Read Time:6 Second
OIG finds city had no authorized list of vendor signatories when it paid hacker posing as a vendor
Category Archives: News
Assess, Remediate, and Implement with CIS SecureSuite
Read Time:19 Second
The world relies on technology. So, a strong cybersecurity program is more important than ever. The challenge of achieving good cyber hygiene can be especially acute for small- and medium-sized businesses. This is particularly true for those with fully remote or hybrid work environments. Add to the mix limited resources and limited talent focused on cybersecurity, and the challenges can seem overwhelming.
Red Cross Hack Linked to Iranian Influence Operation?
Read Time:6 Minute, 50 Second
A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.
On Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization’s Restoring Family Links services, which works to reconnect people separated by war, violence, migration and other causes.
The same day the ICRC went public with its breach, someone using the nickname “Sheriff” on the English-language cybercrime forum RaidForums advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff’s sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn’t be leaked or sold online.
“Mr. Mardini, your words have been heard,” Sheriff wrote, posting a link to the Twitter profile of ICRC General Director Robert Mardini and urging forum members to tell him to check his email. “Check your email and send a figure you can pay.”
RaidForums member “unindicted” aka Sheriff selling access to the International Red Cross and Red Crescent Movement data. Image: Ke-la.com
In their online statement about the hack (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made.
“In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” the ICRC statement reads.
Asked to comment on Sheriff’s claims, the ICRC issued the following statement:
“Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web.”
The email address that Sheriff used to register at RaidForums — kelvinmiddelkoop@hotmail.com — appears in an affidavit for a search warrant filed by the FBI roughly a year ago. That FBI warrant came on the heels of an investigation published by security firm FireEye, which examined an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States., U.K. and other western audiences.
“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers wrote. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran.”
The FBI says the domains registered by the email address tied to Sheriff’s RaidForums account were used in service of the Liberty Front Press, a network of phony news sites thought to originate from Iran.
According to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at DomainTools.com (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net.
A review of Sheriff’s postings to RaidForum reveals he has used two other nicknames since registering on the forum in December 2021: “Unindicted,” and “threat_actor.” In several posts, Sheriff taunts one FireEye employee by name.
In a Jan. 3, 2022 post, Sheriff says their “team” is seeking licenses for the Cobalt Strike penetration testing tool, and that they’re prepared to pay $3,000 – $4,000 per license. Cobalt Strike is a legitimate security product that is sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses frequently are used in the run-up to ransomware attacks.
“We will buy constantly, make contact,” Sheriff advised. “Do not ask if we still need)) the team is interested in licenses indefinitely.”
On Jan. 4, 2022, Sheriff tells RaidForums that their team is in need of access to a specific data broker platform, and offers to pay as much as $35,000 for that access. Sheriff says they will only accept offers that are guaranteed through the forum’s escrow account.
The demand for escrow in a sales thread is almost universally a sign that someone means business and they are ready to transact on whatever was advertised or requested. That’s because escrow transactions necessarily force the buyer to make a deposit with the forum’s administrators before proceeding on any transaction.
Sheriff appears to have been part of a group on RaidForums that offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data (PDF screenshot from threat intelligence firm KELA). In a “scam report” filed against Sheriff by another RaidForums member on Dec. 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization.
Instead, the claimant maintains, Sheriff only paid them roughly 25 percent. “The company pay $1.35 million ransom and only payment was made of $350k to me, so i ask for $600k to fix this dispute,” the affiliate wrote.
In another post on RaidForums, a user aptly named “FBI Agent” advised other denizens to steer clear of Sheriff’s ransomware affiliate program, noting that transacting with this person could run afoul of sanctions from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) that restrict commerce with people residing in Iran.
“To make it clear, we don’t work with individuals under the OFAC sanctions list, which @Sheriff is under,” the ransomware affiliate program administrator wrote in reply.
RaidForums says Sheriff was referred to the forum by Pompompurin, the same hacker who used a security hole in the FBI’s website last year to blast a phony alert about a cybercrime investigation to state and local authorities. Pompompurin has been quite active on RaidForums for the past few years, frequently posting databases from newly-hacked organizations, and selling access to stolen information.
