Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before year 2021 started. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.
The State of internet security in 2020 was hard. The trends that stormed last year will continue long to 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year trend was Instead of ‘bring your own device’, these days it’s rather ‘bring your own office’.
2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. 2021 Cybersecurity and IT Failures Roundup article presents you Lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lesson.
Kaspersky’s top three cybersecurity predictions for 2021 are increase in targeted attacks, attacks that are more disruptive exploiting contemporary issues and we will continue to have frequent and significant data breaches. I can pretty much agree on those. Cybersecurity must adapt to counter new threats in a transformed world
Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization, and stagnation. Naturally, the world is moving ahead. We can’t be naive and expect that bad things will not happen along with it. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”
In 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad to compromising corporate IT and IoT networks. New Cybersecurity Threat Predictions for 2021 article points out the the traditional network perimeter has been replaced with multiple edge environments, WAN, multi-cloud, data center, remote worker, IoT, and more, each with its unique risks.
DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline – but victims are being urged not to give in to demands.
One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes, which means that first they encrypt your data so you can’t access it and then they say they will publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.
Modern cybercrime is becoming increasingly open-sourced which means that already some of the most sophisticated and notorious cybercriminals are utilizing open-source tools to conduct their criminal activities and this will increase.
Trend Micro survey results claim that AI set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and have people who have answered to the survey really understood AI and cyber security? My predictions is that we will need humans and AI and even traditional solutions for a long long time.
The lack of people with cyber security skills is still a problem for many companies because AI will not replace them any time soon. There are different views how the situation has developed. Cybersecurity Skills Shortage Falls for First Time article claims that that shortfall in skills has therefore dropped from 4.07 million last year to 3.12 million. As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for services has dramatically increased. Some companies try to make claims that they have invented a “silver bullet” for educating cyber professionals like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to cloud, so we need more people who know security and cloud. The Cloud Talent Drought Continues (And Is Even Larger Than You Thought)
Hackers leverage sophisticated and novel techniques to break into networks article tells that recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents and expect more similar incidents that have not just year been revealed.
Want to avoid having your online accounts hacked? Enable two-factor authentication. Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.
A new version of OWASP Top-10 is coming this year. OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 predictions calculated by understandable metrics, make everyone able to reproduce the results, and present to an entire community for the feedback.
Privacy is an illusion. But that‘s a good thing article says that everyone’s information is available. It doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in One Future We have a Private, Anonymous Alternative to Cash but in the Black Mirror Future the Money in Your Pocket Knows Everything About You. Cash is dying that’s for sure. There are still ways to sen anonymous emails and it is a good idea to prepare to your digital life after death.
Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath makes the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom of speech sounding issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.
Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs to have vaguely defined “reasonable security features”. US Government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. EU introduces a cyber security IoT standard to protect its citizens and ENISA Publishes Guidelines on Securing the IoT Supply Chain.
7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.
IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. 6 essential activities to help developers build in IoT cybersecurity article gives some ideas to improve cyber security in your IoT development.
2,203 Comments
Tomi Engdahl says:
Tietoturvaguru Mikko Hyppönen jakaa vinkkejä uutuuskirjassaan: Väärä PIN-koodi tussilla pankkikorttiin
Mikko Hyppönen uutuuskirjassa: Navigaattorin ei kannata laittaa kotisi sijaintia
https://www.iltalehti.fi/tietoturva/a/b5833240-20d9-46bb-9c4c-85c4f2e9467e
Pelottaa, että pankkiautomaattikorttini viedään. Miten voisin hankaloittaa rosvojen elämää?
– Ota paksukärkinen musta tussi, ja kirjoita epäselvällä käsialalla automaattikorttiisi: ”PIN: 2983.” Älä käytä oikeaa PIN-koodiasi. Kun rosvo kokeilee variaatioita väärästä PIN-koodista, automaatti nielaisee kortin ja pankki palauttaa sen sinulle, Hyppönen kirjoittaa.
Unohdan aina pankkiautomaattikorttini PIN-koodin. Mikä avuksi?
– Tee kuten Friends-tv-sarjan Joey: Mene sen pankkiautomaatin luo, jota yleensä käytät ja kirjoita tussilla PIN-koodisi pankkiautomaatin etupeltiin. Siitä sinun on helppo tarkastaa se.
”Kyseessä on testi”
Työpaikan käytävällä tuli vastaa kaveri, jota en ole nähnyt ennen. Hänellä oli puku päällä, ja hän vaikutti tuttavalliselta. Hänellä ei kuitenkaan ollut kulkukorttia kaulassa, vaikka pitäisi olla. Pitäisikö minun haastaa häntä tästä? Se tuntuu vähän nololta.
– Kun joudut tällaiseen tilanteeseen, oleta aina, että kyseessä on testi. Testi, jossa testataan, toimitko oikein. Käytävällä vastaan tullut kaveri voi hyvin olla tietoturvayrityksen konsultti, joka testaa, huomataanko käytävillä pyörivä vieras kaveri, jolla ei ole kulkukorttia. Jos et puutu hänen toimintaansa, velttoilusi kirjataan ylös. Varminta on siis ottaa härkää sarvista ja kysyä kaverilta, missä hänen korttinsa on. Jos kortti on hukassa, vie hänet hakemaan korttia vastaanoton vartijoilta. Siellä asia kyllä selviää.
– Navigaattorit pyytävät merkitsemään kotisi sijainnin. Älä tottele niitä. Navigaattori kysyy kotiasi siksi, että se osaa ohjata sinut takaisin kotiin tien päältä, mutta jos autosi varastetaan, haluatko että varkaat tietävät, missä asut.
