Google Says Chrome Cookie Replacement Plan Making Progress
The company gave an update Monday on its work to remove from its Chrome browser so-called third-party cookies, which are used by a website’s advertisers or partners and can be used to track a user’s internet browsing habits.
Google said it was releasing new data on one proposed technology, which does away with “individual identifiers” and instead groups users into large demographic flocks.
https://www.securityweek.com/google-says-chrome-cookie-replacement-plan-making-progress?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
Woodland Trust is the UK’s largest woodland conservation charity, which was the victim of a cyber security incident back on December 14th, 2020. The details of the incident have not been released yet as Woodland Trust is working with the authorities to investigate the breach. However, the charity is still experiencing disruption to their business because many of their systems are still offline. There are half a million members of the charity and the investigation will help determine if any personal data has been stolen as a result of the breach. The article mentions the affected systems have been taken offline to prevent unauthorized access.
I think this scenario shows the importance of having a disaster recovery plan. If the main infrastructure is affected, an organization can fail over to the disaster site and resume business operations. Additionally, it is important to have alternative business processes. For example, if a manual paper process has been migrated to a fully electronic process, an organization should keep the manual process in case their electronic process is taken offline.
https://www.zdnet.com/article/a-month-after-a-high-level-cyberattack-charity-says-many-it-systems-are-still-offline/
President-elect Joe Biden has proposed a 9 billion funding injection to shore up the US’s cyber security capabilities, enhancing the work of the country’s cyber security and information security agency, alongside a wider security upgrade across the federal government. The proposals are designed to help remediate the impact of the December 2020 SolarWinds Solorigate/Sunburst breach – a long-running cyber espionage campaign probably conducted at Moscow’s behest, which has impacted multiple agencies of the federal government, as well as tech companies – as well as to bolster the US’s defenses around the Covid-19 vaccine process, which has itself attracted the attention of malicious actors. Also, Biden is proposing to invest a total of $300m to build new secure technology programs at the GSA, $200m to surge the recruitment of new cyber security technology and engineering expertise, and $690m to improve security monitoring and incident response across the government.
https://www.computerweekly.com/news/252494895/US-cyber-security-agencies-get-9bn-in-Biden-plan
Tiki Wiki authentication bypass flaw gives attackers full control of websites, intranets
A security researcher has detailed how Tiki Wiki, an open source wiki-based content management system, allowed an unauthenticated attacker to bypass login and gain remote access as admin. The vulnerability in the platform could allow full control of the target account in Tiki Wiki versions prior to 21.2. After 50 invalid login attempts, the account locks, and it is then that an attacker can use an empty password to authenticate as admin, gaining full control of the whole content management system.
The vulnerability (CVE-2020-15906) was assigned a score of 9.3/10 and was patched immediately, and users were asked to upgrade to the latest version.
https://portswigger.net/daily-swig/tiki-wiki-authentication-bypass-flaw-gives-attackers-full-control-of-websites-intranets
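The failure mode in the post above (a lockout after 50 bad attempts that then accepts an empty password) modeled in Python, as an added example that is not Tiki Wiki’s code: the defective variant assumes the lockout "disables" the account by blanking its stored credential, which a legacy derive function then matches against empty input; the fail-closed variant rejects locked accounts and empty passwords before comparing anything and never touches the stored credential.

```python
"""Account lockout modeled two ways: a defective 'lock by blanking the credential'
variant and a fail-closed variant. Added example; not Tiki Wiki's code. The
blanking mechanism is an assumption used to reproduce the behaviour the post
describes (after the lockout threshold, an empty password authenticates)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 50  # attempts before lockout, as described in the post
PBKDF2_ITERATIONS = 1_000  # kept low so the demo runs quickly; use far more in production


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the submitted password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, derive(password, salt))


# --- defective variant ----------------------------------------------------

def legacy_derive(password: str, salt: bytes) -> bytes:
    """Modeled legacy behaviour (assumption): empty input yields an empty digest."""
    if not password:
        return b""
    return derive(password, salt)


def vulnerable_login(acct: Account, password: str) -> bool:
    """Locks by blanking the stored hash, then keeps comparing against it.
    Once locked, stored b"" == legacy_derive("") and an empty password succeeds."""
    if legacy_derive(password, acct.salt) == acct.pw_hash:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
        acct.pw_hash = b""  # the defect: "disabling" the account by blanking its credential
    return False


# --- fail-closed variant --------------------------------------------------

def hardened_login(acct: Account, password: str) -> bool:
    """Locked accounts, empty passwords and empty stored credentials are rejected
    before any comparison; the lockout path only flips a state flag."""
    if acct.locked or not password or not acct.pw_hash:
        return False
    if hmac.compare_digest(derive(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True  # credential left intact; unlock is an explicit admin action
    return False


def lockout_then_empty_password(login) -> tuple:
    """Drive a login function past the threshold with wrong passwords, then try
    the empty password and the real one. Returns (locked, empty_ok, real_ok)."""
    acct = make_account("admin", "correct horse battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        login(acct, "wrong-password")
    return acct.locked, login(acct, ""), login(acct, "correct horse battery staple")


if __name__ == "__main__":
    print("vulnerable:", lockout_then_empty_password(vulnerable_login))  # (True, True, False)
    print("hardened:  ", lockout_then_empty_password(hardened_login))    # (True, False, False)
```

The regression check `lockout_then_empty_password` is the kind of test to keep in a login module's suite: a locked account must reject every password, the empty one included.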
SocialArks is a social media management company that solves the problems of brand building, marketing, and social customer management in China’s foreign trade sector. On January 12, 2021, the start-up company suffered a massive data breach, exposing more than 400GB of personal data, including that of several high-profile celebrities and social media influencers. SocialArks owns a database called ElasticSearch, and this misconfigured database contained personally identifiable information of users from social media platforms. The database server was exposed on the internet without any security key, encryption, or passwords, and had all the data saved in segmented indices holding the information from different social media sources. Out of 318 million total records exposed, around 11 million user profiles were collected from Instagram, while 6 million profiles came from LinkedIn users. Almost 8 million profiles were from Facebook users. All of this data included biographies, phone numbers, email addresses, the total number of followers, comments, most used hashtags, etc. Whatever activity these users were doing on their social platforms, some of that information was present in this database. Given that this was a company responsible for the security of social media accounts, which inevitably contain some sort of PII, the security of the database server should have been a number one priority. Not only is the company responsible for the security of their clients’ social media accounts; the social media users are also responsible for being careful about their information and the apps and sites that they allow to gather their data for ad targeting or other marketing purposes.
https://www.securitymagazine.com/articles/94327-million-facebook-instagram-and-linkedin-users-scraped-data-exposed
DDoS attacks: Big rise in threats to overload business networks
Distributed Denial of Service (DDoS) attacks have more than doubled in the past year, along with a significant jump in attempts by attackers to threaten such attacks unless a ransom is paid. Analysis of cyber threats and criminal activity by security researchers at Neustar found that the number of DDoS attacks grew by 154% between 2019 and 2020. Financial services, telecommunications and government agencies are some of the sectors most targeted by attackers.
One of the reasons DDoS attacks are increasing in popularity is because they’re relatively simple to carry out, even for low-level cyber criminals.
Rather than having to rely on ransomware or other malware to hold a network hostage, criminals will often present a taster of what could come with a short-lived DDoS attack in an effort to coerce the victim into paying. All the DDoS attacker needs is a botnet to overload the target systems with traffic and the ability to threaten organizations with the prospect of an attack over email.
How do we stop the DDoS attacks?
1. Organizations should avoid paying these ransoms and report any attack to the nearest law enforcement field office.
2. Organizations can prepare by setting up a robust DDoS mitigation strategy, including assessing the risks, evaluating available solutions, considering mitigation strategies, and keeping their plan and provider up to date.
https://www.zdnet.com/article/ddos-attacks-big-rise-in-threats-to-overload-business-networks/?&web_view=true
UScellular is one of the largest wireless carriers in the United States — it claims to have nearly 5 million customers across 20 states.
Hackers used an undisclosed method to lure UScellular employees working in retail stores into downloading malware. The malware then allowed the attacker to remotely access the infected store computer and the customer retail management (CRM) system running on it. Because the employee had logged in to the CRM system, the attacker could access CRM with the employee’s credentials and access wireless customer accounts and phone numbers.
UScellular said the attacker may have obtained the name, address, PIN code, phone number and information about wireless service, usage and billing (CPNI).
In response to this event, UScellular has removed the infected computer from the store, changed the compromised employee credentials, and modified the PIN code and security questions/answers of the customer and its authorized contacts. Law enforcement has also been informed.
https://www.securityweek.com/uscellular-breach-allowed-hackers-port-customer-phone-numbers
Chinese company BGI Group approached six different states offering to construct/operate coronavirus testing labs and made an offer to make additional donations to these states. Former director of the US National Counterintelligence and Security Center, Bill Evanina, warned these states not to accept BGI’s proposal. There is heavy suspicion on what will be done with the information collected. It is estimated that 80% of American adults have had PII/PHI exposed to the Chinese government. The PRC has also made bold statements about controlling humanity’s biodata and controlling healthcare’s future. Having access to confidential PHI can make China the dominant leader in healthcare and in turn cause further dependence on China for not only PPE and face masks, but also for drugs, vaccines, and other forms of healthcare.
https://www.infosecurity-magazine.com/news/china-steals-personal-data-of-80/
In the news recently, Google researchers reported a North Korean government-backed hacking group is using social networks, such as Twitter and YouTube, to target security researchers with the goal of infecting their computers with a custom backdoor malware.
The hacking group creates a fake persona and writes articles analyzing existing vulnerabilities or creates videos showing off PoCs they allegedly developed.
They would then reach out to the security research firms and ask if they could work together on vulnerability research. They would then send a Visual Studio project to the researcher that contained their PoC exploit, as well as a malicious hidden DLL named ‘vcxproj.suo.’
This DLL is a custom backdoor that is injected into the target’s memory. Once it’s installed, it calls back to a command and control server for commands to execute.
Google states that some researchers didn’t need to be sent the VS package to become exploited. Some were also infected simply by visiting an exploit writeup at the threat actor’s blog.br0vvnn[.]io site. These researchers were using fully patched Windows 10 devices with the latest Google Chrome. This means the threat actors were using zero-day vulnerabilities to infect their visitors.
The advice from the Google Threat Analysis Group is:
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”
https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-targeting-security-researchers-with-malware-0-days/
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
Ford Motor Co announced that it would use Google’s cloud computing service to improve its in-car services and factory-floor efficiencies. They will focus on interweaving online computing with on-road vehicles in new ways. Two years ago, Ford and Lincoln had built artificial intelligence use into Maps navigation apps and services. Now, Ford’s business will be transformed through Google’s AI, data analysis, computing, and cloud platforms, so it can protect people’s safety and connect on the road. This technology is not limited to Google’s software, and users can use Apple’s CarPlay or Amazon’s Alexa. In order to implement Ford’s manufacturing modernization, Google’s AI and data center skills will improve its employee training, product development, and supply chain management.
https://techxplore.com/news/2021-02-ford-google-cloud-cars-factories.html
There has been a co-ordinated multinational takedown effort against the network infrastructure used by the Emotet gang. According to an announcement by Europol, the operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine. According to the Dutch police, Emotet had caused hundreds of millions of dollars in total damages, while Ukrainian law enforcement put the number at $2.5 billion.
The botnet had spread mainly through spam containing malicious links and documents infected with tainted Microsoft Office macros, and had become notorious for delivering everything from banking Trojans to ransomware to victims’ machines. Many times the attackers used compromised mail servers to send their mass email lures, and spread laterally within an organization’s network to gain a larger foothold on multiple machines after a victim took the bait. Emotet’s operators partnered with other cyber criminal gangs, selling access to those focused on theft and ransomware.
To take down Emotet, police and a large group of security industry professionals worked together to simultaneously hijack hundreds of Emotet command-and-control servers, according to one security researcher in an industry working group focused on tracking and disrupting the botnet, who asked not to be named. To cut the strings of the botnet’s puppeteers, they silently placed their own machines at the IP addresses of those command-and-control computers—many of which had been hacked PCs the Emotet gang used to manage the botnet and send instructions to victim computers. Authorities added a second step as well: if a victim machine reaches out to one of the newly confiscated C2 servers, it will get a payload that’s inert and prevents further communication with the botnet. Emotet doesn’t work and the infected machine doesn’t do anything anymore.
Authorities also disrupted the Emotet backup process. They monitored the hackers’ backup processes to ensure that there were no unknown, hidden recovery techniques, and they believe that all backups were disrupted. This takedown effort could represent a serious blow to ransomware operators worldwide who have caused billions of dollars in damage and even endangered lives inside hospitals targeted by their extortion attempts.
66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home
The confidential shredding and records management company discovered that 66% of home workers have printed work-related documents since they began working from home, averaging five documents every week. Beyond general work documents such as meeting notes/agendas (42%) and internal documents, 20% of home workers admitted to printing confidential employee information including payroll, addresses and medical information, with 13% having printed CVs or application forms.
The issue is that, to comply with the General Data Protection Regulation (GDPR), all companies that store or process personal information about EU citizens within EU states are required to have an effective, documented, auditable process in place for the collection, storage and destruction of personal information. However, when asked whether they have disposed of any printed documents since working from home, 24% of respondents said they haven’t disposed of them yet as they plan to take them back to the office and a further 24% said they used a home shredding machine but disposed of the documents in their own waste. Most concerning of all, 8% of those polled said they have no plans to dispose of the work-related documents they have printed at home, with 7% saying they haven’t done so because they do not know how to.
A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob.
This small fund has insufficient IT expertise, leading them not to know how Azure operates and how the files were exposed to the outside.
Compared with AWS S3 buckets, Azure Blob misconfigurations are much less of a concern, but like Amazon, Microsoft has introduced tools to check the security of personal storage. Such tools are only useful when they are actually used.
Although many companies choose to use cloud service providers to store their internal information, they still have to measure the risk of information.
Social Media Oversharing Exposes 80% of Office Workers
According to this research, over 80% of British and American employees overshare on social media, potentially exposing themselves and their organization to online fraud, phishing and other cyber-threats. This poll revealed that most people have social media accounts with their personal photos, birthdays etc. and post regularly. This information can be used by scammers to target individuals. While we may think it’s only a birthday post or a job update, these hackers stitch all this information together to create a complete picture of their targets and make scams as believable as possible. It makes their job so much easier. There needs to be more awareness of how to secure your data and how personal information can be used against individuals.
I’m having issues with humans being considered the “weakest link” in the cybersecurity chain. So when I came across this article, I really got into it. The article highlights that the IS “chain” is composed of technical, physical, or similar synthetic links. If humans were considered the weakest link, then by definition every other link in the chain is a robust security measure, which is decidedly untrue. Ciarán Mc Mahon, Ph.D., a faculty member at University College Dublin and director of the Institute of Cyber Security, gives the example that Apple released approximately 20 security updates to its mobile OS between Jan 1 and Dec 31, 2019. If the technology is so robust then why the need for so many patches?
The article emphasizes that humans “instead of being the weakest links, may be the most vital link when it comes to attacks that are always morphing, in particular those aimed directly at humans.”
Tech Republic’s article on shifting the focus of monitoring away from Indicators of Compromise (IOC) and toward Indicators of Behavior (IOB) is an interesting take on security monitoring focus. As organizations shift from brick-and-mortar data centers to the cloud and shift their workforce from offices to working from home, the organization’s perimeter changes and the risk shifts from servers to workers. This focus allows the security monitoring team to spend less time on activities without context that could be a compromise, and more on worker behavior history and when worker activity changed from the norm. It also allows security teams to evaluate workers based on their risk to the organization and place parameters around their behavior based on their activity history, adding context to the monitoring that does not exist without behavior history. Rather than sounding an alert multiple times a day for a worker whose job is to deploy code every day, tracking behavior allows the security team to focus on activity that is high risk for that worker.
The article talks about the impact of insider threats and how they’ve increased by 47% over the past 2 years. They explain that insider threats are the biggest risk to any company. This is because, whether on purpose or accidentally, they can cause a serious breach if they are not properly trained. The difficult part is that these are authorized access users that end up turning into a compromise. Most of the time these issues arise from poor cybersecurity practices as well as a lack of general cyber hygiene. The article recommends intelligent threat detection and cites, “IT teams need to think beyond prevention”. In this day and age it’s a matter of when, not if, an insider threat will be tested. Intelligent threat detection monitors employees and their usage patterns. This gives the IT team another step in trying to close the gap on the weakest link.
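The behavior-baseline idea in the two posts above (the IOB post’s developer who deploys every day and should not page anyone, and the insider-threat post’s monitoring of usage patterns) worked through in Python, as an added example that is not code from either article. The log format, the users, the actions and the spike factor are all constructed for the demo; a real deployment would feed it from an audit log and tune the thresholds per role.

```python
"""Behaviour-baseline alerting (indicators of behaviour) over constructed log lines.
Added example; not code from the articles. Log format, sample users, actions and
the spike factor are assumptions made for the demo."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample baseline: "<date> <user> <action>", one event per line.
# dev.ana deploys every day (up to twice); fin.bob exports one report a day.
BASELINE_LOG = """\
2021-02-01 dev.ana deploy
2021-02-01 dev.ana deploy
2021-02-02 dev.ana deploy
2021-02-03 dev.ana deploy
2021-02-04 dev.ana deploy
2021-02-01 fin.bob export_report
2021-02-02 fin.bob export_report
2021-02-03 fin.bob login
2021-02-04 fin.bob export_report
"""

# Constructed sample for the day under review (a single day).
TODAY_LOG = """\
2021-02-05 dev.ana deploy
2021-02-05 dev.ana deploy
2021-02-05 fin.bob export_report
2021-02-05 fin.bob export_report
2021-02-05 fin.bob export_report
2021-02-05 fin.bob export_report
2021-02-05 fin.bob export_report
2021-02-05 fin.bob deploy
"""

NOVEL_ACTION = "novel_action"  # the user has never performed this action in the baseline
RATE_SPIKE = "rate_spike"      # the user performed it far more often than any baseline day
SPIKE_FACTOR = 3.0             # assumption: alert when today's count > 3x the baseline daily max


def parse(log: str):
    """Parse '<date> <user> <action>' lines into (date, user, action) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        d, user, action = line.split()
        events.append((date.fromisoformat(d), user, action))
    return events


def build_baseline(events):
    """Per (user, action): the highest count observed on any single baseline day."""
    per_day = defaultdict(Counter)  # (user, action) -> Counter{date: count}
    for d, user, action in events:
        per_day[(user, action)][d] += 1
    return {key: max(counts.values()) for key, counts in per_day.items()}


def score(baseline, events):
    """Compare one day's events against the baseline.
    Returns sorted alerts as (user, action, kind, today_count, baseline_max)."""
    today = defaultdict(Counter)  # user -> Counter{action: count}
    for _, user, action in events:
        today[user][action] += 1
    alerts = []
    for user, actions in today.items():
        for action, n in actions.items():
            base = baseline.get((user, action))
            if base is None:
                alerts.append((user, action, NOVEL_ACTION, n, 0))
            elif n > SPIKE_FACTOR * base:
                alerts.append((user, action, RATE_SPIKE, n, base))
    return sorted(alerts)


def run():
    """Baseline on the history, then score the day under review."""
    return score(build_baseline(parse(BASELINE_LOG)), parse(TODAY_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
    # dev.ana's two deploys raise nothing; fin.bob's first-ever deploy and
    # fivefold export volume each raise one alert.
```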
This week in the news, a piece of malware was found to be infecting supercomputers used in academia and the sciences. The malware, dubbed Kobalos, attacks Linux and Windows machines alike (including older Windows OSes like 3.11 and 95!). This malware “contains generic commands to read from and write to the file system and spawn a terminal to execute arbitrary commands.” To gain entry, the nefarious malware used OpenSSH credentials. Specifically, the “/usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file.” In the future, the users of the supercomputers are advised to use multi-factor authentication practices.
This article cites a study that found that only 23% of organizations prioritize the alignment of security with key business initiatives. The article also mentions three key recommendations to face this core challenge: adding a business information security officer (BISO) whose role is to improve business security alignment; building a top-down, measurable program to help CISOs communicate with their boards; and changing the reporting structures so that CISOs report directly to their CEO. One of the key issues is that security is still viewed as a primary technology area.
How To Develop & Implement A Network Security Plan
“Protecting your business and its data from today’s threats and adversaries is a challenging endeavor requiring expertise and professionally managed resources. You also need a strategic security plan that outlines how to protect your network from cyber attacks. The end users in your organization require guidance on the appropriate use of email, mobile devices, the internet, and other aspects of your company’s network. This plan should support the business model and not be too restrictive, but somewhat painless for your employees to adopt and follow… Due to the growing threat of hackers continuously probing the Internet for networks to exploit, a Network Security Plan is important to protect the infrastructure from unauthorized access, misuse, destruction, or loss of corporate reputation.”
Six Keys to Sound IT Management “Policy and Procedure”
“IT management policies, and related procedures, are often used to limit and control technology utilization, lower operating costs, and limit risk exposure (financial, security, and otherwise). From this perspective, policies and procedures are a necessary, and at times intrusive, means to an end. However, the story does not have to end there. When used effectively, “policy and procedure” can also be used to achieve value-added productivity and results. Value-added policies and procedures can promote productivity, minimize redundant work effort, and deliver consistency in performance and results.”
Google Says Chrome Cookie Replacement Plan Making Progress
The company gave an update Monday on its work to remove from its Chrome browser so-called third-party cookies used by a website’s advertisers or partners and can be used to track a user’s internet browsing habits.
Google said it was releasing new data on one proposed technology, which does away with “individual identifiers” and instead groups users into large demographic flocks.
https://www.securityweek.com/google-says-chrome-cookie-replacement-plan-making-progress?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
Woodland Trust is the UK’s largest woodland conversation charity who was the victim of a cyber security incident back on December 14th, 2020. The details of the incident have not been released yet as Woodland Trust is working with the authorities to investigate the breach. However, the charity is still experiencing disruption to their business because many of their systems are still offline. There are half a million members of the charity and the investigate will help determine if any personal data has be stolen as a result of the breach. The article mentions the affected systems have been taken offline to prevent unauthorized access.
I think this scenario shows the important of having a disaster recovery plan. If the main infrastructure is affected, an organization can failover to the disaster site and resume business operations. Additionally, it is important to have alternative business processes. For example, if a manual paper process has been migrated to a fully electronic process, an organization should keep the manual process in case their electronic process is taken offline.
https://www.zdnet.com/article/a-month-after-a-high-level-cyberattack-charity-says-many-it-systems-are-still-offline/
President-elect Joe Biden has proposed a 9 billion funding injection to shore up the US’S cyber security capabilities, enhancing the work of the country’s cyber security and information security agency, alongside a wider security upgrade across the deferral government. The proposals are designed to help remediate the impact of the December 2020 SolarWinds Solorigate/Sunburst breach – a long-running cyber espionage campaign probably conducted at Moscow’s behest, which has impacted multiple agencies of the federal government, as well as tech companies – as well as to bolster the US’s defenses around the Covid-19 vaccine process, which has itself attracted the attention of malicious actors. Also, Biden is proposing to invest a total of $300m to build new secure technology programs at the GSA, $200m to surge the recruitment of new cyber security technology and engineering expertise, and $690m to improve security monitoring and incident response across the government.
https://www.computerweekly.com/news/252494895/US-cyber-security-agencies-get-9bn-in-Biden-plan
Tiki Wiki authentication bypass flaw gives attackers full control of websites, intranets
A security researcher has detailed how Tiki Wiki, an open source wiki-based content management system allowed unauthenticated attacker bypass login to gain remote access as admin. The vulnerability in the platform could allow full control of target account in Tiki Wiki versions prior 21.2. After 50 invalid login attempts, the account locks and it is then that an attacker can use an empty password to authenticate as admin gaining full control of the whole content management system.
The vulnerability (CVE-2020-15906) was assigned a score of 9.3/10 and was patched immediately, with users were asked to upgrade to the latest version.
https://portswigger.net/daily-swig/tiki-wiki-authentication-bypass-flaw-gives-attackers-full-control-of-websites-intranets
SocialArk is a social media management company that solves the problems of brand building, marketing, social customer management in China’s foreign trade sector.”On January 12, 2021, the start up company suffered a massive data breach, exposing more than 400GB of personal data, including several high-profile celebrities and social media influencers, SocialArks’ owns a database called ElasticSearch, and this misconfigured database contained personally identifiable information of users from social media platforms.The database server got exposed on the internet without any security key, encryption, or passwords has all the data saved in segmented indices to save all the information from different social media sources. Out of 318 million total records exposed, around 11 Million user profiles were collected from Instagram, while 6 million profiles came from LinkedIn users. Almost 8 Million profiles were from Facebook users. All of this data included biographies, phone numbers, email addresses, the total number of followers, comments, most used hashtags, etc. Whatever activity these users were doing on their social platforms, some of that information was present in this database. Being that this was a company responsible for the security of social media accounts. Which inevitable contains some sort of PII. The security of the database server should have been a number one priority. Not only is the company responsible for the security of their clients social media accounts. The social media users are also responsible for being careful about their information and the apps and sites that they allow to gather their data for ad targeting or other marketing purposes.
https://www.securitymagazine.com/articles/94327-million-facebook-instagram-and-linkedin-users-scraped-data-exposed
DDoS attacks: Big rise in threats to overload business networks
Distributed Denial of Service (DDoS) attacks have more than doubled in the past year, along with a significant jump in attempts by attackers to threaten such attacks unless a ransom is paid. And the Analysis of cyber threats and criminal activity by security researchers at Neustar found that the number of DDoS attacks (DDoS) grew by 154% between 2019 and 2020. Financial services, telecommunications and government agencies are some of the sectors most targeted by attackers.
One of the reasons DDoS attacks are increasing in popularity is because they’re relatively simple to carry out, even for low-level cyber criminals.
Rather than having to rely on ransomware or other malware to hold a network hostage, Criminals will often present a taster of what could come with a short-lived DDoS attack in an effort to coerce the victim into paying. All the DDoS attacker needs is a botnet to overload the target systems with traffic and the ability to threaten organizations with the prospect of an attack over email.
How do we stop the DDoS attacks? 1. Organizations should avoid paying these ransoms and reported any attack to the nearest law enforcement field office. 2. organizations can prepare by setting up a robust DDoS mitigation strategy, including assessing the risks, evaluating available solutions, considering mitigation strategies, and keeping their plan and provider up to date.
https://www.zdnet.com/article/ddos-attacks-big-rise-in-threats-to-overload-business-networks/?&web_view=true
https://community.mis.temple.edu/mis5214sec701spring2021/category/03-planning-and-policy/
https://www.securityweek.com/uscellular-breach-allowed-hackers-port-customer-phone-numbers
UScellular is one of the largest wireless carriers in the United States — it claims to have nearly 5 million customers across 20 states.
Hackers use an undisclosed method to lure uscellular employees working in retail stores to download malware. The malware then allows the attacker to remotely access the infected store computer and the customer Retail Management (CRM) system running on it. Because the employee has logged in to the CRM system, the attacker can access CRM with employee credentials and access wireless customer accounts and phone numbers.
Uscellular said the attacker may have obtained the name, address, pin code, phone number and information about wireless service, usage and billing (CPNI).
In response to this event, uscellular has removed the infected computer from the store, changed the compromised employee credentials, and modified the pin code and security questions / answers of the customer and its authorized contacts. Law enforcement has also been informed.
Chinese company BGI Group approached six different states offering to construct/operate coronavirus testing labs and made an offer to make additional donations to these states. Former director of the US National counterintelligence and Security center, Bill Evanina warned these states to not accept BGI’s proposal. There is heavy suspicion on what will be done with the information collected. It is estimated that 80% of American adults have had PII/PHI exposed to the Chinese government. The PRC has also made bold statements to control humanity’s biodata and control healthcare’s future. Having access to confidential PHI can make China the dominant leader in healthcare and in turn cause further dependence on China for not only PPE and face masks, but also on drugs, vaccines, and other forms of healthcare.
https://www.infosecurity-magazine.com/news/china-steals-personal-data-of-80/
In the news recently, Google researchers reported that a North Korean government-backed hacking group is using social networks such as Twitter and YouTube to target security researchers, with the goal of infecting their computers with a custom backdoor.
The group creates fake personas that write articles analysing existing vulnerabilities or post videos showing off PoCs they allegedly developed.
They then reach out to researchers and ask whether they could work together on vulnerability research, and send a Visual Studio project containing their PoC exploit along with a hidden malicious DLL named ‘vcxproj.suo’.
This DLL is a custom backdoor that is loaded into memory on the target; once running, it calls back to a command-and-control server for commands to execute.
Google states that some researchers did not even need to receive the VS project to be compromised: some were infected simply by visiting an exploit write-up on the threat actor’s blog at blog.br0vvnn[.]io. These researchers were running fully patched Windows 10 with the latest Google Chrome, which strongly suggests the threat actors were using zero-day vulnerabilities against visitors.
The advice from Google’s Threat Analysis Group (TAG) is:
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”
https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-targeting-security-researchers-with-malware-0-days/
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
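The build-event trick is worth checking for before opening any project received from a stranger, and it is cheap to automate. The scanner below is an added example written for this post, not code from Google TAG or from the campaign: it parses a .vcxproj and flags PreBuild/PreLink/PostBuild/CustomBuildStep commands that load a DLL or invoke a script host, which is the mechanism TAG’s write-up (linked above) describes for the hidden vcxproj.suo. The sample project embedded in the script is constructed for the demo; the export name `Run` and the directory names are placeholders, not the actors’ real values.

```python
"""Scan a Visual Studio .vcxproj for build events that execute something.

Added example for this post (not code from Google TAG or from the campaign).
The constructed sample project below mimics the reported trick: a build event
that runs a DLL shipped alongside the sources under the innocuous name
vcxproj.suo. The export name 'Run' is a placeholder.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

# Things a benign exploit PoC almost never needs in a build step.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"\brundll32(\.exe)?\b",       # load an arbitrary DLL export
    r"\bregsvr32(\.exe)?\b",
    r"\bpowershell(\.exe)?\b",
    r"\bmshta(\.exe)?\b",
    r"\bwscript(\.exe)?\b|\bcscript(\.exe)?\b",
    r"\bcertutil(\.exe)?\b",
    r"\.suo\b",                    # a 'solution user options' file name used as a DLL
)]

# Constructed sample: one loader-style pre-build step, one benign post-build copy.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><Optimization>Disabled</Optimization></ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)vcxproj.suo",Run</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace so old and new project formats both work."""
    return tag.rsplit("}", 1)[-1]

def build_event_commands(vcxproj_xml: str):
    """Yield (event_tag, command_text) for every non-empty build-event Command."""
    root = ET.fromstring(vcxproj_xml)
    for el in root.iter():
        if _local(el.tag) in EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    yield _local(el.tag), child.text.strip()

def scan_vcxproj(vcxproj_xml: str):
    """Return [(event_tag, command, matched_pattern)] for commands that look like loaders."""
    findings = []
    for tag, cmd in build_event_commands(vcxproj_xml):
        for pat in SUSPICIOUS:
            if pat.search(cmd):
                findings.append((tag, cmd, pat.pattern))
                break
    return findings

def scan_tree(directory: str):
    """Scan every .vcxproj under a directory; returns {path: findings}."""
    results = {}
    for path in Path(directory).rglob("*.vcxproj"):
        findings = scan_vcxproj(path.read_text(encoding="utf-8-sig", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_tree(sys.argv[1]).items():
            for tag, cmd, pat in findings:
                print(f"{path}: {tag}: {cmd}  [matched {pat}]")
    else:
        for tag, cmd, pat in scan_vcxproj(SAMPLE_VCXPROJ):
            print(f"SAMPLE: {tag}: {cmd}  [matched {pat}]")
```

Run it as `python scan_vcxproj.py <unpacked-project-dir>` on the extracted archive, before Visual Studio ever loads it, and do so on the throwaway VM that TAG recommends above. A clean scan is not proof of safety (the exploit source itself, .props files and NuGet targets can also run code on build), but a build event that calls rundll32 on a file named like a .suo is reason enough to stop.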
Ford Motor Co announced that it would use Google’s cloud computing services to improve its in-car services and factory-floor efficiency, focusing on connecting online computing with on-road vehicles in new ways. Two years ago, Ford and Lincoln had already brought artificial intelligence into their Maps navigation apps and services. Now Ford’s business is to be transformed through Google’s AI, data analysis, computing and cloud platforms, so that it can protect people’s safety and keep them connected on the road. The technology is not limited to Google’s software: users can still use Apple CarPlay or Amazon Alexa. To modernise Ford’s manufacturing, Google’s AI and data-centre expertise will be applied to employee training, product development and supply-chain management.
https://techxplore.com/news/2021-02-ford-google-cloud-cars-factories.html
There has been a coordinated multinational takedown of the network infrastructure used by the Emotet gang. According to an announcement by Europol, the operation was a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine. According to the Dutch police, Emotet had caused hundreds of millions of dollars in total damages, while Ukrainian law enforcement put the figure at $2.5 billion.
The botnet spread mainly through spam containing malicious links and documents with tainted Microsoft Office macros, and became notorious for delivering everything from banking Trojans to ransomware to victims’ machines. The attackers often used compromised mail servers to send their mass email lures, and once a victim took the bait they spread laterally within the organization’s network to gain a foothold on multiple machines. Emotet’s operators partnered with other cybercriminal gangs, selling access to those focused on theft and ransomware.
To take down Emotet, police and a large group of security-industry professionals worked together to simultaneously hijack hundreds of Emotet command-and-control servers, according to a security researcher in an industry working group focused on tracking and disrupting the botnet, who asked not to be named. To cut the strings of the botnet’s puppeteers, they silently placed their own machines at the IP addresses of those command-and-control computers, many of which were hacked PCs the Emotet gang used to manage the botnet and send instructions to victim machines. Authorities added a second step as well: when a victim machine reaches out to one of the newly confiscated C2 servers, it receives an inert payload that prevents further communication with the botnet, so Emotet no longer works and the infected machine stops doing anything.
Authorities also disrupted Emotet’s backup process. They monitored the gang’s backup mechanisms to ensure there were no unknown, hidden recovery techniques, and they believe all backups were disrupted. This takedown could represent a serious blow to ransomware operators worldwide, who have caused billions of dollars in damage and even endangered lives inside hospitals targeted by their extortion attempts.
https://www.wired.com/story/emotet-botnet-takedown/
66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home
A confidential shredding and records-management company found that 66% of home workers have printed work-related documents since they began working from home, averaging five documents a week. Beyond general work documents such as meeting notes and agendas (42%) and internal documents, 20% of home workers admitted to printing confidential employee information including payroll, addresses and medical information, and 13% had printed CVs or application forms.
The issue is that, to comply with the General Data Protection Regulation (GDPR), companies that store or process personal information about individuals in the EU are required to have an effective, documented, auditable process for the collection, storage and destruction of that information. Yet when asked whether they had disposed of any printed documents since working from home, 24% of respondents said they had not yet, as they plan to take them back to the office, and a further 24% said they used a home shredder but put the shreds in their own household waste. Most concerning of all, 8% of those polled said they have no plans to dispose of the work-related documents they printed at home, and 7% said they have not done so because they do not know how to.
https://www.infosecurity-magazine.com/news/workers-printing-docs-home/
https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp
A Cayman Islands-based investment fund exposed its entire set of backups to the internet after failing to properly configure access to a Microsoft Azure Blob Storage container.
This small fund had insufficient IT expertise and did not understand how Azure storage access works or that its files were reachable from the outside.
Compared with AWS S3 buckets, Azure Blob misconfigurations receive much less attention, but like Amazon, Microsoft has introduced tools for checking the security of storage accounts. Such tools are only useful when they are actually used.
Although many companies choose to store internal information with cloud service providers, they still have to assess the risk to that information themselves.
https://www.theregister.com/2020/12/01/investment_fund_data_breach/
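The quickest external check for this class of misconfiguration is an unauthenticated container-listing request: a container whose public-access level is “Container” answers it with HTTP 200 and an XML listing of every blob. The script below is an added example, not code from the article, the fund or Microsoft’s own tooling. It builds the anonymous listing URL, classifies the response and parses the XML so the exposed blob names can be reviewed. The account name `examplefund`, the container `backups` and the XML body are constructed for the demo.

```python
"""Probe an Azure Blob Storage container for anonymous listing.

Added example for this post, not code from the article, the fund or Microsoft.
Account 'examplefund', container 'backups' and the XML below are constructed.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

def listing_url(account: str, container: str) -> str:
    """Anonymous 'List Blobs' request; needs no credentials if public access is 'Container'."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"

def parse_listing(xml_text: str):
    """Return (blob names, next marker) from a List Blobs EnumerationResults document."""
    root = ET.fromstring(xml_text)
    names = [n.text for n in root.iter("Name") if n.text]
    marker = root.findtext("NextMarker") or ""   # non-empty means more pages to fetch
    return names, marker

def classify(status: int, body: str):
    """Map the anonymous response to a verdict plus any blob names that leaked."""
    if status == 200:
        names, marker = parse_listing(body)
        return "PUBLIC-LISTABLE", names, marker
    if status in (403, 404):   # private containers answer 404 ResourceNotFound to anonymous callers
        return "NOT-LISTABLE", [], ""
    if status == 409:          # PublicAccessNotPermitted: disabled at the storage-account level
        return "PUBLIC-ACCESS-DISABLED", [], ""
    return f"UNEXPECTED-{status}", [], ""

def probe(account: str, container: str, timeout: float = 10.0):
    """Live check against the internet (not exercised by the demo)."""
    req = urllib.request.Request(listing_url(account, container),
                                 headers={"x-ms-version": "2020-04-08"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")

# Constructed response body in the shape Azure returns for a listable container.
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://examplefund.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>backup-2020-11-28.bak</Name><Properties><Content-Length>5242880</Content-Length></Properties></Blob>
    <Blob><Name>investors.xlsx</Name><Properties><Content-Length>81920</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        print(classify(200, SAMPLE_LISTING))
```

Two caveats. A container set to the “Blob” level is not caught by this probe (listing is refused, but any blob whose URL is known is still served anonymously), so confirm the setting at the control plane with `az storage container show-permission --name <container> --account-name <account>`. And the durable fix is to make the mistake impossible at the account level: `az storage account update --name <account> --resource-group <rg> --allow-blob-public-access false`.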
Social Media Oversharing Exposes 80% of Office Workers
According to this research, over 80% of British and American employees overshare on social media, potentially exposing themselves and their organizations to online fraud, phishing and other cyber-threats. The poll revealed that most people have social media accounts with personal photos, birthdays and similar details, and post regularly. This information can be used by scammers to target individuals: we may think we are only posting a birthday wish or a job update, but attackers stitch all of these pieces together to build a complete picture of their targets and make scams as believable as possible. It makes their job much easier. There needs to be more awareness of how to secure personal data and of how it can be used against individuals.
https://www.infosecurity-magazine.com/news/social-media-expose-80-oversharing/
I’m having issues with humans being considered the “weakest link” in the cybersecurity chain, so when I came across this article I really got into it. The article highlights that the IS “chain” is composed of technical, physical or similar synthetic links. If humans were the weakest link, then by definition every other link in the chain would be a robust security measure, which is decidedly untrue. Ciarán Mc Mahon, Ph.D., a faculty member at University College Dublin and director of the Institute of Cyber Security, gives the example that Apple released approximately 20 security updates to its mobile OS between Jan 1 and Dec 31, 2019. If the technology is so robust, then why the need for so many patches?
The article emphasizes that humans “instead of being the weakest links, may be the most vital link when it comes to attacks that are always morphing, in particular those aimed directly at humans.”
https://www.techrepublic.com/article/cybersecurity-pros-are-humans-really-the-weakest-link/
https://www.techrepublic.com/article/cybersecurity-pros-should-switch-from-indicators-of-compromise-to-indicators-of-behavior/
TechRepublic’s article on shifting the focus of monitoring away from Indicators of Compromise (IOC) and toward Indicators of Behavior (IOB) is an interesting take on security monitoring. As organizations move from brick-and-mortar data centers to the cloud and shift their workforce from offices to home, the organization’s perimeter changes and the risk shifts from servers to workers. This focus lets the security monitoring team spend less time on context-free activity that might be a compromise and more on each worker’s behaviour history and the points at which that worker’s activity departs from the norm. It also lets security teams evaluate workers by the risk they pose to the organization and place parameters around their behaviour based on their activity history, adding context that does not exist without such history. Rather than raising an alert several times a day for a worker whose job is to deploy code every day, tracking behaviour lets the team focus on activity that is high risk for that particular worker.
The article talks about the impact of insider threats and how they have increased by 47% over the past two years. It argues that insiders are the biggest risk to any company, because whether deliberately or accidentally they can cause a serious breach if they are not properly trained. The difficult part is that these are authorized users, and it is their legitimate access that turns into a compromise. Most of the time these issues arise from poor cybersecurity practices and a lack of general cyber hygiene. The article recommends intelligent threat detection and says that “IT teams need to think beyond prevention”. In this day and age it is a matter of when, not if, an insider threat will materialize. Intelligent threat detection monitors employees and their usage patterns, giving the IT team another tool for closing the gap on the weakest link.
https://www.infosecurity-magazine.com/next-gen-infosec/create-protocol-insider-threats/
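Both of the last two articles argue for alerting on departures from a worker’s own history rather than on isolated events. The script below is an added example (not code from either article) showing the simplest form of that: build a per-user, per-action daily baseline from a training window, then alert on a day’s activity only when the action is new for that user or its volume exceeds the baseline by k standard deviations. The log lines are constructed for the demo; the user names, action names and the k=3 threshold are assumptions, and a real deployment would draw the same counts from an audit log or SIEM.

```python
"""Per-user behaviour baseline: alert on new actions or unusual volume.

Added example for this post, not code from either article. The log lines are
constructed; format is '<ISO timestamp> <user> <action> <target>'.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

def parse_line(line: str):
    ts, user, action, _target = line.split(maxsplit=3)
    return ts[:10], user, action          # (day, user, action)

def daily_counts(lines):
    """Nested counts: {user: {action: Counter(day -> count)}}."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        day, user, action = parse_line(line)
        counts[user][action][day] += 1
    return counts

def build_baseline(training_lines):
    """{user: {action: (mean per active day, population stdev)}}.
    Days on which the user was active but did not perform the action count as 0."""
    baseline = {}
    for user, actions in daily_counts(training_lines).items():
        active_days = {d for per_day in actions.values() for d in per_day}
        baseline[user] = {}
        for action, per_day in actions.items():
            series = [per_day.get(d, 0) for d in active_days]
            baseline[user][action] = (mean(series), pstdev(series))
    return baseline

def score_day(baseline, day_lines, k: float = 3.0):
    """Return [(user, action, count, reason)] for one day's activity."""
    alerts = []
    for user, actions in daily_counts(day_lines).items():
        known = baseline.get(user, {})
        for action, per_day in actions.items():
            n = sum(per_day.values())
            if action not in known:
                alerts.append((user, action, n, "action never seen for this user"))
                continue
            mu, sigma = known[action]
            # floor sigma at 1 so a perfectly regular baseline (sigma 0) still tolerates small variation
            threshold = mu + k * max(sigma, 1.0)
            if n > threshold:
                alerts.append((user, action, n, f"{n}/day vs baseline {mu:.1f}+-{sigma:.1f}"))
    return alerts

def constructed_training_log():
    """Ten days: alice deploys three times a day, bob reads tickets and runs one report query."""
    lines = []
    for d in range(1, 11):
        day = f"2021-02-{d:02d}"
        lines += [f"{day}T10:{i:02d}:00 alice deploy prod-web" for i in range(3)]
        lines.append(f"{day}T11:00:00 alice read_ticket T-{d}")
        lines.append(f"{day}T09:30:00 bob read_ticket T-{d}")
        lines.append(f"{day}T15:00:00 bob query_db reports")
    return lines

# Constructed day under test.
DAY_LOG = (
    [f"2021-02-11T10:{i:02d}:00 alice deploy prod-web" for i in range(4)]      # routine for alice
    + ["2021-02-11T16:00:00 bob deploy prod-web"]                              # bob never deploys
    + [f"2021-02-11T23:{i:02d}:00 bob query_db customers" for i in range(8)]   # 8x his usual volume, late at night
)

if __name__ == "__main__":
    for alert in score_day(build_baseline(constructed_training_log()), DAY_LOG):
        print(alert)
```

On the constructed data alice’s four deployments produce no alert because deploying is her norm, while bob’s single deployment and his burst of database queries both do. The same IOC-style rule (“alert on every production deploy”) would have fired four times on the wrong person and zero times on the insider.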
This week in the news, a piece of malware was found infecting supercomputers used in academia and the sciences. The malware, dubbed Kobalos, attacks Linux and Windows machines alike (including older Windows versions such as 3.11 and 95!). It “contains generic commands to read from and write to the file system and spawn a terminal to execute arbitrary commands.” To harvest OpenSSH credentials, the attackers trojanized the SSH client: the “/usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file.” Going forward, users of these supercomputers are advised to use multi-factor authentication.
https://threatpost.com/kobalos-malware-supercomputers-logins/163604/
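Because Kobalos swapped out /usr/bin/ssh, the practical check on a suspect host is package-manager file integrity. The following is an added example (not ESET’s or Threatpost’s code, and not the malware): it reads the md5 manifest dpkg keeps for a package (/var/lib/dpkg/info/<pkg>.md5sums) and reports files that are missing or whose hash no longer matches, which is what `debsums -c` does on Debian/Ubuntu and `rpm -V openssh-clients` does on RPM systems. The `demo()` function builds a throwaway root with stand-in bytes for the binary; the package name openssh-client is the Debian one and is an assumption about the target system.

```python
"""Verify installed files against dpkg's per-package md5 manifest.

Added example for this post, not ESET's or Threatpost's code and not the
malware. Equivalent to what `debsums -c <pkg>` does; the package name
openssh-client (Debian/Ubuntu) is an assumption about the target host.
"""
import hashlib
import sys
import tempfile
from pathlib import Path

def parse_md5sums(text: str):
    """Parse '<md5>  <path relative to />' lines into {relpath: md5hex}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.strip().lower()
    return expected

def md5_of(path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(expected, root="/"):
    """Return [(relpath, 'MISSING' | 'MODIFIED')]; an empty list means every file matched."""
    problems = []
    for rel, digest in expected.items():
        p = Path(root) / rel
        if not p.is_file():
            problems.append((rel, "MISSING"))
        elif md5_of(p) != digest:
            problems.append((rel, "MODIFIED"))
    return problems

def check_package(pkg: str = "openssh-client", root="/"):
    manifest = Path(root) / "var/lib/dpkg/info" / f"{pkg}.md5sums"
    return verify(parse_md5sums(manifest.read_text()), root)

def demo():
    """Constructed scenario: clean root first, then the ssh binary replaced as in the Kobalos case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ssh = root / "usr/bin/ssh"
        ssh.parent.mkdir(parents=True)
        ssh.write_bytes(b"\x7fELF stand-in bytes for the genuine OpenSSH client")
        info = root / "var/lib/dpkg/info"
        info.mkdir(parents=True)
        (info / "openssh-client.md5sums").write_text(f"{md5_of(ssh)}  usr/bin/ssh\n")
        clean = check_package("openssh-client", root)
        ssh.write_bytes(b"\x7fELF stand-in bytes for a trojanized client that logs credentials")
        tampered = check_package("openssh-client", root)
    return clean, tampered

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, status in check_package(sys.argv[1]):
            print(f"{status}: /{rel}")
    else:
        print(demo())
```

Run `python verify_pkg.py openssh-client` on the host itself. Two limits to keep in mind: an attacker who already has root can rewrite the .md5sums manifest as easily as the binary, so for a real incident compare against hashes taken from the distribution’s .deb on a clean machine, and dpkg’s manifest does not cover conffiles, so a modified /etc/ssh/ssh_config would not show up here.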
Board members aren’t taking cybersecurity as seriously as they should
https://www.helpnetsecurity.com/2021/02/01/board-members-cybersecurity/
This article cites a study which found that only 23% of organizations prioritize aligning security with key business initiatives. It also lists three key recommendations for facing this core challenge: adding a business information security officer (BISO) whose role is to improve business-security alignment; building a top-down, measurable program that helps CISOs communicate with their boards; and changing reporting structures so that CISOs report directly to their CEO. One of the key issues is that security is still viewed primarily as a technology area.
How To Develop & Implement A Network Security Plan
“Protecting your business and its data from today’s threats and adversaries is a challenging endeavor requiring expertise and professionally managed resources. You also need a strategic security plan that outlines how to protect your network from cyber attacks. The end users in your organization require guidance on the appropriate use of email, mobile devices, the internet, and other aspects of your company’s network. This plan should support the business model and not be too restrictive, but somewhat painless for your employees to adopt and follow… Due to the growing threat of hackers continuously probing the Internet for networks to exploit, a Network Security Plan is important to protect the infrastructure from unauthorized access, misuse, destruction, or loss of corporate reputation.”
https://purplesec.us/network-security-plan/
Six Keys to Sound IT Management “Policy and Procedure”
“IT management policies, and related procedures, are often used to limit and control technology utilization, lower operating costs, and limit risk exposure (financial, security, and otherwise). From this perspective, policies and procedures are a necessary, and at times, intrusive, means to an end. However, the story does not have to end there. When used effectively, “policy and procedure” can also be used to achieve value added productivity and results. Value added policies and procedures can promote productivity, minimize redundant work effort, and deliver consistency in performance and results.”
https://www.ittoolkit.com/articles/planning-IT-policies