Posts

Showing posts from April, 2021

Schneier - Friday Squid Blogging: On Squid Coloration

Nice excerpt from Martin Wallin’s book Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2021/04/friday-squid-blogging-on-squid-coloration.html

Dark Reading - Ransomware Task Force Publishes Framework to Fight Global Threat

An 81-page report details how ransomware has evolved, along with recommendations on how to deter attacks and disrupt its business model. from Dark Reading: https://www.darkreading.com/threat-intelligence/ransomware-task-force-publishes-framework-to-fight-global-threat/d/d-id/1340889?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - MITRE Adds MacOS, Linux, More Data Types to ATT&CK Framework

Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure. from Dark Reading: https://www.darkreading.com/threat-intelligence/mitre-adds-macos-more-data-types-to-attandck-framework/d/d-id/1340870?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - New Threat Group Carrying Out Aggressive Ransomware Campaign

UNC2447 observed targeting now-patched vulnerability in SonicWall VPN. from Dark Reading: https://www.darkreading.com/attacks-breaches/new-threat-group-carrying-out-aggressive-ransomware-campaign/d/d-id/1340887?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - PortDoor Espionage Malware Takes Aim at Russian Defense Sector

The stealthy backdoor is likely being used by Chinese APTs, researchers said. from Threatpost https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/

Dark Reading - MITRE Adds MacOS, Linux, More Data Types to ATT&CK Framework

Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure. from Dark Reading: https://www.darkreading.com/threat-intelligence/mitre-adds-macos-linux-more-data-types-to-attandck-framework/d/d-id/1340870?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US-CERT - CISA Updates Alert on Pulse Connect Secure

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/04/30/cisa-updates-alert-pulse-connect-secure

Threat Post - WeSteal: A Cryptocurrency Stealing Tool That Does Just That

The developer of the WeSteal cryptocurrency stealer can’t be bothered with fancy talk: they say flat-out that it’s “the leading way to make money in 2021”. from Threatpost https://threatpost.com/westeal-cryptocurrency-stealing-tool/165762/

Dark Reading - Survey Finds Broad Concern Over Third-Party App Providers Post-SolarWinds

Most IT and cybersecurity professionals think security is important enough to delay deployment of applications, survey data shows. from Dark Reading: https://www.darkreading.com/application-security/survey-finds-broad-concern-over-third-party-app-providers-post-solarwinds/d/d-id/1340868?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Rapid 7 - Metasploit Wrap-Up

Operations shell Operations and management software make popular targets due to their users typically having elevated privileges across a network. Our own wvu contributed the VMware vRealize Operations (vROps) Manager SSRF RCE exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The exploit/linux/http/vmware_vrops_mgr_ssrf_rce module achieves remote code execution (RCE) as the admin Unix user by chaining the two vulnerabilities. First, CVE-2021-21975 pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the /casa/nodes/thumbprints endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit CVE-2021-21983 via the /casa/private/config/slice/ha/certificate endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions: 7.0.0 7.5.0

Black Hills InfoSec - Backdoors & Breaches LIVE – 4/28/2021

Join our Incident Master BanjoCrashland as we play another round of Backdoors & Breaches (B&B) session using our new Tabletop Simulator (TTS) version! If you have STEAM / TABLETOP SIMULATOR / BACKDOORS & BREACHES WORKSHOP, you can play using the same version of the game. https:/steamcommunity.com/sharedfiles/filedetails/?id=2401033477 Incident Master: Jason Blanchard | BanjoCrashland Defenders: Matt Thomas […] The post Backdoors & Breaches LIVE – 4/28/2021 appeared first on Black Hills Information Security. from Black Hills Information Security https://www.blackhillsinfosec.com/backdoors-breaches-live-4-28-2021/

Threat Post - Is the SolarWinds Hack Really a Seismic Shift?

Oliver Tavakoli, CTO of Vectra AI, discusses the massive supply-chain hack's legacy and ramifications for security professionals. from Threatpost https://threatpost.com/solarwinds-hack-seismic-shift/165758/

KnowBe4 - The Cost of Remediating a Ransomware Attack More than Doubles and is Quickly Approaching $2 Million

With 54% of organizations unable to stop a ransomware attack before data is encrypted and operations are impacted, the increasing cost of ransomware remediation is troubling. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/the-cost-of-remediating-a-ransomware-attack-more-than-doubles-and-is-quickly-approaching-2-million

KnowBe4 - U.K. Royal Mail-related Phishing Scams Are Up 645%

New data from CheckPoint highlights how scammers are using simple shipping-related social engineering scams to trick victims into giving up personal information and credit card details. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/u.k.-royal-mail-related-phishing-scams-are-up-645

Dark Reading - Ghost Town Security: What Threats Lurk in Abandoned Offices?

