• Search for:
    26Dec, 2023
    Why data, AI, and regulations top the threat list for 2024

    The new year finds us confronted by a landscape characterized by political uncertainty, social fragmentation, escalating geopolitical tensions, and a turbulent macro-economic backdrop, making it crucial for security leaders to strategically prepare for the forthcoming challenges.

    Let’s explore the three main security challenges businesses will face in 2024:

    1. Data

    Modern businesses generate and manage vast volumes of data daily. Since data is central to decision-making and competitive advantage, its sudden disruption or unavailability can lead to severe repercussions for the business.

    Some of the essential questions security teams ought to be asking themselves include: How do we manage and safeguard aspects like confidentiality, integrity, and availability of data? What strategies can we employ to protect our data against cyber threats and misuse? How do we address the security challenges that emerge with expanding data repositories? How do we differentiate between valuable data and redundant information?

    Furthermore, there’s often a misalignment in how data is structured versus the business framework. Consequently, security teams may need to engage in discussions with business units to clarify issues such as how we are applying our data. With whom is this data being shared? Who holds accountability for it? Who is responsible for making decisions regarding data security? Is it the information security team, the chief executive, the board, or is it a combined effort?

    2. Artificial intelligence

    Although AI technologies aren’t new, the recent widespread adoption of AI has introduced a myriad of business and security challenges for organizations. Key questions to consider include: How do we monitor AI usage within the organization? How do we regulate the data shared with AI systems by employees? How do we ensure ongoing compliance with ethical standards and legal requirements?

    Data is the cornerstone of AI. How do we provide sufficient data for AI systems while ensuring this data is secure, ethical, and transparent? How do we safeguard AI data and algorithms from manipulation by threat actors? Security teams need to be vigilant about all AI-related risks, including ethical concerns. Despite these challenges, AI offers significant opportunity for companies aiming to evolve and enhance their business models.

    In 2024, corporate boards will likely assume a central role in overseeing AI’s secure deployment across the organization. This scenario presents a prime opportunity for security teams to align closely with business objectives, be at the forefront of the AI revolution, and actively participate in key business decisions alongside management teams.

    3. Regulations

    Security is rapidly evolving, and so are regulations governing it. Over the next 12 months, several regulations will either be introduced, updated, or reviewed. For example, GDPR may lead to stringent reinforcements in 2024; the Digital Operational Resilience Act (DORA) will apply to financial entities across the EU in January 2025; the EU AI Act may be voted in.

    Given these developments, organizations must develop a comprehensive understanding of the regulations in the jurisdictions where they operate. This knowledge is crucial for building the necessary processes and frameworks proactively, as once these regulations are enforced, adjusting to them retroactively will be challenging. Hence, staying ahead of these regulations in 2024 is imperative, as non-compliance could lead to severe legal, financial, and reputational consequences.

    How can cybersecurity leaders address these security challenges?

    Below are four risk management initiatives that cybersecurity leaders can integrate into their 2024 cybersecurity planning:

    1. Communicate issues in business terms

    It’s essential for cybersecurity leaders to present issues in a manner that resonates with business leaders. CEOs typically prefer to avoid technicalities. Their concern is how technology will impact the business and whether it aligns with overall objectives. Will it meet stakeholder expectations? What are the risks in terms of financial, operational, and economic factors, beyond technical aspects?

    2. Establish clear risk tolerance levels

    For security leaders working with management teams, it’s crucial to define the company’s risk tolerance concerning cyber loss, akin to other risk types. For instance, what is the risk tolerance for employing generative AI? Who is responsible for making this decision? What regulations are relevant, and how will this affect the information we disclose?

    3. Implement a robust and practiced response plan

    Executive teams and boardrooms seek assurance. They require confidence that the organization is prepared for unexpected crises, ensuring there is comprehensive situational awareness across the organization, and confirmation that vigilant monitoring of activities is ongoing. They need reassurance that fundamental cyber protection measures are implemented and that a thoroughly documented and regularly rehearsed business continuity and response plan is ready to be activated in the event of a security incident.

    4. Build awareness, foster accountability in the workforce and supply chain

    The nature of work has transformed significantly in recent years, necessitating updates in security policies and procedures to reflect these changes. Organizations must explicitly outline accountability for data collection and usage, engage in collaborative and transparent interactions with stakeholders, and ensure everyone understands their role in safeguarding the business. Likewise, it’s crucial to extend the same security principles and procedures to third parties and supply chain partners that handle data on behalf of the parent organization.

