Top – INDIA NEWS (https://www.indiavpn.org)

Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives
https://www.indiavpn.org/2024/01/30/brazilian-feds-dismantle-grandoreiro-banking-trojan-arresting-top-operatives/
Tue, 30 Jan 2024 18:00:19 +0000

Jan 30, 2024 | Newsroom | Cyber Crime / Malware

A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware.

The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso.

Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro’s network protocol that helped it to identify the victimology patterns.

Grandoreiro is one of the many Latin American banking trojans such as Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, primarily targeting countries like Spain, Mexico, Brazil, and Argentina. It’s known to have been active since 2017.

In late October 2023, Proofpoint revealed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain.

The banking trojan can both steal data through keyloggers and screenshots and siphon bank login information from overlays when an infected victim visits pre-determined banking sites targeted by the threat actors. It can also display fake pop-up windows and block the victim’s screen.

Attack chains typically leverage phishing lures bearing decoy documents or malicious URLs that, when opened or clicked, lead to the deployment of malware, which then establishes contact with a command-and-control (C&C) server for remotely controlling the machine in a manual fashion.

“Grandoreiro periodically monitors the foreground window to find one that belongs to a web browser process,” ESET said.

“When such a window is found and its name matches any string from a hardcoded list of bank-related strings, then and only then the malware initiates communication with its C&C server, sending requests at least once a second until terminated.”

The threat actors behind the malware have also employed a domain generation algorithm (DGA) since around October 2020 to dynamically identify a destination domain for C&C traffic, making it harder to block, track, or take over the infrastructure.

Most of the IP addresses these domains resolve to are provided primarily by Amazon Web Services (AWS) and Microsoft Azure, with the life span of the C&C IP addresses ranging from 1 day to 425 days. On average, there are 13 active and three new C&C IP addresses per day.

ESET also said that Grandoreiro’s flawed implementation of its RealThinClient (RTC) network protocol for C&C made it possible to get information about the number of victims that are connected to the C&C server, which is 551 unique victims in a day on average mainly spread across Brazil, Mexico, and Spain.

Further investigation has found that an average number of 114 new unique victims connect to the C&C servers each day.

“The disruption operation led by the Federal Police of Brazil aimed at individuals who are believed to be high up in the Grandoreiro operation hierarchy,” ESET said.

China-Linked Hackers Target Myanmar’s Top Ministries with Backdoor Blitz
https://www.indiavpn.org/2024/01/30/china-linked-hackers-target-myanmars-top-ministries-with-backdoor-blitz/
Tue, 30 Jan 2024 15:08:25 +0000

Jan 30, 2024 | Newsroom | Malware / Cyber Espionage

The China-based threat actor known as Mustang Panda is suspected to have targeted Myanmar’s Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.

The findings come from CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts in connection with the attacks were uploaded to the VirusTotal platform.

“The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs),” CSIRT-CTI said.

Mustang Panda, active since at least 2012, is also recognized by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, and TEMP.Hex.

In recent months, the adversary has been attributed to attacks targeting an unnamed Southeast Asian government as well as the Philippines to deliver backdoors capable of harvesting sensitive information.

The November 2023 infection sequence starts with a phishing email bearing a booby-trapped ZIP archive attachment containing a legitimate executable (“Analysis of the third meeting of NDSC.exe”) that’s originally signed by B&R Industrial Automation GmbH and a DLL file (“BrMod104.dll”).

The attack takes advantage of the fact that the binary is susceptible to DLL search order hijacking to side-load the rogue DLL and subsequently establish persistence and contact with a command-and-control (C2) server and retrieve a known backdoor called PUBLOAD, which, in turn, acts as a custom loader to drop the PlugX implant.

“The threat actors attempt to disguise the [C2] traffic as Microsoft update traffic by adding the ‘Host: www.asia.microsoft.com’ and ‘User-Agent: Windows-Update-Agent’ headers,” CSIRT-CTI noted, mirroring a May 2023 campaign disclosed by Lab52.

On the other hand, the second campaign observed earlier this month employs an optical disc image (“ASEAN Notes.iso”) containing LNK shortcuts to trigger a multi-stage process that uses another bespoke loader called TONESHELL to likely deploy PlugX from a now-inaccessible C2 server.

It’s worth noting that a similar attack chain attributed to Mustang Panda was previously unearthed by EclecticIQ in February 2023 in intrusions aimed at government and public sector organizations across Asia and Europe.

