Finite State Raises $20 Million to Grow Software Supply Chain Security Business

Software risk management firm Finite State has raised a $20 million growth round led by Energy Impact Partners (EIP).


SecurityWeek – Read More

German Authorities Shut Down Online Marketplace for Drugs, Data and Cybercrime Services

German authorities took down the Nemesis Market, a major online marketplace for drugs, cybercrime services and stolen credit card data.


SecurityWeek – Read More

Apple Stingy With Details About Latest iOS Update

The security update comes just weeks after the release of iOS 17.4, but Apple has not included CVEs or information about the fixes.

darkreading – Read More

Mozilla Drops Onerep After CEO Admits to Running People-Search Networks

The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.

Mozilla Monitor. Image: Mozilla Monitor Plus video on YouTube.

Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or passwords are leaked in data breaches.

On March 14, KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder Dimitri Shelest has launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.

But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 — around the same time he launched Onerep.

Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).

Onerep CEO and founder Dimitri Shelest.

In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.

“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla wrote. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.”

KrebsOnSecurity also reported that Shelest’s email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.

Shelest denied ever being associated with Spamit. “Between 2010 and 2014, we put up some web pages and optimize them — a widely used SEO practice — and then ran AdSense banners on them,” Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). “As we progressed and learned more, we saw that a lot of the inquiries coming in were for people.”

Shelest also acknowledged that Onerep pays to run ads “on a handful of data broker sites in very specific circumstances.”

“Our ad is served once someone has manually completed an opt-out form on their own,” Shelest wrote. “The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep.”

Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO’s many conflicts of interest.

“I knew Mozilla had this in the works and we’d casually discussed it when talking about Firefox monitor,” Hunt told KrebsOnSecurity. “The point I made to them was the same as I’ve made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can’t remove it from the outright illegal ones who are doing the genuine damage.”

Playing both sides — creating and spreading the same digital disease that your medicine is designed to treat — may be highly unethical and wrong. But in the United States it’s not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called “public” or “government” records from consumer privacy laws.

Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.

The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight — if not regulation — on consumer data protection and privacy.

On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S. based data brokers that sell personal information on Americans.

Krebs on Security – Read More

AWS CISO: Pay Attention to How AI Uses Your Data

Amazon Web Services CISO Chris Betz explains why generative AI is both a time-saving tool as well as a double-edged sword.

darkreading – Read More

Russian APT Releases More Deadly Variant of AcidRain Wiper Malware

New AcidPour variant can attack a significantly broader range of targets including IoT devices, storage area networks, and handhelds.

darkreading – Read More

Accenture’s $1 billion LearnVantage platform tackles the growing AI skills gap

Accenture’s $1 billion investment in LearnVantage, an AI-powered learning platform, aims to bridge the growing skills gap and help businesses upskill their workforces to capitalize on emerging technologies like generative AI, cloud computing, and cybersecurity.

Security News | VentureBeat – Read More

Thousands of WordPress Websites Hacked with New Sign1 Malware

By Waqas

Using a WordPress website? Look out for Sign1 malware!


Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

New Details on TinyTurla’s Post-Compromise Activity Reveal Full Kill Chain

Talos’ analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO).

Cyware News – Latest Cyber News – Read More

Ways to detect and curb Living off the Land (LotL) attacks | Kaspersky official blog

Should serious-minded attackers choose your company specifically as a target, they’d certainly be looking to gain a long-term, persistent presence in your infrastructure. Some would deploy high-end malware to achieve this – but others prefer not to. Many, in fact, prefer to attack companies by exploiting vulnerabilities, stolen credentials, and legitimate programs that are already in the system. This technique – known as Living off the Land (LotL) – has many advantages from an attacker’s point of view:

Malicious activity blends in with everyday network and administrative activities.
Tools already installed on computers are less likely to trigger endpoint protection (EPP).
There’s no need to spend time and resources on developing one’s own malicious tools.
Such activity doesn’t produce obvious indicators of compromise (IoC), making it hard to trace malicious activity and compare attacks across organizations.
Many companies fail to collect and store information about network monitoring and day-to-day network activity in sufficient detail, so it’s impossible to track the evolution of an attack in real time – much less historically. This makes preventing attacks and mitigating their consequences extremely tricky.

LotL tactics are used by various groups: spy groups (see here and here), money-minded cybercriminals, and ransomware gangs.

Environments prone to LotL attacks

LotL attacks can be carried out in any environment: cloud, on-premises, hybrid; on Windows, Linux, and macOS platforms. Incidentally, attacks on macOS are sometimes known as Living off the Orchard – a reference to, yes, apples. In each of these environments, attackers have a variety of tools and techniques at their disposal:

Windows. Tools useful to attackers are usually called LOLBins (LOL binaries) or LOLBAS (LOL binaries and scripts). We analyzed the most popular LOLBins; a more complete list of all Windows tools seen in attacks can be found in this GitHub repository. To escalate privileges and disable defenses, threat actors can exploit legitimate software drivers, a list of which is available at loldrivers.io.
Unix/Linux. An extensive list of tools exploited by attackers can be found in the gtfobins repository on GitHub.
macOS. “Orchard” tools used in attacks are available at io.

It should be reiterated here that all the files listed in the links above are legitimate tools. They aren’t vulnerable per se, but can be used by an attacker who’s penetrated a system and gained sufficient privileges.

What’s stopping you from detecting LotL?

Even if an organization has a high level of information security maturity – with an expert team and advanced protective tools – in practice, defenders may be hampered in detecting LotL attacks due to the following reasons:

Non-adapted settings. Even advanced security tools need to be adapted to the specifics of the organization and the particularities of network segmentation, user-server interaction, and typical IT-system operating scenarios. Correlation rules need to be created and customized based on the available threat intelligence and known characteristics of the company. Sometimes defenders rely too heavily on IoC detection, and don’t pay enough attention to potentially dangerous behavioral signals. Sometimes InfoSec or IT services use broad exclusion rules and extensive allowlists that include many LOLBAS simply because they’re legitimate applications. All of the above significantly lowers the effectiveness of protection.
Inadequate logging. The standard level of logging in many systems doesn’t allow for the detection of malicious activity, storage of event parameters sufficient for incident analysis, or reliable differentiation between legitimate administrative actions and malicious ones.
Insufficient automation. Malicious actions in a heap of logs can only be detected after preliminary filtering and removal of background noise. The most effective filtering comes from EDR, which collects only the relevant telemetry, increases flexibility in detecting attacker techniques, and reduces false positives. Without filtering and automated analysis, logs are useless. There are simply too many of them.
Isolation from IT. The above issues would be especially acute if IT and InfoSec services have little interaction: InfoSec is unfamiliar with IT work regulations, tool settings, and so on. In addition, if the teams don’t talk to each other, an investigation into suspicious activity can drag on for weeks or even months – during all of which time the threat actors would be further developing their attacks.

How to detect LotL attacks

There are many practical cybersecurity recommendations for detecting LotL attacks – none of them exhaustive. The most recent and detailed public guidance comes from cyber agencies in the US, UK, and Australia. But even there, the authors emphasize that they’re only providing best practice benchmarks.

The most practical, effective, and implementable detection tips are as follows:

Implement detailed event logging. Collect logs in a centralized repository that’s write-once and disallows modifications. This prevents attackers from deleting or changing logs. Centralization of logs is critical because it enables behavioral analysis, retrospective searches, and targeted threat hunting. It also often makes it possible to save logs for longer periods of time.
 
To be useful, logs must be comprehensive and verbose. They must log security events – including all commands in management consoles (shells), as well as system calls, PowerShell activity, WMI event traces, and so on. It’s worth reiterating that standard logging configurations rarely cover all necessary events. What’s more, in some cloud environments, the right level of logging is only available as part of costly service packages. When Microsoft 365 customers got burned by this last year, Microsoft revised its policy.
 
For proper implementation of logging, SIEM (centralization, aggregation, and event analysis) and EDR (collection of necessary telemetry from hosts) are indispensable tools.
Identify and record typical, day-to-day activity of network devices, servers, applications, users, and administrators. To gather information about baseline behavior in a particular network, SIEM is recommended: all normal sequences of events, service relationships and the like are clear to see. Special attention should be paid to the analysis of “administrative” behavior, and the use of specific tools by privileged accounts – including system ones. Keep the number of administrative tools to a minimum, with detailed logging of their operation; use of other similar tools should be either blocked or set to trigger alerts. For administrator accounts, it’s important to analyze what time they are in use, what commands they run and in what sequence, what devices they interact with, and so on.
Use automated systems (such as machine learning models) to continuously analyze logs, match them against typical activity, and report anomalies to InfoSec. Ideally, implement user and entity behavior analytics (UEBA).
Continuously update settings to reduce background noise and adjust low-impact alerts or downgrade their priority.
 
You can fine-tune monitoring rules and alert triggers to better distinguish between routine administrative actions and potentially dangerous behavior. Avoid overly broad rules that will burden systems and analysts alike, such as “CommandLine=*”. Work with the IT team to reduce the variety of administration utilities used, their accessibility on unrelated systems, and the number of available protocols and types of accounts for logging in to corporate systems.
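The detection approach in the list above (baseline the tools each privileged account normally runs on each host, alert on LOLBin use outside that baseline, review baseline use at odd hours, and refuse match-all rules like “CommandLine=*”) as an added example; this code is not from the Kaspersky post. The log layout, the baseline table, the admin-hours window and the sample events are all constructed assumptions, not any vendor’s schema.

```python
import re
from datetime import datetime

# Subset of well-known Windows LOLBins (names as listed by the LOLBAS project).
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "bitsadmin.exe", "wmic.exe", "powershell.exe"}

# Assumed baseline: (account, host) -> tools that account routinely runs there.
# In practice this is derived from the SIEM's record of day-to-day admin activity.
BASELINE = {
    ("CORP\\adm-jdoe", "PAW-01"): {"powershell.exe", "wmic.exe"},
    ("CORP\\svc-backup", "FS-02"): {"powershell.exe"},
}
ADMIN_HOURS = range(7, 20)  # assumed working window, 07:00-19:59 local time

# Constructed process-creation events in a simple key=value layout (assumed format).
SAMPLE_LOG = [
    'ts=2024-03-18T09:12:04 host=PAW-01 user=CORP\\adm-jdoe image=C:\\Windows\\System32\\wmic.exe cmdline="wmic os get version"',
    'ts=2024-03-18T10:03:51 host=WS-117 user=CORP\\jsmith image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'ts=2024-03-18T23:41:10 host=WS-117 user=CORP\\jsmith image=C:\\Windows\\System32\\certutil.exe cmdline="certutil.exe -hashfile setup.msi SHA256"',
    'ts=2024-03-19T02:17:33 host=FS-02 user=CORP\\svc-backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -File backup.ps1"',
    'ts=2024-03-19T02:18:05 host=FS-02 user=CORP\\svc-backup image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe update.dll,Start"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value log line into a dict and derive tool name and hour."""
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ev["tool"] = ev["image"].rsplit("\\", 1)[-1].lower()
    ev["hour"] = datetime.fromisoformat(ev["ts"]).hour
    return ev


def assess(ev):
    """Return (verdict, reason) for one parsed event."""
    if ev["tool"] not in LOLBINS:
        return "ignore", "not a LOLBin"
    allowed = BASELINE.get((ev["user"], ev["host"]), set())
    if ev["tool"] not in allowed:
        return "alert", f"{ev['tool']} is not in the baseline for {ev['user']} on {ev['host']}"
    if ev["hour"] not in ADMIN_HOURS:
        return "review", f"baseline tool run at {ev['hour']:02d}:00, outside admin hours"
    return "baseline", "matches recorded administrative activity"


def triage(lines):
    """Assess every line; returns (host, tool, verdict, reason) tuples."""
    return [(ev["host"], ev["tool"], *assess(ev)) for ev in map(parse_event, lines)]


def is_overly_broad(rule):
    """True for match-all rules such as CommandLine=* that only burden analysts."""
    values = [v.strip('"') for _, v in FIELD_RE.findall(rule)]
    return not values or all(v in ("*", "") for v in values)


if __name__ == "__main__":
    for host, tool, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:8} {host:7} {tool:16} {reason}")
```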

How to defend against LotL

The very nature of these attacks makes it almost impossible to prevent them completely. However, proper configuration of your network, endpoints, applications, and accounts can dramatically narrow the attack surface, speed up detection, and minimize the damage caused by intrusion attempts.

Review and implement “hardening” recommendations from vendors of the hardware and applications you use. The following should be considered as the minimum:

For Windows systems, apply Microsoft updates promptly.
For Linux systems, review permissions for key applications and daemons by following an industry guide – such as Red Hat Enterprise Linux Benchmarks.
For macOS devices, be aware that there are no generally accepted hardening recommendations, but there is a misconception that they’re secure out-of-the-box. In mixed networks, Windows devices are often more prevalent, such that IT and InfoSec tend to focus on Windows, overlooking threats and suspicious events on Apple devices. Besides the advice to regularly update macOS to the latest version and implement EDR/EPP, we recommend studying the macOS Security Compliance Project, which lets you generate InfoSec recommendations for specific macOS devices.
For organizations that actively use Microsoft 365 and Google Workspace cloud services, it’s vital to implement the minimum InfoSec recommendations from Microsoft and Google.
Critical IT assets, such as ADFS and ADCS for Microsoft-based IT systems, warrant special attention and in-depth analysis of possible hardening measures.
Widely apply universal hardening measures such as minimizing the number of running services, the principle of least privilege, and encryption and authentication of all network communications.

Make the allowlisting (aka default deny) approach standard. If implementing it across all applications and all computers is troublesome, try a phased approach. Popular LOLBAS that your team doesn’t use for work and your system processes don’t need can be blocked. The tools that actually are needed should only be available to administrators, only on relevant systems, and only for the duration of administrative tasks. All sessions that use such tools must be carefully logged and analyzed for anomalies.
 
Conduct an in-depth inventory of configurations, policies, and software installed on each host. If an application isn’t needed on a host, remove it: this will take it out of the toolkit of attackers and eliminate the headaches associated with updates and vulnerabilities. EDR solutions are ideal for this task.
Strengthen IT and OT network segmentation and monitoring at the internal network level. Besides isolating the OT network, you can move administrative machines with high privileges, important servers and the like to a separate subnet.

When implementing such restrictions, many organizations allowlist excessively broad IP ranges, for example, all addresses of a particular cloud provider. Even if this cloud hosts legitimate servers that the company server needs to communicate with, neighboring IPs could be leased by attackers. Therefore, it’s imperative to specify precise IP ranges and keep the allowlist as short as possible.
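An added example (not from the Kaspersky post) of auditing an allowlist for the problem just described: it flags ranges that are unused or far larger than the peers actually in use, and collapses the observed peers into the smallest exact allowlist. The allowlist entries, peer addresses and the unused-address threshold are constructed assumptions.

```python
import ipaddress

# Constructed inputs: what was allowlisted versus the peer addresses the
# company's servers were actually observed communicating with.
CONFIGURED_ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/22", "192.0.2.10/32", "10.20.0.0/16"]
OBSERVED_PEERS = ["203.0.113.5", "203.0.113.6", "198.51.100.77", "192.0.2.10"]


def audit_allowlist(allowlist, peers, max_unused_hosts=8):
    """Return (entry, finding) pairs for ranges that are unused or too broad.

    max_unused_hosts is an assumed tolerance for addresses allowed but never seen.
    """
    findings = []
    peer_ips = [ipaddress.ip_address(p) for p in peers]
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        used = sum(1 for p in peer_ips if p in net)
        unused = net.num_addresses - used
        if used == 0:
            findings.append((entry, "unused: no observed peer falls in this range"))
        elif unused > max_unused_hosts:
            findings.append((entry, f"too broad: {unused} addresses allowed beyond the {used} in use"))
    return findings


def minimal_allowlist(peers):
    """Collapse the observed peers into the smallest set of networks covering exactly them."""
    nets = [ipaddress.ip_network(p) for p in peers]  # each peer becomes a /32
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for entry, finding in audit_allowlist(CONFIGURED_ALLOWLIST, OBSERVED_PEERS):
        print(f"{entry:18} {finding}")
    print("suggested allowlist:", minimal_allowlist(OBSERVED_PEERS))
```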

Network analysis tools should also be used to monitor traffic between segments, with a focus on unusual sessions and communications with more important network segments. Such analysis requires deep packet inspection (DPI).

To significantly simplify monitoring and to make attacks much harder, introduce privileged access workstations (PAWs) in your organization. High-risk administrative actions should be allowed on these and nowhere else. As part of the minimum program for Windows environments, operations with Active Directory servers should be allowed from PAWs only.

Implement authentication and authorization for all human-machine and machine-machine interactions regardless of their network location.
Implement a comprehensive approach to infrastructure protection based on detection and response tools (SIEM + EDR), building both awareness and team expertise (threat intelligence + cybersecurity training), and continuous hardening of the company’s overall InfoSec posture.

Kaspersky official blog – Read More