The Jerusalem Post says that its website was defaced on Monday, and pointed the blame at pro-Iranian hackers who they said posted an illustration depicting a ballistic missile being launched at an exploding nuclear facility in Dimona.
Apple users rejoice! CIS Hardened Images for macOS Big Sur (11) and Catalina (10.15) are now available in Amazon Web Services (AWS) Marketplace. These CIS Hardened Images are the first independently-developed offering for macOS Amazon machine images (AMIs) in AWS Marketplace. CIS Hardened Images, pre-configured virtual machine images, provide an additional layer of security to […]
This blog was written by an independent guest blogger.
Technology in healthcare has the potential to make all the difference in terms of safety outcomes. Right now, modern tech is pushing the envelope of what is possible in the doctor’s office and the patient’s home, as telehealth and artificial intelligence transform the landscape of medical care.
But technology isn’t always safe. Experts predict that the healthcare industry will face two to three times more cyberattacks than other industries, making cybersecurity an essential aspect of modern medicine. As we watch ransomware and other malicious cyberattacks disrupt global trade, it’s easy to remember a world less vulnerable to digital threats.
However, technology ultimately is doing more good than bad in healthcare. Tech’s contributions toward safety have revolutionized care accessibility, reach, and potential. In turn, we can look forward to safer treatments and better patient outcomes.
These are some of the most promising contributions of tech in producing more excellent healthcare safety.
Telehealth has been a central aspect of modern care, bridging the needs of patients with safe solutions during the COVID-19 pandemic. Telehealth has proven to be immensely popular, with 65% of consumers now expecting to use it more even after the pandemic. This widespread utilization of telehealth would have been impossible without advancing technology.
Innovations from 5G networks to Internet of Things (IoT) devices are transforming how we connect and assemble data networks, in turn enabling new medical solutions. These innovations power information systems, a market expected to reach $39.7 billion in value by 2025. The value comes in through the power of these systems to collect, categorize, and assess information — all vital parts of any healthcare procedure.
Information systems and the experts that manage them both create and protect vast amounts of valuable healthcare data. With all this information stored and secured through cloud services, patients can be monitored and treated remotely.
For instance, the Michael J. Fox Foundation for Parkinson’s Research is developing web-based sensors on the Internet of Things that can track and report patient movement data and measure severity. This will allow medical professionals to gain a better understanding of their patient’s condition and how to treat it.
By connecting people with care wherever they are, tech is contributing to a safer world. Telehealth means patients don’t have to risk exposure to COVID-19 as often. Information systems are connecting patients and providers with data. And connected devices are improving medical understanding.
The more data care providers have, the better equipped they are to give patients accessible solutions designed to meet their personal needs.
When it comes to improving safety, few technological innovations have contributed more than artificial intelligence. This category of computing now allows for all kinds of incredible processes, from machine learning to predictive analytics. AI has enhanced the medical field, given surgeons a useful tool, and revolutionized diagnostic potential.
The power of AI comes in its ability to assist us in our most grueling tasks. For instance, AI has given surgeons robotic assistants like the Da Vinci Surgical System. This robot gives the surgeon magnified vision and built-in tremor filtration that makes any surgery a more risk-free process. With these features, Da Vinci has already enhanced the safety of more than seven million procedures.
AI also excels in diagnosing conditions. CureMetrix in San Diego, for example, has developed a system that assists radiologists in analyzing mammograms. Their tech uses machine learning algorithms paired with computer vision to compare imagery. From its database of examples, the system can then detect breast cancer up to six years earlier than a human professional with as much as a 70% reduction in false positives.
With such promising safety features built into the technological revolution, the health and well-being of humanity can only improve. This might make our bodies safer, but what about our data?
Fortunately, tech has answers for that, too.
Technology has given the healthcare industry a plethora of safety improvements. The benefits are clear from more equitable, accessible care to electronic medical records like those that helped scientists track and combat the coronavirus. At the same time, however, connected databases of valuable medical data represent a big risk.
This is where AI comes in. Through machine learning functions, AI cybersecurity systems are capable of comparing calls on operating systems to search for anomalies. If a problematic instance is found, the system can classify and flag the call, allowing system administrators to lock out the offender.