    To summarize, we’re facing three key areas that will continue to grow in complexity and challenge: data, AI, and regulation. There’s an increasing expectation for closer engagement between security teams and business operations, coupled with board directors’ growing concerns about their personal liability. If security leaders concentrate on these threat management initiatives, they can significantly help mitigate risk and contribute to building a resilient organization into the future.

    Resource : https://www.helpnetsecurity.com/2023/12/21/2024-security-challenges/

    26Dec, 2023
    MySQL Servers, Docker Hosts Infected With DDoS Malware

    Attackers are targeting MySQL servers and Docker hosts to plant malware capable of launching distributed denial-of-service (DDoS) attacks, according to a warning from researchers at the AhnLab Security Emergency Response Center.

    According to AhnLab, attacks targeting MySQL on Windows have increased in frequency with vulnerable MySQL servers infected with ‘Ddostf’, a DDoS-capable botnet of Chinese origin that has been around since at least 2016.

    Malicious attackers, AhnLab warns, scan the internet for publicly-accessible MySQL servers using the TCP port 3306, and then attempt to compromise them either using weak credentials or exploiting known vulnerabilities.

    The attackers then upload a malicious DLL as a UDF (User-Defined Function) library, which allows them to execute commands on the infected system and to deploy and execute the Ddostf malware.

    Targeting both Linux and Windows environments, Ddostf achieves persistence and then collects system information and sends it to the command-and-control (C&C) server. It then waits for commands to launch DDoS attacks such as SYN, UDP, and HTTP GET/POST floods.

    “Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” AhnLab explained.

    The malware appears to be designed solely for launching DDoS attacks and the researchers believe the threat actor is operating a DDoS-for-hire service.

    OracleIV DDoS-capable malware

    Separately, Cado Security is warning in a new report that Docker hosts are being targeted with the OracleIV DDoS-capable malware, via the Docker Engine API, an HTTP API served by Docker Engine.

    Attackers are scanning for publicly-exposed instances of the Docker Engine API to deploy a malicious container that hosts Python malware compiled as an ELF executable.

    According to Cado, the accidentally exposed Docker Engine API instances have been a popular target for attackers in recent years, especially for deploying cryptocurrency miners. “Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective. Hosting the malicious container in Dockerhub, Docker’s container image library, streamlines this process even further,” the company said.

    Cado said it observed attackers making HTTP POST requests to retrieve a malicious image from Dockerhub and spawn a container from it. The malicious Docker image, Cado says, has over 3,000 pulls and appears to be updated regularly.

    Baked within the image, OracleIV supports commands for UDP, UDP_PPS, SSL, SYN, HTTP/GET, and SLOW flood attacks, although some of the functions are not working.

    Resource : https://www.securityweek.com/mysql-servers-docker-hosts-infected-with-ddos-malware/

    23Dec, 2023
    Every “Thing” Everywhere All at Once

    In the movie Everything Everywhere All at Once, protagonist Evelyn Wang must travel between dimensions to confront and defeat an evil that threatens her family’s existence in their home universe. For Wang it is a confusing and taxing fight that requires her to use information, experience, and power gained as she navigates the multiverse to know what she must do to overcome the challenges she meets along the way. It’s a convoluted story arc that is not unlike the day-to-day of a CISO working to protect the modern enterprise and the universe of “things” that are being deployed.

    The Modern Enterprise is a Multiverse

    Like Evelyn Wang’s world, today’s technology estates are convoluted and multi-dimensional environments where decisions made anywhere have implications everywhere. Multi-campus, multi-cloud, on-premises, cloud-based, mobile, and software defined are all common terms defining a single enterprise. And then you have to take into account the physical and virtual assets comprising a typical environment, many of which come and go, connect and disconnect independent of IT management. It’s hard to keep up; but keep up you must, because threat actors are constantly on the prowl looking for vulnerabilities that will allow them to perpetrate whatever attack they’ve got in mind.

    A recent conversation I had with the CISO of a large enterprise illustrates the dilemma.

    “I am responsible for every device, whether I know about it or not,” he said. “Because we don’t know all of the devices that are connected to the network, we have blind spots that are unprotected.”

    What You See Isn’t All You Get

    To protect a technology estate, you need to be able to see across the network—in real-time—and have information in context for making good decisions. That is a tall order for any organization, but especially for those that rely on a sprawling IT estate. In a 2022 study commissioned by IBM, technology analyst firm IDC found that the average number of IT assets managed by 29 organizations studied was 2.7 million. That’s a lot of systems and devices, and it’s only the ones that are in the known inventory. Another report found that as many as 20% of an organization’s IT assets may be invisible to IT management and security operations, meaning more than a half-million unsecured things are operating in the average enterprise.

    Of that 20%, not all of it is traditional IT that has simply gotten lost in a fast-growing technology environment. Because connectivity is so essential, a lot of things that constitute the Internet of Things (IoT) end up attaching themselves to the enterprise network. In our experience here at Ordr, we’ve seen exercise equipment, gaming consoles, Kegerators, Tesla automobiles, and a lot more operating alongside mission-critical IT systems, Internet of Medical Things (IoMT) devices, operational technology (OT), and plenty more.

    Real-time Asset Inventory Is the Foundation for Security

    Every asset in an organization’s inventory that is not accounted for and protected is a potential attack vector, or step along a path or lateral movement that an attacker can use to gain access or move undetected. Threat actors know this and are targeting IoT more and more to take advantage. One cybersecurity firm says attacks targeting IoT devices have increased 700% since 2020, and Microsoft security researchers recently discovered a “a sophisticated attack campaign” targeting IoT devices.

    That puts a lot of pressure on the CISO, and it also feeds into a vicious asset management and security cycle since a failure to keep track of all assets, including IoT, means that you can’t properly identify your attack surface. These include assets with vulnerabilities, those running outdated operating systems, or devices missing a security agent or patches. This also means IT and security operations aren’t running at maximal efficiency, the context by which decisions are made (and automated) are less precise. Threats thrive in chaos, and so risks increase when assets are not fully inventoried, monitored, and managed in real-time.

    Three Security Considerations To Navigate The Modern Asset Universe

    When security blind spots are a problem, the best first step toward a remedy is to employ tools that enable IT and security teams to gain visibility into the enterprise’s cracks and crevasses. But there are considerations for this:

    • Granular context matters – Asset visibility must include deep threat and asset context. This requires a combination of methods to continuously discover and classify an asset – via deep packet inspection of network traffic, API, NetFlow. For example, in order to determine if you’re impacted by a Zero Day like MOVEit, you must know what applications are actually running on your device. Similarly, to identify vulnerabilities that affect your assets, you may need to know the specific minor version of operating systems running.
    • Behavioral analysis via AI can be a differentiator – Devices are deterministic, a video surveillance camera or an HVAC system or a medical device all have specific behaviors in the network based on their functions. The ability to baseline these communications patterns not only surfaces anomalies– early indicators of a potential compromise, but also informs the foundational Zero Trust policies to secure those devices.
    • Automated policies are important to scale – When there are hundreds of thousands of connected devices in the network, the only way to secure them are via automated policies. This means dynamically generating proactive Zero Trust policies to enable only “baseline” communications for mission-critical devices, or generating reactive policies to block ports, move devices to a different segment or terminate sessions. When a device fits a specific profile, a pre-defined policy can automatically be applied, for example, activating a vulnerability scan when a new device is discovered on the network. 

    Evelyn Wang learned how to navigate her way between dimensions of the multiverse to tackle the challenges that were not visible in her home dimension. CISO’s must gain the means to see every asset across a multidimensional enterprise with fidelity and granular context. Only then will they be able to identify their attack surface and address the security gaps that put their enterprise at risk.

    Resource : https://www.securityweek.com/every-thing-everywhere-all-at-once/

    23Dec, 2023
    Crypto Exchange Hack Guilty Plea, Rating AI Vulnerabilities, Intellexa Spyware 

    SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.

    We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

    Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

    Here are this week’s stories:  

    Ukrainian hackers target major Russian water utility 

    In revenge for the recent Russian attack on Kyivstar, Ukraine’s largest mobile network operator, Ukrainian hackers claim to have launched an attack on Rosvodokanal, the largest private water utility in Russia. The hackers claim to have stolen documents, encrypted 6,000 computers, and deleted 50 Tb of data, disrupting operations. Rosvodokanal is responsible for providing water to millions of consumers, but there do not appear to be any reports of the water supply being impacted by the attack. 

    Former security engineer admits hacking two cryptocurrency exchanges

    The US Justice Department announced that Shakeeb Ahmed has pleaded guilty to hacking two decentralized cryptocurrency exchanges, stealing over $12 million worth of cryptocurrency. The attacks were carried out in 2022 and targeted Nirvana Finance and Crema Finance. The DOJ described Ahmed as a former security engineer at an international technology company, which appears to be Amazon.

    Apple and Adobe patches

    Apple and Adobe have each released patches for a single vulnerability. Apple released macOS Sonoma 14.2.1 to address a WindowServer issue that involved content being unintentionally exposed when users shared their screen. Adobe released an Experience Manager Forms update to address an Apache Struts vulnerability that has been exploited in the wild

    Hundreds of TeamCity instances still vulnerable to attacks

    Hundreds of TeamCity instances are vulnerable to attacks exploiting CVE-2023-42793, according to Censys. The Russian cyberespionage group known as APT29 has been exploiting the vulnerability on a large scale since September 2023, according to government agencies.

    GWT vulnerability remains unpatched 8 years after discovery

    A potentially serious vulnerability affecting GWT, a popular open source web application framework, remains unpatched eight years after it was discovered, according to Bishop Fox. The flaw can expose application owners to unauthenticated server-side code execution. There have been several discussions on the security hole since 2015, but it still has not been fixed. Bishop Fox has published a blog post describing how the vulnerability can be exploited and how developers can check if their GWT-based application is affected. 

    AI vulnerability rating taxonomy for LLMs

    Bug bounty platform Bugcrowd has updated its Vulnerability Rating Taxonomy (VRT) to define how AI vulnerabilities in Large Language Models (LLMs) are classified, reported, and prioritized on its platform in an effort to enable hackers and customers to have a shared understanding of how these types of flaws are handled. 

    Payment fraud underground shows signs of recovery 

    Recorded Future has published its 2023 Payment Fraud report, which reveals that the payment fraud underground is showing signs of recovery following Russia’s crackdown on domestic cybercriminals and its invasion of Ukraine. The report also shows that the volume of stolen payment cards on carding shops has started to rebound. A total of 119 million cards were offered for sale, with a median fraud charge of $79. 

    Google shuts down thousands of YouTube channels 

    Google has terminated thousands of YouTube channels as part of investigations into influence campaigns linked to China, Russia, and Iran. Ads accounts, domains, and other resources linked to these campaigns were also blocked. Hundreds of YouTube accounts linked to campaigns in Turkey, Azerbaijan, Ethiopia, and Sudan also got the ax. 

    Intellexa and its Alien/Predator spyware products

    Cisco has published a new report detailing the evolution of Intellexa, ‘an intelligence agency-grade spyware vendor’ that emerged from the ashes of Cytrox, after it was bought. The report also dives into the vendor’s Alien/Predator line of implants, which were found to persist device reboots. 

    CISA finalizes Microsoft 365 secure configuration guidance

    US cybersecurity agency CISA announced that the final version of its Microsoft 365 Secure Configuration Baselines guidance, which includes input from a public comment period, is now available to the public. The guidance, which aims to help organizations improve the security and resilience of their M365 services, is accompanied by an updated SCuBAGear tool, enabling interested parties to assess their M365 services against CISA’s baselines.

    Resource : https://www.securityweek.com/in-other-news-crypto-exchange-hack-guilty-plea-rating-ai-vulnerabilities-intellexa-spyware/

    22Dec, 2023
    Top 7 Trends Shaping SaaS Security in 2024

    Over the past few years, SaaS has developed into the backbone of corporate IT. Service businesses, such as medical practices, law firms, and financial services firms, are almost entirely SaaS based. Non-service businesses, including manufacturers and retailers, have about 70% of their software in the cloud.

    These applications contain a wealth of data, from minimally sensitive general corporate information to highly sensitive intellectual property, customer records, and employee data. Threat actors have noted this shift, and are actively working to breach apps to access the data.

    Here are the top trends influencing the state of SaaS Security for 2024 — and what you can do about it.

    Democratization of SaaS 

    SaaS apps have transformed the way organizations purchase and use software. Business units purchase and onboard the SaaS tools that best fit their needs. While this is empowering for business units that have long been frustrated by delays in procuring and onboarding software, it does require organizations to rethink the way they secure data.

    Security teams are being forced to develop new ways to secure company data. Lacking access and visibility into an application, they are placed in the role of advising a business unit that is using SaaS applications. To further complicate matters, every SaaS application has different settings and uses different terminology to describe security features. Security teams can’t create a one-size-fits-all guidance document because of the differences between the apps.

    Security teams must find new ways to collaborate with business units. They need a tool that offers visibility and guidance for each application setting so that they – and the business unit – understand the risks and ramifications involved in the configuration choices that they make.

