Cyber trends for 2023

1,768 Comments

1. October 2, 2023 at 7:49 am

   Tomi Engdahl says:

   Valtava määrä ”valepuheluita” on häirinnyt suomalaisia jo vuosia – ei enää
   https://yle.fi/a/74-20052128

   Yle Uutiset kertoi kesäkuussa, miten suomalaisen kirjanpitäjän puhelinnumeroa käytettiin ulkomailta tuleviin huijauspuheluihin. Lokakuun 2. päivästä alkaen näiden huijausten mahdollisuus pienenee, kun Liikenne- ja viestintävirasto Traficomin määräyksen viimeinen velvoite teleoperaattoreille astuu voimaan.

   Se velvoittaa seulomaan väärennöksistä myös sellaiset, joissa uskotellaan puhelun tulevan suomalaisesta kännykkäliittymästä. Traficomin Kyberturvallisuuskeskuksen Lauri Isotalo sanoo, että vielä on pieni mahdollisuus siihen, että valenumerot välkkyvät suomalaisten älypuhelinnäytöillä. Rikollisilla kun on aina jotain teknologioita käytettävissään.

   – Jos puhutaan, että loppuvatko ne kaikki aivan varmasti, niin sitä on tietysti mahdotonta luvata. Tavoitteena on kuitenkin painaa se niin matalaksi kuin mahdollista, sanoo Kyberturvallisuuskeskuksen kehityspäällikkö Lauri Isotalo.

   Reply
2. October 2, 2023 at 7:50 am

   Tomi Engdahl says:

   A Closer Look at the Snatch Data Ransom Group https://krebsonsecurity.com/2023/09/a-closer-look-at-the-snatch-data-ransom-group/

   Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name. According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administration (CISA), Snatch was originally named Team Truniger, based on the nickname of the group’s founder and organizer — Truniger.

   The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab, an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims.
   GandCrab dissolved in July 2019, and is thought to have become “REvil,” one of the most ruthless and rapacious Russian ransomware groups of all time.

   Reply
3. October 2, 2023 at 9:08 am

   Tomi Engdahl says:

   Tietoturva-asian­tuntijan yllättävä kehotus: Valehtele! https://www.is.fi/digitoday/art-2000009871873.html

   Reply
4. October 2, 2023 at 10:56 am

   Tomi Engdahl says:

   Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-likely-rebrand-of-the-metaencryptor-gang/

   The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors.
   LostTrust began attacking organizations in March 2023 but did not become widely known until September, when they began utilizing a data leak site.
   Currently, the data leak site lists 53 victims worldwide, with some having their data leaked already for not paying a ransom. It is unclear if the ransomware gang only targets Windows devices or if they utilize a Linux encryptor as well.

   MetaEncryptor is a ransomware operation that is believed to have launched in August 2022, amassing twelve victims on their data leak site through July 2023, after which no new victims were added to the site. This month, a new data leak site for the ‘LostTrust’ gang was launched, with cybersecurity researcher Stefano Favarato quickly noticing it utilizes the same exact template and bio as MetaEncryptor’s data leak site.

   Reply
5. October 2, 2023 at 11:16 am

   Tomi Engdahl says:

   CISA Unveils New HBOM Framework to Track Hardware Components
   https://www.securityweek.com/cisa-unveils-new-hbom-framework-to-track-hardware-components/

   CISA unveils a new Hardware Bill of Materials (HBOM) framework for buyers and sellers to communicate about components in physical products.

   The US government’s cybersecurity agency CISA has unveiled a new Hardware Bill of Materials (HBOM) framework offering a consistent, repeatable way for vendors to communicate with purchasers about hardware components in physical products.

   The new framework provides what CISA describes as “a reliable and predictable structure for HBOMs” and a set of clearly defined data fields of HBOM components and their attributes.

   “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA assistant director Mona Harrington.

   Harrington said the HBOM framework [.pdf] includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used.

   The HBOM framework, created by the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, is meant to be flexible and allow purchasers and vendors to tailor it to their specific circumstances or use cases.

   https://www.securityweek.com/cisa-unveils-new-hbom-framework-to-track-hardware-components/

   Reply
6. October 2, 2023 at 11:17 am

   Tomi Engdahl says:

   A Hardware Bill of Materials
   (HBOM) Framework for
   Supply Chain Risk
   Management
   https://www.cisa.gov/sites/default/files/2023-09/A%20Hardware%20Bill%20of%20Materials%20Framework%20for%20Supply%20Chain%20Risk%20Management%20%28508%29.pdf

   Reply
7. October 3, 2023 at 9:06 am

   Tomi Engdahl says:

   Wireless BadUSB With Flipper Zero’s Bluetooth — NO CABLES!
   https://www.youtube.com/watch?v=lh99ssUy6FE

   Was feeling cute, so updated a custom firmware and badUSB-ed without a USB cable in sight. You?

   Reply
8. October 3, 2023 at 11:23 am

   Tomi Engdahl says:

   ICS/OT
   Number of Internet-Exposed ICS Drops Below 100,000: Report
   https://www.securityweek.com/number-of-internet-exposed-ics-drops-below-100000-report/

   The number of internet-exposed ICS has dropped below 100,000, a significant decrease from the 140,000 in 2019.

   The number of internet-exposed industrial control systems (ICS) has continued to decrease over the past years, dropping below 100,000 as of June 2023, according to a report from cybersecurity ratings company Bitsight.

   Companies and researchers regularly scan the internet for exposed ICS, and in the past decade they have reported seeing tens of thousands and even millions of systems, depending on their methodology and length of the study.

   However, it’s interesting to see year-over-year trends from the same company, which presumably has a consistent methodology.

   Bitsight has been tracking the number of internet-facing ICS, mapping these systems to its inventory of global organizations. It’s worth noting that while the company refers to the identified systems as ICS, they include — based on the targeted protocols — not only systems used in industrial environments, but also IoT, building management and automation devices, and other operational technology (OT).

   The company’s analysis showed that the number of exposed systems has gradually decreased from roughly 140,000 in 2019 to less than 100,000 in June 2023.

   “This is a positive development, suggesting that organizations may be properly configuring, switching to other technologies, or removing previously exposed ICSs from the public internet,” Bitsight noted.

   In addition, the number of exposed organizations has dropped from approximately 4,000 to 2,300 over the same period. Entities that still have public-facing systems include organizations across 96 countries, including Fortune 1000 companies.

