
DIHK Suffers Cyberattacks, Shuts Down IT Systems


About the DIHK Attack

The Association of German Chambers of Industry and Commerce (DIHK) was compelled to shut down all of its IT systems, including digital services, telephones and e-mail servers, as a countermeasure to a cyberattack.

DIHK is an association of 79 chambers representing businesses across Germany, with more than 3 million members ranging from small shops to large enterprises.

The organisation handles legal representation, foreign trade promotion, consulting, regional economic development and training, and offers general support services to its members.


How did attackers breach DIHK?

A statement on the DIHK website describes the shutdown as a precautionary measure that gives IT teams time to analyse the incident and put countermeasures in place.

A few services are gradually becoming available again after thorough reviews confirm they are safe to use, but the restoration of service is not yet complete.

DIHK general manager Michael Bergmann announced the cyberattack, which occurred on Wednesday, in a LinkedIn post and described the incident as 'massive.' DIHK cannot currently say how long the emergency shutdown measures will be needed.

The attack shows hallmarks of ransomware, with systems shut down to stop malware from spreading further; however, this has not been officially confirmed.

So far, no ransomware group has claimed a successful compromise of DIHK on any of the major leak sites, though it is too soon to draw conclusions from that. The attack's impact is not confined to one region.

BleepingComputer reports: "individual divisions in North Rhine-Westphalia, Lower Saxony, Bavaria, and Mecklenburg-Western Pomerania have all confirmed facing problems. For example, the Chamber of Industry and Commerce in Köln informed the public that phone lines work to a limited extent, while its website was still offline at the time of this writing."


XFiles Malware Exploits Follina, Expands Its Attacks

What is XFiles?

The XFiles info-stealer malware has added an exploit for CVE-2022-30190, known as Follina, to deliver malicious payloads to targeted systems. A cybersecurity firm reported that the malware uses Follina to deploy the payload, run it and gain control of the targeted computer. "In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine," says BleepingComputer.

How does the Follina infection chain work?

• The malicious document, delivered by spam e-mail, contains an OLE object that points to an HTML file on an external server; the HTML carries JavaScript that triggers the Follina exploit.

• Once executed, the code retrieves a base64-encoded string containing PowerShell commands that establish persistence in the Windows Startup directory and deploy the malware.

• The second-stage module, "ChimLacUpdate.exe," contains an AES decryption key and hard-coded encrypted shellcode. An API call decrypts the shellcode and runs it within the same process.

• After infection, XFiles performs typical info-stealer activities: harvesting passwords, browsing history and cookies from web browsers, taking screenshots, targeting cryptocurrency wallets, and looking for Telegram and Discord credentials.

• The stolen data is stored locally in newly created directories before being exfiltrated via Telegram.
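The chain above gives a defender two concrete things to look for in process-creation telemetry: PowerShell launched with an encoded command, and a decoded command that touches the Startup folder. The following Python is an added example written for this page, not Cyberint's or BleepingComputer's code; the log events are constructed, and the Office-parent heuristic is an assumption about the delivery document rather than something the article states.

```python
import base64
import re

# PowerShell's encoded-command switch and its short forms (-e, -ec, -enc);
# the argument is base64 of UTF-16LE text.
ENCODED_SWITCH = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Per-user and all-users Startup folders, the persistence location named above.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\?", re.IGNORECASE)
# Heuristic (assumption, not from the article): Office apps spawning PowerShell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(command_line):
    """Return the script hidden in an -EncodedCommand argument, or None."""
    match = ENCODED_SWITCH.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return a list of finding strings for one process-creation event.

    event: dict with parent_image, image and command_line (Sysmon-style fields)."""
    findings = []
    if not event["image"].lower().endswith("powershell.exe"):
        return findings
    parent_name = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if parent_name in OFFICE_APPS:
        findings.append("powershell spawned by Office application")
    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        findings.append("encoded PowerShell command")
        if STARTUP_DIR.search(decoded):
            findings.append("decoded command references Startup folder (persistence)")
    return findings


def _encode(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not real logs: one benign admin command and
# one event shaped like the persistence step described above.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc " + _encode(
         r'Copy-Item "$env:TEMP\stage2.exe" '
         r'"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"')},
]


def scan(events):
    """Map event index -> findings for every event that produced at least one."""
    result = {}
    for index, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            result[index] = findings
    return result


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, findings)
```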

XFiles is becoming more active

• A cybersecurity agency said that XFiles has expanded by recruiting new members and launching new projects.

• One project XFiles launched earlier this year is called the 'Punisher Miner.'

• Ironically, the new mining tool is priced at $9, the same as a one-month rental of the XFiles info stealer.

CyWare Social says "it appears that the XFiles gang is expanding and becoming more prolific. The gang is recruiting talented malware authors, becoming stronger, and thus providing their users with more readymade tools that do not require experience or coding knowledge. Successful incorporation of the Follina-exploiting document increases the chances of infection and consequently increases the success rate of attacks."

US Eye Clinic Suffers Data Breach, 92,000 Patients Hit

 

Mattax Neu Prater Eye Center, a healthcare clinic based in Missouri, US, has suffered a cyberattack. The center announced the breach at the end of June, although the attack itself took place in December 2021. The center has informed US regulators that more than 92,000 individuals were affected.

“This incident has affected eye care practices across the country, and is not specific to Mattax Neu Prater. This data security incident occurred entirely within Eye Care Leaders’ network environment, and there were no other remedial actions available to Mattax Neu Prater,” the center added.

Mattax Neu Prater Eye Center is a leading provider of advanced laser vision correction such as LASIK, as well as cataract surgery and advanced-technology replacement lenses, in Springfield, Missouri, US. It provides surgical and non-surgical care and has reported that the “third-party data security incident” may have compromised sensitive patient data.

“However, a lack of available forensic evidence prevented Eye Care Leaders from ruling out the possibility that some protected health information and personally identifiable information may have been exposed to the bad actor,” the clinic added. 

Mattax Neu Prater added that it currently has no evidence of identity theft resulting from the incident, but it has notified potentially affected patients by postal mail.

Cybersecurity experts suggest that all healthcare organizations adopt a zero-trust approach to their digital infrastructure, which treats every connected device as a potential intruder until it is properly verified. According to these experts, traditional controls such as firewalls and antivirus software have become less effective.

Cybersecurity researchers also believe that the best way to protect systems is to eliminate passwords altogether. Some other tips that can help healthcare professionals are listed below:

• Store patient data on systems that are not connected to the internet. 
• Train staff on phishing attacks and how they work. 
• Use two-factor or multi-factor authentication (for example biometrics) for logins instead of passwords.
• Never click links in email or download attachments. 
• Encrypt all data so if it is accessed or compromised, it will not be exposed.

Google Announces Password Manager Updates to Enhance User Security

 

Last week, Google updated its Password Manager service to help users who have been struggling with their passwords.

Chrome users can now use Google Password Manager's autofill option to have the browser remember and store passwords for all the sites they visit, the company said in a blog post.

Previously, users could add passwords to Google Password Manager only when Google prompted them to; now they can add passwords manually at any time.

Although Google has not yet made Password Manager a standalone app, Android users can now add a home-screen shortcut to it. iPhone users can generate unique, strong passwords for their apps when they choose Chrome as the default autofill provider.

Additionally, the built-in Password Checkup feature on Android is receiving an upgrade of its own too. Beyond checking for hacked credentials, it can further highlight weak and reused passwords à la Apple iOS. Google is also expanding the compromised password warnings to Chrome users across all operating systems. 

Last but not least, Google is launching a new "Touch-to-Login" to Chrome on Android that allows users to sign in to websites with a single tap after entering the credentials with autofill. It's worth noting that Apple implemented a similar feature in Safari with iOS 12.2. 

According to Google's blog post, the latest updates and features were designed at the Google Safety Engineering Center, where privacy and security experts work on creating a secure ecosystem for users.

The blogpost further stated, “Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.” 

The announcement comes after Verizon’s 2022 Data Breach Investigations Report highlighted that compromised credentials accounted for almost 50% of data breaches.

Alert! Teen Hackers are Using Discord to Disseminate Malware

 

Avast security researchers found a Discord channel where a group of teenagers is developing, updating, promoting and selling malware and ransomware, allegedly to make pocket money.

The researchers believe they are all minors since they frequently referenced their parents and teachers and casually used age-specific slurs. Researchers discovered their activities through their Discord chat. The hackers sell variants of the Snatch, Lunar and Rift malware families and offer services ranging from data theft to ransomware and crypto mining.

Researchers also found that the teen hackers mostly offer easy-to-use malware builders and toolkits, letting buyers assemble malware in a "do it yourself" (DIY) fashion without real programming.

How does the Group function? 

To become a group member or use the malware-as-a-service offering, interested parties must pay a fee; the registration price ranges from €5 to €25. Avast researchers observed that about 100 accounts have already enrolled to gain access to one hacking group. The malware distribution method is somewhat unusual.

The hackers post a YouTube video showing a bogus crack for a popular game or commercial software, with a download link in the description. To build credibility, other members of the Discord group comment on the video, thanking the uploader and confirming that the link works. This is even more devious than comment bots because it is harder to recognise.

How Should One Handle Teen Hackers? 

This scenario is undoubtedly troubling. Hacking ability among teenagers and minors should therefore be channelled towards beneficial, ethical endeavours for the general benefit of the cybersecurity sector.

Parents should talk with their children to understand what motivates them to distribute malware. There are many resources on Discord and other platforms for anyone interested in pursuing a career in cybersecurity.

The first step, though, is for parents to engage with their children without passing judgement. It is worth emphasising that the group distributes illegal malware without grasping the gravity of the situation, dismissing it as a prank.

Project Zero: Many Flaws Exploited in H1 2022 Were Variants of Previous Flaws


Google Project Zero says that around half of the zero-day vulnerabilities exploited in attacks in H1 2022 were variants of older flaws that had not been properly patched. Maddie Stone, a researcher at Google Project Zero, published a blog post that continues part of her talk at the FIRST conference held in June 2022, titled "0-day In The Wild Exploitation in 2022...so far."

Stone disclosed that 9 of the 18 zero-day vulnerabilities identified and disclosed as exploited in the wild in 2022 are variants of previously patched vulnerabilities.

"As of June 15, 2022, 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests,” said Stone in her blog. “On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months after the original in-the-wild 0-day patched, attackers came back with a variant of the original bug.” This suggests that in most incidents the attacks were not sophisticated: the actors who exploited the flaws returned to a known vulnerability and triggered it via a different technique.

For instance, the recently discovered Follina Windows vulnerability, CVE-2022-30190, is a variant of CVE-2021-40444.

"When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take action to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, and they must develop a brand new exploitation method.” writes Stone. "To do that effectively, we need correct and comprehensive fixes." 

To deal properly with zero-day vulnerabilities, Google's experts suggest that platform security teams and independent security researchers invest in root cause analysis, patch analysis, variant analysis and exploit technique analysis.

Symbiote: A Stealth Malware that Attacks Banking Institutions

 

Cybersecurity researchers have discovered a "nearly-impossible-to-detect" Linux malware that can be used to backdoor infected systems. Named Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is known for its ability to hide itself within running processes and network traffic and drain the target's data like a parasite.

The Hacker News says "this is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that's built to steal OpenSSH credentials and maintain access to a compromised server." 

The actors behind Symbiote are believed to have started working on the malware in November 2021, using it to target financial institutions in Latin America, including banks such as Banco do Brasil and Caixa.

Symbiote's main aim is to capture credentials and facilitate backdoor access to the target's systems. What sets it apart from other Linux malware is that it infects running processes rather than running as a standalone executable.

It does this by abusing the Linux dynamic linker's LD_PRELOAD mechanism, a technique previously used by malware such as Pro-Ocean and Facefish: the dynamic linker loads the malicious shared object into processes as they start, and from there it infects the host. Beyond hiding its files from the file system, Symbiote can also cloak its network traffic using the extended Berkeley Packet Filter (eBPF).

It achieves this by injecting itself into the process of network inspection software and using BPF to filter out the results that would reveal its activity.
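A defender can look for the three footprints this technique leaves on a host: an entry in /etc/ld.so.preload, an LD_PRELOAD variable in a process's environment, and a shared object the loader has mapped that the file system no longer shows. The Python below is an added example written for this page, not BlackBerry's or Intezer's tooling; all sample data (the preload file content, the environ blocks, the maps excerpt and the path under /tmp) is constructed.

```python
import os
import re

# A /proc/<pid>/maps line: address range, perms, offset, device, inode, path.
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(/\S+)$")


def parse_ld_so_preload(text):
    """Return library paths listed in /etc/ld.so.preload (comments, blanks skipped).

    The file is whitespace separated; colons are accepted too for LD_PRELOAD-style
    values pasted into it."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.replace(":", " ").split())
    return libs


def parse_environ(raw):
    """Parse the NUL-separated bytes of /proc/<pid>/environ into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_objects(maps_text):
    """Return the set of file-backed mappings from /proc/<pid>/maps text.

    Lines ending in '(deleted)' do not match, so ordinary upgraded-library
    mappings are left out of the result."""
    paths = set()
    for line in maps_text.splitlines():
        match = MAPS_LINE.match(line.rstrip())
        if match:
            paths.add(match.group(1))
    return paths


def preload_findings(preload_text, environs, maps, exists=os.path.exists):
    """Cross-check three loader-related views of a host.

    preload_text: content of /etc/ld.so.preload
    environs:     {pid: raw environ bytes}
    maps:         {pid: /proc/<pid>/maps text}
    exists:       path-exists predicate, injectable so constructed data can be tested
    Returns (kind, pid, path) tuples worth a closer look."""
    findings = [("ld.so.preload", None, lib) for lib in parse_ld_so_preload(preload_text)]
    for pid, raw in environs.items():
        for lib in parse_environ(raw).get("LD_PRELOAD", "").replace(":", " ").split():
            findings.append(("LD_PRELOAD", pid, lib))
    for pid, text in maps.items():
        for path in mapped_objects(text):
            # A shared object the loader has mapped but the file system does not
            # show (and that is not marked deleted) is hidden from directory listings.
            if (path.endswith(".so") or ".so." in path) and not exists(path):
                findings.append(("mapped-but-missing", pid, path))
    return findings


def collect_live():
    """Gather the three views from a running Linux host (needs read access to /proc)."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as handle:
            preload = handle.read()
    environs, maps = {}, {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as handle:
                environs[int(pid)] = handle.read()
            with open(f"/proc/{pid}/maps") as handle:
                maps[int(pid)] = handle.read()
        except OSError:
            continue  # process exited or is not readable with our privileges
    return preload, environs, maps


# Constructed sample data (not from a real host).
SAMPLE_PRELOAD = "# system tuning\n/usr/local/lib/libnss_tune.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0HOME=/root\0",
    2345: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0",
}
SAMPLE_MAPS = {
    2345: (
        "55d0c4a00000-55d0c4a21000 r--p 00000000 08:01 4242 /usr/bin/sshd\n"
        "7f1c2a000000-7f1c2a021000 r--p 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f1c2b000000-7f1c2b005000 r-xp 00000000 08:01 9001 /tmp/.x/libhook.so\n"
        "7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0 [stack]\n"
    ),
}
# Files the constructed "file system" can see; the hooked library is absent.
SAMPLE_KNOWN_FILES = {"/usr/bin/sshd", "/usr/lib/x86_64-linux-gnu/libc.so.6"}


def demo():
    """Run the checks over the constructed sample data."""
    return preload_findings(SAMPLE_PRELOAD, SAMPLE_ENVIRONS, SAMPLE_MAPS,
                            exists=SAMPLE_KNOWN_FILES.__contains__)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, `preload_findings(*collect_live())` runs the same checks against /proc; run it as root so every process's environ is readable.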

"Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its existence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files," reports The Hacker News.

Cyware is Changing the Cybersecurity Landscape

 

Cybercriminals often have technical prowess equal to, and sometimes greater than, that of their cybersecurity counterparts. This has led to an ever-evolving landscape of cybercrime that constantly outsmarts modern security technologies. So does that end our fight against cyber threats? No; the answer lies in greater awareness and adoption of automation technologies.

Akshat Jain, CTO and Co-founder of Cyware, shared his vision and the role of automation technologies in eliminating cyber threats. Here are the key points he discussed in an interview with Elets CIO:

The vision of Cyware 

Anuj Goel and I started the company in 2016 with the vision of assisting organizations to reimagine the way they approach and manage cybersecurity. Our prior experiences in steering large security and technology teams made us realize the inadequacies of reactive, manually-driven, and intelligence-deprived cybersecurity strategies that put organizations at a disadvantage against threat actors. 

Today, Cyware is helping organizations transform their security postures through our cyber fusion solutions that combine the capabilities of Threat Intel Platforms (TIP) and Security Orchestration, Automation, and Response (SOAR) to make security proactive and to integrate and accelerate different security functions, including threat detection, response, vulnerability management, threat hunting, and others. 

Role of Automation in advanced security operations 

Automation plays an important role in the enrichment, correlation, analysis, and last-mile delivery of this threat intelligence to different teams within an organization, or to external partners, industry peers, regulatory bodies, information sharing community (ISAC/ISAO) members and others. Using this telemetry, they are expected to take mitigating actions to contain and respond effectively to those threats.

“Automation assists in detecting the variety of threats by using historical indicators of compromise (IOCs), and the knowledge of threat actors’ tactics, techniques, and procedures (TTPs) to trigger machine-driven detection alerts. From there, security teams can once again automate containment actions to ensure that a threat does not spread laterally across their systems and networks, thereby minimizing the impact of a threat. 

Response actions needed to finally eliminate the threat can also be executed rapidly through automated workflows leveraging security orchestration for information exchange and actioning across a variety of tools,” Jain explained. 

Importance of Cyber Innovation and Global Collective Defence in the cloud-first economy

Cyber innovation is the need of the hour to help organizations adopt new security technologies and strategies to deal with these new challenges. With the increasingly distributed nature of today’s work environment, it is essential to boost collaboration in cybersecurity across all sectors to develop collective defense strategies for resilient cyberspace for all. 

As threat actors become stealthier and quicker, organizations should also make smart use of threat intel collected from both internal and external sources to drive proactive actions against potential threats to their infrastructure. 

Cyware’s progress in designing a first-of-its-kind global collective defense network 

Cyware is creating the first-of-its-kind global collective defense network through its advanced cross-sectoral threat intel sharing platforms that link all the stakeholders within an organization, as well as its business partners, vendors, industry peers, national CERTs, information sharing communities (ISACs/ISAOs), and others.

The network will assist organizations in sharing strategic, tactical, technical, and operational threat intelligence in real-time to ensure a timely response to various threats. More than 20 information-sharing communities (ISACs, ISAOs, and CERTs) from financial services, automotive, space, aviation, healthcare, retail, energy, and manufacturing sectors, among others, are using Cyware’s solutions to share threat intelligence with their 10,000+ member organizations.

Brazilian Banks Place a Priority on A.I. and Cybersecurity

 

According to a new survey, artificial intelligence (AI) and cybersecurity are among the top priorities in the technology strategy of Brazilian banks. Data analysis, and the complexity of data analysis strategies relating to data obtained through the ongoing Open Finance initiative, is also a top priority for 78 percent of participants, according to the annual study published by the Brazilian Banking Federation (Febraban) in collaboration with Deloitte.

"It merely came to our attention at the time." For the past three decades it has been Brazilian banks, not fintechs or startups, that have been at the forefront of international banking technology, and they remain there. Banks have always been digital, innovative and sophisticated, but most importantly safe and dependable. "We are not dedicated to it," says FEBRABAN President Isaac Sidney.

Other innovations were also cited as vital, in addition to AI and cybersecurity, which were named key priorities and main areas of focus in 2021 and remain so this year.

Public cloud (94%), Big Data (94%), process mining (78%), IoT (75%), blockchain (67%) and quantum computing (50%) were all highlighted by IT decision-makers as current priorities.

Other goals mentioned by the CEOs in the report were the creation of super apps or superstores (39%) and data-driven financial counseling (35%), as well as store transformation (30%) and WhatsApp-based transactions (30%). Initiatives focused on boosting customer trust in data sharing (22%) and expanding chatbot-based transactions (17%) are at the bottom of the list.

For the study, Febraban surveyed 24 firms representing 90% of the Brazilian banking industry via a questionnaire. The qualitative phase involved 34 executives. One of the three research phases was completed during November and December 2021.

Banks are widely regarded as pioneers in digital transformation efforts. "If you look at that market, they have complexity in what they have," EY's Errol Gardner said in a recent interview with TechInformed. "But they are putting tremendous investment into digital and the services which wrap around it." However, many banks remain particularly focused on the conventional local-branch-network way of operating.

Analysis of Cryptocurrency Fundraising

 

A cryptocurrency is a form of digital currency designed to make internet transactions extremely safe. Investors and authorities are paying attention to the unexpected increase in the value of cryptocurrencies. The digital era has certainly advanced our understanding and use of money, and we are on the verge of a new financial revolution linked to the fourth industrial revolution. There are currently 9,271 distinct cryptocurrencies available, with Bitcoin, Ethereum, Tether, BNB and USD being the most renowned.

Cryptocurrencies, despite being older than the iPad, have only recently entered the public sphere, with their impact felt predominantly in the last three or four years. Digital currencies have spread to numerous banks, including JP Morgan and Wells Fargo, which are developing their own. Blockchain, AI, IoT and a slew of other technologies are making inroads into our daily lives, while more traditional concepts and technologies scramble to keep up or risk becoming obsolete.

Bitcoin, one of the most popular cryptocurrencies, was launched in 2009 and employs peer-to-peer technology to enable rapid transactions without the involvement of institutional bodies such as banks or governments. A password or a private key is required to access the received cryptocurrency in the wallet. Furthermore, the transaction is safeguarded by blockchain technology when it is sent from one wallet to another.

Physical currency serves as a universal measure of worth as well as a quick means of transferring it. The switch to a crypto-based system would almost certainly be difficult, as cash could become obsolete in the blink of an eye if the crypto world advances at its current pace, and established banking institutions would have to hustle to adapt. Governments across the world are now accepting blockchain and cryptocurrency. According to a Gartner report, 83 nations, accounting for 90 percent of global GDP, are currently experimenting with or deploying Central Bank Digital Currencies (CBDCs). While many businesses initially offered to accept Bitcoin during its first boom, this list has progressively shrunk, reinforcing doubt about the cryptocurrency's potential as a medium of exchange.

In India, cryptocurrency boomed relatively late, when a bitcoin already cost millions of rupees; as a result, Indians tend to hold only a few satoshis (the smallest unit of a bitcoin), though this is not the case everywhere. People deal in smaller units such as milli- or micro-bitcoins given the value of the cryptocurrency.

Furthermore, the price of a cryptocurrency varies between exchanges, which is a clear breach of the law of one price.

While bitcoin performs well as a store of value, its volatility makes it riskier and exposes holders to greater danger of loss. Several variables influence the price of a bitcoin, such as supply and demand, competition and regulation. Investor perceptions of cryptocurrency are also influenced by recent news events.

Cryptocurrencies in India also lack other traits typically associated with modern physical currencies: they cannot be deposited in a bank and must be held in digital wallets, which are costly and risky because of hacking, staff corruption, exposed public IP addresses and ransomware. In many respects, government oversight of a central currency is essential for regulation, and cryptocurrencies would operate with far less of it. Bitcoin's supply is fixed, with an absolute limit of 21 million units.

To maintain steady price levels, the money supply must be able to grow in step with macroeconomic activity; otherwise the gap can only be closed by raising the velocity of money or by a substantial drop in prices, which could put the economy in jeopardy.

For investors, bitcoin's artificial scarcity is a benefit: increased demand combined with inelastic supply leads to a higher price. The lack of a central regulator makes investor protection untenable and raises the likelihood of greater instability. People enter these markets expecting cryptocurrencies to grow in the future; this presumption fuels speculative behaviour, and a quick shift in it may cause the market to crash, hurting many naive investors.

The magnitude of economic harm depends on the connectivity between crypto-assets and the traditional banking industry. According to economists, shocks could be transmitted to the financial system through direct exposure to cryptocurrencies, and indirect repercussions could spread to other asset classes. Crypto assets, according to the RBI financial stability report (2021), pose long-term risks for capital control management, financial and macroeconomic stability, and monetary policy transmission.

China has taken the toughest stance on cryptocurrencies, going from allowing crypto mining to outright prohibiting it as of June 2021. In the United States and India, regulation is divided between federal and state governments. The EU's draft Markets in Crypto-Assets Regulation (MiCA) was announced by the European Commission in September 2020. In the UK, crypto-assets are currently supervised by the Financial Conduct Authority (FCA). It is worth noting that a South American nation was the first to declare Bitcoin legal tender.

Looking at the evolution of crypto as a currency, it has virtually achieved its goal of decentralisation, and major firms such as Tesla, Microsoft and Meta are now investing in it. On the other hand, cryptocurrency still faces the problem of being hackable. In the long run, if it continues to develop at its current rate, it may eventually replace fiat currency, once the issues of hacking and extreme volatility are resolved.

Imperva: Majority of Indian Organisations Don't Have a Strategy for Stopping Insider Threats Despite Growing Risk

 

New research from Forrester (commissioned by Imperva) has found that three-quarters (74%) of APAC organisations do not have an insider risk management strategy or policy. In India, it is 69%. 
 
This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher due to the rapid shift to remote work and ‘The Great Resignation’. The research backs this up, with insider threats being the cause of the majority (58%) of incidents that negatively impacted sensitive data in the last 12 months. 
 
Other key findings of the report include: 
 
· The majority of APAC respondents blame lack of budget (41%) and internal expertise (38%) 
 
· The main strategies being used to protect against insider threats are encryption (54%) and periodical manual monitoring/auditing of employee activity (44%) 
 
New research, commissioned by Imperva and conducted by Forrester, found that the majority (58%) of incidents that negatively impacted sensitive data in the last 12 months was caused by insider threats, and yet more than half (59%) of APAC organisations do not prioritise insider threats the way they prioritise external threats. 
 
“This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher,” says George Lee, Vice President, Asia Pacific and Japan, Imperva. “The rapid shift to remote working means many employees are now outside the typical security controls that organisations employ, making it harder to detect and prevent insider threats. 
 
“Further, ‘The Great Resignation’ is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, or it could be taken inadvertently when an employee leaves the organisation.” 
 
Why are organisations not prioritising insider threats? The majority of APAC respondents blame lack of budget (41%) and internal expertise (38%), but other problems abound. A third (33%) of firms do not perceive insiders as a substantial threat, and 24% say their organisational indifference to insider threats is due to internal blockers such as a lack of executive sponsorship. In fact, three-quarters (74%) of APAC organisations do not have an insider risk management strategy or policy, and 70% do not have a dedicated insider threat team. 
 
Previous analysis by Imperva into the biggest data breaches of the last five years found one quarter (24%) of these were caused by human error (defined as the accidental or malicious use of credentials for fraud, theft, ransom or data loss) or compromised credentials. 
 
APAC firms are prioritising external threats over insider threats, despite the fact that insider events occur more often, says Lee, “Insider threats are hard to detect because internal users have legitimate access to critical systems, making them invisible to traditional security solutions like firewalls and intrusion detection systems. This lack of visibility is a significant risk to the security of an organisation's data. That is why leaders need to focus on the potential threats lurking within their own network.” 
 
The main strategies currently being used by APAC organisations to protect against insider threats and unauthorised use of credentials are encryption (54%) and periodic manual monitoring/auditing of employee activity (44%). Many are also training employees to ensure they comply with data protection/data loss prevention policies (57%). Despite these efforts, breaches and other data security incidents are still occurring, and more than half (55%) of respondents said that end users have devised ways to circumvent their data protection policies. 
 
“If your organisation hasn’t created a focused strategy to adequately address insider risk, this needs to be a priority for 2022. An effective insider threat detection system needs to be diverse, combining several tools to not only monitor insider behaviour, but also filter through the large number of alerts and eliminate false positives. Also, as protection of a company’s intellectual property begins at the data layer, a comprehensive data protection plan must include a security tool that protects the data layer,” says Lee. 
 
According to Imperva, organisations looking to better protect against insider threats should take the following steps: 
 
● Gain stakeholder buy-in to invest in an insider risk program. Insider risk is a human problem, not a technology issue, and must be treated as such. It is also a risk that cuts across all parts of the business. Therefore it is important to get senior executives from across the company to endorse and support the insider risk program for it to be successful. Start at the top to gain buy-in and sponsorship, then engage with leaders from HR, Legal, IT, and other parts of the organisation. 
 
● Follow Zero Trust principles to address insider risk. Following a Zero Trust approach helps protect data and users while limiting the ability of insiders to use sensitive resources not required by their function. 
 
● Build a dedicated function to address insider risk. Since insider risk is a human problem and very sensitive in nature, it requires dedicated resources. These may be part of the security team or, better yet, a separate dedicated function. Either way, this team needs a specific mandate for insider risk and training to recognize and respond to insider threats. 
 
● Create processes for your insider risk program and follow them. The sensitivity of insider risk and its associated privacy concerns require that strict policies are implemented and followed. Treat every investigation as if it will end up in court and apply policies consistently. 
 
● Implement a comprehensive data security solution. A complete solution goes beyond DLP to include monitoring, advanced analytics, and automated response to prevent unauthorised, accidental, or malicious data access. The technologies you deploy should support the processes you’ve created and the mandate for your insider risk function. Your organisation will see cost savings and a reduction of risk from business-impacting security events. 
 

Corporate Website Contact Forms Used in BazarBackDoor Malware Campaign

BazarBackdoor malware is now spreading via website contact forms instead of typical phishing emails in order to evade detection by security software. BazarBackdoor is a stealthy malware made by the TrickBot group and currently under development by the Conti ransomware operation. 

The malware gives threat actors remote access to an internal device, which can then serve as a launchpad for further spread across the network. The malware is usually distributed via phishing emails carrying documents that download and deploy it. 

But secure email gateways are now better at catching these malware droppers, so distributors are finding new ways of delivering the malware. In a recent report, Abnormal Security analysts reveal that a new malware campaign that started last year is targeting corporate victims with BazarBackdoor; the goal is most probably to deploy Cobalt Strike or ransomware payloads. Rather than sending phishing emails to targets, the hackers first use corporate contact forms to start the conversation. 

For instance, in many cases observed by the researchers, the hackers posed as employees of a Canadian construction firm submitting a request for a product supply quote. When the targeted employees respond, the threat actors send back a malicious ISO file supposedly related to the request. 

Because sending these files directly would trigger security alerts, the hackers use file-sharing services such as WeTransfer and TransferNow. In a similar contact-form abuse case in August, fake DMCA infringement notices sent via contact forms were used to install BazarBackdoor. 

How BazarLoader Malware Hides

"The ISO archive attachment contains a .lnk file and a .log file. The idea here is to evade AV detection by packing the payloads in the archive and having the user manually extract them after download. The .lnk file contains a command instruction that opens a terminal window using existing Windows binaries and loads the .log file, which is, in reality, a BazarBackdoor DLL," reports Bleeping Computer. Stay connected with CySecurity to know more.
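As an added defensive example (not code from the original post or from Bleeping Computer), the following Python script shows how an analyst can triage a shortcut like the one described above: it parses the Shell Link (.lnk) header and StringData fields according to the MS-SHLLINK layout, extracts the command line the shortcut would run, and flags a shortcut that launches a system binary such as rundll32 or cmd against a file with a non-executable extension such as .log. The `build_sample_lnk` fixture, the file names (invoice.log, viewer.exe) and the two heuristic lists are constructed for illustration and are not indicators from the campaign.

```python
import re
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each present only when its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Triage heuristics (our own, hypothetical lists): system binaries commonly abused to
# load a payload, and non-executable extensions a DLL or script may hide behind.
LOLBIN_RE = re.compile(r"\b(rundll32|regsvr32|cmd|powershell|mshta|wscript|cscript)(\.exe)?\b")
DISGUISED_EXT_RE = re.compile(r"\.(log|txt|jpg|png|pdf|dat)\b")


def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields (target path, arguments, ...) from a .lnk blob."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList: uint16 size followed by items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: its uint32 size counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut whose command line runs a system binary on a non-executable 'document'."""
    fields = parse_lnk(data)
    command = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).strip().lower()
    findings = []
    if LOLBIN_RE.search(command):
        findings.append("invokes a living-off-the-land system binary")
    if DISGUISED_EXT_RE.search(command):
        findings.append("references a payload with a non-executable extension")
    # Either trait alone is common in legitimate shortcuts; both together warrant a closer look.
    return {"command": command, "findings": findings, "suspicious": len(findings) == 2}


def build_sample_lnk(arguments: str, relative_path: str = "") -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only StringData (no IDList/LinkInfo)."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_RELATIVE_PATH if relative_path else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3.
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    values = {"relative_path": relative_path, "arguments": arguments}
    body = b""
    for flag, name in STRING_FIELDS:
        if flags & flag:
            value = values.get(name, "")
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    sample = build_sample_lnk("/c rundll32.exe invoice.log,Entry", "..\\..\\Windows\\System32\\cmd.exe")
    print(assess_lnk(sample))
```

To use it on a real shortcut pulled from a suspicious ISO, read the file in binary mode and pass the bytes to `assess_lnk`; a genuine shortcut normally also carries an IDList and a LinkInfo block, which the parser skips by their declared sizes before reading the strings. The verdict requires both heuristics to hit rather than either alone, because a legitimate shortcut may pass a .pdf to a viewer or launch cmd.exe without doing both.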

Vodafone Investigates Source Code Theft Claims

Vodafone launched an inquiry after a hacking group claimed to have stolen a hundred GBs of source code from the telecom company. The cybercrime group, which calls itself 'Lapsus$,' claims to have obtained around 200 GBs of source code files, representing around 5,000 GitHub repositories. In an emailed statement, Vodafone confirmed that it is aware of the situation and that an investigation has been started. 

The company said that it is currently investigating the claim together with law enforcement agencies to verify its credibility. In general, the types of repositories referenced in the claim contain proprietary source code and no customer data. 

As of now, the hackers have not published any of the Vodafone source code they claim to have stolen. Instead, they are asking the tens of thousands of subscribers to their Telegram channel to vote on what to leak next: Vodafone, e-commerce company MercadoLibre, or Portuguese media company Impresa. The poll ends on March 13. The attack on Impresa caused service disruption, and MercadoLibre confirmed in an SEC filing that source code and 300,000 users' data were leaked. 

Last month, Vodafone Portugal blamed service problems on a 'malicious cyberattack,' but it is not clear whether the incidents are linked. The Lapsus$ group has also leaked source code and other information from NVIDIA and Samsung. 

NVIDIA confirmed that the hackers stole employee credentials and code-signing certificates. The threat actors stole 190 GB of data from Samsung, which confirmed the theft of source code linked to Galaxy devices but said that employee and customer data was not compromised. 

The hackers are seeking large ransom payments from the affected companies in exchange for not publishing the stolen data. From NVIDIA, they demanded that the company open-source its drivers and remove a feature that restricts Ethereum mining performance on some of its graphics cards. 

"The hackers gained access to the company’s Amazon Web Services account and sent emails and text messages to subscribers, the statement said. The hackers accessed some subscriber information, but Impresa said it had no evidence they got hold of subscribers’ passwords or credit card details," says Security Week.

Threat Actors are Using Leaked Stolen Nvidia Certificates to Hide Malware

Malicious actors are using stolen NVIDIA code-signing certificates to gain remote access to unsuspecting machines and deploy malicious software on Windows. 
 
Earlier this week, NVIDIA, an American multinational firm, suffered a cyberattack that allowed hackers to steal the credentials and proprietary data of 71,000 employees.  
 
The hacking group, known as Lapsus$, claimed that they stole 1TB of data during the attack and began leaking sensitive information online after NVIDIA rejected their ransom demand.  
 
The exposed data includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executable files before releasing them to the public. The signature lets Windows and end users verify the origin of a file. To strengthen this, Microsoft also requires kernel-mode drivers to be code signed; otherwise the OS refuses to load them.  
 
After Lapsus$ leaked NVIDIA's code-signing certificates, cybersecurity experts quickly discovered that the certificates were being used to sign malware and other tools used by threat actors.  
 
Several malware samples signed with the aforementioned NVIDIA certificates were discovered on VirusTotal, a malware scanning service. The uploaded samples showed the certificates being used to sign hacking tools and malware, including Cobalt Strike Beacon, Mimikatz, backdoors, and remote access trojans.  
 
Security researchers Kevin Beaumont and Will Dormann shared that the stolen certificates utilize the following serial numbers:  
 
43BB437D609866286DD839E1D00309F5 
14781bc862e8dc503a559346f5dcc518  
 
Both certificates have expired, but Windows still accepts drivers signed with them. Using these stolen certificates, threat actors can therefore make their programs appear to be legitimate NVIDIA software and have malicious drivers loaded by Windows.  
 
“Signing certificates are the keys computers use to verify trust in software,” Casey Bisson, head of product and developer relations at code-security product provider BluBracket, stated. “Validating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).”  
 
To prevent vulnerable drivers from being loaded on Windows, David Weston, director of enterprise and OS security at Microsoft, tweeted that admins can configure Windows Defender Application Control (WDAC) policies to control which specific NVIDIA drivers may be loaded on a system.

Cyber-Attack on New York Ethics Watchdog

New York’s public ethics watchdog had to shut down its systems after state information technology researchers discovered a malicious cyber-attack on its web servers. 

The ethics watchdog, which regulates lobbying at the State Capitol, reported last Friday evening that, after receiving an alert about suspicious activity on JCOPE’s network, it had launched an investigation to determine the scope of the attack and the perpetrators behind it.

Following the attack, the Commission has shut down the systems as a precaution, including its lobbying application and financial disclosure statement online filing system.

JCOPE reported that the systems will remain shut down until the agency can safely resume normal operations. So far, agency officials have not said who was responsible for the attack. However, the agency said that it plans to work with state law enforcement officials to investigate it.

“Our first and highest priority is the safety and integrity of the data entrusted to the Commission by the regulated community,” said JCOPE Executive Director Sanford Berland in a statement.

Following the attack, the public was not able to access the data about lobbyist expenditures. Lobbyists were kept from submitting their required records. JCOPE said that it will grant automatic extensions to the people who missed a deadline because of the outage. 

Walter McClure, a JCOPE spokesperson added that "the outage also affects searches using the agency’s legacy lobbyist filing system, which was in use until 2019".

Cyberattack on NATO Can Trigger Collective Defense Issue

A cyberattack on a NATO member state could trigger Article 5, the collective defense clause, a NATO official said on Monday, amid concerns that disruption in cyberspace related to Russia's invasion of Ukraine could spill over to other countries. The military alliance has long made it clear that a cyberattack could trigger the clause, but such a scenario has mostly been considered hypothetical. Allies also acknowledge that the impact of significant malicious cyber activity could, in certain circumstances, be considered an armed attack. 

"These are things that have been in hypothetical discussion for a decade, but because we've not come to any universal conclusion on what those standards should be, what level of attribution is needed, we're kind of in a very grey area," said U.S. Senate Intelligence Committee Chairman Mark Warner. Officials will not say how serious a cyberattack would have to be to trigger a collective response. Possible responses include economic and diplomatic sanctions, conventional forces, and cyber measures. 

It all depends on the seriousness of the attack. Whether a cyberattack meets the threshold to invoke Article 5 is decided by the NATO allies. The US and Britain have warned about possible cyberattacks on Ukraine that could have global consequences; for instance, a destructive virus built to attack Ukrainian networks has previously spread to other regions. 

Another concern among cybersecurity experts is that Russia could work with ransomware gangs, as in the infamous Colonial Pipeline incident in the US last year. According to Reuters, "Mark posed the hypothetical case of a Russian cyberattack on Ukraine that impacts NATO member Poland, triggering power outages that result in hospital patients dying or knocking out traffic lights, causing fatal road accidents involving U.S. troops deployed there."

The Cat and Mouse Chase of Account Takeovers

Cequence Security's Threat Research Team analyzed more than 21 billion application transactions between June and December 2021 and found that API-based account registration and login transactions rose by 92 percent, to around 850 million. This highlights that attackers value APIs as much as developers do. The same data set shows that account takeover (ATO) attacks on login APIs grew by 62 percent. An ATO causes an end user to panic on receiving a message such as “you have received a password reset notification from your favorite retailer/social media/financial institution because your account has been compromised.” 

If you are ever hit by an ATO, you will probably not want to do business again with the organization associated with the account. This hurts businesses by costing them valuable customers and hitting the bottom line through lost sales, brand damage, and infrastructure cost overruns. ATO techniques have evolved beyond credential stuffing, the high-volume technique most commonly used. ATO now includes low-and-slow attacks that use specific usernames and passwords. These follow a pattern, for instance targeting organizations and employees with a social presence (recommendations, reviews, etc.). 

For these targets, ATOs have become a constant problem; the goal is not to steal sensitive information but to use the hijacked accounts to amplify negative or positive information. The patterns observed in these attacks have been seen earlier, in varying forms, in different customer environments. Bots go silent for a while but return to cause more damage. Observing these bot behaviors suggests that bot operators work together, sharing ideas and studying weak vectors (such as deprecated APIs) to prepare for the next attack. 

A robust defense will require continuous monitoring and review of all endpoints, mobile and web API alike, and cooperation between security teams and their peers. "ATO is a problem that more and more organizations are facing as threat actors want to steal gift cards, access one-click purchasing, and dominate hype-sales to buy and resell the inventory. As we have seen through this analysis, the pace and vigor are on the rise. All organizations that have an authenticated application should consider monitoring for ATO, and build mitigations to ensure their customer satisfaction remains high," writes Jason Kent for Threat Post.
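To make the two patterns concrete, here is an added Python example (not Cequence's code or analysis) that runs simple sliding-window detection over a constructed login-event log: one rule catches credential stuffing (many distinct usernames failing from one address within a minute), a second catches a low-and-slow campaign (one account failing from several addresses over a day), and a successful login on an account already under such a campaign is reported as a possible takeover. The log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed login events (not real traffic): '<ISO time> <client IP> <username> <result>'."""
    t0 = datetime(2021, 11, 2, 3, 0, 0)
    lines = []
    # Credential stuffing: one address sprays 25 different usernames in under a minute.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.5 user{i:02d} FAIL")
    # Low-and-slow: one account probed from rotating addresses over half a day, then a login.
    for hours, ip in ((0, "198.51.100.1"), (3, "198.51.100.2"), (7, "198.51.100.3"), (11, "198.51.100.4")):
        lines.append(f"{(t0 + timedelta(hours=hours, minutes=5)).isoformat()} {ip} alice FAIL")
    lines.append(f"{(t0 + timedelta(hours=14)).isoformat()} 198.51.100.9 alice SUCCESS")
    # Ordinary user: one typo followed by a normal login from the same address.
    lines.append(f"{(t0 + timedelta(hours=1)).isoformat()} 192.0.2.7 bob FAIL")
    lines.append(f"{(t0 + timedelta(hours=1, seconds=20)).isoformat()} 192.0.2.7 bob SUCCESS")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_ato(lines, stuffing_window=timedelta(seconds=60), stuffing_min_users=10,
               slow_window=timedelta(hours=24), slow_min_ips=3):
    """Return alerts for both ATO patterns and for a success that follows a targeted campaign."""
    events = sorted(parse_line(line) for line in lines)
    fails_by_ip = defaultdict(deque)     # ip -> (ts, user) failures inside stuffing_window
    fails_by_user = defaultdict(deque)   # user -> (ts, ip) failures inside slow_window
    flagged_ips, flagged_users, alerts = set(), set(), []
    for ts, ip, user, result in events:
        if result != "FAIL":
            # A success on an account already under a distributed campaign is the takeover moment.
            if user in flagged_users:
                alerts.append({"kind": "possible_takeover", "subject": user,
                               "detail": f"success from {ip} after a distributed failure campaign"})
            continue
        # Rule 1: high-volume spraying of many usernames from a single address.
        q = fails_by_ip[ip]
        q.append((ts, user))
        while ts - q[0][0] > stuffing_window:
            q.popleft()
        users = {u for _, u in q}
        if ip not in flagged_ips and len(users) >= stuffing_min_users:
            flagged_ips.add(ip)
            alerts.append({"kind": "credential_stuffing", "subject": ip,
                           "detail": f"{len(q)} failures across {len(users)} usernames within {stuffing_window}"})
        # Rule 2: one account failing from several addresses spread over a long window.
        q = fails_by_user[user]
        q.append((ts, ip))
        while ts - q[0][0] > slow_window:
            q.popleft()
        ips = {i for _, i in q}
        if user not in flagged_users and len(ips) >= slow_min_ips:
            flagged_users.add(user)
            alerts.append({"kind": "low_and_slow", "subject": user,
                           "detail": f"{len(q)} failures from {len(ips)} IPs within {slow_window}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_ato(SAMPLE_LOG):
        print(alert)
```

The per-address rule would fire on traditional credential stuffing but stays silent on the low-and-slow campaign against alice, whose failures come from four addresses hours apart; only the per-account rule catches that, which is why monitoring needs both views of the same login endpoint. The thresholds are starting points to tune against your own baseline of failed logins.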

Cyber Attack: North Korea Suffers Internet Outage

North Korea faced an internet shutdown, and experts suspect a cyberattack is the main reason. The outage lasted six hours on Wednesday last week, during local morning hours. It is the second internet outage in North Korea in the past two weeks. Cybersecurity expert Junaid Ali from Britain says the recent outage may have been caused by a distributed denial-of-service (DDoS) attack. 

When a user in North Korea tried to connect to an IP address, the traffic could not be routed into the country. The servers were back to normal within a few hours of the DDoS attack. Individual servers, however, could not function normally because of the disruption; these included Naenara, the official North Korean government portal, Air Koryo Airlines, and the North Korea Ministry of Affairs. 

News website NK Pro reports network records and log files suggest that websites hosted in North Korean domains that end with ".kp" could not be accessed. A similar incident happened in North Korea earlier on January 24, 2022. In simple terms, network disturbance, not power cut, caused the internet outage. Experts observed that no internet traffic went in and out of North Korea during the attack. 

According to Junaid, "it is common for one server to go offline for some periods, but these incidents have seen all web properties go offline concurrently. It is not common to see their entire internet dropped offline. 

During the incidents, operational degradation would build up first with network timeouts, then individual servers going offline and then their key routers dropping off the internet." Internet access is restricted in North Korea, and it is not known how many people have direct access to it, but the data suggests that around 25 million people have access to the internet, which is only 1% of the total population.

SLTT Organizations Targeted by Jupyter Malware

The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Threat Intelligence (CTI) team has uncovered Jupyter, a highly evasive and adaptive .NET infostealer, targeting state, local, tribal, and territorial (SLTT) organizations. 

To reach SLTT entities, the malicious actors have distributed Jupyter widely, using SEO poisoning to build watering-hole sites. Jupyter, also known as SolarMarker, uses a multi-stage infection process, leveraging PowerShell and legitimate tools such as Slim PDF Reader to drop secondary payloads that fingerprint the victim, collecting the computer name, OS version, architecture, permissions, and user identifier. 

According to MS-ISAC, Jupyter targeting SLTTs is a part of a broader opportunistic effort, since the malware is impacting a wide range of sectors, including finance, healthcare, and education. Following a surge in activity during the fall, SLTT-Jupyter infections subsided with no incidents in December and a small resurgence through this past month.

The targeted organizations became aware of the infections when their endpoint detection and response (EDR) services warned of unauthorized PowerShell commands attempting to establish command and control (C2) connections. 

The researchers at MS-ISAC continue to investigate why the malware authors are exfiltrating victims' private details. Additionally, the researchers have noticed that the Jupyter operators are altering their tactics, techniques, and procedures (TTPs), so that intrusion details vary across infections. 

Despite the variation in Jupyter TTPs, several features are common to both publicly reported and MS-ISAC-observed breaches. Before infection, the Jupyter operators inject over 2,000 keywords to push malicious Google and WordPress sites up the search engine rankings, a technique known as SEO poisoning, thereby increasing the likelihood that an unsuspecting user will visit the page. 

Upon examining one SLTT Jupyter incident, the researchers noticed that the initial infection occurred after an end user attempted to install a malicious file, embedded with an executable, obtained from a compromised website form.

19-Year-Old Claims to Have Hacked Into More Than 25 Teslas

A 19-year-old hacker claims to have remotely opened the doors and windows of over 25 Tesla vehicles in 13 countries, as well as turned on their radios, flashed their headlights, and even started their engines and enabled "keyless driving." David Colombo, who says he is an IT specialist based in Germany, also claims to have been able to disable the vehicles' anti-theft systems and determine whether or not a driver is present. 

In a Monday tweet, Colombo claimed to have "complete remote control" of the Teslas, but later explained that he was never able to take over automobiles to "remotely manage steering or acceleration and braking." 

"Yes, I potentially could unlock the doors and start driving the affected Teslas," he tweeted. "No, I cannot intervene with someone driving (other than starting music at max volume or flashing lights) and I also cannot drive these Teslas remotely." Colombo tweeted on Tuesday that his breach was "not a vulnerability in Tesla's system," but rather "it’s the owners' fault."

Colombo stated on Twitter that he was able to disable Sentry Mode, an anti-theft feature in which a built-in camera functions as a de facto alarm system. When an alert is triggered, cameras begin filming in the area around the vehicle. The video is then streamed to the vehicle's owner via a mobile app. 

This is not the first time that a Tesla vehicle has been hacked. The Tesla Model X's Autopilot was hacked several times in 2020. In one case, Israeli researchers from Ben Gurion University deceived the car by flashing "phantom" images on a road, wall, or sign, leading it to brake suddenly or steer in the wrong direction. A few months later, Wired reported that Lennert Wouters, a researcher at KU Leuven, "stole" a Tesla Model X in 90 seconds. 

Tesla CEO Elon Musk said last fall that he would cooperate with regulators to ensure that electric car drivers' personal data is safe from hackers. With the rapid rise of autonomous driving technology, data security in automobiles is causing more public concern than ever before, he said via remote link at an electric vehicle conference in China. 

By 2025, an estimated 470 million automobiles will be linked to a computerized database, making them prime targets for cybercriminals. According to Tech Monitor, the automobile cybersecurity industry is predicted to be worth $4 billion by that same year.