Fortunately, the advancement of AI has only improved these functions. Machine learning means systems can analyze vast amounts of data sets, evaluate examples of malicious attacks, and adapt to fight them. In turn, the security of medical data is enhanced.
Additionally, blockchain technology is emerging as a powerful contender in the battle for cybersecurity. These decentralized data systems lock information behind linked cryptographic hash functions. This means that for a hacker to break in, they have to use serious computing power. For storing and recording medical data safely, blockchain just might be the future.
These are just a tiny fraction of the contributions technology has made in healthcare. In the future, cloud data systems, AI diagnostics, and blockchain will all play a larger role in promoting public safety. Accessibility and quality of care will improve as a result.
For now, the role of tech in healthcare cybersecurity is one to watch. Machine learning and blockchain will battle it out for the position of the biggest contributor to healthcare safety. Whichever wins, humanity is the better for it.
Part 2 of a 2-part series By: Kathleen M. Moriarty, CIS Chief Technology Officer and active participant in the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group “Security Guidance for 5G Cloud Infrastructures” is a series of four documents intended to help secure cloud environments. It’s been created as […]
The internet is meant for all to enjoy. And that’s who we’re looking out for—you and everyone who wants to enjoy life online.
We believe it’s important that someone has your back like that, particularly where some of today’s hacks and attacks can leave people feeling a little uneasy from time to time. You’ve probably seen stories about data breaches at big companies pop up in your news feed. Or perhaps you or someone you know had their debit or credit card number hacked. Problems like these are out there, unfortunate thorns in the side of the internet we’ve come to love. Yet while these issues persist, there’s plenty you can do to avoid them.
That’s where we have your back—doing all we can to make life online enjoyable for everyone, with protection that helps people finally feel safe and stay that way.
The reality is that nobody wants to deal with hackers, malware, and other attacks crop up on the internet. And while it’s important to be aware of those things, we’d rather that you didn’t have to worry about them. Protection should come easy. Whether it’s keeping your banking, shopping, and streaming secure, along with your privacy and personal info too, protection should feel simple and tailored to you. That’s what we strive for.
So as you think about protecting your life online, take a moment to consider what you’re protecting. As you do, you’ll see that it means far more than protecting your computers, phones, and other devices. Ultimately, it’s about protecting you, and all the important things connected to you. You can think of it in three ways …
What’s among the top things people say they want to protect? Their photos. Not far behind photos are all manner of digital treasures that people like to keep close, which ranges anywhere from music they’ve downloaded to old voicemails of their children, nieces, and nephews that they’ve saved over the years. Without a doubt, we have plenty of things stored on our computers and phones that we simply couldn’t do without.
Protecting these things means protecting the devices you use to store and access them. Installing comprehensive online protection software like ours is the first step. In addition to award-winning antivirus software and firewall protection to help keep hackers at bay (and away from your photos and other precious files), it goes a step further.
Our new Online Protection Score shows you just how safe you are and guides you through simple steps that can seal up gaps and improve your protection overall. In all, it’s a personalized and simple way to make sure you’re protected as possible and continually make improvements as they’re needed. It’s a way of getting expert protection without being an expert.
There’s also the “Important Stuff” in life, like our financial records, tax returns, and all the banking that we do on our phones and computers. And let’s throw shopping into mix because shopping’s important too! You can protect the important things like this, which can help hackers out of your business.
For starters, you can protect your important files three ways with our online protection by using a combination of the McAfee® File Lock and Shredder features to manage your privacy:
McAfee File Lock allows you to create password-protected encrypted drives on your PC that only appear when you’ve unlocked them, perfect for storing sensitive files like tax returns and financial documents.
And when you’re looking to dispose of sensitive files, McAfee Shredder securely deletes files so that would-be thieves can’t put the pieces back together.
You can lock down your privacy even further with a VPN that can shield you automatically from snooping attacks online, whether at home or when using public Wi-Fi. It creates an encrypted connection that works like a private tunnel that hides your IP address and the things you’re doing online from cybercrooks. It’s ideal for keeping your sensitive personal information like your financial data, passwords, and browsing history hidden from both hackers and websites.
And here’s another big help. A password manager. You likely have dozens of passwords, plus a few more that you’ve probably forgotten about. You can protect your passwords and the accounts associated with them with a password manager that creates and securely stores a strong, unique password for each of your accounts. Plus, you can use it to update those passwords on the regular. Few things make it tougher for hackers than strong, unique passwords that get changed often. In a time of data breaches and account theft, a password manager is a great call.
