Cyber security aggregated RSS news

Cyber security aggregator - feeds history

What OSINT is, and w ...

 Business

One of the many dangerous tools in cybercriminals' arsenals is OSINT. In this post, we explain what it is, the danger it poses, and how to guard your company against OSINT.

What is OSINT?

OSINT stands for open-source intelligence: the collection and analysis of data obtained from publicly accessible information channels. Such sources can be almost anything: newspapers and magazines, television and radio, data published by official organizations, scientific research, conference reports, and so on. Nowadays, of course, such intelligence is primarily based on information scraped from the internet. Over the past 10–15 years, online public communication platforms have become especially valuable as OSINT-gathering tools: chats, forums, social networks, and messengers.

The range of people using OSINT is quite diverse: journalists, scientists, civil activists, government and business analysts, as well as intelligence officers themselves. In a nutshell, OSINT is an important and effective tool for collecting data. But perhaps the more significant question is how such information gets put to use.

OSINT and information security

OSINT can be used in planning a targeted attack on your company. After all, for a successful operation, cybercriminals need a great deal of information about the victim organization. This is especially true of attackers who rely less on hi-tech tools (costly zero-day exploits, sophisticated malware, etc.) and more on social engineering. For this type of threat actor, OSINT is often the number-one tool.

The most valuable source of open data in preparing an attack on an organization is employees' activity on social networks, first and foremost LinkedIn. There, it's usually possible to find the full organizational structure of the company, with all names, positions, work histories, social connections, and lots of other extremely useful information about employees.

You don't have to look far for examples of just how effective OSINT can be. Remember the infamous Twitter (now X) hack a couple of years back that targeted a whole bunch of people and companies (from Musk, Gates, and Apple to Obama and Biden)? It began with the hackers finding Twitter employees on LinkedIn who had access to Twitter's internal account management system, and making contact with them. Then it was a simple matter of applying social engineering and good old phishing to dupe them into revealing the credentials needed to hijack the high-profile accounts.

How to protect your company from OSINT

Open-source intelligence is a predominantly passive method of information gathering, so there's no simple and universal way to counter it. Fortunately, there are measures you can take on several fronts.

Employee training and awareness

As mentioned above, modern-day OSINT is largely based on social networks, and information gathered through OSINT is most effective for social-engineering attacks. Thus, the human factor comes to the fore, and to counteract OSINT and its potential consequences you need to work closely with your employees. Training is key to raising awareness of potential threats and ways to protect against them. The focus should be on two aspects. First, the dangers of posting sensitive information about your company on social networks. Second, employees should learn to be more wary of calls, emails, and text messages that prod them to take some potentially risky action (and to be able to recognize what a potentially risky action is). It must be clear that even if an email uses real company details, that doesn't necessarily mean the sender is a real colleague: the information could have been collected from open sources. As a rough guide, if a caller introducing himself as, say, John Smith tells you that he works in such-and-such a position and asks for a username and password, this is wholly insufficient authentication – even if a John Smith does indeed hold that position in the company.

To raise awareness, you can develop and conduct your own in-house training program, or hire expert consultants. Another option is to use an interactive educational platform, for example the Kaspersky Automated Security Awareness Platform. It would also be useful to establish an internal cybersecurity communication channel with employees to convey information about live threats effectively.

Open-source counterintelligence

Over the past decade, the world of cybercrime has become highly compartmentalized. Some actors create malware, others collect data – all of which gets bought on the dark web and used for specific attacks by others. The fact that information has been collected about your company is a strong indicator of an impending attack, so monitoring activity of this kind can give you advance warning of the threat. For example, if someone puts data about your company up for sale, it's very likely it'll be used later to carry out an attack. By doing your own counterintelligence, you can take preemptive action: warn employees about what data the attackers have, put security analysts on high alert, and so on. Such monitoring doesn't necessarily have to be done in-house: there are ready-made services that you can subscribe to, such as Kaspersky Digital Footprint Intelligence. Note that our service offers far more than just monitoring of mentions of your company on the dark web. It also tracks attacks on your suppliers and customers, keeps tabs on APT campaigns that may affect your company or industry, provides vulnerability analysis, and much more.

Segmentation, rights management and Zero Trust

The third front is to mitigate the potential damage from attacks that deploy OSINT and social engineering. The primary goal here should be to limit lateral movement across the corporate network in the event of endpoint compromise. The first requirement is proper network segmentation: dividing company resources into separate subnets, defining security policies and settings for each of them, and restricting data transfer among them. Also pay attention to user access management. In particular, implement the principle of least privilege; that is, define and grant users only those accesses they need to perform their tasks, and review these rights regularly to reflect changes in their roles and responsibilities. The ideal option would be to adopt the Zero Trust concept, which assumes there's no secure perimeter and so, by definition, no device or user is trusted, whether inside or outside the corporate network.

Wrap-up

Open-source intelligence can be a powerful tool in criminals' arsenals. Therefore, you need to be aware of the dangers and take steps to mitigate potential damage. Here's a summary of my thoughts on how to protect your company from OSINT:

- Be sure to train employees in the basics of information security. To do this, you can use our interactive Kaspersky Automated Security Awareness Platform.
- Establish an internal communications channel to inform employees about information security.
- Try to monitor the collection and sale of your company's data on the dark web. Our Kaspersky Digital Footprint Intelligence can help with that.
- Take measures in advance to minimize potential damage: manage user rights with the maximum possible granularity; use network segmentation. And, ideally, embrace Zero Trust.

Why is .US Being Use ...

 A Little Sunshine

Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.

.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US. That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.

.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar. Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.

“The .US ‘nexus’ requirement theoretically limits registrations to parties with a national connection, but .US had very high numbers of phishing domains,” Interisle wrote. “This indicates a possible problem with the administration or application of the nexus requirements.”

Dean Marks is executive director and legal counsel for a group called the Coalition for Online Accountability, which has been critical of the NTIA’s stewardship of .US. Marks says virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse due to their policies and oversight.

“Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware,” Marks told KrebsOnSecurity. “In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public.”

Marks said there are very few phishing domains ever registered in other ccTLDs that also restrict registrations to their citizens, such as .HU (Hungary), .NZ (New Zealand), and .FI (Finland), where a connection to the country, proof of identity, or evidence of incorporation is required.

“Or .LK (Sri Lanka), where the acceptable use policy includes a ‘lock and suspend’ if domains are reported for suspicious activity,” Marks said. “These ccTLDs make a strong case for validating domain registrants in the interest of public safety.”

Sadly, .US has been a cesspool of phishing activity for many years. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnets (attack infrastructure for DDoS, etc.) and illicit or harmful content. Back then, .US was being operated by a different contractor.

In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet the NTIA’s nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants. Attempting to register a .US domain through GoDaddy, for example, leads to a U.S. Registration Information page that auto-populates the nexus attestation field with the response, “I am a citizen of the United States.” Other options include, “I am a permanent resident of the US,” and “My primary domicile is in the US.” It currently costs just $4.99 to obtain a .US domain through GoDaddy.

GoDaddy said it also conducts a scan of selected registration request information, and conducts “spot checks” on registrant information.

“We conduct regular reviews, per policy, of registration data within the Registry database to determine Nexus compliance with ongoing communications to registrars and registrants,” the company said in a written statement.

GoDaddy says it “is committed to supporting a safer online environment and proactively addressing this issue by assessing it against our own anti-abuse mitigation system.”

“We stand against DNS abuse in any form and maintain multiple systems and protocols to protect all the TLDs we operate,” the statement continued. “We will continue to work with registrars, cybersecurity firms and other stakeholders to make progress with this complex challenge.”

Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target.

“Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers,” Interisle wrote. “.US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great Britain’s Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority.”

The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public. Interisle argues that without more stringent efforts to verify a United States nexus for new .US domain registrants, the NTIA’s proposal will make it even more difficult to identify phishers and verify registrants’ identities and nexus qualifications. The NTIA has not yet responded to requests for comment.

Interisle sources its phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. For more phishing facts, see Interisle’s 2023 Phishing Landscape report (PDF).
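The distinction Interisle's figures rest on, six million phishing reports versus 30,000 unique .US domains, is easy to lose when tallying a raw feed, because one phishing domain typically generates many reports. The following Python is an added example, not Interisle's code or data: it reduces a list of report URLs (the one-URL-per-report shape that feeds such as APWG, OpenPhish and PhishTank publish) to registered domains per TLD, normalizing case, dropping ports and IP literals, and treating multi-label suffixes such as co.uk as one registrable unit. The sample URLs, the small suffix set standing in for the Public Suffix List, and the resulting counts are all constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Added example, not Interisle's code or data. Reduces a feed of phishing
# reports (one URL per report) to unique registered domains per TLD, so that
# report volume is not mistaken for domain volume.

# Stand-in for the Public Suffix List; a real tally would load the full list.
# This subset is an assumption for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

# Constructed sample feed: eight reports, five registered domains, three TLDs.
SAMPLE_REPORTS = [
    "http://parcel-fee-notice.us/track?id=1",
    "https://parcel-fee-notice.us/track?id=2",
    "http://www.Parcel-Fee-Notice.US/login",      # same registered domain
    "https://account-review-alert.us/",
    "http://secure-mailbox-update.us:8080/verify",
    "https://kundenservice-login.de/",
    "http://delivery-charge-due.co.uk/pay",       # multi-label suffix
    "http://198.51.100.7/phish",                  # IP literal: no TLD
]


def registered_domain(url: str) -> Optional[str]:
    """Lowercased registered domain of a URL; None for IP literals or junk."""
    host = urlsplit(url).hostname  # lowercases, drops port and userinfo
    if not host or host.replace(".", "").isdigit():
        return None
    labels = host.strip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tally_by_tld(report_urls):
    """Map TLD -> (report count, unique registered domain count)."""
    reports = Counter()
    domains = defaultdict(set)
    for url in report_urls:
        dom = registered_domain(url)
        if dom is None:
            continue
        tld = dom.rsplit(".", 1)[-1]
        reports[tld] += 1
        domains[tld].add(dom)
    return {tld: (reports[tld], len(domains[tld])) for tld in reports}


if __name__ == "__main__":
    for tld, (n_reports, n_domains) in sorted(tally_by_tld(SAMPLE_REPORTS).items()):
        print(f".{tld}: {n_reports} reports, {n_domains} unique domains")
```

On the sample feed the three .us hostnames that share a registered domain collapse to one, so .us shows 5 reports but 3 domains; a per-TLD comparison like Interisle's only means something on the domain count, and only after the same suffix rules are applied to every TLD.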

 Malware and Vulnerabilities

The Remcos RAT utilizes complex obfuscation techniques to evade detection and deliver a sophisticated remote access payload. It has multiple stages of execution, including VBS and PowerShell scripts, to download and execute the final payload.

 Breaches and Incidents

Some customers of the network security company LogicMonitor have been hacked due to the use of default passwords, TechCrunch has learned. A LogicMonitor spokesperson confirmed “a security incident” affecting some of the company’s customers.

 Malware and Vulnerabilities

Also known as keygroup777, Key Group is a Russian-speaking cybercrime actor known for selling personally identifiable information (PII) and access to compromised devices, as well as extorting victims for money.

 Breaches and Incidents

According to the platform, the admin access token used in the attack was leaked in a July 14 commit that passed internal code analysis tools. The token “had broad privileges to view and modify account information on Sourcegraph.com”.
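The failure mode in this item is a credential that a code-analysis pass let through into a commit. As an added example (not Sourcegraph's code, and making no claim about its token format), the following Python scans only the added lines of a unified diff for publicly documented credential formats and for high-entropy quoted literals assigned to secret-looking names, which is the shape of check a pre-commit hook or CI gate runs. The sample diff, the file path and the ADMIN_TOKEN value are constructed and hypothetical; the AWS key ID is Amazon's documented placeholder, not a live key.

```python
import math
import re
from collections import Counter

# Added example, not Sourcegraph's code. Scans only the added ('+') lines of a
# unified diff for credential-shaped strings, the check a pre-commit hook or
# CI gate would run so that a token never lands in a commit.

# Publicly documented token formats (AWS access key IDs, GitHub classic PATs).
KNOWN_TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic catch-all: a quoted literal of 20+ chars assigned to a secret-looking
# name (ADMIN_TOKEN, api_key, password ...). Entropy then filters out prose.
ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(token|secret|passw(?:or)?d|api[_-]?key|access[_-]?key)\w*"""
    r"""\s*[:=]\s*["']([^"']{20,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character: English prose is ~4, random base64 is ~5.5-6."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str, entropy_threshold: float = 3.5) -> list:
    """Return findings for added lines: file, new-file line number, rule, match."""
    findings = []
    path = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ")):
            continue
        if raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_lineno = int(m.group(1)) if m else 0
            continue
        if raw.startswith("+"):
            line = raw[1:]
            for rule, pat in KNOWN_TOKEN_PATTERNS.items():
                for mo in pat.finditer(line):
                    findings.append({"file": path, "line": new_lineno,
                                     "rule": rule, "match": mo.group(0)})
            for mo in ASSIGNMENT.finditer(line):
                value = mo.group(2)
                if shannon_entropy(value) >= entropy_threshold:
                    findings.append({"file": path, "line": new_lineno,
                                     "rule": "high_entropy_assignment",
                                     "match": value})
            new_lineno += 1
        elif raw.startswith(("-", "\\")):
            continue  # removed lines and "\ No newline" markers don't count
        else:
            new_lineno += 1  # unchanged context line
    return findings


# Constructed sample diff; the ADMIN_TOKEN value is hypothetical and the AWS
# key ID is Amazon's documented placeholder, not a live credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.test"]
-ADMIN_TOKEN = os.environ["ADMIN_TOKEN"]
+# TODO remove before merge
+ADMIN_TOKEN = "hyp0th3t1cal_Adm1n_T0k3n_Q8zX2vL9kR4mN7pW"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 TIMEOUT = 30
"""


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']}: {f['rule']} -> {f['match']}")
```

Scanning only the added lines keeps the check fast enough for every commit and avoids re-flagging secrets that are being removed; the line numbers reported are for the new file, so a finding can be turned straight into a review comment. The entropy threshold is a tunable and will still miss a low-entropy secret, so known vendor formats are matched separately rather than relying on entropy alone.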

 Feed

Red Hat Security Advisory 2023-4920-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.5 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2023-4924-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.5 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.

 Feed

A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear. The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report. The LNK file, upon

 Feed

The Classiscam scam-as-a-service program has reaped the criminal actors $64.5 million in illicit earnings since its emergence in 2019. "Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards," Group-IB said in a new report. "Since

 Feed

Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military. The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to “enable unauthorized access to compromised

 Feed

As cyber threats continue to evolve, adversaries are deploying a range of tools to breach security defenses and compromise sensitive data. Surprisingly, one of the most potent weapons in their arsenal is not malicious code but simply stolen or weak usernames and passwords. This article explores the seriousness of compromised credentials, the challenges they present to security solutions, and the

 Feed

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure is employed. “Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software

Aggregator history: Friday, September 01, 2023