Attacks increasingly use malicious HTML email attachments

Read Time:43 Second

Researchers warn that attackers are relying more on malicious HTML files in their attacks, with malicious files now accounting for half of all HTML attachments sent via email. This rate of malicious HTML prevalence is double compared to what it was last year and doesn’t appear to be the result of mass attack campaigns that send the same attachment to a large number of people.

“When it comes to attack tactics and tools, the fact that something has been around for a while doesn’t appear to make it any less potent,” researchers from security firm Barracuda Networks said in a new report. “Malicious HTML is still being used by attackers because it works. Getting the right security in place is as important now as it has ever been, if not more so.”

To read this article in full, please click here

Read More

BlackCat group releases screenshots of stolen Western Digital data

Read Time:33 Second

Ransomware group BlackCat has released a set of screenshots on its leak site that it claims are from data stolen from Western Digital in an April system breach. The images include screenshots of videoconferences and internal emails of the storage device manufacturer, according to a tweet by cybersecurity researcher Dominic Alvieri.

The screenshots also included an image of a recent meeting held by Western Digital where the company was discussing how to respond to the cyberattack. The ransomware group, along with the image, wrote, “with the finest threat hunters Western Digital has to offer.” The images of the participants were blurred.

To read this article in full, please click here

Read More

CVE-2022-3405

Read Time:12 Second

Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.

Read More

CVE-2022-30995

Read Time:9 Second

Sensitive information disclosure due to improper authentication. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.

Read More

Fortify your Mac with Intego – the award-winning Mac antivirus

Read Time:20 Second

Graham Cluley Security News is sponsored this week by the folks at Intego. Thanks to the great team there for their support! Established in 1997, Intego is the leading company for Mac antivirus, providing powerful and reliable protection against malware, viruses, and other online threats. Intego offers a wide range of comprehensive security products designed … Continue reading “Fortify your Mac with Intego – the award-winning Mac antivirus”

Read More

oneM2M IoT security specifications granted ITU approval

Read Time:37 Second

The ITU Telecommunication Standardization Sector (ITU-T) has approved a set of security specifications for internet of things (IoT) systems. The oneM2M specifications define a common set of IoT service functions to enable secure data exchange and information interoperability across different vertical sectors, service providers, and use cases. The specifications were approved by more than 190 countries and are now available for use by ITU-T member states.

The ITU-T is responsible for coordinating standards for telecommunications and information communication technology for cybersecurity. It is one of the three branches of the International Telecommunication Union (ITU), a specialized agency of the United Nations that oversees matters relating to information and communication technologies.

To read this article in full, please click here

Read More

SolarWinds Detected Six Months Earlier

Read Time:1 Minute, 13 Second

New reporting from Wired reveals that the Department of Justice detected the SolarWinds attack six months before Mandient detected it in December 2020, but didn’t realize what they detected—and so ignored it.

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020­but the scale and significance of the breach wasn’t immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it’s not clear why the software maker was also brought onto the investigation.

[…]

Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.

Read More

Looking at a penetration test through the eyes of a target

Read Time:8 Minute, 2 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Analyzing an organization’s security posture through the prism of a potential intruder’s tactics, techniques, and procedures (TTPs) provides actionable insights into the exploitable attack surface. This visibility is key to stepping up the defenses of the entire digital ecosystem or its layers so that the chance of a data breach is reduced to a minimum. Penetration testing (pentesting) is one of the fundamental mechanisms in this area.

The need to probe the architecture of a network for weak links through offensive methods co-occurred with the emergence of the “perimeter security” philosophy. Whereas pentesting has largely bridged the gap, the effectiveness of this approach is often hampered by a crude understanding of its goals and the working principles of ethical hackers, which skews companies’ expectations and leads to frustration down the line.

The following considerations will give you the big picture in terms of prerequisites for mounting a simulated cyber incursion that yields positive security dividends rather than being a waste of time and resources.

Eliminating confusion with the terminology

Some corporate security teams may find it hard to distinguish a penetration test from related approaches such as red teaming, vulnerability testing, bug bounty programs, as well as emerging breach and attack simulation (BAS) services. They do overlap in quite a few ways, but each has its unique hallmarks.

Essentially, a pentest is a manual process that boils down to mimicking an attacker’s actions. Its purpose is to find the shortest and most effective way into a target network through the perimeter and different tiers of the internal infrastructure. The outcome is a snapshot of the system’s protections at a specific point in time.

In contrast to this, red teaming focuses on exploiting a segment of a network or an information / operational technology (IT/OT) system over an extended period. It is performed more covertly, which is exactly how things go during real-world compromises. This method is an extremely important prerequisite for maintaining OT cybersecurity, an emerging area geared toward safeguarding industrial control systems (ICS) at the core of critical infrastructure entities.

Vulnerability testing, in turn, aims to pinpoint flaws in software and helps understand how to address them. Bug bounty programs are usually limited to mobile or web applications and may or may not match a real intruder’s behavior model. In addition, the objective of a bug bounty hunter is to find a vulnerability and submit a report as quickly as possible to get a reward rather than investigating the problem in depth.

BAS is the newest technique on the list. It follows a “scan, exploit, and repeat” logic and pushes a deeper automation agenda, relying on tools that execute the testing with little to no human involvement. These projects are continuous by nature and generate results dynamically as changes occur across the network.

By and large, there are two things that set pentesting aside from adjacent security activities. Firstly, it is done by humans and hinges on manual offensive tactics, for the most part. Secondly, it always presupposes a comprehensive assessment of the discovered security imperfections and prioritization of the fixes based on how critical the vulnerable infrastructure components are.

