AgentTesla Malware Targets Users with Malicious Control Panel File

Cyble Research and Intelligence Labs analyzes the distribution method of AgentTesla malware using malicious control panel files.

The post AgentTesla Malware Targets Users with Malicious Control Panel File appeared first on Cyble.

Utilization of Leaked Ransomware Builders in Tech-Related Scams

Key Takeaways This blog sheds light on a new Tech Scam wherein scammers employ deceptive tactics to lure users into paying for non-existent antivirus solutions. Uncovering Tech Scammers possible involvement in different ransomware attacks. The IP address of a domain used in this scam is associated with both the TORZON MARKETPLACE, a DarkWeb marketplace, and …

Utilization of Leaked Ransomware Builders in Tech-Related Scams Read More »

The post Utilization of Leaked Ransomware Builders in Tech-Related Scams appeared first on Cyble.

Irish Police Data Breach Rattles Northern Ireland’s Security Landscape

By Habiba Rashid

The Police Service of Northern Ireland (PSNI) experienced a severe security breach, unintentionally revealing personal details of its entire workforce, including officers and civilian staff.

This is a post from HackRead.com Read the original post: Irish Police Data Breach Rattles Northern Ireland’s Security Landscape

Western Digital, Synology NAS Vulnerabilities Exposed Millions of Users’ Files

Critical vulnerabilities discovered in WD and Synology NAS devices could have exposed the files of millions of users.

The post Western Digital, Synology NAS Vulnerabilities Exposed Millions of Users’ Files appeared first on SecurityWeek.

DARPA launches two-year competition to build AI-powered cyber defenses

As a part of an ongoing White House initiative to make software more secure, the Defense Advanced Research Projects Agency (DARPA) plans to launch a two-year contest, the AI Cyber Challenge, that’ll task competitors with identifying and fixing software vulnerabilities using AI. In collaboration with AI startups Anthropic and OpenAI, as well as Microsoft and […]

Rust-Based Injector Deploys XWorm and Remcos RAT in Multi-Stage Attack

By Waqas

FortiGuard Labs Reveals Insights into Recent Surge of Cyberattacks Utilizing Rust Programming Language.

This is a post from HackRead.com Read the original post: Rust-Based Injector Deploys XWorm and Remcos RAT in Multi-Stage Attack

Collide+Power, Downfall, and Inception: New Side-Channel Attacks Affecting Modern CPUs

Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs. Called Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as

Google to fight hackers with weekly Chrome security updates

Google has changed the Google Chrome security updates schedule from bi-weekly to weekly to address the growing patch gap problem that allows threat actors extra time to exploit published n-day and zero-day flaws.

This new schedule will start with Google Chrome 116, scheduled for release today.

Google explains that Chromium is an open-source project, allowing anyone to view its source code and scrutinize developer discussions, commits, and fixes made by contributors in real time.

These changes, fixes, and security updates are then added to Chrome's development releases (Beta/Canary), where they are tested for stability, performance, or compatibility issues before they can be pushed to the stable Chrome release.

However, this transparency comes with a cost, as it also allows advanced threat actors to identify flaws before fixes reach a massive user base of stable Chrome releases and exploit them in the wild.

"Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven't yet received the fix," reads Google's announcement.

"This exploitation of a known and patched security issue is referred to as n-day exploitation."

The patch gap is the time it takes a security fix to be released for testing and for it to finally be pushed out to the main population in public releases of software.

Google identified the problem years ago when the patch gap averaged 35 days, and in 2020. With the release of Chrome 77, it switched to biweekly updates to try to reduce this number.

With the switch to weekly stable updates, Google further minimizes the patch gap and reduces the window of n-day exploitation opportunity to a single week.

While this is definitely a step in the right direction and will positively affect Chrome security, it's essential to underline that it's not ideal in the sense that it won't stop all n-day exploitation.

Reducing the interval between updates will stop the exploitation of flaws that demand more complex exploitation paths, which in turn require more time to develop.

However, there are some vulnerabilities for which malicious actors can build an effective exploit using known techniques, and these cases will remain a problem.