Millions of office buildings and campuses were rapidly abandoned during the pandemic. Now it's a year later - what happened in those office parks and downtown ghost towns? What security dangers lurk there now, waiting to ambush returning businesses? from Dark Reading: https://www.darkreading.com/edge/theedge/ghost-town-security-what-threats-lurk-in-abandoned-offices/b/d-id/1340866?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US-CERT - Codecov Releases New Detections for Supply Chain Compromise

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/04/30/codecov-releases-new-detections-supply-chain-compromise

US-CERT - Samba Releases Security Updates

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/04/30/samba-releases-security-updates

Dark Reading - 7 Modern-Day Cybersecurity Realities

Security pros may be working with a false sense of security. We explore seven places where old methods and techniques have to change to keep their organizations safe. from Dark Reading: https://www.darkreading.com/cloud/7-modern-day-cybersecurity-realities/d/d-id/1340826?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - The Ticking Time Bomb in Every Company's Code

Developers must weigh the benefits and risks of using third-party code in Web apps. from Dark Reading: https://www.darkreading.com/application-security/the-ticking-time-bomb-in-every-companys-code/a/d-id/1340815?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Rapid 7 - Rapid7's 2021 ICER Takeaways: Web Security Among the Fortune 500

This blog post covers key takeaways from our 2021 Industry Cyber-Exposure Report (ICER): Fortune 500. The vast majority of the interactions an average person has with technology is through some form of a web application, but what constitutes a “web app” can be considered quite nebulous, and the security controls for hardening these applications are equally broad. APIs, distributed authentication schemes, single-page applications, and static websites all might fall under the general category of “web application.” There are very few security measures that should be applied to all web applications across the board without further subdividing what specific type of application we are referring to. However, there are a couple that we will examine here. All web applications should require strong encryption, with a vanishingly small number of exceptions. While this is most critical for applications serving up critical or sensitive information–such as personally identifiable information (P

Schneier - Serious MacOS Vulnerability Patched

Apple just patched a MacOS vulnerability that bypassed malware checks. The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes. Owens discovered that if he made an application that was really just a script—code that tells another program what to do rather than doing it itself—and didn’t include a standard application metadata file called “info.plist,” he could silently run the app on any Mac. The operating system wouldn’t even give its most basic prompt: “This is an application downloaded from the Internet. Are you sure you want to open it?” More. from Schneier on Security https://www.schneier.com/blog/archives/2021/04/serous-macos-vulnerability-patched.html

Threat Post - Microsoft Warns 25 Critical Vulnerabilities in IoT, Industrial Devices

Azure Defender security team discovers that memory allocation is a systemic problem that can allow threat actors to execute malicious code remotely or cause entire systems to crash. from Threatpost https://threatpost.com/microsoft-warns-25-critical-iot-industrial-devices/165752/

Threat Post - COVID-19 Results for 25% of Wyoming Accidentally Posted Online

Sorry, we’ve upchucked your COVID test results and other medical and personal data into public GitHub storage buckets, the Wyoming Department of Health said. from Threatpost https://threatpost.com/covid-19-results-accidentally-exposed/165709/

Dark Reading - The Challenge of Securing Non-People Identities

Non-people identities, which can act intelligently and make decisions on behalf of a person's identity, are a growing cybersecurity risk. from Dark Reading: https://www.darkreading.com/operations/the-challenge-of-securing-non-people-identities/a/d-id/1340782?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

KnowBe4 - Ransomware Operators Threaten to Short Victims’ Stocks

The Darkside ransomware operators are now offering to tip off unscrupulous stock traders before they post the names of publicly traded victim companies, the Record reports. The criminals believe this will put more pressure on the victims to pay up. Recorded Future’s Dmitry Smilyanets told the Record that this is the first time a ransomware crew has explicitly made this part of their strategy. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/ransomware-operators-threaten-to-short-victims-stocks

KnowBe4 - Why Should We Care About Personal Smishing Attacks?

