Nothing is more difficult than making predictions. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threatit’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has
emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product, ” points out constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
we’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next?. PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
There are some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Kännyköiden tietoturva menee uusiksi
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structure will also come in the smart phones. The new Armv9-A architecture last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll varoittaa “kyberpandemiasta” internetin häiriö voi panna maailman taas sekaisin
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnagl says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack area of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micron raportti: tulevaisuudessa kaikki on vaarassa
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Anatomy of a campaign to inject JavaScript into compromised WordPress sites https://www.theregister.com/2022/05/13/wordpress-redirect-hack/
A years-long campaign by miscreants to insert malicious JavaScript into vulnerable WordPress sites, so that visitors are redirected to scam websites, has been documented by reverse-engineers.
Tomi Engdahl says:
Väitös: Inhimillisyyden huomioiminen lisää kyberturvallisuutta https://www.epressi.com/tiedotteet/tiede-ja-tutkimus/vaitos-inhimillisyyden-huomioiminen-lisaa-kyberturvallisuutta.html
Yliopistonlehtori Mirva Salminen tarkastelee väitöstutkimuksessaan kriittisesti digitalisaatiota ja kyberturvallisuutta yhteiskunnallisina kehitysohjelmina. Salmisen mukaan digitalisoituvan yhteiskunnan turvaaminen edellyttää, että inhimillisyys huomioidaan nykyistä paremmin niin tieto- ja viestintäteknologioiden, digitaalisten sovellusten ja palveluiden kehittämisessä kuin yhteiskunnallisissa politiikkaohjelmissa.
Tomi Engdahl says:
COBALT MIRAGE Conducts Ransomware Operations in U.S https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
The Iranian threat group blurs the line between financially motivated attacks and espionage.
Tomi Engdahl says:
Most organizations hit by ransomware would pay up if hit again https://www.theregister.com/2022/05/13/organizations_pay_ransomware/
Almost nine in 10 organizations that have suffered a ransomware attack would choose to pay the ransom if hit again, according to a new report, compared with two-thirds of those that have not experienced an attack. also:
https://www.kaspersky.com/blog/anti-ransomware-day-report/
Tomi Engdahl says:
- From 0-Day to Mirai: 7 days of BIG-IP Exploits
https://isc.sans.edu/diary/rss/28644
We all know vulnerabilities have a lifecycle. First, they start as closely held secrets, hopefully known to the company producing the vulnerable software. After becoming publically known, there is often a “mad dash” to a public exploit. During this phase, security companies often show their skills by hinting at privately developed exploits first until the exploit is publically known. Once a public exploit is available, the next race starts among adversaries to collect the largest possible market share of vulnerable devices. In this stage, some nation-states may attempt to expand their attack network, while at the same time, kids in basements and North Korea are looking for coin mining bots. Oddly enough, they often do not patch the vulnerability, and you end up with devices being exploited repeatedly.
In the end, you have the crustaceans among the attackers picking apart the crumbs or looking for web shells dropped by others. Finally, Iran and Mirai try to see if anything is left for them.
Tomi Engdahl says:
Anatomy of a Security Update
https://msrc-blog.microsoft.com/2022/05/13/anatomy-of-a-security-update/
Often-times we are asked, why can’t Microsoft release security updates faster? Why can’t you release a security update instantly after a zero-day vulnerability has been identified? Why do you rely on coordinated vulnerability disclosure? These are great questions.
Tomi Engdahl says:
Tervetuloa kyberrikosjengiin!
https://www.tivi.fi/uutiset/tv/597c0556-e870-4ef8-be11-855143372fcd
Yrityksesi liikevaihto on ennätyslukemissa ja organisaatiosi on herättänyt kansainvälisesti huomiota. Samalla luet uutisista, miten vastaavanlaisen yrityksen toimijoita on otettu kiinni ja viety oikeuden eteen. Jossain ylempänä komentoketjussa aletaan unelmoida omasta lohkoketjusta ja jopa kasinosta. Sinulle riittää että voit elättää perheesi. TÄHÄN LOPPUU kuvitteellinen mutta todellisuuteen pohjaava tarina työskentelystä organisoidun, kiristyshaittaohjelmiin erikoistuneen kyberrikollisuuden parissa. Esimerkit rekryprosessista, yrityksen toimintatavoista ja jopa tiimin yhteisöllisyydestä ovat peräisin Conti-kyberrikollisjengin vuodetuista viestilogeista. Vuonna
2022 kyberrikollisuus on organisoidumpaa kuin koskaan aikaisemmin.
Tomi Engdahl says:
Follow the Money: How eCriminals Monetize Ransomware https://www.crowdstrike.com/blog/how-ecriminals-monetize-ransomware/
Cybercrime has evolved over the past several years from simple “spray and pray” attacks to a sophisticated criminal ecosystem centered around highly effective monetization techniques that enable adversaries to maximize success and profitability. Monetization is the step attackers take to receive a payout when an operation is complete.
Threat actors are constantly evolving their methods through trial and error to avoid getting caught. A greater understanding of how this process works including transaction details, value of recent compromises and participating adversaries can help organizations fight modern threat actors. CrowdStrike threat intelligence offers IT and security decision-makers insights into eCrime monetization through our eCrime Index intelligence reports. Here, we dig into our recent observations and share key takeaways for defenders.
