Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development, and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency, increased reliability, and real-time processing and analytics. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street, for good and for bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored groups and criminal enterprises, are becoming more sophisticated: they search for vulnerabilities and deliver malware by adapting (and automating) machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entry points for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
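As an added illustration of the transitive-dependency problem described above (this is not Google’s or SecurityWeek’s code), the following Python script walks a constructed dependency graph, counts how many artifacts reach the defective library directly or transitively, and lists the intermediate artifacts that must each publish a fixed release before a consumer can get clean by a plain version bump. All artifact names and versions are placeholders; Maven’s nearest-wins conflict resolution is not modelled.

```python
from collections import deque

# Constructed sample graph: artifact@version -> its direct dependencies.
# "log4j-core@2.14.1" stands in for a defective release and "log4j-core@FIXED"
# for a patched one; every other coordinate is a placeholder, not a real
# Maven artifact.
SAMPLE_GRAPH = {
    "log4j-core@2.14.1": [],
    "log4j-core@FIXED": [],
    "logging-shim@1.0": ["log4j-core@2.14.1"],
    "logging-shim@1.1": ["log4j-core@FIXED"],          # shim re-released on the fix
    "http-client@3.2": ["logging-shim@1.0"],            # still pins the old shim
    "report-engine@5.0": ["http-client@3.2", "logging-shim@1.1"],
    "billing-app@1.0": ["report-engine@5.0"],
    "clean-lib@2.0": [],
    "clean-app@1.0": ["clean-lib@2.0", "logging-shim@1.1"],
}
VULNERABLE = {"log4j-core@2.14.1"}


def reverse_edges(graph):
    """Map each artifact to the artifacts that depend on it directly."""
    rev = {node: [] for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, []).append(node)
    return rev


def exposure_depth(graph, vulnerable):
    """Breadth-first walk up the reverse graph from the vulnerable artifacts.

    Returns {artifact: depth}: depth 1 is a direct dependency on a vulnerable
    release, depth 2 is one hop removed, and so on. Clean artifacts are absent.
    "Exposed" means the vulnerable release is reachable at all; a real build
    tool's conflict resolution (Maven nearest-wins) is deliberately not modelled.
    """
    rev = reverse_edges(graph)
    depth = {}
    queue = deque()
    for vuln in vulnerable:
        for dependent in rev.get(vuln, []):
            if dependent not in depth:
                depth[dependent] = 1
                queue.append(dependent)
    while queue:
        node = queue.popleft()
        for dependent in rev.get(node, []):
            if dependent not in depth:
                depth[dependent] = depth[node] + 1
                queue.append(dependent)
    return depth


def blocking_chain(graph, consumer, vulnerable):
    """Shortest dependency chain from consumer down to a vulnerable artifact,
    or [] when consumer is clean."""
    parent = {consumer: None}
    queue = deque([consumer])
    while queue:
        node = queue.popleft()
        if node in vulnerable:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for dep in graph.get(node, []):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return []


def must_rerelease(graph, consumer, vulnerable):
    """Intermediate artifacts on the chain: each one needs a release that no
    longer pulls in the vulnerable artifact before consumer can become clean by
    bumping versions alone (direct consumers need nobody else to move)."""
    return blocking_chain(graph, consumer, vulnerable)[1:-1]


def summarize(graph, vulnerable):
    """Direct vs. transitive exposure counts, as in the Maven Central study."""
    depth = exposure_depth(graph, vulnerable)
    return {
        "direct": sorted(n for n, d in depth.items() if d == 1),
        "transitive": sorted(n for n, d in depth.items() if d > 1),
        "max_depth": max(depth.values(), default=0),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_GRAPH, VULNERABLE))
    for app in ("billing-app@1.0", "clean-app@1.0"):
        print(app, "blocked by:", must_rerelease(SAMPLE_GRAPH, app, VULNERABLE))
```

Note that report-engine@5.0 already adopted the fixed shim but stays exposed through http-client@3.2, which is exactly the patching hiccup the article describes.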
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers’ job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission.”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: (1) Malware, (2) Mobile, (3) Machine Learning and AI, (4) Ransomware (because we simply couldn’t not give it a section of its own), and (5) Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities. While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being redone
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The new Armv9-A architecture, announced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will in principle be available.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will never be finished. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Mobile Malware Attacks Dropped in 2021 but Sophistication Increased
https://www.securityweek.com/mobile-malware-attacks-dropped-2021-sophistication-increased
The number of mobile malware attacks saw a significant drop in 2021, but attacks were more sophisticated, according to the latest mobile malware report from Kaspersky.
The cybersecurity firm’s products detected nearly 3.5 million malicious installation packages on mobile devices in 2021, far less than the 5.7 million detected in the previous year. However, it’s worth noting that the number recorded in 2021 is almost exactly the same as in 2019.
A majority of these infection attempts targeted users in Asian countries, with Iran, China and Saudi Arabia accounting for the highest attack percentages.
Unsurprisingly, a majority of the packages blocked by Kaspersky delivered adware and potentially unwanted software.
When it comes to banking trojans, which accounted for less than 3% of attacks (97,000 malicious installation packages), these threats mostly targeted users in richer countries, such as Japan, Spain, Turkey, France, Australia, Germany, Norway, Italy, Croatia and Austria.
Tomi Engdahl says:
New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls
https://www.securityweek.com/new-cyclops-blink-malware-linked-russian-state-hackers-targets-firewalls
Following the 2018 public exposure of the VPNFilter malware, the Russia-linked Sandworm threat group has developed a replacement malware framework, which has mainly targeted firewall appliances, government agencies in the United States and the United Kingdom warn.
Also referred to as APT28, Fancy Bear, Sednit, Sofacy, and Voodoo Bear, the Sandworm hacking group is believed to be part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Historically, Sandworm has engaged in numerous cyberattacks targeting Ukraine, such as the 2015 BlackEnergy and the 2016 Industroyer attacks, as well as incidents with a broader impact, such as the 2017 NotPetya operation, and the 2018 attacks on the Winter Olympics and Paralympics.
Tomi Engdahl says:
US, UK Warn of Iranian Cyberattacks on Government, Commercial Networks
https://www.securityweek.com/us-uk-warn-iranian-cyberattacks-government-commercial-networks
Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.
Active since at least 2017 and also tracked as Static Kitten, Seedworm, and Mercury, MuddyWater is an advanced persistent threat (APT) actor believed to be a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
Tomi Engdahl says:
New York Plans Cybersecurity Hub to Coordinate Responses
https://www.securityweek.com/new-york-plans-cybersecurity-hub-coordinate-responses
New York wants to improve its cybersecurity defenses and will open a joint operations center in the coming months to coordinate between government agencies, critical businesses and utilities, Gov. Kathy Hochul said Tuesday.
Tomi Engdahl says:
Attacks From Within Seen as a Growing Threat to Elections
https://www.securityweek.com/attacks-within-seen-growing-threat-elections
Election officials preparing for this year’s midterms have yet another security concern to add to an already long list that includes death threats, disinformation, ransomware and cyberattacks — threats from within.
In a handful of states, authorities are investigating whether local officials directed or aided in suspected security breaches at their own election offices. At least some have expressed doubt about the 2020 presidential election, and information gleaned from the breaches has surfaced in conspiracy theories pushed by allies of former President Donald Trump.
Adding to the concern is a wave of candidates for state and local election offices this year who parrot Trump’s false claims about his loss to Democrat Joe Biden.
“Putting them in positions of authority over elections is akin to putting arsonists in charge of a fire department,” said Secretary of State Jocelyn Benson, a Democrat and former law school dean who serves as Michigan’s top elections official.
Experts say insider threats have always been a concern. But previously, the focus was mostly on what a volunteer poll worker or part-time employee could do to a polling place or county system, said Ryan Macias, who advises officials at the federal, state and local levels on election security. Now the potential harm extends to the very foundation of democracy — conducting fair elections.
Tomi Engdahl says:
Are You Prepared for 2022’s More Destructive Ransomware?
https://www.securityweek.com/are-you-prepared-2022s-more-destructive-ransomware
We’re barely into 2022, and already we’re seeing ransomware proliferate. What we saw last year is that while most attacks continue to exploit known vulnerabilities, cybercriminals have also redoubled efforts to target new ones – such as what we saw with Hafnium and new Microsoft Exchange vulnerabilities.
We expect that this year, as a result of the high-profile attacks of 2021, many organizations are finally dedicating time to basic cyber hygiene. And as they continue efforts to patch the one- to three-year-old Common Vulnerabilities and Exposures (CVEs) that most cybercriminals seek to exploit, 2022 will most likely be a record year for the number of CVEs reported – in excess of 22,000, we expect. This will likely raise the high-water mark even further as the attack surface continues to expand. And attackers will start to use those fresh or zero-day vulnerabilities to target unprepared organizations with speed.
Tomi Engdahl says:
3 Steps Security Leaders Can Take Toward Closing the Skills Gap
https://www.securityweek.com/3-steps-security-leaders-can-take-toward-closing-skills-gap
Much has been written about the Great Resignation as its impact is widespread. Sectors including hospitality, food, retail, manufacturing and healthcare have all been affected, making access to goods and services we took for granted hard to come by. You might think that the cybersecurity sector has also felt the pinch, but studies find that’s not the case.
In fact, cybersecurity made some headway as the workforce gap decreased from an estimated 3.12 million in 2020 to 2.72 million in 2021. Still, progress has been too little and, for many organizations, too late, as global cybercrime soars to new heights. The hard truth is that the skills shortage we face has been going on for more than a decade and currently 61% of IT security professionals say their teams are understaffed. To help address staffing challenges in this world, here are three areas for security leaders to consider.
1. Know your audience. Millennials currently make up the bulk of the workforce.
2. Automate with people in mind. For years we’ve hesitated to automate due to the fear of being burned when machines quarantine a system or block a port on a firewall in error.
3. Build organizational memory. Even if your organization is considered a great place to work, people will come and go. If you can capture and retain the institutional knowledge security teams build and have a way to share it with current and new team members, you can maintain continuity and even turn the situation into an opportunity.
HR and talent acquisition teams everywhere are working diligently to fill open cybersecurity positions, but they can’t do it alone. Fortunately, by scoping job descriptions realistically and incorporating automation and intelligence sharing to enable analyst success and growth, there’s a lot that security leaders can do to help close the skills gap in their organizations.
Tomi Engdahl says:
The EU wants secure satellite connections and space debris brought under control
https://etn.fi/index.php/13-news/13198-eu-haluaa-turvalliset-satelliittiyhteydet-ja-avaruusromun-hallintaan
Tomi Engdahl says:
Payment card encrypts its data more tightly
https://etn.fi/index.php/13-news/13220-maksukortti-salaa-datansa-tiukemmin
NXP has introduced a new smart chip in its MIFARE Ultralight series of payment card ICs. The newest chip uses AES encryption and carries a Common Criteria EAL3+ security certification, so sensitive data is better protected than before.
MIFARE Ultralight AES uses encryption with a key length that NIST (National Institute of Standards and Technology) recommends as sufficient for secure authentication and protected data access.
Further details:
Protected data access is based on AES authentication with a 128-bit key length and an optional command counter to limit failed authentication attempts
Configurable secure messaging mode with CMAC for integrity protection
7-byte UID with optional Random ID support improves privacy
ECC-based originality signature enables product validation based on the public key (pre-programmed)
AES-based originality check verifies the origin of the IC, supported by NXP tools
ISO/IEC 14443 A -2 / -3 compliant
144-byte EEPROM user memory
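As an added, simplified model of the authentication features listed above (this is not NXP’s protocol or code), the following Python sketches a card that issues a challenge, verifies the reader’s proof, counts failed attempts until it locks, and then accepts only commands whose MAC and counter check out. A truncated HMAC-SHA256 stands in for the chip’s AES challenge-response and CMAC so the example runs with the standard library alone; the attempt limit and nonce sizes are constructed values.

```python
"""Card-side authentication with a failed-attempt counter and MAC-protected
secure messaging. Added example, not NXP's protocol: HMAC-SHA256 truncated to
128 bits replaces AES / AES-CMAC so only the standard library is needed."""
import hashlib
import hmac
import os

MAC_LEN = 16            # 128-bit tags, to match the 128-bit key length
MAX_FAILED_AUTH = 3     # constructed limit; the chip's counter is configurable


def mac(key, data):
    """Keyed 128-bit tag (truncated HMAC-SHA256; stand-in for AES-CMAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class Tag:
    """Simulated card: shared key, failed-auth counter, lock flag, session."""

    def __init__(self, key):
        self._key = key
        self.failed_auth = 0
        self.locked = False
        self._nonce = None      # outstanding challenge
        self._session = None    # [session_key, next expected command counter]

    def auth_step1(self):
        """Issue a fresh challenge; a locked card refuses to start."""
        if self.locked:
            return None
        self._nonce = os.urandom(16)
        return self._nonce

    def auth_step2(self, reader_nonce, reader_mac):
        """Verify the reader's proof over (card_nonce || reader_nonce).
        A wrong proof bumps the counter; at the limit the card locks for good."""
        if self.locked or self._nonce is None:
            return None
        card_nonce, self._nonce = self._nonce, None
        if not hmac.compare_digest(mac(self._key, card_nonce + reader_nonce), reader_mac):
            self.failed_auth += 1
            if self.failed_auth >= MAX_FAILED_AUTH:
                self.locked = True
            return None
        self.failed_auth = 0
        # Per-session key: command MACs cannot be replayed into a later session.
        self._session = [mac(self._key, b"session" + reader_nonce + card_nonce), 0]
        # Card's half of mutual authentication: proof over (reader_nonce || card_nonce).
        return mac(self._key, reader_nonce + card_nonce)

    def command(self, cmd, counter, tag):
        """Accept a command only when its MAC (session key over counter || cmd)
        verifies and the counter is the next expected one: no replay, no tamper."""
        if self._session is None:
            return "NAK: not authenticated"
        session_key, expected = self._session
        if counter != expected:
            return "NAK: counter"
        if not hmac.compare_digest(mac(session_key, counter.to_bytes(2, "big") + cmd), tag):
            return "NAK: bad mac"
        self._session[1] += 1
        return "ACK " + cmd.decode()


class Reader:
    def __init__(self, key):
        self._key = key
        self.session = None     # [session_key, own command counter]

    def authenticate(self, tag):
        """Drive the two-step exchange and check the card's proof in return."""
        card_nonce = tag.auth_step1()
        if card_nonce is None:
            return False
        reader_nonce = os.urandom(16)
        proof = tag.auth_step2(reader_nonce, mac(self._key, card_nonce + reader_nonce))
        if proof is None or not hmac.compare_digest(proof, mac(self._key, reader_nonce + card_nonce)):
            return False
        self.session = [mac(self._key, b"session" + reader_nonce + card_nonce), 0]
        return True

    def send(self, tag, cmd):
        key, ctr = self.session
        reply = tag.command(cmd, ctr, mac(key, ctr.to_bytes(2, "big") + cmd))
        self.session[1] += 1
        return reply


def demo():
    """Genuine reader succeeds; a replayed counter is rejected; a reader with
    the wrong key exhausts the counter and locks the card."""
    key = os.urandom(16)
    tag, good = Tag(key), Reader(key)
    authed = good.authenticate(tag)
    first = good.send(tag, b"READ 4")
    replay = tag.command(b"READ 4", 0, mac(good.session[0], (0).to_bytes(2, "big") + b"READ 4"))
    bad = Reader(os.urandom(16))
    attempts = [bad.authenticate(tag) for _ in range(MAX_FAILED_AUTH + 1)]
    return authed, first, replay, attempts, tag.failed_auth, tag.locked
```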
Tomi Engdahl says:
EU:n datasäädös palauttaa datan käyttäjän haltuun
https://etn.fi/index.php/13-news/13221-eu-n-datasaeaedoes-palauttaa-datan-kaeyttaejaen-haltuun
Data is the new oil, one often hears. The European Commission has now proposed new rules on who can use and access data generated in the EU across all economic sectors. If enacted, the regulation will change areas of digital business, the rights and opportunities of companies of all sizes, and also the individual user's right to control their own data.
The Data Act proposal includes:
Measures that allow users of connected devices to access the data generated by their devices, which is often collected exclusively by the device manufacturers, and to share that data with third parties to provide aftermarket or other data-driven innovative services. The regulation preserves manufacturers' incentives to keep investing in generating high-quality data, as it addresses the costs of data transfer and excludes the use of shared data in directly competing products.
Measures to rebalance the negotiating power of SMEs by preventing the abuse of contractual imbalances in data-sharing contracts. The Data Act offers protection against unfair contract terms imposed by a party with a stronger bargaining position. The Commission also intends to develop model contractual terms to help SMEs draft and negotiate fair data-sharing contracts.
Means for public sector bodies to access and use data held by the private sector that is necessary in exceptional circumstances, particularly in public emergencies such as floods or wildfires, or to implement a legal mandate if the data is not otherwise available. Data-based insight is needed to react quickly and safely and to minimise the burden on businesses.
New rules allowing customers to switch easily between providers of cloud data-processing services, and introducing safeguards against unlawful data transfer.
Consumers and businesses will gain access to the data of their devices and can use it in aftermarket and value-added services such as predictive maintenance. With the additional information, consumers, farmers, airlines or construction companies, for example, can make better decisions, such as buying higher-quality or more sustainable products and services, which contributes to the goals of the Green Deal.
Tomi Engdahl says:
The European Commission intends to clarify the use of data
https://www.uusiteknologia.fi/2022/02/25/euroopan-komissio-aikoo-selkeyttaa-datatietojen-kayttoa/
The European Commission proposes new rules on who can use and access data generated in the EU across economic sectors. The Data Act aims to safeguard citizens' rights in the digital environment while promoting European data-driven innovation and data availability.
The Commission's new Data Act will play a key role in achieving the digitalisation targets for 2030. The new rules seek new and innovative services as well as more competitive prices for aftermarket services and repair of connected products.
“We want to give consumers and businesses even more control over what can be done with their data. That is why we are clarifying who can access it and on what terms. This is a key digital principle that will help create a solid and fair data-driven economy and achieve the digital transition by 2030,” commented Margrethe Vestager, Executive Vice-President of the Commission for a Europe Fit for the Digital Age, on the proposal.
Tomi Engdahl says:
MITRE Sightings Report Provides Guidance on Key Cyberattack Techniques https://www.fortinet.com/blog/threat-research/mitre-sightings-report-provides-guidance-on-key-cyberattack-techniques
It's common knowledge in the cybersecurity industry that attackers are evolving, and their attacks are becoming more sophisticated. As a result, the harm and cost to targeted victims and organizations are also steadily increasing. This situation demands a smart and innovative response from security practitioners because no organization can defend against every threat. Trying to protect against all the adversarial TTPs (tactics, techniques, and procedures) threat actors deploy would be extraordinarily costly and difficult to maintain for most enterprises.
Tomi Engdahl says:
How the Eastern Europe Conflict Has Polarized Cyberspace https://blog.checkpoint.com/2022/02/27/how-the-eastern-europe-conflict-polarized-cyberspace/
The war between Russia and Ukraine is advancing. People everywhere are deciding who they will support. The same dynamic happens in cyberspace. Hacktivists, cybercriminals, white hat researchers or even technology companies are picking a clear side, emboldened to act on behalf of their choices. Historically, Russia has had superiority over Ukraine in cyberspace. And last week, Ukraine was attacked by destructive wiping malware. However, the situation is starting to change, as most of the non-nation-state cyber actors are taking the side of Ukraine. To defend itself, the Ukrainian government has created an international IT army of hacktivists.
Tomi Engdahl says:
How Microsoft can help reduce insider risk during the Great Reshuffle https://www.microsoft.com/security/blog/2022/02/28/how-microsoft-can-help-reduce-insider-risk-during-the-great-reshuffle/
These are exciting and demanding days for organizations adapting to hybrid work realities, including a wider distributed workforce and more rapid change in employee roles. Organizations are becoming more agile as they refocus on employee onboarding and empowerment, opportunities with third-party partners, and cloud transformation.
These dramatic shifts drive business resilience and upside in a world still coping with pandemic disruptions.
Tomi Engdahl says:
Instagram scammers as busy as ever: passwords and 2FA codes at risk https://nakedsecurity.sophos.com/2022/02/28/instagram-scammers-as-busy-as-ever-passwords-and-2fa-codes-at-risk/
We monitor a range of email addresses related to Naked Security, so we receive a regular (a word we are using here to mean unrelenting) supply of real-world spams and scams. Some of our email addresses are obviously directly associated with various Sophos-related social media accounts; others are more general business-oriented addresses; and some are just regular, consumer-style emails. As a result, we like to think that our personal scam supply is a reliably representative sample of what the crooks are up to.
Tomi Engdahl says:
The report released today is designed to give guidance on building cybersecurity zones and conduits for a railway system https://www.enisa.europa.eu/news/building-cyber-secure-railway-infrastructure
The approach taken is based on the recently published CENELEC Technical Specification 50701 and is complemented with guidance to help railway operators with the practical implementation of the zoning process. The work gathers the experience of the European Rail ISAC and of its members such as European infrastructure managers and railway undertakings, which are Operators of Essential Services (OES) as defined in the Security of Network and Information Systems (NIS) directive, and is designed to help them implement the cybersecurity measures needed in the zoning and conduits processes.
Tomi Engdahl says:
Symantec: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese Threat Actor
https://www.securityweek.com/symantec-super-stealthy-daxin-backdoor-linked-chinese-threat-actor
Threat hunters at Symantec are calling global attention to a new, highly sophisticated piece of malware being used by a Chinese threat actor to burrow into — and hijack data from — government and critical infrastructure targets.
The malware, called Daxin, features “technical complexity previously unseen by such actors” and SecurityWeek sources confirm it is the handiwork of a Chinese threat actor first documented by Microsoft in December 2012.
“Most of the targets appear to be organizations and governments of strategic interest to China. In addition, other tools associated with Chinese espionage actors were found on some of the same computers where Daxin was deployed,” according to public documentation from Symantec’s Threat Hunter Team.
“Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor,” the team declared, warning that Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into an infected network to exfiltrate data without raising suspicions.
Tomi Engdahl says:
https://hackaday.com/2022/02/26/you-break-it-we-fix-it/
Tomi Engdahl says:
https://hackaday.com/2022/02/20/how-a-pentester-gets-root/
https://kaizoku.dev/htb-devoops
Tomi Engdahl says:
Elections GoRansom a smoke screen for the HermeticWiper attack https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/
On February 24, 2022, Avast Threat Research published a tweet announcing the discovery of new Golang ransomware, which they called HermeticRansom. This malware was found around the same time the HermeticWiper was found, and based on publicly available information from security community it was used in recent cyberattacks in Ukraine.
The new ransomware was likely used as a smokescreen for the HermeticWiper attack due to its non-sophisticated style and poor implementation. In this report, we present our analysis of HermeticRansom, which we also call Elections GoRansom.
Tomi Engdahl says:
TCP Middlebox Reflection: Coming to a DDoS Near You https://www.akamai.com/blog/security/tcp-middlebox-reflection
In recent weeks, Akamai researchers began observing multiple distributed denial of service (DDoS) attack campaigns against Akamai customers that had included SYN flooding and high volumes of traffic:
up to 11 Gbps at 1.5 million packets per second (Mpps). Upon examining the TCP packets used in the attack, we realized that they are leveraging a new technique known as TCP Middlebox Reflection.
Tomi Engdahl says:
Nordea: Online bank problems caused by external interference, slowness of services continues https://www.hs.fi/talous/art-2000008650264.html
Nordea's online banking services suffered problems on Monday and Tuesday because of a denial-of-service attack. The disruptions were serious, as some customers could not log in with their online banking credentials at all. Because of the temporary disruption, Nordea's banking credentials and code app cannot be used to authenticate to the online or mobile bank or to other service providers' services, the company said on its website in the morning. Also:
https://www.tivi.fi/uutiset/tv/a9494fc2-b799-40ee-81b7-f3bbd8fb0e22
Tomi Engdahl says:
Digital technology and the war in Ukraine https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/
All of us who work at Microsoft are following closely the tragic, unlawful and unjustified invasion of Ukraine. This has become both a kinetic and digital war, with horrifying images from across Ukraine as well as less visible cyberattacks on computer networks and internet-based disinformation campaigns. We are fielding a growing number of inquiries about these aspects and our work, and therefore we are putting in one place a short summary about them in this blog. This includes four areas: protecting Ukraine from cyberattacks; protection from state-sponsored disinformation campaigns; support for humanitarian assistance; and the protection of our employees. Also:
https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/
Tomi Engdahl says:
Geoblocking when you can’t Geoblock
https://isc.sans.edu/forums/diary/Geoblocking+when+you+cant+Geoblock/28392/
Given recent events, I’ve gotten a flood of calls from clients who want to start blocking egress traffic to specific countries, or block ingress traffic from specific countries (or both). This seems like something the more “aware” organizations have tried quite a while back, and in many cases have tried it and given it up as not so effective. But just this last week we’ve been seeing a flood of folks who are thinking about it as something they need to do NOW. In many cases, depending on your hardware and licensing it’s as simple as a few tickboxes or lines in an ACL. Even freely available firewalls such as pfSense do a good job of this, using MaxMind (look at pfBlockerNG for pfSense).
Tomi Engdahl says:
Documents containing personal identity codes and passport copies have been available for purchase in the PRH information service; nearly 3,500 purchases made https://www.kauppalehti.fi/uutiset/prhn-tietopalvelussa-on-ollut-ostettavissa-henkilotunnuksia-ja-passikopioita-sisaltavia-asiakirjoja-ostoja-tehty-lahes-3500/e279c645-4f81-44fc-849e-8fa28621dbab
This is not a data breach, and the buyers could not have known in advance what the documents they bought contain. The Finnish Patent and Registration Office (PRH) has found that documents containing personal identity codes and passport copies have been available for purchase in the Virre information service. The documents are trade register notifications and their attachments, to which, according to PRH's instructions, the notifying company should have attached only public information, and thus not, for example, personal identity codes.
Tomi Engdahl says:
Axis Communications shares details on disruptive cyberattack https://www.bleepingcomputer.com/news/security/axis-communications-shares-details-on-disruptive-cyberattack/
Axis Communications has published a post mortem about a cyberattack that caused severe disruption in their systems, with some systems still partially offline. The Swedish manufacturer of network cameras, access control systems, and surveillance network appliances suffered a cyberattack on Sunday, February 20, 2021, forcing it to shut down all systems to limit the impact.
Tomi Engdahl says:
Signal Confirms Hack Claims Are Part Of Misinformation Campaign https://www.forbes.com/sites/kateoflahertyuk/2022/03/01/signal-confirms-hack-claims-are-part-of-misinformation-campaign/
Encrypted messaging app Signal has not been hacked, the app maker has confirmed. As Signal use in Eastern Europe increases, rumors had started to circulate that the encrypted messaging app had been hacked. But as misinformation around the Russia-Ukraine conflict escalates, Signal says the hack rumors are part of a coordinated misinformation campaign.
Tomi Engdahl says:
The Value of Penetration Testing ICS/OT Environments https://www.dragos.com/blog/the-value-of-penetration-testing-ics-ot-environments/
When establishing and testing a brand-new cybersecurity program, it can be difficult to know exactly what steps are reasonable to take, and when to take them. In this blog, we will talk about when to begin thinking about a penetration test, and considerations to make when you've decided it's time to order one for your industrial control systems (ICS) and operational technology (OT) environments. Building a cybersecurity program is a marathon, not a race. It can be exciting finally getting to the point of ordering a penetration test, but testing should be considered a late-stage maturity activity. In other words, system owners should make sure that they have the basic building blocks of a cybersecurity program in place before considering a penetration test.
Tomi Engdahl says:
DDoS Attacks Abuse Network Middleboxes for Reflection, Amplification
https://www.securityweek.com/ddos-attacks-abuse-network-middleboxes-reflection-amplification
Threat actors specializing in distributed denial-of-service (DDoS) attacks have started abusing network middleboxes for reflection and amplification, Akamai warns.
The use of misconfigured network middleboxes and censorship systems for DDoS reflection was theorized last year by a group of researchers at the University of Maryland and University of Colorado Boulder.
In their paper, the academics showed that censorship infrastructure could be abused to achieve DDoS amplification ratios of up to 700,000:1. Furthermore, they showed that firewalls and intrusion prevention systems deployed within non-censoring nation-states could also be weaponized.
Although still small compared to other vectors, attacks that abuse the “TCP Middlebox Reflection” technique appear to be growing in popularity, Akamai says. To date, the method has been used against the banking, gaming, media, travel, and web-hosting sectors.
While the first attacks only peaked at 50Mbps, the most recent assaults hit 2.7 gigabytes per second (Gbps) and 11 Gbps, the latter also peaking at 1.5 million packets per second (Mpps).
With hundreds of thousands of middlebox systems worldwide vulnerable to such attacks, an adversary no longer needs access to a large number of compromised systems and the potential for TCP reflection abuse is very high, especially since TCP Middlebox Reflection has been tested and tried.
Mitigation options, however, are relatively easy to implement, Akamai says. Because SYN packets are typically used to initiate the TCP handshake and not for data transmission, any such packet that has a length greater than 0 bytes is suspect and can be used to trigger defenses.
TCP Middlebox Reflection: Coming to a DDoS Near You
https://www.akamai.com/blog/security/tcp-middlebox-reflection
Executive summary
Over the past week, Akamai Security Researchers have detected and analyzed a series of TCP reflection attacks, peaking at 11 Gbps at 1.5 Mpps, that were leveled against Akamai customers.
The attack, amplified with a technique called TCP Middlebox Reflection, abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim machine, creating a powerful DDoS attack.
Middleboxes range from nation-state censors, such as the Great Firewall of China, to corporate enterprise content filtering systems, and can be found globally.
The novel technique was presented in theory last August by researchers from the University of Maryland and the University of Colorado; however, this is the first we’re seeing it live and in the wild.
This type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint.
Some middlebox implementations allow attackers to add SYN, ACK, or PSH+ACK flooding to the attack, on top of the volumetric TCP attack.
Attacks have been observed against organizations in the banking, travel, gaming, media, and web-hosting industries.
Although the current attack traffic is relatively small, we expect to see this type of attack to grow in the future, due to the significant amplification it offers an attacker.
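The mitigation Akamai describes (a SYN segment that carries data is not part of a normal handshake, so any SYN with a payload length greater than zero is suspect) is simple enough to implement at a sensor or an edge filter. The Go program below is an added example written for this page, not Akamai's code: it parses a raw IPv4 packet carrying TCP, derives the payload length from the IP total length, the IHL and the TCP data offset, and flags a pure SYN (SYN set, ACK clear) that carries data. The addresses, the packets and the HTTP request used as the middlebox trigger are constructed for the example; the Host value is a placeholder, not a real filtered domain. Note that the source address in the constructed attack packet is the victim, because that is what the attacker spoofs so the middlebox's reply lands on the victim.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TCP flag bits (low byte of the flags field).
const (
	flagSYN = 0x02
	flagPSH = 0x08
	flagACK = 0x10
)

// Segment holds the IPv4/TCP header fields the heuristic needs.
type Segment struct {
	Src, Dst         [4]byte
	SrcPort, DstPort uint16
	Flags            byte
	PayloadLen       int
}

// parseIPv4TCP extracts header fields from a raw IPv4 packet carrying TCP,
// rejecting anything truncated or malformed rather than guessing.
func parseIPv4TCP(pkt []byte) (Segment, error) {
	var s Segment
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return s, errors.New("not an IPv4 packet")
	}
	ihl, total := int(pkt[0]&0x0f)*4, int(binary.BigEndian.Uint16(pkt[2:4]))
	if ihl < 20 || total > len(pkt) || total < ihl+20 {
		return s, errors.New("truncated or malformed IPv4 header")
	}
	if pkt[9] != 6 {
		return s, errors.New("not TCP")
	}
	copy(s.Src[:], pkt[12:16])
	copy(s.Dst[:], pkt[16:20])
	tcp := pkt[ihl:total]
	doff := int(tcp[12]>>4) * 4 // TCP header length in bytes, including options
	if doff < 20 || doff > len(tcp) {
		return s, errors.New("malformed TCP data offset")
	}
	s.SrcPort, s.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	s.Flags, s.PayloadLen = tcp[13], len(tcp)-doff
	return s, nil
}

// IsMiddleboxReflectionCandidate applies the heuristic: a pure SYN (not a
// SYN+ACK) carrying any payload is not a normal handshake and is suspect.
func IsMiddleboxReflectionCandidate(s Segment) bool {
	return s.Flags&flagSYN != 0 && s.Flags&flagACK == 0 && s.PayloadLen > 0
}

// buildIPv4TCP constructs a minimal packet (no options, checksums left zero)
// so the detector can be exercised offline on constructed input.
func buildIPv4TCP(src, dst [4]byte, sport, dport uint16, flags byte, payload []byte) []byte {
	pkt := make([]byte, 40+len(payload))
	pkt[0] = 0x45 // IPv4, IHL 5 (20 bytes)
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	pkt[8], pkt[9] = 64, 6 // TTL, protocol TCP
	copy(pkt[12:16], src[:])
	copy(pkt[16:20], dst[:])
	tcp := pkt[20:]
	binary.BigEndian.PutUint16(tcp[0:2], sport)
	binary.BigEndian.PutUint16(tcp[2:4], dport)
	tcp[12], tcp[13] = 5<<4, flags // data offset 5 words, flags
	copy(tcp[20:], payload)
	return pkt
}

func main() {
	victim, middlebox := [4]byte{203, 0, 113, 10}, [4]byte{198, 51, 100, 7} // constructed addresses
	// The trigger an attacker spoofs from the victim's address: an HTTP request a
	// content filter will answer with a block page (the Host value is a placeholder).
	trigger := []byte("GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
	samples := map[string][]byte{
		"handshake SYN":       buildIPv4TCP(victim, middlebox, 40000, 80, flagSYN, nil),
		"SYN with payload":    buildIPv4TCP(victim, middlebox, 40000, 80, flagSYN, trigger),
		"normal data PSH+ACK": buildIPv4TCP(victim, middlebox, 40000, 80, flagPSH|flagACK, trigger),
	}
	for name, pkt := range samples {
		s, err := parseIPv4TCP(pkt)
		if err != nil {
			fmt.Println(name, "->", err)
			continue
		}
		fmt.Printf("%-20s payload=%3d bytes suspect=%v\n", name, s.PayloadLen, IsMiddleboxReflectionCandidate(s))
	}
}
```

The same rule expressed for a capture filter is a SYN-only segment whose IP total length exceeds the two header lengths; in practice it is applied at the network edge as a drop or rate-limit, since a legitimate client never sends data before the handshake completes (TCP Fast Open is the one exception, and it is marked by an option rather than a bare SYN with data).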
Tomi Engdahl says:
Three Ways to Defeat Ransomware
https://www.securityweek.com/three-ways-defeat-ransomware
Ransomware is very difficult to stop, mostly because the attackers are adept at locking up a network long before anybody in an organization even sees a ransom note. In many attacks, the malware combines an encryption payload with automated propagation.
This potent combination can be delivered using various attack techniques which enable threat actors to bypass delivery and execution security measures by leveraging compromised credentials. The ransomware is then able to rapidly encrypt the data of one endpoint after another — until a network is crippled.
Over the past few years, the growing sophistication of the ransomware ‘industry’ has spawned niche players and specialized variants. For example, Hades (a variant of WastedLocker) almost exclusively targets large organizations — a practice known as “big game hunting.”
Given the risk, it is hard to believe that many organizations practically invite attacks by leaving Remote Desktop Protocol (RDP) ports open to the internet. Although RDP uses modern encryption, it lacks multi-factor authentication (MFA) in its default state, thereby exposing organizations to attack.
Another self-inflicted weakness is the widespread failure to apply security patches to protect against Common Vulnerabilities and Exposures (CVEs).
How to Prevent and Contain Ransomware Attacks
The first step is to create a robust cyber defense readiness strategy to stop, or at least contain, an attack from the outset. However, because of the multiplicity of access vectors and the diversity of techniques, there’s no magic bullet. Organizations should consider the following preventative measures:
People-related Security
Attack Surface Reduction
Segment Security Architecture
A great way to contain threats in a given area is to implement network segmentation and micro-segmentation. Such segmentation prevents threats or attacks from moving laterally in data centers, clouds, and campus networks. Ideally, every threat is contained in a segment of the network, thus reducing the impact of the ransomware.
Protecting against ransomware is difficult, but not impossible. Armed with the right cyber defense strategy, tools, and security controls, organizations can defend themselves against these attacks. The key weapon in every organization’s arsenal is, of course, knowledge — which has to be nurtured continuously and extensively via hands-on skills development for IT staff.
Tomi Engdahl says:
Makena Kelly / The Verge:
SOTU: Biden asks Congress to pass new rules to enhance child safety on social media, including banning targeted ads to, and data collection of, children
Biden demands Congress protect kids online in State of the Union address
He wants to ban targeted advertising to kids
https://www.theverge.com/2022/3/1/22957505/biden-children-kids-privacy-tech-facebook-instagram-frances-haugen-sotu?scrolla=5eb6d68b7fedc32c19ef33b4
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Symantec details China-linked backdoor Daxin, a Windows kernel driver that can hijack TCP connections to stealthily connect with command-and-control servers
Chinese cyberspies target govts with their ‘most advanced’ backdoor
https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/
Security researchers have discovered Daxin, a China-linked stealthy backdoor specifically designed for deployment in hardened corporate networks that feature advanced threat detection capabilities.
According to a technical report published by Symantec’s Threat Hunter team today, Daxin is one of the most advanced backdoors ever seen deployed by Chinese actors.
One point of differentiation in Daxin is its form, which is a Windows kernel driver, an atypical choice in the malware landscape. Its stealthiness comes from its advanced communication features, which mix its data exchange with regular internet traffic.
“Daxin is, without doubt, the most advanced piece of malware Symantec researchers have seen used by a China-linked actor,” Symantec said in a new report.
“Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.”
Hiding in legitimate network traffic
Backdoors provide threat actors with remote access to a compromised computer system, allowing them to steal data, execute commands, or download and install further malware.
Because these tools are typically used to steal information from protected networks or further compromise a device, they need to involve some form of data transfer encryption or obfuscation to evade raising alarms on network traffic monitoring tools.
Daxin does this by monitoring network traffic on a device for specific patterns. Once these patterns are detected, it will hijack the legitimate TCP connection and use it to communicate with the command and control server.
By hijacking TCP communications, the Daxin malware can hide malicious communication in what is perceived as legitimate traffic and thus remain undetected.
“Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies,” explains the report by Symantec.
Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Espionage tool is the most advanced piece of malware Symantec researchers have seen from China-linked actors.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
New research by the Symantec Threat Hunter team, part of Broadcom Software, has uncovered a highly sophisticated piece of malware being used by China-linked threat actors, exhibiting technical complexity previously unseen by such actors. The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets.
Daxin in detail
Daxin is a backdoor that allows the attacker to perform various operations on the infected computer such as reading and writing arbitrary files. The attacker can also start arbitrary processes and interact with them. While the set of operations recognized by Daxin is quite narrow, its real value to attackers lies in its stealth and communications capabilities.
Daxin is capable of communicating by hijacking legitimate TCP/IP connections. In order to do so, it monitors all incoming TCP traffic for certain patterns. Whenever any of these patterns are detected, Daxin disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange. A successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.
Daxin’s built-in functionality can be augmented by deploying additional components on the infected computer. Daxin provides a dedicated communication mechanism for such components by implementing a device named “\\.\Tcp4”. The malicious components can open this device to register themselves for communication. Each of the components can associate a 32-bit service identifier with the opened \\.\Tcp4 handle. The remote attacker is then able to communicate with selected components by specifying a matching service identifier when sending messages of a certain type. The driver also includes a mechanism to send back any responses.
Tomi Engdahl says:
F-Secure's free tool creates uncrackable passwords
https://etn.fi/index.php/13-news/13244-f-securen-ilmainen-tyoekalu-luo-murtamattomat-salasanat
Cyber security company F-Secure has made available a free online tool for creating very strong passwords for different accounts and services. In just a few seconds, the password generator can create a new password that is strong enough to resist hackers' cracking attempts.
According to Timo Laaksonen, head of F-Secure's consumer business, by now everyone should know that online accounts should be protected with strong and unique passwords. “Every time a site or service is hacked and users' passwords are leaked, we unfortunately all too often see far too easy login credentials, such as 12345 or password1. This new tool makes creating strong and unique passwords for different accounts very easy,” Laaksonen says.
A recent F-Secure study found that since the start of the COVID-19 pandemic, many people have become more dependent on various online services and accounts. More than a third of consumers (38%) reported doing more online shopping on their computers since the crisis began. 32% of consumers said they shopped more on their mobile phones and 31% said they work more from home.
https://www.f-secure.com/en/home/free-tools/password-generator
Tomi Engdahl says:
Free password generator for creating strong credentials
https://www.uusiteknologia.fi/2022/03/01/ilmainen-salasanageneraattori-vahvojen-tunnusten-luomiseen/
Finnish security company F-Secure offers a free online tool for creating very strong passwords for different accounts and services. In a few seconds, the password generator can create a password strong enough to resist hackers' cracking attempts.
A recent F-Secure study found that since the start of the COVID-19 pandemic, many people have become more dependent on various online services and accounts. Protecting accounts with strong, unique passwords is an effective measure against such attacks.
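The two comments above describe a generator whose output is "strong enough to resist cracking attempts". Whether that holds is measurable, and it comes down to two things: the symbols must be drawn uniformly from a cryptographic random source, and the password must carry enough entropy for the attacker's guess rate. The Go program below is an added example written for this page, not F-Secure's tool or its code; the 94-symbol alphabet, the 16-character default and the 1e12 guesses per second attacker rate are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
)

// Alphabet is the symbol set a password is drawn from: the 94 printable ASCII
// characters excluding space (a constructed choice for this example).
const Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// Generate draws n symbols uniformly from alphabet using the OS CSPRNG.
// crypto/rand.Int is unbiased (it rejects out-of-range values and retries),
// unlike the common "random byte modulo alphabet size" shortcut, which
// over-selects the first symbols whenever 256 is not a multiple of the size.
func Generate(n int, alphabet string) (string, error) {
	if n <= 0 || len(alphabet) < 2 {
		return "", errors.New("need n > 0 and at least two symbols")
	}
	out := make([]byte, n)
	size := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, size)
		if err != nil {
			return "", err // no usable randomness: refuse rather than fall back
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is the guessing entropy of a uniformly random password of
// length n over an alphabet of the given size: n * log2(size).
func EntropyBits(n, alphabetSize int) float64 {
	return float64(n) * math.Log2(float64(alphabetSize))
}

// ExpectedCrackYears is the expected time to guess such a password at the given
// rate, assuming the attacker tries half the space on average (an offline
// attack against a fast hash; the rate itself is an assumption, see main).
func ExpectedCrackYears(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits-1) / guessesPerSecond / (365.25 * 24 * 3600)
}

// LengthForBits is the shortest length over an alphabet that reaches targetBits.
func LengthForBits(targetBits float64, alphabetSize int) int {
	return int(math.Ceil(targetBits / math.Log2(float64(alphabetSize))))
}

func main() {
	pw, err := Generate(16, Alphabet)
	if err != nil {
		panic(err)
	}
	bits := EntropyBits(16, len(Alphabet))
	fmt.Printf("%s  (%.1f bits)\n", pw, bits)
	// Assumed attacker: 1e12 guesses/s, roughly a GPU rig against an unsalted fast
	// hash. A slow password hash (bcrypt, scrypt, Argon2) cuts this by orders of magnitude.
	fmt.Printf("expected time to crack at 1e12 guesses/s: %.3g years\n", ExpectedCrackYears(bits, 1e12))
	fmt.Println("length needed for 128 bits over this alphabet:", LengthForBits(128, len(Alphabet)))
}
```

The entropy figure, not the presence of symbols or digits, is what "strong" means: 16 characters over 94 symbols is about 105 bits, and 20 are needed to reach 128. Composition rules only matter when the generator is biased, which is exactly what drawing from crypto/rand with rejection sampling avoids; the same code with math/rand seeded from the clock would produce passwords that look identical and are guessable.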
Tomi Engdahl says:
Crowd-sourced attacks present new risk of crisis escalation https://blog.talosintelligence.com/2022/03/ukraine-update.html
An unpredictable and largely unknown set of actors present a threat to organizations, despite their sometimes unsophisticated techniques.
Customers who are typically focused on top-tier, state-sponsored attacks should remain aware of these highly motivated threat actors, as well. Misattribution of these actors carries the risk of nations escalating an already dangerous conflict in Ukraine. Based on data from our fellow researchers at Cisco Kenna, customers should be most concerned about threat actors exploiting several recently disclosed vulnerabilities, highlighting the importance of consistently updating software and related systems.
Tomi Engdahl says:
Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization https://unit42.paloaltonetworks.com/infusion-pump-vulnerabilities/
Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. We reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks. An alarming 75 percent of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers.
Tomi Engdahl says:
Threat Spotlight: Attacks on Log4Shell vulnerabilities https://blog.barracuda.com/2022/03/02/threat-spotlight-attacks-on-log4shell-vulnerabilities/
The Log4Shell complex of vulnerabilities in the Log4J software has now been publicly known for more than two months. Barracuda researchers analyzed the attacks and payloads detected by our systems since December 10, 2021, and they found that the volume of attacks attempting to exploit these vulnerabilities has remained relatively constant with a few dips and spikes over the past two months. Given the popularity of the software, the exploitability of the vulnerability and the payoff when a compromise happens, we expect to see this attack pattern continue, at least for the short-term.
Tomi Engdahl says:
Companies are Struggling Against a 681% Increase in API Attacks, the Latest State of API Security Report Shows https://salt.security/blog/companies-are-struggling-against-a-681-increase-in-api-attacks-the-latest-state-of-api-security-report-shows
Salt Security today released the latest findings of its bi-annual report on API security trends. Over the past 12 months, attack traffic grew at nearly twice the rate of non-malicious traffic. Empirical data from the Salt Security SaaS cloud platform shows a 681% increase in attack traffic compared to a 321% increase in overall API call volume.
At the same time, 95% of companies surveyed in the latest State of API Security report suffered an API security incident last year.
Tomi Engdahl says:
How a Strong Identity Protection Strategy Can Accelerate Your Cyber Insurance Initiatives https://www.crowdstrike.com/blog/how-identity-protection-can-accelerate-your-cyber-insurance-initiatives/
The growth in frequency and severity of cyberattacks has caused organizations to rethink their security strategies. Major recent security threats, such as high-profile ransomware attacks and the Log4Shell vulnerabilities disclosed in 2021, have led to a greater focus on identity protection as adversaries rely on valid credentials to move laterally across target networks.
Tomi Engdahl says:
NATO cybersecurity center finishes tests of quantum-proof network https://www.zdnet.com/article/nato-cybersecurity-center-finishes-tests-of-quantum-proof-network/
The NATO Cyber Security Centre (NCSC) has completed its test run of secure communication flows that could withstand attackers using quantum computing. Konrad Wrona, principal scientist at the NCSC, told ZDNet that it is becoming increasingly important to create protection schemes against current and future threats. “Securing NATO’s communications for the quantum era is paramount to our ability to operate effectively without fear of interception,” Wrona said.
Tomi Engdahl says:
The Many Faces of Threat Intelligence Part 1: Identifying the Problems
https://www.securityweek.com/many-faces-threat-intelligence-part-1-identifying-problems
Threat intelligence data has become more and more crucial to effective enterprise security practices. Threat intelligence solutions gather raw data and indicators about existing and emerging threat actors and threats. This data is then analyzed with the hope of informing and preparing organizations for cybersecurity risks like zero-day risks, threat actor attacks, advanced persistent threats, and the exploitation of known vulnerabilities. Many organizations view threat intelligence exclusively in this context. They view it as part of the solution to cybersecurity concerns. This is far from the truth.
Let’s start by looking at the different business problems and risks faced by enterprises. Obviously, these problems and their importance will vary based upon industry, organizational size, and go-to-market strategies. The simplest way to begin this exploration is to look at the different intelligence domains and associated risks. Intelligence solutions for enterprise security teams typically break down into the following categories:
● Cyber Threat Intelligence
● Reputation Intelligence
● Fraud Intelligence
● Platform Intelligence
● Protective Intelligence
● Third-Party Intelligence
Cyber Threat Intelligence
The domain that everybody thinks of first is Cyber Threat Intelligence—the domain of cybersecurity teams. Here, threats to the confidentiality, integrity, and availability of data, systems, and networks are all well understood. Identifying digital threats outside firewalls, unmasking insiders within networks, and hunting for threats on the dark web are well-established services.
Frequent use cases include:
● Vulnerabilities and exposure outside the perimeter
● Human behaviors of insider threats
● Data leakage
● Identifying unknown assets with attack surface monitoring
● External threat hunting
● Open-Source Intelligence Research (OSINT) on the open/deep web
Reputation Intelligence
Reputation intelligence is not exclusively concerned with “the brand”. CMOs and their teams are concerned with brand awareness and user sentiment toward products or services with an eye to the impact of that information on go-to-market or product management strategy. Reputation intelligence goes beyond sentiment analysis and looks at threats to the brand that could indicate a coordinated effort by adversaries, insiders, or competitors. Simple keyword searches for negative sentiment across the internet will not achieve this objective and will lead to excessive and often irrelevant findings and noise.
Examples of use cases of concern to enterprises include:
● Disgruntled employees
● Short and distort schemes
● Domain and application spoofing
● Disinformation
Platform Intelligence
Closely related to fraud intelligence and also of concern to trust and safety teams is platform intelligence. It can be used to address adversaries that abuse platforms and negatively impact the consumer experiences and trust in the brand.
Common use cases include:
● Misuse or abuse of credentials
● Counterfeiting APIs
● API manipulation via scripts and bots
● Population manipulation via misrepresentative content syndication
● Gaming the ratings
● Fraudulent department operations
Tomi Engdahl says:
Google Paid Out Over $100,000 for Vulnerabilities Patched by Chrome 99
https://www.securityweek.com/google-paid-out-over-100000-vulnerabilities-patched-chrome-99
Google this week released Chrome 99 to the stable channel with a total of 28 security fixes inside, including 21 for vulnerabilities reported by external researchers.
Nine of the externally reported security holes are rated high severity, the majority of which are use-after-free bugs affecting components such as Cast UI, Omnibox, Views, WebShare, and Media.
Google says it has paid out a total of $33,000 in bug bounties for these five vulnerabilities, including $7,000 for each of the first four issues and $5,000 for the fifth.
A higher bug bounty reward – of $10,000 – was handed out for a heap-buffer overflow issue in ANGLE (CVE-2022-0789).
At $15,000, the highest bug bounty was awarded for a medium-severity use-after-free vulnerability in MediaStream. Google also handed out a $10,000 reward for a medium-severity policy enforcement bug in Installer.
Tomi Engdahl says:
Cyber Incident Disclosure Bill Passes in Senate Amid Fears of Russian Attacks
https://www.securityweek.com/cyber-incident-disclosure-bill-passes-senate-amid-fears-russian-attacks
A recently introduced legislative package whose goal is to strengthen the cybersecurity of critical infrastructure and government networks has passed in the Senate as the U.S. is increasingly concerned about Russian cyberattacks.
As Russia is attempting to invade Ukraine, a war is also taking place in cyberspace and the United States and its allies are concerned that Russia could step up its cyberattacks. Threat groups linked to Moscow have mostly focused on cyberespionage when targeting the West, but they have been known to launch destructive attacks in other parts of the world.
Last month, U.S. senators Gary Peters (D-MI) and Rob Portman (R-OH) introduced a package named Strengthening American Cybersecurity Act of 2022, which combines three bills introduced in the fall of 2021, including the Cyber Incident Reporting Act.
This bill requires critical infrastructure owners and operators, as well as civilian federal agencies, to inform the Cybersecurity and Infrastructure Security Agency (CISA) of any significant cyberattack within 72 hours.
Lawmakers Introduce Combined Bill for Strengthening Critical Infrastructure Security
https://www.securityweek.com/lawmakers-introduce-combined-bill-strengthening-critical-infrastructure-security
Tomi Engdahl says:
Microsoft Defender Takes Aim at Mid-Market
https://www.securityweek.com/microsoft-defender-takes-aim-mid-market
Microsoft this week announced the general availability of Defender for Business, an endpoint security solution aimed at small- and medium-sized businesses (SMBs).
Defender for Business packs anti-malware protection alongside attack surface reduction, endpoint detection and response (EDR), and threat and vulnerability management, and offers support for both desktop and mobile operating systems.
The Redmond, Wash. software maker said the product was designed to help organizations of up to 300 employees stay protected from ransomware and other malicious threats.
Separately, Microsoft announced the integration of Microsoft 365 Lighthouse with Defender for Business to provide customers with security alerts from across tenants.
Tomi Engdahl says:
Maryland Officials Outline Package to Tighten Cybersecurity
https://www.securityweek.com/maryland-officials-outline-package-tighten-cybersecurity
Maryland lawmakers highlighted a package of measures Wednesday to tighten cybersecurity in the state.
Maryland House Speaker Adrienne Jones noted that Baltimore County was one of about 50 school systems across the nation attacked with ransomware in 2020, costing the county millions of dollars. In December, Maryland’s health department was hit by a ransomware attack that impeded information about health metrics relating to COVID-19.
“This package will help give our state agencies and local governments every tool in the toolbox to secure our IT networks and ensure our response to a cyberattack is swift, unified and coordinated,” Jones, a Baltimore County Democrat, said during a videoconference.
One of the measures would increase coordination between state and local governments in cybersecurity.
“Other states have moved toward centralization, and we join them in that move nationally, which makes it easier to address a threat as well as makes it, at least from what we’ve seen, less expensive to then recover from a threat,” said Del. Pat Young, a Baltimore County Democrat.
Tomi Engdahl says:
Ransomware is the biggest headache for companies this year
https://etn.fi/index.php/13-news/13252-kiristyshaittaohjelmat-yritysten-suurin-riesa-taenae-vuonna
Ransomware is without question the most significant threat to organisations' information security in 2022, which is why organisations need to raise their cyber security readiness well in advance. So says Jarno Limnéll, head of Innofactor's cyber security unit. “In the first half of 2021, the number of ransomware attacks grew by as much as 151 percent, so becoming the target of an attack is increasingly likely.”
The threat that ransomware poses to organisations' information security has grown significantly. Attacks occur in ever greater numbers year after year, and in addition the malware is technically more advanced than before. To prepare for the growing threat, organisations must develop their cyber resilience.
According to Limnéll, the most effective way to protect against ransomware is to improve the organisation's cyber resilience, that is, its ability to anticipate, withstand and recover from possible cyber attacks. In addition to technical protection, meaning modern endpoint protection and other information security solutions, a cyber-resilient organisation has also prepared for information security incidents administratively in many ways:
● by creating and implementing an information security policy that defines the organisation's information security practices
● by drawing up an information security incident management plan
● by committing the organisation's management to maintaining a security-positive operating culture
● by maintaining staff awareness of secure working practices
● by keeping the network's systems updated and backing up files regularly
Cyber resilience plays a key role when organisations protect themselves against modern cyber threats in a digitalised society. Maintaining resilience, however, requires continuous work, without which an organisation is more vulnerable to cyber attacks and to their consequences for finances, business and safety.
Tomi Engdahl says:
Ransomware a significant threat to growth
https://www.uusiteknologia.fi/2022/03/03/kiristyshaittaohjelmista-merkittava-uhka-kasvulle/
The threat that ransomware poses to organisations' information security has grown. Attacks occur in ever greater numbers year after year, and in addition the malware is more advanced than before, reports the Finnish company Innofactor, drawing on the World Economic Forum's cybersecurity report.
Jarno Limnéll, head of Innofactor's cyber security unit, urges organisations to prepare for ransomware attacks. Nowadays both small and large organisations can become targets of ransomware, regardless of industry. In addition to financial consequences, a successful breach often causes significant reputational damage, from which recovery can take a long time.
Concern about the damage caused by ransomware comes through in the World Economic Forum's survey, in which cyber security leaders name ransomware specifically as the greatest threat to their organisation's information security.
World Economic Forum cybersecurity report (LINK, pdf)
https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2022.pdf
Innofactor's blog post (LINK)
https://blog.innofactor.com/fi/kiristyshaittaohjelma-uhkaa-organisaatioiden-tietoturvaa
Tomi Engdahl says:
What can bank robberies teach us about the need for physical cyber security?
https://www.information-age.com/bank-robberies-need-for-physical-cyber-security-123498223/
Camellia Chan, CEO and founder of X-PHY, a Flexxon brand, discusses what bank robberies can teach us about the need for physical cyber security
As we witness the so-called ‘tech revolution’, with rapid developments in technology and the digitalisation of previously manual functions, we are also bystanders to a stark increase in cyber security risk. Whilst on a personal level this is alarming, when taking into account the quantity of sensitive data stored by organisations of all sizes, it becomes even more concerning.
Surges in technological development create the perfect environment for cyber crime to flourish. Cyber crime is expected to cost £7.5 trillion annually by 2025, with ransomware, in particular, growing in popularity amongst the nefarious. Even though the news is constantly reporting the fall of notorious cyber crime gangs, they continue to crop up under different guises. With trust between nations on the wane globally, due to a variation of geopolitical reasons – national, organisational and personal security are more important than ever.
In this way, business leaders and security teams need to find quick and durable solutions to prevent organisations from falling victim to cyber crime. And a physical last line of defence in the form of an AI-augmented solid-state drive (SSD) provides an answer.
Anti-virus alone is far from enough
Cyber security firmware, that uses low-level AI programming to analyse data and make intelligent decisions regarding access patterns, can overcome shortcomings in traditional cyber security efforts to mitigate against the potential catastrophic impact of a range of cyber attacks.
In isolation, anti-virus software is not exhaustive protection as it requires human intervention, weakening its function and leaving room for human error. The need to manually update software and disallow threats creates a weak point in the defence system. Through AI-augmented SSD, however, organisations will have mechanisms in place to detect anomalies in data access patterns to fend off cyber threats. It consistently identifies and learns, providing confidence that should attacks make it through the other defensive layers, the most intelligent barrier still stands strong.
Also critical is that businesses need a zero trust framework whereby it’s possible to track and question every single touch point and engagement. Much like a bulletproof vault in a bank, AI-augmented SSD serves to identify any form of threat and react to protect its contents without the need for a user to instruct it to do so.
Tomi Engdahl says:
Zero Trust Model against insider threats with X-PHY® SSD
https://x-phy.com/zero-trust-model-against-insider-threats-with-x-phy-ssd/
Tomi Engdahl says:
2021 Trends Show Increased Globalized Threat of Ransomware
https://www.cisa.gov/uscert/sites/default/files/publications/AA22-040A_2021_Trends_Show_Increased_Globalized_Threat_of_Ransomware_508.pdf
In 2021, cybersecurity authorities in the United States,[1][2][3] Australia,[4] and the United Kingdom[5] observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors.
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.
This joint Cybersecurity Advisory—authored by cybersecurity authorities in the United States, Australia, and the United Kingdom—provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware