The War Room

Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

401

As Phishing Gets Even Sneakier, Browser Security Needs to Step Up

Perception Point's Din Serussi says browser extensions can help mitigate more sophisticated phishing techniques.

402

Threat Intelligence Efforts, Investment Lagging, Says Opswat

In an annual survey, 62% of respondents admitted their threat intel efforts need stepping up.

403

US cyber safety board to analyze Microsoft Exchange hack of govt emails

The Department of Homeland Security's Cyber Safety Review Board (CSRB) has announced plans to conduct an in-depth review of cloud security practices following recent Chinese hacks of Microsoft Exchange accounts used by US government agencies.

The CSRB is a collaboration of public and private sectors, created to conduct in-depth investigations that offer a better understanding of critical events, discern root causes, and issue informed recommendations on cybersecurity.

In this case, CSRB will explore how the government, industry, and cloud service providers (CSPs) can bolster identity management and authentication in the cloud and develop actionable cybersecurity recommendations for all stakeholders.

Those recommendations will be forwarded to CISA and the current US administration, which will decide what actions must be taken to protect government systems and accounts.

"Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology," stated Alejandro Mayorkas, Secretary of Homeland Security.

"Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure."

Storm-0558 hacks of Microsoft Exchange

In mid-July 2023, Microsoft reported that a Chinese hacking group tracked as 'Storm-0558' breached the email accounts of 25 organizations, including US and Western European government agencies, using forged authentication tokens from a stolen Microsoft consumer signing key.

Using this stolen key, the Chinese threat actors exploited a zero-day vulnerability in the GetAccessTokenForResource API function for Outlook Web Access in Exchange Online (OWA) to forge authorization tokens.

These tokens allowed the threat actors to impersonate Azure accounts and access email accounts for numerous government agencies and organizations to monitor and steal email.

After these attacks, Microsoft faced a lot of criticism for not providing adequate logging to Microsoft customers for free. Instead, Microsoft required customers to purchase additional licenses to obtain logging data that could have helped detect these attacks.

After working with CISA to identify crucial logging data needed to detect attacks, Microsoft announced that they now offer it for free to all Microsoft customers.

Microsoft revoked the stolen signing key and fixed the API flaw to prevent further abuse. Still, their investigation of the incident failed to reveal exactly how the hackers acquired the key in the first place.

Two weeks after the initial discovery of the breach, Wiz researchers reported that Storm-0558's access was much broader than what Microsoft previously reported, including Azure AD apps that operate with Microsoft's OpenID v2.0.

Wiz revealed that the Chinese hackers could have used the compromised key to access various Microsoft applications and any customer applications that supported Microsoft Account authentication, so the incident might not be limited to accessing and exfiltrating emails from Exchange servers.

Given the severe nature of the breach, the extensive investigative efforts required, and the inconclusive findings to date, the US government has tasked the CSRB to conduct a comprehensive review of the case, hoping it will produce insights that will fortify users, defenders, and service providers against future threats.

CSRB's past reviews include the series of broadly-impacting vulnerabilities in the Log4j software in 2021 and the activities of Lapsus$, a hacking group that excelled in breaching Fortune 500 companies using simple yet highly effective techniques like SIM swapping and social engineering.

404

The Evolution of API: From Commerce to Cloud

API (or Application Programming Interface) is a ubiquitous term in the tech community today, and it’s one with a long history. As a concept, APIs have been around since the 1950s. What started out as a potential method to facilitate communication between two computers then evolved to describe the interaction between […]

The post The Evolution of API: From Commerce to Cloud appeared first on Security Affairs.

405

Xiaomi's MIUI now flags Telegram as dangerous in China

Asian smartphone giant Xiaomi is now blocking Telegram from being installed on devices using its MIUI system and firmware interface.

MIUI is an operating system based on Android that Xiaomi uses on its smartphones and mobile devices. With the release of MIUI 13 in 2022, the company added a new security feature to flag and block malicious applications from running on devices.

However, this feature has faced criticism and suspicion in the past, with users speculating that it could be a veiled attempt by Xiaomi, in partnership with the Chinese Communist Party (CCP), to monitor users' activities and censor apps.

These suspicions were further fueled by the fact that MIUI started blocking apps that enabled users to alter network settings beyond the default settings. If an app is deemed malicious or dangerous, MIUI tries to remove the app from the device and block the installation.

Recent revelations indicate that Xiaomi's MIUI is now flagging the popular messaging platform Telegram as a dangerous app in China.

MIUI flags Telegram as dangerous

According to reports on Telegram channels, when MIUI identifies Telegram, it displays a warning stating, "The app has not passed Xiaomi's security review. This app is fraudulent, and using it may lead to risks like fraudulent deductions or unwarranted consumption. For security reasons, it is advised to activate security measures to ensure application safety and guard against risky apps."

BleepingComputer received confirmation from Chinese mobile developer Hikari Calyx, who stated that reports about MIUI flagging Telegram and other apps in China are "confirmed true."

Flagging Telegram as a suspicious app possibly points to the broader narrative of the Chinese government's ongoing efforts to limit free speech and personal privacy.

Unverified reports from Telegram's Indian community suggest that such attempts to circumvent censorship in China might be relayed to the Chinese police.

Historically, the Chinese authorities have imposed restrictions or outright bans on numerous global platforms, including Facebook, Twitter, WhatsApp, and Google, curtailing access and free communication for millions.

China's censorship apparatus has been known to restrict access to foreign websites, filter out keywords deemed sensitive or anti-state, and monitor internet activity.

Over the years, popular social media platforms like Facebook, Twitter, and YouTube have also been targeted, with Chinese alternatives gaining prominence.

More recently, China has also turned its attention to apps that facilitate unmonitored communication or content sharing, such as we are seeing with Telegram.

While it is common for the Chinese government to flag or even ban apps that don't align with their tight control narrative, labeling a popular messaging app like Telegram as "dangerous" indicates their escalating efforts to control digital communication spaces.

406

XWorm, Remcos RAT Evade EDRs to Infect Critical Infrastructure

Disguised as harmless PDF documents, LNK files trigger a PowerShell script, initiating a Rust-based injector called Freeze[.]rs and a host of malware infections.

407

Phishing 3.0: Crooks Leverage AWS in Deceptive Email Campaigns

By Habiba Rashid

The new attack has been dubbed Phishing 3.0.

This is a post from HackRead.com Read the original post: Phishing 3.0: Crooks Leverage AWS in Deceptive Email Campaigns

408

Police seize LOLEK bulletproof service for hosting malware

Police have taken down the Lolek bulletproof hosting provider, arresting five individuals and seizing servers for facilitating malicious activities, including DDoS attacks and malware distribution.

A bulletproof hosting provider is a hosting company that turns a blind eye to reports of criminal activity or the hosting of copyrighted material on their servers.

Cybercriminals prefer these types of hosting providers over traditional companies, as they can launch cybercrime campaigns without fear that they will be shut down after malicious activity is reported.

On Tuesday, BleepingComputer learned that the platform's site at lolekhosted[.]net had been seized, now displaying a message stating that an international law enforcement operation between Poland and the US seized the site.

"This domain has been seized by the Federal Bureau of Investigation and Internal Revenue Service - Criminal Investigation as part of a coordinated law enforcement action taken against LOLEK HOSTED," reads the Lolek seizure message.

LOLEK HOSTED seizure message
Source: BleepingComputer

Lolek promoted itself as a "100% privacy hosting" service with a no-log policy, meaning it did not log any activity on its servers or routers that could be used to incriminate customers.

Lolekhosted website
Source: BleepingComputer

Customer reviews of the service seen by BleepingComputer said that almost any activity was allowed at the hosting provider, and the platform accepted PayPal and cryptocurrency for payments.

While the FBI and IRS declined to comment this week on the investigation, Europol announced today the seizure of Lolek and the arrest of five administrators in Poland.

"This week, the Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości) under the supervision of the Regional Prosecutor's Office in Katowice (Prokuratura Regionalna w Katowicach) took action against LolekHosted.net, a bulletproof hosting service used by criminals to launch cyber-attacks across the world," reads Europol's announcement.

"Five of its administrators were arrested, and all of its servers seized, rendering LolekHosted.net no longer available."

Europol says that Lolek was seized as cybercriminals used its servers to launch DDoS attacks, distribute information-stealing malware, host command and control servers, host fake online shops, and conduct spam campaigns.

The operation was led by the FBI and IRS, with Europol providing support linking available data to various criminal cases within and outside the EU, as well as tracing cryptocurrency transactions.

As bulletproof hosting providers have become a significant component in malware distribution and cybercrime, law enforcement has been actively targeting these platforms.

In 2018, the Dutch police seized MaxiDed for hosting DDoS botnets, cyber-espionage, malvertising, spam, and malware operations. Since then, numerous arrests [1, 2] have been made for involvement in bulletproof hosting (BPH) services.

409

US cyber board to investigate Microsoft hack of government emails

A U.S. review board tasked with investigating major cybersecurity incidents said it will begin looking at the recent intrusion of U.S. government email systems provided by Microsoft, whose handling of the incident drew ire and scrutiny from federal lawmakers and the wider security community. The Cyber Safety Review Board, or CSRB, said Friday that its […]

410

The MOVEit mass hacks hold a valuable lesson for the software industry

While zero-day exploits are hard to defend against, the software industry must come together and do more to improve security across the board.

411

Industrial PLCs worldwide impacted by CODESYS V3 RCE flaws

Millions of programmable logic controllers (PLCs) used in industrial environments worldwide are at risk from 15 vulnerabilities in the CODESYS V3 software development kit that allow remote code execution (RCE) and denial of service (DoS) attacks.

Over 500 device manufacturers use the CODESYS V3 SDK for programming on more than 1,000 PLC models according to the IEC 61131-3 standard, allowing users to develop custom automation sequences.

The SDK also provides a Windows management interface and a simulator that allows users to test their PLC configuration and programming before deploying it in production.

The fifteen flaws in the CODESYS V3 SDK were discovered by Microsoft researchers, who reported them to CODESYS in September 2022. The vendor released security updates to address the identified problems in April 2023.

Because devices of this kind are rarely updated to fix security problems, Microsoft's security team published a detailed post yesterday to raise awareness of the risks and to help patching pick up pace.

CODESYS devices exposed on the internet
Source: Microsoft

The CODESYS vulnerabilities

Microsoft examined two PLCs from Schneider Electric and WAGO that use CODESYS V3 and discovered 15 high-severity vulnerabilities (CVSS v3: 7.5 – 8.8).

The flaws are: CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47385, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47392, CVE-2022-47393.

The main issue is in the tag decoding mechanism of the SDK: tags are copied into the device buffer without verifying their size against the buffer's capacity, giving attackers a buffer overflow opportunity.

Those tags are carriers of data or data structures that provide crucial instructions for the function of the PLC.

The buffer overflow problem isn't isolated, as Microsoft found it in 15 CODESYS V3 SDK components, including CMPTraceMgr, CMPapp, CMPDevice, CMPApp, CMPAppBP, CMPAppForce, and CMPFileTransfer.
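To make the failure mode described above concrete, here is an added example; it is not CODESYS's code and not Microsoft's proof of concept. It uses a constructed, length-prefixed tag layout (a 1-byte id, a 2-byte big-endian length, then the payload; the layout, the 64-byte device buffer and every function name are assumptions for the illustration). The unchecked decoder reproduces the pattern the article describes, trusting the wire-supplied length; the checked decoder adds the two bounds checks that close it, and a packet walker shows how a single bad tag is rejected rather than copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not CODESYS code: a length-prefixed "tag"
 * (1-byte id, 2-byte big-endian length, payload) copied into a fixed
 * device buffer. Layout and sizes are assumptions made for this example. */

#define DEVICE_BUF_SIZE 64

struct tag {
    uint8_t  id;
    uint16_t len;
    uint8_t  data[DEVICE_BUF_SIZE];
};

/* Vulnerable pattern: trusts the length field read from the wire.
 * A declared length above DEVICE_BUF_SIZE writes past out->data, and one
 * above the packet size reads past the input. Shown only for contrast;
 * it is never given untrusted input here. */
static int decode_tag_unchecked(const uint8_t *in, size_t in_len, struct tag *out)
{
    if (in_len < 3) return -1;
    out->id  = in[0];
    out->len = (uint16_t)((in[1] << 8) | in[2]);
    memcpy(out->data, in + 3, out->len);   /* no bound check on out->len */
    return 3 + (int)out->len;
}

/* Hardened version: the declared length must fit both the remaining input
 * and the destination buffer. Returns bytes consumed, or -1 if the tag is
 * malformed, in which case nothing is copied. */
static int decode_tag_checked(const uint8_t *in, size_t in_len, struct tag *out)
{
    if (in == NULL || out == NULL || in_len < 3) return -1;
    uint16_t len = (uint16_t)((in[1] << 8) | in[2]);
    if (len > DEVICE_BUF_SIZE) return -1;      /* would overflow destination */
    if ((size_t)len > in_len - 3) return -1;   /* declared length exceeds packet */
    out->id  = in[0];
    out->len = len;
    memcpy(out->data, in + 3, len);
    return 3 + (int)len;
}

/* Walk a packet of consecutive tags. Returns the number of tags decoded,
 * or -1 if any tag is malformed or more tags arrive than fit in tags[]. */
static int decode_packet(const uint8_t *in, size_t in_len,
                         struct tag *tags, size_t max_tags)
{
    size_t off = 0, n = 0;
    while (off < in_len) {
        if (n >= max_tags) return -1;
        int used = decode_tag_checked(in + off, in_len - off, &tags[n]);
        if (used < 0) return -1;
        off += (size_t)used;
        n++;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed packets: one well-formed, one claiming 256 bytes of
     * payload (overflows the 64-byte buffer), one claiming 16 bytes but
     * carrying only 2 (over-read of the packet). */
    const uint8_t good[]      = {0x01, 0x00, 0x03, 'a', 'b', 'c', 0x02, 0x00, 0x01, 'z'};
    const uint8_t oversize[]  = {0x01, 0x01, 0x00, 'a'};
    const uint8_t truncated[] = {0x01, 0x00, 0x10, 'a', 'b'};
    struct tag tags[4];

    /* On well-formed input both decoders agree, which is why the bug
     * survives functional testing. */
    printf("unchecked, good tag: consumed %d bytes\n",
           decode_tag_unchecked(good, sizeof good, &tags[0]));
    printf("good packet: %d tags\n", decode_packet(good, sizeof good, tags, 4));
    printf("oversize packet: %d\n", decode_packet(oversize, sizeof oversize, tags, 4));
    printf("truncated packet: %d\n", decode_packet(truncated, sizeof truncated, tags, 4));
    return 0;
}
```

The two checks are independent: the first protects the destination buffer (the overflow the article describes), the second protects against reading beyond the received packet, which is the same class of bug in the other direction. A decoder that validates the length before touching the buffer, and refuses the whole packet on the first malformed tag, is the pattern to look for when reviewing any TLV-style parser on a device that cannot be patched quickly.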

Although the flaws require authentication to exploit, Microsoft says this requirement can be bypassed by using CVE-2019-9013, another flaw impacting CODESYS V3 that exposes user credentials during transport in cleartext form, as demonstrated below.

[Embedded video: https://player.vimeo.com/video/853713538]

In 12 of the 15 cases, Microsoft's analysts were able to leverage the flaw to gain remote code execution on the PLC.

CODESYS's security advisory lists the following products as impacted if they run versions before 3.5.19.0, regardless of the hardware and OS configuration:

  • CODESYS Control RTE (SL)
  • CODESYS Control RTE (for Beckhoff CX) SL
  • CODESYS Control Win (SL)
  • CODESYS Control Runtime System Toolkit
  • CODESYS Safety SIL2 Runtime Toolkit
  • CODESYS Safety SIL2 PSP
  • CODESYS HMI (SL)
  • CODESYS Development System V3
  • CODESYS Development System V3 simulation runtime

In addition to the above, the following products are impacted on versions prior to 4.8.0.0:

  • CODESYS Control for BeagleBone SL
  • CODESYS Control for emPC-A/iMX6 SL
  • CODESYS Control for IOT2000 SL
  • CODESYS Control for Linux SL
  • CODESYS Control for PFC100 SL
  • CODESYS Control for PFC200 SL
  • CODESYS Control for PLCnext SL
  • CODESYS Control for Raspberry Pi SL
  • CODESYS Control for WAGO Touch Panels 600 SL

Admins are advised to upgrade to CODESYS V3 v3.5.19.0 as soon as possible, while Microsoft also recommends disconnecting PLCs and other critical industrial devices from the internet.

412

Amazon AWS withdraws Moq sponsorship amid data collection controversy

Amazon AWS has dropped sponsorship support for open source project Moq after the project drew sharp criticism for its quiet addition of data collection features, as first reported by BleepingComputer.

Moq, a widely distributed library on the NuGet software registry, was found to be harvesting hashes of developer email addresses on machines it was installed on. This started last week, after Moq's developer bundled his controversial SponsorLink dependency into the project without notice.

Amazon AWS drops sponsoring Moq

The Moq project, whose maintainers include Daniel Cazzulino (kzu), received severe pushback this week after Cazzulino rolled out version 4.20, which included his SponsorLink package without prior notification.

The inclusion of the closed-source SponsorLink package caused Moq to harvest SHA-256 hashes of developer email addresses from local Git configs and upload them to SponsorLink's CDN.

In reaction, several developers either discontinued use of Moq [1, 2] in favor of alternatives, or suggested building tools that would detect and block any projects that run SponsorLink.

Some went a step further, stating they would boycott projects that use SponsorLink or even report SponsorLink as "malware" to the NuGet registry [1, 2].

SponsorLink, previously shipped on NuGet as obfuscated DLLs, generated hefty pushback among open source software users, who stated that disclosing the project's source code was "important for transparency and trust."

More than whether Moq or SponsorLink fell foul of the expectations within open source ecosystems, a pressing concern among users was whether the data collection violated privacy legislation, such as GDPR [1, 2]. A German court has previously ruled that SHA-256 hashing by itself is not a sufficient means of data anonymization.

The developer has rolled back the controversial change in Moq v4.20.2, stating that it "breaks MacOS restore"—a reason that others have, yet again, mocked.

Despite the developer making these amends, there remains suspicion among users that future Moq releases could reintroduce a similar "feature."

Amazon AWS, like many, has distanced itself from Moq and ceased endorsing the open source project.

A code change submitted to Moq by Rich Bowen, Amazon AWS' open source advocate, requests that references to AWS be removed from the project, as seen by BleepingComputer.

Amazon AWS withdraws endorsement for Moq (GitHub)

"We acknowledge that we sponsored in the past," writes Bowen.

"However, the addition of SponsorLink means that we will no longer be using this tool, and don't wish to have our implied endorsement prominently displayed in the README. Thanks."

Moq developer Cazzulino welcomed the request and removed Amazon's AWS name from the project's README:

Moq removes Amazon's name from sponsors (GitHub)

"Properly removing the whole section in #1383. Should auto-merge in a bit," responded the developer.

In fact, the developer has replaced the entire manually-written "Sponsors" list with one that's "auto-updated," according to the pull request.

We have reached out to Amazon AWS for comment. Cazzulino did not respond to BleepingComputer when approached for comment on the matter this week.

SponsorLink is now open source

On a related note, following persistent feedback from his user base, the developer has now made the SponsorLink project open source.

"Full OSS for SponsorLink (including client and backend) now lives in this same repo, under the src folder," writes Cazzulino.

BleepingComputer verified that an 'src' (source code) directory was made available on SponsorLink's GitHub repository sometime yesterday:

SponsorLink's source code now available on GitHub

The reasoning behind why SponsorLink's .NET implementation was previously kept closed-source was also amended.

The developer admits that, "making the source available might have only made it trivial to circumvent" functionality that would ensure users receive their sponsorship status notification.

The move to make SponsorLink open source, according to the developer, would make it "less effective in contributing to an OSS project long-term sustainability."

Earlier reasoning for keeping project closed-source (in red) amended (in green) (GitHub)

Despite the developer making much-requested amendments to Moq and SponsorLink, the projects may take a while to regain user trust among open source veterans.

413

Researchers Uncover Decade-Long Cyber Espionage on Foreign Embassies in Belarus

A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus. "Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets," ESET security researcher Matthieu

414

What CISA and NSA Guidance Means for Critical Infrastructure Security

Strategically investing in solutions that meet you where you are makes all the difference in staying secure from cyber threats.

415

Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study

By Waqas

The new study has identified a cybersecurity training gap and an alarming lack of preparedness in countering emerging threats.

416

EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA via Reverse Proxy

By Habiba Rashid

The EvilProxy phishing kit is a malicious tool that has emerged as a key player, as it exploits MFA's limitations. So far, it has targeted over 100 firms.

417

In Other News: macOS Security Reports, Keyboard Spying, VPN Vulnerabilities

Weekly cybersecurity news roundup that provides a summary of noteworthy stories that might have slipped under the radar for the week of August 7, 2023.

The post In Other News: macOS Security Reports, Keyboard Spying, VPN Vulnerabilities appeared first on SecurityWeek.

418

Cybersecurity Snapshot: U.S. To Award Millions in AI Cyber Tool Contest, While NIST Revamps Cybersecurity Framework

Got an idea for a new AI-based cybersecurity product? You could win millions in a new contest. Meanwhile, NIST has drafted a major revision to the CSF 2.0 and wants your opinion about it. Also, there’s a new free tool that flags security flaws in public AI models. Plus, most cloud breaches are caused by credential missteps. And much more!

Dive into six things that are top of mind for the week ending August 11.

1 – White House contest to spur development of AI cyber tools

To promote the development of AI-powered cybersecurity products, the White House and the Defense Advanced Research Projects Agency (DARPA) this week unveiled a two-year competition with about $20 million in prizes.

The Artificial Intelligence Cyber Challenge (AIxCC), announced at the Black Hat USA 2023 conference in Las Vegas, is aimed at computer scientists, AI experts, software developers and cybersecurity masters interested in creating next-generation cyber tools that leverage the power of AI.

AI vendors Anthropic, Google, Microsoft and OpenAI will support participants by providing their technology and expertise, while the Open Source Security Foundation (OpenSSF) will act as an advisor.

Small businesses can participate as part of the “funded track,” which will provide monetary support to seven SMBs. All others can enter via the “open track.”

After entrants submit proposals, up to 20 will be selected to participate in a semifinal competition held at DefCon in August 2024. The five teams with the highest scores will be awarded prizes and will move on to the final round at DefCon in August 2025.

“If successful, AIxCC will not only produce the next generation of cybersecurity tools, but will show how AI can be used to better society by defending its critical underpinnings,” Perri Adams, DARPA’s AIxCC program manager, said in a statement.

To get more details, check out the White House’s announcement, DARPA’s announcement, OpenSSF’s announcement and the AIxCC website.

2 – NIST releases Cybersecurity Framework 2.0 draft

The U.S. National Institute of Standards and Technology (NIST) wants you – yes, you! – to comment on the draft of its Cybersecurity Framework 2.0 it released this week.

Described as a “major update” to the framework, which was first released in 2014, this draft features an expanded scope, adds a sixth function titled “Govern,” and aims to simplify its implementation through revised guidance.

For example, the framework originally focused specifically on securing U.S. critical infrastructure organizations, but it now aims to encompass all types of organizations worldwide, regardless of size, type and industry sector.

Meanwhile, the new “Govern” function was added to address areas such as risk management strategy, organizational context, cybersecurity supply chain risk management, and policies, processes and procedures.

The five other functions are:

  • Identify, focused on assessing an organization’s cyber risk
  • Protect, about adopting measures to prevent and reduce cyber risk
  • Detect, centered on discovering and analyzing cyberattacks and breaches
  • Respond, devoted to taking action after a cyber incident
  • Recover, focused on the restoration of impacted assets and operations

“The NIST Cybersecurity Framework (Framework or CSF) 2.0 provides guidance for reducing cybersecurity risks by helping organizations to understand, assess, prioritize, and communicate about those risks and the actions that will reduce them,” the draft document reads.

Care to share your feedback on this CSF 2.0 draft with NIST? You can email your comments to NIST until Nov. 4, 2023. NIST is particularly interested in hearing whether the public thinks this draft addresses current and anticipated cybersecurity challenges, and aligns with established practices and guidance.

NIST expects to publish the final version of the CSF 2.0 in early 2024, at which point it will officially replace CSF 1.1, released in 2018.

To get more details, check out the CSF’s homepage, NIST’s announcement, a draft summary and the full 52-page draft document.

3 – Open source tool detects supply chain risks in AI models

Is your organization using an artificial intelligence model it pulled from a public repository? Are you sure it’s secure? If not, you might want to check out a new and free open-source tool designed to flag supply-chain vulnerabilities and risks in publicly available AI models.

The AI Risk Database was created in March by AI vendor Robust Intelligence, which then collaborated with MITRE to further refine it into the version unveiled this week on GitHub. Indiana University is also part of the collaboration.

“This collaboration and release of the AI Risk Database can directly enable more organizations to see for themselves how they are directly at risk and vulnerable in deploying specific types of AI-enabled systems,” Douglas Robbins, MITRE vice president of engineering and prototyping, said in a statement.

Representatives from the three organizations talked about the AI Risk Database in a pair of presentations at Black Hat USA 2023 in Las Vegas.

To get more details, check out the announcement from MITRE and Robust Intelligence.

For more information about using AI for cybersecurity, check out these Tenable resources:

How Generative AI is Changing Security Research: The Development of the G-3PO Tool

4 – Google: Most cloud breaches due to credential failures

Weak or non-existent passwords, along with leaked credentials, accounted for about 62% of cloud compromises observed by Google Cloud incident response teams in the first quarter of 2023.

Enterprises impacted by this “consistent challenge” could address it by beefing up their identity management wares and processes, Google said in the “August 2023 Threat Horizons Report” from its Cybersecurity Action Team.

(Source: “August 2023 Threat Horizons Report” from Google’s Cybersecurity Action Team)

Other findings from the 31-page report include:

  • Cyber crooks are getting legit-looking Android applications approved in the Google Play Store, and then are adding malicious features to them via stealthy versioning updates done through unapproved channels. Enterprise mitigations for this type of threat include:
    • Adopt an enterprise mobility management system
    • Create lists of pre-approved applications for your users
  • According to an analysis of anonymized alert statistics from Google’s Chronicle Security Operations, the top risky action that can lead to compromises was, by far, cross-project abuse of Google Cloud Platform’s access token generation permission

Top risky actions leading to compromises

(Source: “August 2023 Threat Horizons Report” from Google’s Cybersecurity Action Team)

To get all the details, read the full report.

5 – CISA issues cybersecurity strategic plan

Cyberbreaches have become rare. Organizations are secure and can withstand cyberattacks. Tech products are inherently secure.

These statements aren’t true today, but the U.S. Cybersecurity and Infrastructure Security Agency (CISA) wants to make them a reality, as stated in its newly released Cybersecurity Strategic Plan.

“We must be clear-eyed about the future we seek, one in which damaging cyber intrusions are a shocking anomaly, in which organizations are secure and resilient, in which technology products are safe and secure by design and default,” reads the document.

The plan, which outlines CISA’s cybersecurity mission for the next three years, establishes three main goals:

  • Address immediate threats by:
    • improving visibility into and mitigations of cyberthreats
    • coordinating disclosures, hunts and mitigations of critical vulnerabilities
    • planning and executing cyberdefense operations and incident response
  • Harden the terrain by:
    • understanding how attacks occur and how to stop them
    • driving effective cybersecurity investments
    • filling gaps in cybersecurity services
  • Drive security at scale by:
    • promoting the development of secure tech products
    • understanding and reducing emerging technologies’ cyber risks
    • helping to build a cyber workforce

To get all the details, check out CISA’s announcement and the full plan document.

6 – Biden seeks to limit U.S. investments in Chinese AI

Citing national security concerns, the Biden administration this week issued an executive order to regulate U.S. technology investments in certain “countries of concern,” including China, in areas including artificial intelligence, microelectronics and quantum computing.

The executive order calls for the creation of a national security program that the Treasury Department will be tasked with implementing and managing.

“This program will seek to prevent foreign countries of concern from exploiting U.S. investment in this narrow set of technologies that are critical to support their development of military, intelligence, surveillance, and cyber-enabled capabilities that risk U.S. national security,” reads the White House announcement.

The Treasury Department is now in the process of gathering public feedback to help it craft the rules of this executive order’s program. Draft regulations will be released at a later date.

419

Mobb Wins Black Hat Startup Spotlight Competition

The four finalists in the startup competition tackled problems in firmware security, cloud infrastructure, open source software, and vulnerability remediation.

420

Lapsus$ hackers took SIM-swapping attacks to the next level

Lapsus$ hackers paid telco employee $20,000 per week for SIM-swaps

The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture.

The review of the group’s operations began in December last year, following a long trail of incidents attributed to or claimed by Lapsus$, which leaked proprietary data from alleged victims.

Among high-profile companies impacted by Lapsus$ are Microsoft, Cisco, Okta, Nvidia, T-Mobile, Samsung, Uber, Vodafone, Ubisoft, and Globant.

Lapsus$ is described as a loosely organized group formed mainly of teenagers, with members in the U.K. and Brazil, who acted between 2021 and 2022 for notoriety, financial gain, or for fun. However, they also combined techniques of various complexity with “flashes of creativity.”

SIM-swap power

The Department of Homeland Security (DHS) Cyber Safety Review Board (CSRB) finalized its analysis and describes the group’s tactics and techniques in a report that also includes recommendations for the industry.

“Lapsus$ employed low-cost techniques, well-known and available to other threat actors, revealing weak points in our cyber infrastructure that could be vulnerable to future attacks” - Department of Homeland Security Cyber Safety Review Board.

The group used SIM swapping to gain access to a target company’s internal network and steal confidential information like source code, details about proprietary technology, or business and customer-related documents.

In a SIM-swapping attack, the threat actor steals the victim’s phone number by porting it to a SIM card owned by the attacker. The trick relies on social engineering or an insider at the victim’s mobile carrier.

With control over the victim’s phone number, the attacker can receive SMS-based ephemeral codes for two-factor authentication (2FA) required to log into various enterprise services or breach corporate networks.

[Figure: Fraudulent SIM-swap chain of events (source: DHS CSRB)]

Going to the source

In the case of Lapsus$, some of the fraudulent SIM swaps were performed straight from the telecommunications provider’s customer management tools after hijacking accounts belonging to employees and contractors.

To obtain confidential information about their victim (name, phone number, customer proprietary network information), members of the group sometimes used fraudulent emergency disclosure requests (EDRs).

An attacker can create a fake EDR by impersonating a legitimate requestor, such as a law enforcement agent, or by applying official logos to the request.

Lapsus$ also relied on insiders at targeted companies (employees or contractors) to obtain credentials, approve multi-factor authentication (MFA) requests, or use their internal access to help the threat actor.

“After executing the fraudulent SIM swaps, Lapsus$ took over online accounts via sign-in and account recovery workflows that sent one-time links or MFA passcodes via SMS or voice calls” - Department of Homeland Security Cyber Safety Review Board.

In one case, Lapsus$ used their unauthorized access to a telco provider to try to compromise mobile phone accounts connected to FBI and Department of Defense personnel.

The attempt was unsuccessful due to extra security implemented for those accounts.

Making and spending money

According to CSRB’s findings, the group paid as much as $20,000 per week to access a telecommunications provider’s platform and perform SIM swaps.

Although the FBI was not aware of Lapsus$ selling the data they stole and found no evidence of victims paying ransoms to the group, CSRB says that some security experts “observed Lapsus$ extorting organizations with some paying ransoms.”

According to CSRB’s findings, the group also exploited unpatched vulnerabilities in Microsoft Active Directory to increase their privileges on the victim network.

It is estimated that Lapsus$ leveraged Active Directory security issues in up to 60% of their attacks, showing that members of the group had the technical skills to move inside a network.

Hitting the brakes

While Lapsus$ was characterized by effectiveness, speed, creativity, and boldness, the group was not always successful in its attacks. It failed in environments that implemented application or token-based multi-factor authentication (MFA).

Robust network intrusion detection systems and the flagging of suspicious account activity also prevented Lapsus$ attacks. Where incident response procedures were followed, the impact was “significantly mitigated,” CSRB says in the report.

Although security researchers and experts have for years decried SMS-based authentication as insecure, DHS’ Cyber Safety Review Board highlights that “most organizations were not prepared to prevent” the attacks from Lapsus$ or other groups employing similar tactics.

The Board’s recommendations to prevent other actors from gaining unauthorized access to an internal network include:

  • transitioning to a passwordless environment with secure identity and access management solutions and discarding SMS as a two-step authentication method
  • prioritizing efforts to reduce the efficiency of social engineering through robust authentication capabilities that are resilient to MFA phishing
  • telco providers should treat SIM swaps as highly privileged actions that require strong identity verification, and provide account-locking options for consumers
  • strengthen Federal Communications Commission (FCC) and Federal Trade Commission (FTC) oversight and enforcement activities
  • planning for disruptive cyberattacks and investing in prevention, response, and recovery; adopting a zero-trust model and strengthening authentication practices
  • building resilience against social engineering attacks when it comes to Emergency Disclosure (Data) Requests
  • organizations should increase cooperation with law enforcement by reporting incidents promptly; the U.S. Government should provide “clear, consistent guidance about its cyber incident-related roles and responsibilities”

Lapsus$ has been silent since September 2022, likely due to law enforcement investigations that led to the arrests of several members of the group.

In March last year, the City of London Police announced the arrest of seven individuals linked to Lapsus$. A few days later, on April 1, two more were apprehended, a 16-year-old and a 17-year-old.

In October, during Operation Dark Cloud, the Brazilian Federal Police arrested an individual suspected to be part of the Lapsus$ extortion group, for breaching the systems of the country’s Ministry of Health.

421

Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116

Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116. "Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday. Kyber was chosen by the U.S. Department of Commerce's

422

Z-Library Petitions U.S. and Argentina to Cease ‘Illegal’ Criminal Prosecution

Z-Library has launched a petition calling on the U.S. Attorney General and Argentina's Minister of Foreign Affairs to stop the criminal prosecution, labeling it as illegal. The shadow library asks its supporters to sign a petition which stresses that the site is essential to ensure freedom of information and the progress of science.

From: TF, for the latest news on copyright battles, piracy and more.

423

Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying

Over a dozen Codesys vulnerabilities discovered by Microsoft researchers can be exploited to shut down industrial processes or deploy backdoors.

The post Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying appeared first on SecurityWeek.

424

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

Northern Ireland’s top police officer apologized for what he described as an “industrial scale” data breach in which the personal information of more than 10,000 officers and staff was released to the public.

The post Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach appeared first on SecurityWeek.

425

The Inability to Simultaneously Verify Sentience, Location, and Identity

Really interesting “systematization of knowledge” paper:

“SoK: The Ghost Trilemma”

Abstract: Trolls, bots, and sybils distort online discourse and compromise the security of networked platforms. User identity is central to the vectors of attack and manipulation employed in these contexts. However it has long seemed that, try as it might, the security community has been unable to stem the rising tide of such problems. We posit the Ghost Trilemma, that there are three key properties of identity—sentience, location, and uniqueness—that cannot be simultaneously verified in a fully-decentralized setting. Many fully-decentralized systems—whether for communication or social coordination—grapple with this trilemma in some way, perhaps unknowingly. In this Systematization of Knowledge (SoK) paper, we examine the design space, use cases, problems with prior approaches, and possible paths forward. We sketch a proof of this trilemma and outline options for practical, incrementally deployable schemes to achieve an acceptable tradeoff of trust in centralized trust anchors, decentralized operation, and an ability to withstand a range of attacks, while protecting user privacy.

I think this conceptualization makes sense, and explains a lot.