Cyber security aggregate rss news

Cyber security aggregator - feeds history

Void Banshee Targets ...

Cybersecurity News

Researchers have uncovered a critical vulnerability (CVE-2024-38112) that the Void Banshee threat actor group has been actively exploiting in a recent campaign to deploy the Atlantida info-stealer through a disabled version of Internet Explorer. The campaign highlights the security risks introduced by the maintenance of legacy software on modern systems.

Anatomy of Void Banshee Attack-Chain

The Void Banshee group lures victims by disguising malicious files as e-books and sharing them through cloud services, Discord servers and online libraries. When a user opens one of these files, typically a zip archive masquerading as a PDF and containing malicious shortcut files, they trigger a chain of events that ultimately installs the Atlantida stealer.

[Image: Source: trendmicro.com]

Researchers from Trend Micro stated that the attack chain begins with a spearphishing email containing a zip archive with a malicious file disguised as a PDF. The file, named "Books_A0UJKO.pdf.url", uses the MHTML protocol handler and the x-usc! directive to exploit the CVE-2024-38112 vulnerability. This allows the attacker to access and execute files through the disabled IE process. The malicious file downloads an HTML file, which in turn downloads an HTA file containing a Visual Basic Script (VBScript) that decrypts and executes a PowerShell script.

[Image: Legacy Internet Explorer version on Modern Systems (Source: trendmicro.com)]

The PowerShell script downloads an additional script from a compromised web server and executes it in a new process. This script is designed to download and execute a PowerShell trojan, which can be used to compromise the victim's system. The campaign ultimately exploits the vulnerability in the MHTML protocol handler to access and run files through the system's built-in, disabled instance of Internet Explorer. This technique bypasses normal security controls and allows the attackers to directly execute the Atlantida info-stealer malware on the victim's system.

The researchers note that Atlantida is based on previous open-source stealers such as NecroStealer and PredatorTheStealer and shares many of their capabilities. It targets sensitive information from applications including Telegram, Steam, FileZilla, cryptocurrency wallets and web browsers such as Chrome and Microsoft Edge, exfiltrating data such as passwords and cookies. The malware also lets attackers capture the victim's screen and exfiltrate information from cryptocurrency-associated browser extensions, registering each extension with a unique 'Extension ID.' Exfiltrated data is compressed into a ZIP archive and transmitted via TCP.

Microsoft Patched Vulnerability

The researchers disclosed the vulnerability to Microsoft, which patched it in its July 2024 update cycle by unregistering the MHTML handler from Internet Explorer. However, experts warn that many systems may remain unpatched and vulnerable. To protect against this and similar attacks, security professionals recommend:

Promptly applying all available Windows security updates
Implementing robust email filtering to block malicious attachments
Educating users about the dangers of opening suspicious files or links
Deploying endpoint protection software capable of detecting and blocking such attacks

As cybercriminals continue to exploit overlooked vulnerabilities in legacy systems, the discovery of CVE-2024-38112 serves as a stark reminder of the importance of comprehensive security measures and timely patching.
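The attack chain above hinges on a Windows Internet Shortcut (.url) file whose target invokes the MHTML protocol handler and the x-usc! directive, hidden behind a document-style double extension. The following triage script is an added example written for this page; it is not code from Trend Micro or The Cyber Express. It parses the [InternetShortcut] block of a .url file and flags the three traits the article describes. The sample shortcut contents are constructed for illustration, and the hostnames are placeholders rather than indicators from the report.

```python
"""Triage of Windows Internet Shortcut (.url) files for the traits the
Void Banshee report names: the mhtml: protocol handler, the !x-usc:
directive, and a document double extension such as .pdf.url.

Added example for this page, not the researchers' code. Sample contents
below are constructed; the hostnames are placeholders, not indicators.
"""
import configparser
import re
from dataclasses import dataclass, field

# Constructed sample: a benign shortcut as Windows would write it.
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"

# Constructed sample combining the handler and directive from the article,
# with placeholder hosts (example.invalid is reserved and never resolves).
SUSPICIOUS_URL = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://files.example.invalid/book!x-usc:http://files.example.invalid/book\r\n"
    "ShowCommand=7\r\n"
)

# A document-looking name ending in .url, e.g. Books_A0UJKO.pdf.url
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|epub)\.url$", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    url: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_target(content: str) -> str:
    """Return the URL= value of the [InternetShortcut] section ('' if absent).

    Only '=' is treated as a key/value delimiter so that the ':' characters
    inside the target URL are left untouched.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; compared case-insensitively below
    cp.read_string(content)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            for key, value in cp.items(section):
                if key.lower() == "url":
                    return value.strip()
    return ""


def triage_shortcut(filename: str, content: str) -> Verdict:
    """Collect the reasons a shortcut matches the article's attack pattern."""
    url = parse_url_target(content)
    verdict = Verdict(filename=filename, url=url)
    lowered = url.lower()
    if lowered.startswith("mhtml:"):
        verdict.reasons.append("URL uses the mhtml: protocol handler")
    if "!x-usc:" in lowered:
        verdict.reasons.append("URL contains the !x-usc: directive")
    if DOUBLE_EXT.search(filename):
        verdict.reasons.append("shortcut disguised with a document double extension")
    return verdict


if __name__ == "__main__":
    samples = [("readme.url", BENIGN_URL), ("Books_A0UJKO.pdf.url", SUSPICIOUS_URL)]
    for name, body in samples:
        v = triage_shortcut(name, body)
        print(name, "SUSPICIOUS" if v.suspicious else "clean", v.reasons)
```

Run over a mail gateway's extracted attachments or an archive-unpacking sandbox, any shortcut whose target starts with mhtml: is worth quarantining on its own, since a benign .url file points at an http(s) or file target; the double-extension check is a weaker signal and is reported separately so analysts can weigh it.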

Zero-Day Vulnerabili ...

Firewall Daily

A new threat has emerged concerning the security of VirtualBox virtual machines (VMs). A threat actor known as Cas has surfaced on BreachForums, revealing a zero-day exploit that allows for VM escape, potentially compromising host operating systems. This VirtualBox exploit, targeted at version 7.0 (18-15), has been demonstrated to work on both Linux host and guest systems, highlighting its versatility and potentially widespread impact.

Understanding the VirtualBox Exploit and VM Escape

Cas initially disclosed the VirtualBox exploit on July 15, 2024, accompanied by a video demonstration showcasing its execution. The exploit, priced initially at an exorbitant USD 1,000,069 and later increased to USD 1,690,069, gained attention within underground cybersecurity circles.

[Image: Source: Dark Web]

This price escalation followed purported positive feedback from prominent forum members, indicating perceived efficacy and demand for such vulnerabilities. The exploit leverages a critical flaw within VirtualBox's architecture, enabling an attacker to breach the confines of a virtual machine and interact with the underlying host system. This capability, known as VM escape, has severe security implications for organizations that rely on VirtualBox to isolate environments for testing and operational purposes.

Technical Details and Implications

VirtualBox, developed by Oracle, is widely used across industries to create and manage virtual machines. It allows users to run multiple operating systems simultaneously on a single physical machine, facilitating software testing and development and providing isolation between environments. Vulnerabilities such as the one exploited by Cas can undermine these benefits, potentially leading to unauthorized access and data breaches. The zero-day exploit, as detailed by Cas, involves a technique that exploits an undisclosed vulnerability in VirtualBox's implementation. This method bypasses the virtualization boundaries normally enforced by the software, granting malicious actors access to resources and data on the host system. Such breaches can have far-reaching consequences, including data exfiltration, system compromise and even disruption of critical operations, depending on the affected organization.

Mitigating the Risks

Immediate action is crucial to mitigate the risks posed by the VirtualBox VM escape exploit. Organizations using VirtualBox should prioritize several key steps. First, maintain a proactive approach to update and patch management by promptly applying patches released by Oracle, particularly those addressing critical vulnerabilities like the one exploited by Cas. Implementing segmentation and access control measures is essential to limit the impact of a VM escape, reducing the scope for unauthorized access and data breaches. Deploying comprehensive monitoring and detection mechanisms is also critical; these tools can identify suspicious activity indicative of VM escape attempts, enabling swift response and containment. Equally important is fostering security awareness and training among users and administrators, emphasizing the risks associated with VM escape vulnerabilities and promoting secure virtualization practices.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Is Your Device Spyin ...

Firewall Daily

Spyware presents a serious threat by infiltrating devices, accessing sensitive data, and transmitting it without consent. This form of attack underscores the importance of recognizing warning signs to detect and prevent infections, especially when browsing or reading email. If your device has been infected by spyware and any protections you had in place have been compromised, the following warning signs can help you tell.

10 Indicators Your Device May Have Been Compromised with Spyware

Frequent System Crashes

System crashes can stem from poorly written malicious programs that cause system instability. One of the first and most obvious signs is a device that shuts down unexpectedly or struggles to keep running. Malware runs unauthorized processes that consume system resources, leading to instability and crashes. Beyond being a side effect of infection, attacks like ransomware can deliberately crash systems to create chaos and force the user to pay a ransom to restore normal operation. These crashes can corrupt system files and data, making it difficult for legitimate applications to function correctly. Persistent crashes can also be a sign of malware trying to disable or bypass security software by disrupting its operation.

Pop-Up Messages and Ads

Pop-up messages and ads are often adware, a form of malware that constantly pushes unwanted advertisements at the user. These pop-ups work to distribute further malicious software by tricking users into clicking deceptive links. They often appear even when the browser is not open, and they can carry malicious scripts that execute automatically and infect the system further. User privacy is compromised along with device security, as browsing habits and personal information are tracked and sold to third parties. The relentless, intrusive nature of these pop-ups disrupts normal browsing and degrades system performance, making them a significant sign that malware is present.

Excessive Buffering and Slow Processing

Excessive buffering can indicate malware running background processes that consume significant system resources. Malware often uses the infected system's processing power and memory for its own purposes, such as data mining, sending spam email or taking part in distributed denial-of-service (DDoS) attacks. All of these activities demand heavy computation and interfere with system processes and services, so the system slows down and lags. This is particularly noticeable when running applications or performing tasks that previously worked smoothly, because malware operations are prioritized over legitimate user activity. Slow processing can also result from malware downloading or uploading data without the user's knowledge, further straining the system's resources.

Internet Traffic Increases

An increase in internet traffic is a common sign of malware, because malicious programs rely on network communication to achieve their goals. Sending large volumes of personal information and financial data to remote servers can cause this slowdown. Some types of malware, such as botnets, use infected devices to carry out large-scale attacks through spam email, increasing network traffic. Malware also tends to download malicious payloads or updates from control servers, which increases internet usage. Unusual or unauthorized connections in network traffic logs can indicate that the system is communicating with malicious domains, and legitimate browsing and online activity slow down, all of which makes the malware more noticeable.

Overheating

Overheating can be a sign of malware due to increased CPU and GPU activity from the extra running processes. Malware like cryptocurrency miners or botnets exploits the infected system's processing power for illicit gain, causing components to work harder and generate more heat. Overheating is particularly concerning for mobile devices and laptops, which have more limited cooling than desktops; prolonged high temperatures can damage hardware components and shorten the system's lifespan. Malware can also interfere with the normal operation of cooling systems, for example by manipulating fan speeds, making overheating worse. Since overheating can itself cause system instability and crashes, unexplained overheating can act as a sign of malware.

Being Redirected to Strange Websites

Being redirected to strange websites is a strong indicator of malware, specifically browser hijackers or adware. This type of malware differs from pop-up ads in that it alters browser settings and redirects users to malicious websites (often filled with advertisements) without their consent. These redirects are dangerous because they can occur when clicking legitimate links or even during regular browsing sessions. Redirection to phishing websites can compromise personal information, such as login credentials and financial details. This type of malware can also inject malicious scripts into web pages, further spreading the infection.

Unfamiliar Files or Apps

The presence of unfamiliar files or apps on a system is an obvious sign of malware infection. Malware often installs additional malicious programs or files without the user's knowledge; these can include files, scripts or applications that execute and perform unauthorized activities. Some malware disguises itself as legitimate software, making it difficult for users to identify malicious activity. Unfamiliar files or apps may be hidden or placed in obscure directories to evade detection, and may attempt to self-replicate or download additional payloads. Regularly checking for unknown or suspicious files and applications helps in identifying and removing malware from the system.

Suspicious Data Usage Increase

An unexpected increase in data usage can be a sign of malware, as data exfiltration can produce unusually high data usage even when the system is not actively being used. Data usage can also spike when malware downloads additional malicious payloads, updates or instructions from its servers. Malware such as adware or spyware generates high levels of network activity by loading ads, tracking user behavior or sending periodic reports. Monitoring data usage for unexplained spikes or patterns can help detect malware that operates covertly over the internet.

Anti-Virus Software Either Sending Alerts or Completely Disabled

When anti-virus software sends frequent alerts or becomes completely disabled, it is a strong indication of malware. Malware often disables the security programs that aim to block it, allowing the infection to persist and spread undetected. If anti-virus software is suddenly disabled without the user's intervention, malware has likely tampered with it. Frequent alerts can indicate ongoing attempts by malware to perform unauthorized actions or modify system settings, making the infection harder to detect and remove. Regularly checking the status of anti-virus software and responding promptly to alerts is crucial to maintaining system security and detecting potential infections.

Check for Unaccounted-for E-mails or Notifications

Unaccounted-for emails or notifications, specifically spam or phishing emails sent from the infected system, can be a sign of malware. Malware can gain access to email accounts and send messages to contacts, spreading the infection further or attempting to steal sensitive information. These emails often contain malicious links or attachments that can compromise recipients' systems. Monitoring email accounts and notification settings for unusual activity can help identify malware that exploits these channels. It is important to act quickly if such spam emails or notifications are detected, as they can indicate a compromised system and ongoing malicious activity.

Although some of these symptoms, such as excessive buffering or system crashes, may occur on their own and mean nothing, in combination with other abnormal activity they are signs of an infected device. Now that you are aware of these symptoms, you are safer in a world where hacking is becoming more and more prevalent. Protecting personal information and sensitive data is essential given how much we store on our devices, as is being able to stop ourselves from falling prey to attackers. And if we do somehow fall prey, it is important to know what can be done to minimize the damage. We hope everyone feels safer knowing the warning signs to look out for.

Inside Q2 2024’s R ...

Firewall Daily

The second quarter of 2024 witnessed significant developments in the ransomware landscape, characterized by challenges and adaptations within the RaaS (Ransomware-as-a-Service) ecosystem. According to data compiled by ReliaQuest's threat researchers, there was a 20% increase in the number of organizations identified on ransomware data-leak sites compared to Q1 2024. May emerged as a pivotal month, with 43% of organizations appearing on data-leak sites, driven largely by groups aiming to recover from earlier law enforcement actions. LockBit, in particular, featured prominently with 179 organizations affected in May alone, highlighting efforts to sustain operations amid adversity.

Newer entrants like RansomHub and BlackSuit capitalized on the void left by defunct groups such as ALPHV, leveraging new operational models and attractive affiliate programs. RansomHub introduced a novel payment structure offering upfront payments to affiliates, resulting in a significant uptick in affected organizations compared to previous quarters. This shift signifies a strategic pivot in affiliate recruitment within the ransomware community. The geographical distribution of ransomware attacks remained concentrated in Western countries, particularly the US, due to perceived financial capability and stringent regulatory environments. The professional, scientific, and technical services (PSTS) sector emerged as a focal point for ransomware activity, driven by its high impact potential and vulnerabilities within technology supply chains.

Emerging Trends and Tactics in Ransomware Landscape

Another significant trend observed during this period was the heightened exploitation of exposed credentials and the proliferation of social engineering tactics among ransomware groups. Forum discussions revealed an increase in recommendations for exploiting internet-facing application vulnerabilities, such as unpatched VPNs and Remote Desktop Protocol (RDP) tools. These tactics enabled threat actors to gain initial access to systems, highlighting the critical need for organizations to prioritize robust phishing training and timely software updates.

In terms of tactics, the emergence of single-extortion campaigns marked a departure from the double- and triple-extortion methods observed in previous quarters. Notably, a rare single-extortion campaign affected approximately 165 customers of the cloud computing-based data cloud company Snowflake. Analysts anticipate continued innovation in the ransomware landscape, with a focus on exploiting vulnerabilities in software supply chains and leveraging social engineering to gain unauthorized access.

Key Players and Strategies in the Ransomware Landscape

RansomHub's innovative affiliate program, which offers upfront payments rather than traditional commission structures, has garnered significant attention within the cybercriminal community. This approach resulted in a rapid increase in the number of affected organizations listed on its data-leak site, positioning RansomHub as a formidable player in the ransomware ecosystem. Similarly, BlackSuit has distinguished itself with sophisticated malware deployment methods and advanced encryption techniques. The group's activity has seen a surge in affected organizations, particularly in the manufacturing and PSTS sectors, reflecting its focus on high-value targets and operational efficiency.

In terms of operational strategy, RansomHub's affiliation with the hacking group "Scattered Spider" has been noted, suggesting collaborative efforts to enhance operational capabilities and expand their victim base. This alliance contributed to a 243% rise in organizations named on RansomHub's data-leak site quarter-over-quarter, underscoring the group's aggressive expansion. Analysts predict a continuation of competitive recruitment strategies among ransomware groups, with a potential increase in commission rates and the adoption of "big game hunting" tactics to target high-profile organizations.

Future Projections and Strategies Against Ransomware Threats

ReliaQuest analysts anticipate a sustained increase in ransomware incidents as emerging groups consolidate operations and established players adapt their strategies. However, the efficacy of ongoing law enforcement efforts and the availability of decryption keys are expected to temper overall growth rates in the medium term. The shift towards single-extortion campaigns and the increasing exploitation of exposed credentials highlight emerging tactics within ransomware operations. These developments underline the imperative for organizations to adopt proactive cybersecurity measures, including robust incident response protocols, digital risk protection (DRP) solutions, and comprehensive employee training on phishing prevention.

The ransomware landscape in Q2 2024 has highlighted the need for organizations to prioritize cybersecurity as a strategic imperative. By implementing proactive defenses, conducting regular vulnerability assessments, and enhancing endpoint protection, organizations can mitigate the risks posed by ransomware and cyber extortion threats.

MFA, Backups & More: ...

Firewall Daily

Phishing attacks represent the most prevalent cyber threat today, and their frequency is only rising. While this may be concerning, there are effective measures to protect yourself. Understanding the signs of phishing is crucial to safeguarding against these attacks, and knowing how to detect phishing attempts is essential to avoid falling victim. By recognizing suspicious activity and refraining from engaging, you can prevent potential attacks altogether. While security systems and software are beneficial, it is also important to be vigilant and able to identify phishing attempts independently. Even if you are unable to detect every attack, being well-informed allows you to mitigate their impact effectively. Continue reading to learn how you can best prepare yourself against the growing threat of phishing attacks.

Anti-Phishing Software and Email Filtering Systems

Email filtering systems, such as spam filters, are the first line of defense against phishing attacks. Usually present by default in e-mail services, these systems inspect incoming emails for known phishing indicators, such as suspicious sender addresses, malicious links or attachments. Machine learning algorithms and threat intelligence in anti-phishing software recognize patterns and compare them with a database of known threats. Advanced email security solutions then block phishing emails before they reach the user's inbox, reducing the chance of an attack succeeding.

Cybersecurity Training and Phishing Awareness

When it comes to our part in mitigating phishing attacks, educating users about how to detect them is crucial. Training may cover how to recognize the features typical of phishing emails, as well as the dangers of clicking on unknown links. Phishing simulations are one way to help users identify fake sender identities and other telltale features. Part of this training may include a process for reporting suspicious emails so that they can be promptly investigated and removed. Building a culture of security awareness reduces the chances of successful phishing attacks.

Ensuring Backup Strategies Are Present

Backups serve as a safeguard against data loss when phishing attacks occur and are necessary to mitigate the fallout. Regularly scheduled backups mean that compromised data can be replaced with an older, clean version. This also reduces the leverage attackers gain when they use data encryption or deletion as a form of attack. Additionally, a reliable backup system can help detect ongoing phishing attacks: as the system compares recent backup data with current data, patterns of attack can be identified. This detection mechanism can lead to swift investigation and response, limiting the extent of potential damage.

Multi-Factor Authentication (MFA)

Multi-factor authentication adds an extra layer of security on top of password protection by asking users to provide two or more types of verification to gain access. These may be codes, email verification, or even facial recognition. So even if a phishing attack captures a user’s login information, the attacker would still need the second factor, which tends to be something only the user has access to, such as a device. This significantly reduces the risk of unauthorized access resulting from phishing. It is important to know which MFA methods are strongest: SMS-based authentication should be avoided in favor of more secure methods such as authentication apps.

Ensuring Secure Browsing Practices

Encouraging secure browsing habits helps users recognize phishing sites, for example by checking the URL for HTTPS and other signs of a legitimate website and being wary of prompts asking for personal information. Beyond this education, browser extensions that warn users about suspicious websites are also helpful in aiding detection. Updating browsers regularly and enabling built-in security features help mitigate phishing risks. Web filtering solutions that block access to known phishing sites, and thus provide around-the-clock protection against malicious links, are crucial for mitigation as well.

Regular Security Audits and Updates

Conducting regular security audits helps in detecting vulnerabilities that could be used by phishing attackers. Regular security audits mean reviewing email security configurations, user access controls and similar settings. Most importantly, ensuring that systems and software are up to date with the latest security patches is crucial for mitigation. Addressing and fixing any vulnerabilities identified during these audits is essential to reducing the risk of phishing attacks. Regular audits can also include refining security policies and practices to keep pace with evolving industry practice.

Enforcing IP Regulations

Enforcing IP restrictions works by controlling access to network resources based on IP addresses. This method ensures that only authorized IP addresses can access sensitive systems, reducing the risk of unauthorized access typically associated with phishing attacks. IP restrictions help create a secure perimeter around critical assets. This is particularly effective in mitigating attacks where phishing aims to harvest login credentials to infiltrate the network. Any attempt to access the network from an unauthorized IP address can trigger alerts indicating potential phishing activity. This allows for quick detection and response to suspicious activity, reducing the time attackers have to exploit compromised credentials.

Unfortunately, phishing attacks are growing more and more common. However, with these steps, we are sure that everyone will feel more equipped to handle any malicious activity they encounter. Combined, these steps go a long way toward ensuring attacks cannot succeed in the first place. Putting up lines of defense is essential to making sure your or your organization's devices are as well prepared as possible for any breach. Protecting your information and data is becoming harder as attacks become more common and easier to carry out. Staying up to date on the latest cybersecurity tips and security methods is a necessity in our current digital world.

Kaspersky Bids Farew ...

Business News

In a heartfelt letter titled "To our Lovely you," Kaspersky Lab, the Russian cybersecurity firm, has announced its departure from the United States market. Addressing its American customers directly, Kaspersky expressed gratitude for their loyalty and trust over the years. The Kaspersky goodbye letter reflects the company's deep appreciation for the support received during these challenging times.

Kaspersky Goodbye Letter: Farewell Message and Gratitude

"Thank you for choosing and trusting Kaspersky throughout the years. We're deeply moved with all the kind words and supportive messages received in these difficult times," the Kaspersky goodbye letter begins. It continues, "We've always strived and remain committed to provide the best cybersecurity there is — independent, transparent, and expertly managed. Unfortunately, for now, you have one less choice in defending yourself against online threats."

To show appreciation, Kaspersky is offering its American customers a selection of its security solutions for free for six months. These can be accessed through the "My Kaspersky" portal. However, this gesture is constrained by the Department of Commerce's Bureau of Industry and Security (BIS) ban on the sale and distribution of Kaspersky products, including updates, in the United States, effective September 29. After the ban takes effect, U.S. users will not receive automatic updates or antivirus definitions and will need to download them manually from Kaspersky's site, if available.

[Image: Source: Kaspersky]

Kaspersky Operational Wind-Down and Layoffs

The company also confirmed the closure of its U.S. operations and the layoff of its entire American workforce, consisting of fewer than 50 employees. This move follows the U.S. government's decision to add Kaspersky to the Entity List, which includes foreign individuals, companies, and organizations deemed a national security concern. In a statement to The Cyber Express, Kaspersky said, "Starting from July 20, 2024, Kaspersky will gradually wind down its U.S. operations and eliminate U.S.-based positions. The decision and process follow the Final Determination by the U.S. Department of Commerce, prohibiting the sales and distribution of Kaspersky products in the U.S."

Impact and Future Prospects

The U.S. ban represents a significant blow to Kaspersky. While U.S. sales comprised roughly 10% of its global revenue and only about 3% of American antivirus users used Kaspersky software before the government ban in June, losing access to the U.S. market damages the company's brand reputation and may influence other nations to follow suit. Despite the setbacks, Kaspersky remains optimistic about its future. The company emphasized its resilience and commitment to customer protection worldwide. "Kaspersky’s business remains resilient, and our key priority remains the same – to protect our customers in any country from cyberthreats. Being a global cybersecurity vendor, the company will continue investing in strategic markets and remain committed to serving its customers and partners and ensuring their protection."

Kaspersky aims to adapt its sales pipeline and maintain its global presence by focusing on markets with the most potential for business development, such as Asia and South America. "As a global company operating in more than 200 territories and countries, Kaspersky will be able to adapt its sales pipeline and maintain its global presence by focusing on the markets where it sees the most potential for its business development," the company told TCE.

Security Tips for Users

In the farewell letter, Kaspersky offered several security tips for users to follow:

Always back up your data.
Be cautious of links and verify their source before clicking.
Protect your identity online by changing passwords regularly and keeping them long and complex.

Ongoing Scrutiny and Vulnerability Market

While the U.S. has banned Kaspersky, the company's products remain widely used, and critical vulnerabilities in them are in high demand. For instance, SSD Secure Disclosure, a vulnerability disclosure outfit headquartered in South Korea, has announced "BIG payouts" for pre-authentication remote code/command execution in Kaspersky Security Center, a security management solution for businesses.

With the U.S. market now off-limits and pressure from the European Parliament to exclude products from vendors in China and Russia from vital and sensitive sectors, Kaspersky is redirecting its focus to other regions. This strategic shift underscores the company's determination to sustain its global operations amid increasing geopolitical challenges. Kaspersky Lab's farewell to its American customers marks the end of an era for the company in the U.S. market. As the firm navigates these turbulent times, its commitment to cybersecurity and customer protection remains steadfast. The departure from the U.S. signifies not just the loss of a significant market but also a pivotal moment that will shape the future direction of Kaspersky's global operations.


 Cyber Essentials

By Venkatesh Sundar, Founder and President, Americas, Indusface

Application programming interfaces (APIs) are crucial for exchanging data between software systems. However, as reliance on APIs increases, robust security measures are needed to protect against unauthorized access, data breaches, and cyber threats. API security, encompassing authentication, encryption, input validation, rate limiting, monitoring, and secure coding practices, has emerged as an important aspect of cybersecurity in the interconnected tech world. API security covers three key areas: ensuring data confidentiality, guaranteeing content integrity, and enabling secure exchanges among applications, users, and servers with proper permissions.

API Security Complexities in Interconnected Tech

The rapid growth of digital transformation initiatives and the widespread adoption of APIs have led to interconnected systems and services, presenting unique security challenges. Here are some key challenges:

- Integration Demands: Seamless integration is important for businesses undergoing digital transformation. APIs facilitate this integration but expose sensitive data, necessitating robust security measures.
- Dependency on APIs: Cloud-based applications heavily rely on APIs for data exchange, making security vulnerabilities in these APIs a significant concern.
- Unique API Vulnerabilities: APIs introduce distinctive security challenges, and traditional solutions may fall short in addressing them adequately.
- Complex Ecosystems: Microservices architectures further complicate API security, creating an intricate web of potential vulnerabilities.
- Exposure to Threats: Expanded API usage broadens the attack surface for cybercriminals, necessitating vigilant monitoring and protection.
- Diverse Implementations: Lack of standardized practices in API development leads to inconsistencies in security implementations.
- External Risks: Organizations often rely on third-party APIs, introducing external factors beyond their direct control.

API Risks and Consequences

While APIs are not inherently insecure, the sheer volume of deployed APIs poses challenges for security teams. Insufficient skills in API development and failure to adhere to web and cloud API security rules may lead to vulnerability.
Attackers exploit these vulnerabilities, leading to data exposures, denial of service, authorization flaws, and security misconfigurations. OWASP's top 10 API risks list outlines potential vulnerabilities, including broken object-level authorization, broken authentication, unrestricted resource consumption, and security misconfigurations. API security breaches can have severe consequences, exposing sensitive data and compromising an organization's software systems. For instance, a significant security breach occurred when a public API without authentication was exposed, leading to the compromise of data associated with 92% of LinkedIn's users. This enabled a malicious actor to scrape the platform for information on approximately 700 million users, including their email addresses and phone numbers. Similarly, the personal information of over 530 million Facebook users was recently compromised. This breach was an outcome of vulnerabilities in third-party Facebook applications' APIs, resulting in the exposure of two datasets. Exploiting these vulnerabilities, the attacker acquired access tokens and escalated privileges to compromise the affected accounts. These examples underscore the critical importance of robust API security measures to prevent unauthorized access and data breaches in interconnected tech environments.

Challenges in API protection

API security presents unique challenges beyond traditional web security. APIs are designed to be accessible by third-party applications, exposing them to a wider range of potential attackers. Flexibility and customization in APIs make them vulnerable to attacks, while authentication and access control mechanisms face risks of token theft or compromise. The sheer number of APIs used in modern software systems further complicates monitoring and protection efforts. API discovery poses significant challenges due to the proliferation of shadow and rogue APIs, which operate without proper oversight or documentation.
These unauthorized APIs can create security vulnerabilities, as they often bypass standard protective measures. The difficulty in identifying and managing all active APIs within an organization complicates API protection efforts. Without comprehensive visibility, businesses are at risk of data breaches and cyberattacks. Ensuring robust API governance and continuous monitoring is crucial to mitigate these risks and protect sensitive information from exploitation by unauthorized or malicious actors.

Is an API Gateway enough?

While API gateways provide essential security features like rate limiting, authorization, access management, and authentication, they alone are insufficient. These gateways lack visibility and control over the entire API architecture, fail to detect misconfigured or rogue APIs, and struggle against advanced DDoS attacks and API-specific bot attacks. As attackers exploit weaknesses, it is imperative to implement robust security measures. Web Application and API Protection (WAAP) solutions address the limitations of traditional security tools by offering comprehensive protection for web and mobile app APIs. WAAP combines DDoS protection, Web Application Firewall, Bot Management, and API protection, employing a managed, risk-based approach. It monitors traffic to detect and mitigate abnormal and malicious activities in real time, enhancing cyber defense. WAAP reduces operational complexity by streamlining security rules and leveraging AI for automated rule suggestions. This holistic approach ensures robust protection against sophisticated and automated attacks, supplementing traditional firewalls and API gateways.

Key best practices

As attackers increasingly exploit API vulnerabilities, enhancing API security is critical. Here is a checklist to strengthen your API security posture.

- API Discovery and Inventorying: Ensure an updated list of all APIs with details like names, versions, and endpoints. Use tools to automatically scan networks and code repositories. Maintain comprehensive, standardized documentation and monitor API activities for suspicious behavior.
- Implement a Zero Trust Philosophy: Apply Zero Trust to all API endpoints, authenticated clients, and unauthorized entities. Ensure HTTPS for data in transit, analyze requests for threats, follow secure cloud deployment practices, and use encryption and access controls.
- Identify API Vulnerabilities and Associated Risks: Employ behavioral analysis and multi-layered security measures. Use AI and automation for proactive protection and maintain real-time visibility. Encrypt data, deploy virtual patches, and conduct continuous security testing.
- Enforce Strong Authentication and Authorization: Securely verify API users and manage data access. Use modern protocols, implement strong passwords, and use multifactor authentication. Limit session duration and regularly expire tokens.
- Expose Only Limited Data: Minimize data exposure in API operations. Conduct audits, conceal sensitive information, and protect passwords and keys. Regularly review security to refine access controls.
- Implement Rate Limits: Enforce limits on API requests to prevent DDoS attacks and abusive actions. Monitor usage, adjust limits based on needs, and ensure API availability.
- API Design and Development: Integrate security from the design stage. Use secure frameworks and conduct thorough code reviews. Restrict access to source code and include security checks.
- API Logging and Monitoring: Log all relevant data to establish a baseline and detect anomalies. Track performance metrics and regularly review logs for improvements.
- Incident Response: Develop a robust plan covering response, investigation, and compliance. Test the plan, ensure clear communication, and analyze incidents to implement preventive measures.
- Implement Web Application and API Protection (WAAP): Use WAAP for comprehensive protection, including DDoS protection, Web Application Firewall, Bot Management, and API security. Traditional tools like firewalls and API gateways are insufficient for advanced threats.

By adhering to best practices and deploying comprehensive security solutions, organizations can bolster their API security posture and safeguard their digital assets effectively.

Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.
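Three items from the checklist above (strong authentication, exposing only limited data, rate limits) plus the broken object-level authorization risk named earlier can be shown together in a single request handler. The following is an added example written for this page, not code from Indusface or from the article; the `OrdersApi` class, the token table, the order records and the bucket sizes are all constructed placeholders.

```python
"""Minimal API handler illustrating token authentication, object-level
authorization (OWASP API1, broken object-level authorization) and
per-client rate limiting with a token bucket.  Added example; the tokens,
users and orders below are constructed placeholders, not real data."""
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample credentials and records (placeholders only).
API_TOKENS: Dict[str, str] = {"tok-alice-0001": "alice", "tok-bob-0002": "bob"}
ORDERS: Dict[int, dict] = {
    101: {"owner": "alice", "total": 42.0, "card_last4": "4242"},
    102: {"owner": "bob", "total": 17.5, "card_last4": "1111"},
}


class TokenBucket:
    """Allows `capacity` requests in a burst, refilling at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def allow(self, now: float) -> bool:
        # Credit tokens for the time elapsed since the last call, then spend one.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Response:
    status: int
    body: dict


class OrdersApi:
    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}  # one bucket per authenticated client

    def _authenticate(self, headers: Dict[str, str]) -> Optional[str]:
        """Map a Bearer token to a user; each comparison is constant-time."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):]
        for token, user in API_TOKENS.items():
            if hmac.compare_digest(token, presented):
                return user
        return None

    def get_order(self, headers: Dict[str, str], order_id: int,
                  now: Optional[float] = None) -> Response:
        """GET /orders/{order_id} with auth, rate limit and ownership check."""
        if now is None:
            now = time.monotonic()
        user = self._authenticate(headers)
        if user is None:
            return Response(401, {"error": "unauthenticated"})
        bucket = self.buckets.get(user)
        if bucket is None:
            bucket = self.buckets[user] = TokenBucket(self.capacity, self.refill_per_sec, now)
        if not bucket.allow(now):
            return Response(429, {"error": "rate limit exceeded"})
        order = ORDERS.get(order_id)
        # Object-level authorization: the caller must own the record.  A record
        # owned by someone else gets the same 404 as a missing one, so the
        # response does not reveal which IDs exist.
        if order is None or order["owner"] != user:
            return Response(404, {"error": "not found"})
        # Expose only limited data: card details never leave the server.
        return Response(200, {"id": order_id, "total": order["total"]})


if __name__ == "__main__":
    api = OrdersApi()
    alice = {"Authorization": "Bearer tok-alice-0001"}
    print(api.get_order(alice, 101, now=0.0))   # 200, own order
    print(api.get_order(alice, 102, now=0.0))   # 404, someone else's order
```

The `now` parameter exists so the bucket can be driven deterministically in tests; in a real service the clock is injected the same way and the buckets are keyed by client identity rather than by source IP alone, since authenticated abuse is exactly what a per-client limit is meant to catch.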


 Cybersecurity News

Genetic testing company 23andMe has reached a settlement in principle for class actions stemming from a 2023 data breach, lawyers announced during a San Francisco court hearing on Tuesday. The breach compromised the personal information of nearly 7 million users, including sensitive genetic profiles. While the settlement details remain undisclosed, U.S. District Judge Edward Chen of the Northern District of California scheduled a July 30 hearing to review the status of the term sheet. A motion for preliminary approval is expected within 30 to 45 days.

23andMe Settlement Negotiations and Terms

Co-lead plaintiffs' counsel Cari Laufenberg of Keller Rohrback told Judge Chen that the parties accepted a proposal from mediator Randall Wulff following a June 26 meeting. The agreement in principle comes after a swift resolution process, with some plaintiffs' lawyers initially disagreeing in early settlement talks. Earlier in January, some plaintiffs' counsels met with 23andMe representatives to discuss settlement, but disagreements over the best approach for breach victims led to a battle over leadership of the cases. Judge Chen intervened last month, appointing co-lead counsels to oversee the cases. At a hearing last month, lawyers expressed concerns that 23andMe was in imminent danger of filing for bankruptcy, suggesting that injunctive relief, including a fund to compensate class members for psychological or physical harm, would be a key focus of any settlement. The settlement is expected to encompass the multidistrict litigation, state court cases, and thousands of arbitration demands. While specific terms are not yet public, previous discussions suggested a potential 'steep discount' in monetary relief for class members in a case that faced up to $3 billion in damages under the Illinois Genetic Information Privacy Act. The settlement terms may include injunctive relief from 23andMe (an order requiring the company to act in a certain way) and options such as dark web monitoring for victims.
Financial Implications and Company Response

23andMe's annual report revealed $216 million in cash, which could impact the settlement amount. The company's attorney, Ian Ballon of Greenberg Traurig, expressed a focus on settlement and approval moving forward. A 23andMe spokesperson stated that the agreement is "in the best interest of 23andMe customers," and the company looks forward to finalizing the settlement. This resolution comes as a relief to the company, which faced potential bankruptcy concerns raised by lawyers during previous hearings. The settlement marks a significant step in addressing the fallout from the data breach, relieving some fears that had been stoked earlier after the genetic information of specific ethnic groups had been compromised. One such dataset had been advertised earlier on a hacking forum as a list of Ashkenazi Jews, while another had been described as a list of people of Chinese descent. As the case progresses, the final terms of the settlement will provide insight into how 23andMe plans to compensate affected users and improve its data security measures.


 Threats

Regarding VPNs, a popular refrain these days goes something like: Why bother paying for a VPN when there are tons of free ones out there? But are free VPN services truly free? This post explains why thinking they are is misguided, and offers the optimal solution: one of the fastest and most secure VPN apps on the planet.

First there was: "There's no such thing as a free lunch" — dating back to the 1930s. In this century, that old adage was updated and adapted for the digital age: "If you're not paying for the product, you are the product." Today this new axiom applies to many internet services — but especially to VPNs. After all, maintaining a network of servers across the globe, and handling encrypted traffic for thousands, if not millions of users comes at a significant cost. And if the user isn't explicitly asked to pay for such services, there's bound to be a catch somewhere. And that somewhere was recently vividly demonstrated by a couple of major incidents…

Freebie VPN and a botnet of 19 million IP addresses

In May 2024, the FBI, together with law enforcement partners, dismantled a botnet known as 911 S5. This malicious network spanned 19 million unique IP addresses across over 190 countries worldwide, making it possibly the largest botnet ever created. But what does a gargantuan botnet have to do with free VPNs? Quite a lot actually, since the creators of 911 S5 used several free VPN services to build their brainchild; namely: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Users who installed these apps had their devices transformed into proxy servers channeling someone else's traffic. In turn, these proxy servers were used for various illicit activities by the real clients of the botnet — cybercriminals who paid the organizers of 911 S5 for access to it. As a result, users of these free VPN services became unwitting accomplices in a whole host of crimes — cyberattacks, money laundering, mass fraud, and much more — because their devices were sucked into the botnet without their knowledge.

(Image: 911 S5 botnet proxy rental prices)

The 911 S5 botnet began its nefarious operations way back in May 2014. Disturbingly, the free VPN apps it was built upon had been circulating since 2011.
In 2022, law enforcers managed to take it down for a while, but it resurfaced a mere few months later under a new alias: CloudRouter. Finally, in May 2024, the FBI succeeded in not only dismantling the botnet infrastructure but also apprehending the masterminds, on which note the 911 S5 saga will likely end. During its operation, the botnet is estimated to have earned its creators a cool $99 million. As for the losses to victims — at least, just the confirmed ones — they amount to several billion dollars.

(Image: The FBI seized the website of PaladinVPN, one of the free VPN apps used to build the 911 S5 botnet)

Infected VPN apps on Google Play

While the 911 S5 case is undoubtedly one of the largest botnets, it's far from an isolated incident. Literally a couple of months before, in March 2024, a similar scheme was uncovered involving several dozen apps published on Google Play. Though among them there were other apps too (such as alternative keyboards and launchers), free VPNs constituted the bulk of the infected ones. Here's the full list:
- Lite VPN
- Byte Blade VPN
- BlazeStride
- FastFly VPN
- FastFox VPN
- FastLine VPN
- Oko VPN
- Quick Flow VPN
- Sample VPN
- Secure Thunder
- ShineSecure VPN
- SpeedSurf
- SwiftShield VPN
- TurboTrack VPN
- TurboTunnel VPN
- YellowFlash VPN
- VPN Ultra
- Run VPN

(Image: Oko VPN and Run VPN before being removed from Google Play)

There were two modes of infection. Earlier versions of the apps utilized the ProxyLib library to transform devices on which the infected apps were installed into proxy servers. More recent versions employed an SDK called LumiApps, offering developers monetization by showing hidden pages on the device, but in reality doing the exact same thing — turning devices into proxy servers. Just like in the previous case, the organizers of this malicious campaign sold access to proxy servers installed on user devices with the infected apps to other cybercriminals. After the report was published, the infected VPN apps were, of course, removed from Google Play.
However, they continue to circulate in other places; for example, they're sometimes published in several different incarnations under different developer names in the popular alternative app store APKPure (which was infected with a Trojan a few years ago).

(Image: Oko VPN, one of the infected VPN apps booted out of Google Play, exists in multiple versions on the alternative platform)

What to do if you really need a VPN

If you're in dire need of a VPN service to protect your connection but don't want to pay for one, consider using the free version of [placeholder ksec]. Free mode won't allow you to select a server, plus there's a traffic limit of 300 MB per day, but both your traffic and your device are fully secure. The better option of course is to buy a subscription; after all a reliable VPN is a must-have app for absolutely everyone — and has been for some time. Premium access to Kaspersky VPN Secure Connection, available as a standalone purchase or as part of our Kaspersky Plus and Kaspersky Premium subscriptions, grants you access to one of the fastest VPNs in the world across all your devices, along with top-rated protection against phishing and other threats, as verified by independent researchers. Best of all, you can enjoy a 30-day free trial of these subscriptions and experience the full functionality of our protection and VPN; that way, you can see for yourself how our VPN is one of the world's speediest.

 Threat Actors

Researchers have uncovered a well-established cybercriminal ecosystem connected to a Telegram bot, with over 90,000 Arabic messages dating back to 2022, enabling a sophisticated network offering social media manipulation and financial theft services.

 Trends, Reports, Analysis

Real-world attacks have been observed where attackers target the Kubelet API to steal secrets and gain control over clusters. Various techniques, such as environment discovery, network scanning, and secrets collection, have been utilized by hackers.

 Innovation and Research

A team of researchers from the University of California San Diego has developed a firmware update to hide a smartphone's unique Bluetooth fingerprint, which can be used to track the user.

 Trends, Reports, Analysis

Paris 2024 Olympics are expected to face a significant increase in cyber threats, with IDC predicting the Games will encounter a complex threat landscape and a large ecosystem of threat actors.

 Trends, Reports, Analysis

According to Reliaquest, ransomware incidents surged in Q2, with 1,237 organizations listed on data leak sites, a 20% increase from Q1. U.S. businesses were hit the hardest, accounting for over half of the victims.

 Companies to Watch

Kaspersky, the Russian cybersecurity vendor, is winding down its operations in the US due to a Commerce Department decision prohibiting the sale of its products and services in the country.

 Feed

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

 Feed

Debian Linux Security Advisory 5731-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

 Feed

It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the netfilter connection tracker for netlink in the Linux kernel did not properly perform reference counting in some error conditions. A local attacker could possibly use this to cause a denial of service (memory exhaustion). Various other issues were also addressed.

 Feed

Red Hat Security Advisory 2024-4591-03 - Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.16.0 on Red Hat Enterprise Linux 9. Issues addressed include denial of service, memory leak, and resource exhaustion vulnerabilities.

 Feed

Ubuntu Security Notice 6896-3 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Atheros 802.11ac wireless driver did not properly validate certain data structures, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service.

 Feed

Red Hat Security Advisory 2024-4581-03 - An update for podman is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a memory leak vulnerability.

 Feed

Ubuntu Security Notice 6900-1 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the HugeTLB file system component of the Linux Kernel contained a NULL pointer dereference vulnerability. A privileged attacker could possibly use this to cause a denial of service.

 Feed

Red Hat Security Advisory 2024-4573-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9. Issues addressed include an out of bounds access vulnerability.

 Feed

Ubuntu Security Notice 6898-2 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

 Feed

The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of

 Feed

Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API. "Users are

 Feed

A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT. The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week. "The first campaign on June 24, 2024 used an Office document, while the second

 Feed

Attacks on your network are often meticulously planned operations launched by sophisticated threats. Sometimes your technical fortifications provide a formidable challenge, and the attack requires assistance from the inside to succeed. For example, in 2022, the FBI issued a warning1 that SIM swap attacks are growing: gain control of the phone and earn a gateway to email, bank accounts, stocks,

 Feed

The financially motivated threat actor known as FIN7 has been observed using multiple pseudonyms across several underground forums to likely advertise a tool known to be used by ransomware groups like Black Basta. "AvNeutralizer (aka AuKill), a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple

 Feed

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name,

 Guest blog

A new strain of the HardBit ransomware has emerged in the wild, which contains a protection mechanism in an attempt to prevent analysis from security researchers. Read more in my article on the Tripwire State of Security blog.

 Change

Source: www.databreachtoday.com – Author: Mathew J. Schwartz (euroinfosec) • July 17, 2024. Categories: Breach Notification, Healthcare, Industry Specific. Costs Have Already Hit $2 Billion, Parent Company UnitedHealth Group Reports. The cost of the Change Healthcare breach has reached $2 billion, parent company UnitedHealth Group told investors. See Also: NHS […] The post "Change Healthcare's Breach Costs Could Reach $2.5 Billion – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: Michael Novinson (MichaelNovinson) • July 17, 2024. Categories: Next-Generation Technologies & Secure Development, Security Information & Event Management (SIEM), Security Operations. World's Largest Pure-Play SecOps Vendor Will Have Leading On-Prem, Cloud SIEM Tools. (Image: Chris O'Malley, CEO, Exabeam; source Exabeam) Two SIEM stalwarts completed a merger Wednesday that […] The post "CEO Chris O'Malley on Why LogRhythm, Exabeam Opted to Merge – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: Chris Riotta (@chrisriotta) • July 16, 2024. Categories: Government, Industry Specific, Professional Certifications & Continuous Training. New Report Reveals Industry's Reluctance to Use Coast Guard Cybersecurity Services. (Image: A Coast Guard ship docked in the port of Key West, Florida; source Shutterstock) Private sector stakeholders in the marine […] The post "Coast Guard Battles Cyberthreats Amid Industry Resistance – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: Akshaya Asokan (asokan_akshaya) • July 16, 2024. Categories: Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime. Custom Malware Backdoor BugSleep Has Evasion Capabilities, Checkpoint Says. Hackers with links to Iranian intelligence agencies are deploying a new malware backdoor that has advanced evasion capabilities to target Middle […] The post "Iranian State Hackers Are Deploying a New Malware Backdoor – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com. Original post URL: https://www.databreachtoday.com/webinars/live-webinar-every-transaction-counts-how-to-improve-your-payment-w-5731. The post "Live Webinar | Every Transaction Counts: How to Improve Your Payment Performance—and Your Bottom Line – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Accelerate

Source: www.databreachtoday.com – Speaker: Jennifer Ellard, Sr Director, Product Marketing at Elastic. Jennifer Ellard is a seasoned marketing executive specializing in cybersecurity. With a strong track record of managing global marketing teams and programs, Jennifer leads product marketing and demand generation teams in high-growth companies. She is known for delivering buyer-focused content and effectively […] The post "Webinar | Accelerate your SOC with AI-driven security analytics with Elastic and Google Cloud – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: Jackie Mattingly, CHPS, HCISPP, CHISL, CISSP, Senior Director of Consulting Services, Clearwater • July 16, 2024. Categories: Governance & Risk Management, Healthcare, Healthcare Information Exchange (HIE). A Former CISO's Perspective on What Is Needed. Like many across the healthcare industry, I found that the recent announcement of […] The post "Cybersecurity Support for Rural Hospitals – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Aggregator history: Wednesday, July 17, 2024