Trend Micro carried out a field test to shed light on the potential security risks involved with implementing Private 5G. Following are the highlights of the test:
1. An open Private 5G system has four possible penetration routes.
2. There are three signal interception points in the core network.
3. The core network can be used as a springboard to attack the manufacturing site.
Penetration routes:
(i) Core Network (CN) hosting server vulnerabilities
(ii) VM/Container attack such as ‘Container Escape’
(iii) Network infrastructure vulnerabilities
(iv) Insecure base station
Signal interception points:
(i) Link between CN and Internet
(ii) The point between serving gateway (SGW) and packet gateway (PGW)
(iii) The point between the base station and the core network
Six attack methods:
(i) MQTT Hijacking – Product damage, manufacturing process impairment
(ii) Modbus/TCP Hijacking – Product damage, manufacturing process impairment
(iii) PLC firmware reset – Product damage, manufacturing process impairment
(iv) DNS Hijacking – Stealing confidential information, malware infection
(v) Remote desktop exploits – Stealing confidential information, lateral movement
(vi) SIM swapping – Stealing confidential information, lateral movement
Recommended safety measures:
(i) Enforcing encryption and authentication/permissions in the core network
(ii) Verifying security at the PoC phase
(iii) Building a structure to detect abnormalities swiftly
https://www.trendmicro.com/en_us/research/21/j/security-risks-with-private-5g-Networks-in-manufacturing-part-3.html
https://www.trendmicro.com/en_us/research/21/k/private-5g-security-risks-in-manufacturing-part-4.html
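As an added illustration of the third recommendation (detecting abnormalities swiftly) applied to the Modbus/TCP hijacking scenario, the following Python is example code written for this summary and is not part of the Trend Micro research. It assumes a hypothetical plant in which only one engineering workstation (10.0.5.10, an assumed address) may issue Modbus write commands; it parses each Modbus/TCP frame's MBAP header and raises an alert for any state-changing function code that comes from another host on the 5G user plane, or for a frame that does not parse. The traffic is constructed for the example, not captured.

```python
import struct
from typing import NamedTuple

# Modbus function codes that change PLC state (coils and holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Assumption for this example: only the engineering workstation may write.
ALLOWED_WRITERS = {"10.0.5.10"}


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, number of
    bytes after the length field, i.e. unit id + PDU), unit id (1).
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, payload[7], payload[8:])


def build_request(tid: int, uid: int, function: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def detect_unauthorized_writes(frames):
    """frames: iterable of (src_ip, dst_ip, payload). Returns a list of alerts."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed: {exc}"})
            continue
        if req.function in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
            alerts.append({
                "src": src, "dst": dst, "unit": req.unit_id,
                "function": WRITE_FUNCTIONS[req.function],
                "reason": "write from host outside the allowlist",
            })
    return alerts


# Constructed traffic (not a real capture): PLC at 10.0.7.20, unit id 1.
SAMPLE_FRAMES = [
    # Engineering workstation reads 10 holding registers: benign.
    ("10.0.5.10", "10.0.7.20", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writes one register: allowed writer.
    ("10.0.5.10", "10.0.7.20", build_request(2, 1, 6, struct.pack(">HH", 1, 0xFF))),
    # Unknown host on the 5G user plane writes a register: alert.
    ("10.0.9.44", "10.0.7.20", build_request(3, 1, 6, struct.pack(">HH", 1, 0))),
    # Same host writes two registers with FC16: alert.
    ("10.0.9.44", "10.0.7.20", build_request(4, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00" * 4)),
    # Frame with protocol id 1: not Modbus, flagged as malformed.
    ("10.0.9.44", "10.0.7.20", b"\x00\x05\x00\x01\x00\x06\x01\x06\x00\x01\x00\x00"),
]


if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FRAMES):
        print(alert)
```

Modbus carries no authentication of its own, so the allowlist here is the only thing distinguishing an engineer from an intruder who has obtained a user-plane address; in practice the same check belongs on a firewall or IDS between the core network and the OT segment, with the allowlist maintained alongside the change-management records for the PLCs.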
Authentication Security: Crafting a Bulletproof Password Reset Process
In today’s fast-paced business environment, employees forgetting passwords or becoming locked out of devices is a headache for both users and IT teams alike. In addition, cyber-attackers are increasingly using the password reset process to gain unauthorized access to organizations’ networks.
This webinar will highlight the common methods used by attackers to gain access to employees’ accounts, and the scale of the damage caused by these compromises.
The panelists will then share insights on how to strengthen your password reset process to keep your data secure and free up your IT team to focus on more pressing matters. They will also highlight the importance of regular password vulnerability audits and how to protect your organization when credentials are compromised.
In this session you will learn:
1) An understanding of the current state of password security
2) How to create a password reset process that is secure, efficient and user-friendly
3) How to implement a rounded password security strategy
https://www.infosecurity-magazine.com/webinars/authentication-security-password/
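The webinar blurb names the password reset flow as an attack path but does not show what a safe one looks like. The Python below is an added example written for this page, not material from the webinar or its panelists. It implements the controls a reviewer checks for in a reset flow: a high-entropy token that is stored only as a hash, a short lifetime (15 minutes is an assumed value), single use, one live token per account, a constant-time comparison, and no account enumeration from the request endpoint. The user store and the password hash are toys standing in for a real database and argon2id/bcrypt.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption for this example: reset links are valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingReset:
    token_hash: bytes   # SHA-256 of the token; the raw token is never stored
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    users: Dict[str, str]                                   # username -> password hash
    pending: Dict[str, PendingReset] = field(default_factory=dict)

    def request_reset(self, username: str, now: float) -> Optional[str]:
        """Issue a fresh token to be e-mailed to the account owner.

        Returns None for unknown users. The HTTP layer must show the same
        generic message in both cases so the endpoint cannot be used to
        enumerate accounts.
        """
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        # One live token per account: a new request supersedes the old link.
        self.pending[username] = PendingReset(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return token

    def complete_reset(self, username: str, token: str,
                       new_password: str, now: float) -> bool:
        """Consume the token and set the new password; False on any failure."""
        entry = self.pending.get(username)
        if entry is None or entry.used or now > entry.expires_at:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison so a wrong token leaks no timing information.
        if not hmac.compare_digest(presented, entry.token_hash):
            return False
        entry.used = True   # single use: the same link cannot be replayed
        # Toy password hash for the example; use argon2id or bcrypt in production.
        self.users[username] = hashlib.sha256(new_password.encode()).hexdigest()
        return True


def run_demo() -> Dict[str, bool]:
    """Exercise the happy path and the abuse cases; returns each outcome."""
    svc = ResetService(users={"alice": "old-hash"})
    t0 = 1_700_000_000.0
    token = svc.request_reset("alice", t0)
    results = {
        "unknown_user_gets_no_token": svc.request_reset("mallory", t0) is None,
        "wrong_token_rejected": svc.complete_reset("alice", "guess", "pw1", t0 + 10),
        "valid_token_accepted": svc.complete_reset("alice", token, "pw1", t0 + 10),
        "replay_rejected": svc.complete_reset("alice", token, "pw2", t0 + 20),
    }
    token2 = svc.request_reset("alice", t0 + 30)
    results["expired_token_rejected"] = svc.complete_reset(
        "alice", token2, "pw3", t0 + 30 + TOKEN_TTL_SECONDS + 1)
    token3 = svc.request_reset("alice", t0 + 40)
    token4 = svc.request_reset("alice", t0 + 50)
    results["superseded_token_rejected"] = svc.complete_reset("alice", token3, "pw4", t0 + 60)
    results["latest_token_accepted"] = svc.complete_reset("alice", token4, "pw4", t0 + 60)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Two things the code cannot do for you: the token must travel only to an address already on file (never to one supplied in the reset request), and a completed reset should invalidate existing sessions and notify the account owner, since a reset the owner did not ask for is itself the indicator of compromise.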
Refund and Invoice Scams Surge in Q4:
https://www.infosecurity-magazine.com/news/refund-and-invoice-scams-surge-in/
Researchers have issued a warning to customers to be on the lookout for scams that use phishing emails and vishing fraud to take their money.
Refund and invoice fraud increased by 14% between October and November 2022, according to Avast, and then by another 22% in December.
To swindle the victim, the former (refund fraud) operates similarly to traditional tech support scams, which frequently mix email and phone routes.
Refund fraud involves a wide range of potential situations, according to the Avast research, including phony emails warning users that they have been charged twice for the same service or good. These emails also include links for customers to request refunds, or users can call a bogus phone number provided in the email instead.
Car companies massively exposed to web vulnerabilities
One thing that caught my attention about this article was how many automobile companies have weaknesses in their systems.
Security researchers warn that the web applications and APIs of significant automakers, telematics (vehicle monitoring and logging technology) providers, and fleet operators were rife with security flaws.
Security researcher Sam Curry outlined vulnerabilities in a thorough analysis that include everything from data theft to account takeover, remote code execution (RCE), and even stealing physical actions like starting and stopping car engines. The results are a worrying sign that the car sector is neglecting to secure its online ecosystem in its rush to introduce digital and online services.
https://portswigger.net/daily-swig/car-companies-massively-exposed-to-web-vulnerabilities
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/a-catastrophic-mutating-event-will-strike-the-world-in-2-years-report-says/ar-AA16OFT3
A Catastrophic Mutating Event Will Strike the World in 2 Years, Report Says (msn.com)
In summary, the article reports that business leaders believe a catastrophic cyber event will happen within the next 2 years. Cyber criminals are financially motivated, and cybercrime will grow into a $10 trillion industry by 2025. “The presentation highlighting the WEF Global Security Outlook Report 2023, is that 93% of cyber leaders believe that a catastrophic cyber event is likely in the next 2 years. This far exceeds anything that we’ve seen in previous surveys.” The article also mentions that global challenges are only growing and cites the cyber-attack aimed at shutting down Ukrainian military abilities.
The presentation called for a global response and coordinated action. World leaders need to work together to prevent cyber-attacks and make new sophisticated tools a priority. An interesting fact in the article is that if cybercrime were a state, it would be the third largest global economy after the U.S. and China.
Hackers use fake crypto job offers to push info-stealing malware
Researchers have recently uncovered an active campaign that targets Eastern Europeans in the cryptocurrency industry to install information-stealing programs under the pretext of false employment. In this campaign, suspected Russian threat actors infected people in the cryptocurrency industry by using a number of highly obfuscated and incompletely developed custom add-ons to launch the Enigma stealer program (Enigma is a modified version of the Stealerium information stealer). In addition to these loaders, the attackers also exploited Intel driver vulnerability CVE-2015-2291 to load malicious drivers with the aim of degrading Microsoft Defender’s token integrity. This case highlights the evolving nature of modular malware that employs highly obfuscated and evasive techniques and leverages continuous integration and continuous delivery principles for ongoing malware development.
https://www.bleepingcomputer.com/news/security/hackers-use-fake-crypto-job-offers-to-push-info-stealing-malware/
A new DDoS-as-a-Service platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. In this kind of attack, threat actors send many requests and garbage traffic to a target server and cause it to stop responding to legitimate requests. The origin is unknown, but it has distinctive ties with other well-known Russian hacking groups. The Passion botnet was leveraged during the attacks on January 27th, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway and other European countries. The operators began promoting their service at the beginning of January 2023, performing several defacements on Japanese and South African organizations. The service operates as a subscription where customers can purchase the desired attack vectors, duration, and intensity. As for the cost of the service, a seven-day subscription costs $30, a month costs $120, while a full year sets threat actors back $1,440. Passion uses the Dstat.cc measurement service to showcase its L4 and L7 attack capabilities and effectiveness against DDoS mitigation providers like Cloudflare and Google Shield. Passion adds to an already flourishing DDoS ecosystem, increasing the problem for organizations worldwide that are on the receiving end of these attacks.
https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platform-used-in-recent-attacks-on-hospitals/
Cloudflare blocks record-breaking 71 million RPS DDoS attack
https://www.bleepingcomputer.com/news/security/cloudflare-blocks-record-breaking-71-million-rps-ddos-attack/
Cloudflare, a cybersecurity company that provides internet infrastructure and security services, successfully mitigated a record-breaking Distributed Denial of Service (DDoS) attack that reached 71 million requests per second (RPS). The attack was carried out by an unknown attacker and targeted one of Cloudflare’s customers. Cloudflare’s DDoS protection systems were able to handle the massive traffic, and the attack was mitigated within minutes. The company noted that the attack was several times larger than any other DDoS attack it had seen before. Cloudflare’s ability to handle such a massive attack is a testament to its infrastructure and the effectiveness of its DDoS protection systems.
Cloudflare was able to mitigate the record-breaking DDoS attack by utilizing a combination of techniques and technologies. Some of these techniques include rate limiting, filtering, and routing traffic through its global network of data centers. Cloudflare also employs machine learning and behavioral analysis to detect and block malicious traffic. In this specific attack, Cloudflare was able to leverage its DDoS protection systems to handle the massive traffic volume and block the attack within minutes. Additionally, Cloudflare continuously monitors and adjusts its defense systems to stay ahead of emerging threats.
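Rate limiting is the first technique named above, so here is what one looks like in code. This is an added example for this page, not Cloudflare's implementation: a per-client token bucket, the usual shape of an edge rate limiter, replayed over a constructed 10-second trace with one legitimate client and three bots. The burst size, refill rate and client addresses are assumed values. Token counts are kept as integer millitokens so the replay is exact.

```python
from typing import Dict, Tuple


class TokenBucketLimiter:
    """Per-client token bucket.

    Each client may burst up to `burst` requests and then sustain
    `rate_per_sec` requests per second; anything beyond that is dropped
    (an edge would answer HTTP 429 or simply discard the request).
    Tokens are kept in integer millitokens so the arithmetic is exact.
    """

    def __init__(self, burst: int, rate_per_sec: int):
        self.capacity = burst * 1000          # millitokens
        self.rate = rate_per_sec              # millitokens per millisecond
        self.buckets: Dict[str, Tuple[int, int]] = {}   # client -> (tokens, last_ms)

    def allow(self, client: str, now_ms: int) -> bool:
        tokens, last = self.buckets.get(client, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[client] = (tokens - 1000, now_ms)
            return True
        self.buckets[client] = (tokens, now_ms)   # refill is credited, request dropped
        return False


def simulate(duration_ms: int = 10_000) -> Dict[str, Tuple[int, int]]:
    """Replay a constructed 10-second trace: one legitimate client at 2 rps
    and three bots at 50 rps each. Returns {class: (accepted, dropped)}."""
    limiter = TokenBucketLimiter(burst=10, rate_per_sec=5)
    events = [(t, "legit") for t in range(0, duration_ms, 500)]
    for bot in ("bot-1", "bot-2", "bot-3"):
        events += [(t, bot) for t in range(0, duration_ms, 20)]
    stats = {"legit": [0, 0], "bots": [0, 0]}   # [accepted, dropped]
    for t, client in sorted(events):             # process in arrival order
        key = "legit" if client == "legit" else "bots"
        stats[key][0 if limiter.allow(client, t) else 1] += 1
    return {k: (v[0], v[1]) for k, v in stats.items()}


if __name__ == "__main__":
    print(simulate())
```

The legitimate client never loses a request while each bot is cut back to its 10-request burst plus 5 per second. The caveat is also visible in the design: the bucket is keyed per client, so a botnet large enough that every source stays under the limit passes untouched, which is why edge providers pair this with the fingerprinting and behavioral analysis mentioned above.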
North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations
The article I have chosen to highlight this week speaks to North Korean nation state actors attempting to encrypt healthcare data. As previously seen, in order to restore your files, you must pay a ransom in the form of crypto. Both South Korea and the US have joined together to warn hospitals of the ever-growing threat. The article highlights mitigating controls in order to help reduce the likelihood of falling prey to these ransomware attacks. “The agencies recommend organizations to implement the principle of least privilege, disable unnecessary network device management interfaces, enforce multi-layer network segmentation, require phishing-resistant authentication controls, and maintain periodic data backups.”
https://thehackernews.com/2023/02/north-korean-hackers-targeting.html
Potential cyber-attack hits Victoria’s peak fire response agency.
Fire Rescue Victoria (FRV) was forced to shut down its systems after it suffered a mystery outage which brought down crucial dispatch systems.
The shutdown means firefighters are reverting to radios and mobile phones to receive information, and it also impacted the organization’s internal email system and website. This is a very good example of a DDoS attack. It’s interesting to note that no industry or agency is immune to this kind of attack, and it could lead to financial loss and operational mishaps.
https://www.9news.com.au/national/fire-rescue-victoria-potential-cyber-attack-manual-operation/1f86f247-d761-4fc0-afef-8e9fab821a38
On February 5, Reddit was hit by a cyber attack. Its internal systems were hit by a “sophisticated” and “highly targeted” phishing attack that compromised employee credentials.
“The attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens. After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”
However, Reddit said there was “no indication” that the company’s main production system, where most of its data is stored, had been breached. The exposed data is the limited contact information for company contacts and employees.
https://www.infosecurity-magazine.com/news/reddit-hit-phishing-attack-source/
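The Reddit statement says the clone site was built to capture "credentials and second-factor tokens", which is exactly the case where a code-based second factor fails and an origin-bound one holds. The Python below is an added example for this page, not Reddit's code: it simulates the relay. A victim enters a password and TOTP code on a lookalike origin (intranet-example.com, an assumed name) and the attacker replays them to the real gateway within the 30-second window; then the same victim uses a WebAuthn-style key, whose browser stamps the origin it is actually on into the signed client data, so the real gateway rejects it. The TOTP routine is RFC 6238 (HMAC-SHA1); the key's "signature" is an HMAC under a key shared at registration, a stand-in for the public-key signature a real authenticator produces.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RelyingParty:
    """The real intranet gateway (the origin is an assumed example value)."""

    def __init__(self, origin: str):
        self.origin = origin
        self.password = "correct horse battery staple"   # toy credential
        self.totp_secret = b"12345678901234567890"       # RFC 6238 test secret
        self.cred_key = secrets.token_bytes(32)          # shared with the key at registration
        self.challenges = set()

    def login_password_totp(self, password: str, code: str, now: int) -> bool:
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.totp_secret, now)))

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, client_data: bytes, signature: bytes) -> bool:
        cd = json.loads(client_data)
        challenge = base64.urlsafe_b64decode(cd["challenge"])
        if challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)               # single use
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False                                 # origin binding: a clone's origin fails here
        expected = hmac.new(self.cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Authenticator:
    """User's security key. The browser, not the user, fills in the origin."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def get_assertion(self, challenge: bytes, browser_origin: str):
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": base64.urlsafe_b64encode(challenge).decode(),
            "origin": browser_origin,
        }, sort_keys=True).encode()
        # Stand-in for the ECDSA signature over sha256(clientDataJSON).
        signature = hmac.new(self.cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, signature


def run_demo() -> Dict[str, bool]:
    real = RelyingParty("https://intranet.example.com")
    key = Authenticator(real.cred_key)
    phishing_origin = "https://intranet-example.com"    # lookalike the victim lands on
    now = 1_700_000_000

    # 1. Password + TOTP: the victim types both into the clone; the attacker relays
    #    them to the real gateway a few seconds later, inside the 30-second window.
    stolen_password, stolen_code = real.password, totp(real.totp_secret, now)
    totp_relay_succeeds = real.login_password_totp(stolen_password, stolen_code, now + 5)

    # 2. Origin-bound key: the proxy fetches a genuine challenge, but the victim's
    #    browser writes the clone's origin into clientData, so the real gateway
    #    rejects the assertion even though the signature itself is valid.
    challenge = real.new_challenge()
    client_data, sig = key.get_assertion(challenge, phishing_origin)
    webauthn_relay_succeeds = real.login_webauthn(client_data, sig)

    # 3. The same key on the genuine site works.
    challenge = real.new_challenge()
    client_data, sig = key.get_assertion(challenge, real.origin)
    legit_login_succeeds = real.login_webauthn(client_data, sig)

    return {"totp_relay_succeeds": totp_relay_succeeds,
            "webauthn_relay_succeeds": webauthn_relay_succeeds,
            "legit_webauthn_succeeds": legit_login_succeeds}


if __name__ == "__main__":
    print(run_demo())
```

The relay beats TOTP because the code proves only that the user holds the secret, not where they are typing it; the origin check in login_webauthn is the one line that turns the clone's perfectly valid signature into a rejected login. This is the property the "phishing-resistant authentication" recommendation in the healthcare advisory above is asking for.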
Lumen research reveals latest DDoS stats, trends, predictions and costs
The report includes 2023 predictions, a DDoS cost breakdown, and 2022 Q4 and full-year data from the Lumen DDoS mitigation service. Nearly 90% of Q4 DDoS attacks were potentially “hit and run” style probing attacks (smaller attacks can be effective tools for gathering valuable intelligence about a target’s defenses, response capabilities, and potential payload, which can eventually be utilized to plan a large attack). According to the Q4 2022 numbers, the largest attacks targeted the Telecoms, Software & Technology and Gaming industries, while the most common attack methods were Domain Name System (DNS) Amplification and TCP SYN Flooding.
https://www.yahoo.com/lifestyle/lumen-research-reveals-latest-ddos-125700360.html
https://assets.lumen.com/is/content/Lumen/lumen-quarterly-ddos-report-q-4-22
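The two most common methods in the report, DNS amplification and SYN flooding, each leave a distinctive shape in flow records, which is how a SOC without a scrubbing provider usually spots them. The Python below is an added example for this page, not Lumen's detection logic. It runs two checks over constructed NetFlow-style records: a host receiving large DNS responses (UDP source port 53) from many servers it never queried, and a service port receiving SYN-only flows from many sources of which almost none complete a handshake. The thresholds and addresses are assumed values for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX-style), constructed for the example."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "udp" or "tcp"
    packets: int
    nbytes: int
    flags: str = ""  # TCP flags seen in the flow, e.g. "S", "SA", "PA"


def detect_dns_amplification(flows: List[Flow], min_reflectors: int = 5,
                             min_avg_bytes: int = 1000) -> Dict[str, dict]:
    """Flag hosts receiving large DNS responses (UDP source port 53) from many
    distinct servers to which they never sent a query: the signature of
    reflected, amplified traffic rather than of a busy resolver client."""
    queries = {(f.src, f.dst) for f in flows if f.proto == "udp" and f.dport == 53}
    unsolicited = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.sport == 53 and (f.dst, f.src) not in queries:
            unsolicited[f.dst].append(f)
    alerts = {}
    for victim, fl in unsolicited.items():
        reflectors = {f.src for f in fl}
        avg_bytes = sum(f.nbytes for f in fl) / sum(f.packets for f in fl)
        if len(reflectors) >= min_reflectors and avg_bytes >= min_avg_bytes:
            alerts[victim] = {"reflectors": len(reflectors),
                              "avg_response_bytes": round(avg_bytes)}
    return alerts


def detect_syn_flood(flows: List[Flow], min_sources: int = 5,
                     max_handshake_ratio: float = 0.1) -> Dict[Tuple[str, int], dict]:
    """Flag (dst, port) pairs that see SYN-only flows from many sources while
    almost none of the sources go on to an established connection."""
    syn_only = defaultdict(set)
    established = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.dst, f.dport)
        if f.flags == "S":
            syn_only[key].add(f.src)
        elif "A" in f.flags:
            established[key].add(f.src)
    alerts = {}
    for key, sources in syn_only.items():
        done = len(established.get(key, ()))
        ratio = done / (len(sources) + done)
        if len(sources) >= min_sources and ratio <= max_handshake_ratio:
            alerts[key] = {"syn_only_sources": len(sources),
                           "handshake_ratio": round(ratio, 2)}
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed records: a normal lookup, a reflection attack on
    203.0.113.10, ordinary HTTPS traffic to .20 and a SYN flood on .30:80."""
    flows = [
        Flow("203.0.113.10", 51000, "198.51.100.1", 53, "udp", 1, 70),    # query
        Flow("198.51.100.1", 53, "203.0.113.10", 51000, "udp", 1, 120),   # answer
    ]
    for i in range(1, 7):   # six open resolvers abused as reflectors
        flows.append(Flow(f"192.0.2.{i}", 53, "203.0.113.10", 4444, "udp", 50, 150_000))
    for i in range(1, 11):  # ten clients completing handshakes to the web server
        flows.append(Flow(f"198.51.100.{i + 10}", 40000 + i, "203.0.113.20", 443, "tcp", 12, 9000, "PA"))
    flows.append(Flow("198.51.100.99", 40500, "203.0.113.20", 443, "tcp", 1, 60, "S"))  # one retry
    for i in range(1, 21):  # twenty spoofed sources that only ever send SYN
        flows.append(Flow(f"198.18.0.{i}", 1024 + i, "203.0.113.30", 80, "tcp", 1, 60, "S"))
    flows.append(Flow("198.51.100.7", 41000, "203.0.113.30", 80, "tcp", 8, 5000, "PA"))
    return flows


def run_demo():
    flows = sample_flows()
    return detect_dns_amplification(flows), detect_syn_flood(flows)


if __name__ == "__main__":
    dns_alerts, syn_alerts = run_demo()
    print("DNS amplification:", dns_alerts)
    print("SYN flood:", syn_alerts)
```

The web server with ten completed sessions and one stray SYN is left alone, while the flooded port and the reflection victim are both flagged. The "unsolicited response" test matters for the DNS check: a busy recursive client also receives many responses from port 53, but it sent the matching queries, which is why the detector indexes outbound queries first.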
GoAnywhere Zero-Day Attack Victims Start Disclosing Significant Impact
The vulnerability, tracked as CVE-2023-0669, was disclosed by GoAnywhere developer Fortra on February 1, after the company became aware of in-the-wild exploitation. Mitigations and indicators of compromise (IoCs) were released immediately, but a patch was only made available a week later. Community Health Systems (CHS), one of the largest healthcare services providers in the United States, revealed that a “security breach experienced by Fortra” resulted in the exposure of personal and protected health information (PHI) belonging to patients of CHS affiliates. The organization is conducting an investigation, but it currently estimates that roughly one million individuals may have been impacted by the incident. CHS said the breach does not appear to have had any impact on its own information systems and business operations, including the delivery of patient care.
Cybersecurity firm Huntress reported last week that it had investigated an attack apparently exploiting CVE-2023-0669 and managed to link it to a Russian-speaking threat actor named Silence. This group has also been tied to TA505, a threat group known for distributing the Cl0p ransomware.
https://www.securityweek.com/goanywhere-zero-day-attack-victims-start-disclosing-significant-impact/
The world’s leading forum for debating international security policy, the Munich Security Conference (MSC), assembles more than 450 senior decision-makers to debate pressing issues of international security policy. The 59th Munich Security Conference will take place from February 17 to 19, 2023, at the Hotel Bayerischer Hof in Munich, Germany.
A major concern for stakeholders and participants is Huawei 5G technology and the related security risks. The article mentions that Huawei is considered a “high-risk vendor” in certain strategic geographic areas in Europe.
Maximilian Funke-Kaiser, a liberal member of the German Bundestag and digital policy speaker for the government party Free Democratic Party (FDP) claims “The use of Huawei technology in the mobile network runs counter to Germany’s security policy goals,” and calls it “a mistake in view of the Chinese company’s closeness to the state.”
A lot of complexities and uncertainties surround this meeting and I am anticipating seeing the outcome.
https://www.politico.eu/article/munich-security-conference-huawei-mast-5g-germany/