I am not sure what is going on these days, but for several weeks, I have received far more SMS-based phishing (i.e., smishing) attacks than usual. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/why-should-we-care-about-personal-smishing-attacks

KnowBe4 - Ransomware Demands Spike by 43% Already in 2021

Cybercriminal groups are increasing their automated and tactical ransomware attacks. Unfortunately, that also means they have an increase in greed. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/ransomware-demands-spike-by-43-already-in-2021

KnowBe4 - [HEADS UP] Ransomware Gangs are Creating Ransomware Cartels

Analysis by threat intelligence group Analyst1 recently uncovered that the bad guys are responsible for forming a ransomware cartel. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/heads-up-ransomware-gangs-are-creating-ransomware-cartels

KnowBe4 - Scammers Target Rogers Customers With SMS Messages

Scammers are targeting Rogers customers with text messages offering $50 refunds, according to BleepingComputer. The Canadian telecommunications provider suffered a widespread outage last week, and subsequently announced on Twitter that affected customers would receive a refund in the form of a credit equivalent of a full day of service on their next bill. Scammers took advantage of this by sending SMS messages that purported to come from Rogers. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/scammers-target-rogers-customers-with-sms-messages

KnowBe4 - Federal Reserve Chairman Jerome Powell Cites Cyberthreats as Current “Biggest Concern” to Financial Institutions

Fears of a resurgence of COVID-19 and increased cyberattacks are mentioned as top risks that can materially impact the finance sector and the economy, by Jerome Powell in a recent interview. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/federal-reserve-chairman-jerome-powell-cites-cyberthreats-as-current-biggest-concern-to-financial-institutions

KnowBe4 - Security Culture Influenced by the Global Effects of COVID-19

In the Industry Benchmark section of the 2021 Security Culture Report, we describe the security culture scores of each industry sector in detail. This section of the report can be used to get a deep dive into specific industries, and as a benchmark to compare your own scores against those of different industry sectors. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/security-culture-influenced-by-the-global-effects-of-covid-19

KnowBe4 - Researchers Warn of EtterSilent Facilitating Risky Malware Delivery

Cybercriminals are using a new malicious document builder dubbed “EtterSilent,” according to researchers at Intel 471. The builder is used to craft Microsoft Office documents with macros that install malware. Intel 471 says EtterSilent has been used by many well-known malware strains, including Trickbot, Bazar, BokBot, Gozi ISFB, and QBot. The latter three campaigns rely on bulletproof hosting, making them resilient to takedowns. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/researchers-warn-of-ettersilent-facilitating-risky-malware-delivery

KnowBe4 - Lazarus Group Uses New Technique to Avoid Detection

North Korea’s Lazarus group is using an interesting method to evade security measures, according to researchers at Malwarebytes. The threat actor is sending phishing emails with malicious macros which, when run, will execute an image file with embedded JavaScript code that will install malware. Once the malware is installed, it can execute commands or exfiltrate data. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/lazarus-group-uses-new-technique-to-avoid-detection

KnowBe4 - Evil Corp Tries to Work Around U.S. Treasury Sanctions Using Hades Ransomware

The cybercriminal group linked to over $100 million in financial damages has pivoted their execution strategy to bypass sanctions that prevent U.S. companies from paying them ransom. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/evil-corp-tries-to-work-around-u.s.-treasury-sanctions-using-hades-ransomware

KnowBe4 - New Ransomware Task Force Shares Actions To Disrupt Ransomware Cyber Crime

The Ransomware Task Force, a public-party coalition of more than 50 experts, has shared a framework of actions to disrupt the ransomware business model. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/new-ransomware-task-force-shares-actions-to-disrupt-ransomware-cyber-crime

Threat Post - Anti-Vaxxer Hijacks QR Codes at COVID-19 Check-In Sites

Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police. He now faces two counts of “obstructing operations carried out relative to COVID-19 under the Emergency Management Act,” the South Australia […] from Threatpost https://threatpost.com/anti-vaxxer-hijacks-qr-codes-covid19/165701/

KnowBe4 - Phishing Campaign Abuses Contact Forms

Attackers are abusing websites’ contact forms to send malicious emails to the websites’ owners, according to researchers at Microsoft. The emails contain bogus copyright claims with a link to a sites.google.com page. Clicking the link will result in the installation of the IcedID banking Trojan. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/phishing-campaign-abuses-contact-forms

