensitive data or execute arbitrary code on affected devices.

The Impact

These vulnerabilities are not merely theoretical concerns; they are actively being exploited in the wild. Cybercriminals are capitalizing on them to compromise iPhones and iPads, potentially gaining access to personal information, financial data, and corporate secrets. The impact extends beyond individual users to organizations, government agencies, and enterprises relying on Apple devices for daily operations.

Immediate Action Required

CISA’s Binding Operational Directive (BOD) 22-01 specifically targets Federal Civilian Executive Branch (FCEB) agencies, urging them to take immediate action to remediate these vulnerabilities. However, the urgency extends beyond the federal sector. All organizations, regardless of their affiliation, should prioritize the following steps:

Patch Management: Ensure that all iOS and iPadOS devices are updated to the latest available versions. Apple has released security patches addressing these vulnerabilities, and users must apply them promptly.

Security Awareness: Educate users about the risks associated with memory corruption vulnerabilities. Encourage them to be cautious while clicking on suspicious links, downloading unverified apps, or interacting with unfamiliar content.

Monitoring and Detection: Implement robust monitoring mechanisms to detect any signs of exploitation. Anomalies in system behavior, unexpected crashes, or unusual network traffic patterns may indicate an active attack.

Incident Response: Develop and test incident response plans. In case of successful exploitation, organizations should be prepared to isolate affected devices, investigate the breach, and remediate the impact swiftly.

Beyond the Technical Realm

The addition of Apple iOS and iPadOS memory corruption vulnerabilities to CISA’s Known Exploited Vulnerabilities catalog serves as a wake-up call. It reminds us that threats are real, and proactive measures are essential to protect our devices, data, and digital lives.

Read more »
Ransomware
CISA Cyber Security Cyberalert Cyberattacks CyberCrime Ransomware

CISA's Proactive Measures averted Ransomware, Millions Preserved

 


The threat of ransomware attacks has increased in recent years, causing significant disruptions across a wide range of industries across the country, causing significant disruptions. Various industries have been affected by these attacks, with schools closing, hospitals diverting patients, and businesses going through operational changes. 

It has never been more pressing for a robust defence mechanism to be in place because mitigation and recovery costs have been astronomical. It is the mission of the Cybersecurity and Infrastructure Security Agency (CISA) to combat this menace in a concerted manner. 

As a result of its collaboration with various stakeholders, CISA is committed to reducing both ransomware attack frequencies and severity. As a part of this initiative, organizations are also launching several programs designed to help them swiftly address the vulnerabilities that are frequently exploited by ransomware attackers to avoid them being compromised. 

To further the anti-ransomware campaign, CISA has announced the Pre-Ransomware Notification Initiative as a significant step forward. It is part of the interagency Joint Ransomware Task Force's efforts to mitigate ransomware damage, which are already making significant headway in mitigating ransomware damage. Using tips from cybersecurity researchers, infrastructure providers, and threat intelligence firms, CISA's Joint Cyber Defense Collaborative notifies victims of early-stage ransomware activity to prevent victims from becoming victims being damaged. 

A major increase in notifications of potential pre-ransomware intrusions was carried out by the federal cyber authorities during the first quarter of 2023 across multiple critical infrastructure sectors across multiple different sectors. The notification activity continued to be substantially ramped up during the remainder of the year.  CISA does not stop at alerts when it comes to ransomware. 

In February, CISA assisted a Fortune 500 company that had been hit with a $60 million ransomware attack to establish a CISO position, as well as identify areas for improving its IT infrastructure and security controls. Additionally, the agency said it assisted a mass transit operator in preventing an attack of $350 million on critical infrastructure of the transit system. 

It was announced by CISA that its rundown of accomplishments in 2023 was quite impressive, including the fact that over 1,700 alerts were sent out for its ransomware vulnerability warning program and that nearly 7,000 organizations that are vital to global trade and commerce were scanned for vulnerabilities. This initiative has been a very successful one with the support of the Joint Cyber Defense Collaborative (JCDC), which has played a central role in ensuring the success of the project. 