    ITDR Forms a Critical Safety Net

    If a threat actor gains access to a high-privilege account, they gain unfettered access within the application. Organizations are now understanding that identity is the de facto perimeter for their SaaS applications.

    When threat actors take over an authorized user account, they typically follow common tactics, techniques and procedures (TTP) as they work their way through the app toward the data they want. They leave behind indicators of compromise (IoC), which might be based on actions taken within the app or logs.

    As we move into the new year, we are going to see more organizations adopting an Identity Threat Detection & Response (ITDR) approach. ITDR mitigates that concern. As a key component in Identity Security Posture Management, ITDR capabilities can detect TTPs and IoCs, and then send an alert to the incident response team. Through ITDR, threat actors who have managed to breach the identity perimeter can still be stopped before they steal critical data or insert ransomware into the application.

    Cross-Border Compliance Means More Tenants to Secure

    Global companies are increasingly facing different regulatory requirements from one country to the next. As a result, 2024 will see an increase in the number of geo-specific tenants as part of the effort to keep data segmented in accordance with the different regulations.

    This change will have a limited impact on software costs as most SaaS app pricing is based on subscribers rather than tenants. However, it will have a significant impact on security. Each tenant will need to be configured independently, and just because one instance of the application is secure doesn’t mean that all tenants are secure.

    To secure all these tenants, security teams should look for a security solution that allows them to set app benchmarks, compare tenants, and display security settings side-by-side without charging extra for each additional tenant. By applying best practices throughout the organization, companies can keep all their tenants secure.

    Misconfigured Settings Are Leading to New Exploits

    A default misconfiguration in ServiceNow triggered widespread panic in October. The setting, which was part of the application’s Access Control Lists, allowed unauthorized users to extract data from records. The misconfiguration impacted thousands of companies. A similar misconfiguration in Salesforce Community back in May also impacted a significant number of companies and led to data breaches.

    Misconfigurations like these have the potential to cause major damage to companies. They lead to data leaks that break the trust between companies and their stakeholders, and have the potential to turn into onerous fines, depending on the nature of the data that leaked.

    Securing misconfigurations is an organization’s best chance at preventing these exploits from impacting their operations and hurting their bottom lines.

    Increased Reliance on Third-Party Applications Adds to SaaS Risk

    Third-party applications add real value for end users. They improve processes, extend functionality, and connect data between multiple applications. Users connect these SaaS apps with the click of button, and instantly begin improving their workflows.

    In March 2023, Adaptive Shield released a report showing that organizations using Google Workplace with 10,000-20,000 users averaged 13,913 third-party apps connected to Google Workplace alone. An astonishing 89% of these requested either high- or medium-risk permissions. Many of these high-risk apps are used once and forgotten about, or used by a small number of employees. However, even these dormant or lightly used applications have significant permissions and can be used to compromise or breach a SaaS application.

    The use of third-party applications is only increasing, as more apps are developed and employees use their own judgment – rather than checking with their security team – when integrating third-party applications into their stack. Security teams must develop visibility into all their integrated apps, and gain insights into the permissions requested, the value the app contributes to the organization, and the risk it poses.

    Multiple Devices to Secure as Working from Home Isn’t Going Anywhere 

    In 2023, nearly 40% of all employees worked from home at least part of the time. According to WFHResearch, approximately 12% of employees work exclusively in their homes, while another 28% have hybrid roles.

    These figures should give pause to security personnel concerned about users logging in to their work accounts from personal devices. One of the biggest concerns security teams have is when high-privileged users log into their accounts using an unmanaged or unsecured device. These devices may have critical vulnerabilities, and create a new attack vector. For many teams, there is almost no way to tell which devices are used to access the SaaS app or see whether those devices are secure.

    Organizations Are Turning to SSPM to Secure SaaS

    While all these trends point to legitimate SaaS security concerns, SaaS Security Posture Management (SSPM) tools coupled with ITDR capabilities, like Adaptive Shield, can fully secure the SaaS stack. SSPMs are designed to automatically monitor configurations, looking for configuration drifts that weaken an app’s posture. In SaaS Security Survey, 2024 Plans & Priorities by Cloud Security Association and Adaptive Shield, 71% of respondents said their company had increased their investment into SaaS security tools over the past year, and 80% were either already suing SSPM or planned to invest in one within the next 18 months.

    SSPMs can provide baselining tools for multiple tenants of the same app, and enable users to establish best practices, compare settings from different instances, and improve the overall posture of the SaaS stack.