While it’s important to focus on protecting things like laptops, phones, photos, files, and data, you’re ultimately protecting something far greater You. Your privacy, your personal information, your accounts, all the things that taken together make you—you. The thing is that our lives are more fluid and mobile than ever before. One moment we’re banking on our laptop, the next we’re splitting the cost of dinner with a payment on our phone. The constant here is you. You’re at the center of all this activity regardless of the device you’re using. The same goes for your family and the people you care about.
That’s why we protect people, not just their devices.
McAfee Identity Protection Service monitors the dark web for your personal info such as emails and associated passwords, up to 60 different types of critical info. If we detect that your data was stolen, you’ll get immediate alerts on the devices of your choice and guidance on how to secure your info quickly and effectively. In all, you can keep tabs on your identity any time you’re connected to the internet, and if an issue crops up you can click, solve, and carry on.
Extended identity protection offers up the extra comfort of knowing that you have licensed recovery pros on the case if identity theft does happen to you. This includes monitoring and restoration services, along with identity theft insurance for lawyer fees, travel expenses, lost wages, and more.
While that’s just a few of the ways McAfee has your back, we hope it gives you a good sense of what online protection should do—how it should protect you and all the things connected to you. And on today’s internet, that’s quite a bit. There’s so much to experience online today, and we believe you should enjoy all of it, freely and with the confidence that comes from knowing you’re safe.
The post The Internet is for Everyone to Enjoy—We’re Helping See to It appeared first on McAfee Blogs.
KrebsOnSecurity.com celebrates its 12th anniversary today! Maybe “celebrate” is too indelicate a word for a year wracked by the global pandemics of COVID-19 and ransomware. Especially since stories about both have helped to grow the audience here tremendously in 2021. But this site’s birthday also is a welcome opportunity to thank you all for your continued readership and support, which helps keep the content here free to everyone.
More than seven million unique visitors came to KrebsOnSecurity.com in 2021, generating some 12 million+ pageviews and leaving almost 8,000 comments. We also now have nearly 50,000 subscribers to our email newsletter, which is still just a text-based (non-HTML) email that goes out each time a new story is published here (~2-3 times a week).
Back when this site first began 12 years ago, I never imagined it would attract such a level of engagement. Before launching KrebsOnSecurity, I was a tech reporter for washingtonpost.com. For many years, The Post’s website was physically, financially and editorially separate from what the dot-com employees affectionately called “The Dead Tree Edition.” When the two newsrooms finally merged in 2009, my position was eliminated.
Happily, the blog I authored for four years at washingtonpost.com — Security Fix — had attracted a sizable readership, and it seemed clear that the worldwide appetite for in-depth news about computer security and cybercrime would become practically insatiable in the coming years.
Happier still, The Post offered a severance package equal to six months of my salary. Had they not thrown that lifeline, I doubt I’d have had the guts to go it alone. But at the time, my wife basically said I had six months to make this “blog thing” work, or else find a “real job.”
God bless her eternal patience with my adopted occupation, because KrebsOnSecurity has helped me avoid finding a real job for a dozen years now. And hopefully they let me keep doing this, because at this point I’m certainly unqualified to do much else.
I’d be remiss if I didn’t take this opportunity to remind Dear Readers that advertisers do help keep the content free here to everyone. For security and privacy reasons, KrebsOnSecurity does not host any third-party content on this site — and this includes the ad creatives, which are simply images or GIFs vetted by Yours Truly and served directly from krebsonsecurity.com.
That’s a long-winded way of asking: If you regularly visit KrebsOnSecurity.com with an ad blocker, please consider adding an exception for this site.
Thanks again, Dear Readers. Please stay safe, healthy and alert in 2022. See you on the other side!
This blog was written by an independent guest blogger.
This article explores how you can locate Insecure direct object references (IDORs) using Burp Suite. Primarily, there are two ways to test the IDOR flaw, manual and semi-automated. For automation, this article focuses on the Autorize Plugin in Burp Suite.
