Zyxel Networks has recently issued a critical alert regarding several high-risk vulnerabilities affecting its firewall products. This warning comes as part of a broader security advisory that highlights multiple vulnerabilities in Zyxel firewalls, with particular emphasis on those deemed high-risk. For administrators and security professionals, swift action is crucial to safeguard their systems.

The vulnerabilities in Zyxel firewalls could expose networks to significant security risks. Zyxel's security bulletin details several issues, the most concerning being a command injection vulnerability within the IPSec VPN feature. This flaw, cataloged as CVE-2024-42057, allows attackers to inject malicious commands via manipulated usernames. If a device is configured with user-based PSK authentication and has a username longer than 28 characters, attackers could exploit this vulnerability to execute arbitrary commands on the system.

Understanding the Vulnerabilities in Zyxel Firewalls

In addition to CVE-2024-42057, the advisory highlights several other severe vulnerabilities in Zyxel firewalls. One such vulnerability, CVE-2024-42058, involves a null pointer dereference. This flaw can be exploited by unauthenticated attackers who send specially crafted network packets, potentially causing a crash of the vulnerable Zyxel firewall.

(Image source: Zyxel)

The advisory also notes CVE-2024-42059 and CVE-2024-42060, which are post-authentication command injection vulnerabilities. After gaining admin-level access, attackers can exploit these flaws by uploading manipulated files via FTP or internal user agreements, allowing them to execute commands on the operating system. Another issue is CVE-2024-7203, a post-authentication command injection vulnerability similar to the previously mentioned ones but involving a different method of exploitation. Additionally, CVE-2024-42061 is a reflected cross-site scripting (XSS) vulnerability found in the CGI program "dynamic_script.cgi." This flaw can be used to trick users into executing malicious scripts in their browsers.

Regarding the affected versions of Zyxel firewalls, several releases across the ATP, USG FLEX, and USG FLEX 50(W)/USG20(W) VPN series are vulnerable.
Specifically, ATP series versions from ZLD V4.32 to V5.38 are affected, with the patch ZLD V5.39 available to address these issues. For the USG FLEX series, versions from ZLD V4.50 to V5.38 are impacted, and the ZLD V5.39 update provides the necessary fixes. Most versions of the USG FLEX 50(W)/USG20(W) VPN from ZLD V4.16 to V5.38 are affected, and these models are likewise covered by the ZLD V5.39 update. Zyxel's updates are designed to address these critical security flaws and ensure that affected devices are protected against potential threats. Administrators are advised to apply these patches promptly to protect their networks.

Detailed Breakdown of Zyxel Vulnerabilities

To provide a clearer picture, here is a detailed breakdown of the vulnerabilities affecting Zyxel firewalls:

- CVE-2024-6343: A buffer overflow vulnerability in the CGI program of some firewall versions could lead to a denial of service (DoS) if an authenticated attacker sends a crafted HTTP request.
- CVE-2024-42057: Command injection through the IPSec VPN could enable unauthenticated attackers to execute OS commands, provided the firewall is configured with a long username in user-based PSK mode.
- CVE-2024-42058: Null pointer dereference vulnerabilities can cause a DoS when the device is attacked with specific network packets.
- CVE-2024-42059: Command injection via FTP file upload allows attackers to execute commands on the OS with admin privileges.
- CVE-2024-42060: Similar to CVE-2024-42059, but involves uploading a crafted internal user agreement file.
- CVE-2024-42061: Reflected XSS vulnerability that could steal browser-based information if exploited.

To mitigate these risks, Zyxel strongly advises all users to update their firewalls to the latest firmware version, ZLD V5.39, available through the usual update channels. For more details, affected users should consult Zyxel's support resources or reach out to their local service representatives.
The company acknowledges the contributions of security researchers Nanyu Zhong, Jinwei Dong, Alessandro Sgreccia, Manuel Roccon, and nella17 for their role in identifying these vulnerabilities.
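As an added triage helper (not Zyxel's code and not part of the advisory), the following Python script encodes the affected ZLD ranges and the fixed release stated above and classifies a device inventory against them. The inventory, hostnames and version strings are constructed for illustration; the "most versions" wording for the USG FLEX 50(W)/USG20(W) VPN series is handled conservatively by treating the whole range as affected.

```python
import re

# Affected ZLD firmware ranges (inclusive) per series and the fixed release,
# as given in the Zyxel advisory summarised above. The advisory says "most"
# USG FLEX 50(W)/USG20(W) VPN builds in the range are affected; this check
# treats the whole range as affected, the conservative choice for triage.
AFFECTED_RANGES = {
    "ATP": ((4, 32), (5, 38)),
    "USG FLEX": ((4, 50), (5, 38)),
    "USG FLEX 50(W)/USG20(W) VPN": ((4, 16), (5, 38)),
}
FIXED_VERSION = (5, 39)  # ZLD V5.39

# Accepts "ZLD V5.38", "V5.38" or "5.38" (case-insensitive).
_ZLD_RE = re.compile(r"^\s*(?:ZLD\s*)?V?(\d+)\.(\d+)\s*$", re.IGNORECASE)


def parse_zld_version(text):
    """Turn a ZLD version string into a comparable (major, minor) tuple."""
    m = _ZLD_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(series, version_text):
    """Classify one device as 'vulnerable', 'patched' or 'outside_advisory'."""
    if series not in AFFECTED_RANGES:
        raise KeyError(f"series not covered by this advisory: {series!r}")
    low, high = AFFECTED_RANGES[series]
    version = parse_zld_version(version_text)
    if low <= version <= high:
        return "vulnerable"
    if version >= FIXED_VERSION:
        return "patched"
    # Older than the first affected build: the advisory makes no statement
    # about it, so flag it for manual review rather than calling it safe.
    return "outside_advisory"


def triage(inventory):
    """inventory: iterable of (hostname, series, version). Returns {hostname: status}."""
    return {host: assess(series, version) for host, series, version in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.38"),
    ("fw-branch-02", "ATP", "V5.39"),
    ("fw-hq-01", "USG FLEX", "ZLD V4.50"),
    ("fw-lab-01", "USG FLEX 50(W)/USG20(W) VPN", "4.15"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```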
The Securities and Exchange Commission (SEC) announced that it has reached a settlement with Galois Capital Management LLC, a Florida-based former registered investment adviser, over charges related to the mishandling of client assets and misleading investors. Galois Capital managed a private fund primarily invested in crypto assets. The SEC found that the firm failed to adhere to critical requirements designed to safeguard client assets, including those offered and sold as securities. This failure, coupled with misleading statements to investors about the notice period required for redemptions, led Galois Capital to agree to a settlement that includes a civil penalty of $225,000.

Custody Rule Violations and the FTX Collapse

Beginning in July 2022, Galois Capital did not ensure that certain crypto assets held by its advised private fund were maintained with a qualified custodian. The Custody Rule is a crucial regulatory measure that requires investment advisers to keep client assets with a qualified custodian to protect them from loss, misuse, or misappropriation. Galois Capital, however, held these assets in online trading accounts on various crypto asset trading platforms, including the now-infamous FTX Trading Ltd., which were not qualified custodians.

This oversight proved costly. In November 2022, approximately half of the fund's assets under management were lost following the collapse of FTX. The SEC's order indicates that this significant loss was directly linked to Galois Capital's failure to comply with the Custody Rule, thus exposing its investors to unnecessary risks.

In addition to the custody-related violations, the SEC found that Galois Capital misled its investors about the required notice period for redemptions. The firm had represented to certain investors that redemptions required at least five business days' notice before the month-end. However, it was discovered that Galois Capital allowed other investors to redeem with fewer days' notice, a practice that was not disclosed to all investors. This discrepancy in redemption policies created an uneven playing field and breached the trust of the investors who were misled.
SEC's Response and Enforcement Actions

Corey Schuster, Co-Chief of the SEC Enforcement Division's Asset Management Unit, commented on the case, stating, “By failing to comply with Custody Rule provisions, Galois Capital exposed investors to risks that fund assets, including crypto assets, could be lost, misused, or misappropriated.” He further emphasized the SEC's commitment to holding investment advisers accountable for violating their fundamental investor protection obligations.

Without admitting or denying the findings, Galois Capital consented to the SEC's order, which requires the firm to cease and desist from further violations of the Advisers Act. The order also includes a censure of Galois Capital and the imposition of a $225,000 civil penalty. This penalty will be distributed to the fund's harmed investors, providing some restitution for the losses incurred due to the firm's regulatory lapses. The investigation leading to these charges was a collaborative effort by members of the SEC's Division of Enforcement's Asset Management Unit.

Implications for the Crypto Asset Management Sector

The SEC's action against Galois Capital Management LLC is a significant development in the regulation of crypto asset management. It sends a strong message to investment advisers in the crypto space that the SEC will rigorously enforce compliance with the Investment Advisers Act and other regulatory frameworks designed to protect investors. Crypto assets, by their nature, present unique challenges and risks, making adherence to regulatory safeguards even more critical. As the crypto market continues to evolve, firms involved in managing crypto investments must remain vigilant and ensure that they meet all regulatory requirements. This includes maintaining assets with qualified custodians and providing transparent and fair treatment to all investors.
The collapse of FTX and the subsequent losses faced by Galois Capital’s investors highlight the vulnerabilities in the crypto market and the need for robust regulatory oversight. The SEC’s enforcement actions are a step toward ensuring that investor protection remains a priority, even as the financial landscape becomes increasingly digital and complex.
Sami Khoury, a veteran cybersecurity leader and the head of the Canadian Centre for Cyber Security (CCCS), has announced his departure from the agency to take on a new role as the Canadian government's Senior Official for Cybersecurity. Khoury, who has spent over 30 years at the Communications Security Establishment (CSE), Canada's premier cyber and signals intelligence agency, revealed his career move in a LinkedIn post on Tuesday, marking the end of his tenure as head of the CCCS and the beginning of a new chapter in his distinguished career.

"Yesterday marked my last day as Head of the Canadian Centre for Cybersecurity and today I start a new role as Gov. of Canada Senior Official for Cybersecurity. The last 1114 days have been nothing short of remarkable," reads Khoury's LinkedIn post.

Sami Khoury: Legacy of Leadership at CCCS

Khoury's departure from the CCCS marks the conclusion of an impactful tenure that began in August 2021. During his time leading the CCCS, Khoury was at the forefront of Canada's cybersecurity defenses, steering the agency through a period marked by increasingly sophisticated cyber threats. Reflecting on his time at the CCCS, Khoury described the experience as "nothing short of remarkable," highlighting the challenges faced and the lessons learned during his 1,114 days in the role.

"We dealt with many incidents, some with devastating impacts on communities. Each taught us something about the threats but also on how to do better next time," Khoury shared in his LinkedIn post.

Under Khoury's leadership, the CCCS responded to numerous cyber incidents, demonstrating the agency's critical role in safeguarding Canada's digital infrastructure. In the past year alone, the CCCS has been involved in several high-profile investigations, including a suspected state-sponsored hack of government systems in British Columbia. This breach is believed to have compromised 22 email inboxes containing sensitive information about 19 individuals. In February, the Royal Canadian Mounted Police (RCMP) announced an investigation into an "alarming" cyberattack that targeted its networks, further highlighting the severity of cyber threats against national security agencies.
This was followed by Canada's foreign ministry discovering "malicious cyber activity" on its network, which allowed hackers to access personal information. The origin of this breach—whether criminal or state-sponsored—remains unclear, adding to the complexity of the cyber threat landscape. Additionally, a separate and previous incident saw data on current and former members of Canada's armed forces and the RCMP compromised after a contractor providing relocation services for government personnel was hacked.

Building Strong Partnerships

Sami Khoury's approach to cybersecurity has been rooted in the belief that strong and trusted partnerships are essential for success. "To be successful, building strong and trusted partnerships at every level of society, domestically but equally as important internationally, was and remains important. We can't do it alone … no one can," Sami Khoury emphasized. His tenure at the CCCS was marked by efforts to foster collaboration not only within Canada but also with international partners, recognizing that cybersecurity is a global challenge that requires collective action.

Sami Khoury's commitment to partnership-building was evident in his interactions with a wide range of stakeholders, from government agencies to private sector entities. He expressed gratitude to those who supported his efforts, stating, "I met very passionate people dedicated to making a positive difference, developed new partnerships, and along the way made new friends. Thank you to everyone who invited me into their space to share knowledge, lent a helping hand, reported an incident, or just reached out to say Hi."

As Sami Khoury steps into his new role as the Canadian government's Senior Official for Cybersecurity, he brings with him a wealth of experience and a deep understanding of the cybersecurity landscape.
In his LinkedIn post, Khoury expressed his eagerness to continue contributing to the field of cybersecurity, stating, "Looking forward to staying active in this space, and adding my voice to that of others who continue to promote a strong and resilient cyber agenda." His new role will likely involve shaping national cybersecurity policies, coordinating responses to cyber threats, and ensuring that Canada remains resilient against the ever-evolving cyber landscape. Sami Khoury’s extensive background at the CSE, where he began as a research engineer in 1992, positions him well to take on these responsibilities at a time when cybersecurity has never been more critical to national security.
Malaysia is taking significant steps to enhance data privacy protections for its citizens with the Personal Data Protection (Amendment) Bill 2024. Following the passage of Malaysia's Data Protection Bill by Parliament in July 2024, public consultations are currently underway to gather feedback on key implementation aspects. Notably, the deadline for submissions regarding data breach notification, data protection officer (DPO) appointment, and the right to data portability concludes this week on September 6.

Data Protection Bill: Aligning with Global Standards

The Bill introduces several crucial changes to the existing Personal Data Protection Act 2010 (PDPA). These amendments aim to bring Malaysia's data privacy framework in line with international best practices, such as the General Data Protection Regulation (GDPR) of the European Union. Key highlights include:

- Mandatory Data Breach Notification: The Bill mandates data controllers (organizations that determine the purposes and means of personal data processing) to notify both the Personal Data Protection Commissioner (PDPC) and affected data subjects in case of a personal data breach. The notification to the PDPC must occur "as soon as practicable," while notification to data subjects is required "without unnecessary delay" if the breach is likely to cause "significant harm."
- Data Protection Officer Appointment: The Bill introduces a requirement for certain organizations to appoint a data protection officer (DPO). The DPO will be responsible for overseeing the organization's compliance with the PDPA and acting as a point of contact for data subjects. This aligns with the GDPR's DPO requirement, ensuring dedicated personnel manage data privacy within organizations.
- Enhanced Data Subject Rights: The Bill strengthens the rights of data subjects by introducing the right to data portability. This allows individuals to request their personal data in a structured, commonly used, and machine-readable format and have it transferred to another controller if desired.

Importance of Public Consultation

The ongoing public consultations on these crucial aspects offer stakeholders an opportunity to shape the future of data privacy in Malaysia.
Feedback on the proposed guidelines for data breach notification procedures, the DPO role's responsibilities, and the implementation of data portability is essential. According to Baker & McKenzie, a global law firm, these consultations "shed light on what may be required for compliance with some of the new legal requirements, while giving the public the opportunity to contribute and shape the final draft of these subsidiary instruments under the PDPA."

Impact on Businesses

The revised PDPA will have a significant impact on businesses operating in Malaysia. Organizations need to be aware of their obligations under the amended Act, particularly regarding data breach notification, DPO appointment, and data subject rights. Here are some initial steps businesses can take:

- Review data breach response protocols: Businesses should re-evaluate their existing data breach response plan and ensure it aligns with the Bill's notification requirements. This includes identifying potential breach scenarios, establishing clear communication protocols, and developing a timeline for notification.
- Assess the need for a DPO: Depending on the nature and volume of personal data an organization processes, it may be necessary to appoint a dedicated DPO. Businesses should assess these factors and identify internal resources or consider appointing an external DPO service provider.
- Develop data portability procedures: Organizations need to establish clear procedures for handling data subject requests regarding data portability. This may involve developing processes for data extraction and transfer in a structured, commonly used format.

Looking Forward

The public consultation on the implementation details of the Personal Data Protection (Amendment) Bill 2024 concludes on September 6. Businesses and individuals alike are encouraged to participate in this crucial process and contribute their feedback.
By working together, Malaysia can create a robust data privacy framework that protects the rights of individuals while fostering a flourishing digital economy.

Additional Considerations:

- Potential penalties for non-compliance with the amended PDPA: While specific details may be further defined, organizations should be prepared for potentially significant fines for non-compliance.
- Increased awareness among data subjects: The amended PDPA empowers individuals with greater control over their personal data. Businesses should anticipate an increase in data subject inquiries regarding access, rectification, and erasure rights.

The Personal Data Protection (Amendment) Bill 2024 marks a significant step forward for data privacy protection in Malaysia. By aligning with international standards and strengthening data subject rights, the amended PDPA creates a more secure digital environment for all. The ongoing public consultations provide a valuable opportunity to refine implementation details and ensure the amended Act is effective in safeguarding personal data.
Threat actors have launched a targeted campaign against high-profile individuals and government officials in Malaysia, leveraging malicious ISO files to deliver the Babylon RAT. A recent investigation by Cyble Research and Intelligence Lab (CRIL) has uncovered a targeted cyberattack campaign specifically aimed at political figures and government officials in Malaysia. The attack, which has been active since July, employs malicious ISO files designed to compromise high-profile individuals and institutions.

The malicious ISO files, which contain multiple components including a shortcut file, a hidden PowerShell script, a malicious executable, and a decoy PDF file, are crafted to deceive users into thinking they are interacting with legitimate files. Once opened, the ISO files execute a chain of events that ultimately delivers the Babylon RAT, a powerful remote access Trojan (RAT) known for its surveillance and data theft capabilities.

Intelligence from Cyble Vision's platform indicates that the threat actor behind this campaign has previously targeted Malaysian entities using Quasar RAT, another open-source RAT, suggesting a pattern of targeting high-profile individuals and institutions in the country.

Technical Analysis of the Babylon RAT Campaign

The campaign has employed at least three distinct malicious ISO files targeting Malaysian entities, each containing a lure document designed to appeal to a specific audience. The lure documents include topics such as political concerns in Malaysia and the Majlis Amanah Rakyat (MARA), a Malaysian government agency.

(Figure: Infection chain of the Babylon RAT campaign. Source: Cyble Research and Intelligence Labs, CRIL)

Upon opening the malicious ISO file, a PowerShell script is executed in the background, which then launches a decoy PDF file and copies the malicious executable to the %appdata% directory. The script also creates a registry entry to ensure the executable runs on system startup and then executes the malicious file. The final payload, the Babylon RAT, provides the threat actor with extensive control over the victim's machine, allowing them to capture keystrokes, monitor the clipboard, extract passwords, and execute commands remotely.
The RAT also maintains persistence on infected systems, ensuring it can continue its operations even after a reboot.

About Babylon RAT

Babylon is a Remote Access Trojan designed to allow remote access and control over infected machines. It is a high-risk threat due to its multi-functional capabilities, which include gathering system information, launching DDoS attacks, stealing credentials, and more. The RAT, which first surfaced on dark web forums around 2015, has been used in various phishing campaigns targeting multiple sectors over the years. The initial infection vector used in the latest campaign remains unclear, Cyble researchers said.

Key Features and Capabilities of Babylon RAT

- Remote Access and Control: Enables threat actors to interact with infected devices in real time.
- Information Gathering: Collects hardware details, OS version, device name, username, IP address, and more.
- Anti-detection: Has capabilities to evade detection by security tools.
- Self-spreading: Can spread through local networks.
- DDoS Attacks: Can launch Distributed Denial-of-Service attacks to disrupt services.
- Credential Stealing: Extracts usernames and passwords from various installed applications, including browsers.
- Proxy Usage: Can make the host act as a SOCKS proxy to capture network traffic from multiple infected hosts, bypassing network security measures.

The sophisticated cyberattack targeting political figures and government officials in Malaysia is a wake-up call for highly ranked individuals and institutions. The use of Babylon RAT demonstrates the advanced capabilities of these threat actors and their ability to gain unauthorized access to sensitive information.

Recommendations

Cyble's researchers recommended the following mitigation measures to avoid such future campaigns:

- Implement advanced email filtering solutions to detect and block malicious attachments, such as ISO files.
- Deploy and regularly update endpoint security solutions to detect and mitigate threats like Babylon RAT.
- Implement continuous network monitoring and anomaly detection to identify and respond to unusual activities.
- Conduct comprehensive security awareness training for political figures and government officials to recognize and avoid phishing attempts and malicious files.
- Ensure that all systems and software are kept up to date with the latest security patches to reduce vulnerabilities that could be exploited by threat actors.
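As an added example (not Cyble's code or data), here is a small correlation routine that looks in endpoint telemetry for the infection-chain stages described above: hidden PowerShell launched by Explorer from a newly mounted drive, an executable written under %appdata%, a Run key pointing at it, and that executable then started by PowerShell. The event records, hostnames, paths and timestamps are constructed in a Sysmon-like shape and are not indicators from the campaign; the stage names and the three-of-four alert threshold are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed telemetry in a Sysmon-like shape (hostnames, paths, times and the
# dropped file name are made up; none of these are indicators from the campaign).
EVENTS = [
    # 1. Double-clicking the shortcut inside the mounted ISO (drive E:) runs the
    #    hidden PowerShell script.
    {"ts": "2024-08-12T09:00:01", "host": "ws1", "kind": "process", "image": POWERSHELL,
     "parent": EXPLORER, "cmdline": r"powershell.exe -WindowStyle Hidden -File E:\stage.ps1",
     "target": ""},
    # 2. The script copies the executable into %appdata%.
    {"ts": "2024-08-12T09:00:02", "host": "ws1", "kind": "file", "image": POWERSHELL,
     "parent": "", "cmdline": "", "target": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    # 3. It registers that path in the per-user Run key for persistence.
    {"ts": "2024-08-12T09:00:03", "host": "ws1", "kind": "registry", "image": POWERSHELL,
     "parent": "", "cmdline": "",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc = C:\Users\alice\AppData\Roaming\svc\update.exe"},
    # 4. It then launches the executable.
    {"ts": "2024-08-12T09:00:04", "host": "ws1", "kind": "process",
     "image": r"C:\Users\alice\AppData\Roaming\svc\update.exe", "parent": POWERSHELL,
     "cmdline": r"C:\Users\alice\AppData\Roaming\svc\update.exe", "target": ""},
    # Benign noise on another host: a Run key set by regedit, not by PowerShell.
    {"ts": "2024-08-12T09:05:00", "host": "ws2", "kind": "registry",
     "image": r"C:\Windows\regedit.exe", "parent": "", "cmdline": "",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# Drive letter of the script passed with -File (e.g. "E" from "-File E:\stage.ps1").
_SCRIPT_DRIVE = re.compile(r'-file\s+"?([a-z]):\\', re.IGNORECASE)


def _is_powershell(path):
    return path.lower().endswith("\\powershell.exe")


def _in_appdata(path):
    return "\\appdata\\" in path.lower()


def indicators(ev):
    """Return the set of chain stages a single event matches (possibly empty)."""
    hits = set()
    image, parent = ev["image"], ev["parent"]
    cmd, target = ev["cmdline"].lower(), ev["target"]
    if ev["kind"] == "process" and _is_powershell(image) and parent.lower().endswith("\\explorer.exe"):
        m = _SCRIPT_DRIVE.search(cmd)
        # An ISO opened from Explorer is mounted as a new drive letter, so a hidden
        # script run from anything but the system drive is the first stage.
        if "-windowstyle hidden" in cmd and m and m.group(1).lower() != "c":
            hits.add("hidden_powershell_from_mounted_drive")
    if ev["kind"] == "file" and _is_powershell(image) and _in_appdata(target) \
            and target.lower().endswith(".exe"):
        hits.add("exe_written_to_appdata")
    if ev["kind"] == "registry" and _is_powershell(image) \
            and "\\currentversion\\run\\" in target.lower() and _in_appdata(target):
        hits.add("run_key_points_to_appdata")
    if ev["kind"] == "process" and _is_powershell(parent) and _in_appdata(image) \
            and image.lower().endswith(".exe"):
        hits.add("appdata_exe_spawned_by_powershell")
    return hits


def correlate(events, window=timedelta(minutes=2), min_stages=3):
    """One alert per host when at least min_stages distinct stages occur within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in indicators(ev):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            seen = {stage for t, stage in hits[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                alerts.append({"host": host, "first_seen": t0.isoformat(), "stages": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Requiring three of the four stages keeps a single Run-key write by an administrator, as on the second host, from raising an alert on its own.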
Cybercriminals may have leveraged MacroPack, a legitimate framework designed for red team exercises, to distribute malicious payloads such as the Brute Ratel and Havoc tools, as well as a new variant of the PhantomCore remote access trojan (RAT). Analysis of MacroPack lure documents revealed the use of obfuscation techniques to evade detection, such as function and variable renaming, string encoding, and removal of comments and surplus whitespace. These activities were used to target victims in China, Pakistan, Russia and the U.S.

MacroPack-Generated Malware Payloads

Researchers at Cisco Talos discovered several clusters of MacroPack-generated documents, each with distinct lure themes and payloads. The first cluster featured generic Word documents instructing users to enable content, which would allow the malicious macros to execute. These documents, uploaded from China, Taiwan and Pakistan, delivered the Havoc post-exploitation framework as the final payload.

(Image source: https://blog.talosintelligence.com/)

Havoc is a free, open-source tool used by penetration testers and red teams. However, threat actors have also abused it for malicious purposes. The Havoc implants, or 'demons,' allow attackers to remotely control affected systems.

The second cluster of documents, uploaded from Pakistan, had military-themed lures, such as a circular announcing awards for Pakistani Air Force officers. These documents delivered Brute Ratel, another popular red teaming framework that has been co-opted by real threat actors. Brute Ratel enables a wide range of malicious activities, including remote command execution, lateral movement, persistence, and evasion of endpoint security solutions. The Brute Ratel payloads used DNS over HTTPS and Amazon CloudFront CDN servers for command-and-control communications.

Obfuscation Techniques

One notable aspect of the MacroPack-generated documents was the inclusion of four non-malicious VBA subroutines. These benign functions, traced back to a website hosting VBA examples and a French Microsoft Word programming book, were likely included to lower the overall entropy of the code and bypass heuristic-based detection.
The MacroPack author also implemented a feature to generate function and variable names using Markov chains, creating seemingly meaningful names to further evade detection. While the tactics, techniques and procedures (TTPs) observed in these samples were clearly malicious, the researchers were unable to attribute the activity to a single threat actor, and did not rule out the possibility that at least some of the documents may have represented red teaming exercises rather than real-world attacks. While the researchers have shared indicators of compromise (IOCs) related to the discovered samples, some of these were excluded from the report because they may have been part of legitimate red team activities.
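As an added illustration (not Talos's or MacroPack's code), the script below measures the Shannon entropy of a constructed obfuscated macro, shows how appending benign, low-entropy routines of the kind described above dilutes that signal, and pairs the entropy measure with auto-execution and suspicious-call checks that the padding does not affect. Both VBA samples are constructed for this example; the encoded string in the obfuscated one merely spells "calc".

```python
import math
import re
from collections import Counter

# Constructed obfuscated macro in the style the report describes: renamed
# identifiers, a Chr()-encoded string, no comments and no surplus whitespace.
OBFUSCATED = """Sub AutoOpen()
Dim qZ7vkx2t As String
Dim nW1xp9Qd As Object
Dim hB3tzY8k As Integer
hB3tzY8k = 0
qZ7vkx2t = Chr(99) & Chr(97) & Chr(108) & Chr(99)
Set nW1xp9Qd = CreateObject("WScript.Shell")
nW1xp9Qd.Run qZ7vkx2t, hB3tzY8k
Set nW1xp9Qd = Nothing
End Sub
"""

# Constructed benign routines of the "VBA examples" kind: readable names,
# comments and indentation, all of which push character entropy down.
BENIGN_PADDING = """' Format the header row of the active worksheet
Sub FormatHeaderRow()
    Dim headerRange As Range
    Set headerRange = ActiveSheet.Range("A1:F1")
    With headerRange
        .Font.Bold = True
        .Interior.Color = RGB(220, 230, 241)
        .HorizontalAlignment = xlCenter
    End With
End Sub

' Count the non-empty cells in column A of the active worksheet
Function CountFilledCells() As Long
    Dim lastRow As Long
    lastRow = ActiveSheet.Cells(ActiveSheet.Rows.Count, 1).End(xlUp).Row
    CountFilledCells = Application.WorksheetFunction.CountA(ActiveSheet.Range("A1:A" & lastRow))
End Function

' Return the text with leading and trailing spaces removed
Function CleanText(ByVal text As String) As String
    CleanText = Trim(text)
End Function

' Add a dated footer to every sheet in the workbook
Sub AddFooterToAllSheets()
    Dim sheet As Worksheet
    For Each sheet In ActiveWorkbook.Worksheets
        sheet.PageSetup.CenterFooter = "Printed on " & Format(Date, "yyyy-mm-dd")
    Next sheet
End Sub
"""

# Content signals (names chosen for this example, not an exhaustive list).
AUTOEXEC = re.compile(r"\b(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b", re.I)
SUSPICIOUS = re.compile(r"\b(ShellExecute|Shell|CreateObject|Run|Environ|URLDownloadToFile)\b", re.I)
CHR_CALL = re.compile(r"\bChr[WB]?\s*\(", re.I)


def shannon_entropy(text):
    """Bits per character over the characters of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def analyse(vba):
    """Entropy plus content-based signals that low-entropy padding cannot dilute."""
    return {
        "entropy": round(shannon_entropy(vba), 3),
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(vba)}),
        "suspicious_calls": sorted({m.group(1) for m in SUSPICIOUS.finditer(vba)}),
        "chr_calls": len(CHR_CALL.findall(vba)),
    }


if __name__ == "__main__":
    print("obfuscated only:", analyse(OBFUSCATED))
    print("with padding:   ", analyse(OBFUSCATED + "\n" + BENIGN_PADDING))
```

The padded sample scores lower on entropy than the obfuscated macro alone, which is why a fixed entropy threshold is a weak detector on its own; the auto-execution name, the WScript.Shell instantiation and the Chr() string building survive the padding unchanged.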
US oilfield services giant Halliburton has confirmed that a cyberattack in August led to unauthorized third-party access and the removal of information from its systems. This data breach news comes after weeks of speculation following an initial report that highlighted a potential cyber threat directed at Halliburton. While details remain scarce, the company has acknowledged the breach and is currently investigating the nature and scope of the information removed. In its latest Form 8-K filing with the Securities and Exchange Commission (SEC) on August 30, 2024, Halliburton stated, “The Company believes the unauthorized third party accessed and exfiltrated information from the Company’s systems.”

Nature of Exfiltrated Data Unclear

Despite confirming the breach, Halliburton has not disclosed the specific type of data that was compromised. In its SEC filing, the company stated, “When it learned of the issue, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors to assess and remediate the unauthorized activity.”

“The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement. The Company’s ongoing investigation and response includes restoration of its systems and assessment of impacted data.

“The incident has caused disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions. The Company believes the unauthorized third party accessed and exfiltrated information from the Company’s systems. The Company is evaluating the nature and scope of the information, and what notifications are required,” the company informed.

An Investigation by Google's Mandiant

Many media reports stated that on August 26, Halliburton had informed suppliers that it had taken its systems offline out of caution and was working with Google's incident response firm Mandiant to investigate the breach. The company is evaluating the nature and scope of the stolen information but presently does not anticipate a material impact from the breach. “The Company has incurred, and may continue to incur, certain expenses related to its response to this incident.
As of the date of this Current Report on Form 8-K, the Company believes that the incident has not had, and is not reasonably likely to have, a material impact on the Company’s financial condition or results of operations. The Company remains subject to various risks due to the incident, including the adequacy of processes during the period of disruption, diversion of management’s attention, potential litigation, changes in customer behavior, and regulatory scrutiny,” the company stated in its SEC filing.

Weak Password Behind Breach?

According to a LinkedIn post by cybersecurity researcher Alon Gal, "Although Halliburton won't disclose how they were hacked, it’s not surprising that they were successfully targeted given that hundreds of their employees are infected with malware. I wouldn't be surprised if hackers gained access through Infostealer credentials, which is an increasingly common intrusion method.”

To support his claims, Gal shared graphs and stated, “Password hygiene at the company seems to be very bad, overall for sensitive login pages, 65% of passwords are considered "weak", meaning they are 6-8 characters long and a diversity of 2-3 types of characters (lowercase, uppercase, number, and symbols).”

(Image source: LinkedIn)

“In terms anti-viruses installed on these infected employee computers, just ~10% had premium anti-viruses, most had stuff like Windows Defender, and a lot had no AV installed at all,” he added.

Security Concerns for Energy Sector

This attack on Halliburton highlights the growing vulnerability of the energy sector to cyberattacks. The Cyber Express previously reported on potential threats targeting the sector, and Halliburton's experience underscores the need for heightened cybersecurity measures within energy companies. The lack of transparency regarding the nature of the attack and the data compromised is concerning.
Companies in this industry must invest in robust security systems and train their employees to be aware of the latest cyber threats. The government must also play a role in protecting critical infrastructure from cyberattacks. This could include providing financial assistance to companies to help them improve their cybersecurity, as well as developing new regulations to strengthen the security of critical infrastructure.
Three individuals have admitted guilt in connection with a sophisticated hacking operation that exploited two-factor authentication (2FA) systems, potentially netting up to $10 million. The 2FA bypass operation was orchestrated by three culprits, Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque, through a website and Telegram group known as OTP Agency. Their activities drew the attention of the U.K. National Crime Agency (NCA), which confirmed their involvement and revealed the extensive reach of their illicit enterprise.

The investigation into OTP Agency began in June 2020, but the fraudulent activities are believed to have commenced as early as September 2019. According to the NCA, the operation was a well-orchestrated scheme through which cybercriminals could bypass 2FA protections to access bank accounts and execute fraudulent transactions. By the time the website was taken offline, approximately 12,500 individuals had been targeted by these malicious actors.

Details of the 2FA Bypass Operation

The OTP Agency offered a range of subscription packages to its members. The basic plan, priced at £30 per week, allowed users to bypass 2FA protections on various banking platforms such as HSBC, Monzo, and Lloyds. For those seeking more advanced capabilities, the elite plan, costing £380 per week, provided access to Visa and Mastercard verification sites, further enhancing the fraudsters' ability to exploit financial systems.

The OTP Agency was marketed aggressively on Telegram, where it boasted a membership base of over 2,200 individuals. The group was used to promote the 2FA bypass service, with Picari and his associates promising quick financial gains for their clients. In a message posted in October 2019, Picari wrote: “First and last professional service for your OTP stealing needs. We promise you will be making profit within minutes of purchasing our service…” Such pitches highlight the operational nature of this 2FA fraud agency.

Picari, Vijayanathan, and Siddeeque's roles were well-defined within the operation. Picari, the mastermind behind the OTP Agency, was responsible for developing and maintaining the website. He also actively promoted the service on Telegram.
Vijayanathan assisted in marketing and support, while Siddeeque provided technical assistance to clients utilizing the service. The conversation revealed their awareness of the incriminating evidence and their efforts to mitigate the damage by deleting communications. Legal Proceedings and Sentencing Following their arrest, the trio faced serious charges, including conspiracy to make and supply articles for use in fraud and, in Picari's case, money laundering. The conspiracy charge carries a maximum penalty of 10 years in prison, while money laundering can lead to a 14-year sentence. Despite initially denying their involvement, all three men have now pleaded guilty. They are scheduled to be sentenced at Snaresbrook Crown Court. NCA Operations Manager Anna Smith emphasized the gravity of the trio's actions: “Picari, Vijayanathan, and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public. Their convictions serve as a stern warning to anyone else considering offering similar services; the NCA is fully equipped to disrupt and dismantle websites that threaten people's financial security.” The financial impact of the OTP Agency’s operations is substantial. Estimates suggest that if all members had opted for the elite subscription package, the total earnings could have approached £7.9 million ($10 million). This figure highlights the potential scale of damage caused by such 2FA bypass schemes.
We regularly hear news about breakthroughs leading to the advent of working quantum computers. For now, no such computer exists, so nobody can use one to crack encryption. But by the time one does arrive, it will already be too late to address the problem: encrypted traffic recorded today can be decrypted then. That is why new encryption algorithms resistant to both classical attacks and quantum-computer attacks are being standardized today. These algorithms are known as post-quantum or quantum-resistant (PQC). Support for them is gradually appearing in everyday devices and applications; they were recently integrated into Google Chrome, which immediately exposed compatibility issues in ordinary organizational IT infrastructure. So, where have post-quantum algorithms already been implemented, and what should IT teams prepare for?

Which services already support post-quantum algorithms?

Amazon. The cloud giant introduced a hybrid post-quantum variant of TLS 1.3 for its AWS Key Management Service (KMS) back in 2020. Since then, the solution has been updated, with its configuration adapted in line with NIST recommendations.

Apple iOS/iPadOS/macOS. In February 2024, Apple announced an update to the iMessage protocol, which uses the PQ3 quantum-resistant protocol for key exchange. It is based on the NIST-selected Kyber algorithm but also keeps classical elliptic-curve cryptography, so an attacker would have to break both layers.

Cloudflare. Since September 2023, Cloudflare has supported post-quantum key agreement for connections to origin servers (its customers' websites), and is gradually rolling out post-quantum cryptography for client connections. When a TLS connection is established with a compatible peer, a hybrid key agreement is used: classical X25519 contributes one part of the key and post-quantum Kyber the other. This popular combination is known as X25519Kyber768.

Google Chrome. Test support for post-quantum key agreement in TLS appeared in August 2023, and as of version 124 (April 2024) it is enabled by default. The algorithm used is X25519Kyber768.

Mozilla Firefox. Support for X25519Kyber768 in TLS and QUIC appeared at the beginning of 2024, but it is still not enabled by default and must be activated manually.
Mullvad. This popular VPN service uses the following PQC method: first, a conventional encrypted tunnel is established; then a fresh key agreement is run over it using the Classic McEliece and Kyber algorithms, and the tunnel is re-established with the resulting keys.

Signal. The messenger implemented the PQXDH protocol in September 2023, a hybrid that combines classical X25519 with Kyber in the same spirit as the browsers' X25519Kyber768.

Tuta(nota). The popular secure email service lets users send post-quantum encrypted emails using the X25519Kyber768 algorithm. The obvious drawback is that this only works between Tuta users.

Although not yet a commercial product, Google's implementation of FIDO2 hardware security keys is also worth mentioning: it signs with a combination of classical ECDSA and post-quantum Dilithium.

In addition, PQC is supported by numerous libraries on which other products are built, from email and web servers to operating systems. Notable ones include OpenSSL and BoringSSL, as well as Debian's experimental branch. Many of these implementations exist thanks to the Open Quantum Safe initiative, which maintains post-quantum forks of popular cryptographic utilities and libraries, with bindings for a variety of programming languages.

The main drawbacks of quantum-resistant cryptography

The algorithms haven't been analyzed enough. Although the wider scientific community has been doing cryptanalysis on them for several years, the mathematics behind post-quantum cryptography is more complex than that of RSA and ECC, and experience with classical cryptography shows that serious flaws or new attack methods can surface decades later. It is almost certain that vulnerabilities will be found in today's PQC algorithms, not just in implementations but in the algorithms themselves.

Key sizes are much larger than in RSA and ECC.
For example, a Kyber768 public key is 1184 bytes and its ciphertext 1088 bytes, against 32 bytes for an X25519 public key. This noticeably increases traffic volume if keys are renegotiated frequently, and tightly designed or low-power systems may not have the memory for such keys. The computational load of PQC is also higher than that of classical algorithms, which slows operations and raises energy consumption by 2–3 times; optimized hardware may resolve this in the future.

Compatibility issues. Every update to encryption standards and protocols, even classical ones, creates complications while some systems have been updated and related ones haven't.

Post-quantum compatibility problems

Practical issues primarily affect services that use TLS for connections. TLS is implemented in countless ways across thousands of products, sometimes with errors. As soon as Google enabled Kyber support by default in Chrome 124, administrators started reporting that Chrome and Edge could not connect to some web servers: the connection was dropped with an error immediately after the ClientHello. The cause is the second drawback above, the large key size. The ClientHello, which had always fit in a single TCP segment, now spans two or more, and servers, proxies, and firewalls that assume a single-segment ClientHello simply terminate the connection instead of reading the remaining segments. The correct behavior is to read the whole message and, if the Kyber group is unknown, fall back to a classical key agreement with the client; a server does not need to implement Kyber to stay compatible. A list of incompatible web servers and firewalls affected by this issue is being tracked on a dedicated site, with Cisco products notably listed. If an organization suddenly can't open any websites, the culprit is most likely the proxy or firewall, which needs an update.
Until the developers of incompatible applications and devices release patches, a temporary workaround is to disable PQC in the browser:

Chrome and Edge: via group policy (the PostQuantumKeyAgreementEnabled policy), or in the advanced settings at chrome://flags/#enable-tls13-kyber
Firefox: in about:config, set security.tls.enable_kyber

Administrators are advised to check their own websites and web applications by enabling Kyber support in Firefox or Chrome and opening the site. If an SSL/TLS error occurs, the web server, or a proxy or firewall in front of it, needs to be updated.

Quantum-resistant cryptography standards

Standardization is key to avoiding a protocol mess and compatibility issues, and for PQC the process is ongoing but far from complete. NIST recently published the first full-fledged post-quantum standards: FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber) for key encapsulation, and FIPS 204 (ML-DSA, from CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, from SPHINCS+) for digital signatures in different scenarios. European organizations, from ENISA and ETSI to BSI and ANSSI, intend to adopt NIST's standards but are open to additional algorithms if they prove better. All of them stress hybrid protection for critical data: a post-quantum and a classical algorithm used together, so that a novel attack on the young post-quantum algorithm does not by itself expose the data. China plans to standardize its own post-quantum algorithms in 2025; the Chinese Association for Cryptologic Research (CACR) announced the finalists in 2020: Aigis-sig and Aigis-enc (modified relatives of CRYSTALS-Dilithium and CRYSTALS-Kyber, respectively) and LAC.PKE. Meanwhile, the IETF working groups responsible for internet protocols will likely adopt NIST's standards in those protocols.
The White House Office of the National Cyber Director released a plan outlining steps network operators and service providers need to take to secure BGP from abuse and configuration errors.
This bill requires Web browsers to have an easy-to-find (and use) setting for consumers to send an opt-out preference signal by default to every site and app they interact with.
Sophisticated social engineering is expected to accompany threat campaigns that are highly targeted and aimed at stealing crypto and deploying malware.
The ElectionGuard project allows anyone — voters, campaign staffers, and election officials — to cryptographically verify ballots, a promise which may bolster faith in election integrity.
A proximity resilience graph offers a more accurate representation of risk than heat maps and risk registers, and allows CISOs to tell a complex story in a single visualization.
Swan Bitcoin CEO Cory Klippsten has warned users about phishing emails targeting the platform's users. The scam involves fake "Data Breach Notice" emails, possibly linked to the Klaviyo and HubSpot data breaches in 2022.
Hackers exploited a vulnerability in Verkada's customer support server, gaining access to the Command platform and extracting video footage and customer data. Another incident involved a hacker installing the Mirai botnet on Verkada's network server.
The most common scams involve government impersonation, business impersonation, and tech support, where scammers persuade victims to withdraw cash from their bank accounts and deposit it into Bitcoin ATMs.
Automated threats are increasingly difficult to keep up with, with 98% of organizations attacked by bots experiencing revenue loss, according to Kasada. Web scraping and account fraud are the primary threats causing revenue losses.
The White House advised network operators to implement Resource Public Key Infrastructure (RPKI) to enhance security, which involves digital certificates managed by Regional Internet Registries.
Debian has patched two critical vulnerabilities in the Dovecot mail server, identified as CVE-2024-23184 and CVE-2024-23185, which could lead to denial-of-service attacks.
A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign.
D-Link has announced that it will not be fixing four critical remote code execution (RCE) vulnerabilities in its DIR-846W routers due to the products no longer being supported.
The Zyxel flaw, tracked as CVE-2024-7261, has a CVSS v3 score of 9.8 and lets attackers execute arbitrary commands on the host operating system by manipulating user-supplied data.
Ransomware groups are increasingly weaponizing stolen data to pressure victims into paying. They analyze data to maximize damage and create opportunities for extortion, targeting business leaders and employees for blame.
The Biden administration has dropped its appeal of a court decision that rejected new regulations restricting hospitals' use of web-tracking tools. A Texas judge ruled the administration's efforts illegal in June.
DVUEFI was created to assist ethical hackers, security researchers, and firmware enthusiasts in beginning their journey into UEFI firmware security by providing examples to explore potential vulnerabilities.
A new twist on the old sextortion scam involves sending personalized emails with webcam footage of individuals and a photo of their home, obtained from online mapping applications.
The mastermind behind the operation, Callum Picari, along with his accomplices Vijayasidhurshan Vijayanathan and Aza Siddeeque, were arrested by National Crime Agency (NCA) officers in March 2021.
Initial Access Brokers (IABs) are now targeting companies with revenues reaching $2 billion, particularly in the US and business services sector, according to new research from Cyberint.
The ransomware crisis is escalating, with a surge in attacks and payouts. New ransomware groups like PLAY and Medusa have led a wave of attacks in the second quarter, following the takedown of LockBit and BlackCat.
The attack involves compromising hotel managers' accounts to access customer reservation systems, ultimately tricking hotel guests via the Booking.com app. The scheme utilizes a fake domain to deceive users and harvest sensitive data.
The highly obfuscated KTLVdoor malware has versions for both Microsoft Windows and Linux, allowing attackers to perform tasks like file manipulation, command execution, and remote port scanning.
The Dutch Data Protection Authority (Dutch DPA) fined Clearview AI $34 million for the illegal creation of a facial image database. If Clearview AI does not comply, an additional fine of up to $5.5 million will be imposed.
The Python-based infostealer collects user information, text files, PDF files, browser data, crypto wallets, game platforms, browser extensions, and cookies. The stolen data is sent via email to the attacker.
According to telemetry data from Trend Micro, ransomware attacks in Southeast Asia are on the rise in 2024, with major incidents in countries including Thailand, Japan, South Korea, Singapore, Taiwan, and Indonesia.
VMware has patched a high-severity code execution flaw in its Fusion hypervisor. The vulnerability, tracked as CVE-2024-38811, is caused by an insecure environment variable.
The latest version 4.0.1 of the Payment Card Industry Data Security Standard (PCI DSS) has introduced key changes to address the evolving digital landscape. While some requirements are already in effect, others will come into play by April 2025.
The industry remains largely unscathed by cyber threats, but recent events like the JBS ransomware attack highlight vulnerabilities. The sector's increased automation makes it a target for hackers, posing risks to the US food supply.
This article provides an in-depth analysis of two kernel vulnerabilities within the Mali GPU, reachable from the default application sandbox, which the researcher independently identified and reported to Google. It includes a kernel exploit that achieves arbitrary kernel r/w capabilities. Consequently, it disables SELinux and elevates privileges to root on Google Pixel 7 and 8 Pro models.
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.
Ubuntu Security Notice 6985-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program.
Debian Linux Security Advisory 5765-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.
Ubuntu Security Notice 6988-1 - It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay and manipulate responses. This issue only affected Ubuntu 24.04 LTS. It was also discovered that Twisted did not properly sanitize certain input. An attacker could use this vulnerability to perform HTML injection leading to a cross-site scripting attack.
Debian Linux Security Advisory 5764-1 - David Benjamin reported a flaw in the X.509 name checks in OpenSSL, a Secure Sockets Layer toolkit, which may cause an application performing certificate name checks to crash, resulting in denial of service.
Ubuntu Security Notice 6986-1 - David Benjamin discovered that OpenSSL incorrectly handled certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service or expose sensitive information.
Ubuntu Security Notice 6981-2 - USN-6981-1 fixed vulnerabilities in Drupal. This update provides the corresponding updates for Ubuntu 14.04 LTS. It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code.
Ubuntu Security Notice 6987-1 - It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. It was discovered that Django incorrectly handled certain email sending failures. A remote attacker could possibly use this issue to enumerate user emails by issuing password reset requests and observing the outcomes.
Red Hat Security Advisory 2024-6297-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2024-6268-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2024-6267-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.
A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign. The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers
The Dutch Data Protection Authority (Dutch DPA) has imposed a fine of €30.5 million ($33.7 million) against facial recognition firm Clearview AI for violating the General Data Protection Regulation (GDPR) in the European Union (E.U.) by building an "illegal database with billions of photos of faces," including those of Dutch citizens. "Facial recognition is a highly intrusive technology that you
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package
Account takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, "Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them" argues that the
Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands. Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection. "The improper neutralization of special elements in the
North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview. The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for
Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component. According to the description of the bug in the NIST National
Would a more robust cybersecurity posture impact premium costs? Does the policy offer legal cover? These are some of the questions organizations should consider when reviewing their cyber insurance options
Source: www.databreachtoday.com. Critical Infrastructure Security, Governance & Risk Management, Operational Technology (OT). Agency Publishes Notice Soliciting Comments on Potential Federal Response. David Perera (@daveperera), September 3, 2024. Image: ventilation pipes on the facade of a computer data center (Shutterstock). An artificial intelligence-fueled growth in data center construction […] The post "US NTIA Probes Data Center Security Risks – Source: www.databreachtoday.com" appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com. Governance & Risk Management, Government, Industry Specific. Director Hails New Guidance as ‘First Step’ in Resolving BGP Security Risks. Chris Riotta (@chrisriotta), September 3, 2024. Image: an external gateway running the Border Gateway Protocol (Shutterstock). U.S. National Cyber Director Harry Coker unveiled new guidance […] The post "ONCD Unveils BGP Security Road Map Amid Rising Threats – Source: www.databreachtoday.com" appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com. Artificial Intelligence & Machine Learning, Governance & Risk Management, Next-Generation Technologies & Secure Development. Sprague Replaces Veteran CEO, Plans to Double Down on PTaaS and AI Red Teaming. Michael Novinson (MichaelNovinson), September 3, 2024. Image: Kara Sprague, incoming CEO, HackerOne (HackerOne). HackerOne has tapped F5’s […] The post "New HackerOne CEO Kara Sprague to Expand Beyond Bug Bounties – Source: www.databreachtoday.com" appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com. Breach Notification, Healthcare, HIPAA/HITECH. Tennessee-Based Specialty Networks Incident Is Latest Attack on Business Associates. Marianne Kolbasuk McGee (HealthInfoSec), September 3, 2024. Image: Getty Images. A vendor that provides information systems and transcription services to radiology practices is alerting 411,037 people of a hack discovered last […] The post "Radiology IT Vendor Hack Hits 4 Practices, 411,000 People – Source: www.databreachtoday.com" appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com. Presented by Elastic x Google, 60 minutes. The impact of cloud-native technologies has created challenges around managing the volume, complexity, and pace of change in applications for SREs and operations teams. The emergence of AIOps to help deal with this complexity is a real solution to […] The post "Smarter observability with AIOps, generative AI, and machine learning: Insights from Elastic and Google Cloud – Source: www.databreachtoday.com" appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com. Leadership & Executive Communication, Next-Generation Technologies & Secure Development, Threat Detection. CRQ Can Help Organizations Optimize Investment, Improve Resilience, Manage Threats. Chris Novak, Senior Director, Verizon Cyber Security Consulting, September 3, 2024. In May 2023, a ransomware gang calling itself CL0P abused a zero-day exploit […] The post "Quantifying Risks to Make the Right Cybersecurity Investments – Source: www.databreachtoday.com" appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.