Tomi Engdahl says:
EU haluaa suojella lapsia, ja se asettaa vaakalaudalle viestipalveluiden päästä-päähän-salauksen “tehkää mahdoton, saatte itse päättää miten”
https://www.tivi.fi/uutiset/tv/b14f5325-66bc-4511-ac91-7d8becad6369
EU:n ehdotuksessa viestipalveluiden tuottajien pitäisi pystyä skannaamaan ihmisten lähettämät viestit läpi lapsipornon ja lasten hyväksikäytön varalta. Tämä siitä huolimatta, että viestit olisi salattu päästä-päähän. Näin toimii muun muassa pikaviestiohjelma WhatsApp. Monet asiantuntijat ovat yrittäneet teroittaa komissiolle sitä, että päästä-päähän-salaus ei ole purettavissa. Salauksen purkuun tarvittava erityinen avain ei ole palveluntarjoajalla vaan viestin vastaanottajalla ja lähettäjällä. Lisäksi viestin lähettäjällä on oma uniikki avaimensa, jotta kukaan ei voi napata lähetettyä viestiä ja purkaa sen salausta kesken matkan. Myös saksalaismeppi Moritz Körner lataa täyslaidallisen komission ehdotukselle. Körner kuvailee ehdotusta Stasi 2.0:ksi. Stasi oli Saksan demokraattisen tasavallan
(DDR) valtiollinen turvallisuuselin.
Tomi Engdahl says:
Hunting Cobalt Strike Servers
https://bank-security.medium.com/hunting-cobalt-strike-servers-385c5bedda7b
A comprehensive view on the techniques used to fingerprint Cobalt Strike’s C2s. If you are looking for a method to hunt Cobalt Strike servers this is the article for you. I have grouped different techniques for this purpose and I created Shodan queries to have an overview of all active Cobalt Strike command and control (C2) servers.
Tomi Engdahl says:
FBI myöntää harkinneensa pahamaineisen vakoiluohjelman käyttämistä https://www.tivi.fi/uutiset/tv/62855d27-8831-4835-89ad-baddbe8629eb
FBI ilmoitti kirjeessään Israelin hallitukselle hankkineensa käyttöönsä pahamaineisen Pegasus-vakoiluohjelman, jolla voidaan ladata puhelimesta henkilökohtaista tietoa käyttäjän tietämättä. FBI:n kirje on vuodelta 2018, ja se on toistaiseksi tähän asti selvin todiste siitä, että liittovaltion poliisi suunnitteli vakoiluohjelman käyttöä operaatioissaan.
Tomi Engdahl says:
Undisclosed “legal issues” are preventing the US from announcing which cryptographic algorithms should be used as standard to protect data from future quantum computers. Meanwhile, security experts at Google warn that data being sent today is already at risk and that firms need to prepare themselves to adopt the new algorithms as soon they are announced.
Read more: https://www.newscientist.com/article/2319212-google-calls-for-urgent-switch-to-quantum-safe-encryption-as-us-delays/#ixzz7TQyl8hLt
Tomi Engdahl says:
The downside of debugging’ ransomware
https://www.welivesecurity.com/2022/05/16/downside-debugging-ransomware/
The decision to release a ransomware decryptor involves a delicate balancing act between helping victims recover their data and alerting criminals to errors in their code
Tomi Engdahl says:
A Look Into Public Clouds From the Ransomware Actor’s Perspective https://unit42.paloaltonetworks.com/ransomware-in-public-clouds/
Traditional ransomware mainly targets on-premises IT infrastructure but doesn’t work well in cloud environments, which is one reason we haven’t heard much about ransomware in public clouds. However, ransomware actors could adapt their tactics, techniques and procedures
(TTPs) to be more cloud native, and now is a good time for organizations to get ahead of this possibility. Here, we explore how ransomware threat actors might operate in cloud environments what approaches they might use to attack and impact resources in public clouds.
Tomi Engdahl says:
How COVID-19 fuelled a surge in malware
https://blog.malwarebytes.com/reports/2022/05/how-covid-19-fuelled-a-surge-in-malware/
2021 saw a massive surge in detections of malware, adware, and Potentially Unwanted Programs (PUPs). It didn’t matter what the computers were used for or what operating system they ranacross business and home computers, on Windows and on Mac, detections went up, enormously. Detections of malware on Windows business machines were 143% higher in 2021 than in 2020, and 65% higher on consumer machines.
Tomi Engdahl says:
San Francisco police use driverless cars for surveillance https://www.theregister.com/2022/05/16/in_brief_security/
San Francisco police have been using driverless cars for surveillance to assist in law enforcement investigations. According to an SFPD training document obtained by Motherboard [PDF]: “Autonomous vehicles are recording their surroundings continuously and have the potential to help with investigative leads.”
Tomi Engdahl says:
HTML attachments in phishing e-mails
https://securelist.com/html-attachments-in-phishing-e-mails/106481/
The use of embedded HTML documents in phishing e-mails is a standard technique employed by cybercriminals. It does away with the need to put links in the e-mail body, which antispam engines and e-mail antiviruses usually detect with ease. HTML offers more possibilities than e-mail for camouflaging phishing content.
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Report: the real-time bidding industry exposes a person’s online activity and location 747 times per day on average in the US and 376 times per day in Europe — New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today …
Report spotlights vast scale of adtech’s ‘biggest data breach’
https://techcrunch.com/2022/05/16/iccl-rtb-report-google-gdpr/
New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today by the Irish Council for Civil Liberties (ICCL), suggests Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.
“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”
The ICCL’s report, which is based on industry figures that the rights organization says it obtained from a confidential source, offers an estimate of RTB per person per day across U.S. states and European countries which suggests that web users in Colorado and the U.K. are among the most exposed by the system — with 987 and 462 RTB broadcasts apiece per person per day.