Even in those cases, though, active exploitation will still be reduced to a maximum of seven days in the worst-case scenario, given that users apply security updates as soon as they become available.

"Not all security bug fixes are used for n-day exploitation. But we don’t know which bugs are exploited in practice, and which aren't, so we treat all critical and high severity bugs as if they will be exploited," explains Chrome Security Team member Amy Ressler.

"A lot of work goes into making sure these bugs get triaged and fixed as soon as possible."

"Rather than having fixes sitting and waiting to be included in the next bi-weekly update, weekly updates will allow us to get important security bug fixes to you sooner, and better protect you and your most sensitive data."

Ultimately, the new update frequency will decrease the need for unplanned updates, enabling users and system administrators to adhere to a more consistent security maintenance schedule.

The vulnerability patch gap has also become a massive problem for Android, with Google recently warning that n-day flaws have become as dangerous as zero-days.

Unfortunately, the Android ecosystem makes it much harder for Google to control, as in many cases, a patch will be released, and it will take manufacturers months to introduce it into their phone's operating systems.

EvilProxy phishing campaign targets 120,000 Microsoft 365 users

EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts.

This new research comes from Proofpoint, which warns of a dramatic surge of successful cloud account takeover incidents in the past five months, impacting primarily high-ranking executives.

The cybersecurity company has observed a very large-scale campaign supported by EvilProxy, which combines brand impersonation, bot detection evasion, and open redirections.

EvilProxy attacks

EvilProxy is a phishing-as-a-service platform that employs reverse proxies to relay authentication requests and user credentials between the user (target) and the legitimate service website.

As the phishing server proxies the legitimate login form, it can steal authentication cookies once a user logs into their account.

Furthermore, as the user already had to pass MFA challenges when logging into an account, the stolen cookie allows the threat actors to bypass multi-factor authentication.

EvilProxy phishing attack flow
Source: Proofpoint

As reported in September 2022 by Resecurity, EvilProxy is sold to cyber criminals for $400/month, promising the ability to target Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI accounts.

A new phishing campaign observed by Proofpoint since March 2023 is using the EvilProxy service to send emails that impersonate popular brands like Adobe, DocuSign, and Concur.

Phishing email used in this campaign
Source: Proofpoint

If the victim clicks on the embedded link, they go through an open redirection via YouTube or SlickDeals, followed by a series of subsequent redirections that aim to lower the chances of discovery and analysis.

Eventually, the victim lands on an EvilProxy phishing page that reverse proxies the Microsoft 365 login page, which also features the victim's organization theme to appear authentic.

Attack stages
Source: Proofpoint

"In order to hide the user email from automatic scanning tools, the attackers employed special encoding of the user email, and used legitimate websites that have been hacked, to upload their PHP code to decode the email address of a particular user," explains Proofpoint.

"After decoding the email address, the user was forwarded to the final website – the actual phishing page, tailor-made just for that target’s organization."

Decoding the target's email address
Source: Proofpoint

Targeting peculiarities

The researchers discovered that the latest campaign redirects users with a Turkish IP address to a legitimate site instead, essentially calling off the attack, which might mean that the operation is based in Turkey.

Also, Proofpoint noticed that the attackers were very selective with which cases they would proceed to the account takeover phase, prioritizing "VIP" targets and ignoring those lower in the hierarchy.

Of those whose accounts were breached, 39% were C-level executives, 9% were CEOs and vice presidents, 17% were chief financial officers, and the rest were employees with access to financial assets or sensitive information.

Compromised targets
Source: Proofpoint

Once a Microsoft 365 account is compromised, the threat actors add their own multi-factor authentication method (via Authenticator App with Notification and Code) to establish persistence.

Reverse proxy phishing kits, and EvilProxy in particular, are a growing threat capable of delivering high-quality phishing at dangerous scales while bypassing security measures and account protections.

Organizations can only defend against this threat through higher security awareness, stricter email filtering rules, and adopting FIDO-based physical keys.

Preventative medicine for securing IoT tech in healthcare organizations

The widespread adoption of a digital transformation workspace and the shift to web applications has led to a global rise in cybercrime, with 2022 seeing an 87% year-over-year increase in IoT malware attacks.

