Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated, using machine learning, deep learning, artificial intelligence, and other analytic tools to adapt and automate their search for vulnerabilities and their delivery of malware.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings in the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105). CVE-2021-42550, often listed alongside them, is a JNDI issue in the separate Logback library rather than in Log4j.
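The dependency-patching problem described above is easy to check for in your own builds. The following is an added example (not Google's scanner or any Apache tool): it parses lines in the format printed by `mvn dependency:list` (groupId:artifactId:type:version:scope), picks out `org.apache.logging.log4j:log4j-core`, and classifies each version against the fix levels published on Apache's Log4j security page (2.15.0 / 2.12.2 / 2.3.1 close the CVE-2021-44228 RCE on the Java 8 / Java 7 / Java 6 lines; 2.17.1 / 2.12.4 / 2.3.2 also contain the fixes for the three later CVEs). The dependency listing embedded below is constructed for the example, and the script name in the usage note is an assumption.

```python
"""Flag vulnerable log4j-core versions in a Maven dependency listing.

Added example; not Google's scanner or any Apache tool. Reads lines in
the format printed by `mvn dependency:list` and classifies every
org.apache.logging.log4j:log4j-core entry against the fix levels on
Apache's Log4j security page. The listing below is constructed.
"""
import re
import sys

DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):(\w+)")
VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# First release on each maintenance line (Java 8 / Java 7 / Java 6) that
# closes the CVE-2021-44228 JNDI lookup RCE ...
LOG4SHELL_FIXED = {"2": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)}
# ... and the release that also carries the fixes for CVE-2021-45046,
# CVE-2021-45105 and CVE-2021-44832.
FULLY_FIXED = {"2": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)}

# Constructed sample output of `mvn dependency:list` for the example.
SAMPLE = """\
[INFO] --- maven-dependency-plugin:3.2.0:list (default-cli) @ demo ---
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.16.0:test
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.4:runtime
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO]    log4j:log4j:jar:1.2.17:compile
"""


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = VER_RE.match(text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def log4j_core_status(version):
    """CRITICAL: still open to the Log4Shell RCE. UPGRADE: RCE closed but a
    later CVE open. OK: at or past the last fix. NOT-2.X: log4j 1.x or an
    unparsable version; 1.x is a different code base and needs its own check."""
    ver = parse_version(version)
    if ver is None or ver[0] != 2:
        return "NOT-2.X"
    line = "2.12" if ver[1] == 12 else "2.3" if ver[1] == 3 else "2"
    if ver < LOG4SHELL_FIXED[line]:
        return "CRITICAL"
    if ver < FULLY_FIXED[line]:
        return "UPGRADE"
    return "OK"


def scan(listing):
    """Return [(version, scope, status)] for every log4j-core dependency."""
    findings = []
    for line in listing.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        # log4j-api alone is not affected; the JNDI lookup lives in log4j-core.
        if (group, artifact) == ("org.apache.logging.log4j", "log4j-core"):
            findings.append((version, scope, log4j_core_status(version)))
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for version, scope, status in scan(data):
        print(f"log4j-core {version:10} ({scope:8}) {status}")
```

Pipe a real listing in with something like `mvn dependency:list | python3 log4j_check.py` (the file name is whatever you save it as). Two caveats matter in practice: this only sees dependencies Maven knows about, so a log4j-core copy shaded into a fat jar or bundled inside a vendor appliance will not appear, which is exactly why the patching tail is long; and a scope of `test` still matters if the same build feeds a container image.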
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report from the firm Cybersecurity Ventures estimates there were 3.5 million unfilled cybersecurity jobs in 2021, and 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
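The detections listed above (brute-force logins, abnormal credential use) all start from a statistical baseline that needs no machine learning at all, and it is worth seeing what that baseline looks like before buying the AI on top of it. The following is an added example, not code from the CISO MAG article or from any vendor product: a sliding-window count of failed logins per source, a distinct-username count to catch password spraying, and a flag on any success that follows a burst of failures, the event that actually means the guessing may have worked. The log lines are constructed in OpenSSH's auth-log format for the example; the thresholds are arbitrary assumptions.

```python
"""Sliding-window detection of brute-force and password-spray logins.

Added example (not from the CISO MAG article or any vendor product):
the statistical baseline that AI-driven monitoring builds on. The log
lines are constructed in OpenSSH's auth-log format; the thresholds
are assumptions, not recommendations.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source hammers several accounts and finally
# gets in; a second source fails once and then logs in normally.
SAMPLE_LOG = """\
Mar 24 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 24 10:00:03 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 24 10:00:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 24 10:00:06 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 51128 ssh2
Mar 24 10:00:07 bastion sshd[2105]: Failed password for alice from 203.0.113.7 port 51130 ssh2
Mar 24 10:00:09 bastion sshd[2106]: Accepted password for alice from 203.0.113.7 port 51132 ssh2
Mar 24 10:02:10 bastion sshd[2110]: Failed password for bob from 198.51.100.20 port 40210 ssh2
Mar 24 10:02:40 bastion sshd[2111]: Accepted password for bob from 198.51.100.20 port 40212 ssh2
Mar 24 11:30:00 bastion sshd[2200]: Failed password for carol from 192.0.2.9 port 33000 ssh2
"""


def parse(line):
    """Return (timestamp, ip, user, success) or None for non-auth lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; that is fine for deltas inside one
    # window, but Feb 29 would need an explicit year to parse.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["result"] == "Accepted"


def analyze(lines, window=timedelta(minutes=5), fail_limit=5, spray_users=3):
    """Return alerts as (kind, ip, last_user, count), at most one per kind per ip."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures inside window
    raised = set()
    alerts = []

    def alert(kind, ip, user, count):
        if (kind, ip) not in raised:
            raised.add((kind, ip))
            alerts.append((kind, ip, user, count))

    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, user, ok = parsed
        q = recent[ip]
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if ok:
            # A success right after a burst of failures is the alert that
            # needs a human: the account may be compromised.
            if len(q) >= fail_limit:
                alert("success-after-failures", ip, user, len(q))
            continue
        q.append((ts, user))
        if len(q) >= fail_limit:
            alert("brute-force", ip, user, len(q))
        distinct_users = {u for _, u in q}
        if len(distinct_users) >= spray_users:
            alert("password-spray", ip, user, len(distinct_users))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, count in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {ip:15} last user={user:8} count={count}")
```

A real deployment keys the spray rule on the target account as well as the source, because spraying is usually distributed across many source addresses; that per-target, cross-source correlation is where the statistical and ML tooling described in the article earns its keep.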
Mobile phone security is being reworked
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in a TEE (Trusted Execution Environment), an isolated execution mode with its own protected memory. The current standard solution for smartphone security is typically built on Arm’s TrustZone technology. The phone’s own security comes from the TEE, and a secure boot chain usually includes one. The TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by a TEE has not been available in the small microcontroller chips used for embedded applications. Manufacturers have promoted secure boot and memory encryption or flash encryption, but these have been pretty weak solutions. Recently, Arm’s TrustZone-M has introduced a new security model for microcontrollers.
In recent years, this picture has begun to diversify, and a revolution is now underway. Google has launched a keystore technology (Android Keystore) that allows an application to generate a system-maintained key and authenticate to services (it still uses the TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU. In this solution, TEE-type protections are provided by a secure enclave. Using this type of enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device: it is created only for a security task and exits when that task is complete. The difference from the TEE structure, where a second kernel runs all the time alongside the operating system, is significant. When there is no parallel kernel, there is one component less to attack.
In Intel’s SGX, enclave memory comes from a limited, encrypted page cache (the EPC), which restricted how enclaves could be used. Intel has sought to overcome this limitation with the newer TDX (Trust Domain Extensions) technology, which protects whole virtual machines rather than individual application enclaves. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The new Armv9-A architecture, announced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it from technically savvy individuals and criminal organizations to everyone. The new “Everything as a Service” model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are the scams, and the scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in a direction where technology evolves faster and faster, which rather increases the possibility of various disruptions and creates new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will never be finished. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application control policies to combat ransomware extortion
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Extended Detection and Response (XDR) to detect attacks across large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
US, EU Sign Data Transfer Deal to Ease Privacy Concerns
https://www.securityweek.com/us-eu-sign-data-transfer-deal-ease-privacy-concerns
The European Union and United States made a breakthrough in their yearslong battle over the privacy of data that flows across the Atlantic with a preliminary agreement Friday that paves the way for Europeans’ personal information to be stored in the U.S.
President Joe Biden and European Commission President Ursula von der Leyen announced the deal during Biden’s stop in Brussels while on a European tour amid Russia’s war in Ukraine.
Business groups hailed the announcement, saying it will provide relief to thousands of companies, including tech giants like Google and Facebook, that faced uncertainty over their ability to send data between the U.S. and Europe, which has much stricter regulations on data privacy.
Tomi Engdahl says:
A payment card can be cracked in 6 seconds
https://etn.fi/index.php?option=com_content&view=article&id=13334&via=n&datum=2022-03-22_15:45:18&mottagare=30929
Researchers estimate that a payment card can be cracked in just six seconds. A study published by NordVPN analysed 4 million payment cards from 140 countries. The most common way to hack a payment card is brute-force computation. This type of break-in can be carried out in a few seconds.
According to NordVPN’s CTO Marijus Briedis, only brute force explains how such a huge number of payment cards can appear on the dark web. In practice, the criminals essentially try to guess the card number and the CVV code. The first 6–8 digits are the card issuer’s identification number. This leaves hackers 7–9 digits to guess, because the 16th digit is a checksum and is used only to determine whether errors were made when entering the number.
https://nordvpn.com/fi/research-lab/payment-card-details-theft/
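To make the arithmetic in the comment above concrete, here is an added example, not code from NordVPN's study: the Luhn check-digit computation, which shows why the 16th digit is no defence (an attacker computes it rather than guessing it, so it shrinks the search by a factor of ten), the resulting guess space for a given issuer-prefix length, and the issuer-side counter-measure this kind of attack calls for, a velocity limit on declined authorizations. The card numbers used are public test numbers; the `DeclineVelocity` helper and its limits are illustrative assumptions, not any card network's rules.

```python
"""Luhn check digit, brute-force search space and a decline-velocity guard.

Added example, not code from NordVPN's study. The card numbers are
well-known public test numbers; the velocity limits are assumptions.
"""
from collections import defaultdict, deque


def luhn_check_digit(partial: str) -> int:
    """Digit that makes partial + digit pass the Luhn test (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True when the PAN's last digit is its Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and int(pan[-1]) == luhn_check_digit(pan[:-1])


def complete_pan(issuer_prefix: str, account: str) -> str:
    """Build a Luhn-valid PAN from issuer prefix + account digits. This is
    what a brute-forcer does per candidate: the check digit is derived,
    never guessed, so it is no obstacle at all."""
    body = issuer_prefix + account
    return body + str(luhn_check_digit(body))


def guess_space(bin_len: int, pan_len: int = 16, cvv_len: int = 3) -> int:
    """Candidate (PAN, CVV) pairs for one issuer prefix. The check digit is
    excluded because the attacker computes it; expiry date would multiply
    this further and is left out, as in the study's summary."""
    return 10 ** (pan_len - bin_len - 1) * 10 ** cvv_len


def count_valid_completions(prefix: str, tail_len: int) -> int:
    """Try every tail of tail_len digits and count Luhn-valid PANs:
    exactly one in ten pass, whatever the prefix."""
    return sum(luhn_valid(prefix + str(t).zfill(tail_len)) for t in range(10 ** tail_len))


class DeclineVelocity:
    """Issuer-side counter-measure (assumed limits, for illustration): block a
    (BIN, source) pair after `limit` declined authorizations within `window`
    seconds. Real schemes also key on merchant and on the distributed
    pattern across many merchants."""

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit, self.window = limit, window
        self.declines = defaultdict(deque)    # (bin, source) -> decline timestamps

    def record_decline(self, bin_: str, source: str, ts: float) -> bool:
        """Record a decline at time ts; return True once the pair should be blocked."""
        q = self.declines[(bin_, source)]
        q.append(ts)
        while q and ts - q[0] > self.window:     # drop declines outside the window
            q.popleft()
        return len(q) >= self.limit


if __name__ == "__main__":
    print("check digit for 7992739871:", luhn_check_digit("7992739871"))         # 3
    print("4111111111111111 valid:", luhn_valid("4111111111111111"))             # True
    print("guess space, 6-digit BIN:", f"{guess_space(6):,}")                    # 1,000,000,000,000
    print("guess space, 8-digit BIN:", f"{guess_space(8):,}")                    # 10,000,000,000
    print("Luhn-valid among 10,000 tails:", count_valid_completions("411111111111", 4))  # 1000
```

The point of `count_valid_completions` is that Luhn is an integrity check for typing errors, not an authentication secret: every tenth candidate passes, and `complete_pan` shows the attacker never even needs to try the other nine. What does stop the attack is the issuer declining to answer a hundred guesses a second, which is what the velocity guard models.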
Tomi Engdahl says:
You can get into a cybercrime career for a couple of tenners
https://etn.fi/index.php/13-news/13352-verkkorikollisen-uralle-paeaesee-parilla-kympillae
Cybercrime in all its forms continues to grow at a fast pace. One significant factor in the growth is that fully finished malware can be bought on the dark web for trivial sums. A couple of tenners buys a complete malware package; a ransomware program with its source code costs 50 dollars.
Tomi Engdahl says:
Hackers weigh in on programming languages of choice
Small, self-described sample, sure. But results show shifts over time
https://www.theregister.com/2022/03/24/hacker_language_study/
Tomi Engdahl says:
https://hackersonlineclub.com/top-12-cybersecurity-tools-you-should-use/
Tomi Engdahl says:
3 Immutable Operating Systems: Bottlerocket, Flatcar and Talos Linux
https://thenewstack.io/3-immutable-operating-systems-bottlerocket-flatcar-and-talos-linux/
For those who don’t know, immutable operating systems have been increasing in popularity recently. An immutable operating system is one in which some or all of the operating system file systems are read-only and cannot be changed.
Immutable operating systems have a lot of advantages. They are inherently more secure, because many attacks and exploits depend on writing or changing files. Also, even if an exploit is found, bad actors cannot change the operating system on disk (which in itself will thwart attacks that depend on writing to the filesystem), so a reboot will clear any memory-resident malware and recover back to a non-exploited state.
Immutable systems are also easier to manage and update: the operating system images are not patched or updated but replaced atomically (in one operation that is guaranteed to fully complete or fully fail — no partial upgrades!)
Immutable systems also can claim to be more stable than traditional operating systems, simply by virtue of eliminating many of the vectors that introduce instability into a system — most of which are human. No sysadmins can “just change this one setting to fix things” — with unforeseen impacts that aren’t found until hours later. (I’ve been that sysadmin.) No partially complete terraform or puppet runs that leave systems in odd states…
Tomi Engdahl says:
https://www.ecommerce-webs.com/bgp-lab/
Tomi Engdahl says:
Pandemic Leaves Firms Scrambling for Cybersecurity Specialists
Companies have trouble retaining workers, with almost two-thirds of business reporting unfilled positions and massive unmet demand for technical cybersecurity professionals, study shows.
https://www.darkreading.com/remote-workforce/pandemic-leaves-firms-scrambling-for-cybersecurity-specialists
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evolve-to-evade-security-software/
Tomi Engdahl says:
https://techcrunch.com/2022/03/25/daily-crunch-eu-us-reach-agreement-in-principle-on-trans-atlantic-data-flows/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by-malware-gang-to-grow-botnet/
Tomi Engdahl says:
30% of Apache Log4j Security Holes Remain Unpatched
https://thenewstack.io/30-of-apache-log4j-security-holes-remain-unpatched/
Tomi Engdahl says:
Cybersecurity Month campaign reduces Cyber Incidents
https://www.enisa.europa.eu/news/enisa-news/cybersecurity-month-campaign-reduces-cyber-incidents
The deployment report of the European Cybersecurity Month (ECSM) for 2021, is released today and summarises the activities introduced towards reducing cyber incidents.
Tomi Engdahl says:
Tech support fraud is still very much alive, says latest FBI report
https://blog.malwarebytes.com/tech-support-scams/2022/03/tech-support-fraud-is-still-very-much-alive-says-latest-fbi-report/
The FBI’s Internet Crime Complaint Center (IC3) has released its annual report. In 2021, IC3 continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion. Annual report:
https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
Tomi Engdahl says:
Emotet is Back
https://blogs.cisco.com/security/emotet-is-back
Emotet (also known as Geodo and Heodo) is a banking trojan, but it is also modular malware that can be used to download other malware such as Trickbot and IcedID. … Emotet rose again in November 2021, and it has shown more activity in 2022.
Tomi Engdahl says:
Attackers getting faster at latching onto unpatched vulnerabilities for stealth hacking campaigns, report says
https://portswigger.net/daily-swig/attackers-getting-faster-at-latching-onto-unpatched-vulnerabilities-for-stealth-hacking-campaigns-report
Attackers are exploiting security vulnerabilities more quickly, often within a week of their public disclosure, according to a study by Rapid7.
Tomi Engdahl says:
Ransomware Trends: Higher Ransom Demands, More Extortion Tactics
https://www.paloaltonetworks.com/blog/2022/03/ransomware-trends-demands-dark-web-leak-sites/
Today, as we publish our 2022 Unit 42 Ransomware Threat Report, we’re once again reporting that payments hit new records as cybercriminals increasingly turned to dark web “leak sites” where they pressured victims to pay up by threatening to release sensitive data.
Tomi Engdahl says:
Russia facing internet outages due to equipment shortage
https://www.bleepingcomputer.com/news/technology/russia-facing-internet-outages-due-to-equipment-shortage/
Russia’s RSPP Commission for Communications and IT, the country’s largest entrepreneurship union, has warned of imminent large-scale Internet service outages due to the lack of available telecom equipment.
Tomi Engdahl says:
The Elusive Goal of Network Security
https://www.securityweek.com/elusive-goal-network-security
While it’s never perfect, it can always get better
You may have heard there was a recent breach at a major cell phone provider, exposing the personal information of about 40 million people. And what was the public response to this outrage? They yawned.
That hack was just one of thousands of breaches publicly reported in the first six months of 2021, hacks which exposed a total of 18.8 billion records. Most never made it into the evening news. Apparently even criminals are getting bored. Reuters cited a report from Vice saying that the seller had been offering data on 30 million of the mobile phone victims for 6 Bitcoin, or around $270,000. However, later reports suggested that the asking price had slumped, and the entire data cache was being unloaded for just $200.
With so much data theft going on, even as massive a heist as that one fails to generate much public concern. But becoming inured to the loss of privacy and bored about leaks of personal information is itself a great danger. That’s because shrugging off data breaches ignores the fact that in the United States today, just about everything is connected to the internet — and therefore susceptible to attack. Advanced hacking tools, including many developed by U.S. intelligence agencies for their own espionage purposes, have been stolen and made available to hostile countries. In some cases, they have been sold to criminal enterprises over the dark web. These exploitations not only have the ability to siphon off your personal information, they can also be used to shut down the power grid, computer networks, the air traffic control system, banks, water treatment plants, factories, communications, and just about everything else.
In a recent well-documented book with the ominous title “This is How They Tell Me the World Ends,” New York Times cybersecurity reporter Nicole Perlroth explored the secretive market for zero-days – unpatched vulnerabilities discovered in frequently used software, capable of providing covert access to a network – as well as software companions created to exploit those flaws. Sometimes those hacks actually string together a series of zero days. And hostile nations are eager to acquire these tools. But while the offensive capabilities they present are huge, at least in the United States, they have not been matched by developments to defend against them – a dangerous imbalance.
Tomi Engdahl says:
A new study by security company Tessian found that one in four employees (26%) lost their job in the last 12 months after making a mistake that compromised their company’s security.
25% Of Workers Lost Their Jobs In The Past 12 Months After Making Cybersecurity Mistakes: Report
https://www.forbes.com/sites/edwardsegal/2022/03/29/25-of-workers-lost-their-jobs-in-the-past-12-months-after-making-cybersecurity-mistakes-report/
For business leaders, there is never a good time for their employees to make mistakes on the job. This is especially true now for workers who have anything to do with the cybersecurity of their companies and organizations. Given the growing risks of cyberattacks across the world and the increased threats posed by Russia in the aftermath of their invasion of Ukraine, these are certainly perilous times.
Indeed, a new study released today by email security company Tessian found that one in four employees (26%) lost their job in the last 12 months after making a mistake that compromised their company’s security.
Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error
Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT
On average, a U.S. employee sends four emails to the wrong person every month—and organizations are taking tougher action in response to these mistakes that compromise data.
Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person—up from 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020.
Over one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built.
When asked why these mistakes happened, half of the employees said they had sent emails to the wrong person because they were under pressure to send the email quickly—up from 34% reported by Tessian in their 2020 study.
Over 40% of respondents cited distraction and fatigue as reasons for falling for phishing attacks.
More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working, Tessian said.
Josh Yavor, the chief information security officer at Tessian, said, “It’s surprising to see how many more businesses are losing customers over mistakes like employees sending emails to the wrong recipient and also how many more employees are losing their jobs because of these errors.”
Yavor observed that “It’s also surprising to see that people are making more mistakes that compromise security as a result of distraction or fatigue in the last 18 months.
“When you combine these findings with the Zoom fatigue study, carried out by Stanford researchers and referenced in the report, it becomes clear that hybrid working set-ups are significantly impacting people’s cognitive loads and their abilities to stay focused at work.
“So rather than scaring employees into compliance, encourage employees to engage with security by creating positive security experiences so that you can cement a partnership mindset between security teams and staff. Those positive incentives will help combat security nihilism and build stronger security cultures,” he predicted.
Yavor counseled executives to “Consider how stress impacts cybersecurity behaviors, particularly when employees work in a remote or hybrid way, and take steps to mitigate this.”
He thought business leaders should, “Educate employees on advanced phishing attacks – like business email compromise and account takeover—and new channels in which cybercriminals will target them—like smishing. By understanding what to look out for, why they could be a target, and the steps they should take if something doesn’t look right, employees will feel more confident in spotting attacks and reporting them to IT teams.”
Tomi Engdahl says:
Europe’s quest for energy independence and how cyberrisks come into play https://www.welivesecurity.com/2022/03/29/europe-quest-energy-independence-cyber-risks/
Soaring energy prices and increased geopolitical tensions amid the Russian invasion of Ukraine bring a sharp focus on European energy security. It is generally understood that the world is deeply interconnected, especially when it comes to energy supplies and the global energy trade. Maintaining complex, but reliable business and nation-state relationships has been central to ensuring a smooth and sustained functioning of the energy supply chain.
Tomi Engdahl says:
FBI warns election officials of credential phishing attacks https://www.bleepingcomputer.com/news/security/fbi-warns-election-officials-of-credential-phishing-attacks/
The Federal Bureau of Investigation (FBI) warned US election officials on Tuesday of an ongoing and widespread phishing campaign trying to steal their credentials since at least October 2021. “As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials.” In addition:
https://therecord.media/fbi-election-officials-in-at-least-nine-states-received-invoice-themed-phishing-emails-in-2021/
FBI notification: https://www.ic3.gov/Media/News/2022/220329.pdf
Tomi Engdahl says:
Singapore offers certification scheme to tag companies with robust security posture https://www.zdnet.com/article/singapore-offers-certification-scheme-to-tag-companies-with-robust-security-posture/
Cyber Security of Singapore introduces two certification programmes to identify small and midsize businesses that have adopted baseline cybersecurity measures and large enterprises with robust cybersecurity practices.
Tomi Engdahl says:
Supo warns: the threat of serious Russian cyberattacks has grown; Finns should prepare for hostile influence operations
https://yle.fi/uutiset/3-12378792
According to the Finnish Security Intelligence Service (Supo), the biggest threats to national security are Russia’s wide-ranging influence activities against Finland and illegal intelligence gathering.
The terrorist threat remains at the previously elevated level.
Tomi Engdahl says:
With War Next Door, EU is Warned on Cybersecurity Gaps
https://www.securityweek.com/war-next-door-eu-warned-cybersecurity-gaps
As Russia’s invasion of Ukraine accelerates European Union defense cooperation, a watchdog said Tuesday that EU institutions face vulnerabilities on another front: cybersecurity.
The warning by the European Court of Auditors covers the wide range of EU bodies — from the executive arm based in Brussels to specialist agencies located across Europe — that run the 27-nation bloc’s day-to-day business.
“The EU must step up its efforts to protect its own organizations,” Bettina Jakobsen, a member of the ECA, said in a statement accompanying a special report on cyberthreats. “Such attacks can have significant political implications.”
Cyberattacks against EU bodies are increasing “sharply,” with major incidents jumping more than tenfold between 2018 and 2021, according to the Luxembourg-based ECA.
Cybersecurity has jumped up the political agenda in Europe following attacks in recent years that targeted EU nations such as Germany and other industrialized countries including the United States, Britain and Australia.
In 2020, the EU imposed cyber sanctions for the first time, blacklisting a number of Russian, Chinese and North Korean hackers.
Nonetheless, the European auditors said Tuesday that EU organizations were failing to enact some “essential” cybersecurity controls and underspending in this area. The auditors also alleged a lack of “systematic” cybersecurity training and information sharing.
EU entities as a whole handle political, diplomatic, financial, economic and regulatory matters. The spectrum of activities underpins the bloc’s status as a geopolitical force, a global setter of industrial rules and the world’s most lucrative single market.
The sensitive information processed by EU bodies makes them attractive targets for hackers, according to the report, which said the risks have grown as a result of remote working prompted by the COVID-19 pandemic.
“This has considerably increased the number of potential access points for attackers,” the ECA said.
Tomi Engdahl says:
Cloaked Snags $25M Funding to Tackle Data-Sharing Privacy
https://www.securityweek.com/cloaked-snags-25m-funding-tackle-data-sharing-privacy
A Boston startup has raised $25 million in early-stage funding to tackle the erosion of privacy in today’s data sharing ecosystems.
The startup, called Cloaked, said the Series A investment was co-led by Lux Capital and Human Capital and will be used to exit beta and drive growth in a competitive marketplace.
Founded by two brothers, Arjun and Abhijay Bhatnagar, Cloaked is promising to help users change the way data is provided to online services.
Instead of sharing personal information like a phone number, email, or credit card with websites, Cloaked is providing an app and browser extension to let users create unlimited, unique identities.
“Cloaked creates instant identifiers and smart settings to make it easy for individuals to choose what, when, where and with whom they share information. When browsing online or in-person, Cloaked automatically generates unique email addresses, phone numbers, credit cards, passwords, and other account information,” the company explained.
“With every account sign up, [Cloaked] creates a new, encrypted database for every user where all personal information is stored, giving them the keys and control to manage or delete at any point,” it added.
Tomi Engdahl says:
A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages
https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html
A threat actor dubbed “RED-LILI” has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules.
“Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks,” Israeli security company Checkmarx said. “As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot.”
The findings build on recent reports from JFrog and Sonatype, both of which detailed hundreds of NPM packages that leverage techniques like dependency confusion and typosquatting to target Azure, Uber, and Airbnb developers.
“As supply chain attackers improve their skills and make life harder for their defenders, this attack marks another milestone in their progress,” the researchers said. “By distributing the packages across multiple usernames, the attacker makes it harder for defenders to correlate [and] take them all down with ‘one stroke.’ By that, of course, making the chances of infection higher.”
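The RED-LILI write-up above describes the defender’s problem in terms of registry metadata: many packages, each published by a fresh account, spread across names that are typosquats or collide with private scopes. The script below is an added example (it is not Checkmarx, JFrog or Sonatype tooling) that audits a package.json offline for exactly those signals: names within one edit of a popular package, scoped packages whose scope is not pinned to a private registry in .npmrc while a public package of the same name exists (dependency confusion), install-time hooks, and packages published days ago by a single maintainer. The package.json, .npmrc, popular-package list and registry snapshot are all constructed for the demo; REGISTRY only mirrors the fields a real registry document carries (maintainers, time.created, versions[v].scripts), so a production version would fetch those from the npm registry API instead.

```python
"""Offline audit of a package.json for npm supply-chain red flags.
Added example; all inputs below are constructed, not real packages or accounts."""
import json
from datetime import datetime, timedelta

# --- constructed sample inputs -------------------------------------------------
PACKAGE_JSON = json.dumps({
    "name": "billing-ui",
    "dependencies": {
        "lodash": "^4.17.21",
        "lodahs": "1.0.0",             # one transposition away from lodash
        "@acme/auth-client": "2.1.0",  # internal scope that also exists publicly
        "colour-log": "0.0.3",         # fresh package that runs code on install
    },
})
NPMRC = ""  # no "@acme:registry=..." line, so the scope resolves on the public registry
POPULAR = {"lodash", "express", "react", "axios", "chalk", "debug"}
NOW = datetime(2022, 3, 30)
# Trimmed shape of an npm registry document (constructed data).
REGISTRY = {
    "lodash": {"maintainers": ["m1", "m2"], "time": {"created": "2012-04-23"},
               "versions": {"4.17.21": {"scripts": {}}}},
    "lodahs": {"maintainers": ["acct-8812"], "time": {"created": "2022-03-28"},
               "versions": {"1.0.0": {"scripts": {"preinstall": "node setup.js"}}}},
    "@acme/auth-client": {"maintainers": ["acct-8813"], "time": {"created": "2022-03-27"},
                          "versions": {"2.1.0": {"scripts": {"postinstall": "node index.js"}}}},
    "colour-log": {"maintainers": ["acct-8814"], "time": {"created": "2022-03-29"},
                   "versions": {"0.0.3": {"scripts": {"install": "sh ./run.sh"}}}},
}
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: a transposition
    such as lodash -> lodahs counts as one edit, where plain Levenshtein says two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def private_scopes(npmrc):
    """Scopes that .npmrc routes to a private registry ("@acme:registry=https://...")."""
    scopes = set()
    for line in npmrc.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scopes.add(line.split(":registry=", 1)[0])
    return scopes


def audit(package_json, npmrc, registry, popular, now, max_age_days=30):
    """Return (package, reason) findings for every dependency in package_json."""
    deps = json.loads(package_json).get("dependencies", {})
    scopes = private_scopes(npmrc)
    findings = []
    for name, spec in deps.items():
        version = spec.lstrip("^~=")  # enough for exact, caret and tilde specs
        # 1. typosquat: within one edit of a popular name, and not that name itself
        if name not in popular:
            for p in sorted(popular):
                if osa_distance(name, p) <= 1:
                    findings.append((name, f"typosquat candidate for '{p}'"))
                    break
        # 2. dependency confusion: scope not pinned to a private registry while a
        #    public package with the same name exists
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope not in scopes and name in registry:
                findings.append((name, f"scope {scope} not pinned to a private registry; public package exists"))
        doc = registry.get(name)
        if doc is None:
            continue
        # 3. install-time hooks run arbitrary code during `npm install`
        scripts = doc["versions"].get(version, {}).get("scripts", {})
        hooks = sorted(k for k in scripts if k in INSTALL_HOOKS)
        if hooks:
            findings.append((name, "install hook(s): " + ", ".join(hooks)))
        # 4. the one-fresh-account-per-package pattern described in the report
        age = now - datetime.fromisoformat(doc["time"]["created"])
        if len(doc["maintainers"]) == 1 and age <= timedelta(days=max_age_days):
            findings.append((name, f"single maintainer, published {age.days} days ago"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit(PACKAGE_JSON, NPMRC, REGISTRY, POPULAR, NOW):
        print(f"{pkg:20} {reason}")
```

On the constructed input the audit flags lodahs, @acme/auth-client and colour-log and leaves lodash alone; adding the line `@acme:registry=https://npm.acme.example/` to .npmrc removes the dependency-confusion finding, which is the fix the technique implies. None of the four heuristics is proof of malice on its own; together they are the correlation the researchers say per-package accounts were meant to defeat.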
Tomi Engdahl says:
Why Bullying Employees Into Compliance Won’t Work
https://www.securityweek.com/why-bullying-employees-compliance-wont-work
Security leaders need to understand that people working from home require more than technological support to improve security
The majority of compromises start from human error – such as falling for a phishing attack. But despite increased awareness spending and training, such failures are continuing and the effects are worsening – and it may partly be due to the new hybrid home/office work paradigm.
Email security firm Tessian surveyed 2,000 security professionals (1,000 in the US and 1,000 in the UK) aged from 18 to 51+ for the latest edition of its Psychology of Human Error (PDF) report. It found that mistakes are still being made, but more are unreported than they were two years ago – that is, before the pandemic accelerated the move to hybrid working.
More than a quarter of the employees fell for a phishing email. More than one half of these said the email impersonated a senior executive at their company – which was a 41% increase over 2020.
Two-fifths of employees have sent an email to the wrong person, leading to the business loss of a client or customer in almost one-third of cases. According to Tessian, 21% of employees who made a cybersecurity mistake lost their job. This may partly explain the most worrying statistic: the number of employees who did not report their mistake to the IT team rose from 16% to 21%.
The continuing success of social engineering attacks is partly due to more advanced malicious techniques, and partly due to the different pressures of home working. Two recognized effects of remote working are ‘presenteeism’ and ‘distraction’. The former is the tendency to work longer hours to avoid any perception of slacking. This leads to tiredness. The latter is inevitable when kids and pets may continually interrupt.
The result is an unrecognized cognitive overload that is more likely to be experienced in the home environment than in the office environment. The human brain is only capable of processing a certain amount of information – it cannot handle both work and distractions simultaneously. Switching between the two – especially when tired – can lead to mistakes.
“With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue – something they didn’t face two years ago,” says Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University. “When distracted and fatigued, people’s cognitive loads become overwhelmed and that’s when mistakes happen.”
Security leaders need to understand that people working from home require more than technological support to improve security. More than ever, security is a people problem, and the people as well as their devices require additional support.
“This requires earning the trust of employees,” explains Tessian’s CISO, Josh Yavor. “Bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions.”
Tomi Engdahl says:
Gaining and Retaining Security Staff in The Age of the Great Resignation
https://www.securityweek.com/gaining-and-retaining-security-staff-age-great-resignation
Tomi Engdahl says:
White House Proposes $10.9 Billion Budget for Cybersecurity
https://www.securityweek.com/white-house-proposes-109-billion-budget-cybersecurity
The White House on Monday unveiled President Joe Biden’s $5.8 trillion budget plan for fiscal year 2023, and cybersecurity appears to be a key priority, with a significant increase in spending compared to the previous year.
The president’s budget request includes roughly $10.9 billion for civilian cybersecurity-related activities, which represents an 11% increase compared to 2022.
A large chunk of that amount — specifically $2.5 billion — has been allocated to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). That is nearly $500 million more than in the previous year.
The funding should help improve the protection of federal infrastructure and service delivery against sophisticated cyber threats, including to “maintain critical cybersecurity capabilities implemented in the American Rescue Plan; expand network protection throughout the Federal executive Branch; and bolster support capabilities, such as cloud business applications, enhanced analytics, and stakeholder engagement.”
The budget should also help the Office of the National Cyber Director improve “national coordination in the face of escalating cyber attacks on Government and critical infrastructure.” In addition, funding has been allocated to improving the safety and security of elections, and creating public-private partnerships.
Much of the funding is dedicated to goals outlined in the cybersecurity executive order signed by President Biden in May 2021. Some of the initiatives described in the executive order were announced earlier this year, including one related to boosting the cybersecurity of National Security Systems, a federal zero trust strategy, and a cyber safety review board.
Tomi Engdahl says:
US Brands Russian Cybersecurity Firm Kaspersky ‘Security Threat’
https://www.securityweek.com/us-brands-russian-cybersecurity-firm-kaspersky-security-threat
US regulators have deemed antivirus software maker Kaspersky a “threat to national security,” a designation that will restrict its dealings in the United States.
The Federal Communications Commission has added Kaspersky to a threat list — which blocks paying the firm with certain US government subsidies — that also includes Chinese companies like Huawei and ZTE.
The FCC’s statement released Friday did not mention Russia’s invasion of Ukraine, but Kaspersky responded to the designation by saying it was imposed “on political grounds.”
“This decision is not based on any technical assessment of Kaspersky products,” the firm added in a statement.
German cyber security agency BSI urged consumers earlier this month against using Kaspersky’s antivirus software, warning that the company could be implicated — willingly or unwillingly — in hacking assaults amid Russia’s war in Ukraine.
Tomi Engdahl says:
https://www.securityweek.com/russia-ukraine-and-danger-global-cyberwar
Tomi Engdahl says:
Google, Microsoft aim to make their cloud environments more secure as cyberattacks increase
https://www.cnbc.com/2022/03/29/google-microsoft-ramp-up-cloud-security-as-cyberattacks-increase.html
KEY POINTS
Amazon Web Services (AWS), Microsoft Azure and Google Cloud have all made acquisitions in the cybersecurity space over the past year.
By 2025, Gartner predicts more than 95% of new digital workloads will be deployed on cloud-native platforms, up from just 30% in 2021.
The Cloud Security Alliance (CSA) earlier this month launched a countdown to April 14, 2030, the date by which CSA estimates a quantum computer will be able to break present-day cybersecurity infrastructure.
When cybersecurity company Mandiant announced in early March that it had entered into a definitive agreement to be acquired by Google in a transaction valued at about $5.4 billion, it marked the latest sign that security expertise and capabilities have become critical for effective cloud service operations.
All three of the biggest public cloud providers — Amazon Web Services (AWS), Microsoft Azure and Google Cloud — have made acquisitions in the cybersecurity space over the past year — and it’s quite possible others will follow as these companies look to shore up their data protection efforts.
Tomi Engdahl says:
Ministerial group meets on cybersecurity: cyber defence “fends off threats every day”
https://www.kauppalehti.fi/uutiset/ministeriryhma-koolla-kyberturvallisuudesta-kybersuojaus-torjuu-uhkia-joka-paiva/a25907e1-beea-4829-b927-e16b696cb94d
The ministerial working group on digitalisation, the data economy and the development of public administration decided at its meeting on 14 March to start preparations for improving cybersecurity and the preparedness of public administration.
The ministerial group met for the second time on Friday 18 March and discussed the measures needed to improve cybersecurity. According to the Ministry of Transport and Communications, the level of cybersecurity preparedness in Finland is good; preparedness has a long and well-functioning tradition. According to the press release, however, there is room for improvement, for example in the cybersecurity of the municipal sector and of information and communication systems.
Tomi Engdahl says:
Franchises, partnerships emerge in Ransomware-as-a-Service operations https://www.zdnet.com/article/franchises-partnerships-emerge-in-ransomware-as-a-service-operations/
RaaS has arguably become one of the most prolific and dangerous threats to enterprise security today. Cybercriminals have worked out that they can make serious profits from leasing out their ransomware creations, and especially if it is used against large companies able to pay high ‘ransom’ payments to have their data decrypted after a successful infection. On Friday, KELA published a report on ransomware operators’ overall trends and movements over 2021. The cybersecurity firm says that the number of major organizations tracked as ransomware victims increased from 1460 to 2860, with many appearing on ransomware leak sites and negotiation platforms.
Tomi Engdahl says:
From BlackMatter to BlackCat: Analyzing two attacks from one affiliate https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
BlackCat ransomware, also known as “ALPHV,” has quickly gained notoriety for being used in double ransom (encrypted files and stolen file disclosure) attacks against companies. It first appeared in November 2021 and, since then, several companies have been hit across the globe. However, more than 30 percent of the compromises happened to U.S.-based companies. While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021.
Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants.
Tomi Engdahl says:
Scans for Movable Type Vulnerability (CVE-2021-20837) https://isc.sans.edu/forums/diary/Scans+for+Movable+Type+Vulnerability+CVE202120837/28454/
Yesterday, our honeypots started seeing many requests scanning for the Movable Type API. Movable Type is a content management system comparable to WordPress or Drupal. Unlike the other two written in PHP, Movable Type uses a Perl backend. Movable Type also has no free version available. Late last year, Movable Type patched a critical vulnerability in its API, CVE-2021-20837. Exploiting this vulnerability, an attacker could execute arbitrary code on the server.
The vulnerability exploitation is trivial, and exploits have been available for quite a while. Oddly, it took that long to see mass scanning for the vulnerability.
Tomi Engdahl says:
How to protect RDP
https://blog.malwarebytes.com/security-world/business-security-world/2022/03/protect-rdp-access-ransomware-attacks/
Over the last five years, one of the primary attack vectors for ransomware attacks has been the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, a tool for remotely controlling a PC that gives you all the power and control you would have if you were actually sitting behind it, which is what makes it so dangerous in the wrong hands. If you want to deploy software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol, with a client that comes pre-installed on Windows systems and is also available for other operating systems.
There are a few things you can do to make it a lot harder to gain access to your network over unauthorized RDP connections.
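Hardening RDP is only half of the picture; the other half is noticing when someone is guessing passwords against it. The script below is an added example, not code from the Malwarebytes article, that runs the usual detection logic over Windows Security log events: group failed logons (event 4625) per source address, alert when a source exceeds a threshold inside a sliding time window, distinguish a spray across many accounts from brute force against one, and escalate when the same source then succeeds with an RDP logon (4624, logon type 10). The events are constructed in the shape a SIEM export of Security.evtx gives. One assumption the code relies on, and a point worth knowing when you write your own rule: with Network Level Authentication enabled, a wrong password is rejected by CredSSP before a session exists and is logged as logon type 3 (network), not type 10, so a rule that only watches type 10 will miss the guessing and see only the eventual success.

```python
"""Detect RDP password guessing in Windows Security log events.
Added example; EVENTS are constructed, not taken from a real host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (an RDP session). With NLA enabled a bad
# password is refused by CredSSP before a session exists and shows up as LogonType 3.
EVENTS = [
    # one source spraying four accounts in two minutes, then getting in as "backup"
    {"TimeCreated": "2022-03-29T01:00:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2022-03-29T01:00:20", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2022-03-29T01:00:45", "EventID": 4625, "LogonType": 3, "TargetUserName": "backup", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2022-03-29T01:01:10", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2022-03-29T01:01:30", "EventID": 4625, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2022-03-29T01:02:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "backup", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2022-03-29T01:02:30", "EventID": 4624, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"},
    # a slow scanner: four failures spread over an hour, below the window threshold
    {"TimeCreated": "2022-03-29T02:00:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "test", "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2022-03-29T02:20:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "test", "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2022-03-29T02:40:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "test", "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2022-03-29T03:00:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "test", "IpAddress": "198.51.100.9"},
    # a legitimate user who mistypes twice and then logs on
    {"TimeCreated": "2022-03-29T08:00:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2022-03-29T08:00:40", "EventID": 4625, "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2022-03-29T08:01:05", "EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    # a console (LogonType 2) failure, which the RDP rule must ignore
    {"TimeCreated": "2022-03-29T09:00:00", "EventID": 4625, "LogonType": 2, "TargetUserName": "bob", "IpAddress": "-"},
]


def _t(e):
    return datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%S")


def detect(events, threshold=5, window=timedelta(minutes=5), rdp_types=(10, 3)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP-type
    logons inside `window`; severity is raised when the same source later logs on."""
    fails = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] in rdp_types:
            fails[e["IpAddress"]].append(e)
    alerts = {}
    for ip, evs in fails.items():
        evs.sort(key=_t)
        start = 0
        for end in range(len(evs)):
            while _t(evs[end]) - _t(evs[start]) > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({e["TargetUserName"] for e in evs[start:end + 1]})
                alerts[ip] = {
                    "failures": len(evs),
                    "users": users,
                    "kind": "password spray" if len(users) > 1 else "brute force",
                    "first_seen": evs[0]["TimeCreated"],
                    "severity": "medium",
                }
                break
    # A successful RDP logon from a source that was just guessing is the real alarm.
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 10 and e["IpAddress"] in alerts:
            if _t(e) > _t(fails[e["IpAddress"]][0]):
                alerts[e["IpAddress"]]["severity"] = "high"
                alerts[e["IpAddress"]]["compromised_account"] = e["TargetUserName"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(EVENTS).items():
        print(ip, alert)
```

Only 203.0.113.7 trips the rule on this data, as a high-severity password spray with "backup" as the account that finally worked; the slow scanner stays under the five-in-five-minutes threshold and would need a longer window or a lower threshold to surface, which is the usual tuning trade-off. On a host that exposes only RDP to the outside, type 3 failures from external addresses are effectively RDP attempts; on a file server they also include SMB, so restrict the rule to the addresses or ports you actually expose.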
Tomi Engdahl says:
Europe, US warn of fake chip danger to national security, critical systems https://www.theregister.com/2022/03/18/eu_us_counterfeit_chips/
Counterfeiters are making the most of the ongoing electronics supply crunch by peddling sham semiconductors to desperate buyers and it’s caught the attention of governments. In a report out this month, the European Union’s law enforcement agency Europol highlighted the dangers of knockoff semiconductors to critical infrastructure as well as people’s private devices. See also:
https://www.europol.europa.eu/cms/sites/default/files/documents/Report.%20Intellectual%20property%20crime%20threat%20assessment%202022_2.pdf
Tomi Engdahl says:
The war in Ukraine has increased cyberattacks in Finland too
https://etn.fi/index.php/13-news/13366-sota-ukrainassa-lisaennyt-kyberhyoekkaeyksiae-myoes-suomessa
European organisations are now being attacked 18 percent more often than before Russia’s invasion of Ukraine. In Finland, too, the number of attacks has grown by 26 percent, reports security company Check Point Research.
Last week cyberattacks rose clearly in both Russia and Ukraine (10 and 17 percent). CPR has also observed a 16 percent global increase in cyberattacks since the war. CPR believes hackers are seeking to exploit the conflict between Russia and Ukraine from every side.
The number of cyberattacks is now growing against both Russia and Ukraine. In Ukraine, the average weekly number of attacks per organisation was 1,697 last week, 39 percent more than before the conflict began and 17 percent more than a week earlier. In Russia, the average weekly number of attacks per organisation was 1,550 last week, 22 percent more than before the conflict began and 10 percent more than a week earlier.
In Europe, the average weekly number of attacks per organisation was 1,101 last week, 18 percent more than before the war.
https://blog.checkpoint.com/2022/03/28/resurgence-of-increased-cyber-attacks-on-both-russia-and-ukraine-a-month-into-the-war/
Tomi Engdahl says:
Consistency in password resets helps block credential theft
https://www.bleepingcomputer.com/news/security/consistency-in-password-resets-helps-block-credential-theft/
Phishing attacks have become a massive problem for organizations of all sizes. According to Expert Insights’ recent study, “almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website.”
This type of credential theft can have far-reaching consequences ranging from data leakage to human-operated ransomware attacks.
The most disturbing part of this is knowing that any user can potentially unleash a devastating attack on your organization with a single mouse click. Organizations must therefore take decisive action to prevent users from falling victim to phishing attacks.
Mail filtering is not enough
Unfortunately, there is no one single solution that will effectively stop all phishing attacks.
As such, organizations should practice defense in depth. Filtering inbound email and removing phishing messages before they make it into a user’s inbox is a critical first step, but that alone is not enough.
Some phishing messages will inevitably slip through even the best filter.
End user education
Since organizations cannot depend on mail filtering to block all attempted phishing attacks, organizations must place a heavy emphasis on end user education.
In the past, such efforts were largely ineffective
More recently, organizations have begun launching their own simulated phishing attacks to educate users
Microsoft is just one of several companies that offer phishing attack simulation tools. Some of the other vendors that offer such tools include Phishing Box, Phished, and Barracuda, just to name a few.
This practice is debated, however, as we want end users to trust their IT departments rather than fear an orchestrated phishing hack—but it can be an effective tool in curbing dangerous online activities.
When a user gets phished
In this simulated attack, if a user does fall for the phishing email, the user will typically see a message telling them that they have fallen for a simulated malicious message.
Bring consistency to the password reset process
As important as end user training and message filtering may be, there is a third thing that organizations can do to help tip the odds in their favor. Because credential harvesting phishing attacks so often come disguised as password reset messages, it is important to handle password resets in a way that makes it obvious to users that email messages are not part of the password reset process.
For example, an organization might use Specops uReset to manage password reset requests. Specops uReset never asks for the Windows password before the user is authenticated with another method first; if users know this to be true, they can be suspicious of any phishing-style email that tries to get them to enter their AD password to reset it.
Taking email out of the equation makes it less likely that a user will ever click on a phony password reset message—simulated or not.
Ultimately, you can’t depend on filtering to remove all phishing email messages. The technology simply is not good enough to catch 100% of all the phishing attacks.
That’s why it’s so important to educate your users on how to identify a phishing message, and potentially assess a user’s ability to identify such messages through subsequent simulated phishing campaigns.
It’s arguably more important to standardize the password reset process in a way that will help users to immediately recognize password reset messages as phony, and thus prevent them from clicking on such messages.
Tomi Engdahl says:
Researchers Used a Decommissioned Satellite to Broadcast Hacker TV
https://www.wired.com/story/satellite-hacking-anit-f1r-shadytel/
Tomi Engdahl says:
Using Russian tech? It’s time to look at the risks again, says cybersecurity chief
If you are relying on Russian software or services it might be time to consider the level of risk that involves, says NCSC.
https://www.zdnet.com/google-amp/article/using-russian-tech-its-time-to-look-at-the-risks-again-says-cybersecurity-chief/
Organisations using Russian-linked software or products have been told to take time to consider the risk involved with using those technologies following Russia’s invasion of Ukraine.
New guidance from the National Cyber Security Centre (NCSC) – part of GCHQ – says organisations in several key areas in particular should reconsider the risk of using Russian-controlled products as part of their network or supply chain because of the risk of potential cyberattacks.
NCSC said that Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so might increase in a time of war.
Tomi Engdahl says:
State-backed hacking attacks are a big worry, but most firms don’t know what to watch out for https://www.zdnet.com/article/state-backed-hacking-attacks-are-a-big-worry-but-most-firms-dont-know-what-to-watch-out-for/
The vast majority of information security personnel think their business is a target for foreign cyberattacks – but identifying and defending against them is a challenge.
Tomi Engdahl says:
The Need for Resilient Zero Trust
https://www.securityweek.com/need-resilient-zero-trust
It is essential to ensure that any Zero Trust technology used is resilient to external factors
The growing threat of cyberattacks like SolarWinds, JBS USA, and Colonial Pipeline has underscored that organizations can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest sign that organizations must assume that cyber adversaries are already in their network. Against the backdrop of these high-profile incidents and growing concerns of retaliatory cyberattacks by Russia following its invasion of Ukraine, legislators have stepped up their efforts to bolster resilience and response capabilities against these threats (e.g., U.S. Cyber Incident Reporting for Critical Infrastructure Act, European Union Rules for Common Cybersecurity and Information Security Measures).
New regulations are aimed at shifting the cybersecurity paradigm – away from the old mantra of “trust but verify” and instead toward a Zero Trust approach, whereby access to applications and data is denied by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.
A good example is the federal strategy that the Office of Management and Budget (OMB) released earlier this year. The strategy details a series of specific security goals for agencies, serving as a blueprint for shifting the federal government to a new cybersecurity paradigm – namely Zero Trust – that intends to help protect our nation. The strategy requires agencies to achieve specific Zero Trust goals by the end of fiscal year 2024 and aligns closely with the Cybersecurity and Infrastructure Agency’s Zero Trust Maturity Model (PDF) and its five complementary areas of effort:
• Identity: Staff use enterprise-managed identities to access work applications. Phishing-resistant multi-factor authentication (MFA) protects personnel from sophisticated online attacks.
• Devices: Establish a complete inventory of every device operated and authorized for government use. Prevent, detect, and respond to incidents on those devices.
• Networks: Encrypt all DNS requests and HTTP traffic within the environment and begin executing a plan to break down perimeters into isolated environments.
• Applications and Workloads: Treat all applications as Internet-connected, routinely subject applications to rigorous empirical testing, and monitor external vulnerability reports.
• Data: Deploy protections that make use of thorough data categorization. Take advantage of cloud security services to monitor access to sensitive data and implement enterprise-wide logging and information sharing.
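The default-deny decision the article describes, worked through as an added example (not code from the SecurityWeek piece, the OMB strategy or CISA's maturity model). It ties together the identity, device and contextual checks listed above: a request is allowed only if the session comes from the enterprise identity provider, used a phishing-resistant authenticator, came from an inventoried and compliant device assigned to that user, and the risk engine's score is below a threshold. The inventory, the identity provider URL, the authenticator names and the sample requests are all constructed for illustration.

```python
"""Default-deny access decision for a Zero Trust policy point (added example)."""
from dataclasses import dataclass, field

# Authenticators treated as phishing-resistant (assumption for this example:
# FIDO2/WebAuthn and PIV smart cards qualify; TOTP codes and push prompts do not).
PHISHING_RESISTANT = {"fido2", "piv"}
ENTERPRISE_IDP = "https://idp.corp.example"   # constructed identity provider
RISK_THRESHOLD = 70                            # constructed risk-engine cut-off (0..100)

# Constructed device inventory: device id -> owner and compliance state.
DEVICE_INVENTORY = {
    "lap-0042": {"owner": "alice@corp.example", "compliant": True},
    "lap-0099": {"owner": "bob@corp.example", "compliant": False},
}


@dataclass
class AccessRequest:
    user: str          # enterprise identity presented in the session
    idp_issuer: str    # identity provider that issued the session
    mfa_method: str    # authenticator used for this session
    device_id: str     # identifier reported by the device agent
    app: str           # application being requested
    risk_score: int    # contextual score from a risk engine (higher = riskier)


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every check that failed


def evaluate(req: AccessRequest) -> Decision:
    """Deny by default: allow only when no identity, device or context check fails."""
    reasons = []

    # Identity: only enterprise-managed identities, never personal or social accounts.
    if req.idp_issuer != ENTERPRISE_IDP:
        reasons.append("identity not enterprise-managed")
    if req.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"mfa method {req.mfa_method!r} not phishing-resistant")

    # Device: must be in the inventory, assigned to this user, and compliant.
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append("device not in inventory")
    else:
        if device["owner"] != req.user:
            reasons.append("device not assigned to this user")
        if not device["compliant"]:
            reasons.append("device non-compliant")

    # Context: continuous risk verdict for this session.
    if req.risk_score >= RISK_THRESHOLD:
        reasons.append(f"risk score {req.risk_score} >= {RISK_THRESHOLD}")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample requests covering the pass case and each failure mode.
GOOD_REQUEST = AccessRequest("alice@corp.example", ENTERPRISE_IDP, "fido2", "lap-0042", "payroll", 12)
OTP_REQUEST = AccessRequest("alice@corp.example", ENTERPRISE_IDP, "totp", "lap-0042", "payroll", 12)
UNKNOWN_DEVICE_REQUEST = AccessRequest("alice@corp.example", ENTERPRISE_IDP, "fido2", "lap-7777", "payroll", 12)
BORROWED_DEVICE_REQUEST = AccessRequest("alice@corp.example", ENTERPRISE_IDP, "fido2", "lap-0099", "payroll", 12)
HIGH_RISK_REQUEST = AccessRequest("alice@corp.example", ENTERPRISE_IDP, "fido2", "lap-0042", "payroll", 85)
PERSONAL_IDP_REQUEST = AccessRequest("alice@corp.example", "https://social.example", "fido2", "lap-0042", "payroll", 12)

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("otp", OTP_REQUEST),
                      ("unknown device", UNKNOWN_DEVICE_REQUEST),
                      ("borrowed device", BORROWED_DEVICE_REQUEST),
                      ("high risk", HIGH_RISK_REQUEST), ("personal idp", PERSONAL_IDP_REQUEST)]:
        d = evaluate(req)
        print(f"{name:16} allow={d.allow} reasons={d.reasons}")
```

Because the engine collects every failed check instead of stopping at the first, the log line for a denial tells the operator which pillar (identity, device or context) is out of policy, which is what an audit of the strategy's goals needs.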
Tomi Engdahl says:
Six Ways to Expand Your Fraud Program
https://www.securityweek.com/six-ways-expand-your-fraud-program
While attackers and fraudsters are continually adapting and evolving, there are some measures that businesses can take to improve their fraud programs
Many businesses, particularly those in the financial sector and those that transact heavily online (ecommerce), already have a fraud program. In some cases, that fraud program may be quite mature, while in other cases, it might still be maturing. Regardless of the maturity of a fraud program, there are always steps that can be taken to improve its efficiency and effectiveness.
While there are many different metrics by which a fraud program can be measured, the amount/percentage of fraud detected and mitigated, along with the potential fraud loss avoided are two of the primary measures. With attackers and fraudsters continually adapting and evolving, what are some measures that businesses can take to improve their fraud programs?
Tomi Engdahl says:
Tanya Mohn / New York Times:
A look at geofencing trials in Sweden to regulate commercial and public transport traffic within a zone, determine whether those vehicles belong there, and more
https://www.nytimes.com/2022/03/28/world/europe/geofencing-sweden.html
Tomi Engdahl says:
Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”
https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/
There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.
Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.
But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.
It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.
In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.
“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.
To make matters more complicated, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.
THE LAPSUS$ CONNECTION
The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim is evident in the dramatic backstory behind LAPSUS$, the data extortion group that recently hacked into some of the world’s most valuable technology companies, including Microsoft, Okta, NVIDIA and Vodafone.
In a blog post about their recent hack, Microsoft said LAPSUS$ succeeded against its targets through a combination of low-tech attacks, mostly involving old-fashioned social engineering — such as bribing employees at or contractors for the target organization.
“Other tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote of LAPSUS$.
Tomi Engdahl says:
Get Outta Here: Securing Computing Systems by Storing Security Elsewhere
Feb. 5, 2022
This article details the architecture of the cybersecurity conflict and offers recommendations for how to tilt the scales in favor of the good guys.
https://www.electronicdesign.com/industrial-automation/article/21215467/kameleon-security-get-outta-here-securing-computing-systems-by-storing-security-elsewhere?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS220221103&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
What you’ll learn:
Why hackers historically have had an architectural advantage against software- and firmware-based security defenses.
How this edge has translated into increased attacks on firmware levels.
What enterprises and CSPs can do to protect themselves.
Cybersecurity has long been a game of cat and mouse between organizations looking to secure their networks, devices, and data with increasingly more sophisticated security solutions. Meanwhile, hackers look to poke and exploit whatever holes may exist in those defenses. The architecture of this conflict has disproportionately benefited hackers, as through trial and error they have been able to map a target’s defenses until the point where they identify a way in.
The location of where security solutions are stored plays a pivotal role here, as hackers’ perpetual probing only serves its purpose if a target’s defenses are visible, or worse, accessible. Storing unprotected encryption keys, credentials, and sensitive data anywhere reachable is equally unadvisable.
Don’t Store Your Security Solutions in These Spots
Cybersecurity defenses have typically been stored at the software, or application, layer. This exposes defenses to visibility and manipulation by any hacker who gains access to that layer, which is what happened in the recent Huawei Cloud attack. This cloud service provider (CSP) was hit with malware that used a software script to simply disable the security agent in charge of scans and reset user credentials.
Moving security solutions down to the firmware isn’t necessarily much safer, as hackers have shown great resourcefulness and little trouble in breaching this layer, too. The National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) shows that attacks on firmware have risen by 500% since 2018. Furthermore, survey data from a new Microsoft report shows that 83% of enterprise IT decision-makers have had their systems hit with a firmware attack in the last two years, but that only 29% of the average security budget is dedicated to protecting the firmware level.
Intel recently discovered the danger of under-securing this level themselves, as significant vulnerabilities were exposed in the BIOS firmware of various Intel processors. Intel advised that users apply available BIOS updates to patch the holes, but most motherboard vendors don’t release BIOS updates all that frequently, since it’s something of a legacy solution (replaced in many applications by UEFI firmware).
Become Isolated
Storing security defenses in an isolated processor creates an architectural advantage for security applications that prevents attackers from disabling or evading defenses. Unlike processor-based systems that are susceptible to trial-and-error attacks, where hackers try various techniques to glean information about a system’s defenses, isolated security chips provide very little visibility to would-be intruders.
Turn to TPMs
Trusted Platform Modules (TPMs) are a good step in this direction. TPMs sit separate from a computing system’s processor. They function as a sort of black box that attackers will struggle to access or even see into, and are assigned to hold valuable assets like keys as well as sensitive data while owning only low-level operations.
However, TPMs alone aren’t secure or flexible enough. Emerging solutions instead offload security, assets, and trust anchors to a more specialized and more dynamic security processing unit (SPU) chip. Under this approach, attackers are unable to access (and thus corrupt) security systems, data, and most importantly, the system’s root of trust (RoT). This means the integrity of its attestations from boot through runtime is preserved.
Isolated SPUs also are more convenient to manage. UEFI firmware authentication introduces logistical issues that can lock a CPU to a particular platform, which limits the ability to upgrade or change a CPU on the motherboard.
All told, what CIOs, CISOs, and IT decision-makers need to realize is that their systems are very much vulnerable, especially at the software and firmware levels. Storing security systems, let alone a RoT, at these levels is folly. Therefore, what’s needed is a hardware solution that can be used to store security beyond the hacker’s reach while also hosting a RoT that can authenticate and authorize any alteration of any stack level. In addition, it must be flexible enough to adapt to new vulnerabilities and enable security
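The article's point about keeping the root of trust and its attestations out of the attacker's reach, worked through as an added simulation (not code from Electronic Design, Kameleon or any TPM vendor). It models measured boot the way a TPM does: each stage's hash is folded into a platform configuration register with PCR = SHA-256(PCR || SHA-256(component)), which can only be extended, never rewound. The quote is an HMAC over nonce and PCR under a key that never leaves the simulated chip; a real TPM signs the quote with an asymmetric attestation key instead, so the HMAC is a stand-in chosen to keep the example dependency-free. The boot components, the key and the nonce are constructed.

```python
"""Measured boot and attestation, simulated (added example)."""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the new PCR value is SHA-256(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(components) -> bytes:
    """Boot from a zeroed PCR, measuring each component before it runs."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def quote(pcr: bytes, nonce: bytes, ak: bytes) -> bytes:
    """Attestation quote over a verifier-chosen nonce and the PCR value.
    Only the isolated chip holds ak; software on the host never sees it."""
    return hmac.new(ak, nonce + pcr, hashlib.sha256).digest()


def verify_quote(reported_pcr, reported_quote, nonce, ak, golden_pcr):
    """Verifier side: first check the quote is genuine and fresh, then compare
    the attested PCR against the known-good boot measurement."""
    expected = quote(reported_pcr, nonce, ak)
    if not hmac.compare_digest(expected, reported_quote):
        return (False, "quote does not verify under the attestation key")
    if reported_pcr != golden_pcr:
        return (False, "PCR differs from known-good value")
    return (True, "ok")


# Constructed stand-ins: attestation key held by the chip, verifier nonce, boot images.
AK = b"constructed-attestation-key-not-a-real-secret"
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
GOOD_CHAIN = [b"firmware v1.2", b"bootloader v3", b"kernel 5.15 signed"]
TAMPERED_CHAIN = [b"firmware v1.2", b"bootloader v3 +implant", b"kernel 5.15 signed"]
GOLDEN_PCR = measure_chain(GOOD_CHAIN)   # recorded once from a trusted build


def attest(chain, nonce=NONCE, ak=AK):
    """What the platform returns to a verifier: the PCR and a quote over it."""
    pcr = measure_chain(chain)
    return pcr, quote(pcr, nonce, ak)


def scenario_honest():
    pcr, q = attest(GOOD_CHAIN)
    return verify_quote(pcr, q, NONCE, AK, GOLDEN_PCR)


def scenario_tampered_bootloader():
    # A modified bootloader changes every later PCR value; it cannot be undone.
    pcr, q = attest(TAMPERED_CHAIN)
    return verify_quote(pcr, q, NONCE, AK, GOLDEN_PCR)


def scenario_forged_quote():
    # Host software claims the golden PCR but cannot produce a valid quote
    # because the attestation key lives only in the isolated chip.
    fake = quote(GOLDEN_PCR, NONCE, b"guessed-key")
    return verify_quote(GOLDEN_PCR, fake, NONCE, AK, GOLDEN_PCR)


def scenario_replayed_quote():
    # Replaying an old honest quote fails because the verifier sent a new nonce.
    pcr, q = attest(GOOD_CHAIN, nonce=NONCE)
    return verify_quote(pcr, q, bytes(16), AK, GOLDEN_PCR)


if __name__ == "__main__":
    for name, fn in [("honest", scenario_honest), ("tampered", scenario_tampered_bootloader),
                     ("forged", scenario_forged_quote), ("replayed", scenario_replayed_quote)]:
        print(f"{name:9} -> {fn()}")
```

The tampered and forged scenarios are the two failure modes the article contrasts: a host-level attacker can alter the firmware that gets measured, but cannot make the isolated chip vouch for a clean measurement, and cannot rewind a PCR because extend is one-way.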
Tomi Engdahl says:
Why VPNs are a WASTE of Your Money (usually…)
https://www.youtube.com/watch?v=9_b8Z2kAFyY
Commercial VPNs probably hurt your privacy and security more than they help. Behind the layers of marketing sits a darker side of the industry. Ask yourself questions like:
- Why trust a VPN company and their ISP over my own?
- Who’s actually running these companies?
- Why so many VPN ads on YouTube?
- What’s up with all the review sites?
VPNs are designed to transport devices from a network of low trust to one of high trust, or to bridge traffic between two high-trust networks. A site-to-site or corporate VPN both fall in this category.
With commercial VPNs, you’re more likely to be transporting your Internet to a network of lower or uncertain trust. Rather than just your ISP seeing your traffic, you grant this privilege to the VPN provider and their ISP too.
Most of the providers out there are owned by just a few parent companies. Many of them have hidden ownership and conflicting motivations. Many “no-logging” VPN companies have turned out to be doing the opposite.
You shouldn’t use a VPN if:
- You want to encrypt your traffic.
Most of your traffic is already encrypted because most common sites support HTTPS. Encrypting your DNS queries is becoming standard too in web browsers.
- You want to hide your identity.
There’s all kinds of other metadata in your network packets available to track you. Advanced actors can correlate them to track and discover your location.
There are some cases where using a VPN does make sense though.
- You want to mask your IP address.
- Circumventing IP blocks to watch Netflix
- Getting around national firewalls
- Bypassing download limits
- Performing offensive security assessments
- Conducting OSINT and research
If you do need a VPN, the best option is to do-it-yourself. Tunnel back to a home server. Set up a cloud server. Open-source software like Wireguard, Shadowsocks, and SSH makes this easy.