Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Business

Low code, no code and zero code are buzzwords in the world of business apps in which tasks that once required programmers are done by ordinary users. The required functionality is assembled from ready-made templates, the interface is drawn in a WYSIWYG editor as necessary, and the program logic is described by way of simple diagrams or very short code snippets. All this can be handled by a competent PC user with no special training. Low code helps cut development time for a simple mobile app from six months to a couple of weeks, while a promo page for an online store or a new report can be delivered in a couple of hours. There are plenty of no-code platforms out there: Bubble for developing mobile apps, Webflow for designing websites, and Parabola and Airtable for analytics and data science. All of these systems help companies reduce IT costs and speed up the development of business functions.

Sure, there are pitfalls – with cyber-risks being chief among them. To keep a company's data and processes secure, these risks need to be minimized as early as during implementation of the low-code platform. Here's what should be kept in mind the most.

Privileged accounts

A mini-app developed by your company on a low-code or no-code platform often needs access to various databases and computing resources. It usually runs with the privileges of its creator, and all subsequent users of the app perform actions with this level of access. From there it's a short hop to privilege-escalation attacks, and figuring out from the logs who's responsible for malicious activity will be problematic.

Risk mitigation: Implement the principle of least privilege for all database and API connections from the no-code system. Use separate accounts for mini-app users (using the credentials of the app developer is unacceptable). Introduce special logging measures for tracking who actually uses the mini-apps when they query databases and APIs.

Incorrect authorization

Almost all low-code platforms use the connector/connection concept, allowing them to access databases and other applications within the company. The architecture of these systems gives a user no direct control over a connection after they grant permission to establish it. The connection can be reused to make other requests for the same data – including from a different mini-app or even a different user.

Risk mitigation: Frequently refresh authorization tokens in systems linked to the no-code platform. Monitor actively used connections. Rewrite incorrectly programmed mini-apps that use borrowed connections. Disable unnecessary connections. Again, use the principle of least privilege. Train business users to understand the risks of overly wide access to app data.

Data leakage or modification

With the no-code platforms having wide access to data, mini-apps programmed by non-specialists can return more data than the developer intended. And errors in data processing or synchronization between systems can lead to unintentional, widespread data corruption or unauthorized copying.

Risk mitigation: Restrict access to data, minimizing write and delete permissions. Minimize the list of employees authorized to create and modify connections, and configure access rules for them. Monitor data transferred by the no-code platform to identify excessive amounts thereof in a timely manner.

Incorrect security settings

Dangerous bugs and misconfigurations can occur in mini-app code, such as: access to file storage without encryption; storage of API keys or other secrets right in the code of the app; access to corporate systems without proper authentication. Since many low-code apps are easy to analyze, attackers can quickly exfiltrate all this information and use it for cyberattacks and further data theft.

Risk mitigation: Ensure compliance with industry best practices for configuring apps and keeping secrets. Train business users who build no-code apps to adhere to these practices. Introduce additional security measures at the infrastructure level. Restrict insecure access methods, and monitor anomalous requests from no-code systems.

Poor input sanitization

Most low-code apps have some kind of interface that allows you to input data; for example – contact details in a form on the newly built website. Verification of input forms is often insufficient or non-existent, leaving them open to classic SQL injection attacks.

Risk mitigation: Train business users: the mini-apps they create must verify and sanitize any incoming information, be it a text form, CSV file or anything else. Deploy additional data sanitization tools – for example when passing SQL queries from the low-code platform to a database.

Vulnerabilities in modules

Many no-code platforms have a modular architecture with their own component stores for user projects. Vulnerabilities in these components are often very serious and made worse by the fact that they cannot be traced and quickly updated using standard tools. Such modules can even be trojanized if their developer gets hacked.

Risk mitigation: Regularly clean the platform. Unused plug-ins, modules and other components must be removed. Limit the list of components available to users. Inventory all components in use, and monitor vulnerabilities and releases of new versions. Use protection systems specifically designed for your low-code platform (for example, Wordfence for WordPress).

Illegal data processing

Databases stored by mini-apps are sometimes subject to the general rules of a particular low-code platform, meaning that company administrators don't have full control over their location and content. This may lead to violations of local laws, such as GDPR, regarding storage of certain types of data.

Risk mitigation: Train business users in the basic rules of data processing. All apps that potentially have access to sensitive data must be checked by the infosec team.