    SSPMs also detect and monitor third-party applications, alerting users if their integrated apps are requesting too much access and updating the security team when integrated apps are dormant. It tracks users, and monitors the devices being used to access applications to prevent the use of unmanaged or unsecured devices on corporate SaaS apps. Furthermore, their built-in communication tools make it easy for business units to collaborate with security personnel in securing their applications.

    SaaS apps have grown in popularity for good reason. They allow organizations to scale as needed, subscribe to the apps they need at the moment, and limit investment in some IT. With SSPM, these applications can be secured as well.

    Resource : https://thehackernews.com/2023/12/top-7-trends-shaping-saas-security-in.html

    22Dec, 2023
    Indian tech giant HCL investigating ransomware attack

    Indian information technology company HCL Technologies reported a ransomware attack to regulators on Wednesday and said that it is investigating the incident.

    In a filing with the National Stock Exchange of India, the company said it “has become aware of a ransomware incident in an isolated cloud environment for one of its projects.”

    “There has been no impact observed due to this incident on the overall HCLTech network. Cybersecurity and data protection is a top priority for HCLTech,” the company’s secretary Manish Anand said.

    “A detailed investigation is underway in consultation with relevant stakeholders to assess the root cause and take remedial action as necessary. This is for your information and records.”

    HCL Technologies, based in Noida, is one of the largest tech companies in the world with more than 225,000 employees spread across 52 countries. The company reported revenues of $13 billion for fiscal 2023. HCL Technologies shares fell 3.24% on Wednesday.

    This is the latest ransomware attack in 2023 to target a major Indian corporation. The country’s largest drugmaker, Sun Pharmaceuticals, confirmed a ransomware attack in regulatory filings in March, warning that the incident involved the theft of company data and personal information.

    Tata Power reported a cyberattack in October 2022 that affected its billion-dollar power business. Tata did not call the incident a ransomware attack but reported that it was forced to “restore” systems and segment the affected networks in order to protect other parts of their business.

    In April, India’s Computer Emergency Response Team (CERT-In) said that reported ransomware attacks on organizations in the country increased 53% throughout 2022.

    “IT & [Information Technology Enabled Services] was majorly impacted sector followed by Finance and Manufacturing. Ransomware players targeted critical infrastructure organizations and disrupted critical services in order to pressurize and extract ransom payments,” they said.

    Resource : https://therecord.media/hcl-india-ransomware-attack?&web_view=true

    19Dec, 2023
    Five Eyes Agencies Publish Guidance on Eliminating Memory Safety Bugs

    Government agencies in the US, UK, Canada, Australia, and New Zealand have published guidance for software makers to eliminate memory safety vulnerabilities.

    The document, named Case for Memory Safe Roadmaps (PDF), recommends the adoption of memory safe programming languages (MSLs), which will help eliminate well-known and common coding errors that threat actors routinely exploit in malicious attacks.

    The guidance also provides software manufacturers with instructions on “creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products”.

    Memory safety bugs, the Five Eyes government agencies note, persist despite significant efforts put into reducing their prevalence. Transitioning to an MSL, however, should eliminate this type of security flaws and reduce their impact, allowing both developers and customers to invest resources in other areas.

    “Eliminating this vulnerability class should be seen as a business imperative likely requiring participation from many departments. The authoring agencies urge executives to lead from the top by publicly identifying senior staff who will drive publication of their roadmap and assist with realigning resources as needed,” the guidance reads.

    Some of the mitigation methods used to reduce memory safety bugs include developer training, code coverage (testing as much code as possible), secure code guidelines, fuzzing, the use of static application security testing (SAST) and dynamic application security testing (DAST) tools, and the use of safer language subsets.

    To reduce the impact of this type of vulnerabilities, defenders have marked memory segments as non-executable, adopted Control Flow Integrity (CFI), Address Space Layout Randomization (ASLR), sandboxing, and other mitigation methods, and are considering the use of hardware to support memory protections.

    “Despite software manufacturers investing vast resources attempting to mitigate memory safety vulnerabilities, they remain pervasive. Customers must then expend significant resources responding to these vulnerabilities through both onerous patch management programs and incident response activities,” the guidance reads.

    The adoption of MSLs should bring benefits to both software makers and their customers, by improving code reliability, reducing the need to patch the reported vulnerabilities and the number of emergency releases, and ultimately reducing the number of urgent updates that customers will need to install, as well as data breaches.

