Iranian APT group uses previously undocumented Trojan for destructive access to organizations


Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that has been targeting organizations in Israel and other countries since last year with the intention of damaging their infrastructure.

The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021 and its primary goal is to steal sensitive data. It also deploys file encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain.

Who is Moses Staff?

Moses Staff’s malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting organizations in Israel. Over the past two years there have been several groups targeting organizations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political.


DHS Creates Cyber Safety Review Board


The United States Department of Homeland Security has established a Cyber Safety Review Board (CSRB) to investigate “significant cyber incidents.” 

Mandated via President Joe Biden’s May 12 2021 executive order (EO 14028) on improving the nation’s cybersecurity, the board “shall review and assess, with respect to significant cyber incidents […] affecting Federal Civilian Executive Branch Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities and agency responses.”

The CSRB, which was chartered on September 21 2021, will only operate in an advisory capacity.

Rob Silvers, the DHS’ undersecretary for strategy, policy and plans, has been selected to chair the board for two years. Together with Cybersecurity and Infrastructure Security Agency director Jen Easterly, Silvers will choose up to 20 individuals to serve as board members.

The CSRB will be made up of a mixture of government workers and private sector representatives, who may need to obtain security clearances. According to instructions included in Biden’s EO, the person chosen to serve as the board’s deputy chair should work in the private sector.

Members will include at least one representative from the Department of Defense, the Department of Justice, DHS, CISA, the National Security Agency and the Federal Bureau of Investigation. 

A notice published in the Federal Register Thursday stated: “The CSRB will convene following significant cyber-incidents that trigger the establishment of a Cyber Unified Coordination Group as provided by section V(B)(2) of Presidential Policy Directive (PPD) 41; at any time as directed by the President acting through the Assistant to the President for National Security Affairs (APNSA); or at any time the Secretary or CISA Director deems necessary.”

After reviewing a cyber-incident, the CSRB “may develop advice, information, or recommendations for the Secretary for improving cybersecurity and incident response practices and policy.”

The notice said that CSRB’s advice on cybersecurity would be made publicly available “whenever possible” but that some information may be redacted to prevent the disclosure of sensitive data.

DHS secretary Alejandro Mayorkas has exempted the board from the transparency rules of the Federal Advisory Committee Act “in recognition of the sensitive material utilized in CSRB activities and discussions.”


#Enigma2022: Contextual Security Should Supplement Machine Learning for Malware Detection


Malware continues to be one of the most effective attack vectors in use today, and it is often combatted with machine learning-powered security tools for intrusion detection and prevention systems.

According to Nidhi Rastogi, Assistant Professor at the Rochester Institute of Technology, machine learning security tools are not nearly as effective as they could be, because several different limitations often hinder them. Rastogi presented her views on the limitations of machine learning for security, and a potential solution known as contextual security, at a session on February 2 at the Enigma 2022 Conference.

A key challenge for contemporary machine learning security comes from false alerts. Rastogi explained that false alerts both waste organizations’ time and create security gaps that could expose an organization to unnecessary risk.

“It is very difficult to get rid of false positives and false negatives,” Rastogi said.

Why Machine Learning Models Generate False Alerts

Among the primary reasons machine learning models tend to generate false alerts is a lack of sufficient representative data.

Machine learning, by definition, is an approach in which a machine learns how to do something, usually through some form of training on a data set. If the training data set doesn’t contain all the correct data, the resulting model cannot identify all malware accurately.

Rastogi said that one possible way to improve machine learning security models is to integrate a continuous learning model. In that approach, as new attack vectors and vulnerabilities are discovered, the new data is continuously being used to train the machine learning system.

Adding Context to Boost Malware Detection Efficacy

However, getting the right data to train a model is often easier said than done. Rastogi suggests providing additional context as an opportunity to improve malware detection and machine learning models.

The additional context can be derived from third-party and open source threat intelligence (OSINT) sources. Those sources provide threat reports and analysis on new and often novel attacks. The challenge with OSINT is that it is usually in the form of unstructured data, blog posts and other formats that don’t work particularly well to train a machine learning model.

“These reports are written in human-understandable language and provide context which otherwise wouldn’t be possible to capture in code,” Rastogi said.

Using Knowledge Graphs for Contextual Security

So how can unstructured data help to inform machine learning and improve malware detection? Rastogi and her team are attempting to use an approach known as a knowledge graph.

A knowledge graph uses what is known as a graph database, which maps the relationships between different data points. According to Rastogi, the biggest advantage of using knowledge graphs is that they make it possible to capture and better understand unstructured information written in a language understood by humans.

“All of this combined data on a knowledge graph can help to identify or infer attack patterns when a malware threat is evolving,” she said. “That’s the advantage of using knowledge graphs, and that’s what our research is pursuing.”

By adding context and data lineage that help track the source of the data and its trustworthiness, Rastogi said that the overall accuracy of malware detection could be improved.

“We need to go beyond measuring the performance of machine learning models using accuracy and precision scores,” Rastogi said. “We want to be able to help analysts by inference with confidence and context.”
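The knowledge-graph idea described above, carried into working code as an added example (this is not Rastogi’s or her team’s code). Every fact stored in the graph carries its source and a trust score, which is the data lineage the article refers to, so that any inferred relationship can be explained and its confidence traced back to the reports it rests on. The samples, sources, trust scores and the address below are all constructed.

```python
"""Toy threat-intelligence knowledge graph with data lineage.

Facts are (subject, predicate, object) triples annotated with the source they
came from and how much that source is trusted. Inference over shared technique
and infrastructure nodes yields related samples together with a confidence
value derived from the trust of the supporting facts.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, NamedTuple, Tuple


class Fact(NamedTuple):
    subject: str
    predicate: str
    obj: str
    source: str   # where the statement came from (data lineage)
    trust: float  # 0..1, how much the source is trusted


class KnowledgeGraph:
    def __init__(self) -> None:
        self.facts: List[Fact] = []
        self.out: Dict[str, List[Fact]] = defaultdict(list)  # facts by subject
        self.inc: Dict[str, List[Fact]] = defaultdict(list)  # facts by object

    def add(self, fact: Fact) -> None:
        self.facts.append(fact)
        self.out[fact.subject].append(fact)
        self.inc[fact.obj].append(fact)

    def explain(self, node: str) -> List[str]:
        """Human-readable context for a node, each statement with its provenance."""
        return [f"{f.subject} {f.predicate} {f.obj} [{f.source}, trust={f.trust}]"
                for f in self.out[node]]

    def related_samples(self, min_confidence: float = 0.5) -> Dict[Tuple[str, str], float]:
        """Two samples are related when they point at the same technique or
        infrastructure node. Each shared node contributes the weaker of the two
        supporting trust values; contributions combine noisy-OR style,
        1 - prod(1 - c_i), so independent corroboration raises confidence."""
        evidence: Dict[Tuple[str, str], List[float]] = defaultdict(list)
        for node, facts in self.inc.items():
            if not (node.startswith("technique:") or node.startswith("infra:")):
                continue
            best: Dict[str, float] = {}  # strongest fact per sample for this node
            for f in facts:
                best[f.subject] = max(best.get(f.subject, 0.0), f.trust)
            for a, b in combinations(sorted(best), 2):
                evidence[(a, b)].append(min(best[a], best[b]))
        result: Dict[Tuple[str, str], float] = {}
        for pair, scores in evidence.items():
            miss = 1.0
            for c in scores:
                miss *= 1.0 - c
            if 1.0 - miss >= min_confidence:
                result[pair] = 1.0 - miss
        return result

    def infer_attribution(self, sample: str, min_confidence: float = 0.5) -> Dict[str, float]:
        """Propagate attributed_to facts from related samples; the score is the
        relation confidence times the trust of the attribution statement."""
        inferred: Dict[str, float] = {}
        for (a, b), rel in self.related_samples(min_confidence).items():
            if sample not in (a, b):
                continue
            other = b if a == sample else a
            for f in self.out[other]:
                if f.predicate == "attributed_to":
                    inferred[f.obj] = max(inferred.get(f.obj, 0.0), rel * f.trust)
        return inferred


def build_demo_graph() -> KnowledgeGraph:
    """Constructed facts standing in for statements extracted from OSINT reports."""
    g = KnowledgeGraph()
    g.add(Fact("sample_A", "uses", "technique:encrypt-files", "vendor_report", 0.9))
    g.add(Fact("sample_B", "uses", "technique:encrypt-files", "blog_post", 0.6))
    g.add(Fact("sample_C", "uses", "technique:encrypt-files", "forum_post", 0.3))
    g.add(Fact("sample_A", "connects_to", "infra:198.51.100.7", "sandbox_run", 0.8))
    g.add(Fact("sample_B", "connects_to", "infra:198.51.100.7", "sandbox_run", 0.8))
    g.add(Fact("sample_B", "attributed_to", "group:X", "vendor_report", 0.9))
    return g


if __name__ == "__main__":
    graph = build_demo_graph()
    for pair, conf in graph.related_samples().items():
        print(f"{pair[0]} ~ {pair[1]}: confidence {conf:.2f}")
    print("inferred attribution for sample_A:", graph.infer_attribution("sample_A"))
    print("\n".join(graph.explain("sample_B")))
```

sample_A and sample_B share both a technique and an infrastructure node, so they are linked with higher confidence than either fact alone would give; sample_C rests on a single low-trust forum post and falls below the threshold, which is the kind of context-aware judgement a bare accuracy score does not express.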


KP Snacks Hit by Cyber-attack


Brits could be facing a snack shortage following a cyber-attack on 169-year-old food producer KP Snacks.

The German-owned maker of KP Nuts, Hula Hoops, Choc Dips, Nik Naks and Butterkist popcorn was targeted by threat actors on Friday. After gaining access to the company’s network, hackers deployed ransomware and took the snack maker’s data hostage.

“As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation,” said the British-based firm, which is known internationally for its potato chips sold under brands that include McCoy’s, Tyrrell’s and POM-BEAR.

KP Snacks, which is owned by Intersnack, said that its internal IT teams are working with third-party experts to assess the situation.

Shoppers seeking their favorite snacks may go home disappointed as the website Better Retailing, which first published news of the attack, reported that retailers had been warned by KP Snacks of delays to deliveries. 

According to a letter sent out to shop owners and published by Better Retailing, KP Snacks “cannot safely process orders or dispatch goods” because of the cyber-attack.

Disruptions including late deliveries and cancellations could plague the snack maker “until the end of March at the earliest”. 

“While this is causing some disruption to our manufacturing and shipping processes, we are already working on plans to keep our products stocked and on shelves,” said the company in a statement. 

“We have been continuing to keep our employees, customers, and suppliers informed of any developments and apologize for any disruption this may have caused.”

BBC News reported that cyber-criminals have published on the dark net what appear to be personal documents from KP Snacks staff, featuring the company letterhead. The post threatened to publish more data unless a ransom was paid.

Keiron Holyome, vice president UK, Ireland, and Middle East at BlackBerry, commented: “This attack on KP Snacks underscores that the global cyber risk equally applies to British institutions and their supply chains, with KP Snacks now predicting shortages after a ransomware attack.

“It doesn’t matter whether it’s logistics, fuel or food–these supply chains present unique and complex challenges from a cybersecurity perspective.”


CVE-2022-20699, CVE-2022-20700, CVE-2022-20708: Critical Flaws in Cisco Small Business RV Series Routers


Cisco patches 15 flaws in Cisco Small Business RV Series Routers, including three with critical 10.0 CVSSv3 scores.

Update February 4: Cisco has updated their advisory to announce partial patches for the RV160 and RV260 Series Routers. The Solution section has been updated with this information.

Background

On February 2, Cisco published an advisory for 15 vulnerabilities in its Small Business RV Series Routers. Three of the 15 vulnerabilities listed in the advisory received a CVSSv3 score of 10.0, the highest possible rating.

CVE | Type | CVSSv3 | Cisco BugIDs
CVE-2022-20699 | Remote Code Execution Vulnerability | 10.0 | CSCwa13836
CVE-2022-20700 | Privilege Escalation Vulnerability | 10.0 | CSCwa14564, CSCwa14565
CVE-2022-20701 | Privilege Escalation Vulnerability | 9.0 | CSCwa12836, CSCwa13119
CVE-2022-20702 | Privilege Escalation Vulnerability | 6.0 | CSCwa15167, CSCwa15168
CVE-2022-20703 | Digital Signature Verification Bypass Vulnerability | 9.3 | CSCwa12748, CSCwa13115
CVE-2022-20704 | SSL Certificate Validation Vulnerability | 4.8 | CSCwa13205, CSCwa13682
CVE-2022-20705 | Improper Session Management Vulnerability | 5.3 | CSCwa14601, CSCwa14602, CSCwa32432, CSCwa54598
CVE-2022-20706 | Command Injection Vulnerability | 8.3 | CSCwa14007, CSCwa14008
CVE-2022-20707 | Command Injection | 7.3 | CSCwa12732
CVE-2022-20708 | Command Injection | 10.0 | CSCwa13900
CVE-2022-20749 | Command Injection | 7.3 | CSCwa36774
CVE-2022-20709 | Arbitrary File Upload | 5.3 | CSCwa13882
CVE-2022-20710 | Denial of Service | 5.3 | CSCvz88279, CSCvz94704
CVE-2022-20711 | Arbitrary File Overwrite | 8.2 | CSCwa13888
CVE-2022-20712 | Remote Code Execution | 7.3 | CSCwa18769, CSCwa18770

Analysis

CVE-2022-20699 is a remote code execution (RCE) vulnerability in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. According to Cisco, the flaws exist due to an insufficient boundary check within the Secure Socket Layer Virtual Private Network (SSL VPN) module of these devices. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable device that is “acting as an SSL VPN Gateway.” Successful exploitation would grant an attacker arbitrary code execution on the device with root privileges.

CVE-2022-20700, CVE-2022-20701, CVE-2022-20702 are elevation of privilege vulnerabilities in the RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345 and RV345P routers. According to Cisco, these vulnerabilities reside in the web-based management interface of its Cisco Small Business RV Series Routers. The most severe of these three flaws is CVE-2022-20700. A remote, unauthenticated attacker could exploit this vulnerability by “submitting specific commands” to a vulnerable device. Successful exploitation would elevate the attacker’s privileges, allowing them to execute arbitrary commands as root.

CVE-2022-20707, CVE-2022-20708 and CVE-2022-20749 are RCE vulnerabilities in the Cisco RV340, RV340W, RV345 and RV345P Dual WAN Gigabit Routers. The most severe of these three flaws is CVE-2022-20708. According to Cisco, all three vulnerabilities reside in the web-based management interface of these devices. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted input to a vulnerable device. Successful exploitation would grant an attacker arbitrary command execution privileges at the operating system level.

At least 8,400 RV34X devices are publicly accessible

According to searches conducted on Shodan, there are at least 8,400* publicly accessible RV34X devices.

Router Model | Results
RV345 | 1,706
RV345P | 616
RV340W | 607
RV340 | 5,472
Total | 8,401

*These results were captured on February 2, 2022

Proof of concept

In its advisory, Cisco says it is aware of proof-of-concept (PoC) exploits for several of the patched vulnerabilities. However, none of the PoCs were hosted on public repositories like GitHub at the time this blog was published.

Solution

Cisco has released fixes for all 15 vulnerabilities for the RV340 and RV345 Series Routers. For the RV160 and RV260 Series routers, five of the vulnerabilities have been addressed in firmware release 1.0.01.07. The Cisco advisory notes that the additional fixes are expected soon. We recommend referring to the advisory to stay up to date on additional patches and recommendations from Cisco.

Product Identifier | Vulnerable Version | Fixed Version
RV160, RV160W, RV260, RV260P, RV260W | 1.0.01.05 and below | 1.0.01.07
RV340, RV340W, RV345 and RV345P | 1.0.03.24 | 1.0.03.26 and above
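A small inventory check built on the table above, added here as an example (it is not Tenable’s or Cisco’s code). The model families and firmware versions come from the advisory table; the hostnames and the versions in the sample inventory are constructed. The check distinguishes the RV160/RV260 families, where release 1.0.01.07 is only a partial fix per the Solution text, from the RV340/RV345 families, where 1.0.03.26 and above fixes all 15 flaws, and it compares versions numerically rather than as strings so that a segment such as “10” does not sort before “9”.

```python
"""Compare Cisco RV-series firmware versions against the advisory's fixed releases."""
from typing import Dict, List, Tuple

# Fixed firmware per product family, as given in the advisory table.
# The boolean records whether that release is a complete fix for all 15 CVEs.
FIXED_FIRMWARE: Dict[str, Tuple[str, bool]] = {
    "RV160": ("1.0.01.07", False),   # partial: five of the 15 CVEs
    "RV260": ("1.0.01.07", False),   # partial: five of the 15 CVEs
    "RV340": ("1.0.03.26", True),
    "RV345": ("1.0.03.26", True),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.03.24' into (1, 0, 3, 24) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def family_of(model: str) -> str:
    """Map RV160W, RV260P, RV345P and so on onto their base family (first five chars)."""
    return model.strip().upper()[:5]


def assess(model: str, version: str) -> str:
    """Return 'vulnerable', 'partially_patched', 'patched' or 'unknown_model'."""
    fixed = FIXED_FIRMWARE.get(family_of(model))
    if fixed is None:
        return "unknown_model"  # not covered by this advisory; check separately
    fixed_version, complete_fix = fixed
    if parse_version(version) < parse_version(fixed_version):
        return "vulnerable"
    return "patched" if complete_fix else "partially_patched"


def assess_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status so the result can go straight into a report."""
    report: Dict[str, List[str]] = {
        "vulnerable": [], "partially_patched": [], "patched": [], "unknown_model": []}
    for device in inventory:
        report[assess(device["model"], device["firmware"])].append(device["host"])
    return report


# Constructed inventory for demonstration; RV042 stands in for a model the
# advisory does not cover.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "branch-a-gw", "model": "RV340", "firmware": "1.0.03.24"},
    {"host": "branch-b-gw", "model": "RV345P", "firmware": "1.0.03.26"},
    {"host": "branch-c-gw", "model": "RV260W", "firmware": "1.0.01.07"},
    {"host": "branch-d-gw", "model": "RV160", "firmware": "1.0.01.05"},
    {"host": "legacy-gw", "model": "RV042", "firmware": "4.2.3.14"},
]

if __name__ == "__main__":
    for status, hosts in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:18s} {', '.join(hosts) or '-'}")
```

Devices reported as partially_patched still need follow-up once Cisco ships the remaining RV160/RV260 fixes, which is why the status is kept separate from patched rather than folded into it.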

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Cisco Security Advisory


Zero trust with zero passwords – free guide explains what you need to know


Graham Cluley Security News is sponsored this week by the folks at HYPR. Thanks to the great team there for their support! A new guide provides practical guidance for eliminating passwords to accelerate your Zero Trust strategy, and explains how Zero Trust can increase business agility. The free guide, by the analysts at The Cyber …


Interview with the Head of the NSA’s Research Directorate


MIT Technology Review published an interview with Gil Herrera, the new head of the NSA’s Research Directorate. There’s a lot of talk about quantum computing, monitoring 5G networks, and the problems of big data:

The math department, often in conjunction with the computer science department, helps tackle one of NSA’s most interesting problems: big data. Despite public reckoning over mass surveillance, NSA famously faces the challenge of collecting such extreme quantities of data that, on top of legal and ethical problems, it can be nearly impossible to sift through all of it to find everything of value. NSA views the kind of “vast access and collection” that it talks about internally as both an achievement and its own set of problems. The field of data science aims to solve them.

“Everyone thinks their data is the messiest in the world, and mine maybe is because it’s taken from people who don’t want us to have it, frankly,” said Herrera’s immediate predecessor at the NSA, the computer scientist Deborah Frincke, during a 2017 talk at Stanford. “The adversary does not speak clearly in English with nice statements into a mic and, if we can’t understand it, send us a clearer statement.”

Making sense of vast stores of unclear, often stolen data in hundreds of languages and even more technical formats remains one of the directorate’s enduring tasks.


Smashing Security podcast #260: New hire mystery, hacktivist ransomware, and digi-dating


Who’s that new guy working at your company, and why don’t you recognise him from the interview? How are hacktivists raising the heat in Belarus? And should you be fully vaxxed for your online date?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.


Using KPIs to generate results in Cybersecurity


Gaining investment from business leaders to create a mature cybersecurity program and fund initiatives is an imperative for success in enterprise risk mitigation. All too often, security and IT organizations struggle to capture the attention of executives needed to advance their priorities and build even basic cybersecurity capabilities.

Year after year, important initiatives get deprioritized for other business initiatives, pushing out the adoption of important technologies or funding of headcount to manage critical processes. The result is an organization with increasing exposure to risk and unwanted cybersecurity challenges. Fundamental capabilities for effective security operations that improve visibility, such as a SIEM, are deemed too expensive.

What strategies can cybersecurity staff use to cut through the noise of competing business initiatives and get the focus and investment they need to achieve their objectives? Or to properly fund the adoption of a new technology or capability? 

One way is to build a reporting system that speaks executive language and abstracts difficult-to-understand technology into business concepts: risk, reward, performance objectives, metrics, and success. Simply establishing what the basic priorities of a cybersecurity program are and then formally reporting on key performance indicators on a regular basis can have a profound impact. What an organization chooses to pay attention to naturally grows.

What is reported can vary from organization to organization, depending on the operating environment, the type of data transmitted and stored, and regulatory and compliance standards in play, to name a few. A guiding principle should be simplicity; too many data points create noise and inaction. At a minimum, many organizations will look at the attack surface, vulnerabilities and exposures, incidents, and employee training as a good starting point. 

Asset management

Asset management is at the core of every program. It’s impossible to guard what you don’t know or see, and yet most organizations fail to have a full grasp of their basic IT footprint. Every piece of hardware and software owned by an organization must be accounted for and every connection to its networks and infrastructure from ancillary systems monitored.

Shadow IT, Bring Your Own Device, and Work from Anywhere have exacerbated these challenges as traditional network edges evaporate and the flow of corporate data across untrusted networks and devices becomes increasingly common. This complicated patchwork is the corporation’s attack surface. Reporting the scope of that footprint, at the very least, demonstrates awareness of what matters to the organization.

Surprisingly, many organizations can’t easily quantify how many servers they own, the type of operating systems they run, the number of workstations and mobile devices they have, or even where their assets are at any given point in time. This knowledge is fundamental, and reporting it regularly to executives ensures that they appreciate the scope of the program while also establishing a priority to keep the data fresh and consistently up to date.

Vulnerabilities and patch management

This is perhaps one of the most impactful KPIs, not only because it’s so important in protecting the enterprise, but because it’s a constantly moving target (NIST’s National Vulnerability Database boasts greater than 17,000 submitted CVEs just this year). The vast majority of data breaches (upwards of 90%) leverage exploitation of a known vulnerability.

An effective vulnerability management program should involve regular scanning to identify new vulnerabilities in the organization’s infrastructure. KPIs around this can include the number of vulnerabilities discovered in the organization over the reporting period, categorization by CVE, how quickly they are patched after discovery, and graphs that show the reduction in vulnerabilities over time.
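The KPIs listed in this section, computed from scanner-style finding records as an added example (this code is not from the article). It produces open findings by severity, mean time to remediate over a reporting period, SLA compliance, and the open-count series behind a trend graph. The CVE identifiers are those named elsewhere on this page; the dates, severities and SLA targets are constructed.

```python
"""Vulnerability-management KPIs over a constructed set of findings."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Finding:
    cve: str
    severity: str                      # critical / high / medium / low
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open


# Remediation targets in days per severity (constructed policy values).
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed findings for demonstration.
FINDINGS: List[Finding] = [
    Finding("CVE-2022-20699", "critical", date(2022, 2, 3), date(2022, 2, 10)),
    Finding("CVE-2022-20700", "critical", date(2022, 2, 3), date(2022, 2, 25)),
    Finding("CVE-2022-20708", "critical", date(2022, 2, 3)),
    Finding("CVE-2022-20701", "high", date(2022, 1, 20), date(2022, 2, 15)),
    Finding("CVE-2022-20704", "medium", date(2022, 2, 3)),
    Finding("CVE-2022-20710", "medium", date(2022, 1, 20), date(2022, 1, 25)),
]


def is_open(f: Finding, as_of: date) -> bool:
    """A finding is open on a date if it was already known and not yet remediated."""
    return f.discovered <= as_of and (f.remediated is None or f.remediated > as_of)


def open_by_severity(findings: Iterable[Finding], as_of: date) -> Dict[str, int]:
    """Open findings per severity bucket; zero buckets are kept for stable dashboards."""
    counts = {sev: 0 for sev in SLA_DAYS}
    for f in findings:
        if is_open(f, as_of):
            counts[f.severity] += 1
    return counts


def mean_time_to_remediate(findings: Iterable[Finding], start: date, end: date) -> Optional[float]:
    """Average days from discovery to fix for findings closed within [start, end]."""
    durations = [(f.remediated - f.discovered).days for f in findings
                 if f.remediated is not None and start <= f.remediated <= end]
    return sum(durations) / len(durations) if durations else None


def sla_status(findings: Iterable[Finding], as_of: date) -> Tuple[int, int]:
    """(within_sla, breached) as of a date. Open findings are aged up to as_of,
    so an unpatched critical counts as a breach once it passes its target."""
    within = breached = 0
    for f in findings:
        if f.discovered > as_of:
            continue
        closed_on = f.remediated if (f.remediated is not None and f.remediated <= as_of) else as_of
        if (closed_on - f.discovered).days <= SLA_DAYS[f.severity]:
            within += 1
        else:
            breached += 1
    return within, breached


def open_trend(findings: Iterable[Finding], checkpoints: Iterable[date]) -> List[Tuple[date, int]]:
    """Open-finding count at each checkpoint: the series behind a trend graph."""
    fs = list(findings)
    return [(d, sum(1 for f in fs if is_open(f, d))) for d in checkpoints]


if __name__ == "__main__":
    as_of = date(2022, 3, 1)
    print("open by severity:", open_by_severity(FINDINGS, as_of))
    print("MTTR Feb (days):", mean_time_to_remediate(FINDINGS, date(2022, 2, 1), date(2022, 2, 28)))
    print("SLA within/breached:", sla_status(FINDINGS, as_of))
    print("trend:", open_trend(FINDINGS, [date(2022, 2, 3), date(2022, 2, 28)]))
```

Counting still-open findings against the SLA as they age is the detail worth keeping: a report that only averages closed tickets looks healthier the longer the hard ones stay open.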

Cyber incidents

A risk register that tracks every incident in the organization, its severity, the resolution, and lessons learned is a must. Raising awareness of incident quantity, associated impacts to the business, efforts to determine root cause, and mitigations is essential.

Many organizations lack even a fundamental classification system that is well understood across the company. Socializing with executives the incidents from the last reporting period reinforces a shared understanding of what constitutes a Level 1 versus a Level 4 incident, the organization’s expected response, who should be notified, etc. A KPI review keeps these classification systems top of mind and also improves overall organizational readiness when new incidents occur.

Employee training

Performance metrics can include the progress of employee training and awareness campaigns, structured training (online and in-person), initiatives that focus on core concepts (such as thinking before clicking, or how a clean desk is a cybersecurity priority), or the lessons learned from a recent tabletop exercise.

All make for great topics of discussion with executive stakeholders. Many organizations get fun and creative in this area, coming up with security mascots or even inter-business unit competitions.

Getting started

For organizations that are early in the KPI development journey, a great launch point is a Balanced Scorecard. This innovative approach to change management helps:

clarify vision, mission, and strategic themes
gain alignment and buy-in
break through organizational silos
define key objectives, initiatives, and success metrics
inform dashboard content

Initially designed by Dr. Robert Kaplan and Dr. David Norton for performance management, this framework can be a valuable tool for a security team to organize its strategy and distill out simple measures of success.

Cultivate curiosity 

Perhaps the best value of a KPI review is the simple act of cultivating curiosity. KPI reviews are an opportunity for executives to question the what and the why, and to inquire more deeply. Provoking curiosity inherently creates focus, attention, and concern. Cultivating it is one of the most powerful catalysts a security team can use in maturing a cybersecurity program.

Many technologists, buried in complexities of engineering solutions and securing bits and bytes, underutilize this simple strategy to keep their priorities top of mind with business leaders. Cultivate curiosity, generate questions, and watch investment in your ideas and programs grow.
