Current events, attacks, news

Ivanti discloses new critical auth bypass bug in MobileIron Core

IT software company Ivanti disclosed today a new critical security vulnerability in its MobileIron Core mobile device management software.

Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting MobileIron Core version 11.2 and older.

Successful exploitation allows attackers to access personally identifiable information (PII) of mobile device users and backdoor compromised servers by deploying web shells when chaining the bug with other flaws.

Ivanti said it would not issue security patches to fix this flaw because it has already been addressed in newer versions of the product, rebranded to Endpoint Manager Mobile (EPMM).

“MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats,” the company said.

“This vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM. Our Support team is always available to help customers to upgrade,” Ivanti said in a separate security advisory.

According to Shodan, more than 2,200 MobileIron user portals are currently exposed online, including over a dozen connected to U.S. local and state government agencies.

Rapid7 security researcher Stephen Fewer, who discovered and reported the bug, provides indicators of compromise (IOCs) to help defenders detect signs of a CVE-2023-35082 attack and urges Ivanti customers to update MobileIron Core software to the latest version immediately.

Caitlin Condon CVE-2023-35078 tweet

Similar Ivanti bugs exploited in attacks since April

Two other security flaws in Ivanti’s Endpoint Manager Mobile (EPMM) (formerly MobileIron Core) have been exploited by state hackers since April, according to a CISA advisory published on Tuesday.

One of the flaws (CVE-2023-35078), a critical authentication bypass, was exploited as a zero-day to breach the networks of multiple Norwegian government entities.

This vulnerability can be chained with a directory traversal flaw (CVE-2023-35081), allowing threat actors with administrative privileges to deploy web shells on compromised systems.

“Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network,” CISA said.

“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”

CISA’s joint advisory with Norway’s National Cyber Security Centre (NCSC-NO) followed orders asking U.S. federal agencies to patch the two actively exploited flaws by August 15 and August 21.

 

(c) Lawrence Abrams

What is Data Security Posture Management (DSPM)?

Data Security Posture Management is an approach to securing cloud data by ensuring that sensitive data always has the correct security posture – regardless of where it’s been duplicated or moved to.

So, what is DSPM? Here’s a quick example:

Let’s say you’ve built an excellent security posture for your cloud data. For the sake of this example, your data is in production, it’s protected behind a firewall, it’s not publicly accessible, and your IAM controls have limited access properly. Now along comes a developer and replicates that data into a lower environment.

What happens to that fine security posture you’ve built? Well, it’s gone – and now the data is only protected by the security posture in that lower environment. So if that environment is exposed or improperly secured – so is all that sensitive data you’ve been trying to protect.

Security postures just don’t travel with their data. Data Security Posture Management (DSPM) was created to solve this problem.

How Does Data Security Posture Management Work?

If we want a data security posture that travels with the data and helps you remediate issues, we need a solution that does three things:

  • Discovers all the data in your public cloud, including shadow data that has been created but isn’t used or monitored.
  • Understands what security posture the data is supposed to have.
  • Prioritizes alerts based on data sensitivity and offers contextualized remediation plans.

Data discovery and classification tools have been around for years. But they’ve lacked the ability to offer any business context. If you can find sensitive data but don’t know whether it’s business critical or not, and don’t understand its security posture, it’s not much help to the security team that’s trying to prioritize thousands of alerts from different tools.

For example, let’s say a data discovery tool finds PII data. You wouldn’t need an alert if it has the proper security posture. A good DSPM solution wouldn’t waste your time with one.
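The three capabilities listed above (discover, know the required posture, prioritize by sensitivity) can be sketched as a small posture-evaluation loop. The following is an added example, not Sentra's product or code: it models the scenario from the introduction, where a PII dataset copied from a hardened production environment into a lower environment loses its posture. The policy table, environment names, controls and datasets are all constructed for the example.

```python
"""
Toy data-security-posture evaluation (added example, not Sentra's code).
A dataset's required controls follow its sensitivity class; a finding is
raised only when the environment the data currently lives in lacks some of
those controls. Everything below (policy, environments, datasets) is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Controls a dataset's environment must enforce, per sensitivity class
# (assumed policy, not taken from the page).
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "pii":      {"not_public", "encrypted", "iam_restricted"},
    "internal": {"not_public"},
    "public":   set(),
}
SEVERITY = {"pii": 3, "internal": 1, "public": 0}


@dataclass
class Environment:
    name: str
    controls: Set[str]              # controls the environment actually enforces


@dataclass
class Dataset:
    name: str
    classification: str             # output of discovery/classification
    environment: str
    copy_of: Optional[str] = None   # provenance: dataset this was replicated from


def missing_controls(ds: Dataset, envs: Dict[str, Environment]) -> Set[str]:
    """Posture gap = controls the data requires minus controls its environment has."""
    return REQUIRED_CONTROLS[ds.classification] - envs[ds.environment].controls


def evaluate(datasets: List[Dataset], envs: Dict[str, Environment]) -> List[dict]:
    """Return findings ordered by data sensitivity. A dataset whose environment
    already satisfies its required posture produces no finding at all, which is
    the 'no alert for properly protected PII' behaviour described in the text."""
    findings = []
    for ds in datasets:
        gap = missing_controls(ds, envs)
        if not gap:
            continue
        findings.append({
            "dataset": ds.name,
            "environment": ds.environment,
            "classification": ds.classification,
            "missing": sorted(gap),
            "severity": SEVERITY[ds.classification],
            "origin": ds.copy_of,   # lets the alert say where the copy came from
        })
    findings.sort(key=lambda f: (-f["severity"], f["dataset"]))
    return findings


# Constructed inventory: prod is hardened; dev is publicly reachable with broad
# IAM, as in the developer-copies-the-data scenario.
ENVS = {
    "prod": Environment("prod", {"not_public", "encrypted", "iam_restricted"}),
    "dev":  Environment("dev", {"encrypted"}),
}
DATASETS = [
    Dataset("customers", "pii", "prod"),
    Dataset("customers-dev-copy", "pii", "dev", copy_of="customers"),
    Dataset("marketing-site", "public", "dev"),
    Dataset("build-logs", "internal", "dev"),
]

if __name__ == "__main__":
    for finding in evaluate(DATASETS, ENVS):
        print(finding)
```

The hardened production copy of the PII produces no finding; the replica in `dev` surfaces first, with the two controls it lost and a pointer back to the dataset it was copied from, which is the context a security team needs to remediate rather than just a raw list of exposed resources.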

Why is Data Security Posture Management So Critical Now?

It’s an answer you’ve heard before: the cloud.

Before widespread adoption of public cloud infrastructure, securing data meant securing your data center with a firewall. Even if your data was copied or moved, it still stayed inside your organization’s data center. There wasn’t a difference between your infrastructure security and your data security. But for cloud-first companies, sensitive data travels constantly across your cloud, to environments with different security postures. So the need arose to build a product that makes sure all this traveling data has the right security posture.

Wait, Doesn’t Cloud Security Posture Management (CSPM) Already Do This?

CSPM solutions are built to secure cloud infrastructure while DSPM is focused on cloud data. The difference is significant. A CSPM is built to find vulnerabilities in cloud resources, like VMs and VPC networks. Some may also be able to provide very basic insights on the data, like identifying PII in text files in VMs and S3 buckets. Beyond these basic abilities, CSPM products are often data agnostic and don’t prioritize remediation based on data sensitivity.

DSPM, on the other hand, is about the data itself. This includes identifying data vulnerabilities like overexposure, access controls, data flows, and anomalies. A DSPM solution connects the dots between data and the infrastructure security, allowing security teams to understand what sensitive data is at risk instead of showing them a list of vulnerabilities to remediate. Essentially, DSPM adds a layer of data security and data context over the infrastructure security.

How Does Data Security Posture Management Understand What Data is Sensitive?

Some data is obviously sensitive – social security numbers, credit card information, and healthcare data for example. These need to be protected not only for security reasons, but to stay compliant with regulations like PCI-DSS, HIPAA, and more.

But a good DSPM solution needs to go beyond this. To truly provide value, it should be able to autonomously draw conclusions about the type of sensitive data it’s finding – and be able to find data that isn’t structured as simply as a credit card number. By understanding and clustering metadata and leveraging ML technologies, DSPMs can find intellectual property, customer data and more that can’t be discovered just from using regular expressions.

Another critical factor is data ownership. DSPM should integrate with data catalogs to understand who is responsible for the data. Finally, there’s the issue of scale. One of the major weaknesses of legacy data discovery and classification solutions is that they aren’t able to scan and classify at the scale of modern cloud infrastructures. DSPM must be able to scan petabytes of data effectively and efficiently, to ensure everything is discovered, without breaking your cloud bill.

Conclusion: DSPM = Security that Travels with Your Data

Data Security Posture Management is new, and with that comes the natural skepticism of ‘do we really need another security acronym?’ But DSPM is solving real security problems caused by the move to the cloud and can help prevent major data breaches.

Customer information, company secrets, and source code leaks aren’t caused by initial failures to protect sensitive data. They’re caused by the ease with which data is replicated and moved around – without the security posture following. Data Security Posture Management promises to make sure that wherever your data travels in the cloud – your security posture follows and data risks are minimized.

To learn more about DSPM and how Sentra can help find, classify and secure your cloud data, get a demo here.

 

(c) Thin

Almost every second hacked company in Germany paid a ransom to cyber criminals

Cybercrime is not only a danger for companies, but also an alarmingly successful business model: a ransomware attack led to a ransom payment for almost every second company in Germany (45%).

For smaller companies with up to 1,000 employees, it was even more than half, at 55 percent. This is the result of a SoSafe survey of more than 1,000 security officers from six European countries, which was published in the Human Risk Review 2023.

Compared to other European companies, companies in Germany pay more often than those in the UK (38%) and France (30%). In contrast, more ransom payments are made by Dutch companies (46%). Ransomware also remains one of the most common types of cyberattacks, according to the research: one in three organizations (32%) that have been the victim of a cyberattack in the past three years was attacked with ransomware. “The number of ransomware attacks is alarmingly high. The fact is, ransomware is worthwhile for the attackers and will therefore remain an integral part of their repertoire,” says Dr. Niklas Hellemann, CEO and founder of SoSafe.

Ransomware-as-a-Service – a menacing trend

One of the reasons for this development is the professionalization of cybercrime. Cyber criminals are constantly evolving their business models and deploying their malware via “ransomware-as-a-service” (RaaS) on the Dark Web, paid for in cryptocurrency and theoretically accessible to everyone, complete with different subscription models and their own customer support. Even laypeople without IT or hacking knowledge can carry out highly effective blackmail attacks. New technologies also accelerate this process. In particular, artificial intelligence (AI) and tools such as ChatGPT offer cyber criminals enormous potential for scaling their cyber attacks; initial studies by SoSafe, for example, show a time saving of at least 40 percent in phishing attacks, the main gateway for ransomware.

“The emergence and evolution of the ransomware-as-a-service business model demonstrates how cybercriminals are adapting and diversifying their business strategies to expand their illegal activities. And these ransomware attacks can be very harmful,” says Hellemann. “Recent IBM research shows that a successful ransomware incident costs organizations an average of $4.54 million, not including ransom demands. It can be expected that this type of attack will become more numerous and widespread in the future. It is all the more important to optimize your own security strategy and keep up with the innovations of the digital age. For this, investments should not only be made in new tools and technologies, but above all in the human factor,

Tips for dealing with ransomware attacks

Preventing ransomware attacks is a daunting task. However, security measures focus not only on prevention but also on mitigating the potential consequences of a security incident. In the case of a ransomware attack, the main concern is protection against data loss. Companies can take the following measures:

  • the restriction of the administrative rights of employees,
  • the review and implementation of effective password policies and
  • the introduction of strict access management at the server level.

Since many ransomware and phishing attacks primarily target the human security layer and often start with some form of social engineering, an effective cybersecurity strategy must also include regular awareness training. By promoting the security behavior of their employees and strengthening their resilience, organizations can minimize the risk of a cyber attack.

 

(c) it-daily

New Realst macOS malware steals your cryptocurrency wallets

A new Mac malware named “Realst” is being used in a massive campaign targeting Apple computers, with some of its latest variants including support for macOS 14 Sonoma, which is still in development.

The malware, first discovered by security researcher iamdeadlyz, is distributed to both Windows and macOS users in the form of fake blockchain games using names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.

These games are promoted on social media, with the threat actors using direct messages to share access codes required to download the fake game client from associated websites.

Access codes allow the threat actors to vet those they wish to target and avoid security researchers who want to reveal malicious behavior.

In reality, the game installers infect devices with information-stealing malware, such as RedLine Stealer on Windows and Realst on macOS. This type of malware will steal data from the victim’s web browsers and cryptocurrency wallet apps and send them back to the threat actors.

One of the fake games installing Realst (source: iamdeadlyz.gitbook.io)

SentinelOne analyzed 59 Mach-O samples of the Realst malware found by iamdeadlyz, focusing on its macOS versions, and found several distinct differences.

This allowed the researchers to identify 16 variants of the macOS malware, a sign of active and rapid development.

The Realst Mac malware

When downloading the fake game from the threat actor’s site, visitors are offered either Windows or macOS malware, depending on their operating system.

The Windows malware is typically RedLine Stealer, but sometimes other malware like Raccoon Stealer and AsyncRAT.

For Mac users, the sites will distribute the Realst info-stealing malware, which targets Mac devices as PKG installers or DMG disk files containing the malicious Mach-O files but no real games or other decoy software.

Files in the downloaded archive (SentinelOne)

The “game.py” file is a cross-platform Firefox infostealer and “installer.py” is “chainbreaker,” an open-source macOS keychain database password, keys, and certificates extractor.

SentinelOne found that some samples are codesigned using valid (now revoked) Apple Developer IDs, or ad-hoc signatures, to bypass detection from security tools.

The variants

All 16 distinct Realst variants analyzed by SentinelOne are fairly similar in form and function, although they utilize different API call sets.

In all cases, the malware targets Firefox, Chrome, Opera, Brave, Vivaldi, and the Telegram app, but none of the analyzed Realst samples target Safari.

“Most variants attempt to grab the user’s password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model,” explains SentinelOne in the report.

“Collected data is dropped in a folder simply named “data” [which] may appear in one of several locations depending on the version of the malware: in the user’s home folder, in the working directory of the malware, or in a folder named after the parent game.”
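The two host behaviours SentinelOne quotes above (an osascript-driven password dialog and the `sysctl -n hw.model` virtual-machine check) are each weak signals on their own but stand out when they come from the same parent process. The following is an added example, not code from SentinelOne's report or the malware: a small detection pass over constructed, tab-separated process-execution events that scores children per parent PID and alerts when the combined score crosses a threshold. The event format, sample lines, rule weights and threshold are all constructed.

```python
"""
Added example (not SentinelOne's code): correlate the osascript password
prompt and the `sysctl -n hw.model` VM check per parent process. Event
format: ts \t pid \t ppid \t image \t cmdline (constructed for this example).
"""
import re
from collections import defaultdict
from typing import Dict, List

# (rule name, regex over the command line, weight). The dialog rule looks for
# the textbook AppleScript tell-tale of a hidden-answer password prompt.
RULES = [
    ("osascript_password_prompt",
     re.compile(r"\bosascript\b.*\bdisplay dialog\b.*\bhidden answer\b", re.I), 5),
    ("vm_check_hw_model",
     re.compile(r"\bsysctl\s+-n\s+hw\.model\b"), 2),
]
ALERT_THRESHOLD = 5   # assumed: one osascript prompt, or prompt + VM check, alerts


def parse_event(line: str) -> dict:
    ts, pid, ppid, image, cmdline = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid),
            "image": image, "cmdline": cmdline}


def score_parents(lines: List[str]) -> Dict[int, dict]:
    """Accumulate rule hits and weights per parent PID."""
    per_parent: Dict[int, dict] = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rx, weight in RULES:
            if rx.search(ev["cmdline"]):
                entry = per_parent[ev["ppid"]]
                entry["score"] += weight
                entry["hits"].append((name, ev["pid"]))
    return dict(per_parent)


def alerts(lines: List[str]) -> Dict[int, dict]:
    """Parents whose children's combined score reaches the threshold."""
    return {ppid: info for ppid, info in score_parents(lines).items()
            if info["score"] >= ALERT_THRESHOLD}


# Constructed sample events: parent 500 is a suspicious "game" binary; 600 is a
# build tool showing a normal notification; 620 is a benign inventory tool that
# only queries the hardware model.
SAMPLE_EVENTS = [
    "\t".join(["2023-07-24T10:01:02Z", "512", "500", "/usr/sbin/sysctl",
               "sysctl -n hw.model"]),
    "\t".join(["2023-07-24T10:01:03Z", "513", "500", "/usr/bin/osascript",
               "osascript -e 'display dialog \"macOS needs your password\" "
               "default answer \"\" with hidden answer'"]),
    "\t".join(["2023-07-24T10:05:00Z", "601", "600", "/usr/bin/osascript",
               "osascript -e 'display notification \"Build finished\"'"]),
    "\t".join(["2023-07-24T10:06:00Z", "602", "620", "/usr/sbin/sysctl",
               "sysctl -n hw.model"]),
]

if __name__ == "__main__":
    for ppid, info in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT parent pid {ppid}: score={info['score']} hits={info['hits']}")
```

Only parent 500 alerts: the lone `sysctl` query from parent 620 scores 2 and stays below the threshold, which matters because plenty of legitimate software reads `hw.model`. In a real EDR pipeline the parent image path and the location of the dropped “data” folder mentioned in the report would be further fields to join on.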

The 16 distinct variants are categorized into four main families based on their traits, namely A, B, C, and D.

Family A, which has the most samples in circulation, uses “AppleScript spoofing” to trick the victim into typing their admin password on a dialog box.

Code to generate password-stealing dialog (SentinelOne)

Family B is similar to A and also uses password spoofing but divides the relevant strings into smaller units to evade simple static detection.

Family C also has a reference to chainbreaker within the binary itself, which allows it to extract data from the system’s keychain database.

Chainbreaker reference in the family C binary (SentinelOne)

Finally, Family D uses the Terminal window to prompt the victim to enter their password, which is used to dump saved credentials stored in Keychain.

Installing pycryptodome (SentinelOne)

In some cases, Family D leverages the acquired password to gain admin privileges on the system and install the Python cryptography library “pycryptodome,” which is also used to dump credentials from the Keychain.

Roughly 30% of the samples from families A, B, and D contain strings that target the upcoming macOS 14 Sonoma.

Sonoma references in the code (SentinelOne)

The presence of those strings shows that the malware authors are already preparing for Apple’s forthcoming desktop OS release, ensuring that Realst will be compatible and working as expected.

MacOS users are advised to be cautious with blockchain games, as those distributing Realst use Discord channels and “verified” Twitter accounts to create a false image of legitimacy.

Furthermore, as these games specifically target cryptocurrency users, the main goal is likely to steal crypto wallets and the funds within them, leading to costly attacks.

 

(c) Sergiu Gatlan

Super Admin elevation bug puts 900,000 MikroTik devices at risk

A critical severity ‘Super Admin’ privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected.

The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to “super-admin” via the device’s Winbox or HTTP interface.

A VulnCheck report published today explains that while CVE-2023-30799 requires an existing admin account to exploit, this is not a high bar to clear.

This is because the MikroTik RouterOS operating system does not prevent password brute-force attacks and comes with a well-known default “admin” user.

“‘En masse’ exploitation is going to be more difficult since valid credentials are required. However, as I outlined in the blog, the routers lack basic protections against password guessing,” VulnCheck researcher Jacob Baines told BleepingComputer.

“We intentionally didn’t release a proof-of-concept exploit, but if we had, I have no doubt that the exploit would have been successfully used in the wild quickly after the blog was released.”

A large-scale problem

The MikroTik CVE-2023-30799 vulnerability was first disclosed without an identifier in June 2022, and MikroTik fixed the issue in October 2022 for RouterOS stable (v6.49.7) and on July 19, 2023, for RouterOS Long-term (v6.49.8).

VulnCheck reports that a patch for the Long-term branch was made available only after they contacted the vendor and shared new exploits that targeted MikroTik hardware.

The researchers used Shodan to determine the flaw’s impact and found that 474,000 devices were vulnerable as they remotely exposed the web-based management page.

However, as this vulnerability is also exploitable over Winbox, a MikroTik management client, Baines found that 926,000 devices were exposing this management port, making the impact far larger.

Detected RouterOS versions (VulnCheck)

The CVE-2023-30799 vulnerability

While exploiting this vulnerability requires an existing admin account, it elevates you to a higher privilege level called “Super Admin.”

Unlike the admin account, which offers restricted elevated privileges, Super Admin gives full access to the RouterOS operating system.

“By escalating to super admin, the attacker can reach a code path that allows them to control the address of a function call,” Baines told BleepingComputer.

“Super admin is not a privilege given to normal administrators, it’s a privilege that is supposed to be given to certain parts of the underlying software (specifically, in this case, to load libraries for the web interface), and not to actual users.”

This makes the vulnerability valuable to threat actors wishing to “jailbreak” the RouterOS device to make significant changes to the underlying operating system or hide their activities from detection.

To develop an exploit for CVE-2023-30799 that obtains a root shell on MIPS-based MikroTik devices, VulnCheck’s analysts used Margin Research’s FOISted remote RouterOS jailbreak exploit.

The new exploit developed by VulnCheck bypasses the requirement for FTP interface exposure and is not impacted by blocking or filtering of bindshells, as it uses the RouterOS web interface to upload files.

Finally, VulnCheck identified a simplified ROP chain that manipulates the stack pointer and the first argument register and calls dlopen, the instructions for which are present in three functions across different RouterOS versions, ensuring broad applicability.

The exploit still requires authentication as “admin,” however, VulnCheck explains that RouterOS ships with a fully functional admin user by default, which nearly 60% of MikroTik devices still use despite the vendor’s hardening guidance suggesting its deletion.

Moreover, the default admin password was an empty string until October 2021, when this issue was fixed with the release of RouterOS 6.49.

Finally, RouterOS does not impose admin password strengthening requirements, so users may set anything they like, which makes them susceptible to brute-forcing attacks, for which MikroTik does not offer any protection except on the SSH interface.

“All of this is to say, RouterOS suffers from a variety of issues that make guessing administrative credentials easier than it should be,” comments VulnCheck.

“We believe CVE-2023-30799 is much easier to exploit than the CVSS vector indicates.”

Patch your devices

MikroTik devices have been targeted by malware many times and inadvertently helped build record-breaking DDoS swarms like the Mēris botnet.

Users need to move quickly to patch the flaw by applying the latest update for RouterOS, as attempts to exploit the flaw are bound to increase soon.

Mitigation advice includes removing administrative interfaces from the internet, restricting login IP addresses to a defined allow-list, disabling Winbox and using only SSH, and configuring SSH to use public/private keys instead of passwords.

 

(c) Sergiu Gatlan

Lazarus hackers linked to $60 million Alphapo cryptocurrency heist

Blockchain analysts blame the North Korean Lazarus hacking group for a recent attack on payment processing platform Alphapo where the attackers stole almost $60 million in crypto.

Alphapo is a centralized crypto payment provider for gambling sites, e-commerce subscription services, and other online platforms, which was attacked on Sunday, July 23rd, with the initial stolen amount estimated to be $23 million.

This theft included over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, and 1,700 DAI, all drained from hot wallets, likely made possible by a leak of private keys.

Well-known crypto chain investigator “ZachXBT” warned yesterday that the attackers also drained an additional $37M of TRON and BTC, as seen on Dune Analytics data, raising the total amount stolen from Alphapo to $60,000,000.

ZachXBT tweet

Moreover, ZachXBT claimed that the attack appears to carry characteristics of a Lazarus heist and backed the claim by saying that Lazarus creates “a very distinct fingerprint on-chain,” but no further details were provided.

The Lazarus Group is a North Korean threat actor with ties to the North Korean government, previously linked to the $35 million Atomic Wallet heist, the $100 million Harmony Horizon hack, and the $617 million Axie Infinity theft.

Typically, Lazarus uses fake job offers to lure employees of crypto firms to open infected files, compromising their computers and losing account credentials.

This creates an attack avenue into the victim’s employer network, where they can get unauthorized access and meticulously plan and execute attacks costing millions of dollars.

Analysts tracking the movement of the stolen funds to cryptocurrency exchanges report seeing laundering attempts through Bitget, Bybit, and others. At the same time, Lazarus is also known for using small cryptocurrency mixing services.

Dave Schwed, COO of blockchain security company Halborn, told BleepingComputer that the attackers likely stole private keys, allowing access to the wallets.

While we lack specifics, it seems that the alleged “hack” likely pertains to the theft of private keys. This inference comes from observing the movement of funds from independent hot wallets and the sudden halting of trading. Moreover, the subsequent transactions have led ZachXBT, a renowned “on-chain sleuth”, to surmise that North Korea’s notorious Lazarus group is the perpetrator of this attack.

Given their history of similar exploits, I find myself agreeing with this theory. – D. Schwed

At this time, BleepingComputer has not been able to independently confirm the involvement of the North Korean threat group in the Alphapo hack with blockchain analysis firms or law enforcement agencies.

We will update this post as soon as we know more.

 

(c) Sergiu Gatlan

Ukraine takes down massive bot farm, seizes 150,000 SIM cards

The Cyber Police Department of the National Police of Ukraine dismantled another massive bot farm linked to more than 100 individuals after searches at almost two dozen locations.

The bots were used to push Russian propaganda justifying Russia’s war in Ukraine, to disseminate illegal content and personal information, and in various other fraudulent activities.

In a joint operation, the cyber police and units of the Ukrainian National Police executed 21 search operations in Vinnytsia, Zaporizhzhia, and Lviv.

They seized computer equipment, mobile phones, over 250 GSM gateways, and roughly 150,000 SIM cards of multiple mobile operators.

Cyber Police bot farm searches (Ukraine’s Cyber Police)

”The cyber police established that the attackers used special equipment and software to register thousands of bot accounts in various social networks and subsequently launch advertisements that violated the norms and legislation of Ukraine,” a cyber police press release reads [machine translation].

“In addition to spreading hostile propaganda, the accounts were also used for unauthorized distribution of personal data of Ukrainian citizens on the Internet, in Internet fraud schemes, and for sending known false messages about threats to citizens’ safety, destruction or damage to property.”

Russian disinformation bot farms dismantled

Since the start of the war in Ukraine, Russian threat actors have been involved in disinformation campaigns targeting Ukraine and have invested in Ukraine-based bot farms.

For instance, in September 2022, the Cyber Department of the Ukrainian Security Service (SSU) took down another army of thousands of bots spreading Russian disinformation across multiple messaging platforms and social networks.

In August 2022, the Ukrainian cyber police dismantled a massive bot farm of more than 1,000,000 bots that was also used to spread Russian disinformation and fake news on social networks.

Months earlier, the SSU also announced it shut down five fake news networks controlling over 100,000 fake social media accounts.

These disinformation bot farms operated from Kharkiv, Cherkasy, Ternopil, and Zakarpattia to discourage Ukrainians and instill panic by pushing false information about the Russian invasion of Ukraine.

Ukraine’s President Volodymyr Zelenskyy was also targeted in several misinformation campaigns, two of them pushing video deepfakes on Facebook and hacked Ukrainian radio stations to spread fake news that Zelenskyy was in critical condition—Russian threat actors are believed to be behind both.

 

(c) Lawrence Abrams

Check Point warns of countless fake websites on Amazon Prime Day

Almost 1,500 new fake domains

The security researchers have discovered almost 1,500 risky fake domains and expect a new high in phishing attacks on Amazon Prime Day this year.

Since its inception in 2015, Amazon Prime Day has been a shopping extravaganza eagerly awaited by many customers with its exclusive offers and discounts. This year, Amazon Prime Day falls on July 11th and 12th and, according to the online retailer, has reached a new high in 2022: Prime members worldwide purchased more than 300 million items during Prime Day 2022. Amid the excitement, however, there is a risk that cannot be ignored: cybercriminals are using this opportunity to launch phishing attacks and lure unsuspecting shoppers. Attackers use a variety of fraudulent tactics to do this. They send fake emails or create fake websites to steal personal information or financial credentials.

Alarming insights into domain registration and phishing attacks

This year, Check Point Research (CPR) found 16 times more malicious phishing attacks related to Amazon Prime in June than in May. The overall increase in all Amazon-related phishing attacks was 8 percent. During that period, there were nearly 1,500 new domains containing the term “Amazon,” of which 92 percent were classified as risky—meaning either malicious or suspicious.

1 out of 68 new domains associated with the keyword “Amazon” was also associated with “Amazon Prime”. About 93 percent of these domains were classified as risky.

How phishing works

The basic element of a phishing attack is a message sent via email, social media, or other electronic means of communication.

A “phisher” may use public resources, particularly social media, to gather background information about their victim’s personal and professional experiences. These sources are used to collect information such as the potential victim’s name, job title, and email address, as well as their interests and activities. The “phisher” can then use this information to create a fake message.

Usually, the emails that the victim receives appear to come from a known contact or organization. The attacks are carried out via infected attachments or links to malicious websites. Attackers often set up fake websites that appear to belong to a trusted entity, such as the victim’s bank, workplace, or university. Attackers then use these websites to try to collect private information such as usernames and passwords or payment information. Some phishing emails can be recognized by poorly written text and improper use of fonts, logos, and layouts. However, many cybercriminals are becoming more sophisticated when it comes to crafting authentic-looking messages,

Here’s how to stay safe when shopping online on Amazon Prime Day

To help online shoppers stay safe this year, Check Point researchers have compiled some safety and protection tips:

  1. Watch out for misspellings of Amazon.com. Look for misspelled domains or sites that use a top-level domain other than .com, for example amazon.co instead of amazon.com. The offers on these imitation sites can look just as attractive as on the real one; that is how the attackers trick consumers into handing over their details.
  2. Create a strong Amazon.com password ahead of Prime Day. Once an attacker is inside your account, it is too late. Set a long, unique password (a password manager helps) well before July 11th, and turn on Amazon’s Two-Step Verification so that a stolen password alone is not enough to log in.
  3. Look for the lock, but do not rely on it. Never enter payment details on a site served over plain HTTP: look for “https://” and the closed padlock that browsers show to the left of the URL in the address bar. A missing lock is an important warning sign. The reverse does not hold, however: the padlock only means the connection is encrypted (TLS, the successor of SSL) and that the certificate matches the domain you are on. Phishing sites routinely obtain free certificates, so a lock on an imitation domain proves nothing about who runs it.
  4. Share only what is necessary. No online retailer needs your birthday or social security number to do business with you. The more attackers know, the more they can do with your identity. Share only what is strictly necessary when it comes to your personal information.
  5. Always pay attention to the language in the email. Social engineering techniques are designed to exploit human nature: people make more mistakes when they are in a hurry, and they tend to follow instructions from those in (perceived) positions of authority. In phishing attacks, these techniques are used to persuade the target to ignore their suspicions about an email and click a link or open an attachment.
  6. Beware of bargains that are too good to be true. Discounts are hard to resist because Prime Day is all about cheap deals, but if an offer looks too good to be true, it probably is. Go with your gut: an 80 percent discount on the new iPad is not usually a reliable or trustworthy buying opportunity.
  7. Stick to credit cards. During Prime Day, it is best to pay by credit card. Because debit cards draw directly on your bank account, stolen card details expose you to far greater loss. If a card number is stolen, credit cards offer more protection and less liability.
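As an added example (this is not part of the Check Point tips or of the original article), the following Python code applies tip 1 mechanically: it normalizes a URL’s host, reduces it to the registrable domain, and flags swapped top-level domains, brand names buried in subdomains, digit or Cyrillic look-alike characters, and one- or two-character typos. The protected brand, the allow-list of genuine domains, the small public-suffix table, the confusable table and the edit-distance threshold are all assumptions of this example, and the URLs in the demo are constructed.

```python
"""Lookalike-domain check for the Prime Day tips (added example, not the
article's own code). Heuristics, tables and thresholds are this example's
assumptions; a production check would use the full Public Suffix List and
a complete confusables table."""
import unicodedata
from urllib.parse import urlsplit

BRAND = "amazon"                                      # brand label we protect (assumption)
LEGIT = {"amazon.com", "amazon.de", "amazon.co.uk"}   # allow-list of genuine domains (assumption)

# Two-label public suffixes this example knows about.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Characters phishers substitute for look-alike ASCII letters (digits and
# Cyrillic а/о/е, which render like Latin a/o/e).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a",
                             "\u0430": "a", "\u043e": "o", "\u0435": "e"})


def normalize(host: str) -> str:
    """Lower-case, decode punycode (xn--) labels and fold compatibility forms."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")    # xn-- labels -> Unicode
    except UnicodeError:
        pass                                          # already Unicode or malformed
    return unicodedata.normalize("NFKC", host)


def registrable_domain(host: str) -> str:
    """Return the 'example.tld' part of host, honouring the listed 2-label suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the host in url."""
    host = normalize(urlsplit(url).hostname or "")
    reg = registrable_domain(host)
    if reg in LEGIT:
        return "legit"
    # 1. Brand name anywhere else: swapped TLD (amazon.co) or buried in a
    #    subdomain (amazon.com.evil.xyz). Anything off the allow-list counts.
    if BRAND in host:
        return "lookalike"
    second_level = reg.split(".")[0]
    # 2. Look-alike characters: amaz0n.com, аmazon.com (Cyrillic а), arnazon.com.
    folded = second_level.translate(CONFUSABLES).replace("rn", "m")
    if BRAND in folded:
        return "lookalike"
    # 3. Typosquats one or two edits away: amazn.com, amazom.com.
    if levenshtein(second_level, BRAND) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs, not observed phishing domains.
    for sample in ("https://www.amazon.com/dp/B0", "https://amazon.co/deals",
                   "http://amazon.com.evil.xyz/login", "https://amaz0n.com",
                   "https://arnazon.com", "https://\u0430mazon.com",
                   "https://amazn.com", "https://ebay.com"):
        print(f"{sample:40} {classify(sample)}")
```

The allow-list is deliberately strict: a genuine regional storefront that is not listed (amazon.com.au, say) is reported as a lookalike, which is the safe failure mode for a blocklist feed but means the list must be maintained. The edit-distance threshold of 2 also catches words such as “amazing”; lowering it to 1 trades recall for fewer false positives.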

 

(c) Herbert Wieler

Complex IT environments complicate the integrity of devices and applications

Spending on cyber security solutions has exploded in recent years. Tens of billions of dollars are now spent every year on new tools to protect companies from the threat of cybercriminals. Although the move toward greater prevention and protection is fundamentally positive, attackers are becoming more sophisticated and finding new ways to penetrate organizations.

Torsten George, VP at Absolute Software, explores the question of how companies can guarantee the integrity of devices and applications even with growing IT environments:

Research shows that cyber attacks increased by 77 percent between 2021 and 2022, and the examples we are constantly presented with remind us that organizations still face threats despite having security strategies in place. This is often due to the complexity of enterprise endpoint environments and the fragility of mission-critical security controls. The general health and resilience of devices and applications also play a role.

With an ever-evolving threat landscape, one-time investments in cyber security are simply not enough. Continuous visibility into, and monitoring of, the current state of applications and devices is necessary to strengthen the protection of companies and their IT assets. And even then, there is no foolproof way to stop cybercriminals.

Organizations need to understand the growing threats they face and take the measures necessary to protect themselves, their users, devices and sensitive data effectively. The impact of attacks on IT systems can be severe, and organizations are permanently exposed to enormous financial and reputational loss. Keeping pace with this requires constantly increasing effort; introducing effective and reliable security measures once will not be enough on its own.

The fundamental challenge

Enterprises continually face challenges in managing their complex endpoint environments. We live in a work-from-anywhere world in which working five days a week within the four walls of a company is no longer the sole norm. While this shift brings many benefits, it also means that a company’s devices are more dispersed than ever before.

Companies are therefore now faced with the challenge of not only strictly controlling the devices, but also the applications on them. The ever-increasing number of applications makes the work of the security teams more and more difficult.

When companies invest in cyber security, it usually involves several different kinds of software that together form a complete security posture. These are purpose-built technologies for protecting endpoints from potential threats, for example Unified Endpoint Management (UEM), Virtual Private Networks (VPN), Endpoint Detection and Response (EDR) and Zero Trust Network Access (ZTNA).

Enterprise devices typically have various security controls installed, as well as a variety of business and productivity applications, including those used by the enterprise and those downloaded by end users. Security teams have an overall responsibility to protect all of these applications equally.

While security software is meant to run as thoroughly and reliably as possible, no application is inherently immune to failure: its normal state can be degraded by many factors, from deliberate tampering by an attacker to the simple fact that the software is out of date.

Research by Absolute Software, which monitored the health of security applications, found that applications are only working effectively on less than 80 percent of devices, and in some cases as little as 35 percent.

Organizations may believe they have effective security controls in place, but if they lose sight of those controls’ current state, it can quickly deteriorate. The investments made to protect data risk being wasted, and unhealthy endpoints give attackers an entry point to steal valuable data.

Endpoints are particularly vulnerable

The strength of an organization’s security posture is directly related to the health and resilience of devices and applications. Due to the high level of fragmentation in this sector, the average enterprise device is often months behind when it comes to installing the latest security patches.

Research has shown that 20,265 new software vulnerabilities were identified and reported in 2022, compared with 20,171 in all of 2021. While the increase may seem small, meaningfully addressing all of these vulnerabilities requires security teams to closely monitor and update every single endpoint in an organization.

Not only does this take a lot of time; in a labour market short of cyber security knowledge and experience, the resources and skills needed to keep up are not always available.

For devices running Windows 10, for example, Microsoft releases new updates every month on Patch Tuesday. But despite their general availability, updates are often neglected because companies are overwhelmed by the task of keeping every device current with each month’s security fixes.

While it may be easy for organizations to let this monthly cycle slip, doing so exposes them to additional threats and generally reduces the effectiveness of their security measures. Exploit code for known vulnerabilities is routinely published on the Internet, so anyone can use it against a company’s devices if those vulnerabilities are not patched promptly. Skipping patches simply makes the attacker’s job easy.

Self-healing capabilities relieve security teams

Even if it is not a realistic goal to be able to prevent cyber attacks in principle and completely, all companies should take measures to reduce the risk of an attack as much as possible. To make this a reality, priority should be given to visibility, control, and self-healing capabilities across endpoints.

This includes knowing how many devices are still running outdated applications and understanding the risks this brings. But even companies that are aware of the problem often fail to act on it. This is where self-healing solutions come into play: they can take over this task for the company.

Self-healing technologies not only monitor the health of endpoints and applications but also repair or reinstall them when necessary, without the user or the IT team having to intervene. This keeps devices secured and important security controls up to date and working reliably.

It is in everyone’s interest to put security measures in place that not only continuously monitor a device but also keep themselves up to date automatically. They offer companies the best chance of protecting themselves effectively against cyber criminals.

 

(c) it-daily

South Korea sets independent sanctions for crypto theft against North Korea

The sanctions against several well-known individuals and hacking groups came just hours after South Korea announced a joint cyber venture with U.S. intelligence agencies against ransomware threats.

South Korea announced its first independent sanctions related to cryptocurrency thefts and cyberattacks against specific North Korean groups and individuals.

According to Seoul’s Ministry of Foreign Affairs, four North Korean individuals and seven businesses have been placed on a blacklist for their alleged involvement in cyberattacks and cryptocurrency theft. The blacklisted individuals include the infamous Park Jin-hyok, Jo Myong-rae, Song Rim and Oh Chung-Seong.

The most notorious of the four, Park, works in information technology for Chosun Expo Joint Venture, a front company linked to North Korea’s Lazarus Group. He is known for his part in the 2017 WannaCry ransomware attack and the November 2014 cyberattack on Sony Pictures Entertainment. The U.S. Treasury sanctioned him in 2018.

According to information provided by the foreign ministry, North Korean hackers have stolen virtual assets worth over $1.2 billion since 2017, including $626 million in 2022. As Cointelegraph reported, a confidential United Nations report has revealed North Korean hackers stole more crypto assets in 2022 than in any other year. The U.N. report put the theft amount between $650 million and $1 billion.

The independent sanctions against North Korean hackers and hacker groups come just hours after South Korea and the United States announced a joint cybersecurity venture against ransomware attacks. The National Intelligence Service of South Korea, in coordination with the National Security Agency and other U.S. intelligence organizations, released a joint cybersecurity alert on the threat posed by ransomware from North Korea.

These cyber activities, which are frequently connected to the Reconnaissance General Bureau — North Korea’s military intelligence agency — are thought to be one of the country’s main sources of funding for its nuclear and missile programs despite the country being subject to severe international sanctions.

 

(c) PRASHANT JHA