    “In addition to bringing benefits to software manufacturers and their customers, MSLs reduce a product’s attack surface. That reduction in attack surface will increase the cost to malicious actors who then need to invest more resources discovering other exploitable vulnerabilities,” the guidance reads.

    When developing a memory safety roadmap, software manufacturers should consider how to prioritize transition, the use of appropriate MSLs, and how they will train developers. For each of these aspects, the Five Eyes agencies recommend specific steps to follow.

    The guidance also provides an overview of the implementation challenges that software makers will encounter when adopting MSLs, as well as details on the elements that a memory safety roadmap should include.

    “The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases,” the guidance reads.

    The guide was authored by the US cybersecurity agency CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Cyber Security Centre, the Canadian Centre for Cyber Security, UK’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team.

    Resource : https://www.securityweek.com/five-eyes-agencies-publish-guidance-on-eliminating-memory-safety-bugs/

    19Dec, 2023
    MITRE Unveils EMB3D Threat Model for Embedded Devices Used in Critical Infrastructure

    MITRE has teamed up with the cybersecurity community and the industrial sector to create EMB3D, a threat model specifically designed for embedded devices used in critical infrastructure.

    EMB3D is the work of MITRE, Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas. 

    Its goal is to provide a collaborative framework that enables organizations to have a common understanding of the threats targeting embedded devices and how those threats can be mitigated. 

    The new threat model — recommended for manufacturers, vendors, asset owners, testers and security researchers — expands on resources such as ATT&CK, CVE and CWE, with a focus on embedded devices. It provides a knowledge base of threats, including ones seen in the wild and ones demonstrated through theoretic research and proofs of concept. 

    In order to help users create and tailor threat models to specific devices, threats are mapped to device properties. The mitigations suggested by EMB3D are exclusively focused on technical mechanisms that can be implemented by device vendors. 

    “The EMB3D model will provide a means for ICS device manufacturers to understand the evolving threat landscape and potential available mitigations earlier in the design cycle, resulting in more inherently secure devices,” Pearson said. “This will eliminate or reduce the need to ‘bolt on’ security after the fact, resulting in more secure infrastructure and reduced security costs.” 

    The framework will be continuously updated by its maintainers and the cybersecurity community with new information on threat actors, vulnerabilities and defenses. 

    EMB3D is in a pre-release review period, with device vendors, asset owners, academics and researchers being encouraged to review the framework before its official launch, which is scheduled for early 2024.

    Resource : https://www.securityweek.com/mitre-unveils-emb3d-threat-model-for-embedded-devices-used-in-critical-infrastructure/

    18Dec, 2023
    MongoDB Suffers Security Breach, Exposing Customer Data

    MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

    The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

    It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

    In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

    That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

    When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

    Resource : https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

    18Dec, 2023
    5 Critical Steps to Prepare for AI-Powered Malware in Your Connected Asset Ecosystem

    Despite the hype and the seemingly endless stream of news stories that may have led you to believe that the opposite is already the case, actual hard evidence of criminal use of AI is as rare as the proverbial hobbyhorse-based fertilizer. Though it is impossible to deny that criminal interest abounds, they lack the toolset or skills to do something about it yet.

    Over the course of 2023, there have been multiple Large Language Model (LLM)-based services advertised on cybercriminal forums and Telegram channels, pushing services with names such as WolfGPT, Evil GPT or DarkBARD. However, even these services, it seems, are either scams in themselves or simply short-lived wrapper services that sell access to a legitimate LLM through stolen credentials and jailbroken user prompts. The possible exception to all this was WormGPT, a service that was permanently shuttered after a mere two months when the creators had enough of the media exposure they garnered. Voice synthesis has already been used in a few fake kidnap extortion attempts and possibly in one or two Business Email Compromise attacks as well, but that’s about it.

    So why talk about strategies and steps to prepare for AI-powered malware? Well, to quote Joseph Heller’s Catch-22, “Just because you’re paranoid doesn’t mean they aren’t after you”.

    AI-powered malware (as opposed to AI-generated) represents a new frontier in the ever-expanding portfolio of malicious cyber capability. To me, this category will encompass a wide range of sophisticated techniques where artificial intelligence is utilized to enhance the effectiveness and stealth of malicious activities including:

    Fake content generation

    The capabilities offered by Generative Adversarial Networks (GAN) and LLMs will allow threat actors to create entirely fake, but legitimate looking image and video-based content for social media. This content, used in combination with LLM-enhanced messaging has the potential to convince the unwitting or the highly targeted to click on malicious links and to assist in further propagation through organic sharing.