Choosing a penetration testing team worth its salt

Let’s zoom into what factors to consider when approaching companies in this area, how to find professionals amid eye-catching marketing claims, and what pitfalls this process may entail. As a rule, the following criteria are the name of the game:

Background and expertise. The portfolio of completed projects speaks volumes about ethical hackers’ qualifications. Pay attention to customer feedback and whether the team has a track record of running pentests for similar-sized companies that represent the same industry as yours.
Established procedures. Learn how your data will be transmitted, stored, and for how long it will be retained. Also, find out how detailed the pentest report is and whether it covers a sufficient scope of vulnerability information along with severity scores and remediation steps for you to draw the right conclusions. A sample report can give you a better idea of how comprehensive the feedback and takeaways are going to be.
Toolkit. Make sure the team leverages a broad spectrum of cross-platform penetration testing software that spans network protocol analyzers, password-cracking solutions, vulnerability scanners, and for forensic analysis. A few examples are Wireshark, Burp Suite, John the Ripper, and Metasploit.
Awards and certifications. Some of the industry certifications recognized across the board include Certified Ethical Hacker (CEH), Certified Mobile and Web Application Penetration Tester (CMWAPT), GIAC Certified Penetration Tester (GPEN), and Offensive Security Certified Professional (OSCP).

The caveat is that some of these factors are difficult to formalize. Reputation isn’t an exact science, nor is expertise based on past projects. Certifications alone don’t mean a lot without the context of a skill set honed in real-life security audits. Furthermore, it’s challenging to gauge someone’s proficiency in using popular pentesting tools. When combined, though, the above criteria can point you in the right direction with the choice.

The “in-house vs third-party” dilemma

Can an organization conduct penetration tests on its own or rely solely on the services of a third-party organization? The key problem with pentests performed by a company’s security crew is that their view of the supervised infrastructure might be blurred. This is a side effect of being engaged in the same routine tasks for a long time. The cybersecurity talent gap is another stumbling block as some organizations simply lack qualified specialists capable of doing penetration tests efficiently.

To get around these obstacles, it is recommended to involve external pentesters periodically. In addition to ensuring an unbiased assessment and leaving no room for conflict of interest, third-party professionals are often better equipped for penetration testing because that’s their main focus. Employees can play a role in this process by collaborating with the contractors, which will extend their security horizons and polish their skills going forward.

Penetration testing: how long and how often?

The duration of a pentest usually ranges from three weeks to a month, depending on the objectives and size of the target network. Even if the attack surface is relatively small, it may be necessary to spend extra time on a thorough analysis of potential entry points.

Oddly enough, the process of preparing a contract between a customer and a security services provider can be more time-consuming than the pentest itself. In practice, various approvals can last from two to four months. The larger the client company, the more bureaucratic hurdles need to be tackled. When working with startups, the project approval stage tends to be much shorter.

Ideally, penetration tests should be conducted whenever the target application undergoes updates or a significant change is introduced to the IT environment. When it comes to a broad assessment of a company’s security posture, continuous pentesting is redundant – it typically suffices to perform such analysis two or three times a year.

Pentest report, a goldmine of data for timely decisions

The takeaways from a penetration test should include not only the list of vulnerabilities and misconfigurations found in the system but also recommendations on the ways to fix them. Contrary to some companies’ expectations, these tend to be fairly general tips since a detailed roadmap for resolving all the problems requires a deeper dive into the customer’s business model and internal procedures, which is rarely the case.

The executive summary outlines the scope of testing, discovered risks, and potential business impact. Because this part is primarily geared toward management and stakeholders, it has to be easy for non-technical folks to comprehend. This is a foundation for making informed strategic decisions quickly enough to close security gaps before attackers get a chance to exploit them.

The description of each vulnerability unearthed during the exercise must be coupled with an evaluation of its likelihood and potential impact according to a severity scoring system such as CVSS. Most importantly, a quality report has to provide a clear-cut answer to the question “What to do?”, not just “What’s not right?”. This translates to remediation advice where multiple hands-on options are suggested to handle a specific security flaw. Unlike the executive summary, this part is intended for IT people within the organization, so it gets into a good deal of technical detail.

The bottom line

Ethical hackers follow the path of a potential intruder – from the perimeter entry point to specific assets within the digital infrastructure. Not only does this strategy unveil security gaps, but it also shines a light on the ways to resolve them.

Unfortunately, few organizations take this route to assess their security postures proactively. Most do it for the sake of a checklist, often to comply with regulatory requirements. Some don’t bother until a real-world breach happens. This mindset needs to change.

Of course, there are alternative methods to keep abreast of a network’s security condition. Security Information and Events Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and vulnerability scanners are a few examples. The industry is also increasingly embracing AI and machine learning models to enhance the accuracy of threat detection and analysis.

Still, penetration testing maintains a status quo in the cybersecurity ecosystem. That’s because no automatic tool can think like an attacker, and human touch makes any protection vector more meaningful to corporate decision makers.

Read More

Skilling up the security team for the AI-dominated era

Read Time:58 Second

As artificial intelligence and machine learning models become more firmly woven into the enterprise IT fabric and the cyberattack infrastructure, security teams will need to level up their skills to meet a whole new generation of AI-based cyber risks.

Forward-looking CISOs are already being called upon to think about newly emerging risks like generative AI-enabled phishing attacks that will be more targeted than ever or adversarial AI attacks that poison learning models to skew their output. And those are just a couple examples among a host of other new risks that will crop up in what’s looking to be the AI-dominated era of the future.

Time to prepare for AI-powered attacks

There is still time to prepare for many of these risks. Just the faintest amount of demonstrable data shows that attackers are beginning to use large language model (LLM) powered tools like ChatGPT to boost their attacks. And most adversarial AI examples are still largely theoretical. However, these risks will only stay theoretical for so long and is time to start building a bench of AI-related risk expertise.

To read this article in full, please click here

Read More