Tomi Engdahl says:
Afsaneh Rigot / Wired:
Tech that is designed for marginalized and vulnerable groups from the start is better, safer, more innovative, robust, and integrative of privacy
If Tech Fails to Design for the Most Vulnerable, It Fails Us All
Building around the so-called typical user is a dangerous mistake.
https://www.wired.com/story/technology-design-marginalized-communities/
What do Russian protesters have in common with Twitter users freaked out about Elon Musk reading their DMs and people worried about the criminalization of abortion? It would serve them all to be protected by a more robust set of design practices from companies developing technologies.
Let’s back up. Last month, Russian police coerced protesters into unlocking their phones to search for evidence of dissent, leading to arrests and fines. What’s worse is that Telegram, one of the main chat-based apps used in Russia, is vulnerable to these searches. Even just having the Telegram app on a personal device might imply that its owner doesn’t support the Kremlin’s war. But the builders of Telegram have failed to design the app with considerations for personal safety in high-risk environments, and not just in the Russian context. Telegram can thus be weaponized against its users.
Likewise, amid the back and forth about Elon Musk’s plan to buy Twitter, many people who use the platform have expressed concerns over his bid to forefront algorithmic content moderation and other design changes on the whim of his $44 billion fancy. Bringing in recommendations from someone with no framework of risk and harms to highly marginalized people leads to proclamations of “authenticating all humans.” This seems to be a push to remove online anonymity, something I’ve written about very personally. It is ill-thought-through, harmful to those most at risk, and backed by no actual methodology or evidence.
Tomi Engdahl says:
Mike Masnick / Techdirt:
Twitch’s takedown of the May 14 mass murder livestream seems to violate Texas’ social media law, given that an amendment for terrorism content exceptions failed
Did Twitch Violate Texas’ Social Media Law By Removing Mass Murderer’s Live Stream Of His Killing Spree?
https://www.techdirt.com/2022/05/16/did-twitch-violate-texas-social-media-law-by-removing-mass-murderers-live-stream-of-his-killing-spree/
As you’ve no doubt heard, on Saturday there was yet another horrific shooting, this one in Buffalo, killing 10 people and wounding more. From all current evidence, the shooter, a teenager, was a brainwashed white nationalist, spewing nonsense and hate in a long manifesto that repeated bigoted propaganda found in darker corners of the internet… and on Fox News’ evening shows. He also streamed the shooting rampage live on Twitch, and apparently communicated some of his plans via Discord and 4chan.
Twitch quickly took down the stream and Discord is apparently investigating. All of this is horrible, of course. But, it seems worth noting that it’s quite possible Twitch’s removal could violate Texas’ ridiculously fucked up social media law. Honestly, the only thing that might save the two companies (beyond the fact that it’s unlikely someone would go to court over this… we think) is that both Twitch and Discord might be just ever so slightly below the 50 million average monthly US users required to trigger the law. But that’s not entirely clear (another reason why this law is stupid: it’s not even clear who is covered by it).
Focusing on Twitch: taking down the streamer’s account might violate the law. Remember that the law says that you cannot “censor” based on viewpoint. And anyone in the state of Texas can bring a lawsuit claiming they were deprived of content based on viewpoint. Some will argue back that a livestream of a killing spree isn’t about viewpoint, but remember, this idiot teenager made it clear he was doing this as part of his political views. At the very least, there’s a strong argument that any effort to take down his manifesto (if not the livestream) could be seen as violating the law.
And just to underline that this is what the Texas legislature wanted
So, yes, the Texas legislature made it abundantly clear that this law should block the ability of website to remove such content.
And, due to the way the law is structured, it’s not just those who were moderated who can sue, but anyone who feels their “ability to receive the expression of another person” was denied over the viewpoint of the speaker. So, it appears that a white nationalist in Texas could (right now) sue Twitch and demand that it reinstate the video, and Twitch would have to defend its reasons for removing the video, and convince a court it wasn’t over “viewpoints” (or that Twitch still has fewer than 50 million monthly average users, and that it has never passed that threshold).
Seems kinda messed up either way.
Of course, I should also note that NY’s governor is already suggesting (ridiculously) that Twitch should be held liable for not taking the video down fast enough.
Gov. Hochul said the fact that the live-stream was not taken down sooner demonstrates a responsibility those who provide the platforms have, morally and ethically, to ensure hate cannot exist there. She also said she hopes it will also demonstrate a legal responsibility for those providers.
“The fact that this act of barbarism, this execution of innocent human beings could be live-streamed on social media platforms and not taken down within a second says to me that there is a responsibility out there … to ensure that such hate cannot populate these sites.”
So, it’s possible that Twitch could face legal fights in New York for being too slow to take down the video and in Texas for taking down the video at all.
It would be kind of nice if politicians on both sides of the political aisle remembered how the 1st Amendment actually works, and focused the blame on those actually responsible, not the social media tools that are used to communicate.
Tomi Engdahl says:
Weak Security Controls and Practices Routinely Exploited for Initial Access – Alert (AA22-137A) https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.
Tomi Engdahl says:
UK updates strategy to harden nuclear sector from cyberattacks https://therecord.media/uk-updates-strategy-to-harden-nuclear-sector-from-cyberattacks/
The UK on Friday released new plans to address the cyber risks to the country’s civil nuclear sector as the government helps orchestrate a shift towards net-zero carbon emissions. The strategy outlines four key objectives for the sector to meet by 2026 including; prioritizing cybersecurity management through outcome-focused regulation, proactively acting to mitigate cyber threats, minimizing recovery time by responding cohesively to cyber incidents, and collaborating within the sector to advance cyber skills and a positive security climate.