Viesti vaikuttaa vähän kummalta ja sen mukana tuli liitetiedosto.
– Älä avaa liitettä, vaan lähetä asiakkaallesi sen sijaan tekstari. Älä siis vastaa sähköpostitse, koska sähköpostisi saattaa päättyä hyökkääjälle, vaan tekstaa esimerkiksi: ”Hei, sain sähköpostisi, jonka juuri lähetit. Palaan asiaan vielä tänään!” Jos vastaanottamasi viesti on aito, asiakkaasi on tyytyväinen, että reagoit siihen herkästi. Jos taas kyseessä oli hyökkäysyritys tai sähköpostiväärennös, tapaus selviää heti, koska asiakkaasi ihmettelee, mistä sähköpostista puhut. Win-win.
Tomi Engdahl says:
Common initial attack vectors
How attackers are most apt to get into target companies’ infrastructure.
https://www.kaspersky.com/blog/most-common-initial-attack-vectors/42379/
Tomi Engdahl says:
The Case for Cybersecurity Education for Engineers
https://securityintelligence.com/articles/case-for-cybersecurity-education-engineers/
Engineering and cybersecurity are two distinct disciplines, each demanding its own rigorous education and training. But should there be crossover? Should engineers or engineering students invest in cybersecurity education as well? What are the opportunities for engineers to gain expertise in protecting against threat actors in the software realm?
As the world becomes more complex and the use of cyberattacks grows, the world of cybersecurity benefits more and more from engineering expertise, and vice versa. Here’s why.
Tomi Engdahl says:
NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques
https://us-cert.cisa.gov/ncas/current-activity/2021/10/08/nsa-releases-guidance-avoiding-dangers-wildcard-tls-certificates
Tomi Engdahl says:
US schools gave kids laptops during the pandemic. Then they spied on them
https://www.theguardian.com/commentisfree/2021/oct/11/us-students-digital-surveillance-schools
According to one survey, 81% of teachers in America said their schools monitor devices. Students are not always aware
When the pandemic started last year, countless forms of inequality were exposed – including the millions of American families who don’t have access to laptops or broadband internet. After some delays, schools across the country jumped into action and distributed technology to allow students to learn remotely. The catch? They ended up spying on students. “For their own good”, of course.
According to recent research by the Center for Democracy and Technology (CDT), “86% of teachers reported that, during the pandemic, schools provided tablets, laptops, or Chromebooks to students at twice the rate (43%) prior to the pandemic, an illustration of schools’ attempts to close disparities in digital access.”
The problem is, a lot of those electronics were being used to monitor students, even combing through private chats, emails and documents all in the name of protecting them. More than 80% of surveyed teachers and 77% of surveyed high school students told the CDT that their schools use surveillance software on those devices, and the more reliant students are on those electronics, unable to afford supplementary phones or tablets, the more they are subjected to scrutiny.
Tomi Engdahl says:
Woo Vee Ting
Many businesses now rely heavily on Internet, and many don’t notice it’s significance until something important breaks down.
Experts suggest widespread outages are becoming more frequent and more disruptive.
“One of the things that we’ve seen in the last several years is an increased reliance on a small number of networks and companies to deliver large portions of Internet content,”
Why does the internet keep breaking?
https://www.bbc.com/news/business-58873472
Tomi Engdahl says:
Vakoilee älypuhelimesi sinua? Tee testi
https://etn.fi/index.php/13-news/12689-vakoilee-aelypuhelimesi-sinua-tee-testi
Erilaisten käyttäjää valvovien sovellusten asennukset kasvoivat viime vuonna viisi prosenttia. Jotkut käyttäjät kuitenkin epäilevät, että heidän älypuhelimensa vakoilevat heitä, vaikka he eivät ole asentaneet valvontaohjelmia. NordVPN kehottaa testaamaan, pitääkö tämä paikkansa.
Virtuaaliset avustajat, kuten Siri, Google Assistant tai Alexa, kuuntelevat käyttäjää koko ajan. Tämä on tietysti välttämätöntäkin, jotta avustajat voivat kuulla äänikomennot ja totella niitä. Jotkut käyttäjän mukaan rekisteröidyt asiat on kuitenkin rekisteröity yritysten omaksi hyödyksi, esimerkiksi palvelun laadun parantamiseksi tai markkinointitarkoituksiin.
Kun pyydät Google Assistantia tai Siriä etsimään jotain, näitä tietoja käytetään verkkomainontaan. – Ja viisas, virtuaalinen avustaja on pohjimmiltaan hakukone, sanoo NordVPN:n asiantuntija Daniel Markuson.
NordVPN:n mukaan paras tapa nähdä, auttaako puhelimesi markkinoijia, on luoda ansa. Ensiksi pitää valita jokin aihepiiri. Sen pitäisi olla jotain, jota ei voida yhdistää persoonallisuuteesi, ja olla jotain, josta et koskaan puhu. Sen jälkeen tämä aihe pitää eristää puhelimesta. Puhelinta tai muuta laitetta ei saa käyttää tiedon etsimiseen aiheesta. Kannattaa myös varmistaa, ettet ole koskaan googlettanut aiheesta aiemmin.
Tämän jälkeen pitää valita avainsanat. Kannattaa luoda luettelo avainsanoista, jotka voivat käynnistää hakukoneet. Sen jälkeen pitää puhua aiheesta selvästi puhelimen vieressä. Ei ole väliä, oletko yksin vai puhutko siitä jonkun toisen kanssa muutaman minuutin ajan. Tee tämä muutaman päivän peräkkäin. Varmista, että et etsi aihetta millään muulla tavalla – sinun pitäisi puhua vain siitä.