With vast storehouses of sensitive data, newly adopted Internet of Medical Things technology, and often outdated cybersecurity systems, the healthcare industry has become a prime target for industrious cyber criminals seeking to exploit industry vulnerabilities for profit. Cyberattacks are on the rise in these industries and the attempted cyberattacks that target online apps rose by a notable 137% during the last year.

In this article, we will take a look at why healthcare organizations are at increased risk for cyberattacks. We will explore what the Internet of Medical Things is and will investigate how healthcare organizations should best assess the security of their networks.

We will then reveal why and how HIPAA plays a role in securing sensitive medical data and how attack surface management can secure the IoMT for healthcare organizations.

Why healthcare organizations are at increased risk for cyberattacks

Due to outdated technical systems and wide-ranging points of entry, there is a large potential for entry for savvy threat actors seeking to exploit vulnerabilities in the healthcare industry.

Since healthcare industry organizations are frequently running apps with inadequate protection and insufficient security precautions, the healthcare sector is a particular target for app-based and API-based attacks.

Healthcare organizations will need to embrace web application security testing to secure applications and stay on top of vulnerabilities from the latest cyberattack schemes.

Using broken object-level authorization (or BOLA) methods, hackers can adjust the identification of a particular object in the context of an API command.

This access allows hackers to manipulate the identity of the request, providing an easy access point for users to completely bypass gatekeeping measures and read restricted data. Unauthorized users can even erase a user’s private data.

This type of attack offers a wide range of potential for manipulating and extorting healthcare organizations, whose databases contain an abundant of sensitive information about patient medical histories, current health records, home addresses, and financial details.

What is the internet of medical things?

The Internet of Medical Things (IoMT) refers to the interconnected network of communication technologies that transmits data in real-time through a cloud computing structure, which can be used for Smart Health applications.

The Internet of Medical Things (IoMT) is an offshoot of the widely popular Internet of Things (IoT). The IoT provides enhanced AI-enabled communication between a wide variety of devices, including mobile phones, wearable devices, industrial sensors, and actuating ports, which convey information through cloud storage databases.

The IoT is used to connect smart homes, power smart cars, sync smart cities, establish smart energy grids, and enhance smart retail, among other uses.

The Internet of Medical Things, meanwhile, provides data communication among mobile computers, medical sensors, and cloud computation software. The syncing of these devices allows medical experts to monitor and conduct analyses of a patient’s vital signs and health progress.

Medical professionals can utilize the advanced capabilities provided by the IoMT to assess, diagnose, treat, and track patient conditions.

Given the amount of sensitive data that is transmitted via smart health devices, it is vital for healthcare organizations to secure the Internet of Medical Things. The data that is communicated through devices that combine to form the IoMT is transmitted through layered cloud computing platforms that medical professionals can access via web-based applications that draw data from the cloud.

These cloud data storage platforms can include database storage, access portals for various clients and professionals, and the exchange of Electronic Medical Records, or EMRs. Some interconnected IoMT devices can also offer patient portals so that patients can access their medical records and up-to-date information on their conditions in real-time.

How to assess the security of your healthcare organization?

Conducting an effective risk assessment process will allow IT experts and security managers to assess the overall cybersecurity level of your healthcare organization.

From basic individual security measures, such as a general secure password policy, to specific security patches that will need to be enacted, a security risk assessment should cover the entire breadth of your healthcare organization’s security approach.

A security risk assessment will identify any potential weak spots and vulnerable assets in the healthcare organization’s digital infrastructure, including specific employee training and awareness.

This risk assessment should include assembling an inventory of all of your organization’s assets to understand what is at risk of being compromised in the event of a successful cyberattack.

With this inventory in hand, you will be able to calculate the likely damages that could result to your healthcare organization in the event of a successful cyberattack.

For example, if a bad actor is able to access your organization’s EHR (electronic health records), your organization may find it necessary to halt all patient treatments and procedures until the records are reclaimed and secured. Or, your organization could incur fines for failing to comply with nationwide regulatory measures.

