Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP in the Chrome browser.

Malvertising: Cyber criminals impersonating brands using search engine advertisement services to defraud users will continue in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of Attacks Hide in Encrypted Channels, and the WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
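A small audit of the two misconfiguration classes named above, missing security headers and weak encryption settings, written as an added example for this post (not code from any of the cited reports). It takes a response-header dict and a TLS summary dict as input; the sample responses and the thresholds (HSTS minimum age, the list of weak protocols and cipher markers) are constructed assumptions a practitioner would tune to their own policy.

```python
"""Audit an HTTP response's security headers and a TLS configuration summary.

Added example, not from the original post. Inputs are plain dicts so the check
runs offline; in practice you would fill them from a real response and a TLS
scanner's output. Thresholds below are illustrative policy choices.
"""
import re

REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may still use plain HTTP",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: URLs may leak to third parties",
}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")
MIN_HSTS_AGE = 15552000  # 180 days; assumed minimum, matches common preload guidance


def audit_headers(headers):
    """Return a list of findings for missing or weak security headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age too short")
    csp = h.get("content-security-policy", "")
    if csp and ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        findings.append("CSP allows unsafe-inline or unsafe-eval")
    if "server" in h and re.search(r"\d", h["server"]):
        findings.append("Server header reveals version")
    return findings


def audit_tls(tls):
    """Return findings for a summary {'protocols': [...], 'ciphers': [...]} of what the server offers."""
    findings = []
    for proto in tls.get("protocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
    for cipher in tls.get("ciphers", []):
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {cipher}")
    return findings


# Constructed sample: a typical misconfigured response and TLS setup
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
WEAK_TLS = {"protocols": ["TLSv1", "TLSv1.2"],
            "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]}

# Constructed sample: the hardened counterpart
GOOD_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
GOOD_TLS = {"protocols": ["TLSv1.2", "TLSv1.3"], "ciphers": ["TLS_AES_256_GCM_SHA384"]}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE) + audit_tls(WEAK_TLS):
        print("FINDING:", finding)
    print("hardened config findings:", audit_headers(GOOD_RESPONSE) + audit_tls(GOOD_TLS))
```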

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. Many companies do not patch their systems in a reasonable time or at all, so they stay vulnerable. New variations of old vulnerabilities are also being developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, poor upkeep of employees’ skills and indifference are the strongest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: At a hyperscale cloud provider, there can potentially be several thousand people working around the globe who could access your data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
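The prompt-bombing pattern described above leaves a clear trace in identity-provider logs: many push prompts to one user in a short window, often ending in an approval. The detector below is an added example for this post, not code from any of the cited articles; the log format is constructed and the thresholds (5 prompts in 10 minutes) are assumptions to tune for your own provider.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example, not from the original post. The key=value log format is
constructed for illustration; map the fields to your identity provider's
schema. Thresholds are assumptions a defender would tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_PROMPTS = 5                 # prompts inside the window that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed sample log: alice is bombarded and eventually approves a prompt,
# bob produces ordinary single logins hours apart.
SAMPLE_LOG = """\
2023-01-12T08:15:01Z user=alice event=mfa_push result=denied ip=203.0.113.5
2023-01-12T08:15:40Z user=alice event=mfa_push result=denied ip=203.0.113.5
2023-01-12T08:16:12Z user=alice event=mfa_push result=timeout ip=203.0.113.5
2023-01-12T08:17:03Z user=bob event=mfa_push result=approved ip=198.51.100.7
2023-01-12T08:17:30Z user=alice event=mfa_push result=denied ip=203.0.113.5
2023-01-12T08:18:05Z user=alice event=mfa_push result=denied ip=203.0.113.5
2023-01-12T08:19:44Z user=alice event=mfa_push result=approved ip=203.0.113.5
2023-01-12T09:30:00Z user=bob event=mfa_push result=approved ip=198.51.100.7
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(log_text, burst=BURST_PROMPTS, window=WINDOW):
    """Return one alert per user whose push prompts reach `burst` within `window`.

    Each alert records whether a prompt was approved after the burst began:
    that is the case needing immediate response (revoke sessions, reset the
    factor), not just a notification to the user.
    """
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "mfa_push":
            continue
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) >= burst and user not in alerts:
            alerts[user] = {"user": user, "first_prompt": q[0], "prompts": len(q),
                            "approved_after_burst": False, "source_ips": set()}
        if user in alerts:                  # keep enriching an open alert
            a = alerts[user]
            a["source_ips"].add(rec.get("ip", "?"))
            a["prompts"] = max(a["prompts"], len(q))
            if rec.get("result") == "approved":
                a["approved_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```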

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it leaks out for some reason. The reason is that a comma in a password can break up tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
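To see exactly what the comma trick does, and where it stops helping, here is an added example (not from the original post or the cited article) that round-trips constructed credential records through a naive comma-joined dump and through a proper CSV writer with quoting.

```python
"""Show what a comma in a password does to a CSV credential dump.

Added example, not from the original post. Records and tooling are constructed.
The comma only confuses tools that split lines on commas; a real CSV writer
quotes the field and a real CSV reader recovers it intact.
"""
import csv
import io

# Constructed leaked records: one password contains a comma
LEAKED = [("alice", "correct horse battery"),
          ("bob", "tr0ub4dor,3"),
          ("carol", "S3cure!pass")]


def dump_naive(records):
    """Join fields with commas and no quoting, as a sloppy dump script would."""
    return "\n".join(f"{u},{p}" for u, p in records) + "\n"


def parse_naive(text):
    """Split each line on commas and keep the first two fields; anything after is lost."""
    out = []
    for line in text.splitlines():
        parts = line.split(",")
        out.append((parts[0], parts[1]))
    return out


def dump_csv(records):
    """Write with the csv module, which quotes fields that contain the delimiter."""
    buf = io.StringIO()
    csv.writer(buf).writerows(records)
    return buf.getvalue()


def parse_csv(text):
    return [tuple(row) for row in csv.reader(io.StringIO(text))]


def recovered_correctly(records, dump, parse):
    """Return usernames whose password survives a dump-then-parse round trip."""
    parsed = dict(parse(dump(records)))
    return [u for u, p in records if parsed.get(u) == p]


if __name__ == "__main__":
    print("naive tooling recovers:", recovered_correctly(LEAKED, dump_naive, parse_naive))
    print("csv module recovers:  ", recovered_correctly(LEAKED, dump_csv, parse_csv))
```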

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year, with deep-dives into the Energy and Health sectors. See Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing than office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is a near-optimal security practice in 2023. It is good for new systems whose design fits its model, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldnt Be The New Normal says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. It securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. A future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, secret scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
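The core of a secret-scanning job is pattern matching on well-known token formats plus a generic check for high-entropy literals, with placeholder values filtered out to keep the alert volume useful. The scanner below is an added example for this post, not GitHub's scanner; the sample source file is constructed and every credential in it is a fake or documentation placeholder (the AWS key id is the one AWS uses in its own docs).

```python
"""Scan source text for exposed credentials, the way a secret-scanning job would.

Added example, not GitHub's own scanner. Patterns cover a few well-known token
formats plus a generic password-assignment check filtered by entropy. The
sample source is constructed; none of the values in it is a valid credential.
"""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
PLACEHOLDERS = {"changeme", "password", "example", "<redacted>", "xxxxxxxx"}
MIN_ENTROPY = 3.0   # bits/char; assumed cut-off separating labels from random tokens


def shannon_entropy(s):
    """Bits of entropy per character: random tokens score high, plain words score low."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def scan(source):
    """Return (line_number, rule, matched_value) for every likely secret in `source`."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue                      # documented dummy value, not a leak
            if rule == "password_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                continue                      # low-entropy literal such as a default label
            findings.append((n, rule, value))
    return findings


# Constructed sample file: fake credentials only
SAMPLE_SOURCE = """\
import boto3
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
db_password = "changeme"
api_secret = "q8Zt2vX9mL4pR7sW1nK6"
comment = "set password = 'password' before first run"
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKfakePLACEHOLDERkeybody
"""

if __name__ == "__main__":
    for line_no, rule, value in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {value}")
```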

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST retires the SHA-1 cryptographic algorithm; not fully in 2023, but it starts preparations for the phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud, of course offer security features and services designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because they are at constant risk of failing to perform properly and many companies might not want to hire a self-taught ethical hacker.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies are suffering an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility, and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the report Policing in the metaverse: what law enforcement needs to know for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed how many cryptocurrency-related risks materialized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance may become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now increasingly name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some insurance policies already written in the market have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Expert advises using a comma in your password – there is a clever logic behind it

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Companies’ cyber security still has big gaps. Expert: It is even a question of national security

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 approved – stricter cyber security requirements for EU countries

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals

Is Enterprise VPN on Life Support or Ripe for Reinvention?

1,768 Comments

  1. Tomi Engdahl says:

    A huge number of “fake calls” has been bothering Finns for years – not anymore
    https://yle.fi/a/74-20052128

    Yle Uutiset reported in June how a Finnish accountant’s phone number was used for scam calls coming from abroad. Starting on October 2, the opportunity for these scams shrinks, when the last obligation for telecom operators in the regulation of the Finnish Transport and Communications Agency Traficom enters into force.

    It obliges operators to also screen out spoofed calls that are made to look as if they come from a Finnish mobile subscription. Lauri Isotalo of Traficom’s National Cyber Security Centre says there is still a small chance that fake numbers will flash on Finns’ smartphone screens. Criminals always have some technologies at their disposal.

    – If the question is whether they will all stop for absolutely certain, that is of course impossible to promise. The goal, however, is to push it as low as possible, says Lauri Isotalo, development manager at the National Cyber Security Centre.

  2. Tomi Engdahl says:

    A Closer Look at the Snatch Data Ransom Group https://krebsonsecurity.com/2023/09/a-closer-look-at-the-snatch-data-ransom-group/

    Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name. According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administration (CISA), Snatch was originally named Team Truniger, based on the nickname of the group’s founder and organizer — Truniger.

    The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab, an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims.
    GandCrab dissolved in July 2019, and is thought to have become “REvil,” one of the most ruthless and rapacious Russian ransomware groups of all time.

  3. Tomi Engdahl says:

    Security expert’s surprising advice: Lie! https://www.is.fi/digitoday/art-2000009871873.html

  4. Tomi Engdahl says:

    Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-likely-rebrand-of-the-metaencryptor-gang/

    The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors.
    LostTrust began attacking organizations in March 2023 but did not become widely known until September, when they began utilizing a data leak site.
    Currently, the data leak site lists 53 victims worldwide, with some having their data leaked already for not paying a ransom. It is unclear if the ransomware gang only targets Windows devices or if they utilize a Linux encryptor as well.

    MetaEncryptor is a ransomware operation that is believed to have launched in August 2022, amassing twelve victims on their data leak site through July 2023, after which no new victims were added to the site. This month, a new data leak site for the ‘LostTrust’ gang was launched, with cybersecurity researcher Stefano Favarato quickly noticing it utilizes the same exact template and bio as MetaEncryptor’s data leak site.

  5. Tomi Engdahl says:

    CISA Unveils New HBOM Framework to Track Hardware Components
    https://www.securityweek.com/cisa-unveils-new-hbom-framework-to-track-hardware-components/

    CISA unveils a new Hardware Bill of Materials (HBOM) framework for buyers and sellers to communicate about components in physical products.

    The US government’s cybersecurity agency CISA has unveiled a new Hardware Bill of Materials (HBOM) framework offering a consistent, repeatable way for vendors to communicate with purchasers about hardware components in physical products.

    The new framework provides what CISA describes as “a reliable and predictable structure for HBOMs” and a set of clearly defined data fields of HBOM components and their attributes.

    “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA assistant director Mona Harrington.

    Harrington said the HBOM framework [.pdf] includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used.

    The HBOM framework, created by the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, is meant to be flexible and allow purchasers and vendors to tailor it to their specific circumstances or use cases.

    https://www.securityweek.com/cisa-unveils-new-hbom-framework-to-track-hardware-components/

    Reply
  6. Tomi Engdahl says:

    Wireless BadUSB With Flipper Zero’s Bluetooth — NO CABLES!
    https://www.youtube.com/watch?v=lh99ssUy6FE

    Was feeling cute, so updated a custom firmware and badUSB-ed without a USB cable in sight. You?

    Reply
  7. Tomi Engdahl says:

    ICS/OT
    Number of Internet-Exposed ICS Drops Below 100,000: Report
    https://www.securityweek.com/number-of-internet-exposed-ics-drops-below-100000-report/

    The number of internet-exposed ICS has dropped below 100,000, a significant decrease from the 140,000 in 2019.

    The number of internet-exposed industrial control systems (ICS) has continued to decrease over the past years, dropping below 100,000 as of June 2023, according to a report from cybersecurity ratings company Bitsight.

    Companies and researchers regularly scan the internet for exposed ICS, and in the past decade they have reported seeing tens of thousands and even millions of systems, depending on their methodology and length of the study.

    However, it’s interesting to see year-over-year trends from the same company, which presumably has a consistent methodology.

    Bitsight has been tracking the number of internet-facing ICS, mapping these systems to its inventory of global organizations. It’s worth noting that while the company refers to the identified systems as ICS, they include — based on the targeted protocols — not only systems used in industrial environments, but also IoT, building management and automation devices, and other operational technology (OT).

    The company’s analysis showed that the number of exposed systems has gradually decreased from roughly 140,000 in 2019 to less than 100,000 in June 2023.

    “This is a positive development, suggesting that organizations may be properly configuring, switching to other technologies, or removing previously exposed ICSs from the public internet,” Bitsight noted.

    In addition, the number of exposed organizations has dropped from approximately 4,000 to 2,300 over the same period. Entities that still have public-facing systems include organizations across 96 countries, including Fortune 1000 companies.

    The top 10 impacted countries are the United States, Canada, Italy, the UK, France, the Netherlands, Germany, Spain, Poland and Sweden.

    The most impacted sectors are education, technology, government, business services, manufacturing, utilities, real estate, energy, tourism, and finance.

    In 2023, the most commonly observed protocols were Modbus, KNX, BACnet, Niagara Fox, Siemens’ S7, Ethernet/IP, Lantronix, Automatic Tank Gauge (ATG), Moxa’s NPort, and Codesys.

    “While the aggregate number of exposed ICSs has been trending downward, we detected unique behavior on a protocol-by-protocol basis,” Bitsight explained. “Exposed systems and devices communicating via the Modbus and S7 protocols are more common in June 2023 than before, with the former increasing in prevalence from 2020 and the latter more recently from mid-2022.”

    Bitsight also noted that companies should focus on securing specific protocols based on their location. For instance, systems using Codesys, KNX, Nport and S7 protocols are mainly in the European Union, while ATG and BACnet are primarily seen in the United States.

    Bitsight identifies nearly 100,000 exposed industrial control systems
    https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-industrial-control-systems

    Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) owned by organizations around the world, potentially allowing an attacker to access and control physical infrastructure such as power grids, traffic light systems, security and water systems, and more. ICSs — a subset of operational technology (OT) — are used to manage industrial processes like water flow in municipal water systems, electricity transmission via power grids, and other critical processes. Critical infrastructure sectors heavily rely on ICSs to control cyber-physical systems, compounding concerns that the exposed systems identified in this research could present significant risks to organizations and communities around the world.

    Fortune 1000 organizations are among the exposed, including organizations from 96 countries and a variety of sectors.

    Reply
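The Bitsight figures above count exposed systems by protocol, with Modbus the most common and growing. As an added example that is not part of the original post or of Bitsight's research, here is a small Modbus/TCP (MBAP) request parser with defender-side detection logic: it flags state-changing function codes (writes, diagnostics) that arrive from outside an assumed engineering subnet, the kind of check a network monitor in front of a PLC would run. The frames, the source addresses and the 10.20.0.0/24 engineering network are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus application protocol specification)
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_CODES = {5, 6, 15, 16}   # change coil/register state on the device
DIAG_CODES = {8, 43}           # diagnostics / device identification

# Assumed allow-list: only engineering workstations may write to PLCs.
ENGINEERING_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus all PDU bytes.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for an MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def classify(src_ip: str, frame: bytes) -> dict:
    """Rate a single request by what it does and where it came from."""
    req = parse_mbap(frame)
    fc = req.function_code
    trusted = ipaddress.ip_address(src_ip) in ENGINEERING_NET
    if trusted:
        severity = "info"
    elif fc in WRITE_CODES:
        severity = "high"      # untrusted source changing PLC state
    elif fc in DIAG_CODES:
        severity = "medium"    # untrusted source probing or reconfiguring
    else:
        severity = "low"       # untrusted read: still an exposure worth logging
    return {
        "src": src_ip,
        "unit": req.unit_id,
        "function": FUNCTION_NAMES.get(fc, f"Unknown({fc})"),
        "severity": severity,
    }


def summarize(events: list[tuple[str, bytes]]) -> dict[str, int]:
    """Count alerts by severity; malformed frames are counted separately."""
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0, "malformed": 0}
    for src, frame in events:
        try:
            counts[classify(src, frame)["severity"]] += 1
        except ValueError:
            counts["malformed"] += 1
    return counts


# Constructed sample traffic (not captured data). 198.51.100.0/24 is a
# documentation range standing in for an internet source.
FRAME_READ_REGS = bytes.fromhex("0001 0000 0006 01 03 0000 000a")      # read 10 holding regs
FRAME_WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")   # write register 0x10
FRAME_WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")
FRAME_TRUNCATED = bytes.fromhex("0004 0000 0009 01 03")                # length field is wrong

SAMPLE_EVENTS = [
    ("10.20.0.5", FRAME_READ_REGS),
    ("10.20.0.5", FRAME_WRITE_SINGLE),
    ("198.51.100.7", FRAME_READ_REGS),
    ("198.51.100.7", FRAME_WRITE_SINGLE),
    ("198.51.100.7", FRAME_WRITE_MULTI),
    ("198.51.100.7", FRAME_TRUNCATED),
]

if __name__ == "__main__":
    for src, frame in SAMPLE_EVENTS:
        try:
            print(classify(src, frame))
        except ValueError as exc:
            print(f"{src}: malformed frame ({exc})")
    print(summarize(SAMPLE_EVENTS))
```

The length check matters for detection code: a frame whose MBAP length field disagrees with the bytes on the wire is either a fragment or a malformed probe, and it is safer to count it separately than to guess a function code from it.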
  8. Tomi Engdahl says:

    ICS/OT
    NIST Publishes Final Version of 800-82r3 OT Security Guide
    https://www.securityweek.com/nist-publishes-final-version-of-800-82r3-ot-security-guide/

    NIST has published the final version of the SP 800-82 Revision 3 guide to operational technology (OT) security.

    NIST announced on Thursday that it has published the final version of its latest guide to operational technology (OT) security.

    NIST published the first draft of Special Publication (SP) 800-82r3 (Revision 3) in April 2021, with a second draft being released one year later. Now, Revision 3 of the OT security guide has been finalized.

    The 316-page document provides guidance on improving the security of OT systems while addressing their unique safety, reliability and performance requirements.

    “SP 800-82r3 provides an overview of OT and typical system topologies, identifies typical threats to organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage the associated risks,” NIST explained.

    The guidance focuses on OT cybersecurity program development, risk management, cybersecurity architecture, and applying the NIST Cybersecurity Framework (CSF) to OT.

    The latest revision’s updates include expansion in scope from industrial control systems (ICS) to OT in general, as well as updates to OT threats, vulnerabilities, risk management, recommended practices, current security activities, and tools and capabilities.

    The document also aligns with other OT security guides and standards, and provides tailored security control baselines for low-, moderate- and high-impact OT systems.

    SP 800-82 Revision 3 is available for download in PDF format for free from NIST’s website.

    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

    Reply
  9. Tomi Engdahl says:

    Artificial Intelligence
    National Security Agency is Starting an Artificial Intelligence Security Center
    https://www.securityweek.com/national-security-agency-is-starting-an-artificial-intelligence-security-center/

    The NSA is starting an artificial intelligence security center — a crucial mission as AI capabilities are increasingly acquired, developed and integrated into U.S. defense and intelligence systems.

    “We maintain an advantage in AI in the United States today. That AI advantage should not be taken for granted,” Nakasone said at the National Press Club, emphasizing the threat from Beijing in particular.

    Nakasone was asked about using AI to automate the analysis of threat vectors and red-flag alerts — and he reminded the audience that U.S. intelligence and defense agencies already use AI.

    “AI helps us, but our decisions are made by humans. And that’s an important distinction,” Nakasone said. “We do see assistance from artificial intelligence. But at the end of the day, decisions will be made by humans and humans in the loop.”

    The AI security center’s establishment follows an NSA study that identified securing AI models from theft and sabotage as a major national security challenge, especially as generative AI technologies emerge with immense transformative potential for both good and evil.

    Nakasone said it would become “NSA’s focal point for leveraging foreign intelligence insights, contributing to the development of best practices guidelines, principles, evaluation, methodology and risk frameworks” for both AI security and the goal of promoting the secure development and adoption of AI within “our national security systems and our defense industrial base.”

    He said it would work closely with U.S. industry, national labs, academia and the Department of Defense as well as international partners.

    Reply
  10. Tomi Engdahl says:

    Risk Management
    Moving From Qualitative to Quantitative Cyber Risk Modeling
    https://www.securityweek.com/moving-from-qualitative-to-quantitative-cyber-risk-modeling/

    Migrating to a quantitative cyber risk model of analysis allows for more accurate data, which leads to more informed decision-making.

    Reply
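The SecurityWeek piece above argues for moving from qualitative ratings to quantitative cyber risk modelling without showing what that looks like. As an added example, not taken from the article, here is a minimal Monte Carlo model of the kind used in quantitative approaches: annual loss is the sum of a Poisson-distributed number of loss events, each with a lognormal loss magnitude, and the output is an expected annual loss plus percentiles and a probability of exceeding a loss tolerance, which is what a "Likelihood: Medium, Impact: High" cell hides. The scenario parameters (two events a year, a median loss of 50,000, a 500,000 tolerance) are constructed; the closed-form expectation is included only as a cross-check on the simulation.

```python
import math
import random


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef: float, loss_median: float, loss_sigma: float,
                           trials: int = 20000, seed: int = 7) -> list[float]:
    """Monte Carlo annual loss: Poisson event count x lognormal loss per event.

    lef         loss event frequency per year (2.0 = twice a year on average)
    loss_median median loss per event in currency units
    loss_sigma  log-scale spread of the per-event loss (1.0 is a wide tail)
    """
    rng = random.Random(seed)          # fixed seed: results are reproducible
    mu = math.log(loss_median)
    annual = []
    for _ in range(trials):
        events = poisson(rng, lef)
        annual.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return annual


def percentile(values: list[float], p: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


def analytic_ale(lef: float, loss_median: float, loss_sigma: float) -> float:
    """Closed-form expected annual loss for the same model: lef * E[lognormal]."""
    return lef * math.exp(math.log(loss_median) + loss_sigma ** 2 / 2)


def risk_summary(lef: float, loss_median: float, loss_sigma: float,
                 tolerance: float, **kw) -> dict:
    """The numbers a quantitative register carries instead of a Low/Medium/High label."""
    losses = simulate_annual_losses(lef, loss_median, loss_sigma, **kw)
    return {
        "ale": sum(losses) / len(losses),                     # annualised loss expectancy
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: phishing-led account takeover on a finance workflow.
    summary = risk_summary(lef=2.0, loss_median=50_000, loss_sigma=1.0, tolerance=500_000)
    print(f"ALE (simulated): {summary['ale']:,.0f}")
    print(f"ALE (analytic):  {analytic_ale(2.0, 50_000, 1.0):,.0f}")
    print(f"P50 annual loss: {summary['p50']:,.0f}   P90: {summary['p90']:,.0f}")
    print(f"P(loss > 500k):  {summary['p_exceeds_tolerance']:.1%}")
```

The tail percentiles and the exceedance probability are what make the model decision-useful: two scenarios with the same expected loss can differ sharply in P90, and that difference is what a control budget or an insurance limit should be sized against.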
  11. Tomi Engdahl says:

    Combating Ransomware Attacks: Insights from Unit 42 Incident Response https://www.paloaltonetworks.com/blog/2023/09/combating-ransomware-attacks-insights/

    Ransomware attacks have evolved over the years from a threat primarily targeting individuals with modest ransom demands, to a sophisticated form of cybercrime that now jeopardizes large companies, government agencies and critical infrastructure. It’s increasingly common to hear of a major corporation, educational institution or local government falling victim to a ransomware attack, in addition to the incidents that make national headlines.
    These attacks have far-reaching implications, affecting everything from critical public services, like hospitals, to disruptions in supply chains, and even taking critical gas pipelines offline. I recently had the opportunity to testify before two subcommittees of the U.S. House of Representatives Committee on Oversight and Accountability on combating ransomware attacks.

    Reply
  12. Tomi Engdahl says:

    How to Embrace a Cloud Security Challenge Mindset https://www.trendmicro.com/en_us/ciso/23/j/cloud-security-challenges.html

    Back in June, Trend Micro predicted enterprise security operations centers (SOCs) would be more or less fully responsible for cloud security by 2026. It’s definitely not that CISOs need more to do, but with public cloud services so central to enterprise IT—to the tune of $600 billion in spending by the end of this year—an enterprise-wide function is required to protect them.

    Bryan Webster, Trend Micro’s VP of Product Management, explained why this poses challenges in a recent AWS SecurityLIVE! segment. To start with, cloud environments are dynamic, rolling out apps and spinning up infrastructure to drive agility and create value. New content, code, and features often emerge on a daily basis, if not multiple times a day.

    Traditional enterprise cybersecurity doesn’t move that fast. It’s typically reactive, not proactive, and less directly connected to business outcomes. So how can CISOs manage risk and meet the security expectations of the business at ‘cloud speed’? The keys are to adopt a cloud mindset, embrace the cloud ethos, and leverage any cloud expertise that’s immediately available.

    Reply
  13. Tomi Engdahl says:

    Are Local LLMs Useful in Incident Response?
    https://isc.sans.edu/diary/Are+Local+LLMs+Useful+in+Incident+Response/30274

    LLMs have become very popular recently. I’ve been running them on my home PC for the past few months in basic scenarios to help out. I like the idea of using them to help with forensics and Incident response, but I also want to avoid sending the data to the public LLMs, so running them locally or in a private cloud is a good option.

    I use a 3080 GPU with 10GB of VRAM, which seems best for running the 13 Billion model (1). The three models I’m using for this test are Llama-2-13B-chat-GPTQ, vicuna-13b-v1.3.0-GPTQ, and Starcoderplus-Guanaco-GPT4-15B-V1.0-GPTQ. I’ve downloaded these models from huggingface.co/ if you want to play along at home.

    Llama2 is the latest Facebook general model. Vicuna is a “Fine Tuned” Llama one model that is supposed to be more efficient and use less RAM. StarCoder is trained on 80+ coding languages and might do better on more technical explanations.

    Reply
  14. Tomi Engdahl says:

    Overall, these small models did poorly on this test. They do a good job on everyday language tasks, like giving text from an article and summarizing it or helping with proofreading. A specific version of Star is just for Python, which also works well. As expected for small models, the more specific they are trained, the better the results.
    https://isc.sans.edu/diary/Are+Local+LLMs+Useful+in+Incident+Response/30274

    Reply
  15. Tomi Engdahl says:

    ICS/OT
    ZDI Discusses First Automotive Pwn2Own
    https://www.securityweek.com/zdi-discusses-first-automotive-pwn2own/

    The Zero Day Initiative (ZDI) will host a new Automotive Pwn2Own at the Automotive World Conference in Tokyo, January 24 to 26, 2024.

    Reply
  16. Tomi Engdahl says:

    Cloud Security
    Network, Meet Cloud; Cloud, Meet Network
    https://www.securityweek.com/network-meet-cloud-cloud-meet-network/

    The widely believed notion that the network and the cloud are two different and distinct entities is not true.

    The widely believed notion that the network and the cloud are two different and distinct entities is not true. While it may have been so 10 to 15 years ago that the network was an on-prem architecture that operated independently and required different solutions or protections separate from the cloud, that is no longer the case.

    While many organizations have embraced the cloud as part and parcel of their network infrastructure, some companies are still evolving. And it is easy to see why. On-prem architecture ensures that your team has full control over your network, right down to the wire. With appliances, you essentially have one built-in inspection point; you can buy routers and firewalls and then segment everything behind the scenes. With the cloud all of this is gone; you lose some of these controls in that your network is not neatly contained within a physical infrastructure. You spin up your resources wherever you want – in other regions, other countries – and in doing so, the choke point you once relied on in the on-prem environment is now multiplied across many different access points.

    There is comfort in having the control provided with managing an on-prem-only network. But this approach is no longer tenable. As organizations grow, dropping in appliances at every site or datacenter is expensive and often requires additional resources and manpower to set up and deploy.

    Cloud services offer the ability to scale resources up or down based on demand. This flexibility is critical for handling varying workloads and ensuring network resources are efficiently utilized and security measures are properly deployed. AWS, Azure and other cloud environments all have great ways to protect, but visibility becomes an issue. You lose the control to dive into packets or you pay a premium to have the ability to do this.

    Organizations must rethink ways to jointly achieve both visibility and security for networks that are not one-size-fits-all, with a comprehensive security strategy that encompasses on-premises, multi-cloud and hybrid environments. This strategy should include regular risk assessments, security policy enforcement, continuous monitoring and threat detection, and incident response mechanisms. Collaboration between CloudOps and SecOps teams to ensure a holistic security approach is critical, along with implementing security solutions that are designed for multi-cloud environments.

    Cloud-native security solutions that combine network metadata with context from third parties can provide a better understanding of what is happening on the network and in a way that teams can visualize the data and know which actions to take.

    It’s important to note that the perceived separation between network and cloud can vary widely from one organization to another and may evolve over time as technology and business needs change. Many companies are gradually adopting a more integrated approach, where network and cloud resources are managed holistically to maximize efficiency, scalability, and agility while meeting specific business requirements.

    Reply
  17. Tomi Engdahl says:

    CISA and NSA Release New Guidance on Identity and Access Management https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new-guidance-identity-and-access-management

    Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.

    This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.

    Reply
  18. Tomi Engdahl says:

    Coalition to give NGOs free access to cybersecurity services to protect against attacks https://therecord.media/coalition-to-give-ngos-free-access-to-cyber-services-netherlands

    The Hague, Netherlands – The CyberPeace Institute announced Wednesday it will set up a portal with a coalition of cyber response teams to help non-governmental organizations, or NGOs, in the Netherlands protect themselves from cyberattacks. The CyberPeace Institute is a Geneva-based nonprofit that monitors cyberattacks and their effect on society. As part of that mission, it announced at the ONE cybersecurity conference that it will work with The Hague Humanity Hub, the Dutch Institute for Vulnerability Disclosure, and the global Computer Security Incident Response Team to provide free training, tools and advice to help NGOs in the Netherlands become more cyber resilient.

    The coalition will use open-source intelligence and a vetted network of ethical hackers to provide a kind of cyber early warning system for nonprofits. NGOs will be able to sign up into a portal where they can share information about attacks and vulnerabilities, as well as find resources for help should an attack occur.

    Reply
  19. Tomi Engdahl says:

    Reuters:
    BlackBerry plans to split its IoT and cybersecurity units and target a subsidiary IPO for the IoT unit in its next FY, after reviewing options since May 2023 — Canadian technology company BlackBerry (BB.TO), said on Wednesday it would separate its Internet of Things (IoT) …

    BlackBerry to separate IoT and cybersecurity businesses, plans IPO
    https://www.reuters.com/technology/blackberry-separate-iot-cybersecurity-business-units-2023-10-04/

    Canadian technology company BlackBerry (BB.TO) said on Wednesday it would separate its Internet of Things (IoT) and cybersecurity business units and target a subsidiary initial public offering for the IoT business next fiscal year.

    BlackBerry joins a number of companies that have split their units in recent years, favoring a leaner corporate structure to help investors better evaluate their separate businesses.

    Reply
  20. Tomi Engdahl says:

    Financial Times:
    Belgium’s intelligence service has been monitoring Alibaba’s logistics hub in Europe at Liège’s cargo airport to detect “possible espionage” by Chinese entities

    https://www.ft.com/content/256ee824-9710-49d2-a8bc-f173e3f74286

    Reply
  21. Tomi Engdahl says:

    NSA and CISA Release Guide To Protect Baseboard Management Controllers
    https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3426648/nsa-and-cisa-release-guide-to-protect-baseboard-management-controllers/

    FORT MEADE, Md. — Baseboard management controllers (BMCs) are common components of server-class computers. Malicious cyber actors could use these controllers’ capabilities to compromise industry and government systems.

    “Implementation of effective security defenses for these embedded controllers is frequently overlooked,” said Neal Ziring, the Technical Director for NSA’s Cybersecurity Directorate. “The firmware in these controllers is highly privileged. Malicious actors can use the firmware’s capabilities to remotely control a critical server while bypassing traditional security tools.”

    Organizations need to take action to secure servers with BMCs. To assist network defenders in this, NSA and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released the Cybersecurity Information Sheet, “Harden Baseboard Management Controllers.” The guidance includes recommendations and mitigations for network defenders to secure their systems.

    NSA and CISA recommend system owners and network defenders implement the mitigations listed in the report, including:

    Hardening BMC credentials and configurations
    Monitoring BMC integrity and updating BMCs
    Establishing virtual network separation to isolate BMC network connections

    Harden Baseboard Management Controllers
    https://media.defense.gov/2023/Jun/14/2003241405/-1/-1/0/CSI_HARDEN_BMCS.PDF

    Recommended actions
    These recommended actions align with the cross-sector cybersecurity performance goals (CPGs) CISA and the National Institute of Standards and Technology (NIST) developed. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.

    1. Protect BMC credentials
    Change the default BMC credentials as soon as possible. Establish unique user accounts for administrators, if supported. Always use strong passwords compliant with NIST guidelines.

    2. Enforce VLAN separation
    Establish a virtual local area network (VLAN) to isolate BMC network connections since many BMC products have a dedicated network port not shared with the OS or virtual machine manager (VMM). Limit the endpoints that may communicate with BMCs in the enterprise infrastructure—commonly referred to as an Administrative VLAN. Limit or block BMC access to the internet. If the BMC requires internet access to update, create rules such that only update-supporting traffic is permitted during the update download.

    3. Harden configurations
    Consult vendor guides and recommendations for hardening BMCs against unauthorized access and persistent threats. UEFI hardening configuration guidance may apply to many BMC settings.

    4. Perform routine BMC update checks
    BMC updates are delivered separately from most other software and firmware updates. Establish a routine to conduct monthly or quarterly checks for BMC updates according to the system vendor’s recommendations and scheduled patch releases.

    5. Monitor BMC integrity
    Some BMCs report integrity data to a root of trust (RoT). The RoT could take the form of a TPM, dedicated security chip or coprocessor (multiple trademarked names in use), or a central processing unit (CPU) secure memory enclave. Monitor integrity features for unexpected changes and platform alerts.

    6. Move sensitive workloads to hardened devices
    Older server and cloud nodes may lack any BMC integrity monitoring mechanism. The presence of a TPM does not guarantee that BMC integrity data is collected. Place sensitive workloads on hardware designed to audit both the BMC firmware and the platform firmware.

    7. Use firmware scanning tools periodically
    Some modern EDR and platform scanning tools support BMC firmware capture. Establish a schedule to collect and inspect BMC firmware for integrity and unexpected changes.

    8. Do not ignore BMCs
    A user may accidentally connect and expose an ignored and disconnected BMC to malicious content. Treat an unused BMC as if it may one day be activated. Apply patches. Harden credentials. Restrict network access. If a BMC cannot be disabled or removed, carry out recommended actions appropriate to the sensitivity of the platform’s data.

    Reply
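The eight recommended actions in the NSA/CISA sheet above are phrased as policy; most of them can be turned into inventory checks. As an added example, not part of the NSA/CISA guidance or of the original post, here is an audit that takes a constructed asset-inventory record per BMC and reports which of the actions it fails. The administrative VLAN (10.99.0.0/24), the 90-day update-check window, the record fields and the two sample hosts are assumptions for the example; actions 3 (vendor hardening guides) and 7 (firmware capture) are not modelled because they depend on vendor-specific tooling.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

ADMIN_VLAN = ipaddress.ip_network("10.99.0.0/24")  # assumed administrative VLAN (action 2)
MAX_CHECK_AGE = timedelta(days=90)                  # quarterly update checks (action 4)


@dataclass
class BmcRecord:
    """One BMC as recorded in a hypothetical asset inventory."""
    host: str
    bmc_ip: str
    nic_shared_with_os: bool    # BMC traffic rides a NIC the OS/VMM also uses
    internet_reachable: bool    # firewall lets the BMC talk to the internet
    default_credentials: bool   # vendor default account still enabled
    last_update_check: date
    integrity_reporting: bool   # BMC measurements reported to a root of trust
    sensitive_workload: bool
    in_use: bool


def audit_bmc(rec: BmcRecord, today: date) -> list[str]:
    """Return findings, each tagged with the recommended action it maps to."""
    findings = []
    if rec.default_credentials:
        findings.append("CRED-DEFAULT: default BMC credentials still active (action 1)")
    if ipaddress.ip_address(rec.bmc_ip) not in ADMIN_VLAN:
        findings.append("NET-VLAN: BMC address is outside the administrative VLAN (action 2)")
    if rec.nic_shared_with_os:
        findings.append("NET-SHARED-NIC: BMC shares a network port with the OS/VMM (action 2)")
    if rec.internet_reachable:
        findings.append("NET-INTERNET: BMC can reach the internet outside update windows (action 2)")
    if today - rec.last_update_check > MAX_CHECK_AGE:
        findings.append("UPD-STALE: no BMC update check within 90 days (action 4)")
    if not rec.integrity_reporting:
        findings.append("INT-NONE: BMC integrity is not reported to a root of trust (action 5)")
        if rec.sensitive_workload:
            findings.append("INT-SENSITIVE: sensitive workload on a host without "
                            "BMC integrity monitoring (action 6)")
    # Action 8: an idle BMC gets no exemption from the checks above.
    if not rec.in_use and findings:
        findings.append("UNUSED-BMC: idle BMC still needs patching, hardening and "
                        "network restriction (action 8)")
    return findings


def audit_inventory(records: list[BmcRecord], today: date) -> dict[str, list[str]]:
    return {r.host: audit_bmc(r, today) for r in records}


# Constructed inventory; 192.0.2.0/24 is a documentation range standing in for
# a BMC that was left on a production subnet.
AUDIT_DATE = date(2023, 10, 1)
SAMPLE_INVENTORY = [
    BmcRecord("web-01", "10.99.0.11", nic_shared_with_os=False, internet_reachable=False,
              default_credentials=False, last_update_check=date(2023, 9, 1),
              integrity_reporting=True, sensitive_workload=False, in_use=True),
    BmcRecord("db-legacy-03", "192.0.2.40", nic_shared_with_os=True, internet_reachable=True,
              default_credentials=True, last_update_check=date(2023, 3, 1),
              integrity_reporting=False, sensitive_workload=True, in_use=False),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{host}: {'compliant' if not findings else ''}")
        for line in findings:
            print(f"  - {line}")
```

The value of a check like this is the second host: a decommissioned-in-name-only BMC with default credentials on a routable subnet fails nearly every action at once, which is exactly the case the sheet's eighth action warns about.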
  22. Tomi Engdahl says:

    How To Access the DARK WEB in 2023 (3 Levels)
    https://www.youtube.com/watch?v=U2-JPqrALsA

    Ever heard of the Dark Web and wondered how to access it? The allure of the unknown is captivating, but it can also be perilous. In this video, I guide you through 3 different methods to access the Dark Web, ranging from basic to high-security measures. We’ll delve into what the Dark Web actually is, its legitimate uses, and the precautions you should take when navigating this mysterious part of the internet.

    What You’ll Learn:

    The Good, the Bad, and the Ugly of the Dark Web
    Why the Tor Browser alone might not be enough
    How a VPN can add an extra layer of security
    The ultimate security with Tails
    Bonus: The NetworkChuck Cloud Browser

    Reply
  23. Tomi Engdahl says:

    Hacking the Power Grid – Their password is TERRIBLE!
    https://www.youtube.com/watch?v=MBgiu7ex-no

    RECESSIM, Sep 30, 2023, Smart Meter Hacking

    Building a hacking tool from a smart grid modem. Learn how to build your own hacking tools by following along with me on my journey building this one.

    Reply
  24. Tomi Engdahl says:

    David Pogue — After Apple blocked cookies in its Safari browser, Google has now built, RIGHT INTO CHROME, a tracker that ‘tracks the web pages you visit and generates a list of advertising topics that it will share with web pages whenever they ask’.

    Google gets its way, bakes a user-tracking ad platform directly into Chrome
    https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/

    Chrome now directly tracks users, generates a “topic” list it shares with advertisers.

    Don’t let Chrome’s big redesign distract you from the fact that Chrome’s invasive new ad platform, ridiculously branded the “Privacy Sandbox,” is also getting a widespread rollout in Chrome today. If you haven’t been following this, this feature will track the web pages you visit and generate a list of advertising topics that it will share with web pages whenever they ask, and it’s built directly into the Chrome browser. It’s been in the news previously as “FLoC” and then the “Topics API,” and despite widespread opposition from just about every non-advertiser in the world, Google owns Chrome and is one of the world’s biggest advertising companies, so this is being railroaded into the production builds.

    Google seemingly knows this won’t be popular. Unlike the glitzy front-page Google blog post that the redesign got, the big ad platform launch announcement is tucked away on the privacysandbox.com page. The blog post says the ad platform is hitting “general availability” today, meaning it has rolled out to most Chrome users. This has been a long time coming, with the APIs rolling out about a month ago and a million incremental steps in the beta and dev builds, but now the deed is finally done.

    Users should see a pop-up when they start up Chrome soon, informing them that an “ad privacy” feature has been rolled out to them and enabled. The new pop-up has been hitting users all week. As you can see in the pop-up, all of Google’s documentation about this feature feels like it was written on opposite day, with Google calling the browser-based advertising platform “a significant step on the path towards a fundamentally more private web.”

    The argument here is that someday—not now, but someday—Google promises to turn off third-party tracking cookies in Chrome, and the new ad platform, which has some limitations, is better than the free-for-all that is third-party cookies. The thing is, third-party cookies mostly only affect Chrome users. Apple and Firefox have both been blocking third-party cookies for years and won’t be implementing Google’s new advertising system—it’s only the Chromium browsers that still allow them.

    That’s actually what started this whole process: Apple dealt a giant blow to Google’s core revenue stream when it blocked third-party cookies in Safari in 2020. While it was a win for privacy, Google’s not following suit until it can secure its advertising business. The Federated Learning of Cohorts and now the Topics API are part of a plan to pitch an “alternative” tracking platform, and Google argues that there has to be a tracking alternative—you can’t just not be spied on. The Electronic Frontier Foundation also argued this when it called Google’s FLoC a “terrible idea,” saying “[Google's] framing is based on a false premise that we have to choose between ‘old tracking’ and ‘new tracking.’ It’s not either-or. Instead of re-inventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads.”

    Chrome has some controls for this built into the browser now. Just go to the Chrome Settings, then “Privacy and Security,” then “Ad privacy” (alternatively, paste “chrome://settings/adPrivacy” into the address bar). From there, you can click through to each of the three individual pages and turn off the top checkbox, and in a mere six clicks, you can presumably turn off the ad platform. If you leave it on for a while, you can check out the “Ad topics” page, where Google will show you what ads Chrome thinks you would like to see. This list gets sent to advertisers when you visit a page.

    Google says it will block third-party cookies in the second half of 2024—presumably after it makes sure the “Privacy Sandbox” will allow it to keep its profits up.

    Reply
  25. Tomi Engdahl says:

    Campaign identified and fixed cyber risks in supply chains https://www.huoltovarmuuskeskus.fi/a/kampanja-tunnisti-ja-korjasi-toimitusketjuihin-liittyvia-kyberriskeja

    The Ketjutonttu campaign of Traficom’s Kyberturvallisuuskeskus (National Cyber Security Centre) improved the information security of Finnish companies by identifying and fixing risks in their supply chains. 150 organizations and companies took part in the campaign, which was funded from Huoltovarmuuskeskus’s (National Emergency Supply Agency’s) Digital Security 2030 programme.
    The campaign showed that cybersecurity can be improved even with lightweight methods. Suppliers of the participating organizations receive a free security check based on open information sources, as well as help with making corrections.

    On average, 35 suppliers were identified per participant.
    In total, 2,312 suppliers were checked during the campaign and offered vulnerability reports and help with remediation. 856 security findings were reported during the campaign. Thanks to the approach based on open information sources, the check could be carried out on a large set of suppliers without separate agreements. Assistance was focused on those suppliers where security problems were found.

    Reply
  26. Tomi Engdahl says:

    Cybercrime gangs now deploying ransomware within 24 hours of hacking victims https://therecord.media/ransomware-deployment-dwell-time-decreasing

    Cybercriminals are now deploying ransomware within the first day of initially compromising their targets, a dramatic drop from the 4.5 days that the task had been taking last year, according to a new threat report. Cybersecurity company Secureworks warns that “2023 may be the most prolific year for ransomware attacks to date” with three times as many victims listed on leak sites in May this year as there were in the same month a year ago.

    Leak sites are a poor metric for assessing the size of the ransomware problem, the company’s report notes, pointing out that the leak site for Hive — which was disrupted by law enforcement earlier this year — listed only around 10% of the total victims law enforcement knew about.

    Reply
  27. Tomi Engdahl says:

    Operation Jacana: Foundling hobbits in Guyana https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/

    In February 2023, ESET researchers detected a spearphishing campaign targeting a governmental entity in Guyana. While we haven’t been able to link the campaign, which we named Operation Jacana, to any specific APT group, we believe with medium confidence that a China-aligned threat group is behind this incident.

    In the attack, the operators used a previously undocumented C++ backdoor that can exfiltrate files, manipulate Windows registry keys, execute CMD commands, and more. We named the backdoor DinodasRAT based on the victim identifier it sends to its C&C: the string always begins with Din, which reminded us of the hobbit Dinodas from the Lord of the Rings.

    Reply
  28. Tomi Engdahl says:

    Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities https://any.run/cybersecurity-blog/lu0bot-analysis/

    In this article, we’ll examine a Lu0Bot malware sample we stumbled upon while tracking malicious activity in ANY.RUN’s public tasks. What caught our interest is that the sample is written in Node.js. While initially, it appeared to be a regular bot for DDOS attacks, things turned out to be a lot more complex.

    Node.js malware is intriguing because it targets a runtime environment commonly used in modern web applications. The runtime’s platform-agnostic nature depends on the specific code and libraries used, but it often allows for greater versatility. Typically, this kind of malware employs multi-layer obfuscation techniques using JavaScript. It combines traditional malware characteristics with web technologies, making it a unique challenge for detection and analysis.

    Reply
  29. Tomi Engdahl says:

    NSA and CISA reveal top 10 cybersecurity misconfigurations https://www.bleepingcomputer.com/news/security/nsa-and-cisa-reveal-top-10-cybersecurity-misconfigurations/

    The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations. Today’s advisory also details what tactics, techniques, and procedures (TTPs) threat actors use to successfully exploit these misconfigurations with various goals, including gaining access to, moving laterally, and targeting sensitive information or systems.

    The information included in the report was collected by the two agencies’ Red and Blue teams during assessments and during incident response activities.
    “These teams have assessed the security posture of many networks across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and the private sector,” the NSA said.

    Reply
  30. Tomi Engdahl says:

    The evolutionary tale of a persistent Python threat https://checkmarx.com/blog/the-evolutionary-tale-of-a-persistent-python-threat/

    Since early April 2023, an attacker has been relentlessly deploying hundreds of malicious packages through various usernames, accumulating nearly 75,000 downloads. The attacker’s evolution is evident, with transitions from plain-text to encryption and subsequently to multilayered obfuscation and secondary disassembly payloads.

    The malicious package casts a wide net, aiming to steal extensive amounts of sensitive data, including data from the target system, applications, browsers, and the user. Additionally, they target cryptocurrency users by modifying cryptocurrency addresses to redirect transactions to the attacker. The threat actors’ most recent packages adeptly dismantle system defenses, leaving the system exposed and vulnerable.

    The malicious code is explicitly designed to run on Windows systems. The evidence of the attackers’ success is palpable, with one of their crypto wallet addresses showing incoming transactions (funds directed into the attacker’s account) amounting to six figures during the period the malicious packages were active.

    Reply
  31. Tomi Engdahl says:

    BLUE OLEX 2023: Getting Ready for the Next Cybersecurity Crisis in the EU https://www.enisa.europa.eu/news/blue-olex-2023-getting-ready-for-the-next-cybersecurity-crisis-in-the-eu

    Together with the European Commission under the Spanish Presidency of the EU Council, the European Union Agency for Cybersecurity (ENISA) co-organised and co-hosted the Blue Olex table-top cyber exercise in the Hague, Netherlands.
    With the upcoming EU elections and cyber threats spreading widely, the EU needs to strengthen its capacities. This was precisely the objective of the Blue Olex exercise: to test the preparedness of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), the cooperation network for Member States’ national authorities in charge of cyber crisis management.

    BlueOlex ‘23 aimed to test the EU’s preparedness in the event of a cyber-related crisis affecting the EU Member States and to strengthen the cooperation between the national cybersecurity authorities, the European Commission and ENISA. The aim of the exercise is to build a stronger relationship among the cybersecurity community participating in the exercise, increase situational awareness and share best practices. Finally, it sets the scene for a high-level political discussion on strategic cyber policy issues, in particular shaping a coherent framework for crisis management at EU level.

    Reply
  32. Tomi Engdahl says:

    BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html

    Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that’s being advertised for sale on the cybercrime underground. “BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more,” Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an analysis published last week.

    Its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim’s clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses. A C/C++-based loader offered for $250 for a lifetime license, the malware is said to have been under continuous development since its debut on September 4, 2023, with new features and enhancements that incorporate anti-sandbox and antivirus evasion techniques.

    Reply
  33. Tomi Engdahl says:

    FBI warns of surge in ‘phantom hacker’ scams impacting elderly https://www.bleepingcomputer.com/news/security/fbi-warns-of-surge-in-phantom-hacker-scams-impacting-elderly/

    The FBI issued a public service announcement warning of a significant increase in ‘phantom hacker’ scams targeting senior citizens across the United States.
    “This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,” the FBI said.

    “Victims often suffer the loss of entire banking, savings, retirement, or investment accounts under the guise of ‘protecting’ their assets.” In such scams, multiple fraudsters masquerading as bank representatives are contacting unsuspecting victims, falsely alleging that their accounts have fallen victim to hacking attempts.

    Reply
  34. Tomi Engdahl says:

    Clorox Crisis Shows Cyber Risk’s Harsh Business Downside https://www.forbes.com/sites/noahbarsky/2023/10/06/clorox-crisis-shows-cyber-risks-harsh-business-downside/

    The Clorox cyberattack crisis warrants every board’s attention. The consumer-products giant spent over $500 million on IT upgrades and earned a spot on the 2023 Forbes Most Cybersecure Companies list. Nonetheless, an August breach halted its operations with devastating supply chain and business consequences.

    While the cybercrime details remain unclear, Clorox disclosed that it was forced back to manual processes, as automation systems took nearly six weeks to normalize. That left retailers and consumers scrambling for merchandise. In terms of the financial aftermath, its preliminary FY2024 Q1 results suffered significantly.

    Reply
  35. Tomi Engdahl says:

    Leveraging a Hooking Framework to Expand Malware Detection Coverage on the Android Platform https://unit42.paloaltonetworks.com/hooking-framework-in-sandbox-to-analyze-android-apk/

    One of the biggest challenges we face in analyzing Android application package (APK) samples at scale is the diversity of Android platform versions that malware authors use. When trying to utilize static and dynamic analysis techniques in the malware detection space, the sheer variety of platform versions can feel overwhelming.

    In this article, we will discuss this issue of how malware authors use obfuscation to make analyzing their Android malware more challenging. We will review two such case studies to illustrate those obfuscation techniques in action. Finally, we’ll cover some overall techniques researchers can use to address these obstacles.

    Reply
  36. Tomi Engdahl says:

    BELGIAN INTELLIGENCE SERVICE VSSE ACCUSED ALIBABA OF ‘POSSIBLE ESPIONAGE’ AT EUROPEAN HUB IN LIEGE https://securityaffairs.com/152039/intelligence/belgian-intelligence-service-vsse-accused-alibaba.html

    The Belgian intelligence service VSSE revealed that it is investigating potential cyber espionage activities carried out by Chinese firms, including the Alibaba Group Holding, at a cargo airport in Liege.

    Reply
  37. Tomi Engdahl says:

    Ukraine, Israel, South Korea top list of most-targeted countries for cyberattacks https://therecord.media/microsoft-2023-report-countries-most-targeted-cyberattacks

    More than 120 countries faced cyberattacks over the last year, with Ukraine, Israel, South Korea and Taiwan topping the list of the most targeted countries, according to a new report from Microsoft.

    The findings are part of Microsoft’s Digital Defense Report 2023 — which used troves of the company’s data to track cybersecurity trends between July 2022 and June 2023.

    Reply
  38. Tomi Engdahl says:

    To Schnorr and beyond (Part 1)
    https://blog.cryptographyengineering.com/2023/10/06/to-schnorr-and-beyond-part-1/

    In this post I’m going to talk about signature schemes, and specifically the Schnorr signature, as well as some related schemes like ECDSA. These signature schemes have a handful of unique properties that make them quite special among cryptographic constructions. Moreover, understanding the motivation of Schnorr signatures can help understand a number of more recent proposals, including post-quantum schemes like Dilithium — which we’ll discuss in the second part of this series.

    Reply
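    Added example, not from the linked post: a minimal Schnorr signature in Python with a key-prefixed Fiat-Shamir challenge and a deterministic nonce, showing the s*G == R + e*X verification identity the scheme rests on. The choice of secp256k1 and the single-SHA-256 nonce derivation are this example’s assumptions; the post discusses Schnorr abstractly and fixes neither.

```python
import hashlib
import secrets

# secp256k1 domain parameters. The curve is this example's assumption; the
# post discusses Schnorr abstractly and does not fix a group.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(point):
    """True if point satisfies y^2 = x^3 + 7 over F_P (a = 0, b = 7)."""
    x, y = point
    return (y * y - x * x * x - 7) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication. Not constant-time: fine for a
    teaching example, unacceptable in a production signer."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def encode(point):
    """Uncompressed SEC1 encoding 0x04 || x || y, used as hash input."""
    return b"\x04" + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")

def challenge(r_point, pubkey, message):
    """Fiat-Shamir challenge e = H(R || X || m) mod N. Hashing the public key
    as well binds the signature to one signer (key-prefixing)."""
    digest = hashlib.sha256(encode(r_point) + encode(pubkey) + message).digest()
    return int.from_bytes(digest, "big") % N

def keygen():
    """Private scalar x in [1, N-1] and public point X = x*G."""
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def sign(x, pubkey, message):
    """Schnorr signature (R, s) with R = k*G and s = k + e*x mod N."""
    # Deterministic nonce from the key and message (RFC 6979 in spirit, simplified
    # here to one SHA-256; an assumption of this example). Reusing k across two
    # messages exposes x, so nonce derivation is the part that most needs care.
    seed = hashlib.sha256(x.to_bytes(32, "big") + message).digest()
    k = int.from_bytes(seed, "big") % (N - 1) + 1
    r_point = ec_mul(k, G)
    e = challenge(r_point, pubkey, message)
    return r_point, (k + e * x) % N

def verify(pubkey, message, signature):
    """Accept iff s*G == R + e*X, i.e. (k + e*x)*G == k*G + e*(x*G)."""
    r_point, s = signature
    if r_point is None or not on_curve(r_point) or not 0 < s < N:
        return False
    e = challenge(r_point, pubkey, message)
    return ec_mul(s, G) == ec_add(r_point, ec_mul(e, pubkey))

if __name__ == "__main__":
    priv, pub = keygen()
    msg = b"constructed sample message"          # constructed sample input
    sig = sign(priv, pub, msg)
    print("genuine signature verifies:", verify(pub, msg, sig))
    print("tampered message verifies:", verify(pub, msg + b"!", sig))
```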
  39. Tomi Engdahl says:

    Opinion / Behind the Yango customer data controversy is a development that forces companies to act – How is the right to control your own data realised?
    https://www.talouselama.fi/uutiset/yangon-asiakastietokohun-taustalla-kehitys-joka-pakottaa-yritykset-toimimaan-miten-oikeus-hallita-omia-tietoja-toteutuu/5015fac4-8e1a-409b-a49c-4a8fcc3f0615

    Digital sovereignty cannot be ignored in business strategy, the opinion writer states.

    Reply
  40. Tomi Engdahl says:

    Phone number, email address, login details, credit card… This is how you check whether your data has leaked online https://www.is.fi/digitoday/tietoturva/art-2000009872043.html

    When did you last check whether your data, such as your passwords, has been compromised, for example in a data breach? It does not take much time. Laura Kankaala, head of threat intelligence at security company F-Secure, explains how you should proceed. IS Digitoday supplemented the instructions in places.

    Reply
  41. Tomi Engdahl says:

    In our ever-evolving digital landscape, the fusion of artificial intelligence (AI) and machine learning (ML) technologies has ushered in a new era of innovation and efficiency. However, as we step into 2024, we must also prepare for the darker side of this technological advancement — the looming cybersecurity threats posed by both AI and ML.

    Reply
  42. Tomi Engdahl says:

    Microsoft Releases New Report on Cybercrime, State-Sponsored Cyber Operations
    https://www.securityweek.com/microsoft-releases-new-report-on-cybercrime-state-sponsored-cyber-operations/

    US, Ukraine, and Israel remain the most heavily attacked by cyberespionage and cybercrime threat actors, Microsoft says.

    Reply
  43. Tomi Engdahl says:

    Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA
    https://www.securityweek.com/organizations-warned-of-top-10-cybersecurity-misconfigurations-seen-by-cisa-nsa/

    CISA and the NSA are urging network defenders and software developers to address the top ten cybersecurity misconfigurations.

    The US cybersecurity agency CISA and the NSA have issued new guidance on addressing the most common cybersecurity misconfigurations in large organizations.

    Impacting many organizations, including those that have achieved a mature security posture, these misconfigurations illustrate a trend of systemic weaknesses and underline the importance of adopting secure-by-design principles during the software development process, CISA and the NSA note.

    The ten most common network misconfigurations, the two agencies say, include default software configurations, improper separation of privileges, lack of network segmentation, insufficient network monitoring, poor patch management, bypass of access controls, poor credential hygiene, improper multi-factor authentication (MFA) methods, insufficient access control lists (ACLs) on network shares, and unrestricted code execution.

    These misconfigurations, CISA and the NSA note, were identified after years of assessing the security posture of more than 1,000 network enclaves within the Department of Defense (DoD), federal agencies, and US government agencies.

    NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a

    The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

    Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

    Default configurations of software and applications
    Improper separation of user/administrator privilege
    Insufficient internal network monitoring
    Lack of network segmentation
    Poor patch management
    Bypass of system access controls
    Weak or misconfigured multifactor authentication (MFA) methods
    Insufficient access control lists (ACLs) on network shares and services
    Poor credential hygiene
    Unrestricted code execution

    Reply
  44. Tomi Engdahl says:

    Addressing the People Problem in Cybersecurity
    https://www.securityweek.com/addressing-the-people-problem-in-cybersecurity/

    Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder.

    The people problem is two-fold: a lack of security awareness among users and a lack of cybersecurity talent. Let’s start with the first challenge, what organizations can do to raise security awareness among users.

    Support for security awareness programs: According to the SANS 2023 Security Awareness Report: Managing Human Risk (PDF), maturity levels for security awareness programs are improving when compared to last year. However, organizations are struggling with the fundamentals of program development including lack of budget, limits on training time for employees, and lack of staffing and time for program management. It comes as no surprise that the most effective programs are backed by strong leadership support, have dedicated full-time employees, and promote a strong security culture where incident reporting is encouraged and made easy which helps mitigate risk.
    User training: Also not surprising, the SANS report finds that phishing/smishing/vishing tops the list of human risks, followed by passwords/authentication, detection/reporting, and IT admin misconfiguration. Training should focus on these four areas and go beyond annual computer-based training to include continuous training so that key concepts are reinforced year-round. Involving security teams in the development of human-focused security training helps ensure content remains highly relevant to the organization. Partnering with other departments such as communications and human resources and bringing on third-party training consultants will also help drive program effectiveness while optimizing resources.

    Looking at the second component of the people problem – a lack of cybersecurity talent – a combination of training and technology can help close the gap currently estimated at 663,600 in the U.S. alone. For example:

    Cybersecurity professionals training: Cybersecurity itself is a continuous learning experience, something that is often overlooked. New research by Enterprise Strategy Group (ESG) finds that 40% of cybersecurity professionals believe their organization should increase its commitment to cybersecurity training to help address the skills shortage by enabling the organization to get more out of existing resources. Partnering with security technology vendors that offer product training and make it available in multiple formats and form factors, including instructor-led/in-person, instructor-led/virtual, and self-service, provides flexibility to select what works best for your business model and your security teams.
    Security automation: An important benefit of security automation is that the highly skilled human resources you have can work smarter, not harder. In research we commissioned recently, security leaders say the number one way to address a top challenge – high turnover rates – is with smarter tools that simplify work. Additionally, over 60% expect automation to positively affect employee satisfaction and retention. A balanced approach to automation where repetitive, low-risk, time-consuming tasks are automated so that analysts are freed up to take the lead on irregular, high-impact, time-sensitive work can improve retention and utilization while driving better security outcomes. And a data-driven approach to automation ensures that actions remain relevant for greater focus, accuracy and confidence in the outcomes. Additionally, security automation platforms that support low-code/no-code interfaces can make automation accessible to a range of users with varying skill sets.
    Additional, new technologies: Approaches and technologies like AI are already helping to drive efficiencies. Specifically, natural language processing is being used to identify and extract threat data, such as indicators of compromise, malware and adversaries, from unstructured text in data feed sources and intelligence reports so that analysts spend less time on manual tasks and more time proactively addressing risks. Machine learning (ML) techniques are being applied to make sense of all this data in order to get the right data to the right systems and teams at the right time to accelerate detection, investigation and response. And a closed-loop model with feedback ensures AI-capable security operations platforms can continue to learn and improve over time.

    Addressing the people problem with effective approaches and tools for users and security practitioners to strengthen defenses will enable us to work smarter, and force attackers into a position where they must work harder.

    Reply
  45. Tomi Engdahl says:

    https://www.securityweek.com/in-other-news-funding-increase-abuse-of-smartphone-location-data-legal-matters/

    Experts respond to EU’s Cyber Resilience Act

    Experts have written a joint letter in response to the proposed EU Cyber Resilience Act (CRA), warning that “the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them”.

    Joint Letter of Experts on CRA and Vulnerability Disclosure
    https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-of-experts-on-cra-and-vulnerability-disclosure

    As concerned cybersecurity experts who have dedicated our lives to improving the security of the online environment, we urge you to reconsider the vulnerability disclosure requirements under the proposed EU Cyber Resilience Act (CRA). While we appreciate the CRA’s aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them.

    “Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors. There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities.”

    “While the intention behind disclosing vulnerabilities promptly may be to facilitate mitigation, CRA already requires software publishers to mitigate vulnerabilities without delay in a separate provision. We support this obligation, but also advocate for a responsible and coordinated disclosure process that balances the need for transparency with the need for security. We recommend that the CRA adopt a risk-based approach to vulnerability disclosure, taking into account factors such as the severity of the vulnerability, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation. With that in mind and to avoid unintentionally exposing consumers and organisations in Europe and beyond to new cybersecurity risks”

    Reply
  46. Tomi Engdahl says:

    Top 10 cyber malware: Trojans wreak havoc in Finland and worldwide, the communications sector is the most popular target of cyber attacks in the Nordics
    https://www.epressi.com/tiedotteet/tietotekniikka/kyberhaitakkeiden-top-10-troijalaiset-tekevat-tuhoa-suomessa-ja-maailmalla-viestintaala-kyberhyokkaysten-suosituin-kohde-pohjoismaissa.html

    In its September malware review, Check Point Software reports that Formbook became the world’s most common malware after the takedown of Qbot, and new winds were blowing at the top of the Finnish list as well. In September, researchers observed an extensive phishing campaign driven by the Remcos remote access trojan. In the Nordics, the communications sector was the most frequently targeted; globally and across Europe, it was education and research.

    Reply
  47. Tomi Engdahl says:

    IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits

    In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits.
    Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.

    Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ranging from the thousands to even tens of thousands. This highlights the campaign’s capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs.

    In this article, we will elaborate on how this threat leverages new vulnerabilities to control affected devices, along with the details of IZ1H9.

    Reply
  48. Tomi Engdahl says:

    HelloKitty ransomware source code leaked on hacking forum https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source-code-leaked-on-hacking-forum/

    A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.

    HelloKitty is a human-operated ransomware operation active since November 2020 when a victim posted to the BleepingComputer forums, with the FBI later releasing a PIN (private industry notification) on the group in January 2021.

    The gang is known for hacking corporate networks, stealing data, and encrypting systems. The encrypted files and stolen data are then utilized as leverage in double-extortion schemes, where the threat actors threaten to leak data if a ransom is not paid.

    Reply
  49. Tomi Engdahl says:

    R2R STOMPING – ARE YOU READY TO RUN?
    https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/

    This research introduces a new method for running hidden implanted code in ReadyToRun (R2R) compiled .NET binaries. The method focuses on the possibility of altering R2R compiled binaries in such a way that the original IL code of the assembly differs from the pre-compiled native code, which is a part of the produced binary too. Because of the .NET optimization, the pre-compiled native code will be prioritized and run, ignoring the original IL code.

    Reply