Kun olet asettanut ansaan, sinun on pidettävä silmällä, ovatko uudet mainokset alkaneet kohdistaa sinua sosiaalisen median tai muiden digitaalisten kanavien kautta. Jos näin on, tämä johtuu siitä, että puhelimesi kuuntelee sinua.
Kun käyttäjät käyttävät virtuaalista avustajaa, he hyväksyvät palveluntarjoajan ehdot. Koska he ovat antaneet suostumuksensa, on laillista seurata keskusteluja Google Assistantin, Sirin, Alexan ja muiden palveluiden kanssa markkinointitarkoituksiin. Kuuntelusta tulee laitonta vain, jos sovellus vakoilee käyttäjää ilman suostumustasi. Siksi on tärkeää tarkistaa tietyille palveluille annetut käyttöoikeudet ja tietää, miten puhelin seuraa sinua
Tomi Engdahl says:
Inside Apple: How macOS attacks are evolving https://blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-macos-attacks-are-evolving/
The start of fall 2021 saw the fourth Objective by the Sea (OBTS) security conference, which is the only security conference to focus exclusively on Apples ecosystem. As such, it draws many of the top minds in the field. This year, those minds, having been starved of a good security conference for so long, were primed and ready to share all kinds of good information. Conferences like this are important for understanding how attackers and their methods are evolving. Like all operating systems, macOS presents a moving target to attackers as it acquires new features and new forms of protection over time.
Tomi Engdahl says:
Azure network security helps reduce cost and risk according to Forrester TEI study https://www.microsoft.com/security/blog/2021/10/12/azure-network-security-helps-reduce-cost-and-risk-according-to-forrester-tei-study/
As organizations move their computing from on-premises to the cloud, they realize that leveraging cloud-native security tools can provide additional cost savings and business benefits to their security infrastructure. Microsoft Azure network security offers a suite of cloud-native security tools to protect Azure workloads while automating network management, implementing developer security operations (DevSecOps) practices, and reducing the risk of a material security breach.
Tomi Engdahl says:
Ransomware cost US companies almost $21 billion in downtime in 2020
https://www.welivesecurity.com/2021/10/11/ransomware-cost-us-companies-almost-21billion-downtime-2020
An analysis of 186 successful ransomware attacks against businesses in the United States in 2020 has shown that the companies lost almost
US$21 billion due to attack-induced downtime, according to technology website Comparitech. Compared to 2019, the number of disclosed ransomware attacks skyrocketed by 245%.
Tomi Engdahl says:
Zero-day hunters seek laws to prevent vendors suing them for helping out and doing their jobs https://www.theregister.com/2021/10/11/cyan_zero_day_legislative_project/
Cybersecurity Advisors Network (CyAN), the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit. Peter Coroneos, CyAN international veep and leader of its new “Zero Day Legislative Project” told The Register the organisation recently staged a virtual meeting of 150-plus security researchers and the topic of aggressive legal responses to disclosures was high on their list of worries.
Tomi Engdahl says:
Why Choke-Point Analysis Is Essential in Active Directory Security https://www.darkreading.com/application-security/why-choke-point-analysis-is-essential-in-active-directory-security
Attackers that want to steal data, deploy ransomware, or conduct espionage must go through a series of steps, from initial access through establishing persistence and lateral movement to eventually exfiltrating the data. Abusing identity attack paths in Microsoft Active Directory (AD) is a popular method for attackers to accomplish several of these steps, including achieving persistence, privilege escalation, defensive evasion, credential access, discovery, and lateral movement.
Tomi Engdahl says:
Why does the internet keep breaking?
https://www.bbc.com/news/business-58873472
I doubt Mark Zuckerberg reads the comments people leave on his Facebook posts. But, if he did, it would take him approximately 145 days, without sleep, to wade through the deluge of comments left for him after he apologised for the meltdown of services last week. “Sorry for the disruption today” the Facebook founder and chief executive posted, following almost six hours of Facebook, WhatsApp and Instagram being offline. Facebook blamed a routine maintenance job for the disruption – its engineers had issued a command that unintentionally disconnected Facebook data centres from the wider internet.
Tomi Engdahl says:
Hackers target the Swiss town of Montreux
https://www.swissinfo.ch/eng/hackers-target-the-swiss-town-of-montreux/47017914
Hackers have carried out a cyber attack against databases belonging to the Montreux authorities in southwestern Switzerland. This follows a similar hack earlier this year against the Rolle municipal authorities, also in canton Vaud. It is unclear whether the latest attack, which was identified on October 10, resulted in data being stolen, Swiss public radio, RTS, reportedExternal link on Monday.
Tomi Engdahl says:
CrowdStrike Launches Falcon XDR, Free Edition of Humio Data Warehouse
https://www.securityweek.com/crowdstrike-launches-falcon-xdr-free-edition-humio-data-warehouse
CrowdStrike made two major announcements at its own Fal.Con (virtual) conference this week, launching a free Community Edition of Humio, and announcing Falcon XDR.
Humio is a data warehouse that excels in speed and scale. The company was bought by CrowdStrike in February 2021 for $400 million. The new free Community Edition of Humio is the first major announcement since that acquisition. It enables users to ingest 16 GB of data per day and retain the data for up to seven days with ongoing access with no limited trial period.