“Following the rebel attacks in northern Myanmar [in October 2023], China has expressed concern regarding its effect on trade routes and security around the Myanmar-China border,” CSIRT-CTI said.

“Stately Taurus operations are known to align with geopolitical interests of the Chinese government, including multiple cyberespionage operations against Myanmar in the past.”

Top Security Posture Vulnerabilities Revealed
https://www.indiavpn.org/2024/01/30/top-security-posture-vulnerabilities-revealed/
Tue, 30 Jan 2024 11:35:06 +0000

Each New Year introduces a new set of challenges and opportunities for strengthening our cybersecurity posture. It’s the nature of the field – the speed at which malicious actors carry out advanced persistent threats brings a constant, evolving battle for cyber resilience. The excitement in cybersecurity lies in this continuous adaptation and learning, always staying one step ahead of potential threats.

As practitioners in an industry that operates around-the-clock, this hypervigilance becomes second nature. We are always in a constant state of readiness, anticipating the next move, adapting strategies, and counteracting threats. However, it remains just as crucial to have our fingers on the pulse of the most common vulnerabilities impacting security postures right now. Why? Knowing these weak points is not just about defense; it’s about ensuring robust, uninterrupted business continuity in an environment where risks are always around the corner.

The Importance of Regularly Assessing Your Security Posture

The journey to build a cyber resilient security posture begins with identifying existing vulnerabilities; however, when asked about their vulnerability visibility, less than half of cybersecurity professionals claim to have high (35%) or complete visibility (11%). At best, more than half of organizations (51%) have only moderate visibility into their vulnerabilities.[1]

Regular assessments are one of the primary ways you can evaluate your organization’s security posture and gain the visibility you need to understand where risks are. These assessments comprehensively review your organization’s cybersecurity practices and infrastructure and can range in scope and frequency depending on your organization’s needs and the maturity of your risk program.

Security Maturity and Your Testing Frequency

  • Immature or No Risk Strategy: Assessments are not conducted on an ongoing frequency or are conducted on an ad-hoc basis.
  • Emerging or Ad-Hoc Risk Strategy: Assessments are conducted with some frequency, typically quarterly or monthly.
  • Mature or Set Strategy: Assessments are conducted on an ongoing basis, usually monthly.
  • Advanced Strategy: Regular assessments are ingrained in the overall risk program and take place on a monthly or weekly basis depending on the type of test.

Suggested Testing Frequency by Common Framework

  • NIST CSF: The National Institute of Standards and Technology (NIST) guidelines vary from quarterly to monthly scans, based on the specific guidelines of the governing framework.
  • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) mandates quarterly scans.
  • HIPAA: The Health Information Protection Accountability Act (HIPAA) does not require specific scanning intervals but emphasizes the importance of a well-defined assessment strategy.

Types of Regular Assessments

  • Vulnerability Scans
  • Penetration Tests
  • Breach and Ransomware Simulations
  • Security Reputation Scans
  • Business Impact Analyses
  • Security Posture Assessment

Conducting assessments routinely enables your organization to preemptively identify potential security threats and vulnerabilities, much like preventive health check-ups for your organization’s cybersecurity.

ArmorPoint has recently released a security maturity self-assessment. Take the 15-question quiz to determine the gaps in your security posture.

The Top 6 Vulnerabilities

Now, let’s explore the vulnerabilities commonly found during these regular security posture assessments and their potential impact on your organization’s security integrity.

Vulnerability Management Program Gaps

A structured vulnerability management program is the cornerstone of proactive cybersecurity for your organization. It serves as your organization’s radar for promptly identifying and addressing security weaknesses. Organizations that lack such a program expose themselves to significant risks such as increased exposure to known vulnerabilities, inefficient patch management, and the reduced ability to prioritize critical vulnerabilities.

Deficiencies in Detection and Monitoring

Inadequate detection systems can leave your organization blind to ongoing threats, allowing attackers to operate undetected for extended periods. Without adequate detection systems, such as advanced Intrusion Detection Systems (IDS) or Security Information and Event Management (SIEM) solutions, there is a risk of delayed or missed threat detection, increased dwell time for attackers, and a higher potential for data exfiltration. To improve this aspect, it’s crucial to introduce advanced monitoring tools and strategies. Deploying state-of-the-art threat detection and response technologies, utilizing behavior analytics for anomaly detection, and conducting threat-hunting exercises are some of the key approaches to enhance detection capabilities.