Tomi Engdahl says:
8 erilaista kyberiskua – näin Suomea vastaan voidaan hyökätä https://www.is.fi/digitoday/tietoturva/art-2000008819316.html
Suomen hakiessa Nato-jäsenyyttä maan uskotaan joutuvan useammantyyppisen vaikuttamisen kohteeksi. Näihin kuuluvat niin psykologinen vaikuttaminen kuin hybridioperaatiot. Yksi oletetuimmista vaikuttamisen tavoista ovat kyberhyökkäykset eli tietoverkoissa tapahtuva häirintä, lamauttaminen tai tuhoaminen. Hyökkäyksiä on monenlaisia, ja niiden vakavuus vaihtelee.
Tomi Engdahl says:
US warning: North Korea’s tech workers posing as freelance developers https://www.zdnet.com/article/us-warning-north-koreas-tech-workers-posing-as-freelance-developers/
Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms.
Tomi Engdahl says:
Useimmat tietävät 72 tunnin säännön – mutta myös tämä valmistautumisohje tulisi tuntea https://www.is.fi/digitoday/art-2000008680515.html
Tomi Engdahl says:
Emotet Summary: November 2021 Through January 2022 https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
This blog provides a background on Emotet, and it reviews activity from this malware family since its return in November 2021. The information covers changes in Emotet operations from its revival through the end of January 2022. These examples will provide a more comprehensive picture and better indicate the worldwide threat Emotet currently poses.
Tomi Engdahl says:
Use Your Browser Internal Password Vault… or Not?
https://isc.sans.edu/diary/rss/28658
My recommendation is to not store your password in these browser vaults but use a real password manager instead! Most of them have plugins available to work with all common browsers and provide the same ease of use! Stay safe!
Tomi Engdahl says:
Oletko lataamassa sovellusta puhelimeesi – tämä asia kannattaa tarkistaa https://www.is.fi/digitoday/mobiili/art-2000008819928.html
Virallisista sovelluskaupoista on tullut hylättyjen sovellusten hautausmaa, uusi tutkimus paljastaa. Kiinnitä sovellusta valitessasi huomiota muuhunkin, kuin koska se on viimeksi päivitetty. Tarkista kuka sovelluksen on kehittänyt, paljonko sitä on ladattu, mitä käyttöoikeuksia sovellus vaatii ja millaisia arvioita sovellus on saanut.
Tomi Engdahl says:
How Dangerous Is the Cyber Attack Risk to Transportation?
https://securityintelligence.com/articles/how-dangerous-cyber-attack-risk-transportation/
If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible. Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause for concern.
It’s clear that transport organizations require strong security to keep their systems and passengers safe. As part of critical public infrastructure, transportation is uniquely at risk. Most people and businesses depend on transport, whether it’s getting to work on time, sending goods or receiving medical supplies. If an attack disrupts transportation, entire supply chains could come crashing down. Traffic light or rail transit disruption could cause physical harm.
Tomi Engdahl says:
In hot pursuit of cryware’: Defending hot wallets from attacks https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/
Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them. In this blog, we provide details of the different attack surfaces targeting hot wallets. We also offer best practice recommendations that help secure cryptocurrency transactions.
Tomi Engdahl says:
Long lost @ symbol gets new life obscuring malicious URLs https://blog.malwarebytes.com/social-engineering/2022/05/long-lost-symbol-gets-new-life-obscuring-malicious-urls/
Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites.
Tomi Engdahl says:
SOC Level Up: Threat Hunting and Detection With Sigma https://www.intezer.com/blog/threat-hunting/threat-hunting-sigma-detection-rules/
In the last part of the SOC Level Up series, we introduced Sigma an open-source framework to write one rule that can be used in multiple environments. In this blog, we will show how Sigma rules can be used for threat hunting and detection.
Tomi Engdahl says:
New Special Interest Group Aims to Enhance ICS/OT Cyber Defenses
https://www.securityweek.com/new-special-interest-group-aims-enhance-icsot-cyber-defenses
MITRE has announced a new special interest group (SIG) whose goal is to help enhance cyber defenses for industrial control systems (ICS) and operational technology (OT).
The new SIG is co-chaired by MITRE and the Cybersecurity Manufacturing Innovation Institute (CyManII), a cybersecurity research institute whose activity centers around manufacturing and supply chains in the United States.
The initiative is supported by the US Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and Homeland Security’s Systems Engineering and Development Institute.
The initiative is an expansion of the Common Weakness Enumeration (CWE) program, which catalogs over 900 types of software and hardware weaknesses, and Common Attack Pattern Enumeration and Classification (CAPEC), which helps defenders identify and understand attacks.
The goal is to provide a forum for researchers and vendors to interact and share opinions and expertise in an effort to identify and classify vulnerabilities and common attack patterns that are specific to ICS and other OT.
Tomi Engdahl says:
Learn to Use This First: Four Fundamental Tactics to Protect Email Ecosystems
https://www.securityweek.com/learn-use-first-four-fundamental-tactics-protect-email-ecosystems
As email security is an ever-changing landscape, focusing on the most relevant issues in the threat landscape is where organizations need to start.