“Humio provides the most powerful capabilities needed for modern observability,” comments George Kurtz, CEO and co-founder of CrowdStrike. “Humio is able to ingest any data, structured or unstructured, in streaming speeds and at scale, unlike any other solution currently available in the market. Humio’s log management platform is unmatched in speed, performance and storage abilities, and Humio Community Edition offers customers unprecedented access to best-in-class log management that you won’t see anywhere else – for absolutely free.”
While Humio is a stand-alone product, it also provides a back end for CrowdStrike’s second announcement: the launch of Falcon XDR. XDR, or eXtended Detect and Response, is a concept introduced by Gartner. Today’s IT infrastructures are complex, with endpoints, data centers, remote workers, SaaS, PaaS and other cloud services. There is no single security solution for this. SIEMs struggle, and SOAR has arguably not taken off. Gartner’s suggestion is effectively that EDR solutions should extend their threat hunting capabilities across the entire ecosphere rather than attempt to integrate multiple different products.
XDR is not intended to replace these products, but to use the threat hunting capability of EDR across everything. Humio’s part in CrowdStrike’s XDR is to provide the data lake of information gathered from other third-party solutions for CrowdStrike’s threat hunting beyond the endpoint.
Tomi Engdahl says:
CISO Forum Panel: Navigating SBOMs and Supply Chain Security Transparency
https://www.securityweek.com/ciso-forum-panel-navigating-sboms-and-supply-chain-security-transparency
At SecurityWeek’s 2021 CISO Forum, a high-powered panel of experts discussed specific ways an SBOM can improve supply chain security and where expectations may be overblown. The conversation covers edge cases that are turning out to be more troublesome than anticipated and what might come next after SBOM and where there are opportunities for innovation (e.g., new tooling or standards) on top of SBOMs.
Protecting the Embedded and IoT Software Build Environment with Software Composition Analysis
https://blackberry.qnx.com/content/dam/bbcomv4/qnx/resource-center/pdf/Whitepaper_Protecting%20the%20Embedded%20and%20IoT%20Software%20Build%20Environment%20with%20Software%20Composition%20Analysis%200122_IIoT_Final.pdf?utm_source=Paid+Search&utm_medium=Google&utm_campaign=Jarvis-wp-sca-iiot-world&utm_source=google&utm_medium=cpc&gclid=EAIaIQobChMI2uynnfTG8wIVhaOyCh0QlAlsEAAYAiAAEgJA2PD_BwE
Tomi Engdahl says:
Cybereason Partners With Google Chronicle on XDR Product
https://www.securityweek.com/cybereason-partners-google-chronicle-xdr-product
Extended Detection and Response (XDR) is touted as the security solution for the increasingly complex modern IT ecosphere. The principle is to extend EDR threat hunting beyond the endpoint and across the entire infrastructure. Cybereason has announced a partnership with Google Chronicle – the latter to provide ecosphere data, and the former to provide the threat hunting capability.
Yonatan Striem-Amit, CTO and co-founder at Cybereason, explains the concept: “Over the last 18 months the old paradigm for what a network looks like has completely changed. Now IT professionals need to secure an insanely complex and heterogeneous environment,” he told SecurityWeek.
“To be effective today, an analyst needs to understand endpoint threats, and network threats, and IoT threats,and e-mail, and SaaS and cloud and its services and infrastructure. Securing all of those with disparate tools becomes an incredibly complex problem.”
For an EDR solution to become an XDR solution, it requires a combination of first accumulating data from the existing IT security stack, and then extending the EDR data analytics to also analyze the accumulated data.
Tomi Engdahl says:
Meeting Backup Requirements for Cyber Insurance Coverage
https://www.securityweek.com/meeting-backup-requirements-cyber-insurance-coverage
Many companies wrongly assume that having backups in the cloud can prevent or reduce the impacts of a ransomware attack
The prevalence of ransomware has had a devastating impact on businesses over the past few years, with insurance underwriters seeing increasingly large ransomware payouts. As a result, some core cyber security hygiene fundamentals are being required by insurers to qualify for coverage.
For example, secure cloud backup has become a hard and fast requirement. Most cyber insurance providers are demanding that companies supply proof of their backup implementation in order to obtain an affordable policy. Furthermore, there are some additional capabilities that must now be implemented with cloud backups in order to pass the underwriting process. These include malware scanning, encryption, segmentation and multi-factor authentication.
Many companies wrongly assume that having backups in the cloud can prevent or reduce the impacts of a ransomware attack. In fact, a recent survey conducted by Ermetic into the security posture of AWS environments and their vulnerability to ransomware attacks found that in every single account tested, nearly all of an organization’s S3 buckets were vulnerable to ransomware.
As a result, insurers do not consider all backup scenarios as acceptable. Underwriters often require that a company’s most sensitive applications be offline, immutable, and clearly catalogued through audit. The use of data has become an essential force multiplier for businesses, but data exposure in turn creates tremendous risks. Whether it is a data lake, business intelligence data warehouse, customer information, or security telemetry, it is essential that organizations protect these crown jewels in a highly secure environment.
Tomi Engdahl says:
Lots and Lots of Bots: Looking at Botnet Activity in 2021
https://www.securityweek.com/lots-and-lots-bots-looking-botnet-activity-2021
botnet today can be used as a foundation for bad actors to carry out other attacks later
Botnets continue to be a major problem for cybersecurity teams. With the growth in sophisticated threats, botnets are becoming more malicious, sometimes able to create hundreds of thousands of drones that can attack a variety of machines, including Mac systems, Linux, Windows systems, edge devices, IoT devices, and so on.