Recorded Future - The Business of Fraud: Deepfakes, Fraud’s Next Frontier

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF. The report aims to provide insight into Iran-linked MABNA Institute campaign activity that was reported on by Insikt Group throughout 2020, as well as by the broader cyber research community. The report is most likely to be of use to scientific organizations, academic institutions, and software groups that service the academic sector. This report will be of interest to blue team defenders working to secure academic and scientific organizations’ networks, as well as CTI groups that research Iran-nexus cyber activity. The Recorded Future® Platform, Insikt Group threat research, and that from Proofpoint, RiskIQ, and Malwarebytes are referenced. Data sources used to conduct this analysis include the Recorded Future® Platform, Farsight DNSDB, DomainTools and other common open-source tools and techniques. Executive Summary The MABNA Institute, a thre

TrustedSec - PCI Specialist Art “Coop” Cooper Joins TrustedSec Team

When I founded TrustedSec in 2012, I knew exactly the type of person that I wanted to work alongside: talented, passionate about their corner of the security industry, and genuinely interested in helping anyone with the desire to learn more. After nearly a decade, I’m thrilled that TrustedSec is still able to add new people to the team that share these exact qualities. Art “Coop” Cooper will be joining the TrustedSec PCI Practice team as a Principal Security Consultant. Coop has over 40 years of experience in the IT and Information Security industry with a focus on e-Commerce, the PCI-Data Security Standard (DSS), payment application assessments, forensics investigations, compliance security assessments, development of secure network architectures, risk management programs, security governance initiatives, and managing regulatory compliance. Coop was named the 2019 ISSA Security Professional of the Year and has been a consultant to some of the largest retail companies and financial

Threat Post - SaaS Attacks: Lessons from Real-Life Misconfiguration Exploits

There is a way to protect users from deceptive OAuth apps, misconfigurations and misappropriated user permissions. SaaS Security Posture Management (SSPM) takes an automated approach to tracking, and even remediating, the exploitable misconfigurations in organizations’ SaaS apps. from Threatpost https://threatpost.com/lessons-from-real-life-misconfiguration-exploitations/165659/

KnowBe4 - Mobile is a Problem: 97% of Organizations Experienced Mobile Attacks in 2020

Everything from applications, social apps, OS vulnerabilities and even mobile device management acted as initial attack vectors troubling nearly every single organization globally. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/mobile-is-a-problem-97-of-organizations-experienced-mobile-attacks-in-2020

Krebs - Task Force Seeks to Disrupt Ransomware Payments

Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes. In a 50-page report delivered to the Biden administration this week, top executives from Amazon, Cisco, FireEye, McAfee, Microsoft and dozens of other firms joined the U.S. Department of Justice (DOJ), Europol and the U.K. National Crime Agency in calling for an international coalition to combat ransomware criminals, and for a global network of ransomware investigation hubs. The Ransomware Task Force urged the White House to make finding, frustrating and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat. The formation of the industry partnership comes just days after The Wall Street Journal broke the news

Threat Post - DoppelPaymer Gang Leaks Files from Illinois AG After Ransom Negotiations Break Down

Information stolen in April 10 ransomware attack was posted on a dark web portal and includes private documents not published as part of public records. from Threatpost https://threatpost.com/doppelpaymer-leaks-illinois-ag/165694/

Schneier - Identifying People Through Lack of Cell Phone Use

In this entertaining story of French serial criminal Rédoine Faïd and his jailbreaking ways, there’s this bit about cell phone surveillance: After Faïd’s helicopter breakout, 3,000 police officers took part in the manhunt. According to the 2019 documentary La Traque de Rédoine Faïd, detective units scoured records of cell phones used during his escape, isolating a handful of numbers active at the time that went silent shortly thereafter. from Schneier on Security https://www.schneier.com/blog/archives/2021/04/identifying-people-through-lack-of-cell-phone-use.html

KnowBe4 - Cybercriminals Use Job-Specific Social Media Platforms to Target UK Citizens With Fake Accounts

