Spyware Maker Intellexa Sued by Journalist

The Greek journalist Thanasis Koukakis was spied on by his own government, with a commercial spyware product called “Predator.” That product is sold by a company in North Macedonia called Cytrox, which is in turn owned by an Israeli company called Intellexa.

Koukakis is suing Intellexa.

The lawsuit filed by Koukakis takes aim at Intellexa and its executives, alleging a criminal breach of privacy and communication laws, reports Haaretz. The founder of Intellexa, a former Israeli intelligence commander named Tal Dilian, is listed as one of the defendants in the suit, as is another shareholder, Sara Hemo, and the firm itself. The objective of the suit, Koukakis says, is to spur an investigation to determine whether a criminal indictment should be brought against the defendants.

Why does it always seem to be Israel? The world would be a much safer place if that government stopped this cyberweapons arms trade from inside its borders.

Ransomware – undeniably top of mind

A brief walk down memory lane:

Ransomware is not a new threat

Ransomware’s first documented attack was relatively rudimentary: in 1989 it was delivered on a floppy disk containing a malware program that told its victims to pay $189 in ransom to a PO Box in Panama. Today ransomware criminals are significantly more sophisticated, thanks to advances in cyber methods and cryptocurrencies. Not all ransomware is created equal. Like all malware, malicious code varies in sophistication and modularity, so not all ransomware is made the same: some of it is ordinary and even freely obtained on open-source platforms and forums, while other strains are highly sophisticated and operated exclusively by elite cybercrime syndicates.

How do we prepare for a ransomware incident?

Overcoming a ransomware incident is all about preparation; responding with uncertainty is a sign that no effective plan exists. Today’s media coverage focuses mainly on how ransomware affects people. Unless you are in the cybersecurity profession or aspiring to be, you may be unaware that ransomware is no different from other malicious software: the same cybersecurity tools and processes that protect systems from trivial malware such as crypto miners also protect against ransomware. The media does not cover stories about malicious software mining cryptocurrency on an end user’s machine because the only thing such software steals is processor time.

Align to a model, describe, and communicate

A good plan must be easy to communicate and measure, and there are several organizations that offer helpful frameworks and recommendations such as NIST and CISA.  As you analyze what is best for your organization, consider the ever-changing threat landscape and how you plan to adjust.  The following model offers an agile approach to reducing the risk of a ransomware incident:

Assess – identify gaps including people, process, and technology (where are we today?)
Plan – take action to address gaps (enable measurement)
Practice – test people, process, and technology (phishing, social engineering)
Measure – how are we doing?  identify remaining gaps
Adjust – close remaining gaps

Testing is a critical step in confirming that technology, people, and process work cohesively, yet it is often overlooked. As you establish your plan, emphasize testing and measurement to ensure the desired outcomes are being obtained. Communicate with key stakeholders and align to promote a culture of awareness.

The elephant in the room: To pay or not to pay:

All businesses need to be prepared for “if, not when.” Cyber criminals exploit vulnerabilities, not always a specific business. The average dwell time is closing in on 300 days. Once inside, a malicious actor can work their way to financial information. If the financial information is known, the ransom is set at or below an expected threshold. This is critical for small and medium businesses, given their limited resources and owners’ strong emotional ties to the firm. Malicious actors strike at that emotional vulnerability and negotiate payment based on the known financials. Establishing a plan is critical to reducing the risk of emotion driving the decision to pay.

Paying a ransom is a business financial decision, like converting cash to crypto on your balance sheet. It can also be considered illegal and therefore not an option, as you effectively support terrorism. Outside of the legal issues, consider the following:

How much data must be re-entered to recover the changes made since the last backup? Is this possible or feasible? Often this cost exceeds the ransom demand.
What assurances do you have that your data can be decrypted?
Is this still a breach per state / federal guidelines? Was the data posted to the dark web for sale? How do you prove or disprove this?

Statistics show over 50% of victims are reinfected within 6-18 months. Paying the ransom doesn’t prevent the root cause of exploitation. 

Recent threat actors are not allowing for the use of third-party negotiation. Data is automatically leaked to the world if involved, and threat actors move on to the next victim.

Importance of security orchestration and backup

Modern ransomware protection requires an integrated security architecture that can stretch from endpoints to network and the cloud to detect, correlate and remediate attacks. Your remediation options are essentially either recovering from backups or paying a ransom. The challenge is, just “restoring from backup” oversimplifies the process and causes many organizations to make assumptions about their backup and recovery capabilities, and this often leads to data loss.

To avoid the worst-case scenario, having a plan in place that includes verified, tested and secure backups that can be restored quickly is key to surviving modern attacks like ransomware. It’s important to always remember that your backup infrastructure is part of your overall cybersecurity defense plan and can be the final option for getting back to, or staying in, business.
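The two paragraphs above argue that “restoring from backup” is only a real option if the backup has been verified and the restore tested. The script below is an added example, not code from the original post or any vendor tool: it builds a checksum manifest at backup time and then compares a restored tree against it, reporting files that are missing, altered or unexpected. The directory layout, file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path, size and SHA-256 for every file under root.
    Keep the manifest apart from the backup itself (offline or immutable storage),
    so whoever reaches the backup cannot also rewrite the checksums."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    Reports files that are missing, whose content changed, or that appeared
    without being in the manifest (wrong snapshot or tampering)."""
    missing, modified = [], []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != expected["size"] or sha256_of(p) != expected["sha256"]:
            modified.append(rel)
    present = {p.relative_to(restored_root).as_posix()
               for p in restored_root.rglob("*") if p.is_file()}
    unexpected = sorted(present - set(manifest))
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "ok": not (missing or modified or unexpected)}


def demo(corrupt: bool = True) -> dict:
    """Constructed scenario (not real data): back up three small files, then
    check a restore. With corrupt=True the restore has one file altered and
    one missing; with corrupt=False it is a faithful copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        (src / "finance").mkdir(parents=True)
        (dst / "finance").mkdir(parents=True)
        files = {
            "finance/ledger.csv": b"acct,amount\n1001,250.00\n",
            "finance/payroll.csv": b"emp,net\n7,3100.00\n",
            "readme.txt": b"quarterly close\n",
        }
        for rel, data in files.items():
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)

        # "Restore": copy everything back, or simulate a flawed restore.
        for rel, data in files.items():
            if corrupt and rel == "readme.txt":
                continue                        # this file never came back
            if corrupt and rel == "finance/payroll.csv":
                data = b"emp,net\n7,0.00\n"     # content silently altered
            (dst / rel).write_bytes(data)
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
    print(demo(corrupt=False))
```

Running `demo()` reports `readme.txt` as missing and `finance/payroll.csv` as modified; `demo(corrupt=False)` reports a clean restore. In practice the manifest would be written at backup time and the verification run as part of every restore drill, so that a bad backup is discovered during practice rather than during an incident.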

Here are a few options to consider to proactively protect your attack surface:

Security awareness training

Your organization can have all the best technology at its disposal to prevent threats, but if your employees are not careful about the emails they open or the links they click, the technology won’t help you. Your employees are the weakest link in the cybersecurity chain — that includes everyone — from the C-suite to the boardroom to all stakeholders. Corporate cultures that place greater importance on cybersecurity typically put those organizations in a better position to prevent ransomware.

Zero trust mindset and micro segmentation

In many ransomware cases, hackers gain access to one segment of a network and then freely move laterally to other network segments to obtain the “crown jewels”. But what if the hackers are unable to move within your network and get stuck in one small, data-free segment? That’s the concept of micro segmentation, in which only certain users can access critical applications and networks. By default, access requests from additional users or applications are blocked.

A Zero trust architecture improves upon the micro segmentation strategy, by incorporating authentication and identity management, encryption, vulnerability and patch management, and comprehensive monitoring of devices, traffic, and applications.

While Zero trust should be your ultimate goal, adopting the architecture requires significant planning. Deploying micro segmentation should be the bare minimum in efforts to reduce lateral movement.
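The three paragraphs above describe micro segmentation as an allow-list of segment-to-segment access with everything else blocked by default. The script below is an added example, not code from the original post: it evaluates observed flows against such an allow-list and then flags any source segment whose denied flows spread across several destinations, which is the pattern a defender would want alerted on. The segment names, ports and sample flows are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source segment
    dst: str   # destination segment
    port: int  # destination port


# Constructed allow-list for a small environment (hypothetical segment names).
# Anything not listed is denied; that default is what stops lateral movement.
ALLOW = {
    Flow("workstations", "web-tier", 443),
    Flow("web-tier", "app-tier", 8443),
    Flow("app-tier", "db-tier", 5432),
    Flow("backup-server", "db-tier", 5432),
    Flow("admin-jump", "db-tier", 22),
}


def decide(flow: Flow, allow=ALLOW) -> str:
    """Default deny: a flow is allowed only if an explicit rule matches it."""
    return "allow" if flow in allow else "deny"


def audit(flows, allow=ALLOW) -> list:
    """Evaluate observed flows and return the ones the policy denies."""
    return [f for f in flows if decide(f, allow) == "deny"]


def lateral_movement_suspects(denied, min_distinct_dsts: int = 2) -> list:
    """Sources whose denied flows reached several different segments. One denied
    flow is usually a misconfiguration; a spread of them looks like probing."""
    dsts = defaultdict(set)
    for f in denied:
        dsts[f.src].add(f.dst)
    return sorted(s for s, d in dsts.items() if len(d) >= min_distinct_dsts)


# Constructed sample of flows a segmentation gateway might log (not real traffic).
SAMPLE_FLOWS = [
    Flow("workstations", "web-tier", 443),       # normal user traffic
    Flow("workstations", "db-tier", 5432),       # desktop talking straight to the database
    Flow("workstations", "backup-server", 445),  # desktop reaching for backups over SMB
    Flow("web-tier", "db-tier", 5432),           # web tier skipping the app tier
    Flow("app-tier", "db-tier", 5432),           # expected path
    Flow("backup-server", "db-tier", 5432),      # scheduled backup job
]


def demo():
    denied = audit(SAMPLE_FLOWS)
    return denied, lateral_movement_suspects(denied)


if __name__ == "__main__":
    denied, suspects = demo()
    for f in denied:
        print("DENY", f)
    print("suspects:", suspects)
```

Three of the six sample flows are denied, and `workstations` is the only source that tried more than one unauthorised segment. Note that rules are directional: `app-tier` may open 5432 to `db-tier`, but nothing in the list lets the database tier initiate a connection back.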

Endpoint protection

In the fight against ransomware, endpoint protection is a tool that prevents the ransomware program from even installing and running on the infected device. Taking endpoint protection a step further, endpoint detection and response (EDR) can detect the threat, analyze its nature, and alert your team about the how, what, and where of the attack. EDR solutions essentially contain the threat and prevent it from spreading.

Incident response plan and practice

If your organization falls victim to ransomware, the damage extends well beyond the financial costs. With a ransomware attack, timing is everything. Responding to a ransomware attack is an integral part of your incident management program. But in too many cases, resources for IT teams are stretched thin. Working with a managed incident response team, you get the experience and expertise of cyber defense consultants to either lead the investigation or supplement your internal IT or cybersecurity team.

A quick glance at best practices

Consider options for having an Incident Response Retainer to help with the following.

Quickly respond to attacks and mitigate impact
Minimize impacts of a potential breach
Quickly analyze and recover from the breach
Mitigate security risk
Improve incident response
Leverage an “all hands on deck” approach, which includes in-depth digital forensic analysis, breach support, and compromise detection

It is also important to conduct periodic vulnerability assessments to find and patch potential security weaknesses.  In the end, the best way to protect against ransomware is to work with experts to protect against the attacks. Even the best and most security-aware employees may one day fall for a sophisticated phishing email, leading to ransomware. If an attack occurs, knowing you can rely on experts to conduct the forensic investigation to mitigate the risk can make all the difference.

Cybersecurity Snapshot: 6 Things That Matter Right Now

Topics that are top of mind for the week ending Oct. 7 | CISA puts spotlight on asset inventory and vulnerability management | Think tank does deep dive on IoT security | What’s the current state of cybersecurity? Not great | New malware cracks monthly top 10 list | And much more!

1 – CISA: Asset inventory and VM are fundamental practices

As Cybersecurity Awareness Month kicks off, here’s a fresh reminder from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that visibility into all of your IT assets and their vulnerabilities is critical for reducing cyber risk.

In a “binding operational directive” issued this week, CISA stresses the importance of having an updated, comprehensive inventory of IT assets and of continuously detecting their vulnerabilities.

The document’s requirements include that, by April 3, 2023, civilian executive-branch agencies of the federal government be able to:

Perform automated discovery of IP-addressable networked assets that are on-prem, remote and in the cloud every seven days.
Trigger vulnerability detection across all discovered assets every 14 days.
Ingest detected vulnerabilities into CISA’s Continuous Diagnostics and Mitigation (CDM) dashboard within 72 hours of discovery.
Search for inventoried assets and detected vulnerabilities within 72 hours of receiving a CISA request and deliver the results within seven days. 
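The four requirements above are cadences (every seven days, every 14 days, within 72 hours) that an agency has to be able to demonstrate it meets. The script below is an added example, not CISA’s or CDM’s tooling and not from the original post: it takes an asset inventory and a list of detected vulnerabilities, each with timestamps, and reports every asset or finding that misses one of the three time-based cadences. The asset names, finding ids and dates are constructed sample data; finding ids are placeholders rather than real CVE numbers.

```python
from datetime import datetime, timedelta, timezone

# Cadences as summarised in the text above.
DISCOVERY_EVERY = timedelta(days=7)
DETECTION_EVERY = timedelta(days=14)
INGEST_WITHIN = timedelta(hours=72)


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp; all sample data here is treated as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def check_cadence(assets: list, findings: list, now: datetime) -> list:
    """Return (asset_id, problem) pairs for every directive cadence that is missed.

    assets:   dicts with id, last_discovered, last_vuln_scan (None if never scanned)
    findings: dicts with id, asset_id, detected_at, ingested_at (None if not yet sent)
    """
    problems = []
    for a in assets:
        since_disc = now - ts(a["last_discovered"])
        if since_disc > DISCOVERY_EVERY:
            late = (since_disc - DISCOVERY_EVERY).days
            problems.append((a["id"], f"discovery overdue by {late}d"))
        if a["last_vuln_scan"] is None:
            problems.append((a["id"], "never scanned for vulnerabilities"))
        else:
            since_scan = now - ts(a["last_vuln_scan"])
            if since_scan > DETECTION_EVERY:
                late = (since_scan - DETECTION_EVERY).days
                problems.append((a["id"], f"vulnerability detection overdue by {late}d"))
    for f in findings:
        deadline = ts(f["detected_at"]) + INGEST_WITHIN
        if f["ingested_at"] is None:
            if now > deadline:
                problems.append((f["asset_id"], f"{f['id']} not ingested and 72h deadline passed"))
        elif ts(f["ingested_at"]) > deadline:
            problems.append((f["asset_id"], f"{f['id']} ingested after the 72h deadline"))
    return problems


# Constructed sample inventory and findings (hypothetical hosts and ids).
NOW = ts("2023-04-10T00:00:00")
ASSETS = [
    {"id": "srv-01", "last_discovered": "2023-04-08T00:00:00", "last_vuln_scan": "2023-04-01T00:00:00"},
    {"id": "cloud-vm-17", "last_discovered": "2023-03-28T00:00:00", "last_vuln_scan": "2023-03-20T00:00:00"},
    {"id": "laptop-remote-3", "last_discovered": "2023-04-09T00:00:00", "last_vuln_scan": None},
]
FINDINGS = [
    {"id": "F-100", "asset_id": "srv-01", "detected_at": "2023-04-05T00:00:00", "ingested_at": "2023-04-06T12:00:00"},
    {"id": "F-101", "asset_id": "cloud-vm-17", "detected_at": "2023-04-01T00:00:00", "ingested_at": "2023-04-06T00:00:00"},
    {"id": "F-102", "asset_id": "laptop-remote-3", "detected_at": "2023-04-09T00:00:00", "ingested_at": None},
    {"id": "F-103", "asset_id": "srv-01", "detected_at": "2023-04-03T00:00:00", "ingested_at": None},
]


def demo() -> list:
    return check_cadence(ASSETS, FINDINGS, NOW)


if __name__ == "__main__":
    for asset_id, problem in demo():
        print(f"{asset_id}: {problem}")
```

With the sample data, `cloud-vm-17` misses both the discovery and detection cadences and its finding was ingested late, `laptop-remote-3` has never been scanned, and one of `srv-01`’s findings has sat un-ingested past the 72-hour window; `F-102` is still inside its window and is not reported. The fourth requirement (answering a CISA request within 72 hours) is a process obligation rather than a timestamp comparison and is not modelled here.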

Further analysis and commentary about the CISA directive from FCW, Forrester, The Record and Federal News Network

More resources about Cybersecurity Awareness Month from CISA, the National Cybersecurity Alliance, the Center for Internet Security and the National Institute of Standards and Technology.

For more information about asset inventory and vulnerability management, check out these Tenable resources:

VM Fundamentals: How to Perform Asset Discovery and Classification
Full IT Visibility Requires Business Risk Context
These Are the Building Blocks of Effective Vulnerability Management
Busting 5 Common Myths About Vulnerability Assessment
Cloud Security: Why You Shouldn’t Ignore Ephemeral Assets

2 – A framework for securing the IoT ecosystem

The Internet of Things (IoT) ecosystem – devices, services, networks – keeps growing, along with complex cybersecurity issues that accompany it. 

In a new report, the Atlantic Council think tank outlines key technology and policy issues that complicate IoT security, using the U.S., the U.K., Australia and Singapore as case studies, and zooming in on three industries: smart homes; networking and telecommunications; and consumer healthcare.

The report also recommends specific steps that governments can take to help make IoT products more secure, including:

Mandate that IoT manufacturers operating in their markets meet a baseline of minimally acceptable security requirements for their products.
Pressure domestic suppliers and retailers to demand from manufacturers that they make their IoT products more secure.
Create advanced security requirements for IoT products, and encourage manufacturers to adopt them.

Overview of Actors and Actions to Improve IoT Security

(Source: Atlantic Council’s “Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem,” Sept. 2022)

For more information about IoT security:

What is IoT security? (TechTarget)
IoT Security Assurance Framework (IoT Security Foundation)
Securing the Internet of Things (U.S. Department of Homeland Security)
Securing the IoT Supply Chain (IoT Security Foundation)
Three strategies for navigating the fragmented IoT security ecosystem (IoXT Alliance)

3 – U.S. government details hack of defense organization

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released an eye-opening joint advisory this week, outlining a months-long advanced persistent threat (APT) attack against an unnamed “defense industrial base organization.”

According to the advisory, it’s likely that multiple APT groups were involved and that they used an open-source toolkit called Impacket to breach the victim’s enterprise network and an exfiltration tool called CovalentStealer to swipe sensitive data. The attackers also exploited a Microsoft Exchange vulnerability to access company email accounts.

The agencies want defense industrial organizations and critical infrastructure providers to read the advisory to understand how the hack was carried out and how they could defend themselves against similar attacks.

Here’s a quick glance at some mitigation recommendations:

Segment networks based on role and functionality
Manage vulnerabilities and misconfigurations
Search for anomalous behavior
Restrict and secure use of remote admin tools
Implement a mandatory access control model
Audit account usage

More coverage and analysis about this advisory from The Hacker News, MeriTalk, The Record and Infosecurity Magazine.

4 – A temperature check on tool sprawl

There’s a trend among CISOs wanting to consolidate their cybersecurity product stacks and shrink their roster of vendors, in an attempt to rein in tool sprawl. It’s a pain point for cyber teams, as they move away from siloed point tools and seek integrated products that interoperate and share data, and that ultimately make it easier to get actionable insights for reducing cyber risk. At a recent Tenable webinar, we took the opportunity to poll participants about the size of their tool stacks. Here’s what we found.

(99 respondents polled by Tenable in Sept. 2022)

For more information about this topic:

The shift to integrated cybersecurity platforms: a growing trend among CISOs (Tenable)
Most enterprises looking to consolidate security vendors (CSO Magazine)
Note to Security Vendors: Companies Are Picking Favorites (Dark Reading)
Thanks to the economy, cybersecurity consolidation is coming (Protocol)
Cybersecurity: Best-of-Breed Approach or Single-Vendor Platform? (BizTech Magazine)

5 – The state of cybersecurity? Not good enough

Here’s a bumper crop of insights into how security teams are tackling – with varying degrees of success – the challenges of a growing and complex attack surface: the wide-ranging “2022 State of Cybersecurity” report from the non-profit Computing Technology Industry Association (CompTIA).

“Digital transformation driven by cloud and mobile adoption is forcing a new strategic approach to cybersecurity, but fully adopting this new approach poses significant challenges, both tactically and financially,” reads the report.

As a result, the report, which polled more than 1,200 business and IT pros involved in cybersecurity in the U.S., Canada, Europe, Oceania and Southeast Asia, concludes that cybersecurity remains “a problematic area” which is making “relatively slow progress.”

Meanwhile, four key trends are impacting cybersecurity teams, including: 

The further merging of cybersecurity and business operations
An emphasis on zero trust to trigger improvements
A focus on staff specialization 
A boost in tools’ automated capabilities

When asked to list their organization’s main changes in cybersecurity approach this year, the 500 U.S. respondents listed these top five:

Higher priority on incident response (cited by 43%)
More diverse set of technology tools (39%)
Greater focus on process improvement (38%)
Shift to proactive measures (37%)
Greater focus on employee education (36%)

As they deal with the most common types of incidents – malware-infected devices and infrastructure, lost or stolen devices, unauthorized backend access and ransomware attacks – U.S. respondents react in various ways, as illustrated by the charts below.

(Source: CompTIA’s “2022 State of Cybersecurity” report, Sept. 2022)

For more information:

Check out highlights from the report
Read the full report on the web or as a PDF

6 – CIS: New strains show up in August’s top malware list

The Center for Internet Security recently released its list of the top malware for August, noting that the lineup features notable changes compared with the previous month.

Namely, LingyunNet, RecordBreaker and TeamSpy made their debut on the monthly list, and SocGholish and Tinba returned to it.

Here’s the full list:

SocGholish, a remote access trojan (RAT) and a banking trojan that uses fake Flash updates
ZeuS, a modular banking trojan that uses keystroke logging
CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI) and EternalBlue
TeamSpy, spyware that uses remote access tool TeamViewer and malware to steal information
NanoCore, a RAT that spreads via malspam as a malicious Excel spreadsheet
LingyunNet, riskware that uses victims’ system resources
Agent Tesla, a RAT that captures credentials, keystrokes and screenshots
Gh0st, a RAT for creating backdoors to control endpoints
RecordBreaker, an information stealer that’s the successor to Raccoon Stealer
Tinba, a banking trojan also known as Tiny Banker because of its small file size

(Source: Center for Internet Security, Sept. 2022)

To get all the details, context and indicators of compromise for each malware, read the CIS report.

Tenable has launched the Tenable One Exposure Management Platform, which unifies a variety of data sources into a single exposure view to help organizations gain visibility, prioritize efforts and communicate cyber risks. Check out these resources to learn more about it!  

Introducing the Tenable One Exposure Management Platform (blog)
Exposure Management: Reducing Risk in the Modern Attack Surface (blog)
3 Real-World Challenges Facing Cybersecurity Organizations: How an Exposure Management Platform Can Help (white paper)
From Risk-Based Vulnerability Management to Exposure Management (infographic)
Exposure Management and the Future of Cybersecurity (LinkedIn Live)

3 actions Latin American leaders must take to reduce risk of cyberattacks

We have witnessed increased cyberattacks on the Latin American region in recent days. Mexico’s President Obrador confirmed that its government has suffered what is perhaps a sensitive attack on its intelligence and armed forces. Chilean Armed Forces suffered a similar attack and its judiciary system was also compromised. The Colombian National Institute for Drug and Food Surveillance (INVIMA) was also attacked. Moreover, there was an attempt to breach systems at the Ministry of Health of Costa Rica, a country that was the victim of a large ransomware attack this year.