Examining threat trends around botnet activity is helpful because it provides a glimpse into the malicious activities tied to Command and Control tactics. In the first half of 2021, the percentage of organizations detecting botnet activity jumped from 35% to 51%, according to the latest global threat landscape report from FortiGuard Labs.
That increase was led by a surge in the use of TrickBot, which was taken offline in 2020 but came back on the radar in mid-2021, not as prolific as before. Designed initially as a banking trojan but since evolved into a sophisticated, modular and multi-stage toolkit supporting a range of illicit activities. TrickBot certainly wasn’t the only such botnet being used however, as FortiGuard Labs researchers saw.
Tomi Engdahl says:
Mariella Moon / Engadget:
1Password launches Psst!, which lets users share login credentials with just a link — Even those who don’t have a 1Password account. — Password sharing in the workplace and at home is a common practice, but doing so securely can be tricky. 1Password aims to address that with its new feature …
1Password’s new feature lets you safely share passwords using just a link
Even those who don’t have a 1Password account.
https://www.engadget.com/1-passwords-new-feature-will-let-you-securely-share-logins-with-anyone-130044719.html
Tomi Engdahl says:
How To Protect Your Linux Server From Hackers!
https://www.youtube.com/watch?v=fKuqYQdqRIs
Do you have a linux server and do you know how to prevent getting hacked? In this video we will critically discuss a few best practices. The video can be summarized as: “a lot of fluff, not much use”.
Chapters:
00:00 – Intro and Motivation
01:47 – 1. Disable SSH Password Login
03:47 – Detour: Password Login for Websites (https)
04:39 – Password Recommendations
05:33 – 2. Disable Direct root SSH Login
07:07 – Creating user and add to sudo
08:47 – 3. Change Default SSH Port
10:42 – 4. Disable IPv6 for SSH
13:40 – 5. Setup a Basic Firewall
15:43 – 6. Unattended Server Auto Upgrade
19:04 – Conclusion
Protect Linux Server From Hackers
https://liveoverflow.com/protect-linux-server-from-hackers/
Tomi Engdahl says:
Romance scams with a cryptocurrency twist new research from SophosLabs https://nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurrency-twist-new-research-from-sophoslabs/
Sadly, weve needed to write and warn about romance scams and romance scammers many times in recent years. Indeed, in February 2021 we published an article entitled Romance scams at all-time high: heres what you need to know, following a report from the US Federal Trade Commission (FTC), Americas official consumer protection watchdog, warning that romance scammers are making more money than ever before.
Tomi Engdahl says:
The Anatomy of an Attack Against a Cloud Supply Pipeline https://www.paloaltonetworks.com/blog/2021/10/anatomy-ci-cd-pipeline-attack/
The most recent Unit 42 Cloud Threat Report contains the high-level results of a red team exercise performed against a SaaS customers continuous integration and continuous development (CI/CD) pipeline. In other words, a customer asked our researchers to think like attackers, with the aim of revealing vulnerabilities and misconfigurations in their development operations (DevOps) processes. During the red team exercise, researchers took guidance from the strategies and techniques used by the attackers behind the SolarWinds Orion supply chain attack, in order to emulate a real-world threat and assess the security practices against known attacker techniques.
Tomi Engdahl says:
Australia to tackle ransomware data breaches by deleting stolen files https://www.bleepingcomputer.com/news/security/australia-to-tackle-ransomware-data-breaches-by-deleting-stolen-files/
Australia’s Minister for Home Affairs has announced the “Australian Government’s Ransomware Action Plan,” which is a set of new measures the country will adopt in an attempt to tackle the rising threat.
Ransomware is a global problem, and Australian businesses aren’t excluded from costly service-disrupting attacks. In July, the government warned of an escalation of LockBit activity in the country.
Tomi Engdahl says:
Incident Response: 5 Principles to Boost the Infosec/Legal Relationship https://threatpost.com/incident-response-infosec-legal-relationship/175461/
As an information-security professional, would you feel ready to respond to a state attorney in the event of a cyber-incident?. Around half (47 percent) of organizations polled for Krolls The State of Incident Response 2021 report said that their teams lack clarity around when to engage legal counsel about a potential incident. The potential impact of current and emerging cyber-incidents is so great that cybersecurity can no longer remain solely within the scope of an organizations information-security team.
Tomi Engdahl says:
Onko koneessasi haittaohjelma? Näin tunnistat https://www.iltalehti.fi/tietoturva/a/7ce42086-b3af-4008-9225-e4ab450ae93a
Lokakuu on Euroopan kyberturvallisuuskuukausi. Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskus on jakanut sivuillaan tosielämän tapauksen, jossa Patrik Pallagin kone hakkeroitiin. Videolla Pallagi kertoo lainanneensa konettaan kaverilleen, jota hän piti luotettavana. Kun Pallagi avasi koneensa seuraavana päivänä, alkoi se toistaa musiikkia ja esiin ilmestyi ponnahdusikkuna. Ponnahdusikkunassa näkyi edullinen tarjous palvelusta, jota Pallagi käytti usein.
Tomi Engdahl says:
The cost of hiring a hacker on the dark web: report https://www.comparitech.com/blog/information-security/hiring-hacker-dark-web-report/
Comparitech researchers collected more than 100 listings from 12 hacking services to find out how much these mostly illegal services cost, and which seem to be in highest demand. Many of the websites we examined have similar a la carte menus for various black hat services on offer.