So, which email tactics are the most relevant and pressing issues to focus on? Based off insights from Cofense, these three types of attacks were the most prevalent from 2021:
• Credential Phishing
• Business Email Compromise (BEC)
• Malware
According to the analysts in Cofense’s Phishing Defense Center, credential phishing makes up about 70% of all attacks with BEC trailing behind at 7%, and malware (along with a few others) making up the rest. When you look at those numbers and combine it with what is given up during a successful credential phishing attack, it becomes clear that stopping credential attacks needs to be a top priority. This is not to say that BEC and malware attacks aren’t important to stop; they certainly are. Successful ones, much like resulting ransomware attacks, are often very lucrative for the attacker and terribly painful for the victim.
For all three of these attacks, there are a few fundamental tactics organizations should do to ensure they are protecting their email ecosystem.
Training Users
Reporting
Rapid Response
Post-Delivery Analysis
Tomi Engdahl says:
SOC Level Up: Threat Hunting and Detection With Sigma
https://www.intezer.com/blog/threat-hunting/threat-hunting-sigma-detection-rules/
In the last part of the SOC Level Up series, we introduced Sigma – an open-source framework to write one rule that can be used in multiple environments. In this blog, we will show how Sigma rules can be used for threat hunting and detection.
Security teams and especially SOC analysts are overwhelmed with data while attack surfaces are growing and cyber attackers find new ways to breach organizations while staying undetected, making the security team’s difficulties more painful. The solution might sound obvious – have a well-defined security posture to prevent threats from getting into the system, but with the constantly evolving threat landscape and existing pain points of security teams, this is easier said than done. Therefore, it is critical to proactively hunt and detect threats in the organization, for any incidents in which the threat bypassed all of the security measures and infiltrated the environment.
How Sigma Can Help in Threat Hunting
To detect threats you need to know what is happening in the environment, which can be accomplished using logs and monitoring tools (which are based on logs too). But these days the issue is that there are too many logs – too much information – that SOC analysts and security teams are not capable of analyzing and processing them all. So SIEM platforms came to help, providing the ability to aggregate, query, and extract important information from the logs. Essentially making it possible to proactively hunt for threats inside the organization.
How to Use Sigma Rules For Threat Hunting
Creating detection rules is not an easy task, for two main reasons.
First, you need to find indicators that can be used to detect the threat, either by performing an analysis of existing samples of the threat or by locating them in technical reports and threat intelligence feeds. Frequently the detection information is “hidden” among the rest of the details. Either way, it requires time and effort to find useful information that can be used in detection rules.
The other difficulty is making an efficient rule, one that will not trigger false positive alerts and is not too strict to avoid miss detection of threats. Detection rules are made of different indicators of compromise and behavior artifacts, all of which can be arranged in what is known as the Pyramid of Pain (created by David J Bianco). The idea is to organize attack indicators in ascending order based on the “pain” it will cause the attackers when these indicators are detected and denied from them by security tools. But the more harm it will cause the attacker, the harder it is for security teams to identify these indicators.
For example, a file’s hash is the easiest indicator to find and to detect but it is also trivial for threat actors to modify it simply by changing one bit in a file. On the other hand, detecting a threat based on its behavior (TTPs) requires more effort from the security team – they need to execute the threat in a sandbox and understand its execution flow. But for threat actors, it is also much harder to change the behavior of the threat and stay undetected.
Take the Detection Opportunities a Step Further
To be able to detect Emotet and similar threats that evolve, we need to find the detection indicators that are shared among the malware family. This detection strategy will produce alerts that are specific for a certain threat, because we will use indicators that are part of the threat’s behavior and were used more than once.
To implement this approach we will need to have information about the connections between samples of the same malware family, and identify detection indicators that are common in a specific malware family.
Intezer offers this capability, with a proprietary code reuse database that also extracts valuable information about the detection indicators of different malware samples.
Conclusion
Creating good and efficient detection rules is a form of art. There could be more than one “correct” way to write a rule from the same indicators. But at the end of the day, our goal is to detect threats and stop them and for that we need to know which indicators are unique to a specific threat and less likely to change among the variants of the malware.
SOC Level Up: Introduction to Sigma Rules
https://www.intezer.com/blog/threat-hunting/intro-to-sigma-rules/
Sigma rules are catching on more and more for SOC teams, as a way to write one rule that can be used across multiple environments. By learning how Sigma rules work and how to create them, you can take your SOC skills to the next level.
Detecting security breaches inside an infrastructure is heavily based on analyzing and monitoring events using logs. There are different types of logs, aggregation systems, strategies and technologies that help SOC analysts in their day to day job. While it’s excellent that there are a wide range of tools SOC teams and organizations can implement in their security posture, it also complicates the process of sharing information and knowledge within the organization and the community – each SIEM has its own query syntax (or language) and each log has it’s own unique fields.
Often analysts create rules to detect active threats or attacks and organizations would want to use them to alert upon a possible breach. For example, we might have an excellent rule to detect the creation of a specific malicious process and we want to share the rule with the community, partners, or clients. Having said that, sharing detection rules for behavior is complicated because each organization has its own way to digest logs, infrastructure and tools, so it might be more challenging for them to understand the rules and to integrate them into existing infrastructures.
The solution is using Sigma rules. These rules are written in a well-defined format using a markup language. Sigma is used for generating queries for specific SIEMs and configurations. Using Sigma for writing detection rules makes it easier to share and integrate them in the organization, regardless of specific tools and logs that are used.
What Are Sigma Rules?
Sigma is an open-source framework that provides the ability to write rules to analyze logs – similar to YARA for files or Snort for network analysis. Sigma rules are written using a predefined syntax in YAML format, and then they are converted (using sigmac or online converter) to a format that fits the target SIEM or platform used in the organization. There are many supported targets such as: Splunk, Elasticsearch, Microsoft Defender, and many more. Sigma can be used with different log sources.