Forgotten apps

By their very nature, no-code apps are easy to create and easy to leave running unnoticed. For example, if an employee leaves a company, their mini-app may continue to run and create daily reports. Or a colleague may carry on using it unbeknown to the IT and infosec teams.

Risk mitigation: Maintain a detailed catalog of mini-apps, their owners and end users. Delete unnecessary apps and connections. Check allowlists of users and remove any who no longer need the app.


 A Little Sunshine

If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — DomainNetworks — and some clues about who may be behind it.

The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address. Although the letter includes the words “marketing services” in the upper right corner, the rest of the missive is deceptively designed to look like a bill for services already rendered.

DomainNetworks claims that listing your domain with their promotion services will result in increased traffic to your site. This is a dubious claim for a company that appears to be a complete fabrication, as we’ll see in a moment. But happily, the proprietors of this enterprise were not so difficult to track down.

The website Domainnetworks[.]com says it is a business with a post office box in Hendersonville, N.C., and another address in Santa Fe, N.M. There are a few random, non-technology businesses tied to the phone number listed for the Hendersonville address, and the New Mexico address was used by several no-name web hosting companies. However, there is little connected to these addresses and phone numbers that gets us any closer to finding out who’s running Domainnetworks[.]com. And neither entity appears to be an active, official company in their supposed state of residence, at least according to each state’s Secretary of State database.

The Better Business Bureau listing for DomainNetworks gives it an “F” rating, and includes more than 100 reviews by people angry at receiving one of these scams via snail mail. Helpfully, the BBB says DomainNetworks previously operated under a different name: US Domain Authority LLC.

[Image caption: DomainNetworks has an “F” reputation with the Better Business Bureau.]

Copies of snail mail scam letters from US Domain Authority posted online show that this entity used the domain usdomainauthority[.]com, registered in May 2022. The Usdomainauthority mailer also featured a Henderson, NC address, albeit at a different post office box.

Usdomainauthority[.]com is no longer online, and the site seems to have blocked its pages from being indexed by the Wayback Machine at archive.org. But searching on a long snippet of text from DomainNetworks[.]com about refund requests shows that this text was found on just one other active website, according to publicwww.com, a service that indexes the HTML code of existing websites and makes it searchable.

[Image caption: A deceptive snail mail solicitation from DomainNetwork’s previous iteration — US Domain Authority. Image: Joerussori.com]

That other website is a domain registered in January 2023 called thedomainsvault[.]com, and its registration details are likewise hidden behind privacy services. Thedomainsvault’s “Frequently Asked Questions” page is quite similar to the one on the DomainNetworks website; both begin with the question of why the company is sending a mailer that looks like a bill for domain services.

Thedomainsvault[.]com includes no useful information about the entity or people who operate it; clicking the “Contact-us” link on the site brings up a page with placeholder Lorem Ipsum text, a contact form, and a phone number of 123456789. However, searching passive DNS records at DomainTools.com for thedomainsvault[.]com shows that at some point whoever owns the domain instructed incoming email to be sent to ubsagency@gmail.com.

The first result that currently pops up when searching for “ubsagency” in Google is ubsagency[.]com, which says it belongs to a Las Vegas-based Search Engine Optimization (SEO) and digital marketing concern generically named both United Business Service and United Business Services. UBSagency’s website is hosted at the same Ann Arbor, Mich. based hosting firm (A2 Hosting Inc) as thedomainsvault[.]com.

UBSagency’s LinkedIn page says the company has offices in Vegas, Half Moon Bay, Calif., and Renton, Wash. But once again, none of the addresses listed for these offices reveal any obvious clues about who runs UBSagency. And once again, none of these entities appear to exist as official businesses in their claimed state of residence.

Searching on ubsagency@gmail.com in Constella Intelligence shows the address was used sometime before February 2019 to create an account under the name “SammySam_Alon” at the interior decorating site Houzz.com. In January 2019, Houzz acknowledged that a data breach exposed account information on an undisclosed number of customers, including user IDs, one-way encrypted passwords, IP addresses, city and ZIP codes, as well as Facebook information.

SammySam_Alon registered at Houzz using an Internet address in Huntsville, Ala. (68.35.149.206). Constella says this address was associated with the email tropicglobal@gmail.com, which also is tied to several other “Sammy” accounts at different stores online.

Constella also says a highly unique password re-used by tropicglobal@gmail.com across numerous sites was used in connection with just a few other email accounts, including shenhavgroup@gmail.com, and distributorinvoice@mail.com.