The absence of such measures delays the identification of threats and hampers the ability to respond effectively in a timely manner. Implementing a strong, well-rounded detection and monitoring system is essential for maintaining a robust defense against evolving cyber threats. This includes continuously updating and refining detection methodologies to stay ahead of the latest attack vectors and techniques used by cybercriminals.

Lack of Policies and Procedures

Organizations need formalized cybersecurity policies and procedures to effectively manage security risks. Without these in place, there are numerous consequences, including inconsistent security practices across departments, weakened incident response capabilities, difficulty in ensuring compliance with regulations, and greater exposure to legal, regulatory, financial, and reputational consequences. Crafting and implementing comprehensive security policies involves developing and documenting these policies clearly, ensuring they are communicated effectively to all employees, and educating them on the importance of compliance.

Regular reviews, updates, and adaptations of these policies are necessary to keep pace with the evolving cyber threat landscape. This also ensures that the organization’s cybersecurity measures remain relevant and effective. In addition, having a set of well-defined procedures helps in standardizing responses to security incidents, which aids in minimizing the impact and speeding up recovery times in the event of a breach.

Inadequate Testing Practices

Regular testing of security systems and incident response plans is vital for identifying weaknesses and ensuring preparedness for real-world attacks. This includes conducting regular penetration testing to uncover vulnerabilities, creating, practicing, and fine-tuning incident response plans, and engaging in third-party security assessments. The importance of regular testing cannot be overstated, as it not only helps in identifying vulnerabilities before attackers do but also assesses the effectiveness of existing security controls.

Additionally, regular testing ensures a swift and effective response to incidents, mitigating potential damage proactively. This practice is crucial in maintaining an updated and resilient cybersecurity posture, capable of defending against the latest security threats. Engaging with third-party experts for assessments brings an external perspective, often uncovering blind spots that internal teams might miss.

Training and Cyber Awareness

Insufficiently trained staff can inadvertently introduce vulnerabilities and make an organization more susceptible to attacks. The issue of insufficient training leads to misconfigurations, human errors, and failure to recognize and respond to threats, thus reducing the effectiveness of security controls. To address this, approaches for security awareness training are crucial. Providing ongoing cybersecurity training, encouraging professional development and certifications, and fostering a culture of security awareness are key measures.

These training initiatives help ensure that staff at all levels are equipped to identify and respond to security threats effectively. By keeping the workforce informed and vigilant, organizations can significantly reduce the risk of breaches caused by human error. This proactive approach to staff training is a critical component of a comprehensive cybersecurity strategy.

Framework Adoption and Implementation

Selecting and adhering to a cybersecurity framework is crucial for organizations looking to establish a structured approach to security. The necessity of frameworks lies in providing a clear roadmap for security, ensuring alignment with industry best practices, and facilitating compliance with regulations. The advised process for framework selection involves assessing your organization’s specific needs and risk tolerance, choosing a suitable framework (e.g., NIST Cybersecurity Framework), and customizing it to fit the organization’s unique requirements.

Framework adoption and implementation provide a structured and methodical approach to managing cybersecurity risks. They also offer guidelines for setting up robust security measures and protocols, thus enhancing the overall security posture of an organization. Customizing the chosen framework ensures that it aligns perfectly with the organization’s specific security needs, industry standards, and regulatory requirements.

Risk Appetite and Understanding

Understanding your organization’s risk appetite and integrating it into your cybersecurity strategy is essential for effective risk management. Determining the level of risk your organization is willing to accept varies from one organization to another and influences decision-making and resource allocation. This understanding of risk appetite is crucial in aligning cybersecurity efforts with the organization’s risk tolerance and prioritizing security measures based on risk assessments.

Risk informs strategy, and maintaining continuous vigilance is necessary to monitor evolving risks and adapt security strategies accordingly. This approach ensures that cybersecurity measures are not only reactive but proactive, anticipating potential threats and mitigating them before they materialize. By understanding and managing risk effectively, organizations can build a resilient and robust cybersecurity posture tailored to their specific needs and risk tolerance levels.

Mitigating Identified Vulnerabilities

Now that we’ve thoroughly examined these common vulnerabilities, it’s crucial to understand how to prioritize their resolution based on severity and potential impact. The first step is to gain more visibility into your organization’s vulnerabilities. Once identified, you can prioritize these vulnerabilities effectively to mitigate them. To mitigate these risks, it’s suggested to implement an industry-accepted framework such as NIST CSF, CIS, or SANS. These frameworks guide organizations in establishing robust cybersecurity practices and involve assessing current security measures against the framework’s standards, developing and implementing appropriate policies, and ensuring regular staff training for awareness. Continuous monitoring and improvement are key, as they allow for the timely identification and rectification of security gaps and vulnerabilities.