Silent Breach discovered an IDOR vulnerability on the US Department of Defense website in November 2020 and discreetly notified it to the DOD’s Vulnerability Disclosure Program. The flaw was solved by including a user session method into the account setup that required initially logging in to the website.
That was one of the IDORs incidents, but what is an Insecure Direct Object Reference?
“Insecure Direct Object References (IDOR) occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.” – owasp.org
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points to an object directly.
Access control challenges are the source of this vulnerability. The word IDOR became famous once it came into the OWASP’s top ten. However, it’s really just some other form of Broken Access Control.
IDORs can cause privilege escalation either horizontally or vertically. To be considered an IDOR, they must meet the preceding requirements:
The request contains an entity identification, whether as a GET or POST option.
There must be an Access Control flaw allowing the individual access to information, for which they shouldn’t be allowed.
Examples:
GET /receipt.php?id=18
POST /privateInfo.php
{userId:03,name:”bob”}
GET /invoice/test.txt
We have POST and a GET request with an identifier. In most cases, user A can only see receipts or private details that belong to him. An attacker can get an IDOR if he modifies this identifier and receives the same information as user A.
It might appear to be a simplistic explanation of IDORs, but that is essentially how they function. The interesting part is how we could automate scanning for this. We may use either a manual or semi-automated technique.
If you are just getting started in bug hunting, I suggest manual testing initially. It’s common practice to learn and grasp the working knowledge of your tool before putting your hands on it. You genuinely get to go into the depths of your capabilities.
To automate the testing of IDORs, we need Autorize Plugin in Burp Suite.
You can install the Autorize plugin in the Burp suite from the Extender tab -> BApp Store.
After installing the autorize plugin:
Navigate to your target webpage, log in to User A (test2/test), and capture the traffic.
Copy the request (cookie and header details) and paste it on the Autorize tab.
Turn on Autorize.
Go to the target webpage, login with User B (test3/test), and capture the traffic.
Burp then makes the identical request with the given cookies and color-codes the outcomes for us.
Lastly, explore the target Web App and test every feature that requires admin credentials and is not accessible via a regular user; if you receive a Bypass/Enforced response, you have an IDOR vulnerability.
To test the IDOR manually, I am using the Port Swigger lab here. Fire up Burp Suite and access the Portswigger Lab.
It’s good practice to set the target scope in Burp Suite. As in our case, you can add the lab URL as the target scope, or you can add only the domain name.
I usually tick the advanced scope control, as it provides us with regex options if necessary.
After setting the target scope, explore the target webshop. Browsing through the webshop reveals a variety of features. By this time, the site map must have clogged up with all the various requests.
We can see various responses, but the one we’re interested in is the download-transcript.
Navigate the webshop, capture the traffic on the proxy tab and send it to the repeater tab.
When we modify this download transcript number, the server will no longer verify that we have permission to download it.
We must be capable of login into username Carlos and the password we just got. We don’t particularly need to be signed in to get the documents because this is an unauthenticated IDOR.
The two ways we can use to test IDORs are:
Manual testing using Burp Suite.
Semi-automated testing using Autorize Plugin from Burp Suite.
Implementing an access control system is the only genuine approach to address this vulnerability. The server must authenticate the user before it can fulfil the request.
What’s the difference between identity fraud and identity theft? Well, it’s subtle, so much so that it’s easy to use them nearly interchangeably. While both can take a bite out of your wallet, they are different—and knowing the differences can help you know understand what’s at stake.
Let’s start with an overview and a few examples of each.
When someone steals or misuses your personal information to exploit an account or accounts you already have.
Examples:
A criminal gets a hold of your debit card information from a data breach and makes purchases with it against your bank account.
A criminal gains access to one of your accounts via a phishing attack and misuse the funds or otherwise misuses the access associated with that account.
When someone uses your personal information to open and abuse new accounts or services in your name—or possibly to impersonate you in other ways.
Examples:
A criminal uses your personal information to open a new line of credit at a retailer under your name and then makes purchases against the line of credit.
A criminal uses your Social Security Number to create a driver’s license with their likeness but your name and personal information.
So there’s that subtle difference we mentioned. Identity fraud involves misuse of an existing account. Identity theft means the theft of your personal information, which is then used to impersonate you in some way, such as opening new accounts in your name.
Above and beyond those definitions and examples, a couple of real-life examples put the differences in perspective as well.