The shenhavgroup@gmail.com address was used to register a Twitter account for a Sam Orit Alon in 2013, whose account says they are affiliated with the Shenhav Group. According to DomainTools, shenhavgroup@gmail.com was responsible for registering roughly two dozen domains, including the now-defunct unitedbusinessservice[.]com.

Constella further finds that the address distributorinvoice@mail.com was used to register an account at whmcs.com, a web hosting platform that suffered a breach of its user database several years back. The name on the WHMCS account was Shmuel Orit Alon, from Kidron, Israel.

UBSagency also has a Facebook page, or maybe “had” is the operative word because someone appears to have defaced it. Loading the Facebook page for UBSagency shows several of the images have been overlaid or replaced with a message from someone who is really disappointed with Sam Alon. “Sam Alon is a LIAR, THIEF, COWARD AND HAS A VERY SMALL D*CK,” reads one of the messages.

The current Facebook profile page for UBSagency includes a logo that is similar to the DomainNetworks logo. The logo in the UBSagency profile photo includes a graphic of what appears to be a magnifying glass with a line that zig-zags through bullet points inside and outside the circle, a unique pattern that is remarkably similar to the logo for DomainNetworks.

[Image caption: The logos for DomainNetworks (left) and UBSagency.]

Constella also found that the same Huntsville IP address used by Sam Alon at Houzz was associated with yet another Houzz account, this one for someone named “Eliran.” The UBSagency Facebook page features several messages from an Eliran “Dani” Benz, who is referred to by commenters as an employee or partner with UBSagency. The last check-in on Benz’s profile is from a beach at Rishon Letziyon in Israel earlier this year.

Neither Mr. Alon nor Mr. Benz responded to multiple requests for comment.

It may be difficult to believe that anyone would pay an invoice for a domain name or SEO service they never ordered. However, there is plenty of evidence that these phony bills often get processed by administrative personnel at organizations that end up paying the requested amount because they assume it was owed for some services already provided.

In 2018, KrebsOnSecurity published How Internet Savvy are Your Leaders?, which examined public records to show that dozens of cities, towns, school districts and even political campaigns across the United States got snookered into paying these scam domain invoices from a similar scam company called WebListings Inc.

In 2020, KrebsOnSecurity featured a deep dive into who was likely behind the WebListings scam, which had been sending out these snail mail scam letters for over a decade. That investigation revealed the scam’s connection to a multi-level marketing operation run out of the U.K., and to two brothers living in Scotland.

 Malware and Vulnerabilities

Iranian threat actor Charming Kitten introduced the new version of its PowerStar backdoor malware. The updated malware utilizes the InterPlanetary File System (IPFS) and publicly accessible cloud hosting for its decryption function and configuration details. The latest iteration of the backdoor unveils enhanced operational security measures, rendering the malware even more challenging to analyze and gather intelligence on.

 Trends, Reports, Analysis

The early adoption of generative AI or any nascent technology, particularly LLMs, requires comprehensive risk assessment and adherence to robust security practices throughout the entire software development life cycle (SDLC).

 Malware and Vulnerabilities

CISA, in an advisory issued Thursday, said the deserialization of untrusted data vulnerability identified in Medtronic's Paceart Optima, versions 1.11 and earlier, is exploitable remotely and has a low attack complexity.

 Govt., Critical Infrastructure

Cait Conley, a senior adviser to CISA Director Jen Easterly, will assume “additional responsibilities,” including supervising election security and protecting voters from disinformation campaigns.

 Malware and Vulnerabilities

The GuLoader malware campaign utilizes a multi-stage infection chain, including a PDF lure, a GuLoader VBScript, and obfuscated Powershell scripts, to deliver the Remcos RAT.

 Incident Response, Learnings

A multi-national policing operation has led to the arrest of dozens of suspects including the alleged boss of an organized crime operation that targeted elderly victims with scam phone calls, according to Europol.

 Feed

Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution

 Feed

In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions. "The Meduza Stealer has a singular objective: comprehensive data theft," Uptycs said in a new report. "It pilfers users' browsing

 Feed

Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and reviews. You likely understand how this can damage your website's reputation, affect search results

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a set of eight flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. This includes six shortcomings affecting Samsung smartphones and two vulnerabilities impacting D-Link devices. All the flaws have been patched as of 2021. CVE-2021-25394 (CVSS score: 6.4) - Samsung mobile

 Feed

A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems. Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at least December 2022. "The campaign uses new delivery methods to deploy (most notably – HTML Smuggling)
