Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.
HTTPS: HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any plain HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version; if a secure version isn’t available, an on-screen warning asks whether you want to continue. As HTTPS has become more common across the web, Google Chrome is preparing a security option that will block “insecure” downloads over HTTP.
Malvertising: Cybercriminals impersonating brands through search engine advertising services to defraud users will continue in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. They purchase ads that show up at the very top of search results, often purporting to link to a legitimate company’s website. Anyone clicking the link is instead taken to a lookalike page that may appear identical but is designed to phish for login credentials and financial details, or to trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.
Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. Most cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools: one report found that over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report found its top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully you at least have endpoint protection in place, for a chance to catch it further down the cyber kill chain.
Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application tested had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
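Missing and weak security headers are cheap to check for yourself. The script below is an added example (not code from the page or from the report it cites) that grades a response’s headers: it flags headers that are absent, headers that are present but weakly configured (a short HSTS max-age, a CSP with unsafe-inline, a non-standard X-Frame-Options value) and version banners that leak the server software. The two header sets are constructed samples; the thresholds and the list of expected headers are my assumptions about a sensible baseline.

```python
"""Check an HTTP response's security headers (added example, not from the original page).

The two responses below are constructed samples. In practice you would feed in the
headers your own server returns (for example from `curl -sI https://yoursite`).
Expected headers and thresholds are assumptions, not a standard.
"""
from dataclasses import dataclass, field


def _max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(num)
            except ValueError:
                return 0
    return 0


# Headers a browser-facing HTTPS site is expected to send, each with a predicate
# so that weak settings are flagged, not just absence.
REQUIRED = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,          # >= 1 year
    "content-security-policy": lambda v: "default-src" in v and "unsafe-inline" not in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() not in ("", "unsafe-url", "no-referrer-when-downgrade"),
}

# Headers that commonly carry a version string and help an attacker pick an exploit.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


@dataclass
class Report:
    missing: list = field(default_factory=list)
    weak: list = field(default_factory=list)
    leaky: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not (self.missing or self.weak or self.leaky)


def check_headers(headers: dict) -> Report:
    """Return a Report of missing, weakly configured and information-leaking headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    report = Report()
    for name, is_strong in REQUIRED.items():
        if name not in lower:
            report.missing.append(name)
        elif not is_strong(lower[name]):
            report.weak.append(name)
    for name in BANNER_HEADERS:
        # A bare product name is tolerable; a version number is not.
        if name in lower and any(ch.isdigit() for ch in lower[name]):
            report.leaky.append(f"{name}: {lower[name]}")
    return report


# Constructed sample: a typical "default install" response.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}

# The same response after hardening.
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        r = check_headers(hdrs)
        print(label, "OK" if r.ok else f"missing={r.missing} weak={r.weak} leaky={r.leaky}")
```

Run against the weak sample it reports three missing headers, a too-short HSTS lifetime, a non-standard X-Frame-Options value and a leaking Server banner; the hardened sample passes clean. The CSP check is deliberately crude (it only looks for default-src and unsafe-inline); a real policy review needs a proper CSP parser.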
Old vulnerabilities: Expect attackers to keep using old vulnerabilities in 2023, because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will remain worth investing time in reviving known vulnerabilities before looking for novel ones. Many companies do not patch their systems in reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also being developed: approximately 50% of the 0-days observed in the first half of 2022 were variants of previously patched vulnerabilities.
Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology across all industries has brought ever-increasing cyberattacks targeting businesses, governments and individuals alike. Lack of knowledge, failure to maintain employees’ skills, and indifference are the biggest obstacles to developing many companies’ cyber security. Security screening and limiting who has access to your data are both important aspects of personnel security, but they will only get you so far.
Cloud: At a hyperscale cloud provider there can be several thousand people working around the globe who could potentially access your data. Screening and access limits alone still leave a significant risk of malicious or accidental access to data. You should instead expect your cloud provider to take a more layered approach.
MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor authentication fatigue is real. In an MFA fatigue attack, a cybercriminal who already holds the victim’s valid password attempts to gain access to a corporate network by bombarding the user with MFA push prompts until they finally accept one. The attempt can succeed especially when the target is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
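The attack leaves a clear trace in the identity provider’s sign-in log: a burst of denied or unanswered push prompts for one user, and, in the bad case, an approval right after the burst. The detector below is an added example (not from the page or any vendor) that runs that logic over sample log lines. The log format, the ten-minute window and the threshold of five prompts are my assumptions; map them to your own IdP’s fields and tune the numbers to your baseline.

```python
"""Detect MFA push-fatigue bursts in sign-in logs (added example, not from the page).

Log format ('TIMESTAMP key=value ...'), window and threshold are assumptions;
the sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per user
THRESHOLD = 5                    # denied/timed-out pushes in WINDOW that count as a burst


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def detect_mfa_fatigue(lines):
    """Return a list of (user, kind, timestamp) alerts.

    kind is 'burst' the moment a user's denied/timed-out push count within
    WINDOW reaches THRESHOLD, and 'approved_after_burst' when an approval
    arrives while such a burst is still inside the window, which is the signal
    that the attacker most likely got in and the session should be revoked.
    """
    pending = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    alerted = set()                # users already alerted for the current burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("method") != "push":
            continue
        user, ts, result = ev["user"], ev["ts"], ev["result"]
        q = pending[user]
        while q and ts - q[0] > WINDOW:      # expire prompts older than the window
            q.popleft()
        if result in ("MFA_DENIED", "MFA_TIMEOUT"):
            q.append(ts)
            if len(q) >= THRESHOLD and user not in alerted:
                alerts.append((user, "burst", ts))
                alerted.add(user)
        elif result == "MFA_APPROVED":
            if len(q) >= THRESHOLD:
                alerts.append((user, "approved_after_burst", ts))
            q.clear()                        # an approval ends the episode either way
            alerted.discard(user)
    return alerts


# Constructed sample log: alice is bombarded from one IP and finally approves;
# bob declines one ordinary prompt and later approves a normal login.
SAMPLE_LOG = [
    "2023-01-10T08:00:05Z user=alice result=MFA_DENIED method=push ip=203.0.113.5",
    "2023-01-10T08:00:40Z user=alice result=MFA_TIMEOUT method=push ip=203.0.113.5",
    "2023-01-10T08:01:10Z user=bob result=MFA_DENIED method=push ip=198.51.100.7",
    "2023-01-10T08:01:30Z user=alice result=MFA_DENIED method=push ip=203.0.113.5",
    "2023-01-10T08:02:00Z user=alice result=MFA_TIMEOUT method=push ip=203.0.113.5",
    "2023-01-10T08:02:45Z user=alice result=MFA_DENIED method=push ip=203.0.113.5",
    "2023-01-10T08:03:20Z user=bob result=MFA_APPROVED method=push ip=198.51.100.7",
    "2023-01-10T08:04:00Z user=alice result=MFA_APPROVED method=push ip=203.0.113.5",
]

if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the sample, alice trips the burst alert at the fifth prompt and then an approved_after_burst alert; bob never does. The preventive control is stronger than the detective one: number matching or a phishing-resistant factor removes the attacker’s ability to win by persistence at all.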
Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma in a password can make it harder for cybercriminals to use if it leaks: a comma can break up tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
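It is worth being precise about what the comma trick does and does not buy you. The added example below (my code, not from the page or the cited article) builds two constructed dump lines for the same leaked password, one written by a careless script that just joins fields with commas and one written by a CSV-aware tool, and parses each with a naive split and with a real CSV parser.

```python
"""How a comma in a leaked password interacts with CSV credential dumps
(added example, not from the original page). The dump lines are constructed.
"""
import csv
import io


def naive_parse(line: str) -> dict:
    """The lazy parser a credential-stuffing script might use."""
    email, password = line.split(",")[:2]   # silently drops everything after the 2nd comma
    return {"email": email, "password": password}


def proper_parse(line: str) -> dict:
    """RFC 4180-style parsing via the csv module, which honours quoting."""
    email, password = next(csv.reader([line]))[:2]
    return {"email": email, "password": password}


def dump_line(email: str, password: str) -> str:
    """Write one record the way a CSV-aware exfiltration tool would (quotes when needed)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow([email, password])
    return buf.getvalue()


EMAIL, PASSWORD = "alice@example.test", "correct,horse,battery"

UNQUOTED_LEAK = f"{EMAIL},{PASSWORD}"      # careless script: fields joined with commas
QUOTED_LEAK = dump_line(EMAIL, PASSWORD)   # csv module: the password field is quoted

if __name__ == "__main__":
    for label, line in (("unquoted", UNQUOTED_LEAK), ("quoted", QUOTED_LEAK)):
        print(label, "| naive:", naive_parse(line)["password"],
              "| csv:", proper_parse(line)["password"])
```

When the dump was written carelessly, the comma truncates the password for every parser, which is the effect the article is counting on. When the dump was written with a proper CSV writer, the field is quoted and a real CSV parser recovers the password intact; only a naive split still gets it wrong. So the comma is a cheap nuisance for sloppy tooling, not a substitute for length and uniqueness.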
EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor, Network and Information Security 2 (NIS2), was approved by MEPs in late 2022. The new rules, which require EU countries to meet stricter supervisory and enforcement measures and to harmonise their sanctions, will start to affect security decisions in 2023. They set tighter cybersecurity obligations for risk management, reporting and information sharing, and cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. They also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors fall under the legislation. The NIS Directive has already affected operators’ cybersecurity budgets over the past year, with deep-dives into the energy and health sectors; see Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the cybersecurity community has treated the CPGs as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT in their cybersecurity strategy and focus solely on IT systems; in the critical infrastructure sectors especially, overlooking OT poses serious risks to all operations. For that reason the CPGs are explicitly scoped to include OT devices.
Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next release, Android 14. Google Play now lets children send purchase requests to guardians.
Losing the trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers: Microsoft, Mozilla and Google are dropping TrustCor Systems as a root certificate authority in their products.
Need for better communication: At a time when fewer than a fifth (18%) of risk and compliance professionals say they are very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication, not to mention understanding, must be improved.
Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.
Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.
Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing than office workers.
Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.
Zero trust: Many people think zero trust is close to an optimal security practice in 2023. It is good for new systems that fit its model, but zero trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal argues that the zero trust model starts to erode when the resources of two corporations need to work together: federated activity, from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, the article says, we need to flip the concept of zero trust on its head and evaluate network interactions in terms of risk. That’s where identity-first networking comes in: for a network request to be accepted, it needs both an identity and explicit authorization, and System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this, securely automating the exchange of user identities between cloud applications, diverse networks and service providers.
Poor software: There will be a lot of poor software in use in 2023, and it will cost a lot of money. Poor software costs the US $2.4 trillion: cyberattacks exploiting existing vulnerabilities, complex software supply chain issues and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.
Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A Microsoft Edge update will permanently disable the Internet Explorer 11 desktop browser on some Windows 10 systems in February: “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated.”
Google Workspace: Google Workspace gets client-side encryption in Gmail; the long-awaited client-side encryption for Gmail is now available in beta. Google is letting businesses try it out, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many other Workspace services.
Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use the device’s screen lock (a biometric or PIN) to authenticate users and are meant to replace passwords, which are easily compromised. Passkeys work cross-platform with both applications and websites. They offer the same experience as password autofill but provide passwordless authentication: they cannot be reused across sites, they don’t leak in server breaches (the server stores only a public key), and they protect users from phishing because a passkey is bound to the site it was registered for. Passkeys are only available on websites that support them via the WebAuthn API.
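The phishing resistance comes from checks that are baked into the protocol rather than left to the user. The added example below (my code; not Chrome’s, not any WebAuthn library’s, and not from the page) shows the relying-party side of a passkey login: it verifies that the assertion’s clientDataJSON carries the expected challenge and the genuine origin, and that the rpIdHash in authenticatorData matches the site’s own domain, so an assertion produced on a lookalike domain is rejected. The ceremony data is constructed; the signature check over authenticatorData and the hash of clientDataJSON with the stored public key is assumed to follow and is not shown. In a real attack the browser would refuse to produce an assertion for the wrong domain in the first place; the server-side check is the second line of defence.

```python
"""Relying-party checks that make a passkey login phishing-resistant
(added example, not from the original page, Chrome or any WebAuthn library).

Verifies the binding parts of a WebAuthn assertion: the challenge and origin in
clientDataJSON and the rpIdHash in authenticatorData. The signature verification
with the stored public key is assumed to follow and is not shown. All data is
constructed.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "bank.example"                       # domain the passkey was registered for
ALLOWED_ORIGINS = {"https://bank.example"}   # origins permitted to use it
FLAG_UP = 0x01                               # user-presence bit in the flags byte


def b64url(data: bytes) -> str:
    """WebAuthn encodes binary values as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_auth_data(rp_id: str, sign_count: int = 1) -> bytes:
    """authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP]) + sign_count.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> tuple:
    """Return (ok, reason), following the order of the WebAuthn verification steps."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed (phishing site?)"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    return True, "ok"


# Constructed ceremony: the server issued CHALLENGE; the genuine site and a
# lookalike domain each try to complete the login with it.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
GENUINE = (make_client_data(CHALLENGE, "https://bank.example"), make_auth_data(RP_ID))
PHISHED = (make_client_data(CHALLENGE, "https://bank-example.test"), make_auth_data("bank-example.test"))

if __name__ == "__main__":
    print("genuine :", verify_assertion(*GENUINE, CHALLENGE))
    print("phished :", verify_assertion(*PHISHED, CHALLENGE))
    print("replayed:", verify_assertion(*GENUINE, secrets.token_bytes(16)))
```

Compare this with a one-time code: the code is just a string the user can be talked into typing anywhere, while the passkey assertion carries the origin and rpIdHash inside the signed data, so there is nothing for a proxy site to relay.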
War risks: Expect the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, says an ex-NATO general, and the risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.
Cloud takeover: The AWS Elastic IP transfer feature gives cyberattackers free range. An attacker who has compromised an AWS account can transfer its Elastic IP addresses to an account they control; because DNS records keep pointing at the address, they can then use it to steal data, or as command-and-control for phishing, denial of service or other attacks.
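Because the transfer is an ordinary EC2 API call, it shows up in CloudTrail, which is where to look for it. The script below is an added example (not AWS code and not from the article) that scans trimmed CloudTrail records for EnableAddressTransfer and AcceptAddressTransfer events and rates a transfer towards an unknown account as high severity. The event names match the EC2 API actions; the request parameter names (allocationId, transferAccountId), the trusted-account allow-list and the records themselves are my assumptions and constructed data.

```python
"""Flag Elastic IP transfer activity in CloudTrail (added example; not AWS code
and not from the original page).

Event names follow the EC2 API actions EnableAddressTransfer and
AcceptAddressTransfer. The requestParameters field names, the trusted-account
list and the records are assumptions/constructed data trimmed to the fields used.
"""
import json

TRUSTED_ACCOUNTS = {"111111111111"}   # accounts an EIP may legitimately move to
TRANSFER_EVENTS = {"EnableAddressTransfer", "AcceptAddressTransfer"}


def find_eip_transfers(records):
    """Return one finding per transfer-related EC2 event, with a severity."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in TRANSFER_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("transferAccountId")
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "?"),
            "allocation_id": params.get("allocationId"),
            "target_account": target,
            "source_ip": rec.get("sourceIPAddress"),
            # A transfer enabled towards an unknown account is the takeover signal.
            # AcceptAddressTransfer is logged in the receiving account and carries
            # no target, so it is rated medium and correlated by hand.
            "severity": "high" if target and target not in TRUSTED_ACCOUNTS else "medium",
        })
    return findings


def load_trail(text: str):
    """CloudTrail log files are JSON objects with a 'Records' list."""
    return json.loads(text)["Records"]


# Constructed records: a harmless describe call, a transfer to a foreign account
# by a CI user from an unusual IP, and a planned migration to a trusted account.
SAMPLE_TRAIL = """{"Records": [
 {"eventTime": "2023-01-05T10:12:01Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeAddresses",
  "userIdentity": {"arn": "arn:aws:iam::222222222222:user/ops"}, "sourceIPAddress": "198.51.100.9"},
 {"eventTime": "2023-01-05T10:12:33Z", "eventSource": "ec2.amazonaws.com", "eventName": "EnableAddressTransfer",
  "userIdentity": {"arn": "arn:aws:iam::222222222222:user/ci-deployer"}, "sourceIPAddress": "203.0.113.77",
  "requestParameters": {"allocationId": "eipalloc-0a1b2c3d4e5f67890", "transferAccountId": "999999999999"}},
 {"eventTime": "2023-01-05T11:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "EnableAddressTransfer",
  "userIdentity": {"arn": "arn:aws:iam::222222222222:role/migration"}, "sourceIPAddress": "198.51.100.9",
  "requestParameters": {"allocationId": "eipalloc-0f1e2d3c4b5a69788", "transferAccountId": "111111111111"}}
]}"""

if __name__ == "__main__":
    for f in find_eip_transfers(load_trail(SAMPLE_TRAIL)):
        print(f["severity"].upper(), f["time"], f["actor"], "->", f["target_account"], f["allocation_id"])
```

Detection is the fallback; the preventive control is to deny the ec2:EnableAddressTransfer action to everything except a dedicated migration role, for instance with a service control policy, so a compromised CI credential cannot move addresses at all.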
ICS: ICS and SCADA systems remain trending attack targets in 2023.
Code security: Microsoft-owned code hosting platform GitHub has announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. Secret scanning helps developers and organizations identify exposed secrets and credentials in their code; in 2022 it identified 1.7 million potential secrets exposed in public repositories. The feature is now free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
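A scanner of this kind is mostly two things: patterns for known token formats, and an entropy heuristic for the credentials that have no recognisable prefix. The added example below (my code, not GitHub’s scanner) runs both over a constructed config file and shows the cases that matter in practice: a well-known test AWS key, a high-entropy API token under a generic name, a PEM private key header, and two non-findings (a short default password and a token that is assembled from the environment at runtime rather than hard-coded). The patterns are modelled on public token formats and are assumptions, not GitHub’s rules.

```python
"""A minimal secret scanner of the kind that runs on pushes (added example;
not GitHub's code and not from the original page). Patterns are assumptions
modelled on public token formats; the sample file is constructed.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch-all: a credential-looking assignment whose quoted value is long
# and high-entropy. No leading word boundary so DB_PASSWORD and API_TOKEN match.
ASSIGNMENT = re.compile(r"(?i)(?:secret|password|passwd|token|api_?key)\s*[:=]\s*['\"]([^'\"]{12,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above prose or default values."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, kind, match) for each suspected secret in `text`."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((n, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            already = any(h[0] == n for h in hits)      # a known format wins over the heuristic
            if not already and shannon_entropy(value) >= entropy_threshold:
                hits.append((n, "high_entropy_assignment", value))
    return hits


# Constructed sample file. Line 2 uses Amazon's documented example key.
SAMPLE = """\
# config.py (constructed)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme"
API_TOKEN = "q7Fz9kLm2XpR8vT4wYbN6cHd"
GITHUB_TOKEN = "ghp_" + os.environ["GH_TOKEN"]
WELCOME = "password"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, kind, match in scan(SAMPLE):
        print(f"line {line_no}: {kind}: {match}")
```

Lines 3, 5 and 6 are deliberately left alone: “changeme” is too short and low-entropy to be worth an alert, the GitHub token is read from the environment rather than committed, and “password” as a value is a word, not a secret. Tuning the threshold is the whole game; too low and every base64 blob becomes an alert that developers learn to ignore.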
Data destruction: We must develop a cloud-compatible way of doing data destruction that meets security standards. Perhaps cloud providers can offer a service for this, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and plenty of companies would be eager to pay for one, provided appropriate certificates of destruction were issued.
PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard brings a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, meaning security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. That changes with the release of PCI DSS 4.0: many of the new requirements focus on client-side security.
SHA-1: NIST is retiring the SHA-1 cryptographic algorithm; not fully in 2023, but the preparations for the phase-out start now. The venerable cryptographic hash function has weaknesses that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the computing capabilities of today’s systems can attack the algorithm using what is referred to as a ‘collision’ attack. SHA-1 (Secure Hash Algorithm 1) has been in use since 1995 as part of a Federal Information Processing Standard, and NIST has announced that it should be phased out by December 31, 2030, in favor of the more secure SHA-2 and SHA-3 families of algorithms. NIST recommends that IT professionals start replacing the 27-year-old SHA-1 with newer, more secure algorithms. Because SHA-1 underlies numerous security applications, the phase-out will take many years. The practical break is a collision attack, so the urgent cases are uses that depend on collision resistance, such as digital signatures over certificates or documents; HMAC-SHA1 is not broken by collisions, but NIST’s 2030 plan removes SHA-1 from the standard altogether. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from SHA-1, and certificate authorities stopped issuing SHA-1 certificates as of January 1, 2017.
Cloud: Is cloud native security good enough? Cloud native technologies give organizations the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. In spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.
Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. Ethical hackers enable countless businesses and individuals to improve their security posture and minimize their attack risk. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because self-taught hackers are at constant risk of failing to perform properly and many companies might not want to hire them.
MFA: Two-factor authentication might not be enough in 2023 for applications that need strong security. In the past few months we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft. So for some demanding users 2FA is over; long live 3FA! In practice the answer is less about adding a third factor than about choosing a phishing-resistant one, such as a FIDO2 security key or passkey, since a one-time code or push approval can be captured or coaxed out of the user just like a password.
Cloud APIs: With cloud comes APIs, and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds cloud applications and infrastructure together, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots: about 40% of companies have suffered an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, and more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.
Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or other malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining people with the required skills. There is a significant skills gap and a clear need to hire cyber security experts in organizations across the world.
VPN: Is enterprise VPN on life support or ripe for reinvention? To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs), which connected remote employees to critical business operations at the corporate site. But as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead”, as some industry analysts and pundits claim, or do they simply need a refresh? Time will tell, and this will be discussed in 2023.
AI: Corporations have discovered the power of artificial intelligence (AI) to transform what’s possible in their operations. But with great promise comes great responsibility, and a growing imperative for monitoring and governance: “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”
AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that pushed the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly that they felt compelled to take their own life?
Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the report Policing in the metaverse: what law enforcement needs to know for more information.
Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed many cryptocurrency-related risks being realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.
Insurance: Getting cyber insurance may become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now cyber is the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure, and there is growing concern among industry executives about large-scale attacks. As well as pushing up prices, some insurers have responded by tweaking policies so that clients retain more of the losses. Policies already written in the market include exemptions for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow; recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.
Sources:
Expert advises using a comma in your password – there is a clever logic behind it (in Finnish: Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka)
Overseeing artificial intelligence: Moving your board from reticence to confidence
Android is adding support for updatable root certificates amidst TrustCor scare
Google Play now lets children send purchase requests to guardians
Diligent’s outlook for 2023: Risk is the trend to watch
Microsoft will turn off Exchange Online basic auth in January
Google is letting businesses try out client-side encryption for Gmail
Google Workspace Gets Client-Side Encryption in Gmail
The risk of escalation from cyberattacks has never been greater
Client-side encryption for Gmail available in beta
AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Microsoft: Edge update will disable Internet Explorer in February
Is Cloud Native Security Good Enough?
Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023
Google Chrome preparing an option to block insecure HTTP downloads
Cyber attacks set to become ‘uninsurable’, says Zurich chief
The Dark Risk of Large Language Models
Police Must Prepare For New Crimes In The Metaverse, Says Europol
Policing in the metaverse: what law enforcement needs to know
Cyber as important as missile defences – an ex-NATO general
Misconfigurations, Vulnerabilities Found in 95% of Applications
Personnel security in the cloud
Multi-factor auth fatigue is real – and it’s why you may be in the headlines next
MFA Fatigue attacks are putting your organization at risk
NIS2 approved – stricter cyber security requirements for EU countries (in Finnish: NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset)
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
Poor software costs the US 2.4 trillion
Passkeys Now Fully Supported in Google Chrome
Google Takes Gmail Security to the Next Level with Client-Side Encryption
Executives take more cybersecurity risks than office workers
NIST Retires SHA-1 Cryptographic Algorithm
NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm
WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections
Over 85% of Attacks Hide in Encrypted Channels
GitHub Announces Free Secret Scanning, Mandatory 2FA
Leaked a secret? Check your GitHub alerts…for free
Data Destruction Policies in the Age of Cloud Computing
Why PCI DSS 4.0 Should Be on Your Radar in 2023
Google: With Cloud Comes APIs & Security Headaches
Digesting CISA’s Cross-Sector Cybersecurity Performance Goals
Zero Trust Shouldnt Be The New Normal
Don’t click too quick! FBI warns of malicious search engine ads
FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
There is an acute shortage of cyber security professionals (in Finnish: Kyberturvan ammattilaisista on huutava pula)
Tomi Engdahl says:
Redfly: Espionage Actors Continue to Target Critical Infrastructure https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks
Espionage actors are continuing to mount attacks on critical national infrastructure (CNI) targets, a trend that has become a source of concern for governments and CNI organizations worldwide. Symantec’s Threat Hunter Team has found evidence that a threat actor group Symantec calls Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year. The attackers managed to steal credentials and compromise multiple computers on the organization’s network.
The attack is the latest in a series of espionage intrusions against CNI targets. In May 2023, the U.S., UK, Australian, Canadian, and New Zealand governments issued a joint alert about threat actors targeting CNI organizations in the U.S. using techniques that could potentially be replicated against targets in other countries. The alert followed Microsoft’s report on Volt Typhoon, an espionage actor that compromised several critical infrastructure organizations in the U.S.
Tomi Engdahl says:
Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities
Windows arbitrary file deletion vulnerabilities should no longer be considered mere annoyances or tools for Denial-of-Service (DoS) attacks. Over the past couple of years, these vulnerabilities have matured into potent threats capable of unearthing a portal to full system compromise. This transformation is exemplified in CVE-2023-27470 (an arbitrary file deletion vulnerability in N-Able’s Take Control Agent with a CVSS Base Score of 8.8) demonstrating that what might initially seem innocuous can, in fact, expose unexpected weaknesses within your system.
As a follow up to the Escalating Privileges via Third-Party Windows Installers blog post, this post will delve further into the realm of file-based local privilege escalation attacks. We will unravel and showcase how Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerabilities could enable attackers to delete files on a Windows system and demonstrate how they can subsequently be leveraged to secure an elevated Command Prompt. Furthermore, we will equip software developers with the knowledge to counteract these potential threats.
Tomi Engdahl says:
10 years ago, Apple finally convinced us to lock our phones https://www.theverge.com/23868464/apple-iphone-touch-id-fingerprint-security-ten-year-anniversary
Every phone you pick up today has a fingerprint scanner, a face scanner, an option for PINs with four, six, or more digits, and often all of them at once.
Phones prompt you to set up a scan and a passcode the first time you turn them on, and you’d be hard-pressed to find anyone who doesn’t have some form of security set up.
But go back just 10 years, and the story was very different. Back when our phones were still used almost entirely as phones and not teeny personal computers, most of the “locking” features on mobile devices were designed more to prevent you from butt-dialing anyone than to protect your sensitive information.
It wasn’t until the iPhone 5S came along — 10 years ago this month — that everything changed.
Tomi Engdahl says:
Criminals Are Allegedly Using Apple AirTags To Track Illegal Weapons https://www.forbes.com/sites/thomasbrewster/2023/09/12/apple-airtags-used-to-track-illegal-weapons-dhs-says/
In November last year, Customs and Border Protection intercepted a package en route from Illinois to Israel. It contained a George Foreman Grill — innocuous enough. But when agents X-rayed the item and opened it up, they found rifle barrels wrapped in tinfoil and an Apple AirTag.
When Apple launched the dime-sized location tracking devices in 2021, they were pitched as a cheap piece of tech to help you keep tabs on your belongings, like luggage, keys and wallets. But AirTags and similar devices like Tile have also been put to use by criminals, most notably stalkers.
Now, CBP inspectors claim to have found evidence of another illicit use for AirTags: helping illegal weapons smugglers keep tabs on their shipments, according to a search warrant for an Apple iCloud account linked to the trackers that was obtained by Forbes.
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Symantec: Chinese cyberespionage group Redfly used the ShadowPad trojan to compromise a national grid in an Asian country from February 28 until August 3, 2023
‘Redfly’ hackers infiltrated power supplier’s network for 6 months
https://www.bleepingcomputer.com/news/security/redfly-hackers-infiltrated-power-suppliers-network-for-6-months/
An espionage threat group tracked as ‘Redfly’ hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months.
These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization’s network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers.
The ShadowPad variant seen in the attacks masquerades its components (exe and dll) as VMware files, dropping them on the victim’s filesystem.
The program also achieves persistence by creating services named after VMware again, set to launch the malicious executable and DLL upon system boot.
The lengthy dwell period seen in this attack is characteristic of espionage actors who infect systems and keep a low profile to collect as much intelligence as possible.
While the attackers’ intent to disrupt the power supply remains uncertain, the potential risk poses a significant threat.
“Attacks against CNI targets are not unprecedented. Almost a decade ago, Symantec uncovered the Russian-sponsored Dragonfly group’s attacks against the energy sector in the U.S. and Europe,” concluded Symantec’s report.
“More recently, the Russian Sandworm group mounted attacks against the electricity distribution network in Ukraine that were directed at disrupting electricity supplies.”
Redfly: Espionage Actors Continue to Target Critical Infrastructure
National grid in Asia compromised by attackers using ShadowPad Trojan.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks
Espionage actors are continuing to mount attacks on critical national infrastructure (CNI) targets, a trend that has become a source of concern for governments and CNI organizations worldwide. Symantec’s Threat Hunter Team has found evidence that a threat actor group Symantec calls Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year. The attackers managed to steal credentials and compromise multiple computers on the organization’s network.
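The persistence trick described above (ShadowPad components named after VMware, registered as VMware-sounding services) is something a defender can hunt for from a service inventory alone. The Python below is an added example, not code from Symantec or BleepingComputer: it flags any service whose name borrows the VMware brand but whose binary runs from outside the directories where VMware components are normally installed. The service records, the trusted-directory list and the input shape (name, display name, ImagePath, as you would get from exporting Get-CimInstance Win32_Service) are assumptions constructed for illustration.

```python
"""Hunt for services that borrow a VMware name but run from an unexpected path.

Added example, not code from Symantec or BleepingComputer. The service records
below are constructed; a real run would feed in the host's service inventory
(for example an export of Get-CimInstance Win32_Service) in the same shape.
"""
import re

# Assumption: directories where genuine VMware components are installed.
# Compared case-insensitively against the service binary's path.
TRUSTED_VMWARE_DIRS = (
    "c:\\program files\\vmware\\",
    "c:\\program files (x86)\\vmware\\",
    "c:\\program files\\common files\\vmware\\",
)

VMWARE_NAME = re.compile(r"vmware|vmtools", re.IGNORECASE)


def binary_path(image_path: str) -> str:
    """Return just the executable from a service ImagePath.

    Handles both quoted paths with arguments ("C:\\x y\\a.exe" /svc) and
    unquoted paths with spaces (C:\\Program Files\\a.exe -k).
    """
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p.split()[0]


def suspicious_services(services):
    """Flag VMware-named services whose binary lives outside the trusted dirs."""
    findings = []
    for svc in services:
        haystack = f'{svc["name"]} {svc.get("display_name", "")}'
        if not VMWARE_NAME.search(haystack):
            continue
        exe = binary_path(svc["image_path"]).lower()
        if not any(exe.startswith(d) for d in TRUSTED_VMWARE_DIRS):
            findings.append({
                "name": svc["name"],
                "exe": exe,
                "reason": "VMware-named service runs from outside VMware install directories",
            })
    return findings


# Constructed sample inventory: one genuine VMware Tools service, one
# masquerading service dropped under ProgramData, one unrelated service.
SAMPLE_SERVICES = [
    {"name": "VMTools", "display_name": "VMware Tools",
     "image_path": '"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"'},
    {"name": "VMwareUpdate", "display_name": "VMware Update Service",
     "image_path": "C:\\ProgramData\\VMware\\vmupdate.exe -k"},
    {"name": "Spooler", "display_name": "Print Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    for f in suspicious_services(SAMPLE_SERVICES):
        print(f'{f["name"]}: {f["exe"]} ({f["reason"]})')
```

The path check is only the first signal. Because the variant described above ships as an exe/dll pair, the next things to look at for any hit are the Authenticode signature of the executable and whatever DLL sits beside it in the same directory.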
Tomi Engdahl says:
Security Team Huddle: Using the Full NIST Cybersecurity Framework for the Win
https://www.securityweek.com/security-team-huddle-using-the-full-nist-cybersecurity-framework-for-the-win/
Just as a professional football team needs coordination, strategy and adaptability to secure a win on the field, a well-rounded cybersecurity strategy must address specific challenges and threats.
Tomi Engdahl says:
Finding Your Way in Cloud Security
https://www.securityweek.com/finding-your-way-in-cloud-security/
The next time you see CNAPP, CASB, WAAS, CSPM or many of the other phrases, it will be helpful to take a deep breath and realize enterprise security has never been a binary one or zero.
Workloads: These are your running, high-value applications that process data. Think about what data is exposed and how they communicate with each other and externally.
Identity: This is the who or what that touches every point of your infrastructure, things like developers or service accounts. Think about how these are managed, verified, and have their permissions reduced.
Posture: This is the many configurations, settings, networking, security groups and all of the millions of other pieces that exist within one or more architectures. Think about how these settings are checked and verified continually.
Enterprise: This is the pipeline, code, deployment and integration before the workloads are active. Think about how your supply chain works and how to find issues early.
The next time you see CNAPP, CASB, WAAS, CSPM or many of the other phrases, it will be helpful to take a deep breath and realize enterprise security has never been a binary one or zero. It’s never a question of do you have this or that.
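The "posture" item above asks how configurations such as security groups are checked and verified continually. As an added example, not code from SecurityWeek or from any CSPM product, the Python below evaluates a set of security-group ingress rules for admin ports exposed to the whole internet and diffs two snapshots so that only new exposures surface. The group records are constructed, and their shape (an id plus ingress rules with protocol, from_port, to_port and cidr) is an assumption that only mirrors how cloud providers describe such rules, not any provider's actual API.

```python
"""Posture check: ingress rules that expose admin ports to the whole internet.

Added example, not code from SecurityWeek or any CSPM product. The security
group records are constructed, and their shape (id plus a list of ingress
rules with protocol, from_port, to_port, cidr) is an assumption that only
mirrors how cloud providers describe such rules.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}


def exposed_admin_ports(rule):
    """Admin ports that one ingress rule opens to the whole internet."""
    if rule["cidr"] not in WORLD_CIDRS:
        return []
    if rule["protocol"] == "all":            # every protocol and port
        return sorted(ADMIN_PORTS)
    if rule["protocol"] != "tcp":
        return []
    lo, hi = rule["from_port"], rule["to_port"]
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]


def open_admin_rules(security_groups):
    """Evaluate every group and return one finding per exposed admin port."""
    findings = []
    for sg in security_groups:
        for rule in sg["ingress"]:
            for port in exposed_admin_ports(rule):
                findings.append({
                    "sg": sg["id"], "port": port,
                    "service": ADMIN_PORTS[port], "cidr": rule["cidr"],
                })
    return findings


def new_findings(previous, current):
    """Findings in the current snapshot that were absent from the previous one.

    Running the check continually and diffing snapshots is what turns a
    one-off audit into posture management.
    """
    seen = {(f["sg"], f["port"], f["cidr"]) for f in previous}
    return [f for f in current if (f["sg"], f["port"], f["cidr"]) not in seen]


# Constructed snapshot: HTTPS open to the world is expected for a web tier,
# SSH from one office range is fine, the other two groups are findings.
SAMPLE_GROUPS = [
    {"id": "sg-web", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"}]},
    {"id": "sg-legacy", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "ingress": [
        {"protocol": "all", "from_port": None, "to_port": None, "cidr": "::/0"}]},
]

if __name__ == "__main__":
    for f in open_admin_rules(SAMPLE_GROUPS):
        print(f'{f["sg"]}: {f["service"]} ({f["port"]}/tcp) open to {f["cidr"]}')
```

The port list is deliberately short; a real check would also cover database and management ports and would read the rules from the provider's API rather than from a literal.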
Tomi Engdahl says:
Most people do not recognize a phishing site
https://etn.fi/index.php/13-news/15308-useimmat-eivaet-tunnista-tietojenkalastelusivustoa
An analysis by security company NordLayer reveals the ten most common cybersecurity mistakes employees make. Today over 90% of all cyberattacks begin with a phishing message. Worryingly, most people do not recognize the phishing sites these lead to.
Organizations do not consist only of routers, servers and networks, but also of people. Sometimes employee carelessness can lead to cyberattacks, because deceiving a person is always easier and requires far less technical knowledge than fooling an advanced security system, and hackers know it.
Tomi Engdahl says:
Chrome browser extensions are users' new nuisance
https://etn.fi/index.php/13-news/15309-chromen-selainlaajennukset-kaeyttaejien-uusi-riesa
Check Point Software reports in its August malware review that a new Shampoo campaign targeting Chrome users is spreading malicious browser extensions. The Qbot banking trojan, taken down in an FBI-led operation, still held its place in August as the most common malware both worldwide and in Finland.
Shampoo spreads ads that carry malicious browser extensions. The ChromeLoader browser hijacker was first detected in 2022. In the Shampoo campaign, victims are tricked into running VBScript files that install malicious Chrome extensions. Once installed, they can collect personal data and disrupt browsing with unwanted ads.
In August, the FBI announced that it had succeeded in a major global operation against Qbot (also known as Qakbot).
Tomi Engdahl says:
White House urging dozens of countries to publicly commit to not pay ransoms https://therecord.media/counter-ransomware-initiative-members-ransom-payments-statement
The U.S. National Security Council (NSC) is urging the governments of all countries participating in the International Counter Ransomware Initiative
(CRI) to issue a joint statement announcing they will not pay ransoms to cybercriminals, according to three sources with knowledge of the plans.
CRI’s 47 members will convene in Washington for its annual summit on October 31, according to public comments from NSC officials. At least one of the three sources said the White House’s goal is to have the statement in place before the summit. However, it is unclear if that timeline will be possible given the evolving nature of the effort.
The statement would apply to the participating governments themselves, not to companies and other organizations.
Tomi Engdahl says:
“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments https://securityintelligence.com/posts/adversaries-use-valid-credentials-compromise-cloud-environments/
Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past year. Improper use of credentials made up the top cause of cloud compromises that X-Force responded to in the past year, reaffirming the need for businesses to double down on hardening their credential management practices.
Tomi Engdahl says:
Dutch Groups Launch Major Privacy Lawsuit Against Google https://www.forbes.com/sites/emmawoollacott/2023/09/13/dutch-groups-launch-major-privacy-lawsuit-against-google/
Two Dutch consumer groups have launched a wide-ranging lawsuit against Google, alleging the company has been committing ‘large-scale privacy violations’.
The Consumers’ Association and the Foundation for the Protection of Privacy Interests claim the company has been collecting users’ online behavior and location data, without providing enough information or having obtained their permission.
The company then shares that information with hundreds of parties via its online advertising platform, they say. The data includes, for example, highly sensitive personal data about health, ethnicity and political preference.
Tomi Engdahl says:
Germany still lags in cybersecurity ‐ report reveals https://www.euractiv.com/section/cybersecurity/news/germany-still-lagging-behind-in-cybersecurity-%e2%80%90-report/
Since 2021, phishing cases increased the most out of all types of cybercrime, rising sixteen-fold globally, according to a cybersecurity report published on Monday (11 September).
Instances of identity theft were the second-biggest increase, up threefold since 2021.
In Germany, however, this huge threat increase is barely being addressed, and it ranks 18th out of 61 and far behind France and Spain.
“This shows again that there is still a lot of room for improvement,” Valentin Weber, Research Fellow at DGAP’s Centre for Geopolitics, Geo-economics and Technology, told Euractiv.
Tomi Engdahl says:
Threat landscape for industrial automation systems. Statistics for H1 2023 https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2023/110605/
In the first half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased from H2 2022 by just 0.3 pp to 34%.
That said, the percentage of attacked ICS computers dropped in Q1 2023, but then rose again in Q2 2023, reaching the highest quarterly figure since 2022 – 26.8%.
Tomi Engdahl says:
CISOs and Board Reporting – an Ongoing Problem
https://www.securityweek.com/cisos-and-board-reporting-an-ongoing-problem/
Boards often complain they receive overly-technical reports from management teams that fail to put governance in business and financial terms.
For CISOs to gain the support of the board, they must first translate and report highly technical cybersecurity concerns and solutions into a language that can be understood by less technical businesspeople. The quality of this reporting becomes directly proportional to the degree of board support and the subsequent implementation of enterprise cybersecurity.
CyberSaint, a risk management company, has talked to CISO members of the Advanced Cyber Security Center (ACSC) about this problem. The purpose was to uncover the challenges, opportunities, and effectiveness of risk reporting in large enterprises.
The primary challenges for CISOs are threefold: the technical complexity of the issues concerned, making it difficult for non-technical businesspeople to understand; the lack of any standard reporting metrics, making it difficult to compare performance across business units within an organization and industry peers in other organizations; and the time, expertise, and cost of reporting, causing many CISOs to resort to simple spreadsheets.
The three primary priorities that business leaders seek to understand are the management of strategic risk; the organization’s alignment with compliance requirements; and how cybersecurity purchases affect top-of-mind threats (such as ransomware).
Tomi Engdahl says:
https://www.securityweek.com/securityweek-to-host-cyber-ai-automation-summit/
Tomi Engdahl says:
https://www.securityweek.com/cisa-offering-free-vulnerability-scanning-service-to-water-utilities/
Tomi Engdahl says:
US Agencies Publish Cybersecurity Report on Deepfake Threats
https://www.securityweek.com/us-agencies-publish-cybersecurity-report-on-deepfake-threats/
CISA, FBI and NSA have published a cybersecurity report on deepfakes and recommendations for identifying and responding to such threats.
Several US government agencies on Tuesday published a cybersecurity information sheet focusing on the threat posed by deepfakes and how organizations can identify and respond to deepfakes.
Deepfake is a term used to describe synthetic media — typically fake images and videos. Deepfakes have been around for a long time, but advancements in artificial intelligence (AI) and machine learning (ML) have made it easier and less costly to create highly realistic deepfakes.
Deepfakes can be useful for propaganda and misinformation operations. For example, deepfakes of both Russia’s president, Vladimir Putin, and his Ukrainian counterpart, Volodymyr Zelensky, have emerged since the start of the war.
However, in their new report, the FBI, NSA and CISA warn that deepfakes can also pose a significant threat to organizations, including government, national security, defense, and critical infrastructure organizations.
“Organizations and their employees may be vulnerable to deepfake tradecraft and techniques which may include fake online accounts used in social engineering attempts, fraudulent text and voice messages used to avoid technical defenses, faked videos used to spread disinformation, and other techniques,” the agencies said.
https://media.defense.gov/2023/Sep/12/2003298925/-1/-1/0/CSI-DEEPFAKE-THREATS.PDF
Tomi Engdahl says:
How Next-Gen Threats Are Taking a Page From APTs
https://www.securityweek.com/how-next-gen-threats-are-taking-a-page-from-apts/
Cybercriminals are increasingly trying to find ways to get around security, detection, intelligence and controls as APTs start to merge with conventional cybercrime.
One of the ongoing threats that defenders have to deal with is APTs: advanced persistent threats. APT attackers use more complex tactics to compromise networks than a typical attacker might, such as the deployment of a Trojan or other straightforward software. For instance, an APT attacker may employ complex espionage techniques over an extended period of time and involve numerous individuals inside an organization to achieve their ultimate objective.
Although a company of any size could become a target, high-profile APT attacks have generally targeted notable companies, critical infrastructure or governments. However, we’re seeing these types of attacks being used beyond these specific types of targets, and it’s alarming that traditional cybercrime organizations are now using them, too. And what we’re increasingly seeing is that not only are these threats evolving, but bad actors are learning from these techniques and applying them to other types of attack methods.
Tomi Engdahl says:
CISA Releases Open Source Software Security Roadmap
https://www.securityweek.com/cisa-releases-open-source-software-security-roadmap/
CISA details its plan to support the open source software ecosystem and secure the use of open source software within the federal government.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published a new document detailing its plan to support the open source software (OSS) ecosystem and to secure the use of OSS by federal agencies.
According to the agency, OSS, which can be accessed, modified, and distributed by anyone, can drive higher-quality code and foster collaboration, but also poses high risks through wide-impact vulnerabilities, such as Log4Shell.
CISA’s Open Source Software Security Roadmap (PDF) details priorities in securing the OSS ecosystem, by establishing the agency’s role in this endeavor, driving visibility into the use and risks of open source software, reducing risks to federal agencies, and hardening the ecosystem.
https://www.cisa.gov/sites/default/files/2023-09/CISA-Open-Source-Software-Security-Roadmap-508c%20%281%29.pdf
Tomi Engdahl says:
China Says No Law Banning iPhone Use in Govt Agencies
https://www.securityweek.com/china-says-no-law-banning-iphone-use-in-govt-agencies/
China said it was following media reports about suspected security issues with iPhones but insisted there was no ban on its officials using the devices
Tomi Engdahl says:
CISA panel pitches idea of a National Cybersecurity Alert System
https://therecord.media/national-cybersecurity-alert-system-idea-cisa-panel
The U.S. needs a national cybersecurity alert system that would provide actionable information on threats and risks, according to a panel that advises the Cybersecurity and Infrastructure Security Agency (CISA).
Without specifying what such a system would look like or how it would behave, the panel found that “there is a genuine need for a national cybersecurity alert system that routinizes the 24/7 consideration and provisioning of cyber alerts.”
The Cybersecurity Advisory Committee (CSAC), led by former National Cyber Director Chris Inglis, created a subcommittee in March to investigate the prospect of a National Cybersecurity Alert System. The panel released its findings Wednesday at the CSAC’s virtual meeting, the third this year.
Tomi Engdahl says:
Unit 42 Attack Surface Threat Research: Constant Change in Cloud Contributes to 45% of New High/Critical Exposures Per Month https://unit42.paloaltonetworks.com/unit-42-2023-attack-surface-threat-report/
It’s challenging to ensure proper protection for your organization in an ever-changing, vulnerable environment. In our survey of over 250 organizations, we found that 80% of security exposures are found in cloud environments and 20% of cloud services change every month. Trying to get a handle on this sort of volatility is not easy, but it is vitally important.
Our 2023 Unit 42 Attack Surface Threat Report explores the global attack surface landscape based on observable data on exposures that are publicly accessible over the internet. It also offers recommendations on how organizations should approach active attack surface management.
Tomi Engdahl says:
Malware distributor Storm-0324 facilitates ransomware access https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.
Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.
Tomi Engdahl says:
Cybercrime Ecosystem Industrialises Ransom Attacks So Why Not Ban Payments?
https://www.forbes.com/sites/stewartroom/2023/09/14/cybercrime-ecosystem-industrialises-ransom-attacks-so-why-not-ban-payments/
Earlier this week the UK National Cyber Security Centre (“NCSC”), a wing of GCHQ and one of the world’s leading repositories of expert knowledge about cyber-attacks and cybercrime, published a White Paper on the ransomware cybercrime ecosystem. It provides fascinating insights into the rapidly evolving nature of the threats, with recommendations on preventive and protective measures that organisations can take to increase their resilience.
This publication was quickly followed by a Memorandum of Understanding between the NCSC and the Information Commissioner’s Office, about how they will work together to help improve cyber security.
Both publications, like countless others before them, demonstrate that there is a significant effort being made by public authorities to address ransomware attacks and other cyber risks. This pattern is mirrored around the world and rightly so: cybercrime in all its forms is a matter of utmost public importance and ransomware attacks are among the most disruptive of its variants, in terms of the effects felt.
Tomi Engdahl says:
Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
Since February 2023, Microsoft has observed password spray activity against thousands of organizations carried out by an actor we track as Peach Sandstorm (HOLMIUM). Peach Sandstorm is an Iranian nation-state threat actor who has recently pursued organizations in the satellite, defense, and pharmaceutical sectors around the globe. Based upon the profile of victim organizations targeted and the observed follow-on intrusion activity, Microsoft assesses that this initial access campaign is likely used to facilitate intelligence collection in support of Iranian state interests.
In cases where Peach Sandstorm successfully authenticated to an account, Microsoft observed the group using a combination of publicly available and custom tools for discovery, persistence, and lateral movement. In a small number of intrusions, Peach Sandstorm was observed exfiltrating data from the compromised environment.
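The campaign above is a password spray: many accounts, one or two guesses each, so that no single account trips a lockout. The Python below is an added example, not Microsoft's detection logic. It reads constructed authentication log lines, looks per source address for a window containing many distinct failing users with a low per-user attempt count, and then reports any account the same source later authenticated to successfully, which is the follow-on case the post describes. The log format, the sample lines and the thresholds are assumptions for illustration.

```python
"""Detect password spraying in authentication logs.

Added example, not Microsoft's detection logic. A spray differs from a brute
force by touching many accounts with only one or two guesses each, so the
detector looks per source address for a window with many distinct failing
users and a low per-user attempt count, then checks whether the same source
later authenticated successfully. Log format and sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: one spray (six users, one guess each, then a hit on
# erin), one brute force against a single account, one user's own typo.
SAMPLE_LOG = """\
2023-09-14T08:00:01Z src=203.0.113.10 user=alice result=FAIL
2023-09-14T08:00:07Z src=203.0.113.10 user=bob result=FAIL
2023-09-14T08:00:13Z src=203.0.113.10 user=carol result=FAIL
2023-09-14T08:00:19Z src=203.0.113.10 user=dave result=FAIL
2023-09-14T08:00:25Z src=203.0.113.10 user=erin result=FAIL
2023-09-14T08:00:31Z src=203.0.113.10 user=frank result=FAIL
2023-09-14T08:05:40Z src=203.0.113.10 user=erin result=SUCCESS
2023-09-14T08:01:00Z src=198.51.100.7 user=admin result=FAIL
2023-09-14T08:01:02Z src=198.51.100.7 user=admin result=FAIL
2023-09-14T08:01:04Z src=198.51.100.7 user=admin result=FAIL
2023-09-14T08:01:06Z src=198.51.100.7 user=admin result=FAIL
2023-09-14T08:01:08Z src=198.51.100.7 user=admin result=FAIL
2023-09-14T08:01:10Z src=198.51.100.7 user=admin result=FAIL
2023-09-14T08:02:00Z src=192.0.2.5 user=alice result=FAIL
2023-09-14T08:02:09Z src=192.0.2.5 user=alice result=SUCCESS
"""


def parse(lines):
    """Parse constructed log lines into time-sorted events; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "result": m["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return one alert per source that sprayed many accounts inside one window."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        (fails if e["result"] == "FAIL" else successes)[e["src"]].append(e)

    alerts = []
    for src, evs in fails.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            per_user = Counter(e["user"] for e in in_window)
            # Many distinct users but few tries per user is the spray signature;
            # many tries on one user is a brute force and is left to another rule.
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            # A success from the spraying source after the spray began is the
            # high-severity case: one of the guesses worked.
            compromised = sorted({s["user"] for s in successes[src] if s["ts"] >= first["ts"]})
            alerts.append({"src": src, "start": first["ts"],
                           "users": sorted(per_user), "compromised": compromised})
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse(SAMPLE_LOG.splitlines())):
        print(f'{a["src"]} sprayed {len(a["users"])} users from {a["start"]}; '
              f'compromised: {a["compromised"] or "none"}')
```

The thresholds are assumptions to tune to the size of the tenant. Sprays are frequently rotated across many source addresses, so in practice the same grouping is also worth running on user agent or ASN rather than on the source IP alone.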
Tomi Engdahl says:
Artificial Intelligence
Tech Industry Leaders Endorse Regulating Artificial Intelligence at Rare Summit in Washington
https://www.securityweek.com/tech-industry-leaders-endorse-regulating-artificial-intelligence-at-rare-summit-in-washington/
Tech executives discussed the idea of government regulations for artificial intelligence (AI) at an unusual closed-door meeting in the U.S. Senate on September 13th.
Tomi Engdahl says:
Management & Strategy
A One-Two Punch for Security ROI
https://www.securityweek.com/a-one-two-punch-for-security-roi/
Cost avoidance is a powerful way to kick-off ROI discussions. However, to quickly move beyond objections, shifting to a more tangible approach to calculate ROI can help.
Traditionally, as an industry, we rely heavily on metrics like the cost of a data breach as a tool to discuss return on investment (ROI). Third-party data provides a level of credibility when engaging in discussions about the need for specific capabilities to prevent specific types of attacks and avoid losses. But when decision makers start to dig a little deeper invariably questions arise, and pushback happens, like “what are the odds of that happening to us?” or “we aren’t that big”. It can be a stretch for decision makers to internalize the data and believe that it is relevant to them and their organization. Cost avoidance is not tangible for several reasons.
Challenges with cost avoidance
An in-depth study by CISA on the “Cost of a Cyber Incident: Systematic Review and Cross-Validation” discussed some of the challenges with gathering credible data on the cost of an incident. These include:
Relying on historical data. Only a fraction of successful attacks is publicly disclosed. Convenience sampling is not statistically representative. There is no way to know how many incidents went unreported and how they varied in type, size, scope, and impact from the sample used.
Extrapolating future potential losses. Adversaries adapt to changes in the cybersecurity environment and also shift their focus from one industry to another, which makes it extremely difficult to use historical data for future insights.
Variations in methodology. Estimates vary widely from one cost analysis to another based on the size of the target organization, their industry and region, as well as the regulatory environment and penalties. Additionally, “softer” factors such as reputational damage may be included in total costs, but how those factors are measured often isn’t clear.
Likelihood of the incident. Making the case for investment based solely on cost avoidance is amorphous because that data breach or specific type of incident may not happen to that organization, much less in a way that directly maps to how the cost was calculated.
Despite these challenges, cost avoidance is a powerful way to kick-off the ROI discussion. However, to quickly move beyond objections, shifting to a more tangible approach to calculate ROI can help.
Tomi Engdahl says:
Cyber Recovery + Cyber Posture = Complete Cyber Resilience
Tomi Engdahl says:
Threat Group Assessment: Turla (aka Pensive Ursa) https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Turla (aka Pensive Ursa, Uroburos, Snake) is a Russian-based threat group operating since at least 2004, which is linked to the Russian Federal Security Service (FSB). In this article, we will cover the top 10 most recently active types of malware in Pensive Ursa’s arsenal: Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack and TinyTurla.
Tomi Engdahl says:
Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
A hallmark of UNC3944 incidents is the use of smishing messages sent to employees of targeted organizations for stealing valid credentials. In the majority of cases where we identified the initial access vector, UNC3944 obtained access to the victim environment after a successful smishing attack.
After obtaining credentials, the threat actors have also impersonated employees on calls to victim organizations’ service desks in an attempt to obtain multi factor authentication (MFA) codes and/or password resets.
Tomi Engdahl says:
A new kind of phone terror is under way in Finland – up to thousands of calls to strangers from the victim's number https://www.is.fi/digitoday/tietoturva/art-2000009856630.html
The phenomenon is not new, but it became more active over the summer. According to Traficom development manager Lauri Isotalo, several scam campaigns may be running at once. Number spoofing is reportedly sold as a service, which makes it easily available to criminals and stalkers alike.
A solution to the problem is due in about two weeks. Traficom is obliging telecom operators to block the spoofing of the caller's number and the forwarding of scam calls to the people being called.
The obligations take effect on 2 October 2023 for mobile phone numbers.
For landline numbers, the corresponding obligations already took effect last year.
Tomi Engdahl says:
How the Lazarus Group is stepping up crypto hacks and changing its tactics https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics
The elite North Korean hacking group Lazarus appears to have recently ramped up its operations, conducting four confirmed attacks against crypto entities since June 3rd. Now, they are suspected of carrying out a fifth attack, this time targeting CoinEx on September 12. In response to this, CoinEx have released several tweets indicating that suspicious wallet addresses are still being identified, and therefore the total value of stolen funds is not yet known; however, it is currently believed to be around $54 million.
Tomi Engdahl says:
Probe reveals previously secret Israeli spyware that infects targets via ads https://www.theregister.com/2023/09/16/insanet_spyware/
Israeli software maker Insanet has reportedly developed a commercial product called Sherlock that can infect devices via online adverts to snoop on targets and collect data about them for the biz’s clients.
This is according to an investigation by Haaretz, which this week claimed the spyware system had been sold to a country that is not a democracy.
The newspaper’s report, we’re told, marks the first time details of Insanet and its surveillanceware have been made public. Furthermore, Sherlock is capable of drilling its way into Microsoft Windows, Google Android, and Apple iOS devices, according to cited marketing bumf.
Tomi Engdahl says:
Cyber-attacks: the apex of crime-as-a-service (IOCTA 2023) https://www.europol.europa.eu/cms/sites/default/files/documents/Spotlight%20Report%20-%20Cyber-attacks%20the%20apex%20of%20crime-as-a-service.pdf
The Spotlight Report ‘Cyber-attacks: the apex of crime-as-a-service’, examines the developments in cyber-attacks, discussing new methodologies and threats as observed by Europol’s operational analysts. It also outlines the types of criminal structures that are behind cyber-attacks, and how these increasingly professionalised groups are exploiting changes in geopolitics as part of their methodologies.
Tomi Engdahl says:
Imagine Making Shadowy Data Brokers Erase Your Personal Info. Californians May Soon Live the Dream
https://www.securityweek.com/imagine-making-shadowy-data-brokers-erase-your-personal-info-californians-may-soon-live-the-dream/
California state Legislature has passed the Delete Act to allow individuals to order data brokers to delete their personal data — and to cease acquiring and selling it in the future.
You may not know it, but thousands of often shadowy companies routinely traffic in personal data you probably never agreed to share — everything from your real-time location information to private financial details. Even if you could identify these data brokers, there isn’t much you can do about their activities, including in California, which has some of the strongest digital privacy laws in the U.S.
That’s on the verge of changing. Both houses of the California state Legislature have passed the Delete Act, which would establish a “one stop shop” where individuals could order hundreds of data brokers registered in the state to delete their personal data — and to cease acquiring and selling it in the future — with a single request.
The Delete Act isn’t law yet. Democratic Gov. Gavin Newsom still has to decide whether to sign the measure, whose impact could potentially extend well beyond state lines given California’s history of setting similar trends.
Tomi Engdahl says:
Pentagon’s 2023 Cyber Strategy Focuses on Helping Allies
https://www.securityweek.com/pentagons-2023-cyber-strategy-focuses-on-helping-allies/
The Pentagon has published an unclassified summary of its 2023 Cyber Strategy, outlining both offensive and defensive plans.
The US Department of Defense (DoD) this week published an unclassified summary of its 2023 Cyber Strategy, outlining plans for both offensive and defensive efforts.
One key focus of the 2023 Cyber Strategy is the commitment to boost the cyber capabilities of allies and partners, and to increase collective resilience against cyberattacks.
This includes augmenting the capacity of partners and expanding their access to cybersecurity infrastructure, as well as helping them mature their cyber workforce through training events and exercises.
Partners may also be directly helped in developing their capabilities by enabling functions they need but do not have.
Another key effort of the cyber strategy is defending the nation and its critical infrastructure. This involves not only actual defense but also disrupting and degrading threat actors’ capabilities and infrastructure.
https://media.defense.gov/2023/Sep/12/2003299076/-1/-1/1/2023_DOD_Cyber_Strategy_Summary.PDF
Tomi Engdahl says:
Extradited Russian Hacker Behind ‘NLBrute’ Malware Pleads Guilty
https://www.securityweek.com/extradited-russian-hacker-behind-nlbrute-malware-pleads-guilty/
Russian hacker Dariy Pankov has pleaded guilty to computer fraud and now faces a maximum penalty of five years in federal prison.
Tomi Engdahl says:
https://www.securityweek.com/in-other-news-china-blames-nsa-for-hack-ai-jailbreaks-netography-spin-off/
ExtraHop open sources DGA detector dataset
ExtraHop is open sourcing its 16 million row detector dataset on GitHub, to help organizations defend against domains generated by algorithms. Threat actors leverage domain generation algorithms (DGAs) to maintain control within victims’ environments and make attacks more difficult to identify. ExtraHop’s detector dataset allows researchers and organizations to create ML classifier models to quickly detect DGAs and prevent attacks.
https://github.com/ExtraHop/DGA-Detection-Training-Dataset
The dataset is intended to be used for research into the area of DGA (Domain Generation Algorithm) detection, but has other applications as well. Being able to quickly and accurately identify a DGA is one of the keys to neutralizing the C&C (Command and Control) network of a botnet. We use it for model design, training, and validating our models.
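A classifier trained on a dataset like the one above learns from lexical properties of the domain name. As an added example, not ExtraHop's code and not tied to the dataset's file layout (which is left out here rather than guessed), the Python below computes the features such a model typically uses (label length, character entropy, longest consonant run, digit ratio) and applies a simple threshold rule to constructed benign and DGA-like domains. The thresholds and the "label left of the last dot" shortcut for the registrable name are assumptions for illustration; a real detector would be trained on the labelled dataset rather than hand-tuned.

```python
"""Lexical features for DGA detection, with a threshold rule as a baseline.

Added example, not ExtraHop's code. Thresholds and sample domains are
assumptions; the point is the features a trained classifier would consume.
"""
import math

VOWELS = set("aeiou")   # assumption: y counts as a consonant


def registrable_label(domain: str) -> str:
    """Label left of the final dot. Assumption: no public-suffix handling,
    so co.uk-style domains would need a suffix list in real use."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s: str) -> int:
    """Pronounceable names rarely chain more than three consonants."""
    best = cur = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0          # vowels, digits and hyphens all break the run
    return best


def features(domain: str) -> dict:
    label = registrable_label(domain)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "consonant_run": longest_consonant_run(label),
        "digit_ratio": round(digits / len(label), 3) if label else 0.0,
    }


def looks_like_dga(domain: str, entropy_min=3.5, run_min=4, digit_ratio_min=0.2) -> bool:
    """Baseline rule (thresholds are assumptions): high entropy plus either an
    unpronounceable consonant run or a large share of digits."""
    f = features(domain)
    if f["entropy"] < entropy_min:
        return False
    return f["consonant_run"] >= run_min or f["digit_ratio"] > digit_ratio_min


# Constructed samples: real-looking brand names versus algorithm-looking labels.
BENIGN_SAMPLES = ["google.com", "bleepingcomputer.com", "securityweek.com", "wikipedia.org"]
DGA_SAMPLES = ["xjkqwvbtrpmdlsz.com", "a8f3k2q9z1m4.net", "qzvxbrgtklpwmn.info"]

if __name__ == "__main__":
    for d in BENIGN_SAMPLES + DGA_SAMPLES:
        print(f"{d:24} dga={looks_like_dga(d)!s:5} {features(d)}")
```

Word-list DGAs that stitch dictionary words together pass every one of these checks, which is exactly why a labelled dataset beats hand-tuned thresholds: the classifier can learn n-gram and word-boundary features that a rule like this does not capture.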
Tomi Engdahl says:
Europol cybercrime report
Europol has published its Cyber Attacks: The Apex of Crime-as-a-Service (PDF) report, which contains information on the criminal structures orchestrating cyberattacks and on how these hacking groups adapt their tactics to changes in geopolitics. While malware-based attacks, such as ransomware, are the most prominent threat, the number of DDoS attacks against EU organizations has been growing in the context of the Russia-Ukraine war, Europol says.
https://www.europol.europa.eu/cms/sites/default/files/documents/Spotlight%20Report%20-%20Cyber-attacks%20the%20apex%20of%20crime-as-a-service.pdf
Tomi Engdahl says:
https://www.securityweek.com/in-other-news-china-blames-nsa-for-hack-ai-jailbreaks-netography-spin-off/
Stealing information over Wi-Fi without hacking
A group of academic researchers demonstrates how sensitive information transmitted over Wi-Fi can be stolen without hacking being involved. The proposed approach, dubbed WiKI-Eve, exploits BFI (beamforming feedback information), a new feature in the latest Wi-Fi hardware, which is transmitted between the device and AP in cleartext.
Password-Stealing without Hacking: Wi-Fi Enabled Practical Keystroke Eavesdropping
https://arxiv.org/pdf/2309.03492.pdf
we propose WiKI-Eve to eavesdrop keystrokes on smartphones without the need for hacking. WiKI-Eve exploits a new feature, BFI (beamforming feedback information), offered by latest Wi-Fi hardware: since BFI is transmitted from a smartphone to an AP in clear-text, it can be overheard (hence eavesdropped) by any other Wi-Fi devices switching to monitor mode. As existing keystroke inference methods offer very limited generalizability, WiKI-Eve further innovates in an adversarial learning scheme to enable its inference generalizable towards unseen scenarios. We implement WiKI-Eve and conduct extensive evaluation on it; the results demonstrate that WiKI-Eve achieves 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications (e.g., WeChat).
Tomi Engdahl says:
Banned, But Available: Unbelievable Gadgets You Can Purchase Today
https://www.youtube.com/watch?v=fef-mw5CbDE
Some gadgets defy regulations and push boundaries, yet they’re surprisingly accessible in today’s tech-savvy landscape. From the hidden corners of the internet to specialized markets, these forbidden devices have captured our imagination.
In this episode, we’ll take you on a journey through a curated list of these remarkable gadgets that have managed to find their way into the hands of enthusiasts and curious minds alike.
Chapters
00:00 Introduction to Illegal Gadgets You Can Still Buy
00:27 Car Key Grabber
01:33 Laramie Clip Camera
02:04 Multi Pick Kronos
02:52 Destruct Hard Drive Data Eraser
03:34 SRT Weight Listening Device
04:20 The Pocket Chip
05:13 Many GPS Tracker
06:14 Night Vision Goggles
07:07 Keychain Knives
07:45 Security Tag Magnet Remover
Tomi Engdahl says:
11 BANNED GADGETS YOU STILL CAN BUY ON AMAZON
https://www.youtube.com/watch?v=KpxgdtPOikg
00:00 – ATM Skimmer
01:02 – Car Key Grabber
02:02 – Cloud Scanner
02:25 – Ray-Ban Stories Wayfarer
03:17 – USBKill V4.0
04:15 – Magnetic GF07 Mini GPS Tracker
05:06 – HU83 Turbodecoder
06:00 – WIFI LED Light Bulb Video Camera
06:53 – Digital Voice Recorder USB
07:52 – Booster Bag
08:59 – Security Tag Magnet Remover
09:48 – Arctic Spyder III
10:38 – JDSU LB110 Lil’ Buttie Test Set
Tomi Engdahl says:
DoD: China’s ICS Cyber Onslaught Aimed at Gaining Kinetic Warfare Advantage https://www.darkreading.com/threat-intelligence/dod-china-ics-cyber-onslaught-kinetic-warfare-advantage
China’s onslaught of cyberattacks on critical infrastructure is likely a contingency move designed to gain a strategic advantage in the event of kinetic warfare, according to the US Department of Defense (DoD).
The agency’s 2023 Cyber Strategy released this week flagged an uptick in state-sponsored cybercrime from the People’s Republic of China (PRC), specifically against sensitive targets that could have an effect on military response, in order “to counter US conventional military power and degrade the combat capability of the Joint Force.”
Tomi Engdahl says:
Unveiling the shadows: the dark alliance between Guloader and Remcos https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/
In a recent disturbing development, software advertised as legitimate has become the weapon of choice for cybercriminals. Two notable examples of this behavior are the Remcos RAT (remote administration tool) and GuLoader (also known as CloudEyE Protector).
These programs, which are positioned as legitimate tools, are constantly used in attacks and occupy top positions in the most prevalent malware rankings.
While the sellers state that these tools should only be employed lawfully, a deeper truth is that their primary customers are none other than cybercriminals.
Tomi Engdahl says:
DHS: Ransomware attackers headed for second most profitable year https://therecord.media/dhs-ransomware-headed-for-second-profits
“Ransomware attackers extorted at least $449.1 million globally during the first half of 2023 and are expected to have their second most profitable year.
This is due to the return of ‘big game hunting’ – the targeting of large organizations – as well as cyber criminals’ continued attacks against smaller organizations,” DHS said.
The findings were part of the department’s 2024 Homeland Threat Assessment report released last week, which outlined a range of issues related to foreign and domestic terrorism, illegal drugs, misinformation, transnational crime and activity by the governments of Russia, China and Iran.
Report at
https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf
Tomi Engdahl says:
NCSC: Why Cyber Extortion Attacks No Longer Require Ransomware https://www.darkreading.com/dr-global/ncsc-why-cyber-extortion-attacks-no-longer-require-ransomware
Speaking at 44CON in London, NCSC’s operations director Paul Chichester said ransomware remains a major concern for the agency and for businesses as the number of ransomware incidents continues to increase. But a lot of attackers often do not use the encryption malware anymore: They just steal data, put it on a leak site, and solicit for a payment in exchange for taking it down.
NCSC’s Chichester said the UK has a policy that recommends organizations do not pay ransom because the payments fuel the criminal ecosystem. Even so, some companies do pay in order to reassure their customers that their data is safe, he noted.
Sharing a story about a company that was attacked, Chichester said the attacker set the ransom payment to be a lower amount than a GDPR fine, so that it would appear that the company was paying less with the ransom rate than a regulatory fine and therefore saving money.
“That’s not true by the way: You still have to pay a GDPR fine for a data breach, but that’s the way that actors are socially engineering a victim,” he explained.
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
The UK’s parliament passes the Online Safety Bill, in the works since 2019, paving the way for Royal Assent and the bill becoming law in the coming days — Controversial UK legislation that brings in a new regime of content moderation rules for online platforms and services …
UK opens new chapter in digital regulation as parliament passes Online Safety Bill
https://techcrunch.com/2023/09/19/online-safety-bill-passed/
Controversial UK legislation that brings in a new regime of content moderation rules for online platforms and services — establishing the comms watchdog Ofcom as the main Internet regulator — has been passed by parliament today, paving the way for Royal Assent and the Online Safety Bill becoming law in the coming days.
Speaking during the bill’s final stages in the House of Lords, Lord Parkinson of Whitley Bay reiterated that the government’s intention for the legislation is “to make the UK the safest place in the world to be online, particularly for children”. Following affirmative votes as peers considered some last stage amendments he added that attention now moves “very swiftly to Ofcom… who stand ready to implement this — and do so swiftly”.
The legislation empowers Ofcom to levy fines of up to 10% (or up to £18M whichever is higher) of annual turnover for violations of the regime.
Another major strand of controversy is focused on the potential impact on web security and privacy as the bill hands sweeping powers to Ofcom to require platforms to scan message content for illegal material. A parade of end-to-end encrypted platforms and services have warned over the risks such powers pose — with several well known services threatening to exit the UK unless the bill was amended to safeguard strong encryption.
In the event, the government appears to have steered out of a direct clash with mainstream messaging services like WhatsApp by fudging the encryption issue with a carefully worded ministerial statement earlier this month. But, again, privacy and security experts remain watchful.
Additionally, there is concern the bill will lead to a mass age-gating of the UK internet as web services seek to shrink their liability by forcing users to confirm they are old enough to view content that might be deemed inappropriate for minors.
Wikipedia’s founder, Jimmy Wales, is among those raising concerns about the bill as an instrument of state censorship. He’s attacked the government’s approach as triply bad: “Bad for human rights”, “bad for Internet safety” and “bad law” — and pledged the online encyclopedia “will not age-gate nor selectively censor articles under any circumstances”.
Beyond specific issues of concern, there is over-arching general worry over the scale of the regulatory burden the legislation will apply to the UK’s digital economy — since the rules apply not only to major social media platforms; scores of far smaller and less well resourced online services must also comply or risk big penalties.