The agility of Sigma rules and the fact that one rule can be used in environments that use different configurations, makes it easier for analysts to write these rules and share them with colleagues and the community.
Sigma rules are a powerful tool that makes it easy to analyze different types of logs and find specific action or threat. It can be used in two ways:
Identify and alert on suspicious activity
Sigma rules can be integrated into SIEM platforms and detect different events as they happen thus helping to detect and stop them before any further damage. For example we can create †rules to detect: unauthorized actions, web/resource access, file modification, process creation and much more.
Threat Hunting
Sigma rules can be used to hunt for threats:
Use the rules to detect when a certain attack or threat targets your organization.
Check if your organization was breached by applying Sigma rules to old logs (assuming your organization aggregates logs for at least a few months). Often it takes an organization several months before they discover that an attacker is already in the system. By analyzing the logs for suspicious activity you increase the chances of discovering a security breach and starting an incident response process sooner.
Compiling Sigma Rules
After we write the rule we need to save the file and use sigmac (available in the repo) to compile the rule. The command will look like this:
./sigmac -t -c
To compile a rule you must specify the target SIEM, provide a configuration file and the path to the rule. Each argument is very significant for a successful compilation of the rule and the integration of the rule in SIEM systems. We will explain each argument in the command.
Target
Target is the SIEM or the system that will analyze the logs: it can be splunk, stix, sysmon, etc. Each system has its own syntax so the output will differ.
Configuration File
Each environment and organization can use different log sources or index the logs differently. To make Sigma rules relevant and usable in environments regardless of the logs they use, Sigma relies on configuration files. A configuration file contains the mapping of the logs and the fields that are being used in the environment to the fields used in the rules. We can think of it as a translation between the rule and our environment.
Conclusion
In this blog we presented Sigma rules – a well-defined and formatted structure for writing detection rules, that can be used in all types of operating systems and environments. Sigma allows you to share information but also consume it, making it easier to integrate new detection rules and protect your environment.
Tomi Engdahl says:
Long lost @ symbol gets new life obscuring malicious URLs https://blog.malwarebytes.com/social-engineering/2022/05/long-lost-symbol-gets-new-life-obscuring-malicious-urls/
Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites.
As weird as it looks, the URL in this phishing campaign sticks to the rules of what’s allowed in a web address. The part you see least often is the @ symbol. RFC 3986 refers to anything after https:// and before the @ symobl, highlighted below, as userinfo. This part of the URL is for passing authentication information like a username and password, but it is very rarely used, and is simply ignored as a so-called “opaque string” by many systems.
The last part of the URL after the # is also ignored when you click the link. This is called the fragment identifier and it represents a piece of the destination page. The browser might use it to scroll to a section of the destination page, or it might be used to pass information to the destination page, but it plays no part in determining what the destination actually is.
If you are one of the 2.6 billion people using Chrome, the answer is “yes”, URLs that use the @ symbol work in Chrome and other Chromium-based browsers such as Vivaldi, Brave, and Microsoft Edge.
Firefox and Firefox-based browsers, such as Tor and Pale Moon, are also affected.
The wide support for the confusing and little-used @ symbol could see it used more widely. In a Threat Post interview, Perception Point’s Vice President of Customer Success and Incident Response, Motti Elloul, predicted that this won’t be the last time we’ll see phishing attacks taking advantage of it.
“The technique has the potential to catch on quickly, because it’s very easy to execute,” he said. “In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”
Tomi Engdahl says:
https://etn.fi/index.php/13-news/13580-kyberturva-ei-ole-vain-tekninen-kysymys
Tomi Engdahl says:
Kyberturva ei ole vain tekninen kysymys
https://etn.fi/index.php/13-news/13580-kyberturva-ei-ole-vain-tekninen-kysymys
Messukeskuksessa viime viikolla järjestetyssä Cyber Security Nordic 2022 -tapahtumassa oli ennätykselliset 41 näytteilleasettajaa ja tapahtumaan osallistui 1455 kyberalan ammattilaista sekä yksityisen ja julkisen alan päättäjää. Tapahtumaan osallistuttiin aktiivisesti myös verkon kautta.
Tapahtumassa puhutti totta kai Suomen käynnissä oleva Nato-projekti. Kyberalan eli FISC:n toimitusjohtaja Peter Sundin mukaan päättäjille on käynyt ilmeiseksi, että kyberturvallisuus ei ole vain tekninen kysymys.
Tomi Engdahl says:
Mikko Hyppönen: Verkkorikollisista tulee liian rikkaita
https://etn.fi/index.php/13-news/13593-mikko-hyppoenen-verkkorikollisista-tulee-liian-rikkaita
WithSecuren tutkimusjohtaja Mikko Hyppönen oli yksi viime viikolla järjestetyn Cyber Security Nordcin pääpuhujista. Hyppönen kiinnitti huomionsa siihen, että kyberrikollisryhmistä on tulossa liian varakkaita. – He kisaavat pian samoista tekoäly- ja koneoppimisosaajista kuin kyberturvayritykset.
Vanhan sanonnan mukaan rikos ei kannata. Kyberrikos kuitenkin näyttää kannattavan. He eivät maksa veroja ja haluavansa pitää varansa bitcoineja tai muina kryptovaluuttoina. – Bitcoinia ei voi säädellä eikä sanktioida, Hyppönen muistutti.