Your risk assessment process should include a comprehensive analysis of every possible threat, vulnerable situation, and exposed data. Natural disasters such as floods or blackouts can lead to exposed vulnerable databases, while insidious interpersonal attacks can come in the form of phishing emails, or DDoS, distributed denial-of-service attacks on the healthcare organization servers.

Embittered former employees with access to restricted servers and databases could enact their dissatisfaction via malicious tampering with sensitive data. Any risk situations should be considered to accurately assess the organization’s overall security situation- and will allow the right individuals to prevent and mitigate lasting damages.

How/why does HIPAA play a role?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, provides nationwide regulations that ensure that each healthcare organization complies with the latest baseline security measures. HIPAA provides guidelines that can instruct healthcare organizations on how to craft effective contingency plans that help mitigate the damages in unexpected situations, such as a fire or flood.

For instance, to comply with HIPAA regulations, healthcare organizations must maintain three copies of their entire database at a minimum. These three copies must be stored in at least two distinct types of media, and one of these three copies of data must be stored offsite. If an organization fails to meet the basic requirements mandated by HIPAA, they may be subject to ample fines as a consequence.

The United States Department of Health and Human Services, or HHS, released the HIPAA Privacy Rule to guarantee that healthcare organizations will remain in compliance with HIPAA standards.

The HIPAA Privacy Rule protects sensitive data that contains a patient’s health information from being released or shared without the explicit consent and knowledge of the patient in question. This rule encompasses both the sharing of patient records among medical professionals and the protection of patient records against bad actors and cyberattacks.

How can attack surface management secure your IoT?

Attack surface management can be used to secure the IoMT for healthcare organizations by embracing a risk-based vulnerability management program. Reducing the areas of security vulnerabilities for bad actors reduces the possibility of enacting successful cyberattacks from the onset.

Most successful attacks are enacted through the penetration of vulnerable devices, which provide a surface for the attack.

Cloud-based databases, network services, firmware, specific individual devices, storage systems, servers, and web-based apps can each contribute to either the safety or vulnerability of an overall system’s robust security program.

Proactively managing, measuring, and reducing an organization's Internet-facing attack surface can significantly reduce the risk of a network breach.

Using a combination of specialist in-house expertise along with our proprietary automation platform and attack surface analysis tools, we can provide everything from a single point-in-time risk analysis to longer-term planning, execution, and metrics collection as you work to reduce your exposure to Internet-based attacks.

Attack surface management requires strong authentication safeguards to ensure that each user requesting access to a restricted area is amply verified before being admitted to accessing the data in question.

Automated exploitative tools will be prevented from gaining initial access to a restricted system, and weak authentication areas will be patched to create a more effective security foundation.

Attack surface management reduces an organization’s potential vulnerability to internet-based cyberattacks, which will directly impact the overall security of the interconnected IoMT devices and systems since all of the sensitive medical data is stored and communicating over the internet.

Final Thoughts

The healthcare industry is in a state of transition, with more organizations increasingly coming to rely on interconnected Smart Health devices that run off the IoMT.

The Internet of Medical Things provides an innovative way for updating medical practices and providing enhanced patient condition analysis and treatment procedures. But without adequate security measures, healthcare organizations will be open to increased security vulnerabilities.

Identifying all possible threats and vulnerabilities is key to establishing sufficient security measures that will provide comprehensive protection across all aspects of the healthcare organization’s digital network and in-house software systems.

Maintaining compliance with HIPAA guidelines and standards can assure that healthcare organizations have sufficient security measures in place.

Enacting attack surface management can help secure the internet on which Internet of Medical Things devices run. Protecting patient data and Electronic Medical Records is key for ensuring a secure medical system as IoMT technology continues to evolve.

Sponsored and written by Outpost24

Symmetry raises $18M to bolster organizations’ data security programs

As organizations embrace cloud services — and are forced to confront changing regulations and data use standards — their ability to maintain control of data security frequently becomes strained. If they lose that control, the consequences can be quite severe. The average cost of a data breach is about $3.86 million (per IBM), and most […]

Out-of-bounds write vulnerabilities in popular chemistry software; Foxit PDF Reader issues could lead to remote code execution

Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.