   The top 10 impacted countries are the United States, Canada, Italy, the UK, France, the Netherlands, Germany, Spain, Poland and Sweden.

   The most impacted sectors are education, technology, government, business services, manufacturing, utilities, real estate, energy, tourism, and finance.

   In 2023, the most commonly observed protocols were Modbus, KNX, BACnet, Niagara Fox, Siemens’ S7, Ethernet/IP, Lantronix, Automatic Tank Gauge (ATG), Moxa’s NPort, and Codesys.

   “While the aggregate number of exposed ICSs has been trending downward, we detected unique behavior on a protocol-by-protocol basis,” Bitsight explained. “Exposed systems and devices communicating via the Modbus and S7 protocols are more common in June 2023 than before, with the former increasing in prevalence from 2020 and the latter more recently from mid-2022.”

   Bitsight also noted that companies should focus on securing specific protocols based on their location. For instance, systems using Codesys, KNX, Nport and S7 protocols are mainly in the European Union, while ATG and BACnet are primarily seen in the United States.

   Bitsight identifies nearly 100,000 exposed industrial control systems
   https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-industrial-control-systems

   Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) owned by organizations around the world, potentially allowing an attacker to access and control physical infrastructure such as power grids, traffic light systems, security and water systems, and more. ICSs — a subset of operational technology (OT) — are used to manage industrial processes like water flow in municipal water systems, electricity transmission via power grids, and other critical processes. Critical infrastructure sectors heavily rely on ICSs to control cyber-physical systems, compounding concerns that the exposed systems identified in this research could present significant risks to organizations and communities around the world.

   Fortune 1000 organizations are among the exposed, including organizations from 96 countries and a variety of sectors.

   Reply
9. October 3, 2023 at 11:25 am

   Tomi Engdahl says:

   ICS/OT
   NIST Publishes Final Version of 800-82r3 OT Security Guide
   https://www.securityweek.com/nist-publishes-final-version-of-800-82r3-ot-security-guide/

   NIST has published the final version of the SP 800-82 Revision 3 guide to operational technology (OT) security.

   NIST announced on Thursday that it has published the final version of its latest guide to operational technology (OT) security.

   NIST published the first draft of Special Publication (SP) 800-82r3 (Revision 3) in April 2021, with a second draft being released one year later. Now, Revision 3 of the OT security guide has been finalized.

   The 316-page document provides guidance on improving the security of OT systems while addressing their unique safety, reliability and performance requirements.

   “SP 800-82r3 provides an overview of OT and typical system topologies, identifies typical threats to organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage the associated risks,” NIST explained.

   The guidance focuses on OT cybersecurity program development, risk management, cybersecurity architecture, and applying the NIST Cybersecurity Framework (CSF) to OT.

   The latest revision’s updates include expansion in scope from industrial control systems (ICS) to OT in general, as well as updates to OT threats, vulnerabilities, risk management, recommended practices, current security activities, and tools and capabilities.

   The document also aligns with other OT security guides and standards, and provides tailored security control baselines for low-, moderate- and high-impact OT systems.

   SP 800-82 Revision 3 is available for download in PDF format for free from NIST’s website.

   https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

   Reply
10. October 3, 2023 at 11:26 am

    Tomi Engdahl says:

    Artificial Intelligence
    National Security Agency is Starting an Artificial Intelligence Security Center
    https://www.securityweek.com/national-security-agency-is-starting-an-artificial-intelligence-security-center/

    The NSA is starting an artificial intelligence security center — a crucial mission as AI capabilities are increasingly acquired, developed and integrated into U.S. defense and intelligence systems.

    “We maintain an advantage in AI in the United States today. That AI advantage should not be taken for granted,” Nakasone said at the National Press Club, emphasizing the threat from Beijing in particular.

    Nakasone was asked about using AI to automate the analysis of threat vectors and red-flag alerts — and he reminded the audience that U.S. intelligence and defense agencies already use AI.

    “AI helps us, But our decisions are made by humans. And that’s an important distinction,” Nakasone said. “We do see assistance from artificial intelligence. But at the end of the day, decisions will be made by humans and humans in the loop.”

    The AI security center’s establishment follows an NSA study that identified securing AI models from theft and sabotage as a major national security challenge, especially as generative AI technologies emerge with immense transformative potential for both good and evil.

    Nakasone said it would become “NSA’s focal point for leveraging foreign intelligence insights, contributing to the development of best practices guidelines, principles, evaluation, methodology and risk frameworks” for both AI security and the goal of promoting the secure development and adoption of AI within “our national security systems and our defense industrial base.”

    He said it would work closely with U.S. industry, national labs, academia and the Department of Defense as well as international partners.

    Reply
11. October 3, 2023 at 11:28 am

    Tomi Engdahl says:

    Risk Management
    Moving From Qualitative to Quantitative Cyber Risk Modeling
    https://www.securityweek.com/moving-from-qualitative-to-quantitative-cyber-risk-modeling/

    Migrating to a quantitative cyber risk model of analysis allows for more accurate data, which leads to more informed decision-making.

    Reply
12. October 4, 2023 at 7:21 am

    Tomi Engdahl says:

    Combating Ransomware Attacks: Insights from Unit 42 Incident Response https://www.paloaltonetworks.com/blog/2023/09/combating-ransomware-attacks-insights/

    Ransomware attacks have evolved over the years from a threat primarily targeting individuals with modest ransom demands, to a sophisticated form of cybercrime that now jeopardizes large companies, government agencies and critical infrastructure. It’s increasingly common to hear of a major corporation, educational institution or local government falling victim to a ransomware attack, in addition to the incidents that make national headlines.
    These attacks have far-reaching implications, affecting everything from critical public services, like hospitals, disruptions in supply chains, and even taking critical gas pipelines offline. I recently had the opportunity to testify before two subcommittees of the U.S. House of Representatives Committee on Oversight and Accountability on combating ransomware attacks.

    Reply
13. October 4, 2023 at 7:24 am

    Tomi Engdahl says:

    How to Embrace a Cloud Security Challenge Mindset https://www.trendmicro.com/en_us/ciso/23/j/cloud-security-challenges.html

    Back in June, Trend Micro predicted enterprise security operations centers
    (SOCs) would be more or less fully responsible for cloud security by 2026.
    It’s definitely not that CISOs need more to do, but with public cloud services so central to enterprise IT—to the tune of $600 billion in spending by the end of this year—an enterprise-wide function is required to protect them.