Reach via Twitter, Pompompurin said they had no idea who might have offered money and information on Sheriff, and that they would never “snitch” on Sheriff.
“I know who he is but I’m not saying anything,” Pompompurin replied.
The information about Sheriff was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. When the person offering the gift asked if it was okay that the money came from a ransomware transaction, I naturally declined the offer.
That person then proceeded to share the information about the connection between Sheriff’s email address and the FBI search warrant, as well as the account’s credentials.
The same identity approached several other security researchers and journalists, one of whom was able to validate that the kelvinmiddelkoop@hotmail.com address actually belonged to Sheriff’s account. Those researchers were likewise offered tainted donations, except the individual offering the donation seemed to use a different story with each person about who they were or why they were offering money. Others contacted by the same anonymous user said they also received unsolicited details about Sheriff.
It seems clear that whoever offered that money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. However, the information they shared checks out, and since there is precious little public reporting on the source of the ICRC intrusion, the potential connection to hacker groups based in Iran seems worth noting.
What’s new in Microsoft’s Sentinel cloud SIEM
Read Time:34 Second
Logging can be the most useful tool in your security arsenal, but it’s something we all tend to overlook and not assign appropriate resources to, as it can use up hard drive storage. Proper logs can provide evidence as to how an incident occurred and what the attacker did.
Too often we don’t keep logs long enough. FireEye indicated that the median dwell time for attackers who use ransomware as their attack tool of choice is 72.75 days. A report on a ransomware attack from last year showed that the attacker lurked in the network for eight weeks before detonating the malware.
Phishing Emails Impersonating LinkedIn Surge by 232% Amid ‘Great Resignation’
Read Time:4 Second
Attackers are increasingly leveraging LinkedIn to socially engineer victims into clicking on phishing links
RSA Advisory Board Discuss Pressing Issues in Cybersecurity
Read Time:5 Second
Three members of the RSA Advisory board offered insights into ransomware, Log4j and supply chain security
Vendors are Fixing Security Flaws Faster
Read Time:59 Second
Google’s Project Zero is reporting that software vendors are patching their code faster.
tl;dr
In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago.
In addition to the average now being well below the 90-day deadline, we have also seen a dropoff in vendors missing the deadline (or the additional 14-day grace period). In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period.
Differences in the amount of time it takes a vendor/product to ship a fix to users reflects their product design, development practices, update cadence, and general processes towards security reports. We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies.
This data aggregation and analysis is relatively new for Project Zero, but we hope to do it more in the future. We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities, as well as more data sharing and transparency in general.
Three things you should know about SASE and SD-WAN
Read Time:4 Minute, 54 Second
As organizations have accelerated their plans to better enable dispersed workforces in a post-pandemic reality, many technology decision-makers are broadly rethinking their network architectures. Inevitably their discussions lead to comparisons and debates over both software-defined wide area network (SD-WAN) and secure access service edge (SASE) technologies.
The similarities of SD-WAN and SASE can sometimes lead people to conflate the two technology categories. After all, both SD-WAN and SASE are network architectural approaches designed to help administrators better manage distributed computing environments. They both enable branch and remote workers to securely connect to enterprise assets with improved performance over legacy MPLS and VPN connections. And both use software-based virtualization to deliver bandwidth optimization and traffic prioritization, as opposed to leaning on traditional on-premises hardware like network routers.
However, SASE offers native security and performance features that extend the value proposition of SD-WAN management. The two technologies handle cloud connections differently and they also tend to support different network topologies. This point is why it is crucial for organizations to understand the differences and the relationship between SASE and SD-WAN.
The following are three big factors that should inform how leaders chart a path for future-proofed connectivity.
SASE encompasses (and extends) SD-WAN principles
Comparing SASE with SD-WAN is no apples-to-apples affair, because in truth SD-WAN functionality is a subset of the broader SASE feature set.