Tomi Engdahl says:
Vendor Risk Management Firm Black Kite Raises $22 Million
https://www.securityweek.com/vendor-risk-management-firm-black-kite-raises-22-million
Black Kite, a provider of third-party cyber risk rating services, announced today that it has raised $22 million in a Series B funding round led by Volition Capital, bringing the total raised by the Boston, Mass.-based company to more than $33.1 million.
Black Kite offers a cyber ratings platform that evaluates risk from a technical, financial, and compliance perspective to help customers determine which vendors pose the highest risk to their organization on a continuous and automated basis.
Black Kite LogoBlack Kite leverages commonly used frameworks developed by MITRE to calculate ratings and convert technical terms into letter grades for simplicity. The platform also uses the Open FAIR model to calculate the probable financial impact resulting from a breach at a third-party vendor or partner.
With the additional funding, Black Kite hopes to expand its presence in a growing, yet increasingly competitive market that includes key players such as BitSight, SecurityScorecard, RiskRecon (acquired by Mastercard), UpGuard, Panorays, SecZetta, and others.
Tomi Engdahl says:
OpenSSF Bags $10 Million Investment
https://www.securityweek.com/openssf-bags-10-million-investment
The Linux Foundation has secured a new $10 million investment that will help expand and support the Open Source Security Foundation (OpenSSF).
The funding will help OpenSSF focus on identifying and addressing security vulnerabilities in open source software, thus securing the software supply chain. The foundation is also working on the development of best practices, tooling, training, and vulnerability disclosure practices.
OpenSSF received financial help from tech giants such as Amazon, Cisco, Dell, Facebook, Google, Intel, Microsoft, and Oracle. Other organizations committed to helping the cross-industry collaboration include Aiven, Cybertrust Japan, Deepfence, DTCC, GitLab, Tencent, and Wind River, among others.
Tomi Engdahl says:
Tom Warren / The Verge:
Activision announces the Ricochet anti-cheating system for Call of Duty: Warzone, which uses a PC kernel-level driver and ML to examine player behavior — Activision is cracking down on Call of Duty cheaters — Activision and Raven Software are finally cracking down on cheating in Call of Duty: Warzone.
Call of Duty’s new anti-cheat system includes a kernel-level driver to catch PC cheaters
Activision is cracking down on Call of Duty cheaters
https://www.theverge.com/2021/10/13/22724037/call-of-duty-ricochet-anti-cheat-system-kernel-level-driver?scrolla=5eb6d68b7fedc32c19ef33b4
Activision is finally cracking down on cheating in Call of Duty: Warzone. A new Ricochet anti-cheat system is arriving in both Call of Duty: Warzone and Call of Duty: Vanguard. The system will use a combination of a PC kernel-level driver, machine learning algorithms to examine player behavior, and a “team of dedicated professionals” working to investigate cheaters.
The PC kernel-level driver has been developed internally for the Call of Duty franchise by Activision, and will launch first for Call of Duty: Warzone with the upcoming Pacific update. PC games are increasingly using kernel-level drivers to detect sophisticated cheating, but since they run at such a high level in Windows, there are always privacy concerns surrounding such an approach.
The Ricochet anti-cheat system in Call of Duty will not always be on, according to Activision. That means the kernel-level driver only operates when you open up Call of Duty: Warzone, and the driver will shut down when you exit. The driver itself will monitor processes interacting with Warzone to see if they’re trying to inject code or manipulate the game, and report the results back.
Activision says it has tested the driver across a large range of PCs, and it will be required to play Call of Duty: Warzone when the Pacific map update launches later this year. The kernel-level driver will eventually arrive in Call of Duty: Vanguard “at a later date.”
Call of Duty players will welcome this new anti-cheat effort, even if there will be inevitable questions and concerns over a kernel-level driver.
While Activision has been banning thousands of accounts, cheaters have still been ruining Call of Duty: Warzone for months. Prominent Warzone players have become highly vocal about the problem, forcing Raven Software to communicate more frequently about the cheating issues and promise a full anti-cheat system in August.
Call of Duty: Warzone isn’t the only PC game affected by cheaters, though. Cheating in some of the world’s top PC games has been getting worse over the past year, and aimbots and wallhacks are now common in the industry’s most competitive shooters. Aimbots automatically lock onto opponents, making it easy to hit head shots. Wallhacks expose everyone on a map, so cheaters get a huge advantage by knowing where their opponents are at all times.
The industry has been struggling to combat cheaters even with tools like Easy Anti-Cheat and BattlEye that also use kernel-level drivers. Valorant has had some success with its own custom kernel-level driver, but it’s still a big investment to have teams dedicated to fighting what are effectively hackers and malware authors. It’s a continuous cat and mouse game, as hackers regularly work around protections.
Tomi Engdahl says:
Kyberturvakeskukset täynnä turhia työkaluja
https://etn.fi/index.php/13-news/12691-kyberturvakeskukset-taeynnae-turhia-tyoekaluja
Tietoturvayritys Trend Micron uusi tutkimus paljastaa vakavia haasteita, jotka rajoittavat uusia kyberuhkia etsivien ja niihin varautuvien tietoturvatiimien tehokkuutta. Raportti osoittaa, että globaaleilla organisaatioilla on käytössään keskimäärin 29 kyberturvallisuusratkaisua, joiden suuri määrä vaikeuttaa tietoturvavalvomoiden toimintaa näiden yrittäessä priorisoida hälytyksiä ja hallita kyberriskejä tehokkaasti.