    Bryan Webster, Trend Micro’s VP of Product Management, explained why this poses challenges in a recent AWS SecurityLIVE! segment. To start with, cloud environments are dynamic, rolling out apps and spinning up infrastructure to drive agility and create value. New content, code, and features often emerge on a daily basis, if not multiple times a day.

    Traditional enterprise cybersecurity doesn’t move that fast. It’s typically reactive, not proactive, and less directly connected to business outcomes. So how can CISOs manage risk and meet the security expectations of the business at ‘cloud speed’? The keys are to adopt a cloud mindset, embrace the cloud ethos, and leverage any cloud expertise that’s immediately available.

    Reply
14. October 4, 2023 at 7:27 am

    Tomi Engdahl says:

    Are Local LLMs Useful in Incident Response?
    https://isc.sans.edu/diary/Are+Local+LLMs+Useful+in+Incident+Response/30274

    LLMs have become very popular recently. I’ve been running them on my home PC for the past few months in basic scenarios to help out. I like the idea of using them to help with forensics and Incident response, but I also want to avoid sending the data to the public LLMs, so running them locally or in a private cloud is a good option.

    I use a 3080 GPU with 10GB of VRAM, which seems best for running the 13 Billion model (1). The three models I’m using for this test are Llama-2-13B-chat-GPTQ , vicuna-13b-v1.3.0-GPTQ, and Starcoderplus-Guanaco-GPT4-15B-V1.0-GPTQ. I’ve downloaded this model from
    huggingface.co/ if you want to play along at home.

    Llama2 is the latest Facebook general model. Vicuna is a “Fine Tuned” Llama one model that is supposed to be more efficient and use less RAM. StarCoder is trained on 80+ coding languages and might do better on more technical explanations.

    Reply
15. October 4, 2023 at 7:30 am

    Tomi Engdahl says:

    Overall, these small models did poorly on this test. They do a good job on everyday language tasks, like giving text from an article and summarizing it or helping with proofreading. A specific version of Star is just for Python, which also works well. As expected for small models, the more specific they are trained, the better the results.
    https://isc.sans.edu/diary/Are+Local+LLMs+Useful+in+Incident+Response/30274

    Reply
16. October 4, 2023 at 8:18 am

    Tomi Engdahl says:

    ICS/OT
    ZDI Discusses First Automotive Pwn2Own
    https://www.securityweek.com/zdi-discusses-first-automotive-pwn2own/

    The Zero Day Initiative (ZDI) will host a new Automotive Pwn2Own at the Automotive World Conference in Tokyo, January 24 to 26, 2024.

    Reply
17. October 4, 2023 at 8:26 am

    Tomi Engdahl says:

    Cloud Security
    Network, Meet Cloud; Cloud, Meet Network
    https://www.securityweek.com/network-meet-cloud-cloud-meet-network/

    The widely believed notion that the network and the cloud are two different and distinct entities is not true.

    The widely believed notion that the network and the cloud are two different and distinct entities is not true. While it may have been so 10 to 15 years ago that the network was an on-prem architecture that operated independently and required different solutions or protections separate from the cloud, that is no longer the case.

    While many organizations have embraced the cloud as part and parcel of their network infrastructure, some companies are still evolving. And it is easy to see why. On-prem architecture ensures that your team has full control over your network, right down to the wire. With appliances, you essentially have one built-in inspection point, you can buy routers and firewalls and then segment everything behind the scene. With the cloud all of this is gone; you lose some of these controls in that your network is not neatly contained within a physical infrastructure. You spin up your resources wherever you want – in other regions, other countries – and in doing so, the choke point you once relied on in the on-prem environment, is now multiplied across many different access points.

    There is comfort in having the control provided with managing an on-prem-only network. But this approach is no longer tenable. As organizations grow, dropping in appliances at every site or datacenter is expensive and often requires additional resources and manpower to set up and deploy.

    Cloud services offer the ability to scale resources up or down based on demand. This flexibility is critical for handling varying workloads and ensuring network resources are efficiently utilized and security measures are properly deployed. AWS, Azure and other cloud environments all have great ways to protect, but visibility becomes an issue. You lose the control to dive into packets or you pay a premium to have the ability to do this.

    Organizations must rethink ways to jointly achieve both visibility and security for networks that are not one-size-fits-all. A comprehensive security strategy that encompasses both on-premises, multi-cloud and hybrid environments. This strategy should include regular risk assessments, security policy enforcement, continuous monitoring and threat detection, and incident response mechanisms. Collaboration between CloudOps and SecOps teams to ensure a holistic security approach is critical, along with implementing security solutions that are designed for multi-cloud environments.

    Cloud-native security solutions that combine network metadata with context from third parties can provide a better understanding of what is happening on the network and in a way that teams can visualize the data and know which actions to take.

    It’s important to note that the perceived separation between network and cloud can vary widely from one organization to another and may evolve over time as technology and business needs change. Many companies are gradually adopting a more integrated approach, where network and cloud resources are managed holistically to maximize efficiency, scalability, and agility while meeting specific business requirements.

    Reply
18. October 5, 2023 at 7:01 am

    Tomi Engdahl says:

    CISA and NSA Release New Guidance on Identity and Access Management https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new-guidance-identity-and-access-management

    Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.

    This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.

    Reply
19. October 5, 2023 at 7:05 am

    Tomi Engdahl says:

    Coalition to give NGOs free access to cybersecurity services to protect against attacks https://therecord.media/coalition-to-give-ngos-free-access-to-cyber-services-netherlands

    The Hague, Netherlands – The CyberPeace Institute announced Wednesday it will set up a portal with a coalition of cyber response teams to help non-governmental organizations, or NGOs, in the Netherlands protect themselves from cyberattacks. The CyberPeace Institute is a Geneva-based nonprofit that monitors cyberattacks and their effect on society. As part of that mission, it announced at the ONE cybersecurity conference that it will work with The Hague Humanity Hub, the Dutch Institute for Vulnerability Disclosure, and the global Computer Security Incident Response Team to provide free training, tools and advice to help NGOs in the Netherlands become more cyber resilient.

    The coalition will use open-source intelligence and a vetted network of ethical hackers to provide a kind of cyber early warning system for nonprofits. NGOs will be able to sign up into a portal where they can share information about attacks and vulnerabilities, as well as find resources for help should an attack occur.