Since SD-WAN first started to gain steam in the early 2010s, the draw has been its ability to optimize traffic across widely dispersed geographic locations, securely terminate traffic, and do it all with the required remediation to different destinations. It does this using a virtualized network control plane that has the flexibility to use a range of transport services, whether broadband internet, MPLS, or LTE, to connect sites and services. That control plane centralizes management and makes it much easier and more affordable for large organizations to unify the connection of branch offices to corporate networks.
The connections are secure, but the sticking point is that SD-WAN is not designed to inspect traffic or apply robust security policies. Security teams still need to layer in a mix of secure web gateways, application firewalls, and cloud controls to achieve their risk management goals. This means that SD-WAN traffic must traverse across a central inspection point for appropriate security controls to preside over it. This greatly limits the secure flexibility of SD-WAN in cloud environments or when connecting remote users or IoT devices to anything other than the main corporate network. This is because all traffic must be backhauled to the corporate network in order for it to be managed from a security perspective, incurring latency and performance problems in the process.
The big difference with SASE is it takes that centralized management principle of SD-WAN and bolsters it with a full slate of security controls that are administered through a cloud-based service that pushes traffic inspection out to the edge.
SASE is designed with key security controls baked in
When Gartner first defined the SASE category back in 2019, it laid out the bare minimum five ingredients that create the category. SASE technology combines SD-WAN network controls with four other security control functions directly baked into the architectural framework:
Secure Web Gateway (SWG),
Cloud access security brokers (CASB),
Zero trust network architecture (ZTNA), and
Firewall as a service (FWaaS)
As SASE technology evolves, other functionality like next generation anti-malware (NGAV) and managed detection and response (MDR) has been added to that mix to create a more complete package of security management capabilities.
SASE topology looks more like a mesh than secured SD-WAN’s hub and spoke
That built-in security functionality is bundled up into a single SASE cloud service that applies the security controls and inspection from a distributed set of SASE points of presence (POPs) located close to the connecting device. In this way, SASE topology looks much more like a mesh than the hub-and-spoke model necessary for secure management of SD-WAN traffic.
This cloud-native model concurrently enables a higher level of security assurance while maximizing performance and operational efficiency in an era of cloud-first, IoT-heavy environments.
SASE unifies management of hybrid environments while dispersing network inspection, and when that’s paired with Artificial Intelligence for IT operations (AIOps) technology, IT teams are able to scale up visibility and management of edge devices. SASE and AIOps together can help organizations automate more management functionality and keep tabs on a diverse portfolio of network devices that keeps getting bigger as IoT devices rapidly proliferate.
Many organizations have delayed their SD-WAN implementation for fear of transitional bumps or shocks. Adding SASE options can sometimes compound that fear and elicit analysis paralysis.
Technology and business leaders should rest easy with the understanding that while SASE does extend SD-WAN principles, there’s no SD-WAN prerequisite for embarking on a SASE journey.
Companies with no SD-WAN infrastructure can reap the benefits of greenfield SASE deployments in as little as six months. In that same vein, it’s important to understand that getting started with SASE is not a big-bang proposition. SASE is not all or nothing and it can most definitely be rolled out incrementally. There is a simple step-by step process that can get an organization where it needs to be to achieve gains in network and application performance, as well as visibility and policy control along the way.
There are options, AT&T can help you systematically move in that direction based on your existing implementations and your goals for security, network performance, and business enablement.
Learn more about how AT&T SASE can help your organization continue your transformative journey toward superior user experience and better protection.
Finance Officer Jailed After Stealing £200,000 from Charity
4 security concerns for low-code and no-code development
Read Time:39 Second
There’s an increased push for what is being dubbed the citizen developer, coupled with the desire to empower application development and creation by non-developers. This is typically facilitated using low-code or no-code frameworks. These frameworks and tools allow non-developers to use a GUI to grab and move components to make business logic friendly applications.
Empowering the broader IT and business community to create applications to drive business value has an obvious appeal. That said the use of low code and no code platforms aren’t without their own security concerns. Much like any other software product, the rigor that goes into developing the platform and its associated code is a concern that shouldn’t be overlooked.