Several cybersecurity researchers, infrastructure providers, and threat intelligence companies provide information to the JCDC on the earliest signs of ransomware activity that should be kept an eye on by the JCDC. A field representative will respond immediately to a tip and address the mitigation needs of the affected organization. 

The CISA global CERT partners will work closely with CISA to ensure timely notification is achieved when a case involves an international component. There have been over 60 entities in critical sectors such as energy, healthcare, water/wastewater, and education that have been notified by CISA of potential pre-ransomware intrusions that have been detected since the beginning of 2023. 

The majority of companies managed to identify and remediate these intrusions promptly, stopping further damage from occurring. As a result, the JCDC works closely with the affected entities when the encryption of data has already occurred, giving them insight into the new threat actors' tactics, procedures, and techniques (TTPs) and providing guidance on how to mitigate the vulnerability. 

Additionally, the development of advisories on ransomware actors and variants is also a contribution made to the broader cybersecurity community, providing better network defences on a wider scale by providing information on the actors and variants of the ransomware. To strengthen collective cyber defences, collaborative efforts and information sharing are essential. 

The CISA urges organizations to report any ransomware-related activities, as well as indicators of compromise and techniques for removing ransomware, to their federal law enforcement partner or CISA or their partner IT security company. It helps to immediately respond to an attack, and it also compliments the pool of intelligence available to prevent future attacks from occurring in the future.
Read more »
Technology
AI regulations Artificial Intelligence ChatGPT CISA CSA Data protection Data Safety Technology

2024 Data Dilemmas: Navigating Localization Mandates and AI Regulations

 


Data has been increasing in value for years and there have been many instances when it has been misused or stolen, so it is no surprise that regulators are increasingly focused on it. Shortly, global data regulation is likely to continue to grow, affecting nearly every industry as a result.

There is, however, a particular type of regulation affecting the payments industry, the "cash-free society," known as data localization. This type of regulation increases the costs and compliance investments related to infrastructure and compliance. 

There is a growing array of overlapping (and at times confusing) regulations on data privacy, protection, and localization emerging across a host of countries and regions around the globe, which is placing pressure on the strategy of winning through scale.

As a result of these regulations, companies are being forced to change their traditional uniform approach to data management: organizations that excelled at globalizing their operations must now think locally to remain competitive. 

As a result, their regional compliance costs increase because they have to invest time, energy, and managerial attention in understanding the unique characteristics of each regulatory jurisdiction in which they operate, resulting in higher compliance costs for their region. 

As difficult as it may sound, it is not an easy lift to cross geographical boundaries, but companies that find a way to do so will experience significant benefits — growth and increased market share — by being aware of local regulations while ensuring that their customer experiences are excellent, as well as utilizing the data sets they possess across the globe. 

Second, a trend has emerged regarding the use of data in generative artificial intelligence (GenAI) models, where the Biden administration's AI executive order, in conjunction with the EU's AI Act, is likely to have the greatest influence in the coming year.

The experts have indicated that enforcement of data protection laws will continue to be used more often in the future, affecting a wider range of companies, as well. In 2024, Troy Leach, chief strategy officer for the Cloud Security Alliance (CSA), believes that the time has come for companies to take a more analytical approach towards moving data into the cloud since they will be much more aware of where their data goes. 

The EU, Chinese, and US regulators put an exclamation point on data security regulations in 2023 with some severe fines. There were fines imposed by the Irish Data Protection Commission on Meta, the company behind Facebook, in May for violating localization regulations by transferring personal data about European users to the United States in violation of localization regulations. 

For violating Chinese privacy and data security regulations, Didi Global was fined over 8 billion yuan ($1.2 billion) in July by Chinese authorities for violating the country's privacy and data security laws. As Raghvendra Singh, the head of Tata Consultancy Services' cybersecurity arm, TCS Cybersecurity, points out, the regulatory landscape is becoming more complex, especially as the age of cloud computing grows. He believes that most governments across the world are either currently defining their data privacy and protection policies or are going to the next level if they have already done so," he states.