As for identity fraud, individual cases of fraud don’t always make the headlines, but that’s not to say you won’t hear about it a couple of different ways.
The first way may be news stories about data breaches, where hackers gain things like names, emails, and payment information from companies or organizations. (Chipotle, RobinHood, and T-Mobile being recent examples.) That info can then end up in the hands of a fraudster, who then accesses those accounts to drain funds or make purchases.
On a smaller scale, you may know someone who has had to get a new credit or debit card because theirs was compromised, perhaps by a breach or by mistakenly making a payment through an insecure website or by visiting a phony login page as part of a phishing attack. These can lead to fraud as well.
Identity theft took on new forms during the pandemic, such as was the case of a Rhode Island man charged with nearly half a million dollars in a pandemic unemployment fraud case. Authorities allege that the man-made 85 unemployment claims in 2020 using the identities of several other people.
Similarly, a Massachusetts man was sentenced for filing fraudulent claims for relief funds, as well as open store credit accounts using fake identities. Court proceedings alleged that the personal information used to commit this fraud came from several sources, including information stolen from a realty company that collected that information from potential renters.
Identity theft can stem from the workplace as well, such as the sentencing of a Maryland man who used stolen lists of personal information from his former employer. From there, he was found guilty of garnering more than a million dollars in funds from food assistance programs and fraudulent car loans.
Identity theft can run far deeper than these examples. Because it effectively allows someone else to pose as you, an identity thief can do more than drain your accounts. They can also claim health insurance benefits, file taxes in your name, or possibly purchase the property. Further, an identity thief can potentially get a job, driver’s license, or other forms of ID in your name, which could ruin your credit history, reputation, or even create a police record in your name.
So while both identity fraud and identity theft are certainly something you want to prevent, identity theft holds the potential to affect far-reaching aspects of your life—which marks a distinct difference between the two.
It usually starts with someone saying anything from, “That’s strange …” to “Oh, no!” There’ll be a strange charge on your credit card bill, a piece of mail from a bill collector, or a statement from an account you never opened—just to name a few things.
With that, I have a few recent blogs that help you spot all kinds of identity crime, along with advice to help keep it from happening to you in the first place:
Top Signs of Identity Theft
How to Report Identity Theft to Social Security
Can Thieves Steal Identities with Only a Name and Address?
Quizzes and Other Identity Theft Schemes to Avoid on Social Media
While there are differences between identity fraud and identity theft, they do share a couple of things in common: you can take steps to prevent them, and you can take steps to limit their impact should you find yourself faced with one or the other.
The articles called out above will give you the details, yet staying safe begins with vigilance. Check on your accounts and credit reports regularly and really scrutinize what’s happening in them. Consider covering yourself with an —and act on anything that looks strange or outright fishy by reporting it to the company or institution in question.
The post What’s the Difference Between Identity Fraud and Identity Theft? appeared first on McAfee Blogs.
Log4j/Log4shell is a remote code execution vulnerability (RCE) in Apache software allowing attackers unauthenticated access into the remote system. It is found in a heavily utilized java open-source logging framework known as log4j. The framework is widely used across millions of enterprise applications and therefore a lucrative target for threat actors to exploit. The availability of the POC exploit and ease of exploitation triggered the widespread exploitation attempts that we are now witnessing.
CVE-2021-44228 – Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation.
Should the vulnerability be present, an attacker might run arbitrary code by forcing the application or server to log a specific string. This string can force the vulnerable system to download and run a malicious script from the attacker-controlled system, which would allow them to effectively take over the vulnerable application or server.
A full technical analysis can be found here:
McAfee Advanced Threat Research: Log4Shell Vulnerability is the Coal in our Stocking for 2021
In this blog, we present an overview of how you can mitigate the risk of this vulnerability exploitation with McAfee Enterprise solutions. Due to the severity of this vulnerability and the observed exploitation attempts already taking place, the KB article linked below will be continually updated to communicate detailed actions to mitigate risk with McAfee Enterprise products. Subscribe to this KB article to receive updates pertaining to related coverage and countermeasures.
KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution
Organisations preparing to defend against this threat needs to think beyond the initial access vector. What the vulnerability allows a threat actor to do is initially only connect to a remote endpoint and establish a beachhead. The attacker only gets a return on investment when they can exploit that initial foothold either to move laterally, execute additional payloads on the endpoint or attack other organisations as part of a botnet. Instead of just focusing on the initial access vector, let’s look at the entire defensive kill chain.
The impact on organisations varies between resource takeover, denial of service or data theft. Therefore, making visibility in attack patterns and trend via threat intelligence extremely critical. In addition, other attack vectors have been discovered which allows for local exploitation of the log4j library over WebSocket.
Let’s walk through the defense lifecycle in more details
Threat Intelligence is critical to adapt security controls and gain an understanding of attacker techniques and active campaigns exploiting the vulnerability
The MVISION Insights platform reports threat intelligence related to the Log4j attacks under the campaign name Log4Shell – A Log4j Vulnerability – CVE-2021-44228.
The Global Prevalence map snapshots captured on the 10th and 16th December 2021 demonstrates how impactful has being the vulnerability so far and how fast activity, both defender and attack, is increasing and spreading worldwide.
MITRE Techniques Observed:
Exploit Public-Facing Application – T1190 (Initial Access)
Exploitation of Remote Services – T1210 (Lateral Movement)
External Remote Services – T1133 (Initial Access, Persistence)
Resource Hijacking – T1496 (impact)
Web Shell – T1505.003 (Persistence)
As we are writing this blog, on MVISION Insights there are 1,813 IOCs including MD5, SHA256, URL, IP, DOMAIN, HOSTNAME. In terms of Determinism, 1,632 are unique and 30 are commodity.
The top MD5 detected so far has been related to Kinsing (MD5: 648effa354b3cbaad87b45f48d59c616), a crypto miner with backdooring features. The file runs on Linux machines and has been uploaded on Virus Total for the first time in December 2020. Its detection increased by 161% between the 11th and the 15th of December 2021 and it is currently observed in 19 different countries. The log4j vulnerability is helping threat actors to push Kinsing malware via encoded payloads to vulnerable services exposed to the internet. And this is just the tip of the iceberg. We are actively monitoring for and analyzing new payloads.
The same unique indicator is also reported as part of other two threat campaign on MVISION Insights:
Kinsing Malware Adds Windows to Its Target List
Misconfigured Apache Hadoop YARN Exploited
Since April 2020, when the Kinsing crypto miner was discovered, further developments of the malware have occurred including a rootkit component and other features that make detection harder. Kinsing comes with multiple shell scripts that download and install the backdoor, miner, and rootkit alter the system itself.
The IP address 45.155.205[.]233 included within the MVISION Insights IOCs and used by threat actor as a log4j callback attack server has been detected 6,884 times by December 4th topping 15,106 detections by December 7th. Most detected countries included the United States, Turkey, Thailand, UK, Taiwan, and Italy.
MVISION Insights also includes indicators related to unique variants of MIRAI botnet that McAfee observed being leveraged by threat actors to exploit the log4j vulnerability.
Shell scripts are using wget and curl tools for external communication as part of the attack chains analyzed.
Latest updates highlighted Conti ransomware group actively leveraging the Log4Shell exploit to gain access to internal corporate resources and lunch their malicious payloads. But also, Khonsari group and state sponsored APT35 have been reported by researchers.
In this case, you should detect and prioritise internet facing applications running java-based web servers such as Apache Tomcat, either isolate or patch these resources. Run vulnerability scans for both monolithic and containerized workloads to build an inventory of assets that might be impacted.
Continuously discovers your cloud resources and can run vulnerability scans for Virtual Machines and Containerized workloads in the cloud. MVISION Cloud has the ability to build an inventory of running processes within workloads as part of it application control capabilities. If log4j is used as a separate package we will detect the vulnerability in both runtime and container registry. If the log4j is included in the java binary we will not be able to scan it.
Ensure you run configuration audits for cloud assets that allow unrestricted outbound access and does not use firewalls or NAT GW’s for outbound connections. Run configuration audits for secondary misconfigurations that might allow the attacker to exploit IAM to elevate privileges, gain persistence or takeover other resources.
Compares the available defensive capabilities on the endpoint to the attacker techniques, tools and IOC’s and highlights exposed endpoints.
You can perform real time searches in MVISION EDR to identify endpoints with Log4j binaries.