    Enhanced phishing lures

    AI-powered attacks go beyond traditional phishing methods. AI-powered tools make light work of the research and footprinting activities that were previously reserved for more sophisticated attacks. AI-enhanced phishing will be highly targeted and well. These emails will not only be more convincing, but threat actors will also be able to automate the fine-tuning of content and tactics in near real-time. This level of sophistication increases the likelihood of successful social engineering attacks and credential harvesting.

    AI-Generated or Assisted Malware

    In more advanced scenarios, AI will be directly involved in the development and execution of malware. While contemporary examples are rare, such the Black Mamba proof of concept from Hyas Labs, they do showcase the potential of AI to assist in crafting malware. In reality, the Black Mamba PoC offered little in the way of new functionality; abuse of legitimate sites for C2, polymorphism, and writing malicious code solely to memory are hardly innovative.

    There is an argument to be made though that this approach was already hamstrung by restricting itself to human thought processes. Asking an AI to develop and idea formulated by a human fails to maximize the innovate potential of AI. Outside of this paradigm, the potential for the development of AI-assisted or AI-generated malware, that is not only evasive but can adapt its behavior based on the target environment, is real. This will pose a significant challenge for traditional cybersecurity measures, equally constrained by human understanding.

    The potential threat isn’t limited to conventional computing systems. Internet of Things (IoT) and Operational Technology (OT) devices, integral components of many connected ecosystems, are increasingly targeted for sophisticated cyberattacks. AI-powered malware could just as easily exploit vulnerabilities in IoT devices, gaining unauthorized access to networks. Malicious actors can leverage AI to craft attacks tailored to the specific vulnerabilities of IoT devices, potentially causing disruptions or unauthorized access.

    OT involved in industrial processes and critical infrastructure is equally at risk. AI-powered malware may target these systems, leading to disruptions in manufacturing, energy production, or even transportation. The ability of AI to analyze and adapt to intricate OT environments poses a unique challenge, overcoming the knowledge-gap that has for so long been a barrier to the widespread dissemination of attacks.

    A comprehensive strategy that recognizes the distinct challenges posed by AI-powered malware in these environments is crucial to ensure the resilience and security of connected ecosystems in the future. Here are five critical steps to optimize defenses and prepare for the challenge.

    Complete visibility

    The ability to see and understand every connected asset in your environment is crucial. It enables the detection of anomalous behavior, identification of risk, and a swift response to potential threats. Effective security relies on the solid foundation of visibility. Know good; detect bad.

    Continuous Risk Assessment

    Traditional risk assessments are point-in-time evaluations, but as AI algorithms learn and adapt, the risks to a system will change dynamically. Continuous risk assessment means evaluating security posture in real time, identifying changes, anomalies, and emerging risk, and adapting defenses accordingly.

    Minimize Attack Surface

    AI-powered attacks will often exploit vulnerabilities in systems and processes. By minimizing the attack surface, organizations can significantly reduce the potential vectors for attack and make it more challenging for malicious actors to find and exploit weaknesses. This means not only securing unnecessary services, closing unused ports, and limiting user privileges, but also evaluating business processes that socially engineered attacks may seek to exploit.

    Build a Defensible Environment

    A defensible environment is one that is designed with security in mind from the ground up, or one that has been holistically re-evaluated from the same perspective. Strong authentication mechanisms, encryption of sensitive data, and properly segmented networks all help to mitigate and contain potential breaches. In the face of AI-powered attacks, a defensible environment means that even if one part of the system is compromised, the overall integrity of the network remains resilient, making it more challenging for attackers to move laterally and escalate privileges.

    Manage, Automate, Monitor, Respond, Archive

    AI-powered attacks will become progressively more common, and a well-rounded security approach involves more than simply managing incidents effectively. Automation helps in responding to threats at machine speed, and archiving data is crucial for post-incident analysis and further response. The knowledge that a specific asset has been compromised facilitates immediate proactive steps in securing all other devices that fit that same risk profile.

    These five points represent an outline for effective preparation to defend against future AI-powered attacks. They emphasize proactive measures, adaptability, and a holistic approach to cybersecurity. As AI continues to evolve, a defensive strategy that is equally dynamic and adaptable is essential for organizations to stay ahead of emerging threats.

    Resource : https://www.securityweek.com/5-critical-steps-to-prepare-for-ai-powered-malware-in-your-connected-asset-ecosystem/