RedHotel Checks in As Dominant China-Backed Cyberspy Group

The APT has been rampaging across three continents on behalf of China's Ministry of State Security, and now claims the throne as kings of intelligence gathering and economic espionage.

Interpol Shuts Down African Cybercrime Group, Seizes $2 Million

Operation Jackal involved law enforcement agencies in 21 countries and yielded more than 100 arrests.

AI Risk Database Tackles AI Supply Chain Risks

The open source tool — a collaboration between Robust Intelligence, MITRE, and Indiana University — assesses heavily shared, public machine learning models for risk.

China-Linked Hackers Strike Worldwide: 17 Nations Hit in 3-Year Cyber Campaign

Hackers associated with China's Ministry of State Security (MSS) have been linked to attacks in 17 different countries in Asia, Europe, and North America from 2021 to 2023. Cybersecurity firm Recorded Future attributed the intrusion set to a nation-state group it tracks under the name RedHotel (previously Threat Activity Group-22 or TAG-222), which overlaps with a cluster of activity broadly

Why Shellshock Remains a Cybersecurity Threat After 9 Years

Nearly a decade after it was disclosed, the Shellshock vulnerability still plagues organizations. Learn how to protect yourself.

Sweet Security Emerges From Stealth With $12 Million Seed Funding and a Cloud Runtime Solution

Israeli startup emerged from stealth with $12 million in Seed funding and launched a Cloud Runtime Security Suite.

The post Sweet Security Emerges From Stealth With $12 Million Seed Funding and a Cloud Runtime Solution appeared first on SecurityWeek.

Closing Coverage Gaps Where Customer Resources Meet Cloud Environments

Protecting the spaces where private, public, and hybrid clouds meet users' technologies requires a cloud-centric approach.

Introducing ExposureAI in Tenable One: Meet the Future of Preventive Cybersecurity

The Tenable One Exposure Management Platform is already transforming how organizations practice preventive cybersecurity. Now, with the introduction of Exposure AI, users can unleash the full potential of generative artificial intelligence to stay one step ahead of attackers.

Today, we unveiled ExposureAI in the Tenable One Exposure Management Platform, giving you new generative AI capabilities that will boost your preventive cybersecurity by elevating your cyber expertise. ExposureAI will help you accelerate how you search, analyze and make decisions so you can stay ahead of attackers.

Generative AI tools will change the way cybersecurity teams operate at a time when you’re facing unprecedented pressure as cyber defenders:

• More than 117,000 hosts and 600 new domains are created every minute
• 230 million cloud misconfigurations on average need to be addressed each day
• More than 480 new CVEs on average are published each week
• More than 95 million Active Directory accounts are attacked each day

We believe the future of preventive security is Exposure Management, powered by AI.

Search, explain and drive action faster with ExposureAI

ExposureAI will provide new insights to make exposure management more accessible, turning all analysts into expert defenders. Delivering the best AI-based capabilities requires having the best data, and we have the largest repository of contextual exposure data in the world. Specifically, ExposureAI leverages 1 trillion unique exposures, assets and security findings encompassing:

• 60 billion exposure events
• 800 million different security configurations
• 1 billion assets

This massive data platform that fuels the ExposureAI engine is called the Tenable Exposure Graph, our Snowflake-powered data lake.

ExposureAI will enhance exposure management programs in three important ways over the coming weeks and months:

Search

Finding needles in a haystack is hard, and so is searching for specific exposure and asset data. It often requires figuring out what filters are available, understanding which assets and exposures are supported by those filters, and running through an iterative exercise to whittle down the data until you discover exactly what you need. More skilled users could also take advantage of APIs and scripts to automate some of those tasks. But either approach takes significant time and resources.

ExposureAI introduces new ways to discover the data you’re looking for. Now, you will simply be able to ask questions using natural language search queries to accelerate the search process. Need to know your exposure to Log4Shell? No need to toggle through nested filters to create the query. Just type in, “How many assets have log4j installed,” and ExposureAI using generative AI will translate the question into a SQL-like query in the background to pull the relevant data. Are you focused only on users with keys to the kingdom? Just modify your query accordingly: “How many assets with Domain Administrator access have log4j installed?”

