A new malware strain called Styx Stealer has emerged, posing a significant threat to online security. Discovered in April 2024, Styx Stealer targets popular Chromium- and Gecko-based browsers, including Chrome, Firefox, and their derivatives, to pilfer a trove of data. This stolen information can include saved passwords, cookies, auto-fill data (including credit card information), cryptocurrency wallet information, system data (hardware information and external IP address) and screenshots.

Beyond targeting browsers, Styx Stealer also sets its sights on popular instant messaging applications like Telegram and Discord. By compromising these platforms, attackers can gain access to users' chats, potentially exposing sensitive conversations and further compromising their online identity.

Styx Stealer Malware Analysis in Detail

Styx Stealer was designed by a Turkish cybercriminal who goes by the name “Sty1x” and is sold via Telegram or a dedicated website at prices ranging from $75 per month to $350 for unlimited access.

[Figure: Styx Stealer price chart. Source: Check Point Research]

Check Point Research claimed that it discovered the Styx Stealer thanks to a critical error committed by its developer. During the debugging process, the developer failed to implement proper operational security (OpSec) measures, which resulted in sensitive data leaking from their own computer directly to the researchers. This leaked information included details about Styx Stealer's capabilities, its potential targets, and even the developer's earnings. More importantly, it revealed a connection to the developer of another notorious malware strain, Agent Tesla.

Forensic analysis further uncovered a link between Styx Stealer's developer (Sty1x) and a Nigerian actor operating under the aliases Fucosreal and Mack_Sant. This individual was previously involved in a campaign utilizing Agent Tesla malware, targeting Chinese firms in various sectors like metallurgy, transportation, and production.

[Figure: Accounts and nicknames of the Styx Stealer developer and the Agent Tesla threat actor. Source: Check Point Research]

This connection suggests a potential collaboration between cybercriminals, creating an even more formidable threat.

Lineage of Theft: Styx Stealer's Ancestry

The research identified Styx Stealer as a derivative of Phemedrone Stealer, a malware strain known for its browser-targeting capabilities. Styx Stealer inherits the core functionalities of Phemedrone, but it introduces some significant improvements. These improvements include:

- Auto-start functionality, allowing the malware to launch automatically upon system startup.
- Crypto-clipping functionality, which enables the theft of cryptocurrency wallet information.

These enhanced features make Styx Stealer a more potent threat, capable of causing significant financial losses to unsuspecting victims.

Potential Impact of Styx Stealer

The information stolen by Styx Stealer can be used for various malicious purposes. Here are some of the potential consequences of an infection:

- Identity Theft: Stolen passwords and personal data can be used to impersonate you online, allowing attackers to access your accounts, make fraudulent purchases, or damage your reputation.
- Financial Loss: Cryptocurrency wallet information can be used to steal your digital currency holdings.
- Data Breaches: Compromised instant messaging conversations could reveal sensitive information that could be used for blackmail or other malicious purposes.
- Targeted Attacks: Stolen system data could be used to launch more targeted attacks against your device or network.

The Future of Styx Stealer

The discovery of Styx Stealer serves as a stark reminder of the constant threat posed by malware developers. While the leak of information by the developer has likely disrupted the initial operations of Styx Stealer, it's crucial to remain vigilant. Cybercriminals are known for adapting their tactics, and it's possible that Styx Stealer could resurface with improved functionalities or targeting strategies. By staying informed about the latest threats and implementing robust security measures, users can stay ahead of the curve and protect their valuable online data.
The NUMOZYLOD malware family, also known as FakeBat, EugenLoader, and PaykLoader, has been linked to a surge in malware infections originating from malvertising campaigns. Researchers have analyzed the malware family to understand its infection methods and the variants tailored to targeted victims.

The Rise of NUMOZYLOD

Since mid-2023, Mandiant Managed Defense has observed a surge in malware infections originating from malvertising campaigns. These attacks target users seeking popular business software, using trojanized MSIX installers to execute PowerShell scripts and download an additional secondary payload. Researchers track this PowerShell script as NUMOZYLOD and attribute its distribution to the threat actor UNC4536, operating under the moniker 'eugenfest.'

[Image source: https://www.googlecloudcommunity.com/gc]

UNC4536 is part of a Malware-as-a-Service (MaaS) operation, distributing a variety of malware, including ICEDID, REDLINESTEALER, CARBANAK, LUMMASTEALER, and ARECHCLIENT2. Researchers note this as evidence of a surging underground economy, where threat actors actively collaborate to fulfill the supply and demand for specialized tools and services to carry out attack campaigns.

Exploiting MSIX for Covert Malware Distribution

A key feature of MSIX, the Windows application packaging format, is its ability to execute scripts with the help of the Package Support Framework (PSF). Threat actors have exploited this by bundling a malicious payload, such as NUMOZYLOD, within the MSIX package, which is then executed during the software installation process.

Analysis of the trojanized MSIX file structure reveals how threat actors stage their resources and abuse MSIX features to gain initial access and evade detection. The structure consists of several key components, including:

- AppxManifest.xml: This XML file is the heart of the MSIX installer, specifying how the package is to be installed. It lists the languages supported by the application, which can offer insight into the malware author's origin or the intended target audience for the malware's distribution.
- Config.json: This configuration file is used by the Package Support Framework (PSF) to handle tasks that standard MSIX installations cannot directly support, such as launching specific processes alongside the main application. In the case of NUMOZYLOD, the config.json file instructs the MSIX installer to trigger the execution of the malicious PowerShell script during the installation of the software.
- StartingScriptWrapper.ps1: This file serves as a wrapper for executing PowerShell scripts specified in the config.json file.
- Virtual File System (VFS) folder: This virtual storage space within the MSIX package holds the application's files and folders, separating them from the main system.

Delivering Tailored Payload Variants

UNC4536 operates as a malware distributor, leveraging NUMOZYLOD to deliver various secondary payloads to its "business partners." The researchers have observed two NUMOZYLOD variants so far, each distributing different malware families.

In one campaign, NUMOZYLOD was used to spread the CARBANAK backdoor, leveraging SEO poisoning tactics to direct victims to a malicious website mimicking the legitimate KeePass password manager. This NUMOZYLOD variant transmitted host information to attackers, subsequently downloading and executing the CARBANAK malware on infected systems.

In another campaign, the researchers observed a heavily obfuscated NUMOZYLOD variant utilized to deliver the LUMMASTEALER infostealer payload. This variant employed multiple layers of obfuscation to impede analysis and evade security measures, including disabling the Antimalware Scan Interface (AMSI) to run undetected.

The researchers have shared custom YARA-L rules to help protect against the campaign by detecting execution of the malicious PowerShell scripts and executable file associated with the attacks.
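For defenders triaging a downloaded MSIX file, the package layout described above can be checked before anything is installed. The following Python sketch is an added example, not code from Mandiant or from the article: it opens the package as a ZIP archive, lists the languages declared in AppxManifest.xml, and reports any script hook declared in the PSF config.json. The sample package, the file name install_helper.ps1 and the application id are constructed for illustration, and a reported hook means "review this script", not "malicious", because PSF scripts also have legitimate uses.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

MAX_MEMBER_BYTES = 1_000_000  # refuse oversized members (zip-bomb guard)
SCRIPT_KEYS = ("startScript", "endScript")  # script hooks in a PSF config.json


def _read_member(zf, name):
    """Read one archive member, refusing anything implausibly large."""
    if zf.getinfo(name).file_size > MAX_MEMBER_BYTES:
        raise ValueError(f"{name} exceeds {MAX_MEMBER_BYTES} bytes")
    return zf.read(name)


def triage_msix(package_bytes):
    """Summarise the script-execution surface of an MSIX package (bytes)."""
    report = {"languages": [], "psf_scripts": [], "ps1_files": [],
              "has_script_wrapper": False, "needs_review": False}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = zf.namelist()
        by_lower = {n.lower(): n for n in names}
        report["ps1_files"] = sorted(
            n for n in names if n.lower().endswith(".ps1"))
        report["has_script_wrapper"] = any(
            n.lower().rsplit("/", 1)[-1] == "startingscriptwrapper.ps1"
            for n in names)

        # Declared languages hint at the intended audience of the package.
        # For hostile input on older Python builds, prefer a hardened XML
        # parser; the size cap above bounds what is parsed here.
        manifest = by_lower.get("appxmanifest.xml")
        if manifest:
            root = ET.fromstring(_read_member(zf, manifest))
            for el in root.iter():
                local = el.tag.rsplit("}", 1)[-1]  # strip XML namespace
                if local == "Resource" and "Language" in el.attrib:
                    report["languages"].append(el.attrib["Language"])

        # PSF config.json: collect every script hook per application.
        config = by_lower.get("config.json")
        if config:
            raw = _read_member(zf, config).decode("utf-8-sig")
            for app in json.loads(raw).get("applications", []):
                for key in SCRIPT_KEYS:
                    hook = app.get(key)
                    if isinstance(hook, dict) and hook.get("scriptPath"):
                        report["psf_scripts"].append({
                            "application": app.get("id"),
                            "hook": key,
                            "scriptPath": hook["scriptPath"],
                            "showWindow": hook.get("showWindow", False),
                        })
    report["needs_review"] = bool(report["psf_scripts"])
    return report


# Constructed sample manifest; not taken from any real package.
MANIFEST = (
    '<Package xmlns="http://schemas.microsoft.com/appx/manifest/'
    'foundation/windows10">'
    '<Resources><Resource Language="en-us"/></Resources></Package>'
)


def build_sample(with_psf_script):
    """Build a constructed MSIX-like archive in memory for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", MANIFEST)
        zf.writestr("VFS/ProgramFilesX64/App/app.exe", b"MZ")
        if with_psf_script:
            zf.writestr("config.json", json.dumps({"applications": [{
                "id": "App",
                "executable": "VFS/ProgramFilesX64/App/app.exe",
                "startScript": {"scriptPath": "install_helper.ps1",
                                "showWindow": False},
            }]}))
            zf.writestr("StartingScriptWrapper.ps1", "# placeholder")
            zf.writestr("install_helper.ps1", "# placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_msix(build_sample(True)), indent=2))
```

Any script path reported in psf_scripts should be extracted and read before the package is allowed onto a workstation.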
Researchers have uncovered a new remote access trojan (RAT) family, dubbed 'MoonPeak,' that is being actively developed by a North Korean threat actor cluster known as 'UAT-5394.' The researchers' analysis of the threat actor's infrastructure reveals a complex web of command-and-control (C2) servers, staging servers, and test machines used to develop and deploy the malware.

Mapping North Korean APT UAT-5394's Infrastructure

Talos' investigation has led to the discovery of numerous servers owned, operated and administered by UAT-5394. This infrastructure includes C2 servers, payload-hosting sites, and virtual machines used to test their MoonPeak implants before distribution.

The researchers observed a distinct shift in the actor's tactics in June 2024, as they moved from hosting malicious payloads on legitimate cloud storage providers to systems and servers they now owned and controlled. This was likely done to preserve their infections from potential shutdowns by cloud service providers.

[Image source: Talos]

The campaign involved the use of multiple C2 servers, payload-hosting sites, and virtual machines used to test MoonPeak implants before distributing them to potential targets. The threat actors have also been observed accessing their infrastructure from VPN nodes, highlighting their ability to adapt and evolve.

Another key server in UAT-5394's infrastructure was 167.88.173.173, a high-flux server that had been observed changing operating systems and web servers multiple times in a span of less than two months. While this server was initially linked to the Gamaredon APT, a threat group allegedly associated with the Russian FSB, the researchers' analysis found a window of time in late June and early July 2024 in which they assess with high confidence that the IP was under UAT-5394's control.

During this period, the server was running Windows Server 2022 and was used by UAT-5394 to compile MoonPeak v2 malware samples pointing to its port 9966 as the C2 server. The researchers also observed two other IP addresses, 45.87.153.79 and 45.95.11.52, accessing this server over ports 9936 and 9966, the same C2 ports used by MoonPeak malware.

The investigation also revealed that 167.88.173.173 resolved to and hosted an SSL certificate for the malicious domain pumaria.store, which was later found to resolve to 104.194.152.251 on July 11, 2024. On the same day, one of UAT-5394's test machines, 80.71.157.55, communicated with 104.194.152.251 over port 443, indicating that this system was being used to test MoonPeak infections. Further analysis of 104.194.152.251 showed that it resolved to other domains attributed to UAT-5394, such as yoiroyse.store, and was used to host MoonPeak malware and set up a new C2 server at 91.194.161.109.

Testing And Evolving MoonPeak

The researchers observed the use of several virtual machines on the servers 45.87.153.79, 45.95.11.52, and 80.71.157.55, used by UAT-5394 to test MoonPeak infections over various C2 ports since at least July 2, 2024.

The researchers noted that the test timings over these ports matched the compilation times of the various MoonPeak samples they had noted. They further observed an evolution in the malware and its corresponding C2 components, with each new increment differing from the previous one in terms of evasion techniques and infrastructure changes. This constant evolution suggests that the threat actors are actively developing and refining MoonPeak to evade detection.

The threat actors have been observed deploying their implant variants several times on their test machines, demonstrating both the capability and the resources to adapt. Potential indicators of compromise (IOCs) from MoonPeak's campaigns and attack operations were shared over GitHub.
Nigeria has announced its latest cybersecurity plan by transitioning from Internet Protocol version 4 (IPv4) to the more advanced Internet Protocol version 6 (IPv6). This major upgrade is expected to improve internet service in African countries. The Nigeria IPv6 transition reflects the country’s commitment to aligning with global standards and harnessing the vast economic opportunities presented by IPv6 adoption.

Dr. Bosun Tijani, the Minister of Communications, Innovations, and Digital Economy, announced this upgrade in Nigeria's cybersecurity posture, highlighting that Nigeria is set to become the first African nation to fully embrace IPv6. This transition is not just a technical upgrade but a strategic step towards improved cybersecurity and enhanced digital infrastructure.

Minister of Communications Announces Nigeria IPv6 Transition

At the IPv6 Driven Digital Infrastructure Summit held at the Digital Economy Complex in Mbora, Abuja, Dr. Tijani emphasized the importance of this transition. The summit, organized by the National Information Technology Development Agency (NITDA), was themed “Bring Net 5.5G into Reality, Inspire New Growth.” It aimed to provide a comprehensive roadmap for the Nigeria IPv6 transition.

Dr. Tijani noted that several countries, including the United States, France, Saudi Arabia, China, and the United Arab Emirates, have already adopted IPv6. Nigeria’s proactive approach places it at the forefront of this global shift, positioning it as a leader in Africa’s digital transformation. He lauded President Bola Tinubu’s administration for its dedication to digital empowerment and infrastructure development, The Sun Nigeria reported.

"By 2050, our goal should be to achieve 100 percent adoption of IPv6," Dr. Tijani stated. "We should not only consume internet technologies but also export them. Thanks to President Tinubu’s focus on digital transformation, Nigeria is on the path to becoming a global leader in this space."

IPv6 offers advantages over its predecessor. It allows for a virtually limitless number of IP addresses, a crucial factor given the growing number of connected devices globally. This expanded address space enhances the ability to track and secure internet traffic, making online transactions more reliable and safer. The protocol is designed to address the limitations of IPv4, including its vulnerability to cyber threats.

The Nigeria IPv6 transition is expected to have a profound impact on the nation’s internet service sector. Providers will benefit from improved network efficiency and security, ensuring that their systems are less susceptible to hacking and downtime. IPv6's advanced features will also help identify traffic sources more accurately, which is crucial for effective cybersecurity measures.

Nigeria Cybersecurity Plan: The Need to Transition from IPv4 to IPv6

Kashifu Inuwa Abdullahi, Director General of NITDA, highlighted the economic potential of the Nigeria IPv6 transition. He pointed out that the global market for IPv6 deployment is valued at approximately $10 trillion. This opens up significant opportunities for Nigeria to tap into new markets and drive economic growth.

Abdullahi also noted that while most modern devices are already compatible with IPv6, the challenge lies in backward compatibility. Existing IPv4 devices may not interact seamlessly with IPv6 infrastructure. However, the shift is manageable as newer devices are built with IPv6 in mind, minimizing the need for extensive modifications.

"Investing in IPv6 does not require enormous expenditure," Abdullahi explained. "The main challenge is developing a clear strategy and policy direction to guide the migration process. Many operators are hesitant to change due to the complexities involved in reconfiguring their systems."

The Nigeria IPv6 transition also addresses broader cybersecurity concerns. As Abdullahi explained, the protocol’s ability to uniquely identify devices connected to the internet enhances the tracking of network traffic and helps mitigate cyber threats. With the current scarcity of IPv6, many devices are masked, making them harder to identify and secure. IPv6 resolves this issue by providing an almost unlimited number of IP addresses, which strengthens overall cybersecurity.

Abdullahi illustrated this with a personal anecdote: “For instance, I have multiple devices—two mobile phones, a smartwatch, laptops, and more—all connected to the internet. With IPv6, each device can be uniquely identified, improving our ability to address cybersecurity challenges.”
Microchip Technology, a semiconductor company in the US, has disclosed that it experienced a cyberattack that disrupted some of its operations. The company made an SEC filing on Tuesday which mentioned that on August 17, 2024, it "detected potentially suspicious activity involving its information technology systems."

During the investigation, it was revealed that an unknown threat actor had gained access to its systems and had “disrupted the Company’s use of certain servers and some business operations.” The company then disclosed the breach on August 20, 2024, stating that it had taken immediate steps to isolate the affected systems and shut down others as a precaution.

Details of Microchip Technology Cyberattack

In its SEC filing, Microchip stated, “As a result of the incident, certain of the Company's manufacturing facilities are operating at less than normal levels, and the Company's ability to fulfill orders is currently impacted." The company also promised that it would work to fix things up soon.

While the exact nature of the cyberattack remains unclear, Microchip Technology has indicated that it is working with external cybersecurity experts to investigate the incident and assess the full extent of the damage. The company has not disclosed any specific details about the type of attack or the data that may have been compromised.

[Figure: Summary of SEC Filing by Microchip Technology]

The incident has raised concerns about the potential impact on the global supply chain for semiconductors, as Microchip Technology is a major supplier of microcontrollers, mixed-signal, analog, and Flash-IP solutions used in various electronic devices. A disruption to Microchip's operations could have far-reaching consequences for the automotive, consumer electronics, and industrial automation industries.

Potential Impact of the Cyberattack

- Supply chain disruptions: The attack could lead to delays in producing and delivering Microchip Technology's products, impacting various industries that rely on their components.
- Financial losses: The incident may result in financial losses for Microchip Technology due to business interruptions, legal costs, and potential damage to its reputation.
- Data breaches: If sensitive customer or business data is compromised, the company could face legal and regulatory consequences.
- Competitive advantage: The attack could give competitors an advantage if they can exploit vulnerabilities exposed by the breach.

Microchip Cyberattack: A Threat to National Security?

The cyberattack on Microchip Technology is particularly troubling given that in January 2024, the Biden administration granted the company $162 million to expand its manufacturing facilities where it produces its leading microcontrollers, as reported by Reuters. The government described the funding as a stimulus for the United States automotive, defense, and aerospace sectors, emphasizing Microchip's significance as a supplier to the military.

Microchip products are designed for critical applications, typically in devices that move quickly, such as cars, airplanes, and missiles, or operate in harsh remote environments like space, where NASA plans to utilize its chips in its upcoming High-Performance Spaceflight Computer (HPSC). The company also provides foundry services, and if this incident has disrupted that process, it will likely cause difficulties in the silicon supply chain.

As the investigation continues, Microchip Technology has assured its customers and partners that it is working diligently to restore normal operations and minimize any disruptions caused by the cyberattack. The company has also emphasized its commitment to protecting customer data and maintaining the integrity of its systems.

While the specific details of the cyberattack are still emerging, the incident serves as a reminder of the increasing sophistication and frequency of cyber threats facing businesses of all sizes. The attack on Microchip Technology highlights the importance of robust cybersecurity measures to protect critical infrastructure and prevent disruptions to essential services.
A Kentucky man's elaborate plot to fake his own death and escape his child support obligations has landed him in federal prison. On Monday, U.S. District Judge Robert Wier sentenced Jesse Kipf, 39, of Somerset, to 81 months behind bars following a plea agreement for computer fraud and aggravated identity theft. Kipf had a prior criminal record and had been described by his attorney as a troubled Iraq war veteran.

Kipf's Cyber Scheme to Dodge Child Support

Kipf's scheme began in January 2023, when he hacked into the Hawaii Death Registry System using a stolen username and password. He created a fake death certificate, listing himself as the medical certifier and using a doctor's digital signature. This malicious act resulted in Kipf being registered as a deceased person in numerous government databases.

But Kipf's crimes went beyond faking his own death. He also infiltrated other states' death registry systems, private business networks, and governmental and corporate networks, using stolen credentials. He then attempted to sell access to these networks on the dark web, an underground internet platform notorious for illicit activities.

Kipf's actions were motivated, in part, by a desire to avoid paying his outstanding child support obligations. According to court documents, he owed over $116,000 to his daughter and her mother. By faking his own death, Kipf hoped to escape his financial responsibilities.

"This scheme was a cynical and destructive effort, based in part on the inexcusable goal of avoiding his child support obligations," said U.S. Attorney Carlton S. Shier, IV.

Troubling Criminal History and Consequences

Kipf's sentencing memo painted a picture of a serial offender with a concerning criminal history. In 2010, he was convicted in Nebraska on charges that included criminal possession of financial transaction devices. He also has pending charges in Kentucky related to using stolen credit card information to pay for food deliveries.

According to his attorney, Tommy Miceli, Kipf's criminal behavior stemmed from a struggle with drug addiction that worsened after his military service in the Iraq War from 2007-2008. Miceli argued this history should be taken into account, but the judge ultimately sided with prosecutors' recommendation of an 81-month sentence.

In a joint statement, law enforcement officials said Kipf's case serves as a stark reminder of the damage that can be done by criminals exploiting technology.

"Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price," said Michael E. Stansbury, Special Agent in Charge of the FBI's Louisville Field Office.

The investigation into Kipf's crimes was a collaborative effort involving the FBI, the Kentucky Attorney General's Office, the Department of the Attorney General in Hawaii, and the Pulaski County Sheriff's Office. Assistant U.S. Attorney Kate Dieruf led the prosecution, focusing on Kipf's concerning criminal history and his "classic recidivist profile."

Along with the 81 months in prison, of which he will serve 85%, Kipf's sentence includes three years of supervised release. He must also pay $195,758.65 to cover the damages to government and corporate computer systems, as well as his outstanding child support obligations.

Earlier in 2022, after six years of being on the run, an Iowa man who had faked his own death and removed his ankle monitor had been found and arrested over a thousand miles away from his grandmother’s home. The individual had been wanted by authorities for trial on charges associated with child sexual abuse imagery.

According to nydefensecouncil.com, there are no specific laws against faking one's own death within the United States. However, individuals and those involved in aiding such schemes could potentially face charges of identity theft, life insurance fraud, tax evasion, conspiracy and false reporting.
A recent malicious campaign by the Iranian threat actor TA453 has come to light after the group targeted a prominent Jewish religious figure (whose identity has been hidden for protection) with a fake podcast interview invitation. The attack chain, which began in July 2024, employed a series of emails referring to a supposed podcast about 'Exploring Jewish life in the Muslim World', from a representative of the American non-profit think tank Institute for the Study of War, a legitimate organization dedicated to research on military defense and foreign affairs.

TA453 Deploys PowerShell Trojan Through Podcast Invite

The campaign began on July 22, 2024, when TA453 contacted multiple email addresses for the target figure, under the guise of representing the Research Director for the Institute for the Study of War (ISW). The lure was a podcast invitation, which the target responded to, and TA453 followed up with a DocSend URL that led to a password-protected text file containing a legitimate ISW podcast URL.

[Image source: https://proofpoint.com/us/blog/]

The researchers from Proofpoint believe this was likely an attempt to normalize the target's behavior, making them more susceptible to clicking on malicious links in the future. The attackers then sent a Google Drive URL leading to a ZIP archive containing a malicious LNK file, which delivered the BlackSmith toolset, including the AnvilEcho PowerShell trojan.

[Image source: https://proofpoint.com/us/blog/]

The AnvilEcho malware is a PowerShell trojan that contains extensive functionality, including intelligence gathering and exfiltration capabilities. It uses encryption and network communication techniques similar to previously observed TA453 samples. The malware is designed to evade detection by bundling multiple capabilities into a single PowerShell script, rather than using a modular approach.

AnvilEcho uses a series of functions to encrypt, encode, and exfiltrate information, including Send-ReqPacket, FromEncrypt, From-Save, Encode, ToEncrypt, and Get-Rand. The malware also includes code for downloading and uploading files, as well as capturing screenshots and audio.

The malware's C2 infrastructure is hosted on the domain deepspaceocean[.]info, which bears similarities to historical TA453 infrastructure. The AnvilEcho C2 server is designed to run continuously, periodically fetching commands from the remote server and executing them via the Do-It function. The Do-It function executes different sections of code based on the received command, including capabilities for network connectivity, file handling, screenshot capture, and audio exfiltration.

Along with the Do-It function, at the end of the 2200 lines of malware code, the Redo-It function serves as orchestration and management for all of the PowerShell commands within the malware. The Redo-It function also handles many other components of the malware, such as key encryption and system reconnaissance upon the first run, which collects antivirus information, Operating System information, Public IP Address, InstallationPath, Manufacturer, ComputerName, and UserName.

This data, exfiltrated and encrypted by the Redo-It function, is then sent to the TA453 attacker-controlled infrastructure. This function is designed for persistent execution, periodically retrieving commands from the remote server, decrypting them, and executing them via Do-It.

Iranian Islamic Revolutionary Guard Corps Connection

These efforts of TA453 are likely in support of intelligence collection for the Iranian government, particularly the Islamic Revolutionary Guard Corps' Intelligence Organization, according to the researchers.

[Image source: https://www.ifmat.org/03/02/intelligence-organization-of-the-irgc/]

While there is no direct link to individual members of the IRGC, the malware's TTPs are consistent with previous reports of TA453 campaigns, including overlaps in unit numbering and targeting priorities. They believe the group also shares several similarities with the Charming Kitten APT group. These tactics are an example of multi-persona impersonation, where threat actors send legitimate links to users to build trust with victims for later exploitation.
The Securities and Exchange Board of India (SEBI) has announced a new Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at fortifying the cybersecurity posture of regulated entities across the Indian financial markets. This new framework is set to be implemented in a phased approach starting January 2025, signaling a significant shift from the existing cybersecurity guidelines.

The CSCRF is a comprehensive set of guidelines designed to enhance both cybersecurity and cyber resilience among entities regulated by SEBI. This new framework comes at a crucial time as cyber threats continue to escalate, threatening the integrity and stability of financial systems. It represents a significant evolution from previous cybersecurity directives, integrating advanced measures to address emerging threats and vulnerabilities.

Introduction to Cybersecurity and Cyber Resilience Framework (CSCRF)

The new Cybersecurity and Cyber Resilience Framework (CSCRF) will be implemented in a structured, phased manner. Regulated entities are required to achieve compliance by January 1, 2025, or by April 1, 2025, depending on their classification. This phased approach is designed to facilitate a smooth transition and enable entities to adapt gradually to the new requirements.

A significant feature of the CSCRF is the introduction of a Cyber Capability Index (CCI), which will be used to regularly assess and monitor the cybersecurity maturity and resilience of market infrastructure institutions and qualified regulated entities. The CCI is intended to serve as a benchmark for evaluating cybersecurity effectiveness and guiding necessary improvements.

To support smaller regulated entities, SEBI has mandated the establishment of Market Security Operation Centres (SOCs) by major stock exchanges, NSE and BSE. These SOCs will provide tailored cybersecurity solutions, helping smaller entities meet the framework's requirements and enhance their cyber resilience.

Additionally, regulated entities will be required to undergo regular cybersecurity audits under the CSCRF. These audits will cover IT services, Software as a Service (SaaS) solutions, and hosted services, and will be conducted periodically. Reports from these audits must be submitted to the relevant authorities, ensuring ongoing compliance and oversight.

Detailed Compliance Requirements

Under the new Cybersecurity and Cyber Resilience Framework (CSCRF), regulated entities are required to submit compliance reports to SEBI or other relevant authorities according to established periodic standards. These reports must include both half-yearly and annual reviews, which cover various critical aspects of cybersecurity. This includes evaluations of Cyber Resilience, Vulnerability Assessment and Penetration Testing (VAPT), and cybersecurity training, ensuring a comprehensive approach to maintaining security practices.

Furthermore, within one year of the CSCRF's issuance, Market Infrastructure Institutions (MIIs) and Qualified Regulated Entities are mandated to obtain ISO 27001 certification. This certification must be accompanied by evidence submitted alongside cyber audit reports to demonstrate adherence to internationally recognized standards for information security management.

Entities are also required to adhere to specific frequencies for conducting Vulnerability Assessment and Penetration Testing (VAPT) on their protected systems and other IT infrastructure. Reports from these assessments must be submitted within one month of their approval, with any identified findings addressed within three months and revalidated within five months to ensure ongoing security.

In addition, comprehensive cyber audits must be conducted to cover both critical and a sample of non-critical systems. These audits require reports to be submitted within a month of completion, with any issues identified needing resolution within three months and follow-on audits conducted within five months.

To facilitate compliance with the CSCRF, NSE and BSE will establish Market Security Operation Centres (SOCs) by January 1, 2025. These SOCs will provide crucial cybersecurity support, particularly for smaller entities. Additionally, other organizations such as NSDL and CDSL may also establish similar facilities to support the framework's implementation.

Operational Guidelines and Standards

Entities are required to maintain an up-to-date inventory of authorized devices and utilize automated tools for effective network management. Security protocols must include robust perimeter defenses for servers involved in algorithmic trading, as well as the implementation of a zero-trust security model. Access control must adhere to a zero-trust framework, necessitating regular reviews of delegated access, the enforcement of strong password policies, and the prompt removal of unused user credentials.

In terms of log management, entities must diligently collect and monitor all pertinent logs, such as those from systems, applications, and networks. They are also required to implement a rigorous log retention policy and actively monitor for any unusual patterns to ensure comprehensive oversight. Physical security measures demand restricted access to critical systems, bolstered by stringent controls and surveillance for sensitive equipment.

For remote support and access, services must be well-governed and logged, incorporating multi-factor authentication and limiting access to whitelisted IP addresses. Data management practices must include secure data retention and disposal policies to ensure that all data and media are handled with appropriate security measures.

Endpoint and network security require the deployment of endpoint protection solutions and continuous network monitoring, with administrative rights disabled for any unnecessary functions. Security protocols for applications and mobile systems must adhere to OWASP guidelines and ensure secure storage practices.

Additionally, regular cybersecurity training is essential for employees, including updates to training materials as needed to reflect the latest security practices. Entities must also establish mechanisms for reporting fraudulent transactions and educating customers about cybersecurity risks, thereby enhancing overall customer and investor security.

Implementation and Oversight

The implementation of the CSCRF will be closely monitored by SEBI, with entities expected to adhere to the established timelines and compliance requirements. The phased implementation and structured compliance reporting are designed to ensure a smooth transition to the new framework and enhance the overall cybersecurity landscape.

The SEBI cybersecurity framework represents a significant advancement in the regulation of cybersecurity practices within India's financial markets. By establishing clear guidelines, regular assessments, and providing support to smaller entities, SEBI aims to strengthen the resilience of the financial sector against cyber threats.

This comprehensive approach to cybersecurity and resilience underscores SEBI's commitment to safeguarding the integrity of financial markets and protecting stakeholders from cyber risks. As the framework is rolled out, it will be crucial for all regulated entities to stay informed and compliant with the new requirements to ensure cybersecurity and resilience.
As organizations become more digitized and connected, their attack surface grows as well and they become increasingly vulnerable to cyberattacks. Businesses are seeking innovative strategies to protect their sensitive data and maintain operational continuity in the face of an evolving threat landscape. One such strategy gaining prominence is the use of take-down services. These services are designed to identify and remove harmful content - such as malware, phishing and spoofing websites, and intellectual property infringements - from the internet.

CEOs are at the forefront of implementing strategic defense measures to safeguard their organizations. They increasingly recognize the importance of take-down services as a critical component of their overall cybersecurity strategy. By leveraging these services, CEOs can:

- Proactively address threats: Take-down services can help identify and mitigate emerging threats before they cause significant damage.
- Protect brand reputation: By removing harmful or imposter content that tarnishes their brand's image, CEOs can maintain customer trust and confidence.
- Safeguard intellectual property: Take-down services can be used to protect valuable intellectual property from unauthorized use or distribution.
- Reduce legal risks: By promptly addressing copyright infringement or other legal issues, CEOs can minimize their organization's exposure to litigation.

Strategic Defense CEO Insights

CEOs from various industries have shared their insights on the effectiveness of take-down services in protecting their organizations. Many have highlighted the following benefits:

- Timely response: Take-down services can provide a rapid response to online threats, reducing the potential impact on their business.
- Expertise and resources: These services often have access to specialized tools and expertise that can be difficult for organizations to maintain in-house.
- Cost-effective solution: By outsourcing take-down services, CEOs can avoid the significant costs associated with building and maintaining an internal team to handle these tasks.

Take-Down Services for CEOs

CEOs considering implementing take-down services should carefully evaluate the following factors:

- Scope of services: Different providers offer varying levels of coverage, including takedowns for malware, phishing/spoofed websites, copyright infringement, and other online threats.
- Speed of response: The time it takes for a provider to remove harmful content is a critical factor to consider.
- Success rate: Look for providers with a proven track record of successfully removing harmful content.
- Cost: Compare pricing models and ensure that the cost aligns with your organization's budget.

CEO Perspectives on Online Threats

CEOs are increasingly aware of the diverse range of online threats that can target their organizations. These threats include:

- Malware: Malicious software designed to harm computer systems and steal data.
- Phishing: Attempts to trick individuals into revealing sensitive information.
- Intellectual property theft: Unauthorized use or distribution of copyrighted material.
- Cyberbullying and harassment: Online harassment and abuse targeting individuals or organizations.
- Data breaches: Unauthorized access to sensitive data.

Strategic Cyber Defense: CEO Views

CEOs are adopting a more proactive approach to cyber defense, recognizing that prevention is often better than a cure. They are investing in a range of security measures, including:

- Robust cybersecurity infrastructure: Implementing firewalls, intrusion detection systems, and other security technologies.
- Employee training and awareness: Educating employees about cybersecurity best practices and identifying potential threats.
- Incident response planning: Developing a comprehensive plan to respond to and recover from cyberattacks.
- Third-party risk management: Assessing the security practices of vendors and suppliers.

Role of Take-Down Services in Modern Cybersecurity

Take-down services have become an essential component of modern cybersecurity strategies. By proactively addressing online threats and protecting sensitive data, these services can help organizations mitigate risks, maintain their reputation, and ensure business continuity. As the threat landscape continues to evolve, CEOs must stay informed about emerging threats and adapt their security measures accordingly.

CEO Take-Down Services Strategies

Here are additional considerations for integrating a take-down service into your environment:

- Integration with existing security tools: Take-down services should be integrated with other cybersecurity tools to provide a comprehensive defense.
- Regulatory compliance: Ensure that take-down services align with relevant regulations and industry standards.
- Continuous monitoring: Regularly review the effectiveness of take-down services and make adjustments as needed.

The Future of Take-Down Services

As cyber threats become more sophisticated, the demand for effective take-down services is likely to increase. CEOs must stay informed about emerging trends and technologies to ensure their organizations are adequately protected.

Key Takeaways

- Take-down services are a valuable tool for protecting organizations from online threats.
- CEOs should carefully evaluate take-down service providers to select the best option for their needs.
- A comprehensive cybersecurity strategy should include take-down services as a key component.
- By proactively addressing threats and protecting sensitive data, CEOs can mitigate risks and maintain their organization's reputation.

By staying informed and taking proactive steps, CEOs can effectively leverage take-down services to protect their organizations in the face of evolving cyber threats.

Summing Up

As cyber threats become more sophisticated, integrating effective cybersecurity measures is crucial for protecting your organization. Take-down services are a vital tool in maintaining robust cyber hygiene, helping to eliminate harmful content and safeguard your brand’s reputation. For CEOs, leveraging these services is a strategic move to stay ahead of cybercriminals and ensure legal compliance, and at much lower cost than having your own team do the work.

Protect your organization with Cyble’s cutting-edge cybersecurity solutions. From advanced threat detection to proactive content takedowns, Cyble’s AI-driven platform provides comprehensive protection. Contact Cyble today to see how next-gen cybersecurity solutions can fortify your defenses and keep your digital assets secure.
Cannon Corporation, operating under the brand CannonDesign, is notifying its clients about a data breach that occurred earlier this year. CannonDesign, a renowned architectural, engineering, and consulting firm based in the United States, is well-known for its work on high-profile projects such as academic buildings, hospitals, and sports arenas. This CannonDesign data breach, which has raised concerns about the security of sensitive information, primarily impacts current and former CannonDesign employees and their dependents. "The Cannon Corporation (“Cannon Design”) is announcing a recent event that impacts the security of information related to certain current or former Cannon Design employees and their dependents," reads the official notice.

Details of CannonDesign Data Breach

On January 25, 2023, CannonDesign detected suspicious activity within its computer network, triggering a swift response to secure its systems and minimize operational disruptions. An in-depth investigation was launched to determine the extent of the breach. It was discovered that an unauthorized third party had gained access to specific parts of CannonDesign's network between January 19, 2023, and January 25, 2023. The investigation revealed that sensitive information belonging to certain individuals had been accessed or acquired by an unauthorized party. CannonDesign completed a thorough review of the affected data by May 3, 2024. Although the company has not found any evidence that the compromised information has been used for identity theft or fraud, it is notifying all potentially impacted individuals as a precautionary measure.

Information Compromised

The information exposed in the CannonDesign data breach includes a combination of personal details, such as:

- Names
- Contact information
- Social Security or Social Insurance numbers
- Driver’s license or state identification numbers
- Passport numbers
- Dates of birth

The compromised data is considered highly sensitive, potentially putting affected individuals at risk of identity theft or fraud.

CannonDesign’s Response and Measures Taken

CannonDesign has taken the data breach very seriously, immediately launching an investigation to assess the scope of the incident and securing its network. The company has also notified relevant state regulators, as required by law, and is working on implementing additional security measures to prevent future incidents. In its official notice, CannonDesign reassured clients and employees of its commitment to safeguarding personal information and emphasized that it is taking steps to enhance the security of its systems.

Guidance for Affected Individuals

CannonDesign is urging all potentially impacted individuals to take precautionary measures to protect their personal information. The company advises reviewing account statements and monitoring credit reports for any suspicious activity. Under U.S. law, consumers are entitled to one free credit report annually from each of the three major credit reporting agencies: Equifax, Experian, and TransUnion. Individuals can order their free credit report by visiting www.annualcreditreport.com or calling 1-877-322-8228.

Placing Fraud Alerts and Credit Freezes

To further safeguard their credit, individuals can place a fraud alert or a credit freeze on their credit files at no cost. A fraud alert notifies businesses to verify the identity of the consumer before extending new credit, which can help prevent identity theft. An initial fraud alert lasts for one year, while an extended fraud alert, available to identity theft victims, lasts for seven years. A credit freeze, on the other hand, restricts access to the consumer’s credit report without explicit authorization, making it difficult for identity thieves to open new accounts in the consumer’s name. While a credit freeze offers robust protection, it may also delay or interfere with the approval process for new loans or credit accounts. Under federal law, credit reporting agencies cannot charge consumers to place or lift a credit freeze.

CannonDesign understands that affected individuals may have additional questions or concerns regarding the data breach. The company has set up a dedicated helpline at 833-918-4990, available Monday through Friday, from 8 am to 8 pm CST (excluding major U.S. holidays). Additionally, individuals can reach out to CannonDesign in writing at 50 Fountain Plaza, Suite 200, Buffalo, New York 14202.
It might still sound far-fetched to say AI can develop critical thinking skills and help us make decisions in the cybersecurity industry. But we're not far off.
A server-side request forgery (SSRF) bug in Microsoft's tool for creating custom AI chatbots potentially exposed info across multiple tenants within cloud environments.
CodeBreaker technique can create code samples that poison the output of code-completing LLMs, resulting in vulnerable — and undetectable — code suggestions.
The technologies listed in Gartner's 2024 Hype Cycle for Emerging Technologies fall into four key areas: autonomous AI, developer productivity, total experience, and human-centric security and privacy programs.
Styx Stealer is based on the Phemedrone Stealer and is available for purchase online. It has the ability to steal passwords, cookies, crypto wallet data, and messenger sessions, as well as gather system information.
The abuse of URL rewriting in phishing attacks has emerged as a new trend, allowing threat actors to hide malicious links behind trusted domains of security vendors. Exploiting these features enables bypassing detection mechanisms.
The vulnerability, known as CVE-2024-6500, affects the InPost PL and InPost for WooCommerce plugins, allowing attackers to read and delete sensitive files like the wp-config.php configuration file.
A new threat known as "WireServing" has been identified in Azure Kubernetes Services (AKS) by Mandiant. This vulnerability could have allowed attackers to escalate privileges and access sensitive credentials within compromised clusters.
CVE-2024-7272 is a critical heap overflow vulnerability found in FFmpeg, the popular multimedia framework. The vulnerability affects versions up to 5.1.5 and has a CVSS score of 8.8.
Hackers have been using a PHP vulnerability to deploy a stealthy backdoor called Msupedge. This backdoor was recently used in a cyberattack against an unnamed university in Taiwan.
This flaw, present in versions 9.1.0 through 9.6.0, allows authenticated attackers to execute arbitrary code within the Bamboo environment, posing risks to confidentiality, integrity, and availability.
A high-severity vulnerability (CVE-2024-38810) has been discovered in Spring Security, potentially allowing unauthorized access to sensitive data within affected applications. The vulnerability impacts Spring Security versions 6.3.0 and 6.3.1.
Canonical has released security fixes for multiple OpenJDK 8 vulnerabilities that could result in denial of service, information disclosure, or arbitrary code execution on certain Ubuntu releases.
This method was first disclosed by CSIRT KNF in Poland in July 2023 and later observed in Czechia by ESET analysts. Similar campaigns were also observed targeting banks in Hungary and Georgia.
The vulnerability, identified as CVE-2024-5932, arises from inadequate validation of user-provided serialized data, allowing attackers to inject harmful PHP objects through the give_title parameter.
Iran-linked TA453 targeted a religious figure with a fake podcast interview invitation, attempting to deliver the BlackSmith malware toolkit. The initial lure involved an email leading to a malicious link containing the AnvilEcho PowerShell trojan.
The vulnerability stems from how Outlook handles hyperlink objects in image tags in emails, enabling attackers to exploit a composite moniker to trigger remote code execution.
Debian Linux Security Advisory 5756-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.
Debian Linux Security Advisory 5755-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.
Debian Linux Security Advisory 5754-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.
Debian Linux Security Advisory 5753-1 - An integer overflow was discovered in aom, the AV1 Video Codec Library, which could potentially result in the execution of arbitrary code if a malformed media file is processed.
Debian Linux Security Advisory 5752-1 - Two vulnerabilities have been discovered in the IMAP implementation of large headers can result in high CPU usage, leading to denial of service.
Ubuntu Security Notice 6965-1 - It was discovered that vim incorrectly handled parsing of filenames in its search functionality. If a user was tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service. It was discovered that vim incorrectly handled memory when opening and searching the contents of certain files. If a user was tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution with user privileges.
Ubuntu Security Notice 6966-2 - USN-6966-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox did not properly manage certain memory operations when processing graphics shared memory. An attacker could potentially exploit this issue to escape the sandbox. Nan Wang discovered that Firefox did not properly handle type check in WebAssembly. An attacker could potentially exploit this issue to execute arbitrary code. Irvan Kurniawan discovered that Firefox did not properly check an attribute value in the editor component, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. Rob Wu discovered that Firefox did not properly check permissions when creating a StreamFilter. An attacker could possibly use this issue to modify response body of requests on any site using a web extension.
Ubuntu Security Notice 6970-1 - It was discovered that exfatprogs incorrectly handled certain memory operations. If a user or automated system were tricked into handling specially crafted exfat partitions, a remote attacker could use this issue to cause exfatprogs to crash, resulting in a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2024-5692-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2024-5690-03 - An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include denial of service and heap overflow vulnerabilities.
Red Hat Security Advisory 2024-5689-03 - An update for python3.9 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a traversal vulnerability.
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new phishing attacks that aim to infect devices with malware. The activity has been attributed to a threat cluster it tracks as UAC-0020, which is also known as Vermin. The exact scale and scope of the attacks are presently unknown. The attack chains commence with phishing messages with photos of alleged prisoners of war (
A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164,
It's no great revelation to say that SaaS applications have changed the way we operate, both in our personal and professional lives. We routinely rely on cloud-based and remote applications to conduct our basic functions, with the result that the only true perimeter of our networks has become the identities with which we log into these services. Unfortunately – as is so often the case – our
In what's a case of an operational security (OPSEC) lapse, the operator behind a new information stealer called Styx Stealer leaked data from their own computer, including details related to the clients, profit information, nicknames, phone numbers, and email addresses. Styx Stealer, a derivative of the Phemedrone Stealer, is capable of stealing browser data, instant messenger sessions from
Cybersecurity researchers have uncovered a new macOS malware strain dubbed TodoSwift that they say exhibits commonalities with known malicious software used by North Korean hacking groups. "This application shares several behaviors with malware we've seen that originated in North Korea (DPRK) — specifically the threat actor known as BlueNoroff — such as KANDYKORN and RustBucket," Kandji security
Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive information. Tracked as CVE-2024-38206 (CVSS score: 8.5), the vulnerability has been described as an information disclosure bug stemming from a server-side request forgery (SSRF) attack. "An authenticated attacker can bypass Server-Side Request
A new remote access trojan called MoonPeak has been discovered as being used by a state-sponsored North Korean threat activity cluster as part of a new campaign. Cisco Talos attributed the malicious cyber campaign to a hacking group it tracks as UAT-5394, which it said exhibits some level of tactical overlaps with a known nation-state actor codenamed Kimsuky. MoonPeak, under active development
In episode 12 of The AI Fix, Mark and Graham meet an LLM having an existential crisis, ChatGPT speaks Welsh for no reason, Graham does an impression of a water spout, Eric Schmidt shares a new and unexpected take on "do no evil", and our hosts feel like David Attenborough as they witness herds of Waymo robotaxis honking their late-night mating calls at each other. Our hosts discover why it's OK to make AIs out of human brains, Mark takes Graham on an emotional roller coaster through the AI afterlife, and Graham comes last in a "who's the best Graham on the podcast?" competition. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.
Should the payment of a ransomware demand be illegal? Should it be regulated in some way? These questions are some examples of the legal minefield that cybersecurity teams must deal with
Source: www.databreachtoday.com – Author: 1 Black Hat, Events, Fraud Management & Cybercrime Robert Boyce on Accenture’s Strategy for Assessing the Behavior of Ransomware Gangs Michael Novinson (MichaelNovinson) • August 20, 2024 Robert Boyce, global cyber resilience lead, Accenture
Organizations facing ransomware threats must evaluate the stability and credibility of the attacking […] The post How Ransomware Group Stability Affects Payment Decisions – Source: www.databreachtoday.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning, Government, Industry Specific New Version Aims to Ensure AI Safety While Keeping Its Builders Happy Rashmi Ramesh (rashmiramesh_) • August 20, 2024 The California State Capitol Building in an undated file photo (Image: Shutterstock)
California state lawmakers watered down a bill […] The post California AI Catastrophe Bill Clears Committee – Source: www.databreachtoday.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 Business Continuity Management / Disaster Recovery, Fraud Management & Cybercrime, Governance & Risk Management Patients Still Asked to Bring Paper Records to Appointments Post-Ransomware Attack Marianne Kolbasuk McGee (HealthInfoSec) • August 20, 2024
McLaren Health Care’s Karmanos cancer centers are among the entity’s medical facilities experiencing […] The post McLaren Health Expects IT Disruption to Last Through August – Source: www.databreachtoday.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 Black Hat, Endpoint Security, Events EY’s Piotr Ciepiela Discusses Key Challenges in Implementing, Maintaining OT SOCs Michael Novinson (MichaelNovinson) • August 20, 2024 Piotr Ciepiela, partner, EMEIA cybersecurity leader, EY Consulting
OT security operations centers differ significantly from traditional IT SOCs because of the tight integration […] The post Addressing the OT SOC Challenges in Industrial Environments – Source: www.databreachtoday.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 Dustin Hutchison Chief Information Security Officer, Pondurance
Dustin has over 20 years of experience in information security, risk management and regulatory compliance. Prior to joining Pondurance, Dustin was a risk and compliance professional focusing on HIPAA, PCI and risk assessments for new technology acquisitions ranging from infrastructure solutions to patient […] The post Live Webinar | Demonstrating the Value of Your Cybersecurity Program – Source: www.databreachtoday.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime, Ransomware Crowded Leak Site May Be a Weakness and Fewer New Players a Sign of Higher Quality Mathew J. Schwartz (euroinfosec) • August 14, 2024 What’s up is now down. (Image: Shutterstock)
How many ransomware victims pay their attackers to avoid the psychological […] The post The Upside-Down, Topsy-Turvy World of Ransomware – Source: www.databreachtoday.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 CISO Trainings, Professional Certifications & Continuous Training, Training & Security Leadership Explore the Wide Range of Categories and Services and What It Takes to Do the Job Brandy Harris • August 14, 2024 Image: Getty Images
What is Cybersecurity Consulting? Cybersecurity consulting encompasses a wide array […] The post Cybersecurity Consulting: Is It the Right Career for You? – Source: www.databreachtoday.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.