    Reply
20. October 5, 2023 at 7:31 am

    Tomi Engdahl says:

    Reuters:
    BlackBerry plans to split its IoT and cybersecurity units and target a subsidiary IPO for the IoT unit in its next FY, after reviewing options since May 2023 — Canadian technology company BlackBerry (BB.TO), said on Wednesday it would separate its Internet of Things (IoT) …

    BlackBerry to separate IoT and cybersecurity businesses, plans IPO
    https://www.reuters.com/technology/blackberry-separate-iot-cybersecurity-business-units-2023-10-04/

    Canadian technology company BlackBerry (BB.TO), said on Wednesday it would separate its Internet of Things (IoT) and cybersecurity business units and target a subsidiary initial public offering for the IoT business next fiscal year.

    BlackBerry joins a number of companies that have split their units in recent years, favoring a leaner corporate structure to help investors better evaluate their separate businesses.

    Reply
21. October 5, 2023 at 7:31 am

    Tomi Engdahl says:

    Financial Times:
    Belgium’s intelligence service has been monitoring Alibaba’s logistics hub in Europe at Liège’s cargo airport to detect “possible espionage” by Chinese entities

    https://www.ft.com/content/256ee824-9710-49d2-a8bc-f173e3f74286

    Reply
22. October 5, 2023 at 7:54 am

    Tomi Engdahl says:

    NSA and CISA Release Guide To Protect Baseboard Management Controllers
    https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3426648/nsa-and-cisa-release-guide-to-protect-baseboard-management-controllers/

    FORT MEADE, Md. — Baseboard management controllers (BMCs) are common components of server-class computers. Malicious cyber actors could use these controllers’ capabilities to compromise industry and government systems.

    “Implementation of effective security defenses for these embedded controllers is frequently overlooked,” said Neal Ziring, the Technical Director for NSA’s Cybersecurity Directorate. “The firmware in these controllers is highly privileged. Malicious actors can use the firmware’s capabilities to remotely control a critical server while bypassing traditional security tools.”

    Organizations need to take action to secure servers with BMCs. To assist network defenders in this, NSA and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released the Cybersecurity Information Sheet, “Harden Baseboard Management Controllers.” The guidance includes recommendations and mitigations for network defenders to secure their systems.

    NSA and CISA recommend system owners and network defenders implement the mitigations listed in the report, including:

    Hardening BMC credentials and configurations
    Monitoring BMC integrity and updating BMCs
    Establishing virtual network separation to isolate BMC network connections

    Harden Baseboard Management Controllers
    https://media.defense.gov/2023/Jun/14/2003241405/-1/-1/0/CSI_HARDEN_BMCS.PDF

    Recommended actions
    These recommended actions align with the cross-sector cybersecurity performance goals
    (CPGs) CISA and the National Institute of Standards and Technology (NIST) developed. The
    CPGs provide a minimum set of practices and protections that CISA and NIST recommend all
    organizations implement.

    1. Protect BMC credentials
    Change the default BMC credentials as soon as possible. Establish unique user accounts for
    administrators, if supported. Always use strong passwords compliant with NIST guidelines

    2. Enforce VLAN separation
    Establish a virtual local area network (VLAN) to isolate BMC network connections since many
    BMC products have a dedicated network port not shared with the OS or virtual machine
    manager (VMM). Limit the endpoints that may communicate with BMCs in the enterprise
    infrastructure—commonly referred to as an Administrative VLAN. Limit or block BMC access to
    the internet. If the BMC requires internet access to update, create rules such that only update-
    supporting traffic is permitted during the update download

    3. Harden configurations
    Consult vendor guides and recommendations for hardening BMCs against unauthorized access
    and persistent threats. UEFI hardening configuration guidance may apply to many BMC settings

    4. Perform routine BMC update checks
    BMC updates are delivered separately from most other software and firmware updates.
    Establish a routine to conduct monthly or quarterly checks for BMC updates according to the
    system vendor’s recommendations and scheduled patch releases.

    5. Monitor BMC integrity
    Some BMCs report integrity data to a root of trust (RoT). The RoT could take the form of a TPM,
    dedicated security chip or coprocessor (multiple trademarked names in use), or a central
    processing unit (CPU) secure memory enclave. Monitor integrity features for unexpected
    changes and platform alerts

    6. Move sensitive workloads to hardened devices
    Older server and cloud nodes may lack any BMC integrity monitoring mechanism. The presence
    of a TPM does not guarantee that BMC integrity data is collected. Place sensitive workloads on
    hardware designed to audit both the BMC firmware and the platform firmware

    7. Use firmware scanning tools periodically
    Some modern EDR and platform scanning tools support BMC firmware capture. Establish a
    schedule to collect and inspect BMC firmware for integrity and unexpected changes.

    8. Do not ignore BMCs
    A user may accidentally connect and expose an ignored and disconnected BMC to malicious
    content. Treat an unused BMC as if it may one day be activated. Apply patches. Harden
    credentials. Restrict network access. If a BMC cannot be disabled or removed, carry out
    recommended actions appropriate to the sensitivity of the platform’s data

    Reply
23. October 5, 2023 at 1:27 pm

    Tomi Engdahl says:

    How To Access the DARK WEB in 2023 (3 Levels)
    https://www.youtube.com/watch?v=U2-JPqrALsA

    Ever heard of the Dark Web and wondered how to access it? The allure of the unknown is captivating, but it can also be perilous. In this video, I guide you through 3 different methods to access the Dark Web, ranging from basic to high-security measures. We’ll delve into what the Dark Web actually is, its legitimate uses, and the precautions you should take when navigating this mysterious part of the internet.

    What You’ll Learn:

    The Good, the Bad, and the Ugly of the Dark Web
    Why the ToR Browser alone might not be enough
    How a VPN can add an extra layer of security
    The ultimate security with Tails
    Bonus: The NetworkChuck Cloud Browser

    Reply
24. October 5, 2023 at 1:29 pm

    Tomi Engdahl says:

    Hacking the Power Grid – Their password is TERRIBLE!
    https://www.youtube.com/watch?v=MBgiu7ex-no

    1:02 / 8:02
    Hacking the Power Grid – Their password is TERRIBLE!
    RECESSIM
    31.5K subscribers
    31,565 views Sep 30, 2023 Smart Meter Hacking
    BECOME A PATREON!
    https://www.patreon.com/RECESSIM

    Building a hacking tool from a smart grid modem. Learn how to build your own hacking tools by following along with me on my journey building this one.