Take a proactive step towards strengthening your security posture. Collaborate with seasoned cybersecurity experts who can help identify and address your organization’s specific security gaps. Request a complimentary Cybersecurity Workshop from ArmorPoint today.

Cybersecurity is not a one-time effort; it’s an ongoing commitment to protecting your organization’s assets and reputation. By addressing these common vulnerabilities revealed in security posture assessments and staying vigilant, you can strengthen your security posture and reduce the risk of falling victim to cyberattacks.

1 https://www.tripwire.com/state-of-security/insight-vulnerability-management-report


Microsoft’s Top Execs’ Emails Breached in Sophisticated Russia-Linked APT Attack
https://www.indiavpn.org/2024/01/20/microsofts-top-execs-emails-breached-in-sophisticated-russia-linked-apt-attack/
Sat, 20 Jan 2024 06:19:06 +0000

Jan 20, 2024 | Newsroom | Cyber Espionage / Emails Security

Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.

The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

It further said that it immediately took steps to investigate, disrupt, and mitigate the malicious activity upon discovery on January 12, 2024. The campaign is estimated to have commenced in late November 2023.

“The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.

Redmond said the nature of the targeting indicates the threat actors were looking to access information related to themselves. It also emphasized that the attack was not the result of any security vulnerability in its products and that there is no evidence that the adversary accessed customer environments, production systems, source code, or AI systems.

The computing giant, however, did not disclose how many email accounts were infiltrated or what information was accessed, but said it was in the process of notifying employees who were impacted as a result of the incident.

The hacking outfit, which was previously responsible for the high-profile SolarWinds supply chain compromise, has singled out Microsoft twice, once in December 2020 to siphon source code related to Azure, Intune, and Exchange components, and a second time breaching three of its customers in June 2021 via password spraying and brute-force attacks.

“This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard,” the Microsoft Security Response Center (MSRC) said.

Top 7 Trends Shaping SaaS Security in 2024
https://www.indiavpn.org/2023/12/25/top-7-trends-shaping-saas-security-in-2024/
Mon, 25 Dec 2023 04:39:14 +0000

Over the past few years, SaaS has developed into the backbone of corporate IT. Service businesses, such as medical practices, law firms, and financial services firms, are almost entirely SaaS based. Non-service businesses, including manufacturers and retailers, have about 70% of their software in the cloud.

These applications contain a wealth of data, from minimally sensitive general corporate information to highly sensitive intellectual property, customer records, and employee data. Threat actors have noted this shift, and are actively working to breach apps to access the data.

Here are the top trends influencing the state of SaaS Security for 2024 — and what you can do about it.

Democratization of SaaS

SaaS apps have transformed the way organizations purchase and use software. Business units purchase and onboard the SaaS tools that best fit their needs. While this is empowering for business units that have long been frustrated by delays in procuring and onboarding software, it does require organizations to rethink the way they secure data.

Security teams are being forced to develop new ways to secure company data. Lacking access and visibility into an application, they are placed in the role of advising a business unit that is using SaaS applications. To further complicate matters, every SaaS application has different settings and uses different terminology to describe security features. Security teams can’t create a one-size-fits-all guidance document because of the differences between the apps.

Security teams must find new ways to collaborate with business units. They need a tool that offers visibility and guidance for each application setting so that they – and the business unit – understand the risks and ramifications involved in the configuration choices that they make.

ITDR Forms a Critical Safety Net

If a threat actor gains access to a high-privilege account, they gain unfettered access within the application. Organizations are now understanding that identity is the de facto perimeter for their SaaS applications.

When threat actors take over an authorized user account, they typically follow common tactics, techniques and procedures (TTP) as they work their way through the app toward the data they want. They leave behind indicators of compromise (IoC), which might be based on actions taken within the app or logs.

As we move into the new year, we are going to see more organizations adopting an Identity Threat Detection & Response (ITDR) approach. ITDR mitigates that concern. As a key component in Identity Security Posture Management, ITDR capabilities can detect TTPs and IoCs, and then send an alert to the incident response team. Through ITDR, threat actors who have managed to breach the identity perimeter can still be stopped before they steal critical data or insert ransomware into the application.