Within a country, data localization provisions restrict how data is stored, processed, and/or transferred. Generally, the restriction on storage and processing data is absolute, and a company is required to store and process data locally. 

However, transfer restrictions tend to be conditional. These laws are usually based on the belief that data cannot be transferred outside the borders of the country unless certain conditions are met. However, at their most extreme, data localization provisions may require very strict data processing, storing, and accessing procedures only to be performed within a country where data itself cannot be exported. 

Data storage, processing, and/or transfers within a company must be done locally. However, this mandate conflicts with the underlying architecture of the Internet, where caching and load balancing are often system-independent and are often borderless. This is especially problematic for those who are in the payments industry. 

After all, any single transaction involves multiple parties, involving data moving in different directions, often from one country to another (for instance, a U.S. MasterCard holder who pays for her hotel stay in Beijing with her American MasterCard). 

Business is growing worldwide and moving towards centralizing data and related systems, so the restriction of data localization requires investments in local infrastructure to provide storage and processing solutions. 

The operating architecture of businesses, business plans, and hopes for future expansion can be disrupted or made more difficult and expensive, or at least more costly, as a result of these disruptions. AI Concerns Lead to a Shift in The Landscape The technology of the cloud is responsible for the localization of data, however, what will have a major impact on businesses and how they handle data in the coming year is the fast adoption of artificial intelligence services and the government's attempts to regulate the introduction of this new technology. 

Leach believes that as companies become more concerned about being left behind in the innovation landscape, they may not perform sufficient due diligence, which may lead to failure. The GenAI model is a technology that organizations can use to protect their data, using a private instance within the cloud, he adds, but the data in the cloud will remain encrypted, he adds.
Read more »
Zeppelin2
CISA cybersecurity advisory Dark Web FBI malware Online Security Ransomware Threat Zeppelin2

Zeppelin2 Ransomware: An Emerging Menace in the Dark Web Ecosystem

 

In a recent update from an underground online forum, a user is actively promoting the sale of Zeppelin2 ransomware, providing both its source code and a cracked version of its builder tool. This malicious software, known for its destructive capabilities, has garnered the attention of cybersecurity experts and law enforcement agencies globally.

The forum post asserts that the user successfully breached the security measures of the Zeppelin2 builder tool, originally designed for data encryption. The post includes screenshots of the source code, shedding light on the intricate details of the build process and revealing that the ransomware is programmed in Delphi.

The Zeppelin2 ransomware builder tool, being promoted by the threat actor, showcases various features, such as file settings, ransom notes, IP logging, startup commands, task killers, and auto-unlocking busy files. The threat actor underscores the ransomware's capability to comprehensively encrypt files, rendering data recovery impossible without a unique private key held by the attackers.

Upon completing the encryption process, victims are presented with a ransom note declaring the encryption of all their files. The note instructs victims to contact the attackers via email and offers a method for testing the legitimacy of the decryptor by sending a non-valuable file.

Reports indicate that Zeppelin2 ransomware demands ransom payments in Bitcoin, with extortion amounts ranging from several thousand dollars to over a million dollars. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory to address the Zeppelin2 threat.

Zeppelin2, employed by threat actors since 2019 and continuing at least until June 2022, targets various sectors through its ransomware-as-a-service (RaaS) model. These sectors include defense contractors, educational institutions, manufacturers, technology companies, and notably, organizations in the healthcare and medical industries.

The ransomware's modus operandi involves exploiting vulnerabilities such as remote desktop protocol (RDP) exploitation, SonicWall firewall vulnerabilities, and phishing campaigns to gain access to victim networks. Before deploying the Zeppelin2 ransomware, threat actors meticulously map and enumerate the victim's network, identifying critical data enclaves, including cloud storage and network backups.

Consistent with ransomware groups, Zeppelin2 operators exfiltrate sensitive corporate data with the intention of making it accessible to buyers or the public if the victim resists complying with their demands.

Of significance, the FBI has observed instances where Zeppelin2 actors execute their malware multiple times within a victim's network, generating different IDs or file extensions for each attack instance, necessitating multiple unique decryption keys.
Read more »
Subscribe to: Posts (Atom)