Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
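The patch-lag problem described above is easiest to see in a dependency tree, where a vulnerable log4j-core often arrives transitively through another library. The following Python scanner is an added illustration, not code from the page or from the Google or Apache teams it quotes: it reads `mvn dependency:tree` output, flags `log4j-core` artifacts below a minimum version and any Log4j 1.x artifact (end-of-life, no fixes), and handles Maven's classifier and pre-release version forms. The dependency tree is constructed sample input, and the 2.17.1 threshold is my own assumption of the release that closed the CVEs listed here on Java 8; check Apache's current advisory before relying on any fixed value.

```python
"""Flag Log4j artifacts in Maven dependency-tree output that sit below a minimum version.

Added example for the Log4j patch-lag discussion. SAMPLE_TREE is constructed input;
MIN_SAFE_VERSION is an assumed threshold (not a figure from the page).
"""
import re
from typing import Dict, List, Tuple

MIN_SAFE_VERSION = "2.17.1"  # assumption: verify against Apache's current advisory

# Constructed `mvn dependency:tree` output. Each resolved artifact is printed as
# groupId:artifactId:packaging[:classifier]:version:scope (the root line has no scope).
SAMPLE_TREE = """\
[INFO] com.example:shop-backend:jar:1.4.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] +- com.example:legacy-reports:jar:3.2.0:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:tests:2.17.1:test
"""


def _parts(version: str) -> List[Tuple[int, int, str]]:
    # Numeric components sort as (1, n, ""); pre-release labels such as "beta9"
    # sort as (0, 0, label), i.e. below any numeric component.
    return [(1, int(p), "") if p.isdigit() else (0, 0, p)
            for p in re.split(r"[.\-]", version)]


def version_lt(a: str, b: str) -> bool:
    """True if Maven-style version a is older than b (2.0-beta9 < 2.0 < 2.0.1)."""
    pa, pb = _parts(a), _parts(b)
    # Pad the shorter list with an implicit ".0" so 2.17 == 2.17.0 and a bare
    # release outranks its own pre-release labels.
    pad = (1, 0, "")
    n = max(len(pa), len(pb))
    pa += [pad] * (n - len(pa))
    pb += [pad] * (n - len(pb))
    return pa < pb


def find_vulnerable_log4j(tree_text: str,
                          min_safe: str = MIN_SAFE_VERSION) -> List[Dict[str, str]]:
    """Return one finding per Log4j artifact that needs attention, in tree order."""
    findings: List[Dict[str, str]] = []
    for line in tree_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        coords = fields[-1].split(":")  # tree-drawing glyphs are separate tokens
        if len(coords) == 5:
            group, artifact, _pkg, version, scope = coords
        elif len(coords) == 6:  # classifier present
            group, artifact, _pkg, _classifier, version, scope = coords
        else:
            continue  # root line or unrelated output
        reason = None
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            # The JNDI lookup code behind the listed CVEs lives in log4j-core,
            # so that is the artifact whose version matters.
            if version_lt(version, min_safe):
                reason = f"log4j-core {version} is below {min_safe}"
        elif group == "log4j" and artifact == "log4j":
            reason = "Log4j 1.x is end-of-life and receives no security fixes"
        if reason:
            findings.append({"group": group, "artifact": artifact,
                             "version": version, "scope": scope, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"{f['group']}:{f['artifact']}:{f['version']} ({f['scope']}) - {f['reason']}")
```

Run it against `mvn dependency:tree` output piped from a real build; the scope column is reported rather than filtered so that a test-only occurrence is visible but can be triaged separately from a compile-scope one.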
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Linux’s real security trouble isn’t so much with open source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: (1) Malware, (2) Mobile, (3) Machine Learning and AI, (4) Ransomware (because we simply couldn’t not give it a section of its own), and (5) Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find the root causes of an incident by looking back at change and anomaly indicators in network activity.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being reinvented
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture, announced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it from technically savvy individuals and criminal organizations to everyone. The new “Everything as a Service” model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them. A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
Tomi Engdahl says:
No SOCKS, No Shoes, No Malware Proxy Services!
https://krebsonsecurity.com/2022/08/no-socks-no-shoes-no-malware-proxy-services/
With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.
Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.
The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses.
Tomi Engdahl says:
Aviation Safety and Cybersecurity: Learning from Incidents
https://www.tripwire.com/state-of-security/featured/aviation-safety-cybersecurity-learning-from-incidents/
The aviation safety sector is the study and practice of managing aviation risks. It is a solid concentration of regulations, legal documents, investigations of accidents and near-miss aviation incidents. On top of them lie lessons learned and shared knowledge; reports, facts and stats forming a cognitive super vitamin, that the aviation community uses to keep their business healthy and safe.
The above concept is successful. People trust the aviation sector and consider it the safest transportation. Sadly, when it comes to cybersecurity the community feels quite exposed and vulnerable. Stats that are not available, dark corners, and a lack of lessons learned from cyber incidents are some of the aspects that blur its reputation. Wouldn’t it be better if businesses and organizations adopt the successful “how-to” of the aviation safety sector to increase their cybersecurity level and the confidence of the community?
Tomi Engdahl says:
https://www.uusiteknologia.fi/2022/08/04/ukrainan-sodalla-dramaattinen-vaikutus-kyberymparistoon/
Tomi Engdahl says:
Mirai-based malware brute-forces its way into Linux servers
https://etn.fi/index.php/13-news/13835-mirai-koodiin-perustuva-haitta-murtaa-voimalla-linux-palvelimia
In mid-June, security company Fortinet found a new malware whose source code is based largely on the Mirai bot. The code, named RapperBot, tries to break the SSH encryption of Linux servers and gain access to the servers’ user credentials.
According to Fortinet, newer versions indicate that components improving its persistence have been added to the bot. RapperBot thus resists defensive efforts better than Mirai, which broke into Telnet connections.
After further analysis, Fortinet researchers found that the RapperBot malware family is designed to operate primarily in SSH brute-force attacks, with limited DDoS capabilities. As is typical of most IoT malware, it targets the Arm, MIPS, SPARC and x86 architectures.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/13857-emotet-edelleen-suurin-riesa
Tomi Engdahl says:
Understanding the Evolution of Cybercrime to Predict its Future
https://www.securityweek.com/understanding-evolution-cybercrime-predict-its-future
An analysis of the evolution of cybercrime from its beginnings in the 1990s to its billion-dollar presence today has one overriding theme: the development of cybercrime as a business closely mimics the evolution of legitimate business, and will continue to evolve to improve its own ROI.
In the early days, hacking was more about personal prestige and kudos than about making money – but the dotcom made people realize there’s money to be made on the internet. This first phase of cybercrime loosely fits the period from 1990 to 2006.
From this simple realization, HP Wolf Security’s study of The Evolution of Cybercrime (PDF report) shows an underground business that follows and mimics the overground business ecosystem – digital transformation included. “Digital transformation has supercharged both sides of the attack-defense divide – shown, for instance, by the increasing popularity of ‘as a service’ offerings,” said Alex Holland, senior malware analyst and author of the report. “This has democratized malicious activity to the point where complex attacks requiring high levels of knowledge and resources – once the preserve of advanced persistent threat (APT) groups – are now far more accessible to a wider group of threat actors.”
Malware has become commoditized – typified perhaps during the era of Zeus. Zeus originally cost $8,000, but competition with the lower priced SpyEye brought the price down to around $500. In 2011 the source code was leaked, and it effectively became free.
At the same time, criminal gangs were consolidating and moving towards an ‘as a service’ operation.
https://threatresearch.ext.hp.com/evolution-of-cybercrime-report/
Tomi Engdahl says:
The Ever-Increasing Issue of Cyber Threats – and the Zero Trust Answer
https://www.securityweek.com/ever-increasing-issue-cyber-threats-and-zero-trust-answer
Tomi Engdahl says:
The Secret to Automation? Eat the Elephant in Chunks.
https://www.securityweek.com/secret-automation-eat-elephant-chunks
Tomi Engdahl says:
Securing Smart Cities from the Ground Up
https://www.securityweek.com/securing-smart-cities-ground
Tomi Engdahl says:
RiskRecon Program Impact: A Forrester Total Economic Impact™ Study
https://www.riskrecon.com/forrester-riskrecon-total-economic-impact-study
RiskRecon, a Mastercard company, commissioned Forrester Research to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying RiskRecon as part of a third-party cyber risk program. The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of RiskRecon on their organizations.
Tomi Engdahl says:
Amazon Web Services Core Assessment Playbook & Questionnaire
A toolkit for assessing the security quality of third-party AWS environments and operations
https://www.riskrecon.com/aws-security-assessment-toolkit
Tomi Engdahl says:
HYAS Unveils New Tool for Continuous DNS Monitoring
https://www.securityweek.com/hyas-unveils-new-tool-continuous-dns-monitoring
Canadian security firm HYAS Infosec has released a new DNS protection tool dubbed HYAS Confront that was designed to provide clear visibility into DNS transactions in production networks. While there are existing corporate network DNS products available, Confront is claimed to be the first solution to continuously cover the entire production network regardless of its cloud location.
HYAS Confront provides continuous and complete passive DNS monitoring. It does not attempt to examine the content of communications, but merely determines the source and destination of the communication. If internal communication is deemed suspicious, or if external communication is deemed dangerous, Confront reports this to the customer’s SIEM, SOAR or SOC.
It takes no automatic action against the communication beyond reporting. The concern over false positives weighs heavy on production networks. “All systems are vulnerable to an occasional false positive,” comments HYAS CEO David Ratner; “and a false positive in the production environment could be disastrous from a revenue perspective. So, Confront is passive. It uniquely sees every single communication, and we can uniquely understand whether that communication is good, bad or ugly.”
https://www.hyas.com/hyas-confront
Tomi Engdahl says:
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forces-ssh-servers-to-breach-networks/
Tomi Engdahl says:
USCYBERCOM Releases IoCs for Malware Targeting Ukraine
https://www.securityweek.com/uscybercom-releases-iocs-malware-targeting-ukraine
The United States Cyber Command (USCYBERCOM) this week released indicators of compromise (IoCs) associated with malware families identified in recent attacks targeting Ukraine.
The malware samples were found by the Security Service of Ukraine on various compromised networks in the country, which has seen an increase in cyber activity since before the beginning of the Russian invasion in February 2022.
USCYBERCOM has released 20 novel indicators in various formats representing IoCs identified during the analysis of recently identified malware samples, but has not shared further information on the attacks.
“Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations,” USCYBERCOM notes.
https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/
Tomi Engdahl says:
Protecting Government Systems: Addressing Growing CyberSecurity Threats With Hardware-Level Security
https://go.rambus.com/protecting-government-systems?utm_source=Endeavor&utm_medium=personifai&utm_campaign=2022+Endeavor+Personif.ai
Tomi Engdahl says:
Google Introduces DNS-over-HTTP/3 in Android
https://www.securityweek.com/google-introduces-dns-over-http3-android
Google this week announced the rollout of DNS-over-HTTP/3 (DoH3) for Android 11 and newer devices.
An encrypted DNS protocol, DoH3 is expected to provide performance and safety improvements compared to alternatives, mainly through the QUIC transport layer network protocol.
By default, even for encrypted connections, DNS lookups are not private – the base DNS protocol does not have encryption – something that has been resolved through solutions such as DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
Support for DoT was introduced in Android 9, but Google says that the protocol incurs overhead on any DNS request. Although it enjoys wide adoption and has already been deployed by numerous public DNS operators, DoH doesn’t reduce overhead, the internet giant says.
DoH3, which should provide both performance and safety improvements courtesy of its use of QUIC, has been rolled out as part of a Google Play system update and will replace the use of DoT for well-known DNS servers that already support it.
Tomi Engdahl says:
Chinese GPS tracker lets hackers straight into the car's computer
https://etn.fi/index.php?option=com_content&view=article&id=13788&via=n&datum=2022-07-20_09:29:27&mottagare=31202
The leaky positioning module is manufactured by MiCODUS and is called the MV720 GPS Tracker. It is used around the world for theft protection and location management, and many organisations use it for fleet management. Using the vulnerabilities, attackers can not only access and control the tracking device, they could potentially cut off the fuel, physically stop the vehicles or monitor the movement of the vehicles in which the device is installed.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/13830-githubiin-ujutettiin-valtavat-maeaeraet-haittakoodia
Tomi Engdahl says:
Hacktivism sharply on the rise
https://etn.fi/index.php/13-news/13827-haktivismi-vahvassa-nousussa
The research division of security company Check Point Software Technologies has published its security report covering the first half of the year. According to it, cyberattacks will continue to cause considerable harm to everyday life in the second half of the year as well. The number one threat to companies is ransomware.
Supply chain attacks in the cloud are also growing. Cyberattacks have established themselves as state-level weapons, including the new extortion method “Country Extortion” and state-affiliated hacktivism. In all, the number of cyberattacks has grown 42 percent from last year.
According to the report, the ransomware ecosystem is fragmenting. Extortion groups have become more structured and have preset goals like ordinary companies. Check Point's researchers believe that in the future, instead of a few large groups, there will be many small and medium-sized groups that are able to hide more effectively.
The ways infections are spread are also diversifying. Because the use of Internet macros is blocked by default in Microsoft Office, malware families are quickly starting to spread in new, harder-to-detect ways, such as inside password-protected files.
Tomi Engdahl says:
https://www.analyticsinsight.net/top-10-cybersecurity-startups-to-providing-the-best-digital-security-solutions/
Tomi Engdahl says:
https://bepractical.tech/kali-linux-tool-list-for-bug-bounty-and-cybersecurity/
Tomi Engdahl says:
https://www.securecybersimplified.com/how-to-secure-your-network/
Tomi Engdahl says:
https://www.kitploit.com/2022/08/smap-drop-in-replacement-for-nmap.html?m=1
Tomi Engdahl says:
https://techcrunch.com/2022/08/09/how-an-armenian-startup-plans-to-use-a-new-innovation-to-tackle-the-billion-dollar-phishing-industry/
Tomi Engdahl says:
https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/
Tomi Engdahl says:
https://www.socinvestigation.com/hackers-opted-for-new-techniques-after-microsoft-disables-excel-4-0-macros/
Tomi Engdahl says:
https://techcrunch.com/2022/08/02/cybersecurity-could-offer-a-way-for-underrepresented-groups-to-break-into-tech/
Tomi Engdahl says:
https://hackersonlineclub.com/how-to-manipulate-web-application-logs/
Tomi Engdahl says:
https://www.socinvestigation.com/hackers-use-new-static-expressway-phishing-technique-on-lucidchart/
Tomi Engdahl says:
Securing the cloud (by design *and* by default) https://www.ncsc.gov.uk/blog-post/securing-the-cloud-by-design-and-by-default
In any conversation about cloud security, it won't take long before someone will mention the shared responsibility model. It ultimately comes down to the fact that the cloud service itself needs to be designed and operated securely by the cloud provider, and their customers need to configure and use it in a way that appropriately secures their data. We know that doing security well can be hard, whether that's getting architectures and configurations right, or the more routine things such as patching. It can feel like a never-ending battle, which means that it's easy to forget to do all of the things that are important.
Tomi Engdahl says:
July 2022's Most Wanted Malware: Emotet Takes Summer Vacation but Definitely Not Out-of-Office https://blog.checkpoint.com/2022/08/10/july-2022s-most-wanted-malware-emotet-takes-summer-vacation-but-definitely-not-out-of-office/
After a peak in Emotet's global impact last month, Emotet is back to its global impact numbers and continues as the most widespread malware. Possibly the peak ended due to summer vacations, as was seen in the past. Nevertheless, new features and improvements in Emotet's capabilities are constantly discovered, such as its latest credit card stealer module developed, and adjustments done in its spreading systems.
Tomi Engdahl says:
Making Linux Kernel Exploit Cooking Harder https://security.googleblog.com/2022/08/making-linux-kernel-exploit-cooking.html
The Linux kernel is a key component for the security of the Internet.
Google uses Linux in almost everything, from the computers our employees use, to the products people around the world use daily like Chromebooks, Android on phones, cars, and TVs, and workloads on Google Cloud. Because of this, we have heavily invested in Linux's security – and today, we're announcing how we're building on those investments and increasing our rewards.
Tomi Engdahl says:
VileRAT: DeathStalker's continuous strike at foreign and cryptocurrency exchanges https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/
In late August 2020, we published an overview of DeathStalker's profile and malicious activities, including their Janicab, Evilnum and PowerSing campaigns (PowerPepper was later documented in 2020).
Notably, we exposed why we believe the threat actor may fit a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support competitive and financial intelligence efforts.
Tomi Engdahl says:
This company didn’t spot the flaw in their network. But three ransomware gangs did https://www.zdnet.com/article/this-company-didnt-spot-the-flaw-in-their-network-but-three-ransomware-gangs-did/
If you thought being hit by one ransomware attack was bad, try getting hit by three different ransomware gangs at the same time and each one encrypting files, sometimes multiple times over. That’s what happened to one organisation, as detailed by cybersecurity researchers at Sophos, which fell victim to multiple different ransomware attacks within a short period of time. The unspecified target fell victim to three prominent forms of ransomware, LockBit, Hive and BlackCat, with each cyber criminal gang encrypting files and leaving their own ransom demand for a decryption key.
Tomi Engdahl says:
And Here They Come Again: DNS Reflection Attacks
https://isc.sans.edu/diary/And+Here+They+Come+Again%3A+DNS+Reflection+Attacks/28928
I know I have written about this same attack before [see here]. But well, it just doesn’t stop. There has been a continuous stream of these requests to our sensors ever since. Some of the currently preferred queries used: ANY? peacecorps.gov. (the irony… but look at the record. It is asking for amplification. It seems like they built it to max out EDNS0). ANY? sl. Current targets appear to be a couple of networks in Brazil. I am not aware of any particular valuable sites being hosted by them.
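The pattern the diary describes (ANY queries carrying an EDNS0 buffer sized to maximise the response) is easy to pick out of resolver query logs. The following is an added example, not code from the ISC diary or its author: it parses a constructed, simplified query-log format (timestamp, client IP, qname, qtype, advertised EDNS0 UDP size) and reports sources that repeatedly send large-buffer ANY queries. The log format, the 4096-byte threshold and the repeat count are assumptions for the example; real resolver logs (BIND querylog, dnstap) differ and the parser would need adapting.

```python
"""Flag DNS reflection/amplification probes in resolver query logs.

Added example, not from the ISC diary.  The log format is constructed for
this example: one query per line with space-separated fields
    <timestamp> <client_ip> <qname> <qtype> <edns_udp_size>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# An ANY query with a large EDNS0 buffer is the classic reflection pattern:
# a small spoofed question, a large answer sent to the spoofed "client".
# RFC 8482 allows servers to answer ANY minimally, which removes the payoff.
SUSPICIOUS_QTYPES = {"ANY"}
LARGE_EDNS_BYTES = 4096        # assumed threshold; tune for your resolver
MIN_HITS_PER_SOURCE = 3        # assumed: how many probes before reporting

# Constructed sample log; peacecorps.gov. and sl. are the names the diary cites.
SAMPLE_LOG = """\
2022-08-11T10:00:01Z 203.0.113.10 peacecorps.gov. ANY 4096
2022-08-11T10:00:01Z 203.0.113.10 peacecorps.gov. ANY 4096
2022-08-11T10:00:02Z 203.0.113.10 sl. ANY 4096
2022-08-11T10:00:02Z 203.0.113.11 sl. ANY 8192
2022-08-11T10:00:03Z 198.51.100.7 www.example.com. A 1232
2022-08-11T10:00:03Z 198.51.100.7 mail.example.com. MX 1232
2022-08-11T10:00:04Z 203.0.113.10 peacecorps.gov. ANY 4096
"""


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    qtype: str
    edns_size: int


def parse_log(text):
    """Parse the constructed log format, skipping malformed lines."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, size = parts
        try:
            queries.append(Query(ts, client, qname.lower(), qtype.upper(), int(size)))
        except ValueError:
            continue
    return queries


def is_reflection_probe(q):
    """True for the ANY + large-EDNS0 combination described in the diary."""
    return q.qtype in SUSPICIOUS_QTYPES and q.edns_size >= LARGE_EDNS_BYTES


def find_reflection_sources(queries):
    """Return {client_ip: {"count": n, "qnames": {...}}} for repeat probers.

    In a reflection attack the client IP is usually the spoofed *victim*, so
    the right response is to rate-limit or minimise ANY answers, not to treat
    the listed address as an attacker.
    """
    hits = Counter()
    names = defaultdict(Counter)
    for q in queries:
        if is_reflection_probe(q):
            hits[q.client] += 1
            names[q.client][q.qname] += 1
    return {
        client: {"count": n, "qnames": dict(names[client])}
        for client, n in hits.items()
        if n >= MIN_HITS_PER_SOURCE
    }


if __name__ == "__main__":
    for client, info in find_reflection_sources(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

On the sample, only 203.0.113.10 crosses the repeat threshold; the single 8192-byte probe from 203.0.113.11 is counted but not reported, which is the kind of trade-off the threshold constants exist to tune.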
Tomi Engdahl says:
Q1 2022 Lumen DDoS Quarterly Report
https://blog.lumen.com/q1-2022-lumen-ddos-quarterly-report/?utm_source=rss&utm_medium=rss&utm_campaign=q1-2022-lumen-ddos-quarterly-report
We hope that you have had a great start to your 2022. The start of a new year is always exciting and brimming with possibilities: you have new budgets, new plans, new strategies, etc. The same can be true of bad actors. As cybercriminals operate more like legitimate organizations, they are going through the same things we all are, thinking about what ambitious projects they want to take on this year, where they are going to reinvest their revenue from 2021, and how they can expand their footprint. As you are thinking about what you need to accomplish this year, it is important to have the latest security trends at your fingertips to help determine areas of focus.
Tomi Engdahl says:
One of 5G's Biggest Features Is a Security Minefield https://www.wired.com/story/5g-api-flaws/
TRUE 5G WIRELESS data, with its ultrafast speeds and enhanced security protections, has been slow to roll out around the world. As the mobile technology proliferates, combining expanded speed and bandwidth with low-latency connections, one of its most touted features is starting to come into focus. But the upgrade comes with its own raft of potential security exposures. A massive new population of 5G-capable devices, from smart-city sensors to agriculture robots and beyond, are gaining the ability to connect to the internet in places where Wi-Fi isn’t practical or available. Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver. But the interfaces that carriers have set up to manage internet-of-things data are riddled with security vulnerabilities, according to research that will be presented on Wednesday at the Black Hat security conference in Las Vegas.
Tomi Engdahl says:
Kim S. Nash / Wall Street Journal:
AWS, Splunk, IBM, CrowdStrike, Rapid7, Cloudflare, Salesforce, Okta, and 10 others launch the Open Cybersecurity Schema Framework to monitor hacking attempts
Tech, Cyber Companies Launch Security Standard to Monitor Hacking Attempts
Amazon’s AWS, Splunk, IBM and others cooperate on format for cyber alerts
https://www.wsj.com/articles/tech-cyber-companies-launch-security-standard-to-monitor-hacking-attempts-11660123802?mod=djemalertNEWS
A group of 18 tech and cyber companies said Wednesday they are building a common data standard for sharing cybersecurity information. They aim to fix a problem for corporate security chiefs who say that cyber products often don’t integrate, making it hard to fully assess hacking threats.
Amazon.com Inc.’s AWS cloud business, cybersecurity company Splunk Inc. and International Business Machines Corp.’s security unit, among others, launched the Open Cybersecurity Schema Framework, or OCSF, Wednesday at the Black Hat USA cybersecurity conference in Las Vegas.
Products and services that support the OCSF specifications would be able to collate and standardize alerts from different cyber monitoring tools, network loggers and other software, to simplify and speed up the interpretation of that data, said Patrick Coughlin, Splunk’s group vice president of the security market. “Folks expect us to figure this out. They’re saying, ‘We’re tired of complaining about the same challenges.’”
Other companies involved in the initiative are CrowdStrike Holdings Inc., Rapid7 Inc., Palo Alto Networks Inc., Cloudflare Inc., DTEX Systems Inc., IronNet Inc., JupiterOne Inc., Okta Inc., Salesforce Inc., Securonix Inc., Sumo Logic Inc., Tanium Inc., Zscaler Inc. and Trend Micro Inc.
Often, cyber teams build several dashboards to monitor items such as attempted logins and unusual network activity. To get a full picture of events, they frequently have to write custom code to reformat data for one dashboard or analysis tool or another, said Mark Ryland, director of the office of the CISO at AWS. “There’s a lot of custom software out there in the security world,” he said.
Products that support OCSF would be able to share information in one dashboard without that manual labor, Mr. Ryland said. “We’ll benefit from this,” he said of AWS’s internal security teams.
Tech providers writing the initial version of OCSF expect to incorporate it into their products in the coming months.
Internally, Okta uses cloud services from Alphabet Inc.’s Google, human resources company Workday Inc., communications tool Slack Inc. and others, Mr. Niggel said. “Our incident response team has to normalize all that information so they can see what’s happening,” he said.
With data about potential hacking activity in one format, internal teams will be able to recognize attacks earlier, he said. Plus, companies will be able to share incident data with each other faster, he added.
The OCSF standard and documentation will be on the GitHub open-source repository.
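The problem Ryland and Niggel describe (writing custom code to reformat each tool's output before anything can be correlated) is what a shared event schema removes. The following added example, which is not code from the OCSF project or from any vendor named in the article, shows the idea in miniature: two constructed alert formats for the same failed login (an identity provider's JSON event and a VPN gateway's syslog line) are mapped onto one common event shape, after which a single correlation function works on both. The field names are a simplified illustration constructed for this example, not the real OCSF schema, which is published in the project's GitHub repository.

```python
"""Normalize two constructed alert formats into one common event shape.

Added example; the common schema below is a simplified stand-in for the idea
of a shared event format and is NOT the OCSF field set.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs from two fictitious products.
IDP_ALERT_JSON = json.dumps({
    "eventType": "user.session.start",
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "published": "2022-08-10T14:03:11.000Z",
    "actor": {"alternateId": "alice@example.com"},
    "client": {"ipAddress": "198.51.100.23"},
})

FIREWALL_SYSLOG = (
    "Aug 10 14:03:12 fw01 vpnd[812]: LOGIN_FAIL user=alice "
    "src=198.51.100.23 reason=bad-password"
)

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day> ?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\S+?)(\[\d+\])?: (?P<event>\S+) (?P<kv>.*)$"
)


def _epoch_ms(dt):
    return int(dt.timestamp() * 1000)


def normalize_idp(raw_json):
    """Map the constructed IdP JSON event into the common shape."""
    raw = json.loads(raw_json)
    published = datetime.fromisoformat(raw["published"].replace("Z", "+00:00"))
    failed = raw["outcome"]["result"] == "FAILURE"
    return {
        "class": "authentication",
        "activity": "logon",
        "status": "failure" if failed else "success",
        "status_detail": raw["outcome"].get("reason"),
        "time": _epoch_ms(published),
        "user": raw["actor"]["alternateId"].split("@")[0],
        "src_ip": raw["client"]["ipAddress"],
        "product": "constructed-idp",
        "raw": raw_json,
    }


def normalize_fw_syslog(line, year=2022):
    """Map the constructed VPN syslog line into the same common shape."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line")
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    # Classic syslog has no year or zone; assume UTC and the caller's year.
    stamp = datetime.strptime(
        f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {
        "class": "authentication",
        "activity": "logon",
        "status": "failure" if m["event"] == "LOGIN_FAIL" else "success",
        "status_detail": kv.get("reason"),
        "time": _epoch_ms(stamp),
        "user": kv.get("user"),
        "src_ip": kv.get("src"),
        "product": "constructed-firewall",
        "raw": line,
    }


def correlate_failed_logons(events, window_ms=60_000):
    """Group authentication failures by (user, src_ip) inside a time window.

    Because both products were normalized first, this one function sees the
    same login failure reported by two tools as a single, stronger signal.
    """
    groups = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["class"] != "authentication" or ev["status"] != "failure":
            continue
        key = (ev["user"], ev["src_ip"])
        bucket = groups.setdefault(key, {"first": ev["time"], "products": set(), "count": 0})
        if ev["time"] - bucket["first"] <= window_ms:
            bucket["count"] += 1
            bucket["products"].add(ev["product"])
    return groups


if __name__ == "__main__":
    evs = [normalize_idp(IDP_ALERT_JSON), normalize_fw_syslog(FIREWALL_SYSLOG)]
    print(correlate_failed_logons(evs))
```

The payoff is in the last function: once every producer emits the same shape, detection and dashboard logic is written once, which is the integration gap the article's interviewees describe.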
Tomi Engdahl says:
Cyberattack Victims Often Attacked by Multiple Adversaries: Research
https://www.securityweek.com/cyberattack-victims-often-attacked-multiple-adversaries-research
It’s not if, but when and how often you get attacked
Sophos research for its Active Adversary Playbook 2022 revealed that victims are often attacked by multiple adversaries – usually, in rapid succession but sometimes simultaneously. Further analysis now suggests the aphorism ‘it’s not if, but when you are attacked’ should be expanded with the extension, ‘and how often’.
Multiple attacks are not new, but historically they tend to be separated by months or years. “Now,” John Shier, senior security advisor at Sophos told SecurityWeek, “we’re talking days, weeks or months – in one case just hours.” A new analysis from Sophos looks at the possible reasons for this evolution in attack frequency.
The report, Multiple attackers: A clear and present danger (PDF), provides several specific multiple-attack case studies.
Multiple attackers: A clear and present danger
Competition has always been fierce among cryptominers and RATs, but ransomware bucks the trend.
https://assets.sophos.com/X24WTUEQ/at/q6r6n3x43mnrfchn5tfh3qmw/sophos-x-ops-active-adversary-multiple-attackers-wp.pdf
Tomi Engdahl says:
How Bot and Fraud Mitigation Can Work Together to Reduce Risk
https://www.securityweek.com/how-bot-and-fraud-mitigation-can-work-together-reduce-risk
Onions are great for analogies, as are buckets full of stuff from the beach. In this piece, I’d like to take a look at how both of these analogies can help us understand how bot and fraud mitigation can work together to help enterprises both improve their security postures and lower their fraud losses.
The obvious analogy when it comes to an onion is that of peeling away different layers. When we look at the digital channels (web and mobile) of online applications, we find a whole host of different activities. Some of it is desired, while much of it may be undesired. Yet, more often than not, we try to defend our online applications as a whole, without trying to peel away individual layers of activity that might help us see and understand what is actually going on a whole lot better.
Similarly, say I give you a bucket of water, sand, and rocks from the beach, and I ask you to pull out all of the rocks. You could certainly put your hands in the bucket and attempt to pull out all of the rocks one by one. Or, you might run and get some sort of a strainer, pour the contents of the bucket through the strainer, and find yourself left with all of the rocks. The first method is a brute force of sorts – diving right in without considering whether tools may help complete the job more efficiently. It is equivalent to looking at the onion without peeling away any of the layers. The second method, on the other hand, uses tools to more efficiently complete the work. That is akin to peeling away layers of the onion to better understand it.
When looking to detect security breaches and fraud events within our online applications, we must first understand that we most likely have a combination of automated traffic (bots), manual fraud (fraudsters), and legitimate customer traffic (what we want). Having all three of these mixed together creates a large volume of data, much of it noise. It is extremely difficult to identify, analyze, and investigate any traffic of interest when looking across the entirety of the traffic, noise included.
Tomi Engdahl says:
Number of Ransomware Attacks on Industrial Orgs Drops Following Conti Shutdown
https://www.securityweek.com/number-ransomware-attacks-industrial-orgs-drops-following-conti-shutdown
The number of ransomware attacks on industrial organizations decreased from 158 in the first quarter of 2022 to 125 in the second quarter, and it may be — at least partially — a result of the Conti operation shutting down.
According to data collected by industrial cybersecurity firm Dragos, Conti accounted for a significant chunk of the ransomware attacks on industrial organizations and infrastructure in the previous quarters and the threat actor’s decision to pull the plug on the operation in May could have led to the drop in the number of attacks in the second quarter.
Experts believe the Conti operation, which had been a highly profitable business, was shut down after the brand became toxic following some of the group’s members openly expressing support for Russia after it launched its invasion of Ukraine.
The Conti brand may have been terminated, but experts believe its leaders are still active, continuing their work through several smaller ransomware operations, including Karakurt, Black Basta, BlackByte, AlphV (BlackCat), HIVE, HelloKitty (FiveHands), and AvosLocker.
According to Dragos, 33% of the ransomware attacks in Q2 were launched by the LockBit group, followed by Conti (13%), Black Basta (12%), Quantum (7%), AlphV (4%) and Hive (4%).
Tomi Engdahl says:
https://pentestmag.com/exploiting-remote-file-inclusion-with-smb/
Tomi Engdahl says:
Ex-CISA chief Krebs calls for US to get serious on security
Black Hat kicks off with call for single infosec agency with real clout and less confused crossover
https://www.theregister.com/2022/08/10/krebs_black_hat/
BLACK HAT It’s time to reorganize the US government and create a new agency focused solely on digital risk management services, according to former CISA director Chris Krebs.
“And I’m ready to lead that charge,” he said, during the Black Hat USA infosec conference’s opening keynote on Wednesday.
Or, if that’s too ambitious for Uncle Sam, Krebs proposed to at least pull CISA out of the Department of Homeland Security and make it a sub-cabinet agency that’s allowed to operate independently.
Krebs, of course, served as the first director of the CISA, which was created in 2018 largely as a response to Russia and other nation states interfering in US elections. He was famously fired in 2020 via tweet by President Donald Trump for disputing the lame-duck president’s Big Lie over the 2020 US election results.
“I’m ready to make the argument that the digital environment around us has changed so dramatically in the last 25 years, while our government hasn’t kept up,” he said on stage in Las Vegas. “It’s time to rethink the way government interacts with technology.”
The Aspen Institute, a homeland security policy think-tank where Krebs is a commissioner, will tackle this issue, too. Krebs said it will examine different ways in which the government could do a better job at managing digital risk.
“We could see, from a far end of the spectrum: a heavy package of establishing a US digital agency that could take elements of CISA, elements of NIST and NTIA, the Department of Energy and the National Labs, maybe bits and pieces of the FTC and the FCC,” Krebs said.
This risk-management agency’s scope would extend beyond cybersecurity, he added. “I’m not just talking about cyber, I’m talking about privacy, talking about trust and safety issues,” Krebs said. “We’re not where we need to be. We’re falling behind and Americans are suffering as a result.”
However, he also acknowledged that US lawmakers’ leadership on this issue is – ahem – sorely lacking.
“So we’re gonna have to look at different possible outcomes,” Krebs said, noting that making CISA its own sub-cabinet agency is one such possibility. But this effort also requires private security company buy-in, plus the larger researcher community that has descended on Vegas this week for summer camp.
Ransomware: industry, government’s ‘biggest collective fail’
Krebs also chastised both government and the private sector for the rise of ransomware over the past couple of years, which he said represents the “biggest collective falling down of government, of industry.”
“What is ransomware? It is a bad guy that’s figured out how to monetize a vulnerability or misconfigured system,” Krebs said.
In other words: overly complex and interconnected software and security environments make it easier for the criminals to find holes to exploit, and the rise of cryptocurrency makes it easier for them to launder their gains without fear of prosecution from safe-harbor nations like Russia, China and North Korea, among others.
“What that’s done in the meantime, is distracting our intelligence community, our national security community that was five years ago focused on the highest sort of threat,” such as Russia’s GRU, China’s MSS and other nation-state cyber threats, Krebs said. “Now they have to broaden their view of threat actors to include cyber criminals.”
“My take here is that we’ve kind of fetishized the advanced persistent threat,” instead of considering the opportunistic nature of most cybercriminals.
“Companies that are shipping products are shipping targets,” Krebs said, quoting his business partner Stamos.
“If you’re hosting a service, you’re the target,” he added, referring to the supply chain attacks (like SolarWinds) against internet and managed services providers that allow miscreants to find one vulnerability and use it to breach multiple organizations.
Criminals “understand the dependencies and the trust connections that we have on our software services and technology providers,” Krebs said. “And they’re working up the ladder through the supply chain.”
Plus, when organizations are hit by ransomware or another cyberattack, the government doesn’t make it easy for them to get help from the Feds — or even to know which agency should be their starting point for their reporting and recovery efforts.
“Is it the FBI? Is it CISA? Is it the Department of Energy? Is it Treasury? It’s still just too hard to work with government, and the value prop isn’t as clear as it needs to be.”
Tomi Engdahl says:
The SEC’s cyberattack reporting rules are seeing fierce opposition. CISA is poised to do better.
https://www.protocol.com/enterprise/sec-cisa-cyberattack-incident-reporting
CISA’s initiative to regulate critical infrastructure on incident reporting is just beginning. The focus on industry engagement by CISA and its director, Jen Easterly, could be about to pay off.
As the chief information security officer of a large, publicly traded tech company, Drew Simonis has been keeping a close eye on the SEC’s proposed rules to require reporting of major cyberattacks.
Simonis, who works at Juniper Networks, has some serious concerns shared by many executives in U.S. private industry. Some of the proposed cyber incident reporting rules seem like they’d be counterproductive to the goal of creating transparency, and would likely just increase confusion for corporate shareholders, he said. Overall, by requiring public disclosure of major cyber incidents within four business days, the approach seems to lack a basic understanding of the “fluid nature of security events,” Simonis said.
“Often, you just don’t know within four days what the real facts are,”
As written, the proposed SEC rules essentially require companies to “make very important decisions with very little information.”
Meanwhile, another federal agency — which has its own set of cyber incident reporting regulations in the works, separate from the SEC’s — has been carrying itself much differently,
The Cybersecurity and Infrastructure Security Agency has brought a welcome change in approach compared to the way most federal agencies have engaged with companies around security issues in the past, security professionals told Protocol.
As a result, when comparing the two major federal efforts that are currently seeking to ramp up cyber incident reporting in the U.S., the difference between the approaches taken by CISA and the SEC becomes clear.
Security executives believe the efforts of CISA director Jen Easterly and the rest of the agency’s leadership team have helped bring the public-private cybersecurity partnership to an all-time high in the U.S.
With the CISA-led rule-making process now set to kick off around cyber incident reporting for critical infrastructure providers, however, the strength of that partnership could be put to the test.
Improving threat tracking
Information sharing is pivotal in the cybersecurity space given the fast-changing nature of threats. The amount of data a security team has about the latest attacker tactics can make or break its defense strategy, and that information also helps government agencies decide how to respond.
Until now, CISA has had very little regulatory authority. Under the leadership of original director Chris Krebs, and now Easterly, much of the emphasis has been on getting government and industry more comfortable working together, but on a voluntary basis.
The government is still hearing about only a “tiny fraction” of the ransomware breaches and other cyberattacks that are hitting businesses, which weakens threat-tracking efforts, a CISA official reportedly said in June.
That’s what the forthcoming regulations seek to address. The Cyber Incident Reporting for Critical Infrastructure Act was passed by Congress and signed by President Biden in March. It paves the way for mandatory reporting of major cyber incidents by companies in 16 critical infrastructure sectors within 72 hours.
Ransomware payments made by covered companies would need to be reported within 24 hours. Crucially though, unlike in the SEC proposal, details on cyberattacks disclosed to CISA would be anonymized before any public disclosure.
“You’ve got all these challenges around, ‘How much do I want to share? What is risky for me to share? Is there a chance that a competitor could find out about this? Is there a chance that this could cause further brand damage or loss of confidence in us?’” Rogers said.
With the rule-making process just getting underway, critical infrastructure providers that would be subject to the regulations appear to be in “wait-and-see mode,
In late June, a coalition of 34 industry groups signed a letter to the SEC sharply criticizing the proposed incident reporting rules.
“Many in the business community strongly believe that the Commission’s proposal should not be finalized in its current form,” the groups — which include the Chamber of Commerce, the American Gas Association and USTelecom — wrote in the letter.
Sen. Rob Portman wrote in comments submitted to the SEC that the agency should reconsider or “revise substantially” its proposal. Congress has intended the Critical Infrastructure Act to be “the primary mechanism for companies to report cyber incidents,” Portman, who co-authored the act, wrote.
Tomi Engdahl says:
“I think that the government would even admit that there are a lot of challenges around the patchwork of cyber incident reporting requirements that are being imposed on industry,”
On the whole, CISA is focused on “not overly burdening the private sector” around incident reporting, Easterly said during a panel at the RSA Conference in June. The agency wants to avoid making things worse for businesses “when they’re trying to deal with an incident under duress,” she said.
Cybersecurity executives say that the launch of the Joint Cyber Defense Collaborative shortly after the start of Easterly’s tenure has been instrumental in improving relations between the public and private sectors. The group brings together 21 major cybersecurity vendors with the FBI, NSA, DOJ, DOD and other federal agencies.
The trust has grown as the JCDC participants have spent more time with each other, said Splunk’s Wright. “And along with the trust, I think that you move a little closer, you do a little bit more.”
“There’s a really broad recognition nowadays that the government has really helped close that gap,” MacMillan said. “They’re clearing information [for distribution] that’s actionable and useful.”
For instance, with the disclosure of the critical Log4Shell vulnerability in December 2021, CISA rapidly distributed practical information for defenders
Finding the balance
Wales, the CISA executive director, said in a statement provided to Protocol that the agency will focus on striking the right balance while implementing the legislation. “We will balance the need for information to be shared quickly, letting victims respond to an attack without imposing onerous requirements, and getting accurate information that enables CISA to protect the broader cyber ecosystem,” he said.
“We’ve heard this a lot from the government over the years: ‘How can we collaborate better?’ That’s been a pretty consistent theme,” said Juniper Networks’ Simonis, who’s had a two-decade career in information security. But “CISA seems to be able to bring that collaborative spirit to life in a way that other agencies didn’t quite accomplish.”
https://www.protocol.com/enterprise/sec-cisa-cyberattack-incident-reporting
Tomi Engdahl says:
How to Compromise a Modern-Day Network
https://securityintelligence.com/posts/how-to-compromise-modern-day-network/
An insidious issue has been slowly growing under the noses of IT admins and security professionals for the past twenty years. As companies evolved to meet the technological demands of the early 2000s, they became increasingly dependent on vulnerable technology deployed within their internal network stack. While security evolved to patch known vulnerabilities, many companies have been unable to implement released patches due to a dependence on legacy technology.
In just 2022 alone, X-Force Red found that 90% of all on-prem Active Directory deployments that were tested were vulnerable to attacks due to the existence of these legacy technologies. Furthermore, the complexity of enterprise networks has grown exponentially, leading to a sprawling landscape of misconfigurations. These misconfigurations are used in a significant number of attacks, which we highlighted in our X-Force Threat Intelligence Index 2022.
Tomi Engdahl says:
Conti Cybercrime Cartel Using ‘BazarCall’ Phishing Attacks as Initial Attack Vector https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.html
Three different offshoots of the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. “Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology,” cybersecurity firm AdvIntel said in a Wednesday report.
These targeted campaigns “substantially increased” attacks against entities in finance, technology, legal, and insurance sectors, the company added.
Tomi Engdahl says:
How Adversaries Use Spear Phishing to Target Engineering Staff https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/
Spear phishing is one of the most commonly used initial access vectors adversaries leverage to gain a foothold into a network. However, sometimes when we think about phishing, we focus too much on generalist lures and themes not pointed at a specific target. Theming such as fake invoices, third-party supplier masquerading, and impersonation of key business personnel such as C-level executives immediately come to mind. Typically, these campaigns are aimed at a broad recipient group across an organization or industry vertical.
However, some recent spear-phishing campaigns have used a more refined approach and specifically have targeted engineering staff or staff involved with critical operations. If the user clicks on the link in the spear-phished email, and subsequently the malicious payload executes and captures credentials, the adversary may directly access the operational technology (OT) network. Getting access in this way is faster than traditional methods of spear phishing a wide net of victims, getting execution, then pivoting through the informational technology (IT) environment into the OT environment. If they can refine the theming of the phishing lure to be specific to engineering, which may result in a higher click rate, then they can obtain access to machines that have dual access to both the IT and OT networks or the victim’s credentials for both network environments.
Tomi Engdahl says:
The Hacking of Starlink Terminals Has Begun https://www.wired.com/story/starlink-internet-dish-hack/
Since 2018, Elon Musk’s Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia’s war in Ukraine. Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings. To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack (temporarily shorting the system) to help bypass Starlink’s security protections. This “glitch” allows Wouters to get into previously locked parts of the Starlink system.
