Web – INDIA NEWS (https://www.indiavpn.org) News Blog

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
https://www.indiavpn.org/2024/04/04/new-http-2-vulnerability-exposes-web-servers-to-dos-attacks/
Thu, 04 Apr 2024 13:07:35 +0000

Apr 04, 2024 | Newsroom | Vulnerability / Internet Protocol


New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks.

The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.

“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”

As in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields can comprise header lists, which, in turn, are serialized and broken into header blocks. The header blocks are then divided into block fragments and transmitted within HEADERS frames or what are called CONTINUATION frames.

“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.


“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”

The last frame containing headers will have the END_HEADERS flag set, which signals the remote endpoint that it’s the end of the header block.

According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several HTTP/2 protocol implementations that pose a more severe threat compared to the Rapid Reset attack that came to light in October 2023.

“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”

The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames that pave the way for a DoS condition.

In other words, an attacker can open a new HTTP/2 stream against a target server running a vulnerable implementation and send HEADERS and CONTINUATION frames without ever setting the END_HEADERS flag, creating a never-ending stream of headers that the HTTP/2 server has to parse and hold in memory.

While the exact outcome varies by implementation, the impact ranges from an instant crash after only a couple of HTTP/2 frames, to an out-of-memory crash, to CPU exhaustion, all of which affect server availability.

“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.


“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.”

The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).

Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it’s advised to consider temporarily disabling HTTP/2 on the server.
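As an added example (not code from the article or from any of the affected projects), the following Python assembler shows the limit the advisory says many implementations lack: it parses HEADERS and CONTINUATION frames from a byte buffer and refuses a stream whose header block exceeds a byte budget or a frame-count budget, rather than buffering and decoding until an END_HEADERS flag that never arrives. The two budgets, the helper names, and the assumption that HEADERS frames carry no PADDED or PRIORITY fields are assumptions made here.

```python
"""
Defensive assembler for an HTTP/2 header block sent as a HEADERS frame followed
by CONTINUATION frames (frame layout per RFC 9113 section 4.1). Added example,
not code from the article or any affected project. Assumptions: HEADERS frames
carry no PADDED or PRIORITY fields, and the two budgets (max_block_bytes,
max_continuations) are illustrative values. The block is refused as soon as a
budget is exceeded instead of being buffered while END_HEADERS never arrives.
"""
import struct

FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


class H2ProtocolError(Exception):
    """Framing violation or budget exceeded: a server would send GOAWAY and close."""


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack("!I", len(payload))[1:]          # low three bytes of the length
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) from a buffer of concatenated frames."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise H2ProtocolError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class HeaderBlockAssembler:
    """Collects header block fragments for one stream under explicit budgets."""

    def __init__(self, max_block_bytes: int = 16 * 1024, max_continuations: int = 8):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.completed = []      # (stream_id, header_block) once END_HEADERS is seen
        self._reset()

    def _reset(self):
        self.stream_id = None    # stream with an open (unfinished) header block
        self.fragments = []
        self.continuations = 0

    def feed(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> None:
        if self.stream_id is not None and (
                ftype != FRAME_CONTINUATION or stream_id != self.stream_id):
            # RFC 9113 6.10: only CONTINUATION on the same stream may follow an open block
            raise H2ProtocolError("expected CONTINUATION on stream %d" % self.stream_id)
        if ftype == FRAME_HEADERS:
            self._reset()
            self.stream_id = stream_id
        elif ftype == FRAME_CONTINUATION:
            if self.stream_id is None:
                raise H2ProtocolError("CONTINUATION without a preceding HEADERS frame")
            self.continuations += 1
            if self.continuations > self.max_continuations:
                raise H2ProtocolError("too many CONTINUATION frames on stream %d" % stream_id)
        else:
            return  # DATA, SETTINGS and the rest are outside this example's scope
        self.fragments.append(payload)
        if sum(len(f) for f in self.fragments) > self.max_block_bytes:
            raise H2ProtocolError("header block exceeds %d bytes" % self.max_block_bytes)
        if flags & FLAG_END_HEADERS:
            self.completed.append((self.stream_id, b"".join(self.fragments)))
            self._reset()


def assemble(data: bytes, **limits):
    """Feed a frame buffer through the assembler and return the completed blocks."""
    asm = HeaderBlockAssembler(**limits)
    for frame in iter_frames(data):
        asm.feed(*frame)
    return asm.completed


def is_rejected(data: bytes, **limits) -> bool:
    """True when the buffer trips a budget or framing rule; worth logging when it does."""
    try:
        assemble(data, **limits)
        return False
    except H2ProtocolError:
        return True


# Constructed sample 1: a benign block split over two frames (HPACK static-table
# indexes 0x82 = ":method GET", 0x86 = ":scheme http", 0x84 = ":path /").
BENIGN = (encode_frame(FRAME_HEADERS, 0, 1, b"\x82\x86")
          + encode_frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))

# Constructed sample 2: a HEADERS frame followed by CONTINUATION frames that never
# set END_HEADERS, the pattern the advisory describes.
NEVER_ENDING = encode_frame(FRAME_HEADERS, 0, 3, b"\x82") + b"".join(
    encode_frame(FRAME_CONTINUATION, 0, 3, b"\x00" * 1024) for _ in range(64))
```

With both budgets lifted, `assemble(NEVER_ENDING, ...)` returns an empty list and keeps the open block in memory, which is exactly the unbounded state a vulnerable server sits in.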

A New Way To Manage Your Web Exposure: The Reflectiz Product Explained
https://www.indiavpn.org/2024/03/06/a-new-way-to-manage-your-web-exposure-the-reflectiz-product-explained/
Wed, 06 Mar 2024 13:24:41 +0000


An in-depth look into a proactive website security solution that continuously detects, prioritizes, and validates web threats, helping to mitigate security, privacy, and compliance risks.

[Reflectiz shields websites from client-side attacks, supply chain risks, data breaches, privacy violations, and compliance issues]

You Can’t Protect What You Can’t See

Today’s websites are connected to dozens of third-party web apps, trackers, and open-source tools like pixels, tag managers, and JavaScript frameworks. Some of these elements are stored on public CDNs, while others are loaded from third-party web servers that may be unfamiliar. These external web components and data items are not always visible to standard security controls, and they often expose you to security threats such as supply chain risks, client-side attacks, and vulnerabilities in your online software. This means that these serious challenges will frequently go unnoticed. Moreover, security and privacy regulations like GDPR, the Cyber Resilience Act, and CCPA have become stricter, creating compliance issues that can lead to costly fines and reputation damage.

The Result: Your web threat exposure is larger than you think.

No More Blind Spots

Reflectiz’s sandbox solution continuously monitors all first-, third-, and fourth-party web apps, external domains, and data items. It detects vulnerabilities and risks in your online environment, providing complete visibility over your web threat exposure, to reveal things like forgotten tracking pixels that are still collecting users’ data long after they should have stopped, or malicious e-skimmers running in iFrames that quietly harvest credit card details. The platform then effectively prioritizes and remediates these security threats and compliance issues.

The Reflectiz solution is executed remotely, requiring no installation. It does not impact your website performance and provides visibility over web components and data items that traditional web security tools may overlook. The platform’s intuitive user interface does not require any technical expertise.

[Reflectiz’s Automated Detection Cycle]

Proactive Security is Crucial for Managing Sophisticated Security Threats

In today’s sophisticated threat environments, security teams need to effectively scope, identify, prioritize, and address a wider range of threats imposed on their online businesses, shifting from merely fixing vulnerabilities to exposure management. Unlike traditional security tools, a proactive approach solution enables teams to continuously combat sophisticated web-based cyber threats, achieve enhanced visibility of their entire web exposure, and mitigate security and privacy risks before actual damage has been done.

Want to try the Reflectiz platform? Sign up for a 30-day free trial here.

Analyzing the Web Risk Factors


Reflectiz has developed a unique proprietary browser that explores each webpage on a website, running it dynamically like a regular user. This allows it to analyze and monitor everything that happens on a webpage, including loaded components’ behaviors, JavaScript execution, and network requests. This creates a broader view of your website’s immediate risks and threats.

  • The browser acts like a super client-side proxy, ensuring that no activity on a given webpage goes undetected.
  • The browser collects millions of events that Reflectiz processes, allowing the platform to perform root cause analysis and map the entire supply chain.
  • All web components and their activities are monitored and analyzed for behavior changes, including scripts, iFrames, tags, pixels, cookies, and HTTP headers.
  • The browser has no limitations and can see all activities on any webpage, including iFrames, non-origin content, and first-party components.

Reflectiz’s Unique WWW Approach

Dedicated dashboards for websites and subdomains offer extensive data and details based on Reflectiz’s WWW approach—WHO are your third-party vendors? WHAT are they doing on your websites? WHERE do they send the data they collect? The combination of the answers for each element allows Reflectiz to accurately assess the activity of any web app, domain, or data item, and immediately alert security teams.

For example, Reflectiz recently discovered sophisticated Magecart web skimming attacks involving counterfeit shops on the popular Shopify platform. By utilizing its WWW approach and analyzing browser activity from the outside, Reflectiz promptly identified the malicious activity and mitigated the attackers’ tactic.

For further insights read the Shopify Magecart attack case study.

Exposure Rating


Modern websites carry inherent risks. For instance, a financial website cannot function without user login and financial transaction capabilities, and an e-commerce platform is rendered useless without purchasing functionalities. But these vulnerable areas are precisely where risks are most likely to occur.

Have you ever wondered how secure your website is compared to your competitors? Have you ever thought that knowing would be a competitive advantage? Reflectiz recently introduced an innovative rating system to answer that question.

Reflectiz continuously monitors thousands of websites every day and has now developed the capability to analyze the data gathered and communicate web risk exposure levels in a simple metric.

Leveraging an extensive database, every Reflectiz client can now determine an exposure rating for various categories, including web apps (1st-, 3rd-, and 4th-party), external domains, and website structure.

Every website receives an exposure rating on an A-F scale, benchmarked against industry leaders. This score indicates your level of exposure to web risks. Clients use it not just to see how they compare, but as a tool to guide their efforts to improve.


Complete Inventory

The foundation of the exposure rating lies in Reflectiz’s comprehensive inventory of web apps, open-source components, domains, and data items across all websites. This includes global search and filtering options, making it easy to locate any data item within any web environment and allowing users to delve into different elements of risk.

  • Applications – a complete list of all first-, third-, and fourth-party vendors’ applications running on your website. It includes details such as scripts, locations, hierarchy, and more. Additionally, clients can get access to the pages themselves or the code of each script, along with the current risk factors associated with each application.
  • Domains – a comprehensive inventory of external and owned domains communicating with third parties. This information includes SSL certificate data, domain Whois records, cyber-reputation tests, and more.
  • Data – This section contains analyzed records of all active data items on the website, covering inputs, network parameters, trackers, and pixels. It connects these items to the bigger story of the WWW [Who? What? Where?], including related applications and domains. Furthermore, it identifies which third parties are accessing each data item.
  • Alerts – This section displays all alerts generated by the system, along with detailed information and recommendations for each one. The information is presented in understandable language to ensure all users can make informed decisions.

Deeper Exploration of Specific Risk

Reflectiz aggregates all scripts into a single web app or data item view, along with the current risk factors for each, allowing you to easily identify problematic applications and take immediate actions. The list is dynamic, enabling you to view new third-, fourth-, and nth-party applications and scripts that are added, including those through tag managers or other means.

Managing specific data items provides the following:

  • Identification of remote web servers connected to data items, including the applications that load them and those they load. For example, when integrating a third-party web app like Google Tag Manager into your website, you also integrate fourth-party web apps that already exist on it, such as Meta pixel or TikTok pixel. These elements often go unnoticed by standard security controls and may be exploited.
  • Utilization of business intelligence statistics like global popularity rank, which informs you if a specific data item is commonly used by others, and site coverage rate, where you can observe the spread of a certain data item across your web pages. For example, Google Tag Manager boasts an 80% global popularity rank, indicating widespread adoption, whereas the SnapChat pixel lags behind at 10%. This means that 80% of modern websites use Google Tag Manager, while only 10% incorporate the SnapChat pixel. Armed with this information, security teams can assess the necessity of integrating less popular elements like the SnapChat pixel, thereby reducing overall risk.
  • Investigation of risk factors for each data item involves addressing questions such as whether it has access to sensitive information or communicates with unsecure locations. For example, Reveal.js, a framework for creating attractive presentations using HTML, can exhibit several risk factors, including low popularity ranking, execution outside of trusted domains, loading from an open CDN, and access to sensitive inputs. The combination of these risk factors results in a high alert severity level.

Management Panel


The high-level management panel enables decision-makers to obtain a comprehensive overview of their web security status for all their websites in one place. This is achieved by providing a summary of alert severity levels and categories, such as malicious detections, privacy concerns, misconfigurations, and more. Additionally, it includes geographic and workflow displays, allowing managers to observe detected anomalies in their web environment over the past three months.

Addressing PCI DSS v4 New Web Requirements


Reflectiz has recently introduced an add-on feature: a dedicated PCI Dashboard.

The current version of PCI DSS is set to expire by the end of March 2024. With the new PCI DSS 4.0 requirements coming into effect in Q1 2025, Reflectiz enables clients to ensure compliance with mandates such as 6.4.3, by demonstrating how you monitor and manage all payment page scripts executed in the consumer’s browser, and 11.6.1, by showing how you activate a change and tamper detection mechanism for prompt alerts on unauthorized modifications.

The Reflectiz PCI Dashboard also facilitates the generation of compliance reports essential for audits by a PCI Qualified Security Assessor (QSA). Reflectiz’s PCI compliance solution operates remotely, eliminating the need for installations and providing security teams with immediate real-time visibility into the online ecosystem. This means staying in compliance without imposing a heavy resource burden.

Beyond PCI compliance, the dashboard empowers you to monitor third-party web apps and data items accessing payment and credit card data, while maintaining a comprehensive inventory of all third- and fourth-party scripts. Experience watertight web security that exceeds PCI standards with Reflectiz and take advantage of a free 30-day trial of our PCI DSS Dashboard to seamlessly meet the latest v4.0 requirements.

Establish a Security Baseline

So, how do you start with Reflectiz? The first step for every client is to create a security baseline that aligns with the organization’s risk appetite for approved third-party web apps, marketing pixels, open-source activities, and more. It ensures safe execution and continuous monitoring of all actions.