Tutkimukseen osallistuneilla suomalaisilla organisaatioilla on tällä hetkellä käytössä keskimäärin 27 eri kyberturvallisuusratkaisua. Lähes kaksi kolmasosaa eli 62 prosenttia suomalaisista vastaajista kertoo, etteivät he enää juurikaan käytä useimpia näistä.
Työkaluja ei käytetä monista syistä. Yleisin on heikko tai olematon integraatio, jonka mainitsee syyksi 48 prosenttia haastatelluista. Osaajapulan mainitsi neljä kymmenestä (40%), saman verran moitti, ettei työkaluja osata hyödyntää (42 %). 44 prosenttia syytti vanhentuneita työkaluja.
Nämä haasteet voivat käydä kalliiksi: suomalaisten vastaajien mukaan heidän organisaationsa kustannukset voivat nousta yli 140 000 euroon, jos he esimerkiksi rikkovat vahingossa GDPR-tietosuoja-asetuksia. Työkaluvalikoiman hallitsematon paisuminen on yhä yleisempi ongelma kaikenkokoisissa kansainvälisissä organisaatioissa.
Tomi Engdahl says:
A global study
MANAGING THE SECOPS TOOL SPRAWL CHALLENGE
https://www.trendmicro.com/explore/en_gb_soc-research-v2/01056-v1-en-rpt
Tomi Engdahl says:
How Do We Know About New Phishing Attacks? Because Some Human Reported It.
https://www.securityweek.com/how-do-we-know-about-new-phishing-attacks-because-some-human-reported-it
Keep training your people about the newest threats – the power of the collective is a critical element in how to stop phishing
We hear it all the time: “The human is the weakest link!” or “People can’t get their heads around the technology so how can we expect them to know bad when they see it?”
Yeah, right.
The fact is that humans can make all the difference. At the risk of an engineer making observations about humans, I’m going to step out on a limb here and say this: people are exceptionally good at recognizing patterns. And it is through pattern recognition that your people can be trained and equipped to be your best, first line of defense. All your people. From the CEO to the newest intern, I believe everyone can, if given the right equipment, make a substantive difference in our collective security posture.
Going back to the dawn of time, we evolved to recognize and avoid danger. Whether it is someone in the north woods tuned to recognize the tracks of a bear, or an executive in Tokyo wondering why the Microsoft logo is not quite the right color; we are very good at seeing differences in things that we are extremely familiar with. What we need is to take that sensitivity to cybersecurity and arm the masses with the tools to recognize the tracks of the bear. What’s cool about this is we only need one of those educated humans to report what they see, to make a tremendous dent in an ongoing phishing attack. That’s right, just one.
Tomi Engdahl says:
Microsoft Adds Power Platform to Bug Bounty Program
https://www.securityweek.com/microsoft-adds-power-platform-bug-bounty-program
Microsoft this week announced that it is now accepting vulnerability submissions for the Power Platform.
Security researchers who hunt for and report security errors in Power Platform can now earn up to $20,000 in bounty rewards for severe flaws, as part of the recently rebranded Dynamics 365 and Power Platform Bounty Program.
“Through this expanded program, we encourage researchers to discover and report high impact security vulnerabilities they may find in the new Power Platform scope to help protect customers,” Microsoft announced.
Power Platform products in scope of the bug bounty program include Power Apps, Power Automate, Power Virtual Agent, and Power Portals.
https://www.microsoft.com/en-us/msrc/bounty-dynamics
Tomi Engdahl says:
Nations Reveal Ransomware Pain at US-Led Summit
https://www.securityweek.com/nations-reveal-ransomware-pain-us-led-summit
A digital “disaster” in Germany, growing attacks in the United Arab Emirates and even Israel announcing a blitz underway: nations disclosed their struggle Wednesday against cyber-extortionists at a Washington-led anti-ransomware summit.
The United States has convened some 30 countries — with the notable exception of Russia — to boost cooperation in fighting the costly and disruptive attacks that have boomed around the world.
As if on cue, Yigal Unna, director of Israel’s National Cyber Directorate, broke news of the latest incident.
“I can disclose now that Israel is experiencing, as we speak, a major ransomware attack against one of its big hospitals,” Unna said.
If the experiences recounted are any indication, the threat is painful, widespread, and growing.
Germany recalled that this summer, for the first time, a local government in the eastern district of Anhalt-Bitterfeld declared a state of “cyber disaster” after being crippled by a ransomware attack.
The United States has also been hit, especially in the first half of 2021, by numerous ransomware attacks against businesses.
These attacks involve breaking into an entity’s networks to encrypt its data, then demanding a ransom, typically paid in cryptocurrency in exchange for the key to unlock it.
“We talked about… a 70 percent increase year over year in South Korea, 200 percent in the UAE,” said Anne Neuberger, deputy national security adviser for cyber.
Tomi Engdahl says:
VirusTotal Shares Analysis of 80 Million Ransomware Samples
https://www.securityweek.com/virustotal-shares-analysis-80-million-ransomware-samples
At least 130 ransomware families were active in 2020 and in the first half of 2021, according to a recent data analysis from Google’s VirusTotal scanning service.
Analysis of more than 80 million potential ransomware-related samples submitted from 140 countries worldwide reveals that GandCrab has been the most active ransomware family hitting Windows systems since the beginning of 2020.
The analyzed samples were grouped by 30,000 clusters of malware, and GandCrab accounted for 6,000, followed by Cerber with nearly 5,000 clusters, and Congur, with roughly 2,500 clusters.
GandCrab remains the leader even when it comes to the number of different samples submitted to VirusTotal, accounting for 78.5% of them. Babuk, which emerged in early 2021 and was used in the attack on Washington DC Metropolitan Police Department, came in second with 7.61 percent of the submitted samples.