The attacker only succeeds if they can get to this stage so blocking outbound suspicious connections, preventing execution of additional payloads, and protecting credentials/auth tokens theft are things that could prove to be critical in defeating the attack. As part of the available threat intelligence attackers are using several post exploit methodologies to pivot from the original log4j injection vulnerability. This varies from misuse of resources with crypto miners, deploying malware, or exfiltrating sensitive information.
Use Application Control (VM and Containers) to kill unverified server processes and payloads from executing.
OS Hardening (VM) – ensure that SE Linux state is enforcing
Use UCE URL filtering and Remote Browser Isolation to prevent browser-based exploit attempts over WebSocket and C2 attempts.
Use signature-based protection in ENS 10.7 to block known hashes of second stage malicious payloads. On December 12, 2021, McAfee Enterprise released V3 AMCore content 4648 (ENS) and V2 DAT 10196 (VSE). Generic detections are provided under the title Exploit-CVE-2021-44228.C.
In ENS (Endpoint Security) 10.7 update 4 and above, there is a powerful security feature available to every defender, which is the ability to trigger a memory scan from an Expert Rule. For more details on this capability, please see this blog post from our AC3 team
https://www.mcafee.com/blogs/enterprise/log4j-and-the-memory-that-knew-too-much
Additionally, it is recommended to enable the ENS ATP rules that prevent or detect post exploitation techniques such of second stage payload execution, credential dumping or encryption activity from ransomware, use of malicious tools or lateral movement.
An Emergency User Defined Signature has been written and tested by McAfee Enterprise to provide immediate protection against the Apache Log4j2 Remote Code Execution Vulnerability.
User-Defined Signature: KB95088 – REGISTERED – NSP Emergent UDS Release Notes – UDS-HTTP: Apache Log4j2 Remote Code Execution Vulnerability
Attack ID: 0x4529f700
Attack Protocol: HTTP
Attack Direction: Client to Server
To be included in the next regular sigset? Yes
Released date: December 10, 2021
For details on latest signatures, please follow the KB…KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution
Assuming breach is critical especially if you know that you had exposed assets and therefore, build forensics and post exploitation detection techniques this includes exploitation of living of the land binaries (LOLBINS), credential dumping as well as using information such as known file hashes / hunting queries to query web server / reverse proxy/ Network IPS logs.
In addition to an Intelligence Summary, Insights provides exportable YARA rules to find additional Indicators of Compromise.
As mentioned above, you can leverage Real Time and Historical Search functionality to proactively identify vulnerable systems or post exploit activity such as…
historical process execution spawning from Java as this could be a clear indicator that the parent java process was used to spawn additional malicious processes.
monitoring for detection of threats emanating from assets running Java
identify outbound communication attempts to known C2 domains through DNS or Web traffic
Identify Indicators of Compromise associated with exploit payloads
Along with control on the endpoint, visibility into attacks and where data is being uploaded is also critical to stopping Data Exfiltration. Mapping threats to the MITRE ATT&CK Framework will provide visibility into ongoing attacks happening in the cloud and where security controls can be improved to stop future attacks.
Another critical method to stopping the exfiltration of data is putting restrictions against data uploads to non-sanctioned cloud storage. Limiting data uploads to only sanctioned Cloud Service Providers can stop external and insider threats from transferring data to Cloud Services that are questionable or not sanctioned. The Cloud Registry within MVISION Cloud/Unified Cloud Edge will provide ratings for well over 25,000 Cloud Service Providers so restrictions can be placed on CSPs with high risks or attributes that put company data at risk.
The current situation is dynamic and our resources to help you understand the attack and mitigations available are also evolving. For the latest updates on McAfee Enterprise threat intelligence and defender resources please continue to follow these sites
MCFE Log4Shell Vulnerability KB: https://kc.mcafee.com/corporate/index?page=content&id=KB95091
MCFE Log4Shell Security Bulletin: https://kc.mcafee.com/corporate/index?page=content&id=SB10377
MCFE Log4Shell Vulnerability Blog: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/log4shell-vulnerability-is-the-coal-in-our-stocking-for-2021/
MCFE Log4Shell Exploit Demonstration by McAfee ATR: https://www.linkedin.com/posts/mcafeeenterprise_cve-2021-44228-log4shell-exploitation-activity-6876241150219485184-URLE
MCFE LinkedIn Live Customer Briefing: https://www.linkedin.com/posts/mcafeeenterprise_mcafee-enterprise-atr-explore-the-internet-breaking-activity-6876614287197122560-wNuD
FEYE Log4Shell Vulnerability KB: https://community.fireeye.com/s/article/000003827
The post Threat Intelligence and Protections Update Log4Shell CVE-2021-44228 appeared first on McAfee Blogs.