Jo nyt on olemassa rikollisjoukkoja, joilla on varallisuutta yli miljardi euroa. Ne ovat Hyppösen mukaan kyberrikollisalan yksisarvisia. – Jos ryhmällä oli viisi vuotta sitten 10 miljoonan edesät bitcoineja, nyt he ovat miljardöörejä.
Tämä on aidosti iso ongelma. Rikollisjärjestöt tulevat vauraiksi ja alkavat tapella samoista osaajista kuin kyberturvayritykset. Ja näistä osaajista on valtava pula. Tämä on jo johtanut omituisuuksiin kyberturva-alalla.
- Esimerkiksi Bastion Secure niinen yritys maksaa kovia palkkoja etätyöntekijöille penetraatiotestauksesta. Kyse ei kuitenkaan ole testausyrityksestä, vaan venäläisen kyberrikollisjoukon keulakuvasta. Pian osaavat ammattilaiset työskentelevät rikollisille ilman, että tietävät tekevänsä niin, Hyppönen ennusti.
Seuraavassa vaiheessa sama tapahtuu tekoäly- ja koneoppimisosaajille. Niistä on vielä suurempi pula kuin kyberturvaosaajista. – Nyt olemme lähellä sitä, että rikollisjoukoilla on resurssit alkaa palkata näitä osaajia. Pian alamme siis nähdä tekoäly- ja koneoppimismalleihin perustuvia haittaohjelmia. Ja pahaa tekoälyä vastaan voi taistella vain hyvä tekoäly.
Kyberrikosten roolia ei pidä liioitella sodankäynnissä, mutta vaikutusta sillä ilman muuta on. Hyppönen muistutti Venäjän hyökkäyssodan ensimmäisen viikonlopun uutisista, joissa kerrottiin ukrainalaisten naisten ja lasten joutuneen jonottamaan rajalla maasta poispääsyä jopa 36 tuntia, koska venäläiset onnistuivat pyyhkimään pois rajavalvonnan tietokannat Hermetic Viper -haittaohjelmalla. – Raja oli auki, mutta kaikki jouduttiin tekemään käsin, kun tietokoneet eivät toimineet.
Tomi Engdahl says:
Kali Linux 2022.2 released with 10 new tools, WSL improvements, and more
https://www.bleepingcomputer.com/news/security/kali-linux-20222-released-with-10-new-tools-wsl-improvements-and-more/
Offensive Security has released Kali Linux 2022.2, the second version in 2022, with desktop enhancements, a fun April Fools screensaver, WSL GUI improvements, terminal tweaks, and best of all, new tools to play with!
Kali Linux is a Linux distribution for cybersecurity professionals and ethical hackers to perform penetration testing, security audits, and research against internal and remote networks.
Tomi Engdahl says:
Google to create security team for open source projects https://therecord.media/google-open-source-security-team-openssf/
Google announced on Thursday that it is creating a new “Open Source Maintenance Crew” tasked with improving the security of critical open source projects. Google also unveiled two other projects Google Cloud Dataset from Open Source Insights designed to help developers better understand the structure and security of the software they use. “This dataset provides access to critical software supply chain information for developers, maintainers and consumers of open-source software, ”
Google explained in a blog post. also:
https://blog.google/technology/safety-security/shared-success-in-building-a-safer-open-source-community/
Frederic Lardinois / TechCrunch:
Google Cloud launches new software supply chain and zero trust tools, including one that gives governments and enterprises access to vetted open-source packages — Google Cloud is holding its annual Security Summit this week and unsurprisingly, the company used the event to launch a few new security features.
Google Cloud launches new software supply chain and zero trust security services
https://techcrunch.com/2022/05/17/google-cloud-launches-new-software-supply-chain-and-zero-trust-security-services/
Google Cloud is holding its annual Security Summit this week and unsurprisingly, the company used the event to launch a few new security features. This year, the announcements focus on software supply chain security, Zero Trust and tools for making it easier for enterprises to adopt Google Cloud’s security capabilities.
It’s no surprise that software supply chain security makes an appearance at this year’s event. Thanks to recent high-profile attacks, it’s been the focus of White House summits and, just last week, an industry group that includes Google, Amazon, Ericsson, Intel, Microsoft and VMware pledged $30 million to work with the Linux Foundation and Open Source Security Foundation to improve the security of open-source software.
At today’s Summit, Google Cloud announced the launch of its Assured Open Source Software service, which gives enterprises and government users access to the same vetted open source packages that Google itself uses in its projects. According to the company, these packages are regularly scanned, analyzed and fuzz-tested for vulnerabilities and built with Google Cloud’s Cloud Build service with evidence of SLSA-compliance (that’s “Supply-chain Levels for Software Artifacts,” a framework for safeguarding artifact integrity across software supply chains). These packages are also signed by Google and distributed from Google’s secured registry. “Assured OSS helps organizations reduce the need to develop, maintain and operate a complex process for securely managing their open source dependencies,” Google explains in its announcement today.
Also new today is BeyondCorp Enterprise Essentials, a new edition of Google Cloud’s BeyondCorp Enterpirse Zero Trust solution that promises to “help organizations quickly and easily take the first steps toward Zero Trust implementation.”
Finally, Google is also launched a new Security Foundation solution for enterprises that aims to make it easier for them to adopt Google Cloud’s security capabilities. It joins Google’s other ready-made solutions, which so far have focused on specific industries (retail, media and entertainment, financial services, etc.) as opposed to this more general security-centric package.
