Initially, SIEM systems were created as a tool to collect information about security events within the infrastructure and analyze them using external data on known cyberthreats. And for a long time, they did their job just fine. However, as both threats and the information security industry evolve, more and more threat-intelligence feeds are appearing on the market. What's more, their structures are changing significantly. It has become obvious to many experts that a new tool for navigating threat-intelligence flows is required for SIEMs to work effectively.

Why did SIEM need an assistant?

At first glance, it may seem that the more external cyberthreat data feeds you connect to your SIEM system, the more effectively it should do its job. In fact, this is not the case. First, the more indicators a system handles, the more alerts it generates. Even if we assume that there is a minimum number of false positives (as no one is immune to them), an analyst won't be able to quickly navigate through millions of duplicate notifications and prioritize the important ones. Second, existing SIEM systems are simply not designed to handle an unlimited number of indicators. When you connect multiple feeds, the workload on the system increases significantly, which can have a negative impact on the incident detection rate. The same may happen if you try to implement a scenario of frequent TI-feed updates. It is not completely impossible, but performance and detection rate may suffer. In addition, a SIEM system is not suited to more detailed work with threat-intelligence feeds directly. For example, it cannot compare the quality and detection rate of feeds from different vendors, or handle the different kinds of masks used by feeds whose indicators of compromise are represented as URLs, hosts or domains. If an analyst needs deeper context for an indicator, an additional tool is required (and it doesn't matter that the needed context may in fact exist in the feeds: the SIEM may simply not know how to access it). Finally, keep in mind the economic factor. Most SIEMs offer load-based licensing: the more indicators the system processes, the more you have to pay.

How a threat-intelligence platform can help

In general, a threat-intelligence platform can resolve all the above disadvantages of SIEM systems. But to start with, it is an indispensable tool for navigating a multitude of feeds from different vendors. You can connect several feeds (not necessarily in the same format) and compare them on different parameters. For instance, you can detect indicator crossovers between feeds, which helps identify duplicate data flows and possibly reject some of them. You can also compare feeds on statistical detection indices. Given that some vendors offer a trial period for their feeds, this can be a good way to assess their effectiveness before buying. A threat-intelligence platform also gives the SOC analyst many additional capabilities that simply cannot be implemented in a SIEM. For example, a retro-scan feature allows previously saved historical logs and data to be re-checked against new feeds. Another is the enrichment of indicators from various third-party sources (such as VirusTotal). Finally, a decent threat-intelligence platform, starting from a specific alert, allows finding and downloading an APT report detailing the tactics, techniques and procedures of the associated attackers, along with practical advice on countermeasures. A threat-intelligence platform lets you filter and download indicators, sort incidents, present all of the above in a graphical interface for the analyst's convenience, and much more, depending on the functions of the specific platform.

How a threat-intelligence platform fits into an analyst's work and SIEM

By and large, a threat-intelligence platform installed on a company's internal network performs the analysis and correlation of incoming data, which significantly reduces the load on the SIEM system. It lets you generate your own alerts when threats are detected. What's more, it integrates with your existing monitoring and response processes through an API. Essentially, a threat-intelligence platform generates its own feed of detections, customized to the needs of your company. This is especially useful if you have multiple SIEM systems running in parallel in your infrastructure. Without a threat-intelligence platform, you'd have to load raw feeds into each of them.

A practical example

Let's look at a fairly simple incident to see how a threat-intelligence platform helps analysts. Imagine that a corporate user accessed a website from their work computer. In the threat-intelligence feed, the URL of that site is listed as malicious, so the platform identifies the incident, enriches it with context from the feeds, and sends the detection to the SIEM system for registration. Next, the incident comes to the SOC analyst's attention. The analyst sees the detection from the Malicious URL feed and decides to take a closer look at it using the threat-intelligence platform. Directly from the list of detections, they can open the contextual information available from the TI flow: IP address, malicious file hashes associated with this address, security solution verdicts, WHOIS data, and so on. For clarity, the analyst opens the graph interface, the most convenient way to analyze the attack chain. So far there is not much information: the detection itself, the malicious URL that was detected, and the internal IP address of the machine used to access that URL. By clicking on the malicious URL icon, the analyst requests the known indicators related to that address: IP addresses, additional URLs, and hashes of malicious files that have at some point been downloaded from that site. The next step is to check whether other detections involving the same indicators have been registered in the corporate infrastructure. The analyst clicks on any object (e.g., a malicious IP address) and displays the additional detections in the graph. In other words, they can find out in one click which user went to which IP address (or on which machine a DNS request for the URL's host returned that IP address). Similarly, they check which users have downloaded the file whose hash appears among the associated indicators. There may be thousands of detections in a single incident, and it would be quite hard to sort them out by hand without the TI platform's easy-to-use graph interface. All available context from the cyberthreat data feeds is pulled into each point in the graph. The analyst can group or hide objects and apply automatic node grouping. If the analyst has additional information sources, they can add an indicator manually and mark its correlations themselves. In this way, the expert can reconstruct the full chain of the attack and understand how it all started: for example, a user typed in the URL of a malicious site, the DNS server returned its IP address, and the user downloaded a file with a known hash from the site.

Conclusion

A high-quality threat-intelligence platform serves as a kind of intermediate link: on the one hand, it significantly reduces the load on the SIEM system without compromising detection quality, and on the other, it makes the analyst's life easier.
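The feed comparison, retro-scan and detection-linking steps described above, as an added example that is not part of the original article and not any vendor's product code: three constructed feeds in different formats are normalized so that the same indicator written differently compares equal, their pairwise crossover is counted, constructed proxy, DNS and endpoint logs are retro-scanned against the merged index, and the resulting detections are joined into incidents by the assets and indicators they share (the graph pivot the analyst performs by hand in the walkthrough). The vendor labels, indicator values, log lines and the key=value log layout are all assumptions made for illustration.

```python
# Added example (not from the article): what a threat-intelligence platform does
# in front of a SIEM. Every feed, log line and vendor name below is constructed.
import csv
import io
import ipaddress
import re
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit

# Three constructed feeds in three different formats.
FEED_A = {"vendor": "VendorA", "indicators": [
    {"type": "url", "value": "http://bad-updates.test/setup.exe"},
    {"type": "domain", "value": "bad-updates.test"},
    {"type": "ip", "value": "203.0.113.7"},
    {"type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E"}]}
FEED_B_CSV = "type,value\nurl,http://BAD-UPDATES.test/setup.exe\ndomain,BAD-UPDATES.TEST.\nip,198.51.100.9\n"
FEED_C_LINES = ["203.0.113.7", "198.51.100.9", "login.example-corp-sso.test"]

# Constructed historical logs (the key=value layout is an assumption) for the retro-scan.
LOGS = {
    "proxy": ["2022-08-25T09:12:01Z src=10.0.0.5 url=http://bad-updates.test/setup.exe dst=203.0.113.7",
              "2022-08-25T09:13:44Z src=10.0.0.9 url=http://intranet.corp.test/home dst=10.0.0.2"],
    "dns": ["2022-08-25T09:11:58Z src=10.0.0.5 query=bad-updates.test answer=203.0.113.7",
            "2022-08-25T09:20:10Z src=10.0.0.11 query=login.example-corp-sso.test answer=198.51.100.9"],
    "edr": ["2022-08-25T09:12:30Z host=10.0.0.5 md5=d41d8cd98f00b204e9800998ecf8427e"],
}

def guess_kind(value):
    """Infer the indicator type of a bare value (for untyped feeds and log fields)."""
    if "://" in value:
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "md5" if re.fullmatch(r"[0-9a-fA-F]{32}", value) else "domain"

def normalize(kind, value):
    """Canonical form, so the same indicator written differently by two vendors compares equal."""
    kind, value = kind.strip().lower(), value.strip()
    if kind == "domain":
        return kind, value.lower().rstrip(".")
    if kind == "url":
        p = urlsplit(value)
        return kind, p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower().rstrip(".")).geturl()
    if kind in ("md5", "sha1", "sha256"):
        return kind, value.lower()
    return kind, value

def load_feeds():
    """{vendor: set of (kind, value)} built from the three differently shaped feeds."""
    return {
        FEED_A["vendor"]: {normalize(i["type"], i["value"]) for i in FEED_A["indicators"]},
        "VendorB": {normalize(r["type"], r["value"]) for r in csv.DictReader(io.StringIO(FEED_B_CSV))},
        "VendorC": {normalize(guess_kind(v), v) for v in FEED_C_LINES},
    }

def feed_overlap(feeds):
    """Pairwise crossover counts; a large overlap marks a feed as a candidate for dropping."""
    return {(a, b): len(feeds[a] & feeds[b]) for a, b in combinations(sorted(feeds), 2)}

def retro_scan(feeds, logs):
    """Match every field of every stored log line against the merged indicator index."""
    index = defaultdict(set)
    for vendor, iocs in feeds.items():
        for ioc in iocs:
            index[ioc].add(vendor)
    detections = []
    for source, lines in logs.items():
        for line in lines:
            ts, *fields = line.split()
            kv = dict(f.split("=", 1) for f in fields)
            asset = kv.get("src") or kv.get("host")   # the internal machine involved
            for key, raw in kv.items():
                ioc = normalize(guess_kind(raw), raw)
                if key not in ("src", "host") and asset and ioc in index:
                    detections.append({"ts": ts, "log": source, "asset": asset,
                                       "indicator": ioc, "vendors": sorted(index[ioc])})
    return detections

def link_detections(detections):
    """Join assets and indicators that share a detection into incidents (the analyst's graph pivot)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for d in detections:
        parent[find(d["asset"])] = find(d["indicator"][1])
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

if __name__ == "__main__":
    feeds = load_feeds()
    print("crossover:", feed_overlap(feeds))
    hits = retro_scan(feeds, LOGS)
    print(len(hits), "detections;", [h["vendors"] for h in hits])
    for incident in link_detections(hits):
        print("incident:", incident)
```

Run as a script it reports that VendorA and VendorB share two indicators (the URL and the domain, despite the different letter case and trailing dot in VendorB's copy), that the constructed logs produce seven detections, and that those detections fall into two incidents: the host that resolved, fetched and ran the sample, and a second host that only resolved the look-alike login domain. The same structure is what the platform hands to the SIEM as its own detection feed instead of the raw indicators.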
Phishers are enjoying remarkable success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest technology companies and customer support firms. A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: the ability of scammers to interact directly with employees through their mobile devices.

In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

The phishers behind this scheme used newly-registered domains that often included the name of the target company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server.

This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign “0ktapus” for the attackers targeting organizations using identity management tools from Okta.com.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB wrote. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

It’s not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies. A great many responses came from those who were apparently wise to the scheme, as evidenced by the hundreds of hostile replies that included profanity or insults aimed at the phishers: the very first reply recorded in the Telegram bot data came from one such employee, who responded with the username “havefuninjail.” Still, thousands replied with what appear to be legitimate credentials — many of them including one-time codes needed for multi-factor authentication.

On July 20, the attackers turned their sights on internet infrastructure giant Cloudflare.com, and the intercepted credentials show at least five employees fell for the scam (although only two employees also provided the crucial one-time MFA code).

Image: Cloudflare.com

In a blog post earlier this month, Cloudflare said it detected the account takeovers and that no Cloudflare systems were compromised. But Cloudflare said it wanted to call attention to the phishing attacks because they would probably work against most other companies.

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” Cloudflare CEO Matthew Prince wrote. “On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employees’ family members.”

On three separate occasions, the phishers targeted employees at Twilio.com, a San Francisco-based company that provides services for making and receiving text messages and phone calls. It’s unclear how many Twilio employees received the SMS phishes, but the data suggest at least four Twilio employees responded to a spate of SMS phishing attempts on July 27, Aug. 2, and Aug. 7. On that last date, Twilio disclosed that on Aug. 4 it became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio said. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”

That “certain customer data” included information on roughly 1,900 users of the secure messaging app Signal, which relied on Twilio to provide phone number verification services. In its disclosure on the incident, Signal said that with their access to Twilio’s internal tools the attackers were able to re-register those users’ phone numbers to another device.

On Aug. 25, food delivery service DoorDash disclosed that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. DoorDash said intruders stole information on a “small percentage” of users, who have since been notified. TechCrunch reported last week that the incident was linked to the same phishing campaign that targeted Twilio.

This phishing gang apparently had great success targeting employees of all the major mobile wireless providers, but most especially T-Mobile. Between July 10 and July 16, dozens of T-Mobile employees fell for the phishing messages and provided their remote access credentials.

“Credential theft continues to be an ongoing issue in our industry as wireless providers are constantly battling bad actors that are focused on finding new ways to pursue illegal activities like this,” T-Mobile said in a statement. “Our tools and teams worked as designed to quickly identify and respond to this large-scale smishing attack earlier this year that targeted many companies. We continue to work to prevent these types of attacks and will continue to evolve and improve our approach.”

This same group saw hundreds of responses from employees at some of the largest customer support and staffing firms, including Teleperformanceusa.com, Sitel.com and Sykes.com. Teleperformance did not respond to requests for comment. KrebsOnSecurity did hear from Christopher Knauer, global chief security officer at Sitel Group, the customer support giant that recently acquired Sykes. Knauer said the attacks leveraged newly-registered domains and asked employees to approve upcoming changes to their work schedules.

Image: Group-IB.

Knauer said the attackers set up the phishing domains just minutes in advance of spamming links to those domains in phony SMS alerts to targeted employees. He said such tactics largely sidestep automated alerts generated by companies that monitor brand names for signs of new phishing domains being registered.

“They were using the domains as soon as they became available,” Knauer said. “The alerting services don’t often let you know until 24 hours after a domain has been registered.”

On July 28 and again on Aug. 7, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance. On Aug. 15, the hosting company DigitalOcean published a blog post saying it had severed ties with MailChimp after its Mailchimp account was compromised. DigitalOcean said the MailChimp incident resulted in a “very small number” of DigitalOcean customers experiencing attempted compromises of their accounts through password resets.

According to interviews with multiple companies hit by the group, the attackers are mostly interested in stealing access to cryptocurrency, and to companies that manage communications with people interested in cryptocurrency investing. In an Aug. 3 blog post from email and SMS marketing firm Klaviyo.com, the company’s CEO recounted how the phishers gained access to the company’s internal tools, and used that to download information on 38 crypto-related accounts.

A flow chart of the attacks by the SMS phishing group known as 0ktapus and ScatterSwine. Image: Amitai Cohen twitter.com/amitaico.

The ubiquity of mobile phones became a lifeline for many companies trying to manage their remote employees throughout the Coronavirus pandemic. But these same mobile devices are fast becoming a liability for organizations that use them for phishable forms of multi-factor authentication, such as one-time codes generated by a mobile app or delivered via SMS. As we can see from the success of this phishing group, this type of data extraction is now being massively automated, and employee authentication compromises can quickly lead to security and privacy risks for the employer’s partners or for anyone in their supply chain.

Unfortunately, a great many companies still rely on SMS for employee multi-factor authentication. According to a report this year from Okta, 47 percent of workforce customers deploy SMS and voice factors for multi-factor authentication. That’s down from 53 percent that did so in 2018, Okta found.

Some companies (like Knauer’s Sitel) have taken to requiring that all remote access to internal networks be managed through work-issued laptops and/or mobile devices, which are loaded with custom profiles that can’t be accessed through other devices. Others are moving away from SMS and one-time code apps and toward requiring employees to use physical FIDO multi-factor authentication devices such as security keys, which can neutralize phishing attacks because any stolen credentials can’t be used unless the phishers also have physical access to the user’s security key or mobile device.

This came in handy for Twitter, which announced last year that it was moving all of its employees to using security keys, and/or biometric authentication via their mobile device. The phishers’ Telegram bot reported that on June 16, 2022, five employees at Twitter gave away their work credentials. In response to questions from KrebsOnSecurity, Twitter confirmed several employees were relieved of their employee usernames and passwords, but that its security key requirement prevented the phishers from abusing that information.

Twitter accelerated its plans to improve employee authentication following the July 2020 security incident, wherein several employees were phished and relieved of credentials for Twitter’s internal tools. In that intrusion, the attackers used Twitter’s tools to hijack accounts for some of the world’s most recognizable public figures, executives and celebrities — forcing those accounts to tweet out links to bitcoin scams.

“Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not,” Twitter said in an Oct. 2021 post about the change. “To deploy security keys internally at Twitter, we migrated from a variety of phishable 2FA methods to using security keys as our only supported 2FA method on internal systems.”
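The contrast the article draws between a relayed one-time code and a security-key login, as an added example that is not code from KrebsOnSecurity, Twitter or any vendor named above: the relying party, both origins, the secrets and the challenge are constructed; the one-time code is HOTP as specified in RFC 4226; and a keyed HMAC stands in for the authenticator's asymmetric signature, which simplifies the real WebAuthn flow without changing the origin-binding property being shown. The relying party's verification steps follow the order WebAuthn prescribes for an assertion (type, challenge, origin, rpId hash, signature).

```python
# Added example (not from the article): why a relayed one-time code satisfies the
# server but a relayed FIDO/WebAuthn assertion does not. All values are made up.
import hashlib
import hmac
import json
import struct
from urllib.parse import urlsplit

REAL_ORIGIN = "https://login.example-corp.test"       # assumed genuine login origin
PHISH_ORIGIN = "https://login.example-corp-sso.test"  # assumed look-alike domain


# --- One-time code: HOTP (RFC 4226), the kind of code an app or SMS delivers ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_verify_otp(secret: bytes, counter: int, submitted: str) -> str:
    """The code carries nothing about where it was typed, so a relayed code passes."""
    return "ok" if hmac.compare_digest(hotp(secret, counter), submitted) else "bad code"


# --- WebAuthn-style assertion (simplified). An HMAC keyed with a per-credential
# secret stands in for the authenticator's asymmetric signature. ---
def browser_get_assertion(cred_secret: bytes, page_origin: str, challenge: str) -> dict:
    """The browser, not the page, fills in origin and rpId from the URL it is really on."""
    rp_id = urlsplit(page_origin).hostname
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    # authenticatorData = sha256(rpId) || flags (UP set) || 32-bit signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
            "signature": hmac.new(cred_secret, to_sign, hashlib.sha256).digest()}


def rp_verify_assertion(cred_secret: bytes, expected_challenge: str, assertion: dict) -> str:
    """Relying-party checks in WebAuthn order; returns 'ok' or the first failing check."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "wrong type"
    if client_data.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if client_data.get("origin") != REAL_ORIGIN:
        return "origin mismatch"
    expected_rp_hash = hashlib.sha256(urlsplit(REAL_ORIGIN).hostname.encode()).digest()
    if assertion["authenticatorData"][:32] != expected_rp_hash:
        return "rpId mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_secret, to_sign, hashlib.sha256).digest(),
                               assertion["signature"]):
        return "bad signature"
    return "ok"


def simulate_relay() -> dict:
    """Victim is on the phishing page; the phisher forwards whatever the victim produces to the real RP."""
    otp_secret, cred_secret = b"constructed-otp-seed", b"constructed-credential-key"
    counter, challenge = 42, "constructed-server-challenge"

    # OTP: the victim types the code into the look-alike page; relayed unchanged, it is accepted.
    otp_result = rp_verify_otp(otp_secret, counter, hotp(otp_secret, counter))

    # FIDO: the browser is on PHISH_ORIGIN, so that origin is baked into the signed data.
    phished = browser_get_assertion(cred_secret, PHISH_ORIGIN, challenge)
    fido_relayed = rp_verify_assertion(cred_secret, challenge, phished)

    # Same key and challenge signed on the genuine origin: accepted.
    genuine = browser_get_assertion(cred_secret, REAL_ORIGIN, challenge)
    fido_genuine = rp_verify_assertion(cred_secret, challenge, genuine)

    return {"otp_relayed": otp_result, "fido_relayed": fido_relayed, "fido_genuine": fido_genuine}


if __name__ == "__main__":
    print(simulate_relay())
```

The point the simulation makes is structural rather than cryptographic: the phisher never sees the key and does not need to break anything to reuse a one-time code, whereas the assertion produced on the look-alike domain is rejected at the origin check before the signature is even examined, because the browser and authenticator, not the user, decide what origin gets signed.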
The new Borat RAT comes as a unique triple threat as it can facilitate credential stuffing, DDoS attacks, and ransomware attacks, as well as other malicious activities. The attack begins when an unsuspecting employee from the targeted organization clicks a malicious link or attachment, giving full access to the systems.
Cyber researchers uncovered an EvilCoder project on the dark web forums, dropping XWorm that can help cybercriminals in ransomware operations and executing HNVC modules. The malware can perform a variety of tasks, including keylogging, screen capture, auto-update, self-destruct, script execution, and ransomware operations.
Google in November will prohibit Android VPN apps in its Play store from interfering with or blocking advertising, a change that may pose problems for some privacy applications.
Researchers found 241 malicious packages infiltrating PyPI and npm open-source registries. The packages deploy cryptominers after infecting Linux systems. A majority of these packages are typosquats of widely used libraries, and each one of them downloads a Bash script on Linux systems that runs cryptominers.
The wide variety of loaders in conjunction with the staged delivery of the miner and backdoor malware shows how determined the attackers are to successfully deliver their payloads.
Microsoft released its second edition of Cyber Signals, a regular cyber threat intelligence brief that focuses on security trends and insights for RaaS operations. More than 80% of ransomware infections can be traced back to common configuration errors in software and devices. To tackle the cybersecurity challenges, the company recommends clarity, prioritization, and increased information sharing between the public and private sectors.
Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing.
"The FBI has observed cybercriminals exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal investors' cryptocurrency," the agency said in a notification.
Ransomware and phishing attacks continue to climb in Singapore, hitting small and midsize businesses (SMBs) and social media platforms. Cybercriminals also are expected to turn their attention to IoT devices and crypto transactions.
The Wilsonville, OR-based company operates skilled nursing facilities and senior living communities throughout the West. The breach reportedly affected facilities located in Oregon, Washington, Arizona, Colorado, Nevada, and Utah.
The updated breach report filed by OneTouchPoint to the Maine attorney general's office on August 26 says 2.65 million individuals - including nine Maine residents - were affected by an "external system breach hacking" incident detected on July 15.
Given the level of sensitive and confidential data held and maintained, companies need to be locked in on how to advance their policy priorities and stay up to speed on the debates that impact their businesses and markets.
According to the researchers, adversaries buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. Attackers were also observed impersonating benign plugin authors to distribute malware.
In a blog post, Permiso Security and ACV Auctions said, based on “in the wild” detections they reviewed, the impersonation technique is also an effective method of bypassing multi-factor authentication (MFA).
The attackers send security-themed emails creating a false sense of urgency. The lure included informing targets that Google is executing a mandatory validation process on all packages.
The number of sites linked to China taken down throughout the quarter remained very high. For May, June, and July, Google terminated 4,067, 1,556, and 2,150 YouTube channels respectively with Chinese connections.
Identity is the “core of zero trust,” including multi-factor authentication, authorization governance, and “the proper provisioning of roles and attributes for access,” Health-ISAC noted.
The threat actor targeted South Korean think tanks, university professors, and government organizations. However, it’s not limited to that; it has targeted entities in the U.S. and Europe as well.
The Department of Veterans Affairs has named Lynette Sherrill as permanent deputy assistant secretary for information security and chief information security officer, FedScoop can reveal.
Baker & Taylor, which describes itself as the world's largest distributor of books to libraries worldwide, today confirmed it's still working on restoring systems after being hit by ransomware more than a week ago.
The most frequently exploited SaaS platforms include website builders, file sharing and hosting sites, note-taking and documentation writing platforms, form/survey builders, and personal portfolio builders.
A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data.
PureCrypter continues to be active this year and has propagated more than 10 other malware families including Formbook, SnakeKeylogger, AgentTesla, Redline, AsyncRAT, and others.
Quantum computing is rapidly moving from sci-fi tech to the real world, and regulators and financial institutions must both have a plan in place to address soon-to-be obsolete cybersecurity.
Cerberus Cyber Sentinel Corporation announced that it has completed the acquisition of CUATROi, a cloud-based managed services provider and cybersecurity company with headquarters in Santiago, Chile, and offices in Bogotá, Colombia, and Lima, Peru.
Threat analysts at McAfee found five Google Chrome extensions that track users’ browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times.
Now available under the BSD 3-clause license, MATE relies on code property graphs (CPGs) for static program analysis, and can identify application-specific bugs that depend on implementation details and high-level semantics.
In this latest campaign that took place between April and June, the hacking group appeared to focus on global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea.
As part of the new Open Source Software Vulnerability Rewards Program (OSS VRP), Google is offering bug bounty payouts of up to $31,337. The lowest vulnerability reward will be $100.
Infection chains discovered by Cisco Talos researchers involve attempts to compromise vulnerable web applications like WordPress and CPanel to distribute the malware by means of files that masquerade as fake Amazon gift cards.
According to the REDSPICE Blueprint, the purpose of the initiative is to build on Australia’s strong cybersecurity foundation by expanding the range and sophistication of the country’s intelligence and offensive and defensive cyber capabilities.
Ubuntu Security Notice 5588-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5572-2 - Roger Pau Monné discovered that the Xen virtual block driver in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information. Roger Pau Monné discovered that the Xen paravirtualization frontend in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information.
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.
Ubuntu Security Notice 5585-1 - It was discovered that Jupyter Notebook incorrectly handled certain notebooks. An attacker could possibly use this issue of lack of Content Security Policy in Nbconvert to perform cross-site scripting attacks on the notebook server. This issue only affected Ubuntu 18.04 LTS. It was discovered that Jupyter Notebook incorrectly handled certain SVG documents. An attacker could possibly use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 18.04 LTS.
Red Hat Security Advisory 2022-6206-01 - The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. Issues addressed include a use-after-free vulnerability.
For VM_PFNMAP VMAs, there is a race between unmap_mapping_range() and munmap() that can lead to a page being freed by a device driver while the page still has stale TLB entries.
Ubuntu Security Notice 5583-1 - It was discovered that systemd incorrectly handled certain DNS requests, which leads to a use-after-free vulnerability. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
Ubuntu Security Notice 5586-1 - It was discovered that SDL incorrectly handled memory. An attacker could potentially use this issue to cause a denial of service or other unexpected behavior.
KVM instruction emulation can run while KVM_VCPU_PREEMPTED is set, which can lead other vcpus to skip sending TLB flush IPIs. As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.
Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. Ziming Zhang discovered that the netfilter subsystem in the Linux kernel did not properly validate sets with multiple ranged fields. It was discovered that the implementation of POSIX timers in the Linux kernel did not properly clean up timers in some situations. Various other vulnerabilities were also discovered.
The U.S. Federal Bureau of Investigation (FBI) on Monday warned of cyber criminals increasingly exploiting flaws in decentralized finance (DeFi) platforms to plunder cryptocurrency. "The FBI has observed cyber criminals exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal investors' cryptocurrency," the agency said in a notification. Attackers are said to have used
The U.S. Federal Trade Commission (FTC) on Monday said it filed a lawsuit against Kochava, a location data broker, for collecting and selling precise geolocation data gathered from consumers' mobile devices. The complaint alleges that the U.S. company amasses a "wealth of information" about users by purchasing data from other data brokers to sell to its own clients. "Kochava then sells
Akasa Air, India's newest commercial airline, exposed the personal data belonging to its customers that the company blamed on a technical configuration error. According to security researcher Ashutosh Barot, the issue is rooted in the account registration process, leading to the exposure of details such as names, gender, email addresses, and phone numbers. The bug was identified on August 7,
As many as three disparate but related campaigns between March and June 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems. "The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and
As threat complexity increases and the boundaries of an organization have all but disappeared, security teams are more challenged than ever to deliver consistent security outcomes. One company aiming to help security teams meet this challenge is Stellar Cyber. Stellar Cyber claims to address the needs of MSSPs by providing capabilities typically found in NG-SIEM, NDR, and SOAR products in their
I must admit I was delighted to receive an email today from UK high street pharmacy Boots telling me I should enable two-factor authentication on my account. Boots customers would have benefited from two-factor authentication a couple of years ago, when hackers attempted to gain access to customers’ Boots Advantage Card accounts, and temporarily stopped … Continue reading "Boots lets down its customers, by only offering SMS-based 2FA"