Example of natural language search queries in Tenable One

Sample results from natural language search query

Explain

Understanding exposures in the proper context can also be challenging and time intensive. Many factors must be considered as part of the analysis, such as exposure details, asset or resource characteristics, user entitlements, external accessibility and attack path details. Let’s use attack path analysis to illustrate this point. Typical attack path analysis solutions provide comprehensive insight from the threat actor’s perspective pertaining to specific attacker entry points, asset targets and threats. This information is generally displayed in a visual format to easily show and toggle between all potential paths with asset and user relationships. To understand the full attack sequence, analysts need to click on each node for step-by-step details, which requires elevated expertise to interpret the results and is extremely time consuming.

Attack Path Analysis in Tenable One uses ExposureAI to help eliminate that manual analysis by incorporating generative AI to summarize the complete attack path in a written narrative. Each narrative describes the attacker's tactics, techniques and procedures (TTPs) from the initial entry point all the way to the asset target. ExposureAI translates the attack path visualization details for faster explanation and analysis so that users can quickly make judgments on each attack path. This enables security generalists who don’t have PhDs in attack path analysis to understand powerful attacker-centric context into different exposures and use those insights to take precise and effective action.

Example of how ExposureAI explains an attack path from entry point to critical asset

Action

Making decisions regarding what security issues to address first is an age-old challenge. As mentioned above, organizations are bombarded with vulnerability and misconfiguration overload. Prioritizing and taking action to remediate high-risk exposures often requires you to know exactly where to look. And given today’s highly dynamic threat landscape, it’s important that practitioners constantly stay updated as threats evolve.

ExposureAI will help security teams be much more proactive in addressing emerging cyber risks. By using generative AI to continuously analyze exposure and asset data, ExposureAI will surface high-risk exposure insights and recommend actions, such as addressing software vulnerabilities, cloud misconfigurations, web app flaws and identity weaknesses. That’ll help you stay ahead of emerging threats. Stay tuned for more about this use case in the coming months.

Join Us at Black Hat USA 2023!

If you’re attending Black Hat USA 2023, please stop by booth #1632 to see ExposureAI demos of Tenable One and attend talks with our subject matter experts about generative AI.

Stay tuned for more information in the coming weeks. We’ll be providing additional product details in upcoming Tenable webinars, Tenable Community posts and Tenable Product Education videos.

Cybersecurity giant Rapid7 announces sweeping layoffs as losses mount

U.S. cybersecurity giant Rapid7 has announced plans to lay off 18% of its workforce, affecting more than 400 global employees. In a regulatory filing, the Boston-based cybersecurity company said its restructuring effort is “designed to improve operational efficiencies, reduce operating costs and better align the company’s workforce with current business needs.” The filing confirms that […]

Microsoft Paid Out $13 Million via Bug Bounty Programs for Fourth Consecutive Year

For the fourth consecutive year, Microsoft has paid out more than $13 million through its bug bounty programs.

The post Microsoft Paid Out $13 Million via Bug Bounty Programs for Fourth Consecutive Year appeared first on SecurityWeek.

Cloud Security Firm Kivera Raises $3.5 Million in Seed Funding

Australian cybersecurity startup Kivera raised $3.5 million in seed funding from General Advance, Round 13 Capital and angel investors.

The post Cloud Security Firm Kivera Raises $3.5 Million in Seed Funding appeared first on SecurityWeek.

Parsing the UK voter register cyberattack

A catastrophic breach of the United Kingdom electoral register affects tens of millions of residents following a cyberattack at the U.K. Electoral Commission. With data on more than 40 million voters accessed by unnamed hackers, the cyberattack is already one of the U.K.’s largest ever hacks. The Electoral Commission said the hackers accessed a “high […]

Continuous Security Validation with Penetration Testing as a Service (PTaaS)

Validate security continuously across your full stack with Pen Testing as a Service. In today's modern security operations center (SOC), it's a battle between the defenders and the cybercriminals. Both are using tools and expertise – however, the cybercriminals have the element of surprise on their side, and a host of tactics, techniques, and procedures (TTPs) that have evolved. These external