Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Cybersecurity News

After multiple claims that Virginia election candidates' data had been leaked surfaced in the past few weeks, the Virginia Department of Elections has dismissed the allegations, saying the details were scraped from the department's official website.

The Virginia Department of Elections is responsible for providing and overseeing open and secure elections for the citizens of the Commonwealth of Virginia. It handles voter registration, absentee voting, ballot access for candidates, campaign finance disclosure and voting equipment certification in coordination with about 133 local election offices.

Virginia Department of Elections Breach Claims

On June 29, a threat actor under the moniker IntelBroker claimed a breach of the Virginia Department of Elections that yielded 65,000 election candidate records. The data allegedly included timestamps, usernames, election data, candidate information and voting method details.

(Image: Virginia Department of Elections data breach claim on an underground hacker forum)

"This breach was previously being sold on the forum, but as the data is still online, I decided to leak it to prevent new accounts scamming and gatekeeping this database," the threat actor said.

Prior to this, another threat actor on the same forum, "pwns3c", claimed a breach of the Virginia Department of Elections but said only 6,500 records were compromised. That actor was selling the data set, which contained similar details to those advertised by IntelBroker, for just $30. "pwns3c" has also offered for sale a database purported to contain sensitive data and documents from a City of New York data breach.

On Monday, a third threat actor, "LoveBeauty", posted detailed information about election candidates and results, raising concerns over the integrity of the state's electoral data and processes. The data, readable by anyone, consisted of a 16.6MB CSV file with 65,548 lines of election-related information.

The dataset includes candidate IDs, names, total votes received, party affiliations, write-in votes, locality codes, precinct details, district information, office titles and specific election details. It covers local government roles and legislative positions from Virginia's November 2023 General and Special Elections, including unique identifiers and vote counts for candidates for the House of Delegates, commissioners, senators, directors and members of boards of supervisors. An independent media outlet that cross-referenced a sample of the posted records against actual candidates and parties from the 2023 elections confirmed that the records were genuine. A match against published results, however, is exactly what scraped public data would also produce, so it does not by itself indicate a breach.

Data Likely Scraped: Virginia Department of Elections

A Virginia Department of Elections spokesperson told The Cyber Express that this is likely scraped data.

"No breaches or data compromises have been detected," the department said.

"The Department of Elections (ELECT) is aware of the social media post from a user purporting to expose a data breach of Department of Elections data. The message posted on X, formerly known as Twitter, references data that is already publicly available on the Department of Elections' website under Election Reports/Results," the spokesperson said.

Although election authorities dismissed the leak claims this time, a genuine breach would have significant repercussions. It could put candidates' personal information at risk and undermine confidence in the electoral process. Public trust, already fragile in many places, could be further eroded by a significant breach. Election integrity is a cornerstone of democracy, and claims like these underscore the need for strong cybersecurity measures around electoral processes.

The Virginia Department of Elections pledged vigilance around any potential threats to its election infrastructure and continues to work with local, state and federal partners to ensure the safety and security of the electoral process. State officials are involved in the MS-ISAC pilot project. The Department of Homeland Security and the Virginia Information Technologies Agency continue to provide cyber services to the department, and any identified issues will be addressed appropriately, the department said.


 Cybersecurity News

Multiple firms managing their domain names through domain registrar Squarespace have reported instances of hijacking in the last week. The hijacking stemmed from security flaws in Squarespace's migration of the Google Domains assets it acquired last year: former Google Domains customers who had not yet created an account on the platform found that attackers had claimed it first.

Squarespace Domain Hijacking in Detail

In June 2023, Squarespace, based in New York City, acquired nearly 10 million domain names from Google Domains and has been gradually transferring these domains to its own service. The hijacking primarily took place from July 9 to 12. The attackers mainly targeted cryptocurrency companies such as Celer Network, Compound Finance, Pendle Finance and Unstoppable Domains. According to KrebsOnSecurity, the attackers took control of Squarespace accounts that had been migrated without a Google login and were instead tied to an email address linked to the domain. In a few cases, the criminals redirected the hijacked domains to phishing websites designed to steal cryptocurrency from unsuspecting visitors. As of publication time, Squarespace had not responded to the hijack or issued a public statement on the matter.

Security Experts Explain Loophole by Squarespace

An analysis by researchers at MetaMask and Paradigm speculates that the main reason for the hijacks is that Squarespace assumed every user migrating from Google Domains would pick a social login option such as "Continue with Google" or "Continue with Apple" rather than "Continue with email".

(Image source: X)

MetaMask's lead product manager, Taylor Monahan, said Squarespace did not consider the possibility that a threat actor could register an account with an email address connected to a recently migrated domain before the real holder did. "As a result, there's nothing stopping them from attempting to log in with an email address," Monahan told KrebsOnSecurity. "Since there's no password set on the account, it simply redirects them to the 'create password for your new account' process. And because the account is partially initialized on the backend, they now have control over the domain in question."

Monahan also disclosed that registering a new account with an email address did not require the address to be verified. Transfers of domains from Google to Squarespace are public records, Monahan said. "It's either public or readily obtainable knowledge regarding which email addresses have administrative control over a domain. If the email address has never been used to pull out a Squarespace account, it's possible that anyone who enters that email@domain combination in the Squarespace form now has full control over the domain."

A takeover is also possible when attackers obtain the email addresses of lower-privileged accounts that are active users of the domain, such as a "domain manager", a role that is among the few able to transfer control of the domain or redirect it to another internet location.

Users have few options for monitoring account activity, Monahan added. "You basically have no control over the access different folks have. You don't have any audit logs. You don't get email notifications for some actions. The owner doesn't get email notification for actions taken by a 'domain manager.' This is absolutely insane if you're used to and expecting the controls Google provides."

Recommendations for Squarespace Users

Monahan expressed concern that the migration process has left domain owners with limited options to secure and monitor their accounts.
"One of the first steps to complete is to carry out a test to see which people can access your new account on Squarespace," she advises. "The teams, in most cases, do not even know about the accounts' existence."

The researchers' write-up includes a detailed guide to securing Squarespace user accounts, urging users to enable multi-factor authentication, which was disabled during the migration. The guide also recommends deleting Squarespace user accounts that are no longer needed and removing reseller access in Google Workspace. "If it was Google Domains you took Google Workspace from, Squarespace might also be your authorized reseller," the help document explains. "That means anyone with your Squarespace account can also access your Google Workspace through the backdoor unless you explicitly disable it following the instructions provided here, which are highly recommended. It's safer to protect one account rather than two."
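The account-initialization flaw Monahan describes, modelled as an added example (not Squarespace's code): a migrated account that exists with no password and no verified email, the vulnerable claim path that hands it to the first caller, and a hardened path that releases the first password only to someone holding a single-use token sent to the mailbox on record. The account store, function names and token scheme are assumptions made for the illustration.

```python
"""Model of the migrated-account claim flow described above.

Added illustration, not Squarespace's code: the account store, the function
names and the token scheme are assumptions made for this example.
"""
import hashlib
import hmac
import os
import secrets


class ClaimError(Exception):
    """Raised when an account cannot be claimed."""


def _hash_password(password, salt=None):
    """Salted PBKDF2; any proper password KDF would do here."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_migrated_accounts():
    """Constructed sample: an account pre-created by a registrar migration.
    No password has been set and the address has never been verified, which
    is the state a freshly migrated email-login account would be in."""
    return {
        "dns-admin@example.com": {"domain": "example.com", "password": None, "verified": False},
    }


def vulnerable_claim(accounts, email, new_password):
    """Vulnerable flow: whoever submits an unclaimed email first gets to set
    the password and walks away with the domain. Nothing proves the caller
    can read mail at that address."""
    acct = accounts.get(email)
    if acct is None:
        raise ClaimError("unknown account")
    if acct["password"] is not None:
        raise ClaimError("account already claimed; use normal login")
    acct["password"] = _hash_password(new_password)
    return acct["domain"]


# Server-side store of outstanding proof-of-mailbox tokens (assumed design).
_pending_tokens = {}


def start_hardened_claim(accounts, email):
    """Hardened flow, step 1: mint a single-use random token and, in a real
    system, send it only to the mailbox on record. The return value stands
    in for 'the email that was sent'; the web form never sees it."""
    if email not in accounts:
        raise ClaimError("unknown account")
    token = secrets.token_urlsafe(32)
    _pending_tokens[email] = token
    return token


def finish_hardened_claim(accounts, email, token, new_password):
    """Hardened flow, step 2: only a caller holding the emailed token may set
    the first password, so control of the mailbox is proven before control
    of the domain is handed over."""
    acct = accounts.get(email)
    if acct is None:
        raise ClaimError("unknown account")
    if acct["password"] is not None:
        raise ClaimError("account already claimed; use normal login")
    expected = _pending_tokens.get(email)
    if expected is None or not hmac.compare_digest(token, expected):
        raise ClaimError("mailbox control not proven")
    del _pending_tokens[email]  # single use
    acct["verified"] = True
    acct["password"] = _hash_password(new_password)
    return acct["domain"]


if __name__ == "__main__":
    accounts = make_migrated_accounts()
    # The attacker races the legitimate owner and wins on the vulnerable path.
    print("attacker controls:", vulnerable_claim(accounts, "dns-admin@example.com", "attacker-pw"))

    accounts = make_migrated_accounts()
    try:
        finish_hardened_claim(accounts, "dns-admin@example.com", "guessed-token", "attacker-pw")
    except ClaimError as err:
        print("hardened path refused attacker:", err)
```

The hardened path also fixes the second weakness Monahan notes: because the token is delivered only to the address on record, the address is verified as a side effect of claiming the account.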


 Cybersecurity News

The Philippine Department of Migrant Workers (DMW) has taken swift action to protect the personal data of overseas Filipino workers (OFWs) after a ransomware attack prompted the agency to shut down its online systems. While the attack has caused inconvenience, the DMW has activated new protocols to handle the daily transaction needs of OFWs while keeping their information safe and secure.

Manual Processing at Department of Migrant Workers Offices

In a statement on Tuesday, the DMW said OFW data remains secure despite the cyber incident. The agency took its Management Information Technology System offline as a precautionary measure to protect worker information. To minimize disruption, the DMW activated manual processing of Overseas Employment Certificates and OFW passes at its national and regional offices, one-stop shops and Migrant Workers Assistance Centers.

The DMW stated, "As a result of a ransomware attack on DMW online systems, the Department through its Management Information Technology System had to take pre-emptive measures to protect OFW data and information, such as taking the systems offline."

OFWs can visit these locations to obtain necessary documents while online systems are unavailable. The DMW has also established an email-based system for OFWs requiring access to information sheets: rather than physically visiting DMW offices, workers can send requests to infosheet@dmw.gov.ph, and the agency will email QR-coded information sheets directly to the requesting OFW. Alternatively, OFWs can submit requests via Messenger on the DMW's Facebook page.

By taking these measures, the DMW said it is ensuring that OFWs can continue to access the services they need while it works to restore its systems. The agency is also coordinating with the Bureau of Immigration and airport authorities to facilitate the smooth departure of OFWs. The DMW has apologized for any inconvenience caused by the attack and is working to restore its online systems and implement stronger measures to protect the information of OFWs.

In a statement on social media, the DMW said, "Rest assured, DMW databases containing OFW data were not affected by the attack, and that the DMW is currently working with the Department of Information and Communications Technology to restore online systems and ensure continued protection of the data and information of OFWs."

Philippines Cyber Attacks

The Philippines has seen an increased number of cyber attacks in recent times, prompting calls for stronger government measures to secure the nation's digital infrastructure. A recent bill, House Bill 8199, would task the Department of Information and Communications Technology with bolstering the Philippine National Cyber Security Plan (NCSP). Rep. Brian Raymund Yamsuan pushed for approval of the bill in the House of Representatives earlier this year. He stated, "This measure complements the NCSP and is a good jump-off point in accomplishing one of its primary objectives, which is to ensure convergence among all government agencies in protecting our country from cyber attacks."

Yamsuan also voiced support for reports that Philippine President Marcos, U.S. President Joe Biden and Japanese Prime Minister Fumio Kishida were drawing up joint plans for a cyber defense framework during an earlier trilateral summit. Several government agencies have also discussed measures to bolster their cybersecurity capabilities, including a unified system for setting minimum security standards, monitoring systems, and detecting and mitigating threats.


 Firewall Daily

Cyble Research and Intelligence Labs (CRIL) has identified a new shellcode loader named Jellyfish Loader. The .NET-based malware collects system information and establishes encrypted command and control (C&C) communications. Here is a detailed look at what CRIL has uncovered about this emerging threat.

CRIL researchers first encountered the threat in a ZIP file originating from Poland. The archive contained a clean PDF document alongside a Windows shortcut (.lnk) file disguised as a harmless file. When the .lnk file is opened, it downloads and executes the Jellyfish Loader, a 64-bit .NET executable named "BinSvc.exe" (SHA-256: e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c).

Overview of the Jellyfish Loader Campaign

The loader uses AsyncTaskMethodBuilder for asynchronous operations and validates the SSL certificate of its C&C server before talking to it. Its dependencies are embedded with Fody and Costura, which packs referenced assemblies into the main executable as resources, so the loader ships as a single file and leaves fewer artifacts on disk. Once running, the loader gathers system information, serializes it as JSON and Base64-encodes it, then sends the result to its C&C server in an HTTP POST request to "hxxps://ping.connectivity-check[.]com". CRIL was unable to obtain a shellcode payload from the server during testing, but the loader's code shows it is designed to download and execute additional payloads.
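An added triage example for the delivery chain and beacon described above (not CRIL's tooling): it opens a ZIP, flags any member whose bytes carry the Shell Link header regardless of the extension it was given, checks member hashes against the published SHA-256, and labels an HTTP POST to the published C&C host whose body decodes from Base64 to JSON. The lure archive, the shortcut bytes and the beacon body are constructed for the demonstration; the beacon's field names are not published and are assumed.

```python
"""Triage helpers for the Jellyfish Loader delivery chain described above.

Added example, not CRIL's tooling. The only real indicators used are the
SHA-256 and C&C host quoted in the write-up; the ZIP, the shortcut bytes and
the beacon body are constructed here for the demonstration.
"""
import base64
import binascii
import hashlib
import io
import json
import zipfile

# Indicators quoted in the CRIL write-up.
JELLYFISH_SHA256 = "e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c"
JELLYFISH_C2_HOSTS = {"ping.connectivity-check.com"}

# A Shell Link (.lnk) file starts with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}. Matching these bytes
# catches shortcuts no matter what extension the sender chose.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_zip():
    """Constructed lure: a clean PDF next to a shortcut masquerading as one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4\n%%EOF\n")
        z.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # header only
    return buf.getvalue()


def triage_zip(data, known_bad_sha256):
    """Return (finding, member name) pairs for shortcut files and hash hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            content = z.read(info)
            if content.startswith(LNK_MAGIC):
                findings.append(("shell_link_in_archive", info.filename))
            elif info.filename.lower().endswith(".lnk"):
                findings.append(("lnk_extension_in_archive", info.filename))
            if sha256_hex(content) in known_bad_sha256:
                findings.append(("known_bad_sha256", info.filename))
    return findings


def make_sample_beacon():
    """Constructed beacon body. The write-up says the loader posts
    Base64-encoded JSON; the field names are an assumption."""
    return base64.b64encode(json.dumps({"host": "WS01", "user": "jdoe"}).encode()).decode()


def decode_beacon(host, body):
    """Label an HTTP POST by destination host and, for a C&C host, try to
    recover the JSON beacon. Returns (verdict, decoded dict or None)."""
    if host.lower() not in JELLYFISH_C2_HOSTS:
        return "benign_host", None
    try:
        decoded = json.loads(base64.b64decode(body, validate=True))
    except (binascii.Error, ValueError):
        return "c2_host_unparsed_body", None
    return "jellyfish_beacon", decoded


if __name__ == "__main__":
    print(triage_zip(build_sample_zip(), {JELLYFISH_SHA256}))
    print(decode_beacon("ping.connectivity-check.com", make_sample_beacon()))
```

The header check matters more than the extension check: a mail gateway that only looks at names misses "report.pdf.lnk" when Explorer hides the real extension, but the first twenty bytes of a shortcut do not change.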
Interestingly, similarities between Jellyfish Loader and the infamous Olympic Destroyer point to shared coding styles and infrastructure reminiscent of techniques attributed to the Hades threat actor group, including the use of PowerShell scripts to download encrypted payloads, as documented by Kaspersky in 2018. The domain "connectivity-check[.]com", central to Jellyfish Loader's operations, has been observed since 2016 across various Autonomous System Numbers (ASNs), primarily ASN 16509 (AMAZON-02) since 2019. It hosts multiple subdomains that could serve as C&C endpoints.

Recommendations and Mitigations for Jellyfish Loader

CRIL's investigation suggests Jellyfish Loader is used in operations reminiscent of Olympic Destroyer, although direct attribution to the Hades group remains uncertain. Regardless of attribution, organizations are advised to harden their defenses: deploy endpoint protection capable of detecting shellcode execution; segment networks to limit lateral movement and contain damage after a compromise; use application allowlisting so that only authorized binaries can run, which would stop an unexpected BinSvc.exe from launching; continuously monitor network traffic for patterns indicative of shellcode delivery or C&C communications, including POST requests to the domain above; and inspect SSL/TLS traffic where policy permits, since the loader's beacon is only visible after decryption.

As threats evolve, ongoing vigilance and collaboration across security communities remain essential to countering loaders like Jellyfish. CRIL says it will continue its research and collaboration to raise awareness and strengthen defenses against emerging threats.


 Cybersecurity News

MuddyWater, a threat actor group linked to Iranian intelligence, has been running a new malware campaign targeting several Western and Middle Eastern entities. The malware, dubbed "MuddyRot", is a backdoor implant written in C with a wide range of capabilities and was used primarily against targets in Turkey, Azerbaijan, Jordan, Saudi Arabia and Israel.

MuddyRot Malware

Researchers from Sekoia observed that MuddyRot is distributed through malicious PDF files and that the operators rely on public exploits to compromise internet-exposed servers such as Exchange or SharePoint, moving laterally through the network after a successful compromise. The threat actors then send spear-phishing emails from compromised email accounts to bypass security measures and appear legitimate to recipients.

(Image source: blog.sekoia.io)

MuddyRot uses a combination of obfuscation and encryption to evade detection. On execution it de-obfuscates its strings, resolves the API functions it needs at runtime (dynamic import loading, which keeps the import table sparse and reduces the static footprint), and creates a mutex, a named synchronization object used here to ensure that only one instance of the backdoor runs at a time.

(Image source: blog.sekoia.io)

The malware establishes persistence by creating a scheduled task and copying itself to a system directory. It then communicates with its command and control (C2) server over a raw TCP socket. MuddyRot supports commands including file upload and download, a reverse shell and process termination. The reverse shell lets the operator execute commands on the victim host and receive the results in real time; the developer added a "terminate" command to stop it. C2 traffic is obfuscated with simple byte arithmetic: a fixed value is subtracted from each incoming byte to decode commands, and three is added to each outgoing byte.
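An added example (not Sekoia's code or the implant's) of the byte-shift obfuscation described for the C2 channel, together with the analyst-side trick of recovering the constant from a capture. The write-up gives the scheme only as "subtract a fixed value on input, add three on output"; treating it as per-byte arithmetic modulo 256 and using 3 for the inbound value are assumptions, and the captured bytes are constructed.

```python
"""Byte-shift obfuscation of the kind described for MuddyRot's C2 channel.

Added example, not Sekoia's code or the implant's. The write-up states the
scheme as 'subtract a fixed value on input, add three on output'; per-byte
wrap-around arithmetic and the value 3 for the inbound direction are
assumptions. The captured bytes below are constructed.
"""

OUTBOUND_ADD = 3   # stated in the write-up
INBOUND_SUB = 3    # assumption: the page does not give the value

# ASCII text plus tab, LF and CR: what a decoded command or shell output
# should look like.
_TEXTUAL = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def implant_decode(data, sub=INBOUND_SUB):
    """What the implant does to a command received from the C2."""
    return bytes((b - sub) & 0xFF for b in data)


def implant_encode(data, add=OUTBOUND_ADD):
    """What the implant does to output before sending it to the C2."""
    return bytes((b + add) & 0xFF for b in data)


def operator_encode(command, sub=INBOUND_SUB):
    """Operator side: apply the inverse so the implant's decode yields text."""
    return bytes((b + sub) & 0xFF for b in command.encode())


def recover_shift(captured):
    """Analyst side: the shift is a single constant, so brute-force all 256
    candidates and keep the one that turns the most bytes into text."""
    def score(k):
        return sum(1 for b in captured if ((b - k) & 0xFF) in _TEXTUAL)
    return max(range(256), key=score)


def build_capture():
    """Constructed packet payload: implant output as it crosses the wire."""
    return implant_encode(b"C:\\Windows\\system32>whoami\r\nnt authority\\system\r\n")


if __name__ == "__main__":
    wire = operator_encode("whoami")
    print("implant sees:", implant_decode(wire))
    cap = build_capture()
    k = recover_shift(cap)
    print("recovered shift:", k)
    print(implant_decode(cap, k).decode())
```

Because the scheme is a constant shift rather than a keyed cipher, a defender with a packet capture can decode the session offline without any sample of the implant; the same brute-force works on the inbound direction by swapping the sign.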
The MuddyRot backdoor implant supports the following commands:

(Image: MuddyRot command table. Source: blog.sekoia.io)

These commands are exchanged with the C2 servers over TCP port 443, with further obfuscation to avoid detection.

Shifting Tactics

MuddyWater has shifted its infection strategy from off-the-shelf remote monitoring and management tools such as Atera and SimpleHelp to the custom-built MuddyRot implant. While the exact reasons for the switch are unknown, the researchers speculate that increased scrutiny of these tools by security vendors, and difficulties the attackers ran into when deploying Atera on targets, prompted the move to something custom. The researchers also note the departure in MuddyWater's recent campaigns from its traditional infection chain toward well-known exploits and spear-phishing emails carrying PDF files with embedded links that load the MuddyRot validator. The new tactic helps the malware evade detection and increases its chances of successful infection. The researchers have shared indicators of compromise (IOCs) on GitHub to help defenders detect MuddyRot deployments. Other cybersecurity firms, including Check Point and ClearSky, have recently published their own investigations into the new campaign from the Iranian threat actor.


 Appointments

Medius, a global leader in AP automation and spend management solutions, has announced the appointment of Fahmi Megdiche as its new Chief Information Security Officer (CISO). The move comes as Medius continues its rapid expansion across Europe and America, aiming to strengthen its security posture and safeguard its AI-powered solutions.

In a recent LinkedIn post, Megdiche expressed his excitement about joining Medius: "I'm thrilled to announce that I've taken on the role of Chief Information Security Officer (CISO) at Medius. Medius is a global leader in AP automation and spend management with cutting-edge technology transforming business financial management. It continues its swift expansion across Europe and America with fantastic business goals and ambition." He also thanked Yosra Hidri, Ahmed Fessi, Kristin Widjer, Branden Jenkins and Karim Jouini for their trust and support in his new role. "This is an exciting time to join the team, and I'm honored to lead our cybersecurity strategies to sustain and protect our innovative, top-tier AI-powered solutions delivered around the globe," he added.

Based in France, Megdiche will lead Medius' cybersecurity strategy, focusing on product development, IT and security operations. His appointment coincides with Medius' recent acquisition of Expensya, an employee spend management solution, further solidifying the company's foothold in Europe.

Fahmi Megdiche: A Wealth of Experience

Megdiche brings 17 years of experience building security products and providing security consulting services. His career includes leadership roles at Telnet, AUSY and, most recently, WYND, one of France's fastest-growing SaaS companies, where he served as both CISO and Data Protection Officer (DPO) and built the company's security and privacy programs from the ground up.

Ahmed Fessi, CTIO of Medius, welcomed the appointment: "Fahmi will provide strategic insights and product-specific security knowledge, which will allow us to strengthen our internal defenses and improve our offerings to customers. We're excited to welcome Fahmi's expertise as a significant security leader to Medius as we work against an external environment where criminals are getting increasingly innovative with how they target companies."

Addressing Modern Business Challenges

In his new role, Megdiche will focus on challenges ranging from the rise of AI to increasing fraud and data protection issues. "Businesses are facing multiple challenges; from the rise of AI to increasing fraud and data protection issues, new technologies are creating new challenges for organizations globally. To prepare for these challenges, carefully considered strategies are needed. Helping Medius enhance their security and privacy plans, along with examining our offerings to customers, will be core parts of my role. I look forward to working on the Medius product suite, which is already an essential solution for financial leaders looking for secure and innovative AP and spend management solutions," he stated.

Medius is known for its AI-driven AP and spend management solutions designed to eliminate fraud and inefficiencies in business financial management. As the company expands geographically and broadens its product offerings, the appointment of a seasoned security leader signals its commitment to maintaining high standards of security and privacy for itself and its customers.


 Partnerships

With Ukraine embroiled in a brutal war and formally seeking EU membership, the recent EU-Ukraine Cyber Dialogue in Brussels signaled a critical shift: cybersecurity is no longer just a technical concern but a cornerstone of national security and geopolitical strategy. The 3rd EU-Ukraine Cyber Dialogue, held on Monday, yielded a multi-pronged approach. Both parties reaffirmed their commitment to responsible state behavior in cyberspace, a step toward deterring future cyberattacks, and agreed to collaborate on cyber diplomacy in international forums to amplify their voices and shape global norms.

Harmonizing EU and Ukraine Cybersecurity Frameworks, Sharing

Recognizing the evolving threat landscape, the EU and Ukraine will work to harmonize their cybersecurity frameworks. Ukraine will align its legislation with the EU's Network and Information Security (NIS) 2 Directive, strengthening critical infrastructure and supply chain resilience. The harmonization goes beyond technicalities: a unified approach to cyber defense makes it harder for attackers to exploit gaps between jurisdictions.

The dialogue was not merely theoretical. The EU and Ukraine agreed to enhance information sharing on cyber threats, risks and crisis management. The improved situational awareness is intended to give both sides a real-time picture of the threat landscape and to help counter ongoing and future Russian cyberattacks.

The EU pledged continued support for Ukraine's cyber resilience through initiatives such as "CyberEast" and collaboration with member states through the Tallinn Mechanism, a platform for coordinating cyber defense efforts.

(Image: Attendees of the 3rd EU-Ukraine Cyber Dialogue. Source: National Security and Defense Council of Ukraine)

Looking ahead, Ukraine may draw on the EU Cybersecurity Reserve, a pool of cybersecurity experts deployable in crisis situations. The European Security and Defence College, EUAM Ukraine (European Union Advisory Mission) and EUMAM Ukraine (EU Military Assistance Mission) will provide targeted training for Ukrainian civilian and military personnel. The existing working arrangement with ENISA, the EU's cybersecurity agency, and the operational agreement with Europol will continue to facilitate close cooperation between the relevant authorities, enabling a swift and coordinated response to cyber threats.

U.S.-Ukraine Bilateral Cybersecurity Partnership

Last month, a similar cybersecurity partnership between Washington and Kyiv was announced. The 10-year bilateral security agreement provides a framework for continued U.S. support for Ukraine's defense and deterrence capabilities, as well as for its economic recovery and reconstruction. One of the key components of the agreement signed by U.S. President Joe Biden and Ukrainian President Volodymyr Zelensky is cybersecurity and critical infrastructure protection. The United States committed to support Ukraine's capacity to improve the cybersecurity and protection of its critical infrastructure and government information resources, including by strengthening its cyber defenses against malicious cyber activity by Russia and other hostile state and non-state actors.

"Both sides commit to work together to improve Ukraine's ability to detect and remediate intrusions by malicious actors, including through technical assistance from the United States," the agreement said. "The United States intends to assist Ukraine to improve the cyber resilience of its critical infrastructure, especially energy facilities, against aerial strikes, and to support the quick restoration of destroyed infrastructure, including by providing material and technical assistance."


 Firewall Daily

A new study by Ivanti reveals a significant gap in understanding cybersecurity risks between IT professionals and non-IT leaders within organizations. The report, titled "Aligning Perspectives: Cyber Risk Management in the C-Suite", underscores the importance of effective communication between Chief Information Security Officers (CISOs) and senior executives in mitigating cyber threats.

According to the research, 55% of IT and security professionals feel that leaders outside IT do not have a comprehensive understanding of vulnerability management. This sentiment is shared by 47% of non-IT leaders themselves, a mutual recognition of the knowledge gap. Mike Riemer, Field CISO at Ivanti, emphasized the significance of this finding: "As the threat landscape evolves, CISOs play a pivotal role in balancing productivity with security."

Key Takeaways from Aligning Perspectives: Cyber Risk Management in the C-Suite

Despite advances in technology, the study finds that many organizations are ill-prepared for emerging threats exacerbated by artificial intelligence (AI). Nearly one-third of IT professionals admit to lacking a documented strategy for addressing risks associated with generative AI. This highlights the need for CISOs not only to secure networks but also to educate stakeholders on these threats.

The research also exposes a disparity in risk perception between IT professionals and non-IT executives. While 60% of leaders outside IT express high confidence in their organization's ability to thwart security incidents, only 46% of IT professionals share that level of assurance. The disconnect suggests non-IT leaders may underestimate the complexity and potential impact of cyber threats on their organizations. The report calls for enhanced collaboration and communication between CISOs and C-suite executives to bridge this gap. As cybersecurity continues to be a paramount concern in organizational governance, the role of CISOs in articulating the business impact of security incidents becomes increasingly important.

The Impact of AI on Cybersecurity Strategy

Riemer comments on the AI findings: "As AI technologies advance, so does the sophistication of cyber threats. CISOs must lead efforts to integrate AI into existing security protocols while educating stakeholders on emerging risks." The report emphasizes continuous education and adaptation within cybersecurity teams to stay ahead of AI-driven threats, and suggests CISOs play a pivotal role in advocating for robust AI mitigation strategies across the organization.

Bridging the Gap in Cyber Risk Perception

Riemer emphasizes the role of CISOs in closing the perception gap: "CISOs play a crucial role in educating senior executives about cybersecurity risks and aligning organizational strategies to mitigate these risks effectively."

Strategies for Effective Cyber Risk Management

The research highlights vulnerability management as a cornerstone of modern cybersecurity strategy and, given the 55% finding above, the need for CISOs to educate senior executives on the strategic implications of unaddressed vulnerabilities. With AI-driven threats a growing concern and documented strategies still missing at nearly a third of organizations, CISOs are urged to lead the integration of AI into existing security frameworks while advocating for proactive mitigation. Riemer sums up the proactive role expected of them: "CISOs must quantify the business impacts of security incidents and communicate these risks effectively to senior executives."


 Cyber Essentials

The Cyber & Infrastructure Security Centre (CISC) of Australia has recently announced that the Critical Infrastructure Risk Management Program (CIRMP) Annual Report filing period will run from July 1 to September 28, 2024. Organizations must submit their cybersecurity reports using this designated form by August 17, 2024. They will be required to develop, implement, and maintain a cybersecurity framework under the Security of Critical Infrastructure (SOCI) CIRMP Rules. This program is part of the Australian Government's effort to promote confidence in digital products and services, not only by ensuring their security and integrity but also by demonstrating the government's commitment to trustworthiness. In this way, the country aims not only to strengthen the privacy of its citizens but also to improve the standing of such products in the eyes of the public.

Australia's Global Collaboration Plan for Cybersecurity

While technology evolves, some of the most problematic digital products are still deficient in data protection. Many digital products still lack basic security features, so both individuals and companies who use them become easy targets for cybercriminals. The incursion of Advanced Persistent Threats (APTs) into industry, as well as technology obsolescence, makes it necessary to cooperate with other countries. For this reason, the Australian government is pushing for sustainable cooperation to address the problems of cybercrime by adhering to common standards. This includes measures like information sharing, exchanging best practices in cybersecurity, and employing innovation across countries. However, questions remain as to how international treaties among nations can counter possible cyberattacks through public-private cooperation, and how quickly they can react to restore a stable cyberspace. Australia has several complementary mechanisms to ensure digital products are secure by design, such as the Protective Security Policy Framework (PSPF) and the Security of Critical Infrastructure Act 2013. With these mechanisms, Australia aims to secure its digital products from the outset.

Work is currently being pursued under component three of the 2023-2030 National Security Strategy to address technology resilience and security not only in IT (Information Technology) but also in OT (Operational Technology) and ICS (Industrial Control Systems).

Advantages of Learning & International Collaboration for Cybersecurity

The Australian government is acquiring knowledge from the approaches of international partners and is using it to the fullest extent. "Australia and our international partners share a common goal: securing all technologies, including those employed in OT and ICS environments," said a representative from the Australian Department of Home Affairs to Industrial Cyber.

Public and Private Sector Collaboration for Cybersecurity

The next generation of public-private partnership (PPP) is crucial for strengthening Australia's cybersecurity posture. Sharing information, developing best practices, and responding to cyber incidents in a coordinated manner are all parts of the collaborative process, keeping Australia's digital infrastructure aligned. Australia gains additional benefits from its cooperation with foreign partners: beyond the sharing of cases and strategies, it helps and promotes each respective partnership. "Cybersecurity goes beyond borders," the Department of Home Affairs spokesperson explained in layman's terms. "Australia depends not only on the operational part of the agency but on the strong relationships with our foreign partners to deliver timely and necessary information to improve the responses to and mitigate cyber threats. The close international collaboration observed in aviation safety activities has served as a successful model for our efforts." The spokesperson insisted that the trend of coordinated regulations and policies is intensifying, and thus requires a more comprehensive and inclusive approach.

"Previously, the legislators had the freedom to modify the boundaries of the policy set up in a specific area, since policy making was done according to the forms of each jurisdiction at that time. However, now we are observing cybersecurity go global through various technologies that are running in a cross-border environment, largely avoiding the specific cases of the jurisdiction's law, economy, and cultural factors. Hence, countries all around the world not only recognize new and unique problems but are also willing to find different ways of addressing policy issues to bring about international agreement and transparency," the spokesperson concluded.


 Features

By Neelesh Kripalani, Chief Technology Officer, Clover Infotech

In today's digital landscape, the frequency and sophistication of cyber threats are escalating at an unprecedented pace. Attack volumes have surged, with cyber incidents becoming daily occurrences. Traditional methods of incident response are often too slow or ineffective in the face of evolving threats. In such a scenario, GenAI, with its ability to simulate potential attack situations and generate real-time responses, can automate and enhance the overall threat incident defence mechanism. Timely and effective incident response is crucial in minimizing the damage caused by cyber threats, as it enables organizations to quickly identify, contain, and neutralize attacks before they can inflict significant harm.

Here's How GenAI Transforms The Incident Response System

Automated Threat Detection and Analysis – The traditional approach to threat detection requires constant manual updates and vigilant monitoring, which can be labor-intensive and reactive. In contrast, GenAI revolutionizes this process by enabling continuous monitoring of network traffic, system logs, and user behavior to identify anomalies. Unlike static, rule-based systems, GenAI leverages historical data to recognize both known and unknown threat patterns, allowing for real-time detection of vulnerabilities and emerging threats.

Real-Time Response Automation – The traditional incident response paradigm involves manual interventions to contain and mitigate security threats. This manual process is not only time-consuming but also susceptible to human error. GenAI transforms this approach by enabling automated and immediate responses to detected threats. For instance, GenAI can autonomously isolate compromised systems, block malicious IP addresses, and deploy critical patches without requiring human oversight.

Incident Simulation and Prediction – Earlier, cybersecurity readiness relied on manual audits and predefined scenarios based on historical data. While useful, these methods often fall short when it comes to preparing for new, sophisticated threats. GenAI changes this landscape by generating a wide array of attack scenarios, including those that have not been previously encountered. By leveraging predictive analytics, GenAI can forecast potential threats based on observed trends and patterns, enabling organizations to take pre-emptive measures.

Adaptive Defence Mechanisms – In the traditional security framework, defence mechanisms are often static and outdated, requiring frequent manual updates and reconfigurations to remain effective. This static nature makes them vulnerable to evolving attack strategies. GenAI addresses this limitation by generating new defence rules and updating existing ones dynamically, based on the latest threat intelligence. This real-time adaptability allows GenAI to respond effectively to new tactics and techniques used by cybercriminals.

The Future

The future of GenAI in incident response is filled with both challenges and opportunities. Addressing challenges such as data privacy, bias, adversarial attacks, and integration hurdles is essential to unlock the full potential of GenAI in enhancing cybersecurity. The opportunities presented by GenAI, including proactive security, enhanced threat intelligence, task automation, continuous learning, and cost optimization, offer a transformative path forward for organizations seeking to strengthen their incident response capabilities.

Conclusion

GenAI is fundamentally reshaping the incident response landscape by automating critical processes, enhancing detection capabilities, and providing adaptive defence mechanisms. Its ability to learn from data, predict potential threats, and respond in real time makes it an invaluable asset in the fight against cybercrime.

Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.


 Business

As part of its latest Patch Tuesday, Microsoft has released patches for 142 vulnerabilities. Among them were four zero-day vulnerabilities. While two of them were already publicly known, the other two had been actively exploited by malicious actors. Interestingly, one of these zero-days, which supposedly had been used to steal passwords for the past 18 months, was found in Internet Explorer. Yes — that same browser that Microsoft stopped developing back in 2015 and promised to definitively, absolutely, for-sure bury in February 2023. Unfortunately, the patient proved to be stubborn — resisting its own funeral.

Why Internet Explorer isn't nearly as dead as we would all like

Last year, I wrote about what the latest attempt to kill off Internet Explorer actually entailed. I'll just give a brief version here; you can find the full story at the link. With the farewell update, Microsoft didn't remove the browser from the system but merely disabled it (and even then, not in all versions of Windows). In practice, this means that Internet Explorer is still lurking within the system; users just can't launch it as a standalone browser. Therefore, any new vulnerabilities found in this supposedly defunct browser can still pose a threat to Windows users — even those who haven't touched Internet Explorer in years.

CVE-2024-38112: vulnerability in Windows MSHTML

Now let's talk about the discovered vulnerability, CVE-2024-38112. This is a flaw in the MSHTML browser engine, which powers Internet Explorer. The vulnerability has a rating of 7.5 out of 10 on the CVSS 3 scale and a high severity level. To exploit the vulnerability, attackers need to create a malicious file in an innocent-looking internet shortcut format (.url, Windows Internet Shortcut File), containing a link with the mhtml prefix. When a user opens this file, Internet Explorer — whose security mechanisms aren't very good — is launched instead of the default browser.

How attackers exploited CVE-2024-38112

To better understand how this vulnerability works, let's look at the attack in which it was discovered. It all starts with the user being sent an .url file with the icon used for PDFs and the double extension .pdf.url. Inside the malicious .url file, you can see a link with the vulnerable mhtml prefix.

Image caption: The last two lines of the .url file are responsible for changing the icon to the one used for PDFs.

Thus, to the user, this file looks like a shortcut to a PDF — something seemingly harmless. If the user clicks on the file, the CVE-2024-38112 vulnerability is exploited. Due to the mhtml prefix in the .url file, it opens in Internet Explorer rather than the system's default browser.

Image caption: Attempting to open the malicious file launches Internet Explorer.

The problem is that in the corresponding dialog box, Internet Explorer shows the name of the same .url file pretending to be a PDF shortcut. So it's logical to assume that after clicking Open, a PDF will be displayed. However, in reality, the shortcut opens a link that downloads and launches an HTA file. This is an HTML Application, a program in one of the scripting languages invented by Microsoft. Unlike ordinary HTML web pages, such scripts run as full-fledged applications and can do a lot of things — for example, edit files or the Windows registry. In short, they're very dangerous. When this file is launched, Internet Explorer displays a not-so-informative warning in a format familiar to Windows users, which many will simply dismiss.

Image caption: Instead of opening a PDF file, a malicious HTA (HTML Application) is launched, accompanied by an uninformative Internet Explorer warning.

When the user clicks Allow, infostealer malware is launched on the user's computer, collecting passwords, cookies, browsing history, crypto wallet keys, and other valuable information stored in the browser, and sending them to the attackers' server.

How to protect against CVE-2024-38112

Microsoft has already patched this vulnerability. Installing the update ensures that the trick with mhtml in .url files will no longer work, and such files will henceforth open in the more secure Edge browser. Nevertheless, this incident once again reminds us that the deceased browser will continue to haunt Windows users for the foreseeable future. In that regard, it's advisable to promptly install all updates related to Internet Explorer and the MSHTML engine, and to use reliable security solutions on all Windows devices.
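For defenders who want to triage mail attachments or quarantined files for the shortcut trick described above, the following is an added example (not code from the original article or from Microsoft) that parses Windows .url shortcut contents and flags the three traits the article describes: the mhtml prefix, a document-lookalike double extension such as .pdf.url, and an icon borrowed from a local program. The icon heuristic, the sample file contents and the example.invalid hosts are constructed assumptions.

```python
"""Flag Windows Internet Shortcut (.url) files that match the CVE-2024-38112 lure.

Added defensive example, not code from the original article. Sample shortcut
contents are constructed for the test; the hosts are placeholders.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass, field
from pathlib import PurePath
from textwrap import dedent

# Document extensions that, when followed by ".url", make a shortcut look like a file.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


@dataclass
class ShortcutFinding:
    name: str
    url: str = ""
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_shortcut(text: str) -> dict[str, str]:
    """Parse the INI-style [InternetShortcut] section of a .url file.

    Returns lower-cased keys; an empty dict when the section is missing or the
    text is not valid INI at all.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def analyze_url_shortcut(name: str, text: str) -> ShortcutFinding:
    """Apply three checks drawn from the attack chain described in the article."""
    finding = ShortcutFinding(name=name)
    fields = parse_url_shortcut(text)
    finding.url = fields.get("url", "").strip()

    # 1. The mhtml: prefix is what diverts the shortcut into MSHTML / Internet Explorer.
    if finding.url.lower().startswith("mhtml:"):
        finding.reasons.append("URL uses the mhtml: prefix (handled by MSHTML / Internet Explorer)")

    # 2. A double extension such as report.pdf.url mimics a document.
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".url" and suffixes[-2] in DOC_EXTENSIONS:
        finding.reasons.append(f"double extension {''.join(suffixes[-2:])} mimics a document")

    # 3. Heuristic (an assumption, not from the article): an icon borrowed from an
    #    executable or DLL is a common way to dress a shortcut up as a PDF.
    icon = fields.get("iconfile", "").strip().lower()
    if icon.endswith((".exe", ".dll")):
        finding.reasons.append("IconFile borrows an icon from an executable or DLL")
    return finding


def scan_url_shortcuts(files: dict[str, str]) -> list[ShortcutFinding]:
    """Return only the suspicious findings for a mapping of filename -> content."""
    return [f for f in (analyze_url_shortcut(n, t) for n, t in files.items()) if f.suspicious]


# Constructed samples (not real attack artefacts); hosts are placeholders.
SAMPLES = {
    "invoice.pdf.url": dedent("""\
        [InternetShortcut]
        URL=mhtml:http://example.invalid/docs/invoice.pdf
        ShowCommand=7
        IconIndex=1
        IconFile=C:\\Program Files\\PDF Reader\\reader.exe
    """),
    "handbook.url": dedent("""\
        [InternetShortcut]
        URL=https://intranet.example.invalid/handbook
        IconFile=C:\\Users\\alice\\Favorites\\handbook.ico
    """),
}

if __name__ == "__main__":
    for finding in scan_url_shortcuts(SAMPLES):
        print(finding.name, "->", "; ".join(finding.reasons))
```

Any hit on the first check alone is worth a closer look on unpatched hosts, since a benign shortcut has no reason to carry the mhtml prefix.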

 Security Products & Services

Realm is an open-source adversary emulation framework focused on scalability, reliability, and automation. It features a custom interpreter in Rust, enabling the creation of complex TTPs as code.

 Malware and Vulnerabilities

The attackers target Turkish businesses with this ransomware campaign, distributing it via email addresses like Kurumsal[.]tasilat[@]internet[.]ru. The malware payload is hosted on a compromised GitHub account.

 Feed

Debian Linux Security Advisory 5730-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

 Feed

Ubuntu Security Notice 6896-2 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Atheros 802.11ac wireless driver did not properly validate certain data structures, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service.

 Feed

Ubuntu Security Notice 6895-2 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the HugeTLB file system component of the Linux kernel contained a NULL pointer dereference vulnerability. A privileged attacker could possibly use this to cause a denial of service.

 Feed

Ubuntu Security Notice 6893-2 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel when modifying certain settings values through debugfs. A privileged local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

 Feed

Red Hat Security Advisory 2024-4559-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include HTTP request smuggling, denial of service, and out of bounds read vulnerabilities.

 Feed

Red Hat Security Advisory 2024-4554-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include code execution and use-after-free vulnerabilities.

 Feed

Russian security vendor Kaspersky has said it's exiting the U.S. market nearly a month after the Commerce Department announced a ban on the sale of its software in the country citing a national security risk. News of the closure was first reported by journalist Kim Zetter. The company is expected to wind down its U.S. operations on July 20, 2024, the same day the ban comes into effect. It's also

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open

 Feed

An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack

 Feed

Identity-based threats on SaaS applications are a growing concern among security professionals, although few have the capabilities to detect and respond to them.  According to the US Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyberattacks begin with phishing, an identity-based threat. Throw in attacks that use stolen credentials, over-provisioned accounts, and

 Feed

Cybersecurity researchers have identified two malicious packages on the npm package registry that concealed backdoor code to execute malicious commands sent from a remote server. The packages in question – img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy – have been downloaded 190 and 48 times each. As of writing, they have been taken down by the npm security team. "They

 Feed

The Iranian nation-state actor known as MuddyWater has been observed using a never-before-seen backdoor as part of a recent attack campaign, shifting away from its well-known tactic of deploying legitimate remote monitoring and management (RMM) software for maintaining persistent access. That's according to independent findings from cybersecurity firms Check Point and Sekoia, which have

 Feed

Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities. The campaign has been codenamed Konfety – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds. "Konfety represents a new form of

 Podcast

In episode seven of The AI Fix, Alexa goes wild, Mark learns how to hang a towel on a Peloton for only $39.90 a month, Graham puts the news items in the wrong order, and a strawberry uses the internet. Graham explains to Mark what bats argue about, our hosts ponder whether AI should always write in Comic Sans, and Mark tells Graham why AIs are like dolphins that smoke pufferfish. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

 Cyber Security News

Source: www.databreachtoday.com – Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management. Disney's Data Targeted for Using Artists' Work in AI Systems, Hacking Group Says. Chris Riotta (@chrisriotta) • July 15, 2024. Topiary of Disney's Goofy character at Disney World theme park in Orlando (Image: Shutterstock). A hacking group […] The post Hacktivists Dump Disney Slack Data Online Over AI Projects – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Critical

Source: www.databreachtoday.com – Governance & Risk Management, Government, Industry Specific. GAO: Department Lacks Cybersecurity Strategies for Major Business IT Programs. Chris Riotta (@chrisriotta) • July 15, 2024. A global combat support system for the U.S. Marine Corps is one of the systems with gaps in cybersecurity, according to a […] The post DOD Failing to Fix Critical Cybersecurity Gaps, Report Says – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 attack

Source: www.databreachtoday.com – Fraud Management & Cybercrime, Healthcare, Industry Specific. Ransomware Hit on Pathology Firm Still Disrupting Organ Transplants, Blood Supply. Marianne Kolbasuk McGee (HealthInfoSec) • July 15, 2024. King's College Hospital in London is one of the NHS facilities still affected by the June ransomware attack on blood […] The post Synnovis Attack Halts 8,000 NHS Patient Procedures So Far – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Artificial Intelligence & Machine Learning, Governance & Risk Management, Next-Generation Technologies & Secure Development. Complaint Seeks SEC Investigation of Whistleblower Practices, Financial Penalty. Rashmi Ramesh (rashmiramesh_) • July 15, 2024. Image: Shutterstock. Whistleblowers from OpenAI reportedly complained to the U.S. Securities and Exchange Commission that the […] The post Employees Say OpenAI Shields Whistleblowers From Regulators – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 cyber

Source: www.databreachtoday.com – With the rapidly evolving threat landscape, Security Operations Centers (SOCs) are faced with more challenges in keeping their organizations secure, especially with the shift from centralized to hyper-distributed environments. This is where organizations can look to modern cybersecurity solutions like XDR to help reduce response time and improve efficiencies. In […] The post Enhancing Cyber Defense with AI-Powered SOCs – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Businesses

Source: www.databreachtoday.com – CISO Trainings, Leadership & Executive Communication, Training & Security Leadership. Andres Andreu Discusses How to Make an Organization Secure – and Successful. CyberEdBoard • July 15, 2024. Andres Andreu, deputy CISO, Hearst, and CyberEdBoard member. Many cybersecurity leaders tout the notion that cybersecurity is a business […] The post Cybersecurity Can Be a Business Enabler – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Allegedly

Source: www.databreachtoday.com – 3rd Party Risk Management, Fraud Management & Cybercrime, Governance & Risk Management. Paying Criminals for a Promise to Delete Data Is Part of the Problem. Mathew J. Schwartz (euroinfosec) • July 15, 2024. Image: Shutterstock. What will it take for victims of ransomware, extortion and other […] The post AT&T Allegedly Pays Ransom After Snowflake Account Breach – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Cloud Security, Cloud-Native Application Protection Platform (CNAPP), Security Operations. Largest Deal in Cyber History Would Help Google Rival Microsoft, Limit Partnerships. Michael Novinson (MichaelNovinson) • July 15, 2024. Despite all the platformization buzz, there are very few vendors with market-leading capabilities in at least three disparate […] The post Why Google Is Eyeing a $23B Buy of Cloud Security Phenom Wiz – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

2024-07
Aggregator history
Tuesday, July 16