Many of the big ransomware campaigns are short lived, but there’s a constant activity of roughly 100 ransomware families that continues at all times, according to the VirusTotal analysis.
Fresh samples are typically used for new campaigns, with botnets and remote access Trojans (RATs) used as delivery mechanisms. Attackers also use exploits for privilege escalation and for spreading their malware within internal networks.
The VirusTotal analysis also found that most ransomware continues to target Windows systems, as roughly 95 percent of the samples were Windows-based executables or dynamic link libraries (DLLs). Android ransomware accounted for 2 percent of the samples and Google also observed roughly 1 million EvilQuest ransomware samples targeting macOS machines.
RANSOMWAREIN A GLOBAL CONTEXT
https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf
Tomi Engdahl says:
How Coinbase Phishers Steal One-Time Passwords https://krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords
A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.
Tomi Engdahl says:
Analyzing Email Services Abused for Business Email Compromise https://www.trendmicro.com/en_us/research/21/j/analyzing-email-services-abused-for-business-email-compromise.html
Like a number of online attacks and threats that took advantage of the changing work dynamics, business email compromise (BEC) remains one of the cybercrimes that causes the most financial losses for businesses despite the decrease in number of victims. Our continued monitoring of BEC activities showed a consistent increase in numbers during the year
Tomi Engdahl says:
Google analysed 80 million ransomware samples: Here’s what it found https://www.zdnet.com/article/google-analysed-80-million-ransomware-samples-heres-what-it-found/
Google has published a new ransomware report, revealing Israel was far and away the largest submitter of samples during that period. The tech giant commissioned cybersecurity firm VirusTotal to conduct the analysis, which entailed reviewing 80 million ransomware samples from
140 countries. Lisäksi: the report
https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf.
Lisäksi:
https://www.darkreading.com/threat-intelligence/virustotal-shares-data-on-ransomware-activity.
Lisäksi:
https://thehackernews.com/2021/10/virustotal-releases-ransomware-report.html
Tomi Engdahl says:
Google: We’re Tracking 270 State-Sponsored Hacker Groups From Over 50 Countries https://thehackernews.com/2021/10/google-were-tracking-270-state.html
Google’s Threat Analysis Group (TAG) on Thursday said it’s tracking more than 270 government-backed threat actors from more than 50 countries, adding it has approximately sent 50, 000 alerts of state-sponsored phishing or malware attempts to customers since the start of 2021. Lisäksi:
https://blog.google/threat-analysis-group/countering-threats-iran/
Tomi Engdahl says:
DocuSign phishing campaign targets low-ranking employees https://www.bleepingcomputer.com/news/security/docusign-phishing-campaign-targets-low-ranking-employees/
Phishing actors are following a new trend of targeting non-executive employees but who still have access to valuable areas within an organization. As reported by Avanan researchers, half of all phishing emails they analyzed in recent months impersonated non-executives, and 77% of them targeted employees on the same level.
Tomi Engdahl says:
Microsoft releases Linux version of the Windows Sysmon tool https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-linux-version-of-the-windows-sysmon-tool/
Microsoft has released a Linux version of the very popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity.
Microsoft has released a Linux version of the very popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity.
For those not familiar with Sysmon (aka System Monitor), it is a Sysinternals tool that monitors a system for malicious activity and then logs any detected behavior into system log files.
Sysmon’s versatility comes from the ability to create custom configuration files that administrators can use to monitor for specific system events that may indicate malicious activity is occurring on the system.
https://github.com/Sysinternals/SysmonForLinux
Tomi Engdahl says:
Leave no trace: how a teenage hacker lost himself online
https://www.theguardian.com/technology/2021/oct/14/leave-no-trace-how-a-teenage-hacker-lost-himself-online?CMP=Share_AndroidApp_Other
Edwin Robbe had a troubled life, but found excitement and purpose by joining an audacious community of hackers. Then the real world caught up with his online activities
Tomi Engdahl says:
https://www.etteplan.com/stories/3-tips-towards-developing-cybersecure-products
Tomi Engdahl says:
https://www.salkunrakentaja.fi/2021/10/analyysi-nokia-laatuyhtio-tata-vaaditaan/
Tomi Engdahl says:
How effective are security solutions against ransomware?
Testing 11 advanced security solutions against the latest ransomware threats.
https://www.kaspersky.com/blog/ransomware-protection-test-2021/42324/
Tomi Engdahl says:
https://github.com/SamPatt/RCVS-hack
hacking tool to convert and decode HTML source code
Tomi Engdahl says:
Governments planned to misuse CSAM scanning tech even before Apple’s announcement
https://9to5mac.com/2021/10/15/governments-planned-to-misuse-csam-scanning-tech/
Tomi Engdahl says:
https://techcrunch.com/2021/10/15/researchers-show-facebooks-ad-tools-can-target-a-single-user/
Tomi Engdahl says:
An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.
Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.
“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.
LAN cables can be sniffed to reveal network traffic with a $30 setup, says researcher
https://www.theregister.com/2021/10/14/lantenna_ethernet_cable_rf_emissions/
What’s a long length of electrical wire? A transmitter, of course
An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.
Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.
“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.
His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable’s radiations could then be picked up by the SDR (in Guri’s case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.
Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed were secure or otherwise air-gapped from the outside world.
He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.
The academic’s previous research included a technique for turning DRAM into a form of wireless transmitter, as part of his work looking at ways of pwning air-gapped networks.