At least 10,000 UK citizens have been targeted by nation-state actors via fake LinkedIn accounts over the past five years, the BBC reports. Ken McCallum, Director-General of MI5, said these fake profiles are being used on “an industrial scale” to launch social engineering attacks. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cybercriminals-use-job-specific-social-media-platforms-to-target-uk-citizens-with-fake-accounts

Krebs - Experian API Exposed Credit Scores of Most Americans

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online. Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scor

Dark Reading - FluBot Malware's Rapid Spread May Soon Hit US Phones

The FluBot Android malware has spread throughout several European countries through an SMS package delivery scam. from Dark Reading: https://www.darkreading.com/threat-intelligence/flubot-malwares-rapid-spread-may-soon-hit-us-phones/d/d-id/1340851?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Rapid 7 - [Security Nation] Marina Ciavatta and int80 Put the Fun into Hacking With Hacking Esports and Dual Core Music

In this episode of Security Nation, we are joined by Marina Ciavatta and int80 to talk about Hacking ESports, their “quarantine project that got out of control.” The duo talk about how they came up with the idea for the Twitch livestream, what they’ve learned along the way, and future plans for the games. We also speak with int80 about his “hacker rapper” gig, Dual Core Music. This episode's Rapid Rundown comes with a rare content warning: We're discussing the life, impact, and passing of Dan Kaminsky. It gets pretty emotional, as you might expect. As Matt Blaze said, may his memory be a blessing. Want More Inspiring Stories From the Security Community? Subscribe to Security Nation Today from Rapid7 Blog https://blog.rapid7.com/2021/04/28/security-nation/

Dark Reading - 74% of Financial Institutions See Spike in COVID-Related Threats

Financial losses have also increased among organizations in the last year, with the average cost reaching $720,000. from Dark Reading: https://www.darkreading.com/attacks-breaches/74--of-financial-institutions-see-spike-in-covid-related-threats/d/d-id/1340850?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks

SharePoint servers are being picked at with high-risk, legitimate-looking, branded phish messages and preyed on by a ransomware gang using an old bug. from Threatpost https://threatpost.com/sharepoint-phish-ransomware-attacks/165671/

Dark Reading - FBI Works With 'Have I Been Pwned' to Notify Emotet Victims

Officials shared 4.3 million email addresses with the HIBP website to help inform companies and individuals if Emotet compromised their accounts. from Dark Reading: https://www.darkreading.com/threat-intelligence/fbi-works-with-have-i-been-pwned-to-notify-emotet-victims/d/d-id/1340847?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Google Chrome V8 Bug Allows Remote Code-Execution

The internet behemoth rolled out the Chrome 90 stable channel release to address this and eight other security vulnerabilities. from Threatpost https://threatpost.com/google-chrome-v8-bug-remote-code-execution/165662/

Dark Reading - How to Secure Employees' Home Wi-Fi Networks

Businesses must ensure their remote workers' Wi-Fi networks don't risk exposing business data or secrets due to fixable vulnerabilities. from Dark Reading: https://www.darkreading.com/endpoint/how-to-secure-employees-home-wi-fi-networks/a/d-id/1340764?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - Cartoon Caption Winner: Rough Patch?

And the winner of The Edge's April cartoon caption contest is ... from Dark Reading: https://www.darkreading.com/edge/theedge/cartoon-caption-winner-rough-patch/b/d-id/1340844?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hills InfoSec - Talkin’ About Infosec News – 4/26/2021

Originally Aired on April 26, 2021 Articles discussed in this episode: https://ift.tt/3u2oM5k https://ift.tt/3n83bFX https://ift.tt/3tMsHmF https://youtu.be/G0gOAvpGoJg The post Talkin’ About Infosec News – 4/26/2021 appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/talkin-about-infosec-news-4-26-2021/

Threat Post - Chase Bank Phish Swims Past Exchange Email Protections

Two phishing attacks elude Exchange security protections and spoof real-life account scenarios in an attempt to fool victims. from Threatpost https://threatpost.com/chase-bank-phish-sexchange-email-protections/165653/

Dark Reading - Is Your Cloud Raining Sensitive Data?