    Reply
25. October 6, 2023 at 4:48 am

    Tomi Engdahl says:

    david Pogue — After Apple blocked cookies in its Safari browser, Google has now built, RIGHT INTO CHROME, a tracker that ‘tracks the web pages you visit and generates a list of advertising topics that it will share with web pages whenever they ask

    Google gets its way, bakes a user-tracking ad platform directly into Chrome
    https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/?fbclid=IwAR1tL7bgIuIovtIdff6CVd_BtaSCUR5UKkY2NlpTDVUSNDK3xQBtCFn6MU4

    Chrome now directly tracks users, generates a “topic” list it shares with advertisers.

    Don’t let Chrome’s big redesign distract you from the fact that Chrome’s invasive new ad platform, ridiculously branded the “Privacy Sandbox,” is also getting a widespread rollout in Chrome today. If you haven’t been following this, this feature will track the web pages you visit and generate a list of advertising topics that it will share with web pages whenever they ask, and it’s built directly into the Chrome browser. It’s been in the news previously as “FLoC” and then the “Topics API,” and despite widespread opposition from just about every non-advertiser in the world, Google owns Chrome and is one of the world’s biggest advertising companies, so this is being railroaded into the production builds.

    Google seemingly knows this won’t be popular. Unlike the glitzy front-page Google blog post that the redesign got, the big ad platform launch announcement is tucked away on the privacysandbox.com page. The blog post says the ad platform is hitting “general availability” today, meaning it has rolled out to most Chrome users. This has been a long time coming, with the APIs rolling out about a month ago and a million incremental steps in the beta and dev builds, but now the deed is finally done.

    Users should see a pop-up when they start up Chrome soon, informing them that an “ad privacy” feature has been rolled out to them and enabled. The new pop-up has been hitting users all week. As you can see in the pop-up, all of Google’s documentation about this feature feels like it was written on opposite day, with Google calling the browser-based advertising platform “a significant step on the path towards a fundamentally more private web.”

    The argument here is that someday—not now, but someday—Google promises to turn off third-party tracking cookies in Chrome, and the new ad platform, which has some limitations, is better than the free-for-all that is third-party cookies. The thing is, third-party cookies mostly only affect Chrome users. Apple and Firefox have both been blocking third-party cookies for years and won’t be implementing Google’s new advertising system—it’s only the Chromium browsers that still allow them.

    That’s actually what started this whole process: Apple dealt a giant blow to Google’s core revenue stream when it blocked third-party cookies in Safari in 2020. While it was a win for privacy, Google’s not following suit until it can secure its advertising business. The Federated Learning of Cohorts and now the Topics API are part of a plan to pitch an “alternative” tracking platform, and Google argues that there has to be a tracking alternative—you can’t just not be spied on. The Electronic Frontier Foundation also argued this when it called Google’s FLoC a “terrible idea,” saying “[Google's] framing is based on a false premise that we have to choose between ‘old tracking’ and ‘new tracking.’ It’s not either-or. Instead of re-inventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads.”

    Chrome has some controls for this built into the browser now. Just go to the Chrome Settings, then “Privacy and Security,” then “Ad privacy” (alternatively, paste “chrome://settings/adPrivacy” into the address bar). From there, you can click through to each of the three individual pages and turn off the top checkbox, and in a mere six clicks, you can presumably turn off the ad platform. If you leave it on for a while, you can check out the “Ad topics” page, where Google will show you what ads Chrome thinks you would like to see. This list gets sent to advertisers when you visit a page.

    Google says it will block third-party cookies in the second half of 2024—presumably after it makes sure the “Privacy Sandbox” will allow it to keep its profits up

    Reply
26. October 6, 2023 at 7:34 am

    Tomi Engdahl says:

    Kampanja tunnisti ja korjasi toimitusketjuihin liittyviä kyberriskejä https://www.huoltovarmuuskeskus.fi/a/kampanja-tunnisti-ja-korjasi-toimitusketjuihin-liittyvia-kyberriskeja

    Traficomin Kyberturvallisuuskeskuksen Ketjutonttu-kampanja paransi suomalaisen yrityskentän tietoturvaa tunnistamalla ja korjaamalla riskejä niiden toimitusketjuissa. Huoltovarmuuskeskuksen Digitaalinen turvallisuus 2030 -ohjelmasta rahoitettuun kampanjaan osallistui 150 organisaatiota ja yritystä.
    Kampanja osoitti, että kyberturvallisuutta voidaan parantaa keveilläkin menetelmillä. Kampanjaan osallistuneiden organisaatioiden toimittajat saavat maksuttoman, avoimiin tietolähteisiin perustuvan tietoturvan tarkastuksen ja lisäksi apua korjausten tekemiseen.

    Yksittäistä osallistujaa kohtaan tunnistettiin keskimäärin 35 toimittajaa.
    Yhteensä kampanjan aikana tarkastettiin 2 312 toimittajaa, joille tarjottiin haavaraportit sekä apua korjauksiin. Kampanjan aikana raportoitiin 856 tietoturvahavaintoa. Avoimiin tietolähteisiin perustuvan lähestymistavan ansiosta tarkastus voitiin suorittaa laajalle toimittajajoukolle ilman erillistä sopimista. Avunannossa keskityttiin niihin toimittajiin, joilta tietoturvaongelmia löytyi.

    Reply
27. October 6, 2023 at 8:26 am

    Tomi Engdahl says:

    Cybercrime gangs now deploying ransomware within 24 hours of hacking victims https://therecord.media/ransomware-deployment-dwell-time-decreasing

    Cybercriminals are now deploying ransomware within the first day of initially compromising their targets, a dramatic drop on the 4.5 days that the task had been taking last year, according to a new threat report. Cybersecurity company Secureworks warns that “2023 may be the most prolific year for ransomware attacks to date” with three times as many victims listed on leak sites in May this year as there were in the same month a year ago.

    Leak sites are a poor metric for assessing the size of the ransomware problem, the company’s report notes, pointing out that the leak site for Hive — which was disrupted by law enforcement earlier this year — listed only around 10% of the total victims law enforcement knew about.

    Reply
28. October 6, 2023 at 8:27 am

    Tomi Engdahl says:

    Operation Jacana: Foundling hobbits in Guyana https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/

    In February 2023, ESET researchers detected a spearphishing campaign targeting a governmental entity in Guyana. While we haven’t been able to link the campaign, which we named Operation Jacana, to any specific APT group, we believe with medium confidence that a China-aligned threat group is behind this incident.

    In the attack, the operators used a previously undocumented C++ backdoor that can exfiltrate files, manipulate Windows registry keys, execute CMD commands, and more. We named the backdoor DinodasRAT based on the victim identifier it sends to its C&C: the string always begins with Din, which reminded us of the hobbit Dinodas from the Lord of the Rings.