Most of us take our skills for granted when it comes to technology. We move effortlessly between applications and multiple devices. We install new software, set up numerous accounts, and easily clear technical hurdles that come our way. Unfortunately, that picture isn’t the norm for many older adults.
Engaging with technology can be challenging for older adults. However, when digital literacy skills are neglected or avoided, everyday activities such as online bill paying, shopping, medical appointments, and even social media can be overwhelming. And, since the pandemic, the digital divide between older adults and digital skills has become even more evident.
One Pew study revealed that older adults continue to lag behind younger adults when it comes to technology adoption in that 41% do not use the internet at all, 23% do not use cell phones, and over 75% say they require help when learning how to use new technology.
The Pew study also highlighted good news: Attitudes shift for the better when older adults increase their digital skills and access the Internet more frequently. Fully 79% of older adults who use the internet regularly agree with the statement that “people without internet access are at a real disadvantage because of all the information they might be missing.” In comparison, 94% agree with the statement that “the internet makes it much easier to find information today than in the past.”
So how can we help the older adults in our lives grow both their digital skills and their confidence? Building practical digital skills begin with a commitment to one another, to consistency, and to learning. Here are some tips to get you started.
If you are helping an older adult build their digital skills, it’s crucial to schedule dedicated training time. Commitment and consistency will be key to achieving real results. If you’re the older adult learning on your own, set aside dedicated learning time with clear goals. For instance, “Each day this week from 7 a.m. to 9 a.m. I will learn how to set up my email and how to maximize security on all my devices.”
Fortunately, more and more resources are emerging to help older adults bridge their technology gaps, and most are free. A few places to begin include AARP’s Senior Planet, Candoo Tech, and GetSetUp. To find a program in your area, go to at3center.net.
Online security is one of the most critical conversations you can have with the older adults in your life. Following best practices such as installing security software, using strong passwords with Two-Factor Authentication (2FA), understanding data privacy, and knowing how to identify phishing and malware scams are fundamental components of digital literacy. For a deeper dive into cybersecurity best practices, read more.
Older adults can easily fall prey to scams, conspiracies, hoaxes, and false news stories online. A recent study out of Princeton and NYU found that, prior to the 2016 election, adults over 65 were seven times more likely than those under 29 to post articles from fake news domains. Understanding how to spot misinformation online is a critical skill for anyone online. One resource to build media literacy is MediaWise for Seniors, a series of free online courses by Poynter designed to help older adults detect and combat fake news and misinformation. In addition, consider dialogue on how to challenge each piece of digital content by asking:
Do I understand all the points of view of this story?
What do I think about this topic or idea?
Am I overly emotional and eager to share this publicly?
Am I being manipulated by this content?
What if I’m wrong?
Jargon excludes and when you use insider language with a non-technical person, it can get overwhelming. Slow down. Use ordinary terms. For instance, instead of the hyperlink, consider “link.” Instead of URL, opt for “website address.” Rather than DM/PM, use “Private Message.” Note: Avoiding jargon doesn’t mean you dumb down to a person; it means using plain language to explain the same concept.
It’s a myth (and an unfortunate stereotype) that older adults don’t have the ability or don’t want to learn about technology. Frankly, they can, and they do. However, physical and mental changes are part of the aging process, which means repetition and patience are part of the process. Consider creating easy-to-read cheat sheets to summarize the day’s lesson.
Technology is impacting our lives in myriad ways, and no one feels this reality pressing in more than older adults. If you find yourself in the privileged position of coaching an older adult toward digital confidence, remind them of the gains ahead and that the gap from “here” to “there” isn’t nearly as large as they’ve imagined. Whenever possible, point their sights to the proven benefits of stepping off the sidelines and into a connected world.
The post Helping Older Adults Build Strong Digital Literacy Skills appeared first on McAfee Blogs.