Cross-Border Compliance Means More Tenants to Secure

Global companies are increasingly facing different regulatory requirements from one country to the next. As a result, 2024 will see an increase in the number of geo-specific tenants as part of the effort to keep data segmented in accordance with the different regulations.

This change will have a limited impact on software costs as most SaaS app pricing is based on subscribers rather than tenants. However, it will have a significant impact on security. Each tenant will need to be configured independently, and just because one instance of the application is secure doesn’t mean that all tenants are secure.

To secure all these tenants, security teams should look for a security solution that allows them to set app benchmarks, compare tenants, and display security settings side-by-side without charging extra for each additional tenant. By applying best practices throughout the organization, companies can keep all their tenants secure.

Figure 1: Adaptive Shield’s platform monitoring and presenting all Salesforce tenants

Misconfigured Settings Are Leading to New Exploits

A default misconfiguration in ServiceNow triggered widespread panic in October. The setting, which was part of the application’s Access Control Lists, allowed unauthorized users to extract data from records. The misconfiguration impacted thousands of companies. A similar misconfiguration in Salesforce Community back in May also impacted a significant number of companies and led to data breaches.

Misconfigurations like these have the potential to cause major damage to companies. They lead to data leaks that break the trust between companies and their stakeholders, and have the potential to turn into onerous fines, depending on the nature of the data that leaked.

Securing misconfigurations is an organization’s best chance at preventing these exploits from impacting their operations and hurting their bottom lines.

Increased Reliance on Third-Party Applications Adds to SaaS Risk

Third-party applications add real value for end users. They improve processes, extend functionality, and connect data between multiple applications. Users connect these SaaS apps with the click of a button, and instantly begin improving their workflows.

In March 2023, Adaptive Shield released a report showing that organizations using Google Workplace with 10,000-20,000 users averaged 13,913 third-party apps connected to Google Workplace alone. An astonishing 89% of these requested either high- or medium-risk permissions. Many of these high-risk apps are used once and forgotten about, or used by a small number of employees. However, even these dormant or lightly used applications have significant permissions and can be used to compromise or breach a SaaS application.

The use of third-party applications is only increasing, as more apps are developed and employees use their own judgment – rather than checking with their security team – when integrating third-party applications into their stack. Security teams must develop visibility into all their integrated apps, and gain insights into the permissions requested, the value the app contributes to the organization, and the risk it poses.

Figure 2: Adaptive Shield’s platform shows integrated third-party apps, their risk score, and the scopes granted

Multiple Devices to Secure as Working from Home Isn’t Going Anywhere

In 2023, nearly 40% of all employees worked from home at least part of the time. According to WFHResearch, approximately 12% of employees work exclusively in their homes, while another 28% have hybrid roles.

These figures should give pause to security personnel concerned about users logging in to their work accounts from personal devices. One of the biggest concerns security teams have is when high-privileged users log into their accounts using an unmanaged or unsecured device. These devices may have critical vulnerabilities, and create a new attack vector. For many teams, there is almost no way to tell which devices are used to access the SaaS app or see whether those devices are secure.

Organizations Are Turning to SSPM to Secure SaaS

While all these trends point to legitimate SaaS security concerns, SaaS Security Posture Management (SSPM) tools coupled with ITDR capabilities, like Adaptive Shield, can fully secure the SaaS stack. SSPMs are designed to automatically monitor configurations, looking for configuration drifts that weaken an app’s posture. In the SaaS Security Survey: 2024 Plans & Priorities by Cloud Security Association and Adaptive Shield, 71% of respondents said their company had increased their investment into SaaS security tools over the past year, and 80% were either already using SSPM or planned to invest in one within the next 18 months.

SSPMs can provide baselining tools for multiple tenants of the same app, and enable users to establish best practices, compare settings from different instances, and improve the overall posture of the SaaS stack.

SSPMs also detect and monitor third-party applications, alerting users if their integrated apps are requesting too much access and updating the security team when integrated apps are dormant. They track users and monitor the devices being used to access applications to prevent the use of unmanaged or unsecured devices on corporate SaaS apps. Furthermore, their built-in communication tools make it easy for business units to collaborate with security personnel in securing their applications.

SaaS apps have grown in popularity for good reason. They allow organizations to scale as needed, subscribe to the apps they need at the moment, and limit investment in some IT. With SSPM, these applications can be secured as well.
