All large companies have formal processes for both onboarding and offboarding. These include granting access to corporate IT systems after hiring, and revoking said access during offboarding. In practice, the latter is far less effective — with departing employees often retaining access to work information. What are the risks involved, and how to avoid them?

How access gets forgotten

New employees are granted access to the systems they need for their jobs. Over time, these accesses accumulate, but they're not always issued centrally, and the process itself is by no means always standardized. Direct management might give access to systems without notifying the IT department, while chats in messenger apps or document-exchange systems get created ad hoc within a department. Poorly controlled access of this kind is almost certain not to be revoked from an offboarded employee. Here are some typical scenarios in which IT staff may overlook access revocation:

- The company uses a SaaS system (Ariba, Concur, Salesforce, Slack… there are thousands of them) that is accessed with a username and password the employee set at first login, and it isn't integrated with the corporate employee directory.
- Employees share a common password for a particular system. (The reason may be saving money by using just one subscription, or the system lacking a full multi-user architecture.) When one of them is offboarded, no one bothers to change the password.
- A corporate system allows login using a mobile phone number and a code sent by text. Problems arise if an offboarded employee keeps the phone number they used for this purpose.
- Access to some systems requires being bound to a personal account. For example, administrators of corporate pages on social media often get access by assigning the corresponding role to a personal account, so this access needs to be revoked in the social network as well.
- Last but not least is the problem of shadow IT. Any system that employees started using and run themselves is bound to fall outside standard inventory, password control and other procedures.

Most often, offboarded employees retain the ability to perform collaborative editing in Google Docs, manage tasks in Trello or Basecamp, share files via Dropbox and similar file-hosting services, as well as access work and semi-work chats in messenger apps. That said, pretty much any system could end up in the list.

The danger of unrevoked access

Depending on the role of the employee and the circumstances of their departure, unrevoked access can create the following risks:

- The offboarded employee's accounts can be used by a third party for cyberattacks on the company. A variety of scenarios are possible here — from business email compromise to unauthorized entry to corporate systems and data theft. Since the departed employee no longer uses these accounts, such activity is likely to go unnoticed for a long time. Forgotten accounts may also use weak passwords and lack two-factor authentication, which simplifies their takeover. No surprise, then, that forgotten accounts are becoming very popular targets for cybercriminals.
- The offboarded employee might continue to use accounts for personal gain (accessing the customer base to get ahead in a new job, or using corporate subscriptions to third-party paid services).
- There could be a leak of confidential information (for example, if business documents are synchronized with a folder on the offboarded employee's personal computer). Whether the employee deliberately retained this access to steal documents or it was just plain forgetfulness makes little difference. Either way, such a leak creates long-term risks for the company.
- If the departure was acrimonious, the offboarded employee may use their access to inflict damage.

Additional headaches: staff turnover, freelancing, subcontractors

Keeping track of SaaS systems and shadow IT is already a handful, but the situation is made worse by the fact that not all company offboarding processes are properly formalized. An additional risk factor is freelancers. If they were given some kind of access as part of a project, it's extremely unlikely that IT will promptly revoke it — or even know about it — when the contract expires. Contracting companies likewise pose a danger. If a contractor fires one employee and hires another, often the old credentials are simply given to the new person, rather than deleted and replaced with new ones. There's no way that your IT service will know about the change in personnel. In companies with seasonal employees or just a high turnover in certain positions, there's often no full-fledged centralized on/offboarding procedure — just to simplify the business operation. Therefore, you can't assume they'll perform an onboarding briefing or operate a comprehensive offboarding checklist. Employees in these jobs often use the same password to access internal systems, which can even be written on a Post-It right next to the computer or terminal.

How to take control

The administrative aspect is key. Below are a few measures that significantly mitigate the risk:

- Regular access audits. Carry out periodic audits to determine what employees have access to. The audit should identify accesses that are no longer current or were issued unintentionally or outside of standard procedures, and revoke them as necessary. For audits, a technical analysis of the infrastructure is not enough. In addition, surveys of employees and their managers should be carried out in one form or another. This will also help bring shadow IT out of the shadows and in line with company policies.
- Close cooperation between HR and IT during offboarding. Departing employees should be given an exit interview. Besides questions important for HR (satisfaction with the job and the company; feedback about colleagues), this should include IT issues (request a complete list of systems that the employee used on a daily basis; ensure that all work information is shared with colleagues and not left on personal devices, etc.). The offboarding process usually involves signing documents imposing responsibility on the departing employee for disclosure or misuse of such information. In addition to the employee, it's advisable to interview their colleagues and management so that IT and InfoSec are fully briefed on all their accounts and accesses.
- Creation of standard roles in the company. This measure combines technical and organizational aspects. For each position and each type of work, you can draw up a template set of accesses to be issued during onboarding and revoked during offboarding. This lets you create a role-based access control (RBAC) system and greatly simplify the work of IT.

Technical measures to facilitate access control and increase the overall level of information security:

- Implementing Identity and Access Management systems and Identity Security. The keystone here would be a single sign-on (SSO) solution based on a centralized employee directory.
- Asset and Inventory Tracking to centrally track corporate devices, work mobile phone numbers, issued licenses, etc.
- Monitoring of outdated accounts. Information security tools can be used to introduce monitoring rules to flag accounts in corporate systems if they have been inactive for a long time. Such accounts must be periodically checked and disabled manually.
- Compensatory measures for shared passwords that have to be used (these need to be changed more often).
- Time-limited access for freelancers, contractors and seasonal employees. For them, it's always best to issue short-term accesses, and to extend/change them only when necessary.
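The audit, role-template, inactive-account and time-limited-access measures above can be combined into a single periodic check. The script below is an added example, not code from the article; the roles, systems, people and dates in it are constructed, and the 90-day inactivity threshold is an assumption.

```python
"""Access audit for offboarding, written as an added example for this article
(not the author's code).  It applies the measures above to constructed data:
role templates (the RBAC idea), an HR roster with status and contract end
dates, and an access inventory with last-use dates.  All names are invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical role templates: the access each position should hold.
ROLE_TEMPLATES = {
    "accountant": {"erp", "email", "expense-saas"},
    "designer": {"email", "dropbox", "figma"},
    "contractor-dev": {"git", "ci"},
}

@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str                     # "active" or "offboarded"
    contract_end: Optional[date]    # set only for time-limited staff

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    last_used: date
    shared_credential: bool = False  # one password used by several people

# Constructed HR roster and access inventory for the demonstration.
ROSTER = [
    Person("alice", "accountant", "active", None),
    Person("bob", "designer", "offboarded", None),
    Person("carol", "contractor-dev", "active", date(2023, 6, 30)),
]
GRANTS = [
    Grant("alice", "erp", date(2023, 8, 18)),
    Grant("alice", "email", date(2023, 8, 21)),
    Grant("alice", "slack", date(2023, 2, 1)),        # outside template, stale
    Grant("bob", "dropbox", date(2023, 8, 20)),        # offboarded, still in use
    Grant("carol", "git", date(2023, 8, 19)),          # contract already over
    Grant("carol", "social-admin", date(2023, 8, 1), shared_credential=True),
]

Finding = Tuple[str, str, str, str]   # (severity, user, system, reason)

def audit(roster: List[Person], grants: List[Grant], today: date,
          inactive_days: int = 90) -> List[Finding]:
    """Compare every grant against HR status, role template and recent use."""
    people = {p.user: p for p in roster}
    findings: List[Finding] = []
    for g in grants:
        p = people.get(g.user)
        if p is None:   # account with no HR record: classic orphan
            findings.append(("high", g.user, g.system, "no HR record for account"))
            continue
        if p.status == "offboarded":
            findings.append(("high", g.user, g.system, "user offboarded, access not revoked"))
        if p.contract_end is not None and today > p.contract_end:
            findings.append(("high", g.user, g.system, "contract ended, time-limited access expired"))
        if g.system not in ROLE_TEMPLATES.get(p.role, set()):
            findings.append(("medium", g.user, g.system, f"outside role template '{p.role}'"))
        if (today - g.last_used).days > inactive_days:
            findings.append(("low", g.user, g.system, f"inactive > {inactive_days} days"))
        if g.shared_credential:
            findings.append(("medium", g.user, g.system, "shared credential, rotate on each departure"))
    return findings

def demo_findings() -> List[Finding]:
    """Run the audit on the constructed data as of a fixed date."""
    return audit(ROSTER, GRANTS, date(2023, 8, 22))

if __name__ == "__main__":
    for sev, user, system, reason in demo_findings():
        print(f"[{sev:>6}] {user:<6} {system:<13} {reason}")
```

In a real deployment the roster would come from HR, the grants from the directory and each SaaS admin API, and the survey results mentioned above would be the only source for shadow IT entries.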
In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet. But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network. It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets. These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email. The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

- a web bug / URL token, designed to alert when a particular URL is visited;
- a DNS token, which alerts when a hostname is requested;
- an AWS token, which alerts when a specific Amazon Web Services key is used;
- a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
- a “sensitive command” token, to alert when a suspicious Windows command is run;
- a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Canary Tools, which is a paid version of Thinkst that is powered by a small hardware device designed to be installed on the local network as a canary token server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:
- Dark Reading: Credential Canaries Create Minefield for Attackers
- NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
- Cruise Automation’s experience deploying canary tokens
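The “sensitive command” idea above (alert when whoami.exe runs on a code-sign server, or when the Cisco “show” commands appear on a router) can be implemented as a plain log tripwire even without a canary token server. The following is an added example, not Thinkst’s or Cisco’s code; the host names, accounts, record format and sample events are constructed.

```python
"""A 'sensitive command' tripwire, added as an example for this article; it is
not Thinkst's or Cisco's code.  It scans constructed process-creation records
(the kind an EDR or Sysmon forwards to a SIEM) for the orientation commands
the article lists, and alerts when they run where normal users never should.
Host names, accounts and the record format are invented.
"""
import json
from collections import defaultdict

# Attacker "first steps" named in the article: Thinkst's whoami example and
# the Cisco IOS show commands Talos observed on compromised routers.
TOURIST_COMMANDS = {
    "whoami.exe", "whoami",
    "show config", "show interface", "show route", "show arp", "show cdp neighbor",
}
# Hypothetical hosts where such commands are never routine (the code-sign
# server of the Thinkst quote, and an edge router).
SENSITIVE_HOSTS = {"codesign-01", "edge-rtr-03"}
# Hypothetical service account that legitimately runs them (config backups).
EXPECTED_ACCOUNTS = {"svc-netbackup"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2023-08-21T09:02:11Z","host":"ws-0117","user":"jdoe","cmd":"whoami.exe"}
{"ts":"2023-08-21T09:05:40Z","host":"codesign-01","user":"svc-build","cmd":"whoami.exe"}
{"ts":"2023-08-21T09:05:43Z","host":"codesign-01","user":"svc-build","cmd":"signtool.exe sign /f k.pfx app.exe"}
{"ts":"2023-08-21T02:14:02Z","host":"edge-rtr-03","user":"svc-netbackup","cmd":"show config"}
{"ts":"2023-08-21T11:47:19Z","host":"edge-rtr-03","user":"admin","cmd":"show cdp neighbor"}
{"ts":"2023-08-21T11:47:25Z","host":"edge-rtr-03","user":"admin","cmd":"show arp"}
"""

def normalize(cmd: str) -> str:
    """Reduce a command line to the key used in TOURIST_COMMANDS: the bare
    image name for executables, the first two or three words for IOS 'show'."""
    tokens = cmd.strip().lower().split()
    if not tokens:
        return ""
    if tokens[0] == "show":
        keep = 3 if len(tokens) > 1 and tokens[1] == "cdp" else 2
        return " ".join(tokens[:keep])
    return tokens[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1]

def tripwire(lines: str) -> list:
    """Group tourist commands per (host, user) and grade each group:
    high on a sensitive host, medium if several were run, low otherwise."""
    seen = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = normalize(ev["cmd"])
        if key in TOURIST_COMMANDS:
            seen[(ev["host"], ev["user"])].append((ev["ts"], key))
    alerts = []
    for (host, user), hits in seen.items():
        if user in EXPECTED_ACCOUNTS:
            continue   # known scheduled job; tune this list per environment
        if host in SENSITIVE_HOSTS:
            severity = "high"
        elif len(hits) > 1:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"severity": severity, "host": host, "user": user,
                       "commands": [c for _, c in hits], "first_seen": hits[0][0]})
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a["severity"]])

if __name__ == "__main__":
    for a in tripwire(SAMPLE_EVENTS):
        print(f"[{a['severity']:>6}] {a['host']:<12} {a['user']:<10} {a['commands']}")
```

The value of the rule comes from the host list, not the command list: on a workstation whoami is noise, on the code-sign server it is the alert Thinkst describes.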
Makers of vulnerable apps that are exploited in wide-scale supply chain attacks need to improve software security or face steep fines and settlement fees.
Risk-aware leaders can be a cybersecurity advantage. Their flexible leadership style and emphasis on security first help set the tone and demonstrate a commitment to avoiding risk.
The increase in cyberattacks against the Middle East in the last few years has pressured Jordan and other nations to better secure their infrastructures.
An intelligence analyst working for police in the North West of England shared information about a major countrywide operation with a criminal contact, in what has been described as a “disgraceful” betrayal of her colleagues.
Discovered and reported by researchers at mnemonic, the critical vulnerability enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).
In a financial report covering the first half of 2023, the consumer lender reported AU$76 million (roughly US$50 million) of pre-tax costs and provisions relating to the cyber incident.
On average, every 72 hours for the past three months, cyber experts at the UK’s NCSC have detected the beginnings of a new ransomware attack against a British organization and then tipped off the target in a bid to prevent the attack from executing.
Wholesale energy software provider Energy One reported on Friday a cyberattack had affected "certain corporate systems" in Australia and the UK. In a statement, the company said analysis is underway to identify which systems have been affected.
According to a new advisory published by ESET security researchers, the campaign came to light when an advertisement on Facebook promoted the download of what seemed to be the latest version of Google’s authentic AI tool, “Bard.”
Researchers from Italy and the UK have discovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and TP-Link’s Tapo app, which could allow attackers to steal their target’s WiFi password.
The U.S. federal government is advocating for artificial intelligence developers to embrace security as a core requirement, warning that machine learning code is particularly difficult and expensive to fix after deployment.
Officials noted that the town’s IT department has set up a “robust” backup system that allowed them to preserve critical data and “minimize disruption to the operation of municipal services.”
Serde is a commonly used serialization and deserialization framework for Rust data structures that, according to its website, is designed to conduct these operations "efficiently and generically."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The group appears to be skilled and patient, selectively pushing payloads to specific victims. The use of signed malware and supply chain attacks makes it difficult for security software to detect.
The investment brings Grip Security’s total funding to $66 million and marks a major milestone for the company, further accelerating its go-to-market strategy and advancing product development.
Ukrainian hackers claim to have broken into the email account of a senior Russian politician and exposed documents that allegedly prove his involvement in money laundering and sanction evasion schemes.
The investment round was led by Two Sigma Ventures, with additional funding from Outpost Ventures, AV8, Bowery Capital, Founders Fund, Incubate Fund, Okta Ventures, Ridge Ventures, Salesforce Ventures, and Tau Ventures.
XLoader, the macOS malware first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model.
Around 2000 schools across the UK are participating in Cyber Explorers – a free learning platform for 11–14-year-olds designed to introduce them to key cybersecurity concepts.
Ecuador’s national election on Sunday was marred by difficulties voting online for citizens living abroad — incidents the country’s election agency attributed to cyberattacks originating from seven different countries.
Clop was responsible for one-third of all ransomware attacks in July, positioning the financially-motivated threat actor to become the most prolific ransomware threat actor this summer, according to multiple threat intelligence reports.
Threat actors are reportedly exploiting APK files that employ unknown or unsupported compression methods to bypass malware analysis, warned cybersecurity firm Zimperium. The approach hinders decompilation efforts while still enabling installation on Android devices running OS versions above Android 9 Pie. Zimperium found 3,300 instances of this tactic in the wild, with 71 of them being compatible with the operating system
A fresh player in the realm of cyber threats has emerged under the moniker EVLF DEV, operating as a Malware-as-a-Service (MaaS) provider. Hailing from Syria and active for over eight years, this actor has developed the CypherRAT and CraxsRAT malware strains. To counteract such campaigns by malicious actors, individuals should practice caution while downloading applications and refrain from interacting with dubious links or attachments.
The 2nd Judicial Circuit announced Monday that law enforcement is investigating a data breach involving Gadsden County court records. In a news release, the circuit said that initial assessments show some of the records contained PII.
There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data.
The group claims to have stolen military contracts, internal call signs, and personal data, amounting to 1.6 TB. If the attack gets confirmed, the disclosure of confidential information poses a serious risk to organizations involved in the contracts.
Ubuntu Security Notice 6303-2 - USN-6303-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. It was discovered that ClamAV incorrectly handled parsing HFS+ files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.
Red Hat Security Advisory 2023-4699-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include information leakage, privilege escalation, and use-after-free vulnerabilities.
Red Hat Security Advisory 2023-4698-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include an out of bounds write vulnerability.
Red Hat Security Advisory 2023-4696-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include information leakage, privilege escalation, and use-after-free vulnerabilities.
Red Hat Security Advisory 2023-4697-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include an out of bounds write vulnerability.
Red Hat Security Advisory 2023-4694-01 - Red Hat OpenStack Platform (RHOSP) 16.2.z (Train) director Operator containers are now available. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-4693-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4692-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include cross site request forgery, denial of service, and remote shell upload vulnerabilities.
Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." "The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application
A new State of SaaS Security Posture Management Report from SaaS cybersecurity provider AppOmni indicates that Cybersecurity, IT, and business leaders alike recognize SaaS cybersecurity as an increasingly important part of the cyber threat landscape. And at first glance, respondents appear generally optimistic about their SaaS cybersecurity. Over 600 IT, cybersecurity, and business leaders at
A previously undocumented threat cluster has been linked to a software supply chain attack targeting organizations primarily located in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under its insect-themed moniker Carderbee. The attacks, per the cybersecurity firm, leverage a trojanized version of a legitimate software called