In what is one of the bigger news items of the week, the FBI has had one of their servers compromised and fake emails sent out from it. Since the emails were sent from one of the FBI’s servers they appeared legitimate in nature, as they actually came from their domain. The emails that were sent out were a false warning that the FBI had detected a chain attack and that the company’s virtual servers had been exfiltrated. It also laid blame for the attack at Vinny Troia’s feet, who is the founder of infosec firms Shadow Byte Cyber and Night Lion Security. It does not appear that this is the case. In total about 100,000 of these emails were able to be sent out before the campaign was stopped.
https://www.theregister.com/2021/11/15/fbi_fake_emails/
I found this article about Vice President Cybersecurity Advisor Network – Peter Coroneos explains the “Zero day vulnerabilities are flaws in software or systems code that leaves end users open to attack.
“They are called ‘zero day’ because they are either unknown to the vendor who produced the product, or are known but no patch has yet been made available.
“The period between when the zero day is first discovered by an attacker and when the patch is installed by the end user is the attack window in which a compromise can occur. The consequences can be vast and most serious attacks these days involve zero day exploits.”
“The first famous zero day attack was Stuxnet in 2009 against the Iranian uranium enrichment program. More recent attacks include WannaCry, NotPeyta, SolarWinds, MS Exchange Server hacks of 2021 and the infamous Colonial Pipeline ransomware attack.”
“‘White hat’ zero day researchers form a critical piece in the remediation of exploitable connected systems. They uncover the existence of unpatched vulnerabilities and report them to vendors of the relevant products they can be fixed. Regrettably, they face legal threats from some vendors sensitive to the discovery of flaws in their products.
Most digital security incidents are caused by malicious actors (e.g. cybercriminals and state-sponsored groups) exploiting vulnerabilities in organisations’ digital ecosystems. Addressing vulnerabilities before attackers take advantage of them is an effective means of reducing the probability of cybersecurity incidents. This article discusses vulnerabilities in products’ code such as software and firmware, and in how products are implemented in information systems. It shows that the technical community has progressed in developing good practice for treating vulnerabilities, including through co-ordinated vulnerability disclosure (CVD). However, significant economic and social challenges prevent stakeholders from adopting good practice, such as legal frameworks that do not sufficiently protect “ethical hackers” from legal proceedings. The paper stresses that public policies aimed at removing obstacles and encouraging vulnerability treatment could significantly reduce digital security risk for all.
https://itwire.com/security/video-interview-cyan-vp-peter-coroneos-explains-why-laws-are-needed-to-protect-ethical-zero-day-cyber-research.html