Tomi Engdahl says:
Wizard Spider hackers hire cold callers to scare ransomware victims into paying up https://www.zdnet.com/article/wizard-spider-hacking-group-hires-cold-callers-to-scare-ransomware-victims-into-paying-up/
Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise. In Wizard Spider’s case, this also means pouring some of its profits back into development with investments in tools and software, and paying for new hires. The report suggests that the group commands “hundreds of millions of dollars in assets.”. “The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives, ” the researchers say. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.”.
Wizard Spider also uses virtual private networks (VPNs) and proxies to hide their tracks. However, the group has also invested in some unusual tools, including VoIP systems and employees tasked with cold-calling individuals and scaring them into paying up after a security incident. Prodaft report (PDF):
https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf
Tomi Engdahl says:
USB Devices Redux
http://windowsir.blogspot.com/2022/05/usb-devices-redux.html
The overall point is that we can no longer consider all USB-connected devices to be the same, and as such, we may need to look in different locations within the OS, including different locations within the Registry and within different Windows Event Logs, to find the information pursuant to our analysis goals.
Tomi Engdahl says:
Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign..
https://isc.sans.edu/diary/rss/28662
Cryptocurrency scams have become ubiquitous over the past few years, but from time to time, one still comes over an interesting or unusual one. And the one that recently made its way to us at the ISC certainly was interesting, as it was much more sophisticated than usual…
Though, as you may see, one would not have guessed it from the less than believable initial e-mail message.
Tomi Engdahl says:
Turvallisuuskriittisen teknologian trendit 2022 -katsaus https://www.erillisverkot.fi/turvallisuuskriittisen-teknologian-trendit/
Erillisverkkojen toisessa teknologiatrendit -katsauksessa aiheena on erityisesti Ukrainan sota tietoliikenteen ja mobiiliverkkojen näkökulmasta. Tarkastelemme myös erilaisia kehittyviä avaruuspalveluja ja niiden mahdollisuuksia viranomaisille ja turvallisuustoimijoille.
Tomi Engdahl says:
State of internet crime in Q1 2022: Bot traffic on the rise, and more https://www.theregister.com/2022/05/18/fraud_economy_booms/
The fraud industry, in some respects, grew in the first quarter of the year, with crooks putting more human resources into some attacks while increasingly relying on bots to carry out things like credential stuffing and fake account creation. That’s according to Arkose Labs, which claimed in its latest State of Fraud and Account Security report that one in four online accounts created in Q1 2022 were fake and used for fraud, scams, and the like. Arkose Labs also dived into the growing cybercrime workforce, and while The Register does not condone crime, or encourage anyone to pursue a career in this illicit field, the earnings potential here can’t be ignored. According to the report, “rookie fraudsters, ” individuals with little experience who rely on the growing fraud ecosystem to make money, can earn up to $20, 000 per month.
Tomi Engdahl says:
Google Cloud Launches SOC Of The Future’
https://www.forbes.com/sites/tonybradley/2022/05/17/google-cloud-launches-soc-of-the-future/
Cybersecurity is a top priority for every organization. At least, it should be. The challenge is that the attack surface is expanding, and the threat landscape is adapting so quickly that it is increasingly difficult to keep up with the sheer volume of threatsnever mind effectively defend against them. At the Google Cloud Security Summit today, Google Cloud revealed plans for a “SOC of the Future” to help companies address these security challenges.
Tomi Engdahl says:
Improving ICS/OT Security Perimeters with Network Segmentation https://www.dragos.com/blog/improving-ics-ot-security-perimeters-with-network-segmentation/
A flat network is problematic for several reasons. Flat networks often combine assets that should be separated into their own networks such as VoIP Phones and IP Cameras. These readily accessible assets may use vulnerable protocols which are easily compromised. Additionally, once an adversary gets initial access, a flat network allows access to the entire network and any connected assets. This is especially true of industrial control system/operation technology (ICS/OT) networks as the assets they connect may lack the traditional security controls found on a Corporate/IT network. Fortifying your security perimeters requires a solid understanding of your OT architecture. The strategies for strengthening the security perimeters discussed in this post can be accomplished using well known cybersecurity tools.
Tomi Engdahl says:
Kyberisku vei verkon liki 6000 tuulivoimalalta – Korjaamiseen meni kuukausia
https://www.tivi.fi/uutiset/tv/ad692ccc-5964-4373-9b15-4b2d49285bb9
Saksalaisen median mukaan maan tuulivoimatuottajiin on kohdistunut useita kyberiskuja viime kuukausina. Maassa epäillään, että kyberiskuja tekevät venäläiset mutta varmuutta asiasta ei ole. Suomen tuulivoimayhdistyksen mukaan Suomessa alaan ei ole kohdistunut tavallista enempää kyberiskuja tai niiden yrityksiä viime kuukausina.
Tomi Engdahl says:
APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days https://threatpost.com/apts-overwhelmingly-share-known-vulnerabilities-rather-than-attack-o-days/179657/
Most advanced persistent threat groups (APTs) use known vulnerabilities in their attacks against organizations, suggesting the need to prioritize faster patching rather than chasing zero-day flaws as a more effective security strategy, new research has found.
Security researchers at the University of Trento in Italy did an assessment of how organizations can best defend themselves against APTs in a recent report published online. What they found goes against some common security beliefs many security professionals and organizations have, they said. One belief the research debunked is that all APTs are highly sophisticated and prefer attacking zero-day flaws rather than ones that have already been patched. “Contrary to common belief, most APT campaigns employed publicly known vulnerabilities, ” they wrote in the report.