Learn common Kubernetes vulnerabilities and ways to avoid them. from Dark Reading: https://www.darkreading.com/cloud/is-your-cloud-raining-sensitive-data/a/d-id/1340754?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Recorded Future - Stay Ahead of Global Uncertainty With Real-time Geopolitical Intelligence for Esri

For a complete understanding of the threats to their organizations, all intelligence analysts must consider how geopolitical events — such as a global pandemic, terrorist attack, or natural disaster — will impact their organization, supply chain, and industry. They need to respond swiftly to these threats, to mitigate disruptions to operations and protect their assets, but organizations are still susceptible to being blindsided at the most inopportune times because intelligence often lags. Relying on disparate data sources and manual processes means insights are often incomplete or outdated. Most analysts spend too much time manually collecting, analyzing, and visualizing a vast amount of intelligence — not to mention translating information from news sources in these regions’ local languages. To monitor and respond to geopolitical threats in real time, teams need a more efficient and collaborative way to report on relevant insights that drive more informed decision-making. A Compr

Dark Reading - Attacks Targeting ADFS Token Signing Certificates Could Become Next Big Threat

New research shows how threat actors can steal and decrypt signing certificates so SAML tokens can be forged. from Dark Reading: https://www.darkreading.com/threat-intelligence/attacks-targeting-adfs-token-signing-certificates-could-become-next-big-threat/d/d-id/1340843?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

KnowBe4 - Phishing Tactics Help Legitimate Pension Fund to Secure Meetings with Prospective Customers

Security researchers uncover a marketing campaign that takes a page from the cybercriminal phishing handbook to “trick” pensioners to have an introductory call with their fund expert. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/phishing-tactics-help-legitimate-pension-fund-to-secure-meetings-with-prospective-customers

KnowBe4 - The Darkside Ransomware Group Is the Dangerous Poster Child for Today’s Ransomware-as-a-Service

Looking beyond the “older” RaaS threat groups like Ryuk, DoppelPaymer, and REvil, today’s modern ransomware-as-a-service operator is far more business-like and specific in execution. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/the-darkside-ransomware-group-is-the-dangerous-poster-child-for-todays-ransomware-as-a-service

KnowBe4 - A Legitimate Charity Prompts Scam Imitators

Scammers are impersonating philanthropist Mackenzie Scott, the billionaire ex-wife of Jeff Bezos, the New York Times reports. Scott prefers to give money directly and contacts charities and other organizations unexpectedly, which has the unintended side effect of making it easier for scammers to pose as her. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/a-legitimate-charity-prompts-scam-imitators

Schneier - Second Click Here to Kill Everybody Sale

For a limited time, I am selling signed copies of Click Here to Kill Everybody in hardcover for just $6, plus shipping. I have 600 copies of the book available. When they’re gone, the sale is over and the price will revert to normal. Order here. Please be patient on delivery. It’s a lot of work to sign and mail hundreds of books. I try to do some each day, but sometimes I can’t. And the pandemic can cause mail slowdowns all over the world. from Schneier on Security https://www.schneier.com/blog/archives/2021/04/second-click-here-to-kill-everybody-sale.html

Dark Reading - Emotet Malware Uninstalled from Infected Devices

A law enforcement update deployed to compromised machines in January has been pushed, effectively removing the malware. from Dark Reading: https://www.darkreading.com/threat-intelligence/emotet-malware-uninstalled-from-infected-devices/d/d-id/1340838?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Linux Kernel Bug Opens Door to Wider Cyberattacks

The information-disclosure flaw allows KASLR bypass and the discovery of additional, unpatched vulnerabilities in ARM devices. from Threatpost https://threatpost.com/linux-kernel-bug-wider-cyberattacks/165640/

Dark Reading - 10K Hackers Defend the Planet Against Extraterrestrials

Hack the Planet's Cyber Apocalypse capture-the-flag contest attracts 10,000 competitors from across the globe. from Dark Reading: https://www.darkreading.com/edge/theedge/10k-hackers-defend-the-planet-against-extraterrestrials/b/d-id/1340813?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - Ransomware Recovery Costs Near $2M

The cost of recovering from a ransomware attack has more than doubled in one year, Sophos researchers report. from Dark Reading: https://www.darkreading.com/attacks-breaches/ransomware-recovery-costs-near-$2m/d/d-id/1340837?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

KnowBe4 - FBI Obtains Authorization to Access US Servers to Remove Webshells Due to Exchange Vulnerability

Your server could have been compromised and the FBI was trying to mitigate the issue without you even knowing it yet. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/fbi-obtains-authorization-to-access-us-servers-to-remove-webshells-due-to-exchange-vulnerability