    Reply
29. October 6, 2023 at 8:27 am

    Tomi Engdahl says:

    Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities https://any.run/cybersecurity-blog/lu0bot-analysis/

    In this article, we’ll examine a Lu0Bot malware sample we stumbled upon while tracking malicious activity in ANY.RUN’s public tasks. What caught our interest is that the sample is written in Node.js. While initially, it appeared to be a regular bot for DDOS attacks, things turned out to be a lot more complex.

    Node.js malware is intriguing because it targets a runtime environment commonly used in modern web applications. The runtime’s platform-agnostic nature depends on the specific code and libraries used, but it often allows for greater versatility. Typically, this kind of malware employs multi-layer obfuscation techniques using JavaScript. It combines traditional malware characteristics with web technologies, making it a unique challenge for detection and analysis.

    Reply
30. October 6, 2023 at 8:28 am

    Tomi Engdahl says:

    NSA and CISA reveal top 10 cybersecurity misconfigurations https://www.bleepingcomputer.com/news/security/nsa-and-cisa-reveal-top-10-cybersecurity-misconfigurations/

    The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations. Today’s advisory also details what tactics, techniques, and procedures (TTPs) threat actors use to successfully exploit these misconfigurations with various goals, including gaining access to, moving laterally, and targeting sensitive information or systems.

    The information included in the report was collected by the two agencies’ Red and Blue teams during assessments and during incident response activities.
    “These teams have assessed the security posture of many networks across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and the private sector,”
    the NSA said.

    Reply
31. October 6, 2023 at 8:30 am

    Tomi Engdahl says:

    The evolutionary tale of a persistent Python threat https://checkmarx.com/blog/the-evolutionary-tale-of-a-persistent-python-threat/

    Since early April 2023, an attacker has been relentlessly deploying hundreds of malicious packages through various usernames, accumulating nearly 75,000 downloads. The attacker’s evolution is evident, with transitions from plain-text to encryption and subsequently to multilayered obfuscation and secondary disassembly payloads.

    The malicious package casts a wide net, aiming to steal extensive amounts of sensitive data including from the target system, applications, browsers, and user. Additionally, they target cryptocurrency users by modifying cryptocurrency addresses to redirect transactions to the attacker. The threat actors’ most recent packages adeptly dismantle system defenses, leaving it exposed and vulnerable.

    The malicious code is explicitly designed to run on Windows systems. The evidence of the attackers success is palpable, with one of their crypto wallet addresses showing incoming transactions (funds directed into the attacker’s
    account) amounting to six figures during the period the malicious packages were active.

    Reply
32. October 6, 2023 at 12:48 pm

    Tomi Engdahl says:

    BLUE OLEX 2023: Getting Ready for the Next Cybersecurity Crisis in the EU https://www.enisa.europa.eu/news/blue-olex-2023-getting-ready-for-the-next-cybersecurity-crisis-in-the-eu

    Together with the European Commission under the Spanish Presidency of the EU Council, the European Union Agency for Cybersecurity (ENISA) co-organised and co-hosted the Blue Olex table-top cyber exercise in the Hague, Netherlands.
    With the upcoming EU elections and cyber threats spreading widely, the EU needs to strengthen its capacities. This was precisely the objective of the Blue Olex exercise to test the preparedness of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), the cooperation network for Member States national authorities in charge of cyber crisis management.

    BlueOlex ‘23 tested the EU preparedness in the event of a cyber-related crisis affecting the EU Member States and to strengthen the cooperation between the national cybersecurity authorities, the European Commission and ENISA. The aim of the exercise is to build a stronger relationship among the cybersecurity community participating in the exercise, increase the situational awareness and share best practices. Finally, it sets the scene for a high-level political discussion, on strategic cyber policy issues, in particular, shaping a coherent framework for crisis management at EU level.

    —

    Reply
33. October 6, 2023 at 12:51 pm

    Tomi Engdahl says:

    BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html

    Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that’s being advertised for sale on the cybercrime underground. “BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more,” Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an analysis published last week.

    Among its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim’s clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses. A C/C++-based loader offered for $250 for a lifetime license, the malware is said to have been under continuous development since its debut on September 4, 2023, with new features and enhancements that incorporate anti-sandbox and antivirus evasion techniques.

    Reply
34. October 6, 2023 at 12:52 pm

    Tomi Engdahl says:

    FBI warns of surge in ‘phantom hacker’ scams impacting elderly https://www.bleepingcomputer.com/news/security/fbi-warns-of-surge-in-phantom-hacker-scams-impacting-elderly/

    The FBI issued a public service announcement warning of a significant increase in ‘phantom hacker’ scams targeting senior citizens across the United States.
    “This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,” the FBI said.

    “Victims often suffer the loss of entire banking, savings, retirement, or investment accounts under the guise of ‘protecting’ their assets.” In such scams, multiple fraudsters masquerading as bank representatives are contacting unsuspecting victims, falsely alleging that their accounts have fallen victim to hacking attempts.

    Reply
35. October 9, 2023 at 7:28 am

    Tomi Engdahl says:

    Clorox Crisis Shows Cyber Risk’s Harsh Business Downside https://www.forbes.com/sites/noahbarsky/2023/10/06/clorox-crisis-shows-cyber-risks-harsh-business-downside/

    The Clorox cyberattack crisis warrants every board’s attention. The consumer-products giant spent over $500 million on IT upgrades and earned a spot on the 2023 Forbes Most Cybersecure Companies list. Nonetheless, an August breach halted its operations with devastating supply chain and business consequences.

    While the cybercrime details remain unclear, Clorox disclosed that it was forced back to manual processes, as automation systems took nearly six weeks to normalize. That left retailers and consumers scrambling for merchandise. In terms of the financial aftermath, its preliminary FY2024 Q1 results suffered significantly.

    Reply
36. October 9, 2023 at 7:46 am

    Tomi Engdahl says:

    Leveraging a Hooking Framework to Expand Malware Detection Coverage on the Android Platform https://unit42.paloaltonetworks.com/hooking-framework-in-sandbox-to-analyze-android-apk/

    One of the biggest challenges we face in analyzing Android application package
    (APK) samples at scale is the diversity of Android platform versions that malware authors use. When trying to utilize static and dynamic analysis techniques in the malware detection space, the sheer variety of platform versions can feel overwhelming.

