Posts

Showing posts from January, 2023

SBS CyberSecurity - Four Steps to Better Business Continuity Plan Testing

If you’ve never enacted your BCP, it’s hard to be confident that your plan will be sufficient. Testing helps to continuously improve your ability to successfully recover from various scenarios. Follow these steps to build a better BCP testing program and ensure you are prepared for any situation. from SBS CyberSecurity https://sbscyber.com/resources/four-steps-to-better-business-continuity-plan-testing

Schneier - Ransomware Payments Are Down

Chainalysis reports that worldwide ransomware payments were down in 2022. Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before. As always, we have to caveat these findings by noting that the true totals are much higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into our data. When we published last year’s version of this report, for example, we had only identified $602 million in ransomware payments in 2021. Still, the trend is clear: Ransomware payments are significantly down. However, that doesn’t mean attacks are down, or at least not as much as the drastic drop-off in payments would suggest. Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers. from Schneier on Security https://www.schneier.com/blog/archives/2023/01/ransomware-payments-are-do

HACKMAGEDDON - 1-15 January 2023 Cyber Attacks Timeline

Let’s kick off this infosec year with the first cyber attacks timeline for January 2023. In this fortnight I have collected... from HACKMAGEDDON https://www.hackmageddon.com/2023/01/31/1-15-january-2023-cyber-attacks-timeline/

The Hacker News - Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years

A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years. "TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically from The Hacker News https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.html

The Hacker News - Gootkit Malware Continues to Evolve with New Components and Obfuscations

The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group." Gootkit, also called Gootloader, is spread through compromised websites that from The Hacker News https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html

Schneier - Kevin Mitnick Hacked California Law in 1983

Early in his career, Kevin Mitnick successfully hacked California law. He told me the story when he heard about my new book, which he partially recounts in his 2012 book, Ghost in the Wires. The setup is that he has just discovered that there’s a warrant for his arrest by the California Youth Authority, and he’s trying to figure out if there’s any way out of it. As soon as I was settled, I looked in the Yellow Pages for the nearest law school, and spent the next few days and evenings there poring over the Welfare and Institutions Code, but without much hope. Still, hey, “Where there’s a will…” I found a provision that said that for a nonviolent crime, the jurisdiction of the Juvenile Court expired either when the defendant turned twenty-one or two years after the commitment date, whichever occurred later. For me, that would mean two years from February 1983, when I had been sentenced to the three years and eight months. Scratch, scratch. A little arithmetic told me that this would occur

The Hacker News - Experts Uncover the Identity of Mastermind Behind Golden Chickens Malware Service

Cybersecurity researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona "badbullzvenom." eSentire's Threat Response Unit (TRU), in an exhaustive report published following a 16-month-long investigation, said it "found multiple mentions of the badbullzvenom account being shared between two people." The from The Hacker News https://thehackernews.com/2023/01/experts-uncover-identity-of-mastermind.html

Schneier - A Guide to Phishing Attacks

This is a good list of modern phishing techniques. from Schneier on Security https://www.schneier.com/blog/archives/2023/01/a-guide-to-phishing-attacks.html

The Hacker News - Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices

Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. "This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system," Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn from The Hacker News https://thehackernews.com/2023/01/researchers-discover-new-plugx-malware.html

The Hacker News - British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries

The U.K. National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks mounted by Russian and Iranian state-sponsored actors for information-gathering operations. "The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists," the from The Hacker News https://thehackernews.com/2023/01/british-cyber-agency-warns-of-russian.html

KnowBe4 - Hacker's Movie Guide: The Complete List of Hacker and Cybersecurity Movies

Is alert fatigue getting to you? I found a guide that allows you some well-deserved personal downtime, and still has something to do with work so that you can justify getting away with taking some PTO and veg out. But sometimes there are 1,000 channels and it still looks like there is nothing to watch. This might help... from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/hackers-movie-guide-the-complete-list-of-hacker-and-cybersecurity-movies

KnowBe4 - Stu's Law: "You get the future you ignore"

I have read a lot of Sci-fi. Thousands of books actually. You can't help but start recognizing patterns. One of my favorite movies is Blade Runner. Main character Rick Deckard states: “ Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem .” Blade Runner (1982) from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/stus-law-you-get-the-future-you-ignore

KnowBe4 - What is a Good Completion Percentage for Security and Compliance Training?

Completion percentages on compliance and security training campaigns have become a popular topic of discussion. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/good-completion-percentage-for-security-compliance-training

Schneier - On Alec Baldwin’s Shooting

We recently learned that Alec Baldwin is being charged with involuntary manslaughter for his accidental shooting on a movie set. I don’t know the details of the case, nor the intricacies of the law, but I have a question about movie props. Why was an actual gun used on the set? And why were actual bullets used on the set? Why wasn’t it a fake gun: plastic, or metal without a working barrel? Why does it have to fire blanks? Why can’t everyone just pretend, and let someone add the bang and the muzzle flash in post-production? Movies are filled with fakery. The light sabers in Star Wars weren’t real; the lighting effects and “wooj-wooj” noises were added afterwards. The phasers in Star Trek weren’t real either. Jar Jar Binks was 100% computer generated. So were a gazillion “props” from the Harry Potter movies. Even regular, non-SF non-magical movies have special effects. They’re easy. Why are guns different? from Schneier on Security https://www.schneier.com/blog/archives/2023/01/o

The Hacker News - PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report shared with The Hacker from The Hacker News https://thehackernews.com/2023/01/pyration-new-python-based-rat-utilizes.html

The Hacker News - U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software

At least two federal agencies in the U.S. fell victim to a "widespread cyber campaign" that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam. "Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a from The Hacker News https://thehackernews.com/2023/01/us-federal-agencies-fall-victim-to.html

Schneier - US Cyber Command Operations During the 2022 Midterm Elections

The head of both US Cyber Command and the NSA, Gen. Paul Nakasone, broadly discussed that first organization’s offensive cyber operations during the runup to the 2022 midterm elections. He didn’t name names, of course: “We did conduct operations persistently to make sure that our foreign adversaries couldn’t utilize infrastructure to impact us,” said Nakasone. “We understood how foreign adversaries utilize infrastructure throughout the world. We had that mapped pretty well. And we wanted to make sure that we took it down at key times.” Nakasone noted that Cybercom’s national mission force, aided by NSA, followed a “campaign plan” to deprive the hackers of their tools and networks. “Rest assured,” he said. “We were doing operations well before the midterms began, and we were doing operations likely on the day of the midterms.” And they continued until the elections were certified, he said. We know Cybercom did similar things in 2018 and 2020, and presumably will again in two years.

The Hacker News - North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks

A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as from The Hacker News https://thehackernews.com/2023/01/north-korean-hackers-turn-to-credential.html

The Hacker News - VMware Releases Patches for Critical vRealize Log Insight Software Vulnerabilities

VMware on Tuesday released software to remediate four security vulnerabilities affecting vRealize Log Insight (aka Aria Operations for Logs) that could expose users to remote code execution attacks. Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023. Tracked as CVE-2022-31706 from The Hacker News https://thehackernews.com/2023/01/vmware-releases-patches-for-critical.html

KnowBe4 - 2022 Report Confirms Business-Related Phishing Emails Trend [INFOGRAPHIC]

KnowBe4's latest reports on top-clicked phishing email subjects have been released for 2022 and Q4 2022. We analyze 'in the wild' attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, top attack vector types, and holiday email phishing subjects. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/2022-report-confirms-business-related-phishing-emails-trend-infographic

HACKMAGEDDON - 2022 Cyber Attacks Statistics

And finally I have aggregated all the data collected in 2022 from the cyber attacks timelines. In the past year I have collected 3074 events... from HACKMAGEDDON https://www.hackmageddon.com/2023/01/24/2022-cyber-attacks-statistics/

The Hacker News - Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November from The Hacker News https://thehackernews.com/2023/01/apple-issues-updates-for-older-devices.html

The Hacker News - Facebook Introduces New Features for End-to-End Encrypted Messenger App

Meta Platforms on Monday announced that it has started to expand global testing of end-to-end encryption (E2EE) in Messenger chats by default. "Over the next few months, more people will continue to see some of their chats gradually being upgraded with an extra layer of protection provided by end-to-end encryption," Meta's Melissa Miranda said. The social media behemoth said it intends to notify from The Hacker News https://thehackernews.com/2023/01/facebook-introduces-new-features-for.html

The Hacker News - Samsung Galaxy Store App Found Vulnerable to Sneaky App Installs and Fraud

Two security flaws have been disclosed in Samsung's Galaxy Store app for Android that could be exploited by a local attacker to stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web. The issues, tracked as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group and notified to the South Korean chaebol in November and December 2022. Samsung from The Hacker News https://thehackernews.com/2023/01/samsung-galaxy-store-app-found.html

The Hacker News - SaaS Security Posture Management (SSPM) as a Layer in Your Identity Fabric

The move to SaaS and other cloud tools has put an emphasis on Identity & Access Management (IAM). After all, user identity is one of the only barriers standing between sensitive corporate data and any unauthorized access.  The tools used to define IAM make up its identity fabric. The stronger the fabric, the more resistant identities are to pressure from threat actors. However, those pressures from The Hacker News https://thehackernews.com/2023/01/saas-security-posture-management-sspm.html

KnowBe4 - Cybercrime The World’s Third Largest Economy After the U.S. and China

Cybersecurity Ventures released a new report that showed cybercrime is going to cost the world $8 trillion USD in 2023. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cybercrime-the-worlds-third-largest-economy-after-the-u.s.-and-china

Schneier - Publisher’s Weekly Review of A Hacker’s Mind

Publisher’s Weekly reviewed A Hacker’s Mind—and it’s a starred review! “Hacking is something that the rich and powerful do, something that reinforces existing power structures,” contends security technologist Schneier (Click Here to Kill Everybody) in this excellent survey of exploitation. Taking a broad understanding of hacking as an “activity allowed by the system that subverts the… system,” Schneier draws on his background analyzing weaknesses in cybersecurity to examine how those with power take advantage of financial, legal, political, and cognitive systems. He decries how venture capitalists “hack” market dynamics by subverting the pressures of supply and demand, noting that venture capital has kept Uber afloat despite the company having not yet turned a profit. Legal loopholes constitute another form of hacking, Schneier suggests, discussing how the inability of tribal courts to try non-Native individuals means that many sexual assaults of Native American women go unprose

Schneier - Friday Squid Blogging: Another Giant Squid Captured on Video

Here’s a new video of a giant squid, filmed in the Sea of Japan. I believe it’s injured. It’s so close to the surface, and not really moving very much. “We didn’t see the kinds of agile movements that many fish and marine creatures normally show,” he said. “Its tentacles and fins were moving very slowly.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2023/01/friday-squid-blogging-another-giant-squid-captured-on-video.html

KnowBe4 - Blank-Image Attacks Impersonate DocuSign

An unusual phishing technique has surfaced this week. Avanan, a Check Point Software company, released a blog Thursday morning detailing a new attack in which hackers hide malicious content inside a blank image within an HTML attachment in phishing emails claiming to be from DocuSign. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/blank-image-attacks-impersonate-docusign

The Hacker News - WhatsApp Hit with €5.5 Million Fine for Violating Data Protection Laws

The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta's WhatsApp for violating data protection laws when processing users' personal information. At the heart of the ruling is an update to the messaging platform's Terms of Service that was enforced in the days leading to the enforcement of the General Data Protection Regulation (GDPR) in May 2018, from The Hacker News https://thehackernews.com/2023/01/whatsapp-hit-with-55-million-fine-for.html

Schneier - Real-World Steganography

From an article about Zheng Xiaoqing, an American convicted of spying for China: According to a Department of Justice (DOJ) indictment, the US citizen hid confidential files stolen from his employers in the binary code of a digital photograph of a sunset, which Mr Zheng then mailed to himself. from Schneier on Security https://www.schneier.com/blog/archives/2023/01/real-world-steganography.html

KnowBe4 - [Eye Popper] Ransomware Victims Refused To Pay Last Year

Finally some good news from the ransomware front! Despite bad actors launching a number of ransomware campaigns throughout 2022, organizations refused to submit and paid criminals an estimated $456.8 million - 40% less than the astounding total of $765 million in ransom payments from 2020 and 2021. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/eye-popper-ransomware-victims-refused-to-pay-last-year

The Hacker News - New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were from The Hacker News https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html

Krebs - New T-Mobile Breach Affects 37 Million Accounts

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts. In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data harvested included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features. APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information
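The check a practitioner would want around an API like the one Krebs describes is detection of bulk harvesting: a single client credential pulling many distinct account records in a short window, often walking a predictable ID space, looks nothing like an app serving one logged-in customer. The following is an added example and not code from Krebs's post or from T-Mobile; the log format, client credential names (tok_app1, tok_scrape, tok_app2), endpoint paths and account IDs are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed API access log (not real T-Mobile data):
# timestamp  client-credential  method  path  status
SAMPLE_LOG = """\
2023-01-05T10:00:00Z tok_app1 GET /v1/accounts/1001/profile 200
2023-01-05T10:00:02Z tok_app1 GET /v1/accounts/1001/lines 200
2023-01-05T10:00:05Z tok_app1 GET /v1/accounts/1002/profile 200
2023-01-05T10:00:10Z tok_scrape GET /v1/accounts/2001/profile 200
2023-01-05T10:00:11Z tok_scrape GET /v1/accounts/2002/profile 200
2023-01-05T10:00:12Z tok_scrape GET /v1/accounts/2003/profile 200
2023-01-05T10:00:13Z tok_scrape GET /v1/accounts/2004/profile 404
2023-01-05T10:00:14Z tok_scrape GET /v1/accounts/2005/profile 200
2023-01-05T10:00:15Z tok_scrape GET /v1/accounts/2006/profile 200
2023-01-05T10:00:16Z tok_scrape GET /v1/accounts/2007/profile 200
2023-01-05T10:01:00Z tok_app2 GET /v1/accounts/3001/profile 200
2023-01-05T10:03:00Z tok_app2 GET /v1/accounts/3105/profile 200
2023-01-05T10:05:00Z tok_app2 GET /v1/accounts/3042/profile 200
2023-01-05T10:07:00Z tok_app2 GET /v1/accounts/3777/profile 200
2023-01-05T10:09:00Z tok_app2 GET /v1/accounts/3310/profile 200
2023-01-05T10:11:00Z tok_app2 GET /v1/accounts/3950/profile 200
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, account id, status)."""
    ts, client, _method, path, status = line.split()
    account = path.split("/")[3]  # /v1/accounts/<id>/... (assumed path layout)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, account, int(status)


def _events(log: str):
    return sorted(parse_line(l) for l in log.splitlines() if l.strip())


def peak_distinct_accounts(log: str, window=timedelta(seconds=60)) -> dict:
    """For each client credential, the largest number of distinct account IDs it
    touched inside any sliding window of the given length."""
    recent = defaultdict(deque)  # client -> (ts, account) pairs still inside the window
    peak = defaultdict(int)
    for ts, client, account, _status in _events(log):
        dq = recent[client]
        dq.append((ts, account))
        while ts - dq[0][0] > window:  # drop events older than the window
            dq.popleft()
        peak[client] = max(peak[client], len({a for _, a in dq}))
    return dict(peak)


def sequential_id_ratio(log: str) -> dict:
    """Share of each client's consecutive requests whose account ID is exactly the
    previous ID plus one; a value near 1.0 means the client is walking an ID space."""
    last = {}
    steps = defaultdict(lambda: [0, 0])  # client -> [sequential steps, total steps]
    for _ts, client, account, _status in _events(log):
        if client in last:
            steps[client][1] += 1
            if int(account) == int(last[client]) + 1:
                steps[client][0] += 1
        last[client] = account
    return {c: (s / t if t else 0.0) for c, (s, t) in steps.items()}


def flag_harvesters(log: str, max_distinct: int = 5, window=timedelta(seconds=60)) -> list:
    """Clients whose per-window account budget is exceeded. A real deployment would
    set the budget per client type and pair it with rate limiting and alerting."""
    return sorted(c for c, p in peak_distinct_accounts(log, window).items() if p > max_distinct)


if __name__ == "__main__":
    print(peak_distinct_accounts(SAMPLE_LOG))  # {'tok_app1': 2, 'tok_scrape': 7, 'tok_app2': 1}
    print(sequential_id_ratio(SAMPLE_LOG))     # {'tok_app1': 0.5, 'tok_scrape': 1.0, 'tok_app2': 0.0}
    print(flag_harvesters(SAMPLE_LOG))         # ['tok_scrape']
```

tok_app2 touches six accounts but spread over ten minutes, so the sliding window never sees more than one; tok_scrape touches seven sequential IDs in six seconds and is the only credential flagged. The per-window distinct-resource count is the signal that a plain request-rate limit misses, because a harvester can stay under the rate limit while still reading every account.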

KnowBe4 - Phishing For Industrial Control Systems

Mandiant has published a report describing phishing emails that have breached organizations in the industrial sector. Mandiant explains that the majority of phishing attacks are untargeted and opportunistic. Most attackers wait to see which organizations they can compromise, and then decide how to monetize their successful attacks. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/phishing-for-industrial-control-systems

Schneier - Security Analysis of Threema

A group of Swiss researchers have published an impressive security analysis of Threema. We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers. We present seven different attacks against the protocol in three different threat models. As one example, we present a cross-protocol attack which breaks authentication in Threema and which exploits the lack of proper key separation between different sub-protocols. As another, we demonstrate a compression-based side-channel attack that recovers users’ long-term private keys through observation of the size of Threema encrypted back-ups. We discuss remediations for our attacks and draw three wider lessons for developers of secure protocols. From a news article: Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema d
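The compression side channel in the abstract works like this: if secret material and attacker-influenced text are compressed together before encryption, the ciphertext length depends on how much of the attacker's text matches the secret, and the attacker can recover the secret one character at a time by watching that length. The block below is an added illustration and is not code from the paper or from Threema. It uses a small deterministic LZ77 compressor so that the leak is exact and reproducible; DEFLATE's Huffman stage blurs single-byte differences, which real attacks overcome with padding tricks. The backup layout, the field names and the 16-hex-digit "private key" are constructed assumptions. The second oracle shows the remediation the paper's lesson points at: keep attacker-controlled data out of the same compression context as the secret.

```python
import struct

MIN_MATCH = 3  # shortest back-reference the toy compressor will emit


def lz77_compress(data: bytes) -> bytes:
    """Toy LZ77 used as a stand-in for a real compressor.

    Literal -> 0x00 + byte                  (2 bytes)
    Match   -> 0x01 + distance(2) + len(1)  (4 bytes)
    Output size is an exact function of the match structure, so the length
    side channel is deterministic here (DEFLATE adds Huffman-coding noise).
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        best_len, best_dist = 0, 0
        for j in range(max(0, i - 65535), i):  # greedy longest earlier match
            k = 0
            while i + k < n and k < 255 and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_dist = k, i - j
        if best_len >= MIN_MATCH:
            out += b"\x01" + struct.pack(">HB", best_dist, best_len)
            i += best_len
        else:
            out += b"\x00" + data[i:i + 1]
            i += 1
    return bytes(out)


# Constructed secret: a 16-hex-digit stand-in for a long-term private key.
SECRET_KEY = "c0ffee1234abcd99"


def joint_oracle(controlled: str) -> int:
    """Assumed vulnerable layout: the secret and an attacker-influenced field
    (a nickname, say) are compressed as one blob before encryption. The attacker
    sees only the ciphertext length, which for length-preserving encryption
    equals the compressed length."""
    blob = f"version=1\nprivkey={SECRET_KEY}\nnickname={controlled}\n".encode()
    return len(lz77_compress(blob))


def separated_oracle(controlled: str) -> int:
    """Remediated layout: the attacker-influenced field is compressed on its
    own, so its size cannot depend on the secret."""
    secret = f"version=1\nprivkey={SECRET_KEY}\n".encode()
    field = f"nickname={controlled}\n".encode()
    return len(lz77_compress(secret)) + len(lz77_compress(field))


def recover_key(oracle, key_len: int = 16, alphabet: str = "0123456789abcdef"):
    """Character-at-a-time recovery: the guess that extends the back-reference
    into the secret compresses smallest. Returns None if no unique winner
    emerges, i.e. the oracle does not leak."""
    recovered = ""
    for _ in range(key_len):
        sizes = {c: oracle("privkey=" + recovered + c) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, s in sizes.items() if s == smallest]
        if len(winners) != 1:
            return None
        recovered += winners[0]
    return recovered


if __name__ == "__main__":
    print("joint compression:   ", recover_key(joint_oracle))      # c0ffee1234abcd99
    print("separate compression:", recover_key(separated_oracle))  # None
```

Against the joint oracle every correct guess shortens the output by two bytes (one literal fewer), so the full key falls out after 16 rounds of 16 guesses; against the separated oracle all guesses tie in the first round and the attack gets nothing. Disabling compression for anything that shares a context with key material, or compressing fields independently as above, removes the channel.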

The Hacker News - 6 Types of Risk Assessment Methodologies + How to Choose

An organization’s sensitive information is under constant threat. Identifying those security risks is critical to protecting that information. But some risks are bigger than others. Some mitigation options are more expensive than others. How do you make the right decision? Adopting a formal risk assessment process gives you the information you need to set priorities. There are many ways to from The Hacker News https://thehackernews.com/2023/01/6-types-of-risk-assessment.html

The Hacker News - Bitzlato Crypto Exchange Founder Arrested for Aiding Cybercriminals

The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of Anatoly Legkodymov (aka Gandalf and Tolik), the cofounder of Hong Kong-registered cryptocurrency exchange Bitzlato for allegedly processing $700 million in illicit funds. The 40-year-old Russian national, who was arrested in Miami, was charged in a U.S. federal court with "conducting a money transmitting business that from The Hacker News https://thehackernews.com/2023/01/bitzlato-crypto-exchange-founder.html

HACKMAGEDDON - Q4 2022 Cyber Attacks Statistics

I have aggregated the statistics created from the cyber attacks timelines published during Q4 2022. In total I collected... from HACKMAGEDDON https://www.hackmageddon.com/2023/01/19/q4-2022-cyber-attacks-statistics/

The Hacker News - Mailchimp Suffers Another Security Breach Compromising Some Customers' Information

Popular email marketing and newsletter service Mailchimp has disclosed yet another security breach that enabled threat actors to access an internal support and account admin tool to obtain information about 133 customers. "The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee from The Hacker News https://thehackernews.com/2023/01/mailchimp-suffers-another-security.html

Schneier - AI and Political Lobbying

The Hacker News - Guide: How MSSPs and vCISOs can extend their services into compliance readiness without increasing cost

Compliance services are emerging as one of the hottest areas of cybersecurity.  While compliance used to be mainly the province of large enterprises, times have changed, and it is now a day-to-day concern for a growing number of small and medium businesses.  Even when these organizations are not regulated, SMEs often aim to follow compliance and/or security frameworks either for their own risk from The Hacker News https://thehackernews.com/2023/01/guide-how-mssps-and-vcisos-can-extend.html

The Hacker News - Git Users Urged to Update Software to Prevent Remote Code Execution Attacks

The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impact the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0. from The Hacker News https://thehackernews.com/2023/01/git-users-urged-to-update-software-to.html

The Hacker News - CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) from The Hacker News https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html

KnowBe4 - KB4-CON 2023 Agenda is Now Available!

Exciting news! We just released our full conference agenda for KB4-CON 2023, happening April 24-26 in Orlando, Florida. We’ve brought back some of your favorite sessions and have some new and exciting topics and speakers. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/kb4-con-2023-agenda-is-now-available

HACKMAGEDDON - December 2022 Cyber Attacks Statistics

After the cyber attacks timelines, it’s time to publish the statistics of December 2022 where I have collected and analyzed... from HACKMAGEDDON https://www.hackmageddon.com/2023/01/17/december-2022-cyber-attacks-statistics/

The Hacker News - Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems

A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – were uploaded by the author between January 7, 2023, and January 12, 2023. They have since been from The Hacker News https://thehackernews.com/2023/01/researchers-uncover-3-pypi-packages.html

SBS CyberSecurity - In The Wild 310

In The Wild - CyberSecurity Newsletter Welcome to the 310th issue of In The Wild, SBS' weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources! Hacker Hour: Responding to Common Cyber Incidents SBS Educational Resources Date: January 25, 2023 Time: 2:00-3:00 pm CT Join us as we chat through a few real-life incidents and d