Veeam has addressed a severe vulnerability in its widely used Backup & Replication tool, CVE-2024-40711. This critical flaw has a Common Vulnerability Scoring System (CVSS) score of 9.8. Ransomware gangs have already begun exploiting this Veeam vulnerability, deploying Akira and Fog ransomware in targeted attacks. CVE-2024-40711 allows unauthenticated remote code execution, enabling attackers to send malicious payloads that could lead to full system control.

The vulnerability was discovered by Florian Hauser, a security researcher from CODE WHITE in Germany, who reported it to Veeam. Hauser emphasized the critical nature of the flaw, stating, “Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos—no technical details from us this time because this might instantly be abused by ransomware gangs.”

Critical Veeam Vulnerability CVE-2024-40711

Exploitation of this vulnerability has already led to security breaches. In one instance, attackers leveraged the Fog ransomware to infiltrate an unprotected Hyper-V server and exfiltrate sensitive data using the rclone utility. While some exploitation attempts have failed, mostly due to the use of compromised VPN gateways lacking multifactor authentication (MFA), the threat remains high.

In response to the critical Veeam vulnerability, the company released a security patch for Backup & Replication version 12.2 on September 4, 2024. watchTowr Labs followed with a detailed analysis of the vulnerabilities on September 9, 2024, and, to give system administrators sufficient time for remediation, withheld publication of proof-of-concept exploit code until September 15, 2024.

Given Veeam’s extensive use (over 550,000 customers worldwide, including 74% of the Global 2000 companies), this vulnerability poses a risk. Veeam’s products are particularly attractive targets for cybercriminals seeking quick access to backup data, which further emphasizes the need for immediate action and timely updates.

Additional Vulnerabilities Identified

CVE-2024-40711 is part of a broader set of vulnerabilities affecting Veeam products. According to an advisory from Cyble, various other vulnerabilities have been reported, including:

CVE-2024-40713: High severity
CVE-2024-40710: High severity
CVE-2024-40714: High severity
CVE-2024-39718: Medium severity
Additional medium severity vulnerabilities, including CVE-2024-42020 through CVE-2024-42024

These vulnerabilities primarily impact several Veeam products, including Veeam Backup & Replication, Veeam ONE for monitoring and analytics, and Veeam Agent for Linux. Other affected products include Veeam Service Provider Console and Veeam Backup for Nutanix AHV, highlighting the widespread implications of these security concerns.

Technical Insights into CVE-2024-40711

CVE-2024-40711 specifically enables unauthenticated attackers to execute remote code, posing a serious risk to users running Veeam Backup & Replication versions 12.1.2.172 and earlier. During an investigation, Cyble’s ODIN scanner identified around 2,466 instances of Veeam Backup exposed to the internet, predominantly in the United States. This high visibility makes these systems particularly vulnerable to exploitation.

Moreover, this incident is not isolated. Veeam previously patched another high-severity vulnerability, CVE-2023-27532, in March 2023, which was linked to the financially motivated FIN7 threat group, known for its connections to several ransomware operations.

Conclusion

To protect against the vulnerabilities identified in Veeam products, organizations must prioritize immediate patching by applying the latest security updates, establish regular update protocols to maintain ongoing security, and conduct thorough security assessments to identify potential risks. Additionally, they should consider isolating Veeam products from the internet where possible, enforce multifactor authentication for management access, and implement comprehensive monitoring tools to detect unusual activities.
A federal grand jury in the District of Columbia has indicted Deepak Jain, a 49-year-old Maryland resident, on charges of major fraud against the United States and making false statements to the U.S. Securities and Exchange Commission (SEC). The indictment, returned yesterday, accuses Jain of masterminding an elaborate scheme to deceive the SEC into believing that his company’s data center met the highest standards of reliability, availability, and security, when in reality, it did not.

Jain, who resides in Potomac, Maryland, served as the CEO of an information technology services firm referred to as "Company A" in the indictment. This firm provided critical data center services to various clients, including the SEC, between 2012 and 2018. Over this period, the SEC paid approximately $10.7 million to Company A for the use of its data center in Beltsville, Maryland.

The Scheme Unfolds

According to the indictment, Jain’s fraud centered on a fictitious entity called "Uptime Council," which he allegedly created to fabricate the certifications required to secure the SEC contract. Uptime Council purported to audit and inspect data centers, providing certifications for their performance in areas like security, cooling, and power reliability, factors crucial for the management of sensitive governmental data.

Jain is alleged to have drafted certification letters on behalf of Uptime Council that falsely claimed Company A’s data center met the rigorous Tier IV standard, the highest rating for data center reliability and security. By doing so, he ensured his company would meet the requirements necessary to win the SEC contract. However, despite these certifications, the SEC encountered several issues with the data center throughout the contract period. Persistent problems with security, power stability, and cooling were reported, which directly contradicted the claims made in the fraudulent certification documents.

A Multiyear Fraud

The scheme, spanning from 2012 to 2018, allowed Jain’s company to benefit from millions of dollars in government contracts. The indictment paints a picture of a sophisticated and sustained effort to defraud the U.S. government. In a statement, Principal Deputy Assistant Attorney General Nicole M. Argentieri, who leads the Justice Department’s Criminal Division, condemned Jain’s actions: “As alleged in the indictment, Jain orchestrated a years-long scheme to defraud the SEC by falsely certifying that his company’s data center met the highest rating level, when the actual rating did not satisfy the SEC contract. Jain allegedly sought to enrich himself and his company at the expense of the reliability, availability, and security of the SEC’s electronic data. Yesterday’s charges make clear that the Criminal Division will not tolerate fraud schemes that threaten the security of the government’s electronic data.”

A Threat to Government Data Security

The indictment underscores the serious consequences that arise when data centers entrusted with government information fail to meet necessary security standards. The reliability and availability of these centers are critical, particularly for agencies like the SEC, which manages highly sensitive financial data. Fraudulent certifications of data center standards pose a risk not only to the agency but also to the security of U.S. financial systems.

Inspector General Deborah Jeffrey of the SEC expressed her commitment to ensuring integrity in government contracting, stating: “This indictment demonstrates our shared commitment with the Justice Department to hold bad actors accountable for engaging in schemes to defraud the SEC that undermine the integrity and fairness of the government procurement process.”

The case is being investigated by the SEC Office of Inspector General, and Jain now faces serious legal repercussions for his alleged actions. The indictment includes six counts of major fraud against the United States and one count of making false statements. If convicted, Jain could face a maximum penalty of 10 years in prison for each fraud count, and up to five years for the false statements charge.

The Role of Uptime Council in the Deception

The creation of Uptime Council played a pivotal role in Jain’s scheme. By establishing what appeared to be an independent certifying body, Jain gave his fraudulent certifications a veneer of legitimacy, fooling the SEC into trusting that the data center adhered to the stringent Tier IV standards. The indictment details how the certification letters were integral to concealing the truth about Company A’s data center operations. Without Uptime Council’s false endorsement, the data center would likely have failed to meet the technical specifications required by the SEC contract.

The Fallout and Legal Proceedings

While Jain has been charged, the legal proceedings will unfold in the coming months. The charges, though serious, are still only allegations, and Jain, like any defendant, is presumed innocent until proven guilty in court. Senior Litigation Counsel Vasanth Sridharan and Trial Attorney Spencer Ryan from the Criminal Division’s Fraud Section will be leading the prosecution in this case.

The consequences of this alleged fraud are far-reaching. Not only did Jain’s actions allegedly cause financial loss to the U.S. government, but they also posed a threat to the data security of a key federal agency. Government procurement processes rely on the integrity of contractors, and when that trust is broken, it undermines the fairness and reliability of these systems.
The person behind the bold SIM swap attack that led to the takeover of the U.S. Securities and Exchange Commission's X account has been arrested. The investigation has uncovered a conspiracy that shot Bitcoin (BTC) prices higher within minutes. Eric Council Jr., 25, was apprehended in Athens, Alabama, early today in connection with the January 2024 scheme to manipulate the price of Bitcoin. Council, charged with conspiracy to commit identity theft and access device fraud, allegedly led an unauthorized takeover of the SEC’s account on X (formerly known as Twitter), posting a fabricated message that sent BTC prices soaring by $1,000.

Personal Info and Fake ID Engineered SEC SIM Swap

The incident unfolded on January 9, when hackers, using a SIM swap attack, gained access to the SEC’s account and falsely announced the approval of Bitcoin exchange-traded funds (ETFs) on all registered exchanges. The post triggered a surge in Bitcoin’s price before a swift SEC correction caused it to drop by over $2,000.

The indictment alleges that Council used stolen personal information and a fake ID to execute the SIM swap, obtaining control over a phone number linked to an individual with access to the SEC’s account. SIM swap attacks exploit weaknesses in how mobile carriers reassign phone numbers, often deceiving them into switching a number to a criminal’s SIM card to bypass security measures like two-factor authentication. After purchasing an iPhone using the fraudulent SIM, Council gained the necessary access codes and collaborated with co-conspirators to issue the fake ETF approval announcement. Following the breach, Council allegedly returned the iPhone for cash in Birmingham and searched the internet for terms such as "SECGOV hack" and "how to know if you are under FBI investigation."

Aliases and Activities Led to Arrest

Authorities identified Council's involvement through his online aliases, including "Ronin," "Easymunny," and "AGiantSchnauzer." These clues, combined with his activities during the attack, drew the FBI's attention. U.S. Attorney Matthew Graves highlighted the seriousness of SIM swapping, emphasizing the FBI’s efforts to tackle cyber-enabled frauds that compromise sensitive data and disrupt financial markets.

Council's arrest underscores the growing threat posed by sophisticated digital schemes targeting high-profile organizations. The Justice Department, FBI, and SEC’s Inspector General’s office collaborated in the investigation, with substantial support from the FBI’s Birmingham Field Office.
Radiant Capital was hit Wednesday by an apparent private key compromise that resulted in the loss of as much as $58 million in user assets. It was the second hack this year on the blockchain lending platform, following a $4.5 million hit that Radiant suffered in a January attack.

A recent report by crypto security firms Hacken and Extractor noted that 95% of all stolen DeFi funds in the third quarter of 2024 “were lost forever”, with more than half of the $463 million in losses coming from Indian cryptocurrency exchange WazirX. “Access control is the most dangerous attack, with losses double those of all other attacks combined,” the report said. “Smart contract vulnerabilities most commonly appear after new versions are deployed.”

Radiant Capital Hacker May Have Accessed Multiple Private Keys

Ancilia Inc. was one of the first to report the hack, noting on X that the firm had “noticed several transferFrom user's account through the contract 0xd50cf00b6e600dd036ba8ef475677d816d6c4281. Please revoke your approval ASAP. It seems like the new implementation had vulnerability functions.”

Cyvers Alerts reported that the Radiant platform appeared to have “suffered a private key compromise, leading to an ongoing attack. A malicious actor gained control of multi-sig wallets and has already drained over $50 million in user assets. “Users are strongly advised to avoid interacting with the protocol at this time and revoke all data approval for the protocol. Please exercise caution until the situation is resolved.”

[Image: Radiant Capital suspicious transactions (Cyvers)]

De.Fi Antivirus noted that the hacker “managed to get access to 3 signers - thus managed to transfer ownership and upgrade the contracts.” How the hacker managed to obtain multiple signers’ private keys and gain control of smart contracts was the subject of some debate; there was some speculation that some Radiant key holders may have fallen victim to phishing or malware attacks.

Radiant Capital has so far said little about the attack, its last update occurring almost a day ago: “We are aware of an issue with the Radiant Lending markets on Binance Chain and Arbitrum. We are working with SEAL911, Hypernative, ZeroShadow & Chainalysis and will provide an update as soon as possible. Markets on Base and Mainnet are paused until further notice.”

Radiant also urged users to revoke access to the following contracts on revoke.cash:

0xF4B1486DD74D07706052A33d31d7c0AAFD0659E1
0x30798cFe2CCa822321ceed7e6085e633aAbC492F
0xd50Cf00b6e600Dd036Ba8eF475677d816d6c4281
0xA950974f64aA33f27F6C5e017eEE93BF7588ED07

Web3 Security Firm Reshares Scammer’s Post

Discussions about the Radiant hack on X attracted multiple scammers that spoofed Radiant Capital accounts via typosquatting, that is, registering a name similar to the official @RDNTCapital account with misspellings that X users might not notice. Web3 security firm Ancilia was one X user that got fooled and reshared a post from a scam account that included a link to a wallet drainer; the company subsequently apologized and deleted the post. “We accidentally re-posted a scam link, apologized for that,” Ancilia said. “The post has been deleted. The official Twitter handle is @RDNTCapital” The scammers remain quite active on X; here is an image of a similar post:

[Image: Radiant Capital wallet drainer scam]
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the pressing need for organizations to address these risks promptly. The vulnerabilities in question, CVE-2024-30088, CVE-2024-9680, and CVE-2024-28987, are actively exploited by malicious cyber actors and pose substantial threats to federal and private sector entities alike.

Understanding the Newly Added KEV Vulnerabilities

The three newly added vulnerabilities include CVE-2024-30088, a race condition vulnerability within the Microsoft Windows kernel. This issue poses significant risks due to its potential for exploitation. Another critical vulnerability is CVE-2024-9680, a use-after-free flaw identified in both Mozilla Firefox and Thunderbird. This vulnerability allows attackers to execute arbitrary code, making it a serious concern for users of these applications. Lastly, CVE-2024-28987 is a hardcoded credential vulnerability in SolarWinds Web Help Desk (WHD). This issue enables remote unauthenticated users to access internal functionality and modify data.

CVE-2024-28987: Hardcoded Credential Vulnerability

The first vulnerability, CVE-2024-28987, impacts the SolarWinds Web Help Desk software, particularly version 12.8.3 HF1 and earlier. Classified as critical with a CVSS score of 9.1, this vulnerability enables remote unauthenticated users to access internal functionality and alter data due to hardcoded credentials embedded within the software. Publicly available proof-of-concept exploits further underscore its severity. Notably, Cyble’s ODIN scanner has detected around 920 internet-facing instances of SolarWinds WHD, with the majority located in the United States.

CVE-2024-9680: Use-After-Free Vulnerability

CVE-2024-9680 affects multiple versions of Firefox and Thunderbird, with a CVSS score of 9.8. This vulnerability stems from a use-after-free flaw in animation timelines, allowing attackers to execute arbitrary code. Mozilla has acknowledged reports of this vulnerability being actively exploited in the wild, highlighting the urgency for immediate remediation.

CVE-2024-30088: Windows Kernel Race Condition

The third vulnerability, CVE-2024-30088, poses a high severity threat, scoring 7.0 on the CVSS scale. This vulnerability affects various Windows products, including Windows Server 2016, Windows 10, and Windows 11. Exploiting a race condition in the Windows kernel, it allows attackers to gain SYSTEM privileges.

The Importance of Remediation

CISA's Binding Operational Directive (BOD) 22-01 establishes a structured approach for federal agencies to manage known exploited vulnerabilities effectively. This directive requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by specified due dates to safeguard their networks against active threats. While BOD 22-01 applies primarily to federal agencies, CISA strongly encourages all organizations to prioritize the timely remediation of vulnerabilities in the KEV catalog. Organizations that fail to act on these vulnerabilities face significant risks, including potential data breaches, ransomware attacks, and the escalation of privileges that could lead to severe consequences.

Conclusion

To effectively mitigate the risks posed by the newly identified vulnerabilities, organizations should take immediate action. First, they must apply the latest patches from official vendors across all systems and establish a routine update schedule, prioritizing critical patches. Implementing network segmentation will help isolate sensitive assets from less secure areas, reducing risk. Organizations should also develop an incident response plan that includes procedures for detecting and recovering from security incidents, with regular testing to ensure its effectiveness. Comprehensive monitoring and logging solutions, along with Security Information and Event Management (SIEM) systems, are essential for real-time threat detection. Additionally, proactively addressing End-of-Life (EOL) products is crucial for minimizing risks.
American insurance giant Globe Life is facing extortion demands from hackers who stole data on over 5,000 individuals from one of its subsidiaries. The insurance company informed the U.S. Securities and Exchange Commission (SEC) that it alerted federal law enforcement about the cyber incident. The company's response is ongoing.

"Based on the Company’s investigation to date, which remains ongoing, the Company believes that information relayed to the Company by the threat actor may relate to certain customers and customer leads that can be traced to the Company’s subsidiary, American Income Life Insurance Company," the SEC filing stated.

The Texas-based insurer reported $5.21 billion in revenue last year. Its subsidiary, American Income Life Insurance Company, serves over 4 million policyholders and posted approximately $297 million in life insurance premium sales on an annual basis.

What Globe Life Data Was Compromised

The breached data includes sensitive details such as Social Security numbers, names, addresses, and health-related information, though Globe Life acknowledged that “the total number of potentially impacted persons or the full scope of information possessed by the threat actor has not been fully verified.” No other form of personally identifiable or sensitive financial information, such as credit card data or banking information, was involved, the SEC filing said.

The hackers recently shared some of the stolen data with short sellers and attorneys involved in lawsuits, according to the filing, and claimed to have additional information that has yet to be confirmed. Globe Life also clarified that the extortion effort did not involve ransomware or cause any disruption to its operations.

Fraud Allegations

Back in June, Globe Life had informed the SEC about a state insurance regulator's inquiry into "potential vulnerabilities related to access permissions and user identity management for a Company web portal," which may have enabled unauthorized access to some customer and policyholder records. The disclosure was made amid increasing scrutiny and financial setbacks suffered by the company. The Texas-based insurer had faced allegations of fraudulent sales tactics and other business and workplace improprieties.

Globe Life and its biggest subsidiary, American Income Life (AIL), had allegedly engaged in insurance fraud, framing of policies for dead and fictitious individuals, withdrawal of consumer funds without approval, unfair dismissal, misleading sales tactics and illegal kickbacks, according to the June allegations. It was also alleged that some of AIL’s most profitable agents had faced accusations of kidnapping, assault and child grooming from defendants, witnesses and plaintiffs.

Following the breach, the company hired cybersecurity experts to investigate the situation and implement corrective measures. The situation continues to evolve.
GitHub has released a critical security advisory highlighting vulnerabilities that merit immediate action from users of GitHub Enterprise Server (GHES). The advisory focuses on a GitHub vulnerability that could compromise the security of organizations relying on this self-hosted version of GitHub, which is designed for managing infrastructure, security, and compliance.

The vulnerability, CVE-2024-9487, has been classified as critical, with a CVSS score of 9.5. It affects several versions of GitHub Enterprise Server, including up to 3.11.15, 3.12.9, 3.13.4, and 3.14.1. GitHub has confirmed that a patch is available, making it essential for organizations to apply the patch to secure their systems effectively.

Details of the GitHub Vulnerability

The vulnerability, CVE-2024-9487, allows attackers to bypass SAML Single Sign-On (SSO) authentication, leading to unauthorized user provisioning and access to the GitHub instance. Exploitation requires that the encrypted assertions feature be enabled on the instance, and that the attacker have direct network access and a signed SAML response or metadata document. The combination of these factors presents a serious risk, emphasizing the urgency for organizations to implement the available patch.

The implications of unpatched vulnerabilities in GitHub Enterprise Server can be severe. As the platform is responsible for protecting sensitive source code, project data, and developer credentials, any lapses can lead to data breaches, unauthorized access, and potential sabotage of development pipelines. Additionally, organizations that fail to patch vulnerabilities may face regulatory penalties, especially in sectors where compliance with data protection and cybersecurity regulations is crucial.

Recommendations for Organizations

To effectively mitigate the risks associated with vulnerabilities in GitHub Enterprise Server, organizations should adopt several best practices. First, it is important to regularly update all software and hardware systems with the latest patches from official vendors. This routine maintenance is critical for preventing exploits and ensuring the integrity of the development environment.

Next, organizations should establish a comprehensive patch management strategy encompassing inventory management, patch assessment, testing, deployment, and verification. A systematic approach to patch management ensures that vulnerabilities in GitHub Enterprise Server and other systems are addressed in a timely manner.

Network segmentation is another key recommendation. By dividing networks using firewalls, VLANs, and access controls, organizations can protect critical assets and reduce exposure to potential threats. This strategy limits the attack surface, making it more difficult for attackers to exploit vulnerabilities in GitHub.

Furthermore, creating and maintaining an incident response plan is essential. Such a plan should outline procedures for detecting, responding to, and recovering from security incidents, ensuring that organizations are prepared to act swiftly in the event of a breach.

Organizations are also encouraged to implement comprehensive monitoring and logging systems to detect and analyze suspicious activities. Utilizing Security Information and Event Management (SIEM) solutions can help aggregate and correlate logs for real-time threat detection, enhancing overall security posture.

Finally, it is crucial for organizations to proactively identify and assess the criticality of End-of-Life (EOL) products within their infrastructure. Addressing these products can further strengthen security and reduce exposure, in GitHub Enterprise Server and beyond.

Conclusion

Organizations must act decisively to protect their development environments. By following the outlined recommendations, businesses can enhance their security measures and defend against potential threats. Timely action is essential not only for mitigating risks but also for ensuring compliance with necessary regulations. Addressing these vulnerabilities in GitHub is a crucial step toward safeguarding sensitive information and maintaining robust development practices.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have taken a significant step forward in promoting secure software development by releasing the Product Security Bad Practices catalog for public comment. This document identifies software development practices deemed particularly risky and provides guidelines for mitigating these risks. It calls on software manufacturers, particularly those producing software for critical infrastructure or national critical functions (NCFs), to avoid these bad practices to strengthen overall cybersecurity. The public comment period opens today and runs until Monday, December 2, 2024, giving stakeholders a chance to provide input and contribute to refining this guidance.

National Cybersecurity Strategy and the Call for Secure Software

The release of this catalog aligns with the National Cybersecurity Strategy, which aims to shift the responsibility for defending cyberspace onto the entities best positioned to manage it, namely the software manufacturers. As the strategy highlights, many of the most dangerous cybersecurity vulnerabilities stem from poor software development practices. To fully realize a secure digital infrastructure, manufacturers must avoid these practices, especially when their products are used in critical systems.

CISA Director Jen Easterly stressed the urgency of addressing these risks, noting that "it's 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop." Easterly emphasized that the guidance provided in the catalog is voluntary but designed to encourage software manufacturers to take ownership of their customers' security and contribute to a future where security is built into software by design.

White House National Cyber Director Harry Coker Jr. echoed this sentiment, pointing to the wide-ranging consequences of poor software security practices and their impact on national security and everyday American lives. He urged the private sector to take its responsibility seriously, saying, "Our private sector partners must shoulder their responsibility and build secure products."

FBI's Call for Secure Software Practices

Bryan Vorndran, Assistant Director of the FBI's Cyber Division, also underscored the importance of avoiding bad practices in software development. According to Vorndran, software used in critical infrastructure must be held to a high standard because vulnerabilities in such systems put both national security and everyday users at risk. The FBI, like CISA, urged software manufacturers to avoid the risky practices outlined in the catalog to prevent vulnerabilities from being exploited by malicious actors.

Secure by Design Initiative

The release of the Product Security Bad Practices catalog is a continuation of CISA’s Secure by Design initiative, a global effort supported by 18 U.S. and international agencies. This initiative encourages software manufacturers to adopt best practices in security and has already secured commitments from over 220 manufacturers through CISA’s Secure by Design Pledge. The new catalog builds on previous efforts, such as the NIST Secure Software Development Framework (SSDF), and is intended to serve as a central guiding document for future actions under the Secure by Design initiative.

Structure of the Product Security Bad Practices Catalog

The catalog is divided into three major categories:

Product Properties: This refers to observable, security-related qualities of a software product. These properties should be built into software to ensure it operates securely under various conditions.

Security Features: This section outlines the security functionalities a product should support. These features are essential for protecting software from unauthorized access, malicious use, and exploitation.

Organizational Processes and Policies: This category focuses on the internal processes of software manufacturers, particularly their transparency and commitment to security in their development approach.

The catalog does not claim to be exhaustive; rather, it focuses on the most dangerous and pressing bad practices that software manufacturers must avoid based on the current threat landscape. The absence of a practice from the list does not mean that it is acceptable; CISA simply prioritized the most critical issues for inclusion in this document.

Specific Bad Practices Highlighted

Some of the notable bad practices mentioned include:

Development in Memory-Unsafe Languages: The use of memory-unsafe languages like C or C++ in software intended for critical infrastructure introduces significant vulnerabilities. Software manufacturers are urged to transition to memory-safe languages and publish a memory safety roadmap by January 1, 2026.

Inclusion of User-Provided Input in SQL Query Strings: Products that allow raw SQL queries based on user input are highly vulnerable to SQL injection attacks. The catalog recommends enforcing the use of parameterized queries to mitigate this risk.

Presence of Default Passwords: Releasing products with default passwords significantly elevates security risks, particularly in critical infrastructure. Manufacturers are urged to eliminate default passwords and enforce stronger authentication measures, such as multi-factor authentication (MFA).

Known Exploited Vulnerabilities: Products released with known vulnerabilities that are listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog are dangerous. Software manufacturers must ensure that these vulnerabilities are patched prior to release and continue to issue timely updates if new vulnerabilities are discovered post-release.

Open Source Software with Vulnerabilities: Using open-source components with known vulnerabilities presents significant risks. Software manufacturers are advised to maintain a software bill of materials (SBOM), regularly scan for vulnerabilities, and issue timely patches.
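To make the SQL query-string bad practice and its recommended fix concrete, here is an added example (written for this page, not code from the catalog or from CISA) that builds a constructed in-memory SQLite table, places a lookup that splices user input into the query string beside its parameterized replacement, and adds a heuristic source-review check, an assumed helper rather than any official tool, that flags SQL strings built with f-strings, %-formatting, .format() or concatenation.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration: two users in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst")])
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Bad practice: user-provided input is spliced into the SQL string.
    The database parses the input as SQL, so a quote character in the input
    changes the statement's logic instead of being compared as a value."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Recommended practice: a parameterized query. The driver sends the value
    separately from the statement, so it is always compared as data and can
    never alter the query, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Heuristic code-review check (assumed helper, not part of the catalog): flag
# lines that build a string containing SQL keywords with an f-string, or apply
# %-formatting, .format() or + to a SQL string literal.
_SQL_KW = r"\b(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\b"
_FSTRING_SQL = re.compile(r"""\b[rb]*f["']{1,3}[^"']*""" + _SQL_KW)
_FORMATTED_SQL = re.compile(
    r"""["']{1,3}[^"']*""" + _SQL_KW + r"""[^"']*["']{1,3}\s*(?:%|\+|\.format\()"""
)


def flag_string_built_sql(source: str) -> list[int]:
    """Return 1-based line numbers of candidate violations. Parameter markers
    such as ? or %s inside the literal are fine; only string building is
    flagged. This is a triage heuristic, not a parser."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _FSTRING_SQL.search(line) or _FORMATTED_SQL.search(line):
            hits.append(lineno)
    return hits


# Constructed source snippet to review: lines 1 and 2 violate the practice,
# lines 3 and 4 use bound parameters (sqlite3 "?" and psycopg-style "%s").
SAMPLE_SOURCE = '''\
rows = cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
q = "DELETE FROM sessions WHERE id = " + str(session_id)
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
cur.execute("UPDATE users SET role = %s WHERE id = %s", (role, uid))
'''


if __name__ == "__main__":
    conn = build_db()
    crafted = "alice' OR '1'='1"  # an input containing a quote, as a tester would try
    print("unsafe:", find_user_unsafe(conn, crafted))  # every row comes back
    print("safe:  ", find_user(conn, crafted))         # no row matches
    print("review hits:", flag_string_built_sql(SAMPLE_SOURCE))  # [1, 2]
```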
The Product Security Bad Practices catalog represents a critical tool for improving software security across industries, particularly in sectors tied to critical infrastructure. By outlining the most dangerous practices to avoid, CISA and the FBI aim to guide software manufacturers toward safer development practices. Public comment is encouraged to ensure the catalog remains relevant and effective.
Although automation and machine learning (ML) have been used in information security for almost two decades, experimentation in this field continues non-stop. Security professionals need to combat increasingly sophisticated cyberthreats and a growing number of attacks without significant increases in budget or personnel. On the positive side, AI greatly reduces the workload on security analysts, while also accelerating many phases of incident handling — from detection to response. However, a number of seemingly obvious areas of ML application are underperforming.
AI-based detection of cyberthreats
To massively oversimplify, there are two basic — and long-tested — ways to apply ML:
Attack detection. By training AI on examples of phishing emails, malicious files, and dangerous app behavior, we can achieve an acceptable level of detection of similar threats. The main pitfall is that this area is highly dynamic — with attackers constantly devising new methods of disguise. Therefore, the model needs frequent retraining to maintain its effectiveness. This requires a labeled dataset — that is, a large collection of recent, verified examples of malicious behavior. An algorithm trained in this way won't be effective against fundamentally new, never-before-seen attacks. What's more, there are certain difficulties in detecting attacks that rely entirely on legitimate IT tools (living off the land, LotL). Despite these limitations, most infosec vendors use this method, which is quite effective for email analysis, phishing detection, and identifying certain classes of malware. That said, it promises neither full automation nor 100% reliability.
Anomaly detection. By training AI on normal server and workstation activity, we can identify deviations from this norm — such as when an accountant suddenly starts performing administrative actions on the mail server. The pitfalls here are that this method requires (a) collecting and storing vast amounts of telemetry, and (b) regular retraining of the AI to keep up with changes in the IT infrastructure. Even then, there'll be many false positives (FPs) and no guarantee of attack detection. Anomaly detection must be tailored to the specific organization, so using such a tool requires people highly skilled in cybersecurity, data analysis, and ML. And these priceless employees have to provide 24/7 system support.
The philosophical conclusion we can draw thus far is that AI excels at routine tasks where the subject area and object characteristics change slowly and infrequently: writing coherent texts, recognizing dog breeds, and so on. Where there is a human mind actively resisting the training data, statically configured AI gradually becomes less and less effective. Analysts fine-tune the AI instead of creating cyberthreat detection rules — the work domain changes, but, contrary to a common misconception, no human-labor saving is achieved. Furthermore, the desire to improve AI threat detection and boost the number of true positives (TPs) inevitably leads to a rise in the number of FPs, which directly increases the human workload. Conversely, trying to cut FPs to near zero results in fewer TPs as well — thereby increasing the risk of missing a cyberattack. As a result, AI has a place in the detection toolkit, but not as a silver bullet able to solve all detection problems in cybersecurity, or to work completely autonomously.
AI as a SOC analyst's partner
AI can't be entirely entrusted with searching for cyberthreats, but it can reduce the human workload by independently analyzing simple SIEM alerts and assisting analysts in other cases:
Filtering false positives. Having been trained on SIEM alerts and analysts' verdicts, AI can filter FPs quite reliably: our Kaspersky MDR solution achieves a SOC workload reduction of around 25%. See our forthcoming post for details of this auto-analytics implementation.
Alert prioritization. The same ML engine doesn't just filter out FPs; it also assesses the likelihood that a detected event indicates serious malicious activity. Such critical alerts are then passed to experts for prioritized analysis. Alternatively, threat probability can be represented as a visual indicator — helping the analyst prioritize the most important alerts.
Anomaly detection. AI can quickly alert about anomalies in the protected infrastructure by tracking phenomena like a surge in the number of alerts, a sharp increase or decrease in the flow of telemetry from certain sensors, or changes in its structure.
Suspicious behavior detection. Although searching for arbitrary anomalies in a network entails significant difficulties, certain scenarios lend themselves well to automation, and in these cases ML outperforms static rules. Examples include detecting unauthorized account usage from unusual subnets; detecting abnormal access to file servers and scanning of them; and searching for pass-the-ticket attacks.
Large language models in cybersecurity
As the top trending topic in AI, large language models (LLMs) have also been extensively tested by infosec firms. Leaving aside cybercriminal pursuits such as generating phishing emails and malware using GPT, we note these interesting (and plentiful) experiments in leveraging LLMs for routine tasks:
Generating detailed cyberthreat descriptions
Drafting incident investigation reports
Fuzzy search in data archives and logs via chats
Generating tests, test cases, and code for fuzzing
Initial analysis of decompiled source code in reverse engineering
De-obfuscation and explanation of long command lines (our MDR service already employs this technology)
Generating hints and tips for writing detection rules and scripts
Most of the linked-to papers and articles describe niche implementations or scientific experiments, so they don't provide a measurable assessment of performance. Moreover, available research on the performance of skilled employees aided by LLMs shows mixed results. Therefore, such solutions should be implemented slowly and in stages, with a preliminary assessment of the savings potential, and a detailed evaluation of the time investment and the quality of results.
The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.
Image: FBI
Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week. The complaint says that, despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27. AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit PayPal the following month, followed by Twitter/X (Aug. 2023), and OpenAI (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the FBI and the Department of State. Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks. The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the U.S. Department of Justice says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.
AnonSudan accepted orders over the instant messaging service Telegram, and marketed its DDoS service by several names, including “Skynet,” “InfraShutdown,” and the “Godzilla botnet.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets. Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwarded C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmitted the DDoS attack data to the victims. Amazon was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers. “Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.” The security firm CrowdStrike said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back-end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors. The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.
A passport for Ahmed Salah Yousif Omer. Image: FBI.
If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people. As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area. In February 2024, AnonSudan launched a digital assault on the Cedars-Sinai Hospital in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals. The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.
As the unique challenges of AI zero-days emerge, the approach to managing the accompanying risks needs to follow traditional security best practices but be adapted for AI.
US officials disrupted the group's DDoS operation and arrested two individuals behind it, who turned out to be far less intimidating than they were made out to be in the media.
ABB Cylon Aspect version 3.08.01 allows an unauthenticated attacker to perform network operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by sending a crafted GET request to networkDiagAjax.php. This could be exploited to interact with or probe internal or external systems, leading to internal information disclosure and misuse of network resources.
Ubuntu Security Notice 7073-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
Red Hat Security Advisory 2024-8180-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include code execution, out of bounds read, spoofing, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-8179-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-8129-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8128-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8127-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8126-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Ubuntu Security Notice 7072-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
Red Hat Security Advisory 2024-8125-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8124-03 - An update for java-17-openjdk is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9.2 Extended Update Support, and Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8123-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8122-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8121-03 - An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Enterprise Linux 9.2 Extended Update Support, and Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8119-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8118-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-8117-03 - An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Enterprise Linux 9.2 Extended Update Support, and Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2024-7944-03 - Red Hat OpenShift Container Platform release 4.16.17 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a remote SQL injection vulnerability.
Red Hat Security Advisory 2024-7941-03 - Red Hat OpenShift Container Platform release 4.13.52 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include an open redirection vulnerability.
The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023. The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647. "This
Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group's affiliate panel on the dark web. Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an
An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa. The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. "
Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023. The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks,
A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances. The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability. "A security issue
WordPress's emperor, Matt Mullenweg, demands a hefty tribute from WP Engine, and a battle erupts, leaving millions of websites hanging in the balance. Meanwhile, the Internet Archive, a digital library preserving our online history, is under siege from hackers. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
No-one would be bold enough to say that the ransomware problem is receding, but a newly-published report by Microsoft does deliver a sliver of encouraging news amongst the gloom. And boy do we need some good news - amid reports that 389 US-based healthcare institutions were hit by ransomware last year - more than one every single day. Read more in my article on the Tripwire State of Security blog.
The more devices, digital apps and online accounts you use, the more efficient and convenient your life becomes. But all that ease of use comes with a price. Your devices are constantly collecting your personal data to fine-tune your user experience. At the same time, hackers and other cyber criminals are working round the clock to steal this sensitive information. Think of your digital identity as a confidential file full of high-value information – passwords, credit card numbers, bank account details, social security numbers and more. If you’re not taking the proper steps to guard your online privacy, you could end up handing over the files to a vast army of cybercriminals. According to the Identity Theft Resource Center, there were 3,205 data compromises in 2023. That’s a 20% increase over the previous year. A data compromise can consist of any of the following:
Data breach: Unauthorized access to your confidential information (e.g., social security number, date of birth, credit card number, address)
Data exposure: Confidential information is likely exposed, but may or may not have been accessed
Data leak: Accidental exposure of sensitive information, which may or may not have been accessed
High-profile companies and organizations are not immune to these attacks, many of which resulted in consumer data exposure. Here are just a few that happened this last year that may have impacted your personal data.
National Public Data: Nearly 3 billion Americans had their personal records, including social security numbers, hacked and leaked on to the dark web.
T-Mobile: About 37 million T-Mobile customers had their personal data compromised in a January 2023 hack that accessed names, addresses and birth dates.
Ticketmaster: In May 2024, over 560 million customer records, including names, addresses, emails, order history and payment information, were leaked online and offered for sale by hackers who infiltrated Ticketmaster.
The best defense to counter these cyberattacks is always a good offense, so be proactive and protect yourself. Here are some essential tips for safeguarding your online identity:
Create secure passwords: When it comes to passwords – longer is stronger. Make them complex and unique, incorporating letters, numbers and symbols.
Turn on multifactor authentication: Add multi-factor authentication to your logins for extra security. This second step helps confirm your identity by sending a text or email with a security code or question.
Limit how much personal information you share online: Be wary of oversharing on social media. Cybercriminals can act like detectives, putting personal details together to steal your identity.
Limit app access to your information: Apps collect your data and share it, so be sure to manage your app permissions and control how much access they have to your information.
Adopt safe browsing habits: Update browser privacy settings and avoid suspicious websites. Also, limit the number of cookies you accept and clear your browsing history and cache regularly.
Beware of phishing scams: Phishing scams appear in our email inboxes, text messages, social media, and even voicemails. They’re designed to trick you into giving up your personal and financial information, so learn the tell-tale signs and avoid these scammers.
Beware of public Wi-Fi: Public Wi-Fi networks often lack security, giving hackers easy access to your data. Always confirm your connection is encrypted and avoid making financial transactions unless you’re on a private network.
Use a VPN: A VPN (virtual private network) protects your online identity and information. A trusted VPN will encrypt your internet connection and hide your IP address from potential hackers.
Use an all-in-one device, privacy, and protection solution: For ultimate device, privacy, and identity protection, use an all-in-one device solution like Webroot Premium and get the best of all worlds – threat detection, password manager, dark web monitoring, and real-time virus protection.
Keep your devices and apps up to date: Install updates to get the newest features and latest security upgrades. Enable automatic updates to make sure you’re always protected.
Remember that the tech that makes your life easier is also tracking you and gathering your sensitive details. Cyber thieves will never stop trying to crack the safe and steal your precious data, but with a few smart moves, you can lock them out and protect what might be your most valuable asset of all – your online privacy.
Looking for more information and solutions?
Federal Trade Commission: Protecting Your Privacy Online
Online Privacy Recommendations for Your Children
7 tips on keeping your data private when using AI
Internet Safety Month: Keep your online experience safe and secure
Webroot Premium, all-in-one device, privacy, and identity protection
The post 10 steps to safeguarding your privacy online appeared first on Webroot Blog.