    In this article, we will discuss this issue of how malware authors use obfuscation to make analyzing their Android malware more challenging. We will review two such case studies to illustrate those obfuscation techniques in action. Finally, we’ll cover some overall techniques researchers can use to address these obstacles.

    Reply
37. October 9, 2023 at 7:46 am

    Tomi Engdahl says:

    BELGIAN INTELLIGENCE SERVICE VSSE ACCUSED ALIBABA OF ‘POSSIBLE ESPIONAGE’ AT EUROPEAN HUB IN LIEGE https://securityaffairs.com/152039/intelligence/belgian-intelligence-service-vsse-accused-alibaba.html

    The Belgian intelligence service VSSE revealed that is investigating potential cyber espionage activities carried out by Chinese firms, including the Alibaba Group Holding, at a cargo airport in Liege.

    Reply
38. October 9, 2023 at 7:51 am

    Tomi Engdahl says:

    Ukraine, Israel, South Korea top list of most-targeted countries for cyberattacks https://therecord.media/microsoft-2023-report-countries-most-targeted-cyberattacks

    More than 120 countries faced cyberattacks over the last year, with Ukraine, Israel, South Korea and Taiwan topping the list of the most targeted countries, according to a new report from Microsoft.

    The findings are part of Microsoft’s Digital Defense Report 2023 — which used troves of the company’s data to track cybersecurity trends between July 2022 and June 2023.

    Reply
39. October 9, 2023 at 7:52 am

    Tomi Engdahl says:

    To Schnorr and beyond (Part 1)
    https://blog.cryptographyengineering.com/2023/10/06/to-schnorr-and-beyond-part-1/

    In this post I’m going to talk about signature schemes, and specifically the Schnorr signature, as well as some related schemes like ECDSA. These signature schemes have a handful of unique properties that make them quite special among cryptographic constructions. Moreover, understanding the motivation of Schnorr signatures can help understand a number of more recent proposals, including post-quantum schemes like Dilithium — which we’ll discuss in the second part of this series.

    Reply
40. October 9, 2023 at 7:53 am

    Tomi Engdahl says:

    Mielipidekirjoitus / Yangon asiakastietokohun taustalla kehitys, joka pakottaa yritykset toimimaan – Miten oikeus hallita omia tietoja toteutuu?
    https://www.talouselama.fi/uutiset/yangon-asiakastietokohun-taustalla-kehitys-joka-pakottaa-yritykset-toimimaan-miten-oikeus-hallita-omia-tietoja-toteutuu/5015fac4-8e1a-409b-a49c-4a8fcc3f0615

    Digitaalista suvereniteettia ei voi sivuuttaa liiketoimintastrategiassa, toteaa mielipidekirjoittaja.

    Reply
41. October 9, 2023 at 7:57 am

    Tomi Engdahl says:

    Puhelinnumero, sähkö­posti­osoite, kirjautumis­tiedot, luottokortti… Näin tarkistat, ovatko tietosi vuotaneet nettiin https://www.is.fi/digitoday/tietoturva/art-2000009872043.html

    Koska olet viimeksi tarkistanut, onko tietojasi kuten salasanasi vaarantunut esimerkiksi tietovuodossa? Siihen ei mene paljoa aikaa. Tietoturvayhtiö F-Securen kyberuhkatiedustelupäällikkö Laura Kankaala kertoo, miten sinun kannattaa toimia. IS Digitoday täydensi ohjeita paikoin.

    Reply
42. October 9, 2023 at 7:59 am

    Tomi Engdahl says:

    In our ever-evolving digital landscape, the fusion of artificial intelligence (AI) and machine learning (ML) technologies has ushered in a new era of innovation and efficiency. However, as we step into 2024, we must also prepare for the darker side of this technological advancement — the looming cybersecurity threats posed by both AI and ML

    Reply
43. October 9, 2023 at 9:20 am

    Tomi Engdahl says:

    Microsoft Releases New Report on Cybercrime, State-Sponsored Cyber Operations
    https://www.securityweek.com/microsoft-releases-new-report-on-cybercrime-state-sponsored-cyber-operations/

    US, Ukraine, and Israel remain the most heavily attacked by cyberespionage and cybercrime threat actors, Microsoft says.

    Reply
44. October 9, 2023 at 9:23 am

    Tomi Engdahl says:

    Network Security
    Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA
    https://www.securityweek.com/organizations-warned-of-top-10-cybersecurity-misconfigurations-seen-by-cisa-nsa/

    CISA and the NSA are urging network defenders and software developers to address the top ten cybersecurity misconfigurations.

    The US cybersecurity agency CISA and the NSA have issued new guidance on addressing the most common cybersecurity misconfigurations in large organizations.

    Impacting many organizations, including those that have achieved a mature security posture, these misconfigurations illustrate a trend of systemic weaknesses and underline the importance of adopting secure-by-design principles during the software development process, CISA and the NSA note.

    The ten most common network misconfigurations, the two agencies say, include default software configurations, improper separation of privileges, lack of network segmentation, insufficient network monitoring, poor patch management, bypass of access controls, poor credential hygiene, improper multi-factor authentication (MFA) methods, insufficient access control lists (ACLs) on network shares, and unrestricted code execution.

    These misconfigurations, CISA and the NSA note, were identified after years of assessing the security posture of more than 1,000 network enclaves within the Department of Defense (DoD), federal agencies, and US government agencies.

    NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a

    The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

    Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

    Default configurations of software and applications
    Improper separation of user/administrator privilege
    Insufficient internal network monitoring
    Lack of network segmentation
    Poor patch management
    Bypass of system access controls
    Weak or misconfigured multifactor authentication (MFA) methods
    Insufficient access control lists (ACLs) on network shares and services
    Poor credential hygiene
    Unrestricted code execution

    Reply
45. October 9, 2023 at 9:28 am

    Tomi Engdahl says:

    Addressing the People Problem in Cybersecurity
    https://www.securityweek.com/addressing-the-people-problem-in-cybersecurity/

    Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder.

    The people problem is two-fold: a lack of security awareness among users and a lack of cybersecurity talent. Let’s start with the first challenge, what organizations can do to raise security awareness among users.

