Cyber security trends for 2021

Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

The state of internet security in 2020 was hard. The trends that stormed last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, it is now rather ‘bring your own office’.

2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.

Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks that exploit contemporary issues, and continued frequent and significant data breaches. I can pretty much agree with those. Cybersecurity must adapt to counter new threats in a transformed world.

The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”

For 2021, Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments, WAN, multi-cloud, data center, remote worker, IoT, and more, each with its unique risks.

DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline – but victims are being urged not to give in to demands.

One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, and then they threaten to publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.

Modern cybercrime is becoming increasingly open-sourced, which means that some of the most sophisticated and notorious cybercriminals are already using open-source tools to conduct their criminal activities, and this will increase.

Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and whether the people who answered the survey really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.

The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the skills shortfall has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues are moving to the cloud, so we need more people who know both security and cloud: The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).

The Hackers leverage sophisticated and novel techniques to break into networks article says that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.

Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article says that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.

A new version of the OWASP Top-10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, so that everyone can reproduce the results, and presents it to the entire community for feedback.

The Privacy is an illusion. But that’s a good thing article says that everyone’s information is available. It doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in One Future We Have a Private, Anonymous Alternative to Cash, but in the Black Mirror Future the Money in Your Pocket Knows Everything About You. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.

The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech-sounding issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. The EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.

The Legal requirements for IoT security start to emerge article says that legislative activity is starting to make security a legal requirement, obliging consumer IoT designs to have vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens, and ENISA Publishes Guidelines on Securing the IoT Supply Chain.

7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.

IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.

2,204 Comments

  1. Tomi Engdahl says:

    Police identified faces with a program whose information security risks were not investigated well enough; the National Bureau of Investigation (KRP) received a reprimand from the Data Protection Ombudsman
    https://yle.fi/uutiset/3-12118726
    The police must now notify those whose identity is known that their images were used. The KRP no longer uses the Clearview AI facial recognition program. The police say they take the reprimand seriously.

  2. Tomi Engdahl says:

    NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/
    The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. Full report: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF

  3. Tomi Engdahl says:

    New Microsoft Exchange service mitigates high-risk bugs automatically https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-service-mitigates-high-risk-bugs-automatically/
    Microsoft has added a new Exchange Server feature that automatically applies interim mitigations for high-risk (and likely actively exploited) security flaws to secure on-premises servers against incoming attacks and give admins more time to apply security updates.

  4. Tomi Engdahl says:

    Tokenization vs. Encryption for Data Protection Compliance
    https://www.securityweek.com/tokenization-vs-encryption-data-protection-compliance

    Tokenization is a branch of cryptography, but should not be confused with encryption. Encryption is used to hide strings of text based on mathematics. Tokenization replaces individual characters with a different character based on randomness. If you can reverse the encryption mathematics, you get access to the entire string of encrypted text. If you can reverse the token randomness, you get access to a single character.

    In this sense, tokenization mirrors the current movement within cybersecurity towards granularity. Zero Trust is another good example – it is generally considered more secure to separately protect every individual asset than to rely on a wall around the entire data center. Similarly, tokenization individually changes every single character (rather than entire strings of text) in a way that has no mathematical reversibility.

    In simple terms, tokenization cannot be cracked. Encryption can be cracked. For these reasons alone, tokenization deserves a closer examination for its potential role in data security and in ensuring compliance with data protection regulations, such as PCI DSS, GDPR and CCPA/CPRA.

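An added illustration of the contrast drawn in the comment above (my own code, not from the SecurityWeek article or any vendor's product): a vault-based tokenizer hands out random, format-preserving tokens for a card number (PAN) that can only be reversed by whoever holds the vault, beside a deliberately minimal key-based cipher stand-in (XOR with a hash-derived keystream, not a real cipher) where anyone holding the key recovers the whole string. TokenVault, toy_encrypt and the test PANs are assumptions of this example.

```python
import hashlib
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check, the checksum that real card numbers (PANs) satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def random_token_like(pan: str, keep_last: int = 4) -> str:
    """Format-preserving token: same length, last digits kept, the rest random.

    The token deliberately fails the Luhn check so it can never be mistaken
    for (or used as) a real card number. Uses the CSPRNG, not random.random.
    """
    head_len = len(pan) - keep_last
    while True:
        head = "".join(secrets.choice("0123456789") for _ in range(head_len))
        token = head + pan[-keep_last:]
        if token != pan and not luhn_valid(token):
            return token


class TokenVault:
    """Maps PANs to random tokens (hypothetical vault, kept in memory here).

    The token carries no information about the PAN: reversing it requires
    access to the vault, not knowledge of any algorithm or key.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        # Same PAN -> same token, so the token stays usable as a stable customer key.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = random_token_like(pan)
        while token in self._token_to_pan:  # resolve the (unlikely) collision
            token = random_token_like(pan)
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]  # KeyError for an unknown token


def _keystream(key: bytes, length: int) -> bytes:
    # Hash-derived keystream: a stand-in for a real cipher, for illustration only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return toy_encrypt(key, ciphertext)  # XOR is its own inverse


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    tok = vault.tokenize(pan)
    print(pan, "->", tok, "| Luhn valid:", luhn_valid(tok))
    print("vault lookup:", vault.detokenize(tok))
    ct = toy_encrypt(b"shared key", pan.encode())
    print("key holder recovers everything:", toy_decrypt(b"shared key", ct).decode())
```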
  5. Tomi Engdahl says:

    A Deeper Dive Into Zero-Trust and Biden’s Cybersecurity Executive Order
    https://www.securityweek.com/deeper-dive-zero-trust-and-bidens-cybersecurity-executive-order

    On May 12, 2021, President Biden signed an Executive Order (EO) on Improving the Nation’s Cybersecurity. It is a detailed overview of the Federal government’s plan to better secure America – and it calls out zero-trust as a major pillar of that process.

  6. Tomi Engdahl says:

    COVID-19′s Healthcare Feeding Frenzy for Cybercriminals
    https://www.securityweek.com/covid-19s-healthcare-feeding-frenzy-cybercriminals

    The COVID-19 pandemic has enlarged the threat landscape for all industry sectors; but none more so than healthcare. The primary areas of concern include insecure working from home, and stress related lax behavior at the office.

    The vast increase in staff from all industries working from home, outside of their corporate network defenses and often on poorly protected home computers, has been a treasure trove for hackers. Two common attack methodologies have been phishing (where the pandemic has provided the opportunity to add two of the most compelling social engineering triggers: fear and urgency), and home router compromise (where brute forcing passwords that have often not been changed from the default is common).

    Once a home computer is compromised, attackers are looking for any method to gain access to the user’s company network. Healthcare institutions, from hospitals and clinics to pharmaceutical companies and medical equipment manufacturers are especially valued for two primary reasons. Firstly, any stored PII that includes protected health information (PHI) is more valuable to the criminal than PII alone for identity theft and financial fraud purposes. Secondly, healthcare institutions are under enormous pandemic-related stress and pressure to work at full capacity with no downtime. The fine points of cybersecurity hygiene are often omitted in favor of continuity — and that same need for continuity makes criminals believe that healthcare institutions will be more open to pay ransom demands.

    Threat intelligence firm IntSights notes in its 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report (PDF) that healthcare breach reports have been running at two per day between March and July 2021. Ransomware attacks against healthcare, particularly hospitals, have also continued to increase “due to their perceived and actual vulnerability to compromise and extortion”.

    https://wow.intsights.com/rs/071-ZWD-900/images/Building%20Immunity-Healthcare-Pharma%20Report-2021.pdf

  7. Tomi Engdahl says:

    NSA, CISA Issue Guidance on Selecting and Securing VPNs
    https://www.securityweek.com/nsa-cisa-issue-guidance-selecting-and-securing-vpns

    The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) this week published a new document to help government organizations select and secure virtual private network (VPN) solutions.

    In fact, nation-state advanced persistent threat (APT) actors are known to target vulnerabilities in VPN appliances for credential harvesting, remote code execution, traffic hijacking, data leakage, or to weaken the security of encrypted traffic sessions.

  8. Tomi Engdahl says:

    Google Announces Rewards for Tsunami Security Scanner Plugins
    https://www.securityweek.com/google-announces-rewards-tsunami-security-scanner-plugins

    Google this week announced that it is offering monetary payouts to individuals who help expand the detection capabilities of the Tsunami security scanner.

    Two types of contributions are currently accepted in the experimental reward program, namely vulnerability detection plugins and web application fingerprints.

    An open-source general purpose network security scanner, Tsunami is meant to help organizations identify vulnerabilities and misconfigurations in their networks in an automated manner.

    Designed as an extensible network scanning engine and easy to implement, the scanner heavily relies on plugins for the discovery of high-severity security bugs, and supports a curated set of vulnerabilities.

    https://github.com/google/tsunami-security-scanner

    Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

  9. Tomi Engdahl says:

    Microsoft, CISA and NSA offer security tools and advice, but will you take it?
    https://blog.malwarebytes.com/opinion/2021/09/microsoft-cisa-and-nsa-offer-orgs-security-tools-and-advice-but-will-those-that-need-it-the-most-be-the-ones-that-use-it/
    Microsoft offers to help you with patching Exchange servers, CISA offers an insider threat tool, and together with the NSA they offer advice on how to choose and harden your VPN.

  10. Tomi Engdahl says:

    CISA RELEASES NEW TOOL TO HELP ORGANIZATIONS GUARD AGAINST INSIDER THREATS https://www.cisa.gov/news/2021/09/28/cisa-releases-new-tool-help-organizations-guard-against-insider-threats
    The Cybersecurity and Infrastructure Security Agency (CISA) released an Insider Risk Mitigation Self-Assessment Tool today, which assists public and private sector organizations in assessing their vulnerability to an insider threat.

  11. Tomi Engdahl says:

    Story of the creds-leaking Exchange Autodiscover flaw the one Microsoft wouldn’t fix even after 5 years https://www.theregister.com/2021/09/27/microsoft_exchange_autodiscover/
    Microsoft Exchange clients like Outlook have been supplying unprotected user credentials if you ask in a particular way since at least 2016. Though aware of this, Microsoft’s advice continues to be that customers should communicate only with servers they trust.

  12. Tomi Engdahl says:

    The Rise of One-Time Password Interception Bots https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/
    In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords.. That service quickly went offline, but new research reveals a number of competitors have since launched bot-based services that make it relatively easy for crooks to phish OTPs from targets.

  13. Tomi Engdahl says:

    Cybercriminals top LOLBins
    https://www.kaspersky.com/blog/most-used-lolbins/42180/
    Cybercriminals have long used legitimate programs and operating system components to attack Microsoft Windows users, a tactic known as Living off the Land. In doing so, they’re attempting to kill several birds with one cyberstone, reducing the cost of developing a malware toolkit, minimizing their operating system footprint, and disguising their activity among legitimate IT actions.

  14. Tomi Engdahl says:

    Facebook open-sources internal tool used to detect security bugs in Android apps https://therecord.media/facebook-open-sources-internal-tool-used-to-detect-security-bugs-in-android-apps/
    Facebook has open-sourced Mariana Trench, one of its internal security tools, used by its security teams for finding and fixing bugs in Android and Java applications.

    Facebook Open-Sources ‘Mariana Trench’ Code Analysis Tool
    https://www.securityweek.com/facebook-open-sources-mariana-trench-code-analysis-tool

    Facebook’s security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications.

    Named after the deepest oceanic trench on Earth, Facebook built Mariana Trench internally to handle the analysis of applications at scale, to help significantly reduce the risk of delivering security and privacy errors in production.

    Designed to automate code analysis, this is the third static and dynamic analysis tool that Facebook has made public, following the release of Zoncolan and Pysa in 2019 and 2021.

    The tool (available on Github) can scan large mobile codebases to identify potential flaws on pull requests and has already been trained by Facebook’s security and software engineers.

    https://github.com/facebook/mariana-trench

  15. Tomi Engdahl says:

    How to Spot an Ineffective Security Practitioner
    https://www.securityweek.com/how-spot-ineffective-security-practitioner

    Root out ineffective security practitioners to keep your security teams protected and engaged in a productive manner

    I was recently introduced to someone professionally by a mutual contact. We set up an initial phone call to discuss a few things, and it seemed to go very well. After that, while exchanging a few text messages around security topics, all of a sudden, the person began answering very curtly and abruptly. After that, the person stopped answering entirely.

    While this interaction was strange, it is not unheard of or unknown. I’m guessing that many of us have experienced something like this, either personally or professionally, in the past. In my experience, this type of behavior is one of a number of different indicators that the person may not be an effective security practitioner.

  16. Tomi Engdahl says:

    Cyberespionage Implant Delivered via Targeted Government DNS Hijacking
    https://www.securityweek.com/cyberespionage-implant-delivered-targeted-government-dns-hijacking

    Threat hunters at Kaspersky have intercepted a new cyberespionage implant being delivered via targeted DNS hijacking of government zones in Eastern Europe and published a new report Wednesday with clues linking the malware to the SolarWinds attackers.

    The Russian security vendor said the newly discovered malware — called Tomiris — contains technical artifacts that suggest the possibility of common authorship or shared development practices with the group that executed the SolarWinds supply chain compromise.

    The company documented the findings in a research paper that provides evidence of an advanced DNS hijacking technique used to surgically replace webmail login pages on the fly to hijack government usernames and passwords.

    The DNS hijacking was observed on several government zones of an unidentified CIS member state — guesses are Kyrgyzstan or Kazakhstan — and allowed the threat actor to redirect traffic from government mail servers to attacker-controlled machines during specific time periods.

    https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/

  17. Tomi Engdahl says:

    5.4 million DDoS attacks in the first half of the year
    https://etn.fi/index.php/13-news/12635-5-4-miljoonaa-ddos-hyoekkaeystae-alkuvuonna

    According to data presented by the Atlas VPN team, cybercriminals launched nearly 5.4 million distributed denial-of-service attacks in the first half of 2021. That is 11 percent more than in the first half of 2020.

    More than half (2.8 million) of the attacks used compromised computer systems, in other words botnets, as the sources of attack traffic. To carry out a DDoS attack, hackers infect multiple devices, turn them into bots and point them at the targeted IP address. The targeted website or service can no longer accept valid requests from real visitors because it is flooded with fraudulent requests.

    The most DDoS attacks were seen in January, 972,000 in total. In February the attacks dropped slightly, and in March they rose again to 968,000.

  18. Tomi Engdahl says:

    https://www.facebook.com/groups/electronicfrontierfinland/permalink/10160022966768982/

    Couldn’t these “accidental viewings” also be prevented technically? For example, each employee could have their own defined clients whose data they are allowed to view. If they try to view others, they get a screen asking for a justification for why the data needs to be seen, and they cannot get past the screen until the reason has been written. The reason then goes to a supervisor or similar for approval before the page opens.

    One click cost social services workers 4,800 euros – they looked into the data of a mother unknown to them while she was sitting at the hairdresser
    https://yle.fi/uutiset/3-12120748?utm_source=facebook&utm_campaign=yleuutiset&utm_medium=social

    Everyone has the right to know how their own social and health care data is processed. A mother ordered the log data and noticed that her data had been viewed without authorization. The offence is a precedent in the social services sector under the new Data Protection Act.

    Two employees of Kymsote, the Kymenlaakso social and health services joint authority, have been convicted of a data protection offence. The employees had viewed a client’s data in Kymsote’s register without grounds.

    What makes the judgment exceptional is that it is a precedent in the social services sector under the Data Protection Act that has been in force since 2019.

    The offence came to light for the mother when she made a log data request to Kymsote.

    No explanation was found
    The employees had viewed the register page, called the diary, of both the mother and the child. The “diary” is in practice an account of a person’s client relationship with social services.

    After noticing this, the mother asked Kymsote for an explanation of why these employees had viewed her and her child’s data.

    No direct explanation for the page visits was found. The mother filed a police report, but the police declined to investigate. The mother offered the employees the possibility of mediation, but eventually decided to take the matter forward herself.

    – I ended up filing a criminal complaint in the district court as a private individual. I did the preliminary investigation myself and a lawyer handled the prosecutor’s part. In practice we did the work of the real authorities, the mother says.

    Why her data in particular was of interest remains a mystery to the woman.

    – I have to say that my trust is now gone. I will not use Kymsote’s social services in any form anymore.

    Accident and work duty
    The convicted employees denied the offence and denied even knowing each other. One of them said that opening the victim’s diary page in the system was an accident.

    The other said that during her shift she had received a call to the social and crisis emergency service from that very mother, or from a person presenting herself as the mother. According to her account, she had checked data relating to the mother and her child because of her work duties.

    At the time of the act the mother was provably at the hairdresser, and she had not called the social and crisis emergency service. The employees had not recorded the reason for their page visits.

    “Hopefully isolated cases”
    A client of social and health care services has the right to request information on who has processed their data. Usually the matter ends up on the Data Protection Ombudsman’s desk if an opinion on the case is requested.

    Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa from the Office of the Data Protection Ombudsman says that similar offences do not come up very often, but still regularly.

    Pihamaa reminds that it is the duty of the operator in the sector to monitor that data is processed only to the extent required by work duties.

    Curiosity led to a conviction
    The Kymenlaakso District Court found that the social workers had viewed the client data out of sheer curiosity. Both were ordered to pay ten day-fines for the data protection offence. The judgment was first reported by Kouvolan Sanomat.

    The employees were also ordered to pay the mother a total of 600 euros in compensation for suffering and to cover legal costs of about 4,200 euros.

    The judgment came only two years after the offence, but the mother is satisfied with the outcome.

    https://www.kouvolansanomat.fi/paikalliset/4309627

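A sketch of the control proposed at the start of the comment above, as added example code (a hypothetical design of my own, not Kymsote’s system or any real product): an employee may open only the records of clients assigned to them, any other record stops at a justification screen and waits for a supervisor’s decision, and every attempt, allowed or not, is logged so the client can later request who looked at their data. RecordAccessGate, the outcome names and the sample employees are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

ALLOWED = "allowed"
NEEDS_JUSTIFICATION = "needs_justification"
PENDING_APPROVAL = "pending_approval"
DENIED = "denied"


@dataclass
class LogEntry:
    when: datetime
    employee: str
    client_id: str
    outcome: str
    reason: Optional[str] = None
    approved_by: Optional[str] = None


class RecordAccessGate:
    """Hypothetical access gate in front of a client-record register."""

    def __init__(self, assignments: Dict[str, Set[str]], supervisors: Set[str]):
        self._assignments = assignments      # employee -> ids of their own clients
        self._supervisors = supervisors
        self._log: List[LogEntry] = []       # append-only audit trail
        self._pending: Dict[int, LogEntry] = {}
        self._next_id = 1

    def _record(self, employee, client_id, outcome, reason=None, approved_by=None):
        entry = LogEntry(datetime.now(timezone.utc), employee, client_id,
                         outcome, reason, approved_by)
        self._log.append(entry)
        return entry

    def request_access(self, employee: str, client_id: str,
                       reason: Optional[str] = None) -> Tuple[str, Optional[int]]:
        """Returns (outcome, request_id); request_id is set only while a
        supervisor decision is pending."""
        if client_id in self._assignments.get(employee, set()):
            self._record(employee, client_id, ALLOWED, reason="assigned client")
            return ALLOWED, None
        if not reason or not reason.strip():
            # Page does not open; the attempt itself is still logged.
            self._record(employee, client_id, NEEDS_JUSTIFICATION)
            return NEEDS_JUSTIFICATION, None
        entry = self._record(employee, client_id, PENDING_APPROVAL, reason=reason.strip())
        req_id = self._next_id
        self._next_id += 1
        self._pending[req_id] = entry
        return PENDING_APPROVAL, req_id

    def decide(self, request_id: int, supervisor: str, approve: bool) -> str:
        if supervisor not in self._supervisors:
            raise PermissionError("only supervisors decide break-glass requests")
        pending = self._pending[request_id]      # KeyError for an unknown request
        if supervisor == pending.employee:
            raise PermissionError("nobody approves their own request")
        del self._pending[request_id]
        outcome = ALLOWED if approve else DENIED
        self._record(pending.employee, pending.client_id, outcome,
                     pending.reason, approved_by=supervisor)
        return outcome

    def access_log_for(self, client_id: str) -> List[LogEntry]:
        """What a client gets when exercising the right to see who viewed their data."""
        return [e for e in self._log if e.client_id == client_id]

    def unjustified_attempts(self) -> List[LogEntry]:
        """Attempts stopped at the justification screen: the controller's
        duty to monitor processing starts with reviewing these."""
        return [e for e in self._log if e.outcome == NEEDS_JUSTIFICATION]


if __name__ == "__main__":
    # Constructed sample data: two workers, one supervisor, one assigned client.
    gate = RecordAccessGate({"worker_a": {"client_1"}, "worker_b": set()}, {"boss"})
    print(gate.request_access("worker_a", "client_1"))            # allowed
    print(gate.request_access("worker_b", "client_1"))            # stopped at screen
    outcome, rid = gate.request_access("worker_b", "client_1", "crisis line call")
    print(outcome, rid, gate.decide(rid, "boss", approve=True))
    for e in gate.access_log_for("client_1"):
        print(e.when.isoformat(), e.employee, e.outcome, e.reason, e.approved_by)
```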
  19. Tomi Engdahl says:

    How nation-state attackers like NOBELIUM are changing cybersecurity https://www.microsoft.com/security/blog/2021/09/28/how-nation-state-attackers-like-nobelium-are-changing-cybersecurity/
    This is the first post in a four-part series on the NOBELIUM nation-state cyberattack. Microsoft started telling the industry about this extremely advanced cyberattack in December 2020. The NOBELIUM blog series – which mirrors Microsoft’s four-part video series “Decoding NOBELIUM” – will pull the curtain back on the world of threat detection and showcase insights from cybersecurity professionals on the front lines, both Microsoft defenders and other industry experts.
    also: Decoding NOBELIUM: The Docuseries – https://www.microsoft.com/en-us/security/business/nation-state-attacks

  20. Tomi Engdahl says:

    A wolf in sheep’s clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html
    Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.

  21. Tomi Engdahl says:

    All your hashes are belong to us: An overview of malware hashing algorithms https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-algorithms
    VirusTotal’s “Basic Properties” tab alone lists eight different hashes and supports even more to use them for queries and hunt signatures.
    Hashes are important for malware analysis, as well as identification, description and detection. But why do so many of them exist and when should you use which hash function?

  22. Tomi Engdahl says:

    50% of Servers Have Weak Security Long After Patches Are Released https://www.darkreading.com/vulnerabilities-threats/50-of-servers-have-weak-security-long-after-patches-are-released
    Many servers remain vulnerable to high-severity flaws in Microsoft Exchange Server, VMware vCenter, Oracle WebLogic, and other popular products and services.

  23. Tomi Engdahl says:

    The New Security Basics: 10 Most Common Defensive Actions https://www.darkreading.com/application-security/the-new-security-basics-10-most-common-defensive-actions
    Companies now commonly collect security metrics from their software development life cycle, implement basic security measures, and define their obligations to protect user data as part of a basic security strategy.

  24. Tomi Engdahl says:

    Digital support is still an unfamiliar concept to many https://www.epressi.com/tiedotteet/sosiaaliset-kysymykset/digituki-on-edelleen-tuntematon-kasite-monelle.html
    Do digital devices annoy you? Does it feel like they don’t obey at all?
    Is it frustrating when you can’t get help with them? We are happy to tell you that you are probably wrong. Digital support is available in many localities, often completely free of charge.

  25. Tomi Engdahl says:

    Ranion Ransomware – Quiet and Persistent RaaS https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas
    Ranion is a Ransom-as-a-Service (RaaS) that has enjoyed unusual longevity as it has been active since at least February 2017. In this blog, FortiGuard Labs will explain how Ranion RaaS works.

    Russian hacker Q&A: An Interview With REvil-Affiliated Ransomware Contractor https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/
    A threat actor who claims to work with REvil and other sophisticated ransomware collectives recently spoke with Russian-language website Lenta[.]ru on the condition of anonymity.

  26. Tomi Engdahl says:

    Does your country have a national CERT (Computer Emergency Response Team)?
    If you want to get a message through to help them, companies are usually more responsive when they are contacted by the country’s official cyber security organization than by a random hacker. CERT people can then tell the company boneheads that they have received a vulnerability report, made their checks that it was valid, and tell them the risks of not acting on it. And they usually try to get through high enough in the organization, like the chief information security officer or CEO etc.
    CERTs have international co-operation.

  27. Tomi Engdahl says:

    Why organizations are slow to patch even high-profile vulnerabilities
    by Lance Whitney in Security on September 29, 2021, 10:22
    https://www.techrepublic.com/article/why-organizations-are-slow-to-patch-even-high-profile-vulnerabilities/

    Not all organizations have a team or even staffers who can focus solely on vulnerability management, says Trustwave.

    One of the most common ways cybercriminals hit an organization is by exploiting a known security vulnerability. For that reason, regularly patching your software and other products is a vital way to protect yourself from cyberattack.

    But many organizations fail to keep up with the proper patching, thus exposing themselves to great risk. A report released Wednesday by cybersecurity firm Trustwave looks at why security flaws often go unpatched and how organizations can beef up their patch management.

    For its 2021 Trustwave SpiderLabs Telemetry Report, Trustwave examined high-profile vulnerabilities from the past year. The report found that despite the high severity of some of the security flaws that popped up, more than 50% of the servers were unprotected weeks and even months after an update had been released.

    Reply
  28. Tomi Engdahl says:

    These systems are facing billions of attacks every month as hackers try to guess passwords
    Cyber criminals are becoming more aggressive in their attempts to break into RDP services with efforts to exploit weak passwords used in enterprise networks, warn researchers.
    https://www.zdnet.com/article/these-systems-are-facing-billions-of-attacks-every-month-as-hackers-try-to-guess-passwords/

    Reply
  29. Tomi Engdahl says:

    Ransomware gangs are complaining that other crooks are stealing their ransoms
    Ransomware gangs are shocked to find out that cyber crooks will scam other criminals if they can.
    https://www.zdnet.com/article/these-ransomware-crooks-are-complaining-they-are-getting-ripped-off-by-other-ransomware-crooks/

    Reply
  30. Tomi Engdahl says:

    New Tomiris Backdoor Found Linked to Hackers Behind SolarWinds Cyberattack
    https://thehackernews.com/2021/09/new-tomiris-backdoor-found-linked-to.html

    Reply
  31. Tomi Engdahl says:

    Electromagnetic warfare emerging to destroy or disable critical enemy electronics without collateral damage
    Sept. 28, 2021
    This approach uses aimed electrical energy to destroy or disable critical enemy electronics for navigation, computing, communications, and sensors.

    https://www.militaryaerospace.com/blogs/article/14211193/electromagnetic-warfare-enemy-electronics-collateral-damage

    Reply
  32. Tomi Engdahl says:

    How malware gets into the App Store and why Apple can’t stop that
    https://habr.com/en/post/580272/

    Reply
  33. Tomi Engdahl says:

    How Washington hustled up the foundations of a global electronic kraken
    https://www.rt.com/op-ed/535870-big-tech-freedoms-microsoft/

    Reply
  34. Tomi Engdahl says:

    Fortinet, Shopify and more report issues after root CA certificate from Let's Encrypt expires https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-root-ca-certificate-from-lets-encrypt-expires/
    Experts had been warning for weeks that there would be issues resulting from the expiration of root CA certificates provided by Let's Encrypt.

    Reply
  35. Tomi Engdahl says:

    ESET Threat Report T2 2021
    https://www.welivesecurity.com/2021/09/30/eset-threat-report-t22021/
    A view of the T2 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.
    Report (PDF):
    https://www.welivesecurity.com/wp-content/uploads/2021/09/eset_threat_report_t22021.pdf

    Reply
  36. Tomi Engdahl says:

    WatchGuard Threat Lab Reports 91.5% of Malware Arrived over Encrypted Connections in Q2 2021 https://www.watchguard.com/wgrd-news/press-releases/watchguard-threat-lab-reports-915-malware-arrived-over-encrypted
    New research also shows dramatic increases in fileless malware, malware detections per appliance, and booming network and ransomware attacks

    Reply
  37. Tomi Engdahl says:

    New Tool to Add to Your LOLBAS List: cvtres.exe
    https://isc.sans.edu/diary/rss/27892
    LOLBAS (“Living Off the Land Binaries And Scripts”) is a list of tools that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc.
    This list is maintained and upgraded regularly. This is a good starting point when you need to investigate suspicious processes activity on a system (proactively or in forensics investigation).
    What’s the purpose of this tool? CvtRes stands for “Convert Resource Files To COFF Objects”. It converts “.res” resource files into Common Object File Format (COFF) “.obj” object files that the linker can link into a finished “.exe” PE application file.

    Reply
  38. Tomi Engdahl says:

    Introducing the Secure Open Source Pilot Program https://security.googleblog.com/2021/10/introducing-secure-open-source-pilot.html
    Today, we are excited to announce our sponsorship for the Secure Open Source (SOS) pilot program run by the Linux Foundation. This program financially rewards developers for enhancing the security of critical open source projects that we all depend on. We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback.

    Reply
  39. Tomi Engdahl says:

    Cyber threats must be prepared for in time: "can, if necessary, be equated with an armed attack"
    https://www.tivi.fi/uutiset/tv/7e3c01f8-fb5c-4988-9e06-5fa34728425c
    A large-scale cyber attack against Finland can be equated in its effects with a corresponding armed attack, says Catharina Candolin. In that case we should have the readiness for countermeasures.

    Reply
  40. Tomi Engdahl says:

    Why the cybersecurity industry should treat civil society as critical infrastructure https://therecord.media/why-the-cybersecurity-industry-should-treat-civil-society-as-critical-infrastructure/
    Cybersecurity risks now affect everyone, but those risks aren’t the same everywhere. The Record spoke with Access Now’s Asia Policy Director and Senior International Counsel Raman Jit Singh Chima about how the human rights organization helps secure activists and journalists around the world. Chima, who also serves as the organization’s global security lead, shared details about risks facing human rights defenders in the Asia-Pacific region, from spyware and social media monitoring to disrupting access to certain apps or the entire Internet. Protecting civil society from these threats must be a key part of cybersecurity policy discussions, Chima told The Record, much like we think about how we need to protect power grids and other utilities that keep society functioning.

    Reply