    Support for security awareness programs: According to the SANS 2023 Security Awareness Report: Managing Human Risk (PDF), maturity levels for security awareness programs are improving when compared to last year. However, organizations are struggling with the fundamentals of program development including lack of budget, limits on training time for employees, and lack of staffing and time for program management. It comes as no surprise that the most effective programs are backed by strong leadership support, have dedicated full-time employees, and promote a strong security culture where incident reporting is encouraged and made easy which helps mitigate risk.
    User training: Also not surprising, the SANS report finds that phishing/smishing/vishing tops the list of human risks, followed by passwords/authentication, detection/reporting, and IT admin misconfiguration. Training should focus on these four areas and go beyond annual computer-based training to include continuous training so that key concepts are reinforced year-round. Involving security teams in the development of human-focused security training helps ensure content remains highly relevant to the organization. Partnering with other departments such as communications and human resources and bringing on third-party training consultants will also help drive program effectiveness while optimizing resources.

    Looking at the second component of the people problem – a lack of cybersecurity talent – a combination of training and technology can help close the gap currently estimated at 663,600 in the U.S. alone. For example:

    Cybersecurity professionals training: Cybersecurity itself is a continuous learning experience, something that is often overlooked. New research by Enterprise Strategy Group (ESG) finds that 40% of cybersecurity professionals believe their organization should increase its commitment to cybersecurity training to help address the skills shortage by enabling the organization to get more out of existing resources. Partnering with security technology vendors that offer product training and make it available in multiple formats and form factors, including instructor-led/in-person, instructor-led/virtual, and self-service, provides flexibility to select what works best for your business model and your security teams.
    Security automation: An important benefit of security automation is that the highly skilled human resources you have can work smarter, not harder. In research we commissioned recently, security leaders say the number one way to address a top challenge – high turnover rates – is with smarter tools that simplify work. Additionally, over 60% expect automation to positively affect employee satisfaction and retention. A balanced approach to automation where repetitive, low-risk, time-consuming tasks are automated so that analysts are freed-up to take the lead on irregular, high-impact, time-sensitive work can improve retention and utilization while driving better security outcomes. And a data-driven approach to automation ensures that actions remain relevant for greater focus, accuracy and confidence in the outcomes. Additionally, security automation platforms that support low-code/no-code interfaces can make automation accessible to a range of users with varying skill sets.
    Additional, new technologies: Approaches and technologies like AI are already helping to drive efficiencies. Specifically, natural language processing is being used to identify and extract threat data, such as indicators of compromise, malware and adversaries, from unstructured text in data feed sources and intelligence reports so that analysts spend less time on manual tasks and more time proactively addressing risks. Machine learning (ML) techniques are being applied to make sense of all this data in order to get the right data to the right systems and teams at the right time to accelerate detection, investigation and response. And a closed loop model with feedback, ensures AI capable security operations platforms can continue to learn and improve over time.

    Addressing the people problem with effective approaches and tools for users and security practitioners to strengthen defenses will enable us to work smarter, and force attackers into a position where they must work harder.

    Reply
46. October 9, 2023 at 9:31 am

    Tomi Engdahl says:

    https://www.securityweek.com/in-other-news-funding-increase-abuse-of-smartphone-location-data-legal-matters/

    Experts respond to EU’s Cyber Resilience Act

    Experts have written a joint letter in response to the proposed EU Cyber Resilience Act (CRA), warning that “the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them”.

    Joint Letter of Experts on CRA and Vulnerability Disclosure
    https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-of-experts-on-cra-and-vulnerability-disclosure

    As concerned cybersecurity experts who have dedicated our lives to improving the security of the online environment, we urge you to reconsider the vulnerability disclosure requirements under the proposed EU Cyber Resilience Act (CRA). While we appreciate the CRA’s aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them.

    “Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors. There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities.”

    “While the intention behind disclosing vulnerabilities promptly may be to facilitate mitigation, CRA already requires software publishers to mitigate vulnerabilities without delay in a separate provision. We support this obligation, but also advocate for a responsible and coordinated disclosure process that balances the need for transparency with the need for security. We recommend that the CRA adopt a risk-based approach to vulnerability disclosure, taking into account factors such as the severity of the vulnerability, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation. With that in mind and to avoid unintentionally exposing consumers and organisations in Europe and beyond to new cybersecurity risks”

    Reply
47. October 10, 2023 at 6:26 am

    Tomi Engdahl says:

    Kyberhaitakkeiden top 10: Troijalaiset tekevät tuhoa Suomessa ja maailmalla, viestintäala kyberhyökkäysten suosituin kohde Pohjoismaissa
    https://www.epressi.com/tiedotteet/tietotekniikka/kyberhaitakkeiden-top-10-troijalaiset-tekevat-tuhoa-suomessa-ja-maailmalla-viestintaala-kyberhyokkaysten-suosituin-kohde-pohjoismaissa.html

    Check Point Software kertoo syyskuun haittaohjelmakatsauksessaan, että Formbook nousi maailman yleisimmäksi haitakkeeksi Qbotin alasajon jälkeen, ja myös Suomen listahuipulla puhalsivat uudet tuulet. Tutkijat havaitsivat syyskuussa laajan tietojenkalastelukampanjan, jonka takana on Remcos-etäkäyttötroijalainen. Hyökkäysten kohteena oli Pohjoismaissa useimmin viestintäala, maailman ja Euroopan laajuisesti koulutus- ja tutkimusala.

    Reply
48. October 10, 2023 at 6:33 am

    Tomi Engdahl says:

    IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits

    In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits.
    Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.

    Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ranging from the thousands to even tens of thousands. This highlights the campaign’s capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs.

    In this article, we will elaborate on how this threat leverages new vulnerabilities to control affected devices, along with the details of IZ1H9.

    Reply
49. October 10, 2023 at 6:33 am

    Tomi Engdahl says:

    HelloKitty ransomware source code leaked on hacking forum https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source-code-leaked-on-hacking-forum/

    A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.

    HelloKity is a human-operated ransomware operation active since November 2020 when a victim posted to the BleepingComputer forums, with the FBI later releasing a PIN (private industry notification) on the group in January 2021.

    The gang is known for hacking corporate networks, stealing data, and encrypting systems. The encrypted files and stolen data are then utilized as leverage in double-extortion machines, where the threat actors threaten to leak data if a ransom is not paid.

    Reply
50. October 10, 2023 at 6:34 am

    Tomi Engdahl says:

    R2R STOMPING – ARE YOU READY TO RUN?
    https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/

    This research introduces a new method for running hidden implanted code in ReadyToRun (R2R) compiled .NET binaries. The method focuses on the possibility of altering R2R compiled binaries in such a way that the original IL code of the assembly differs from the pre-compiled native code, which is a part of the produced binary too. Because of the .NET optimization, the pre-compiled native code will be prioritized and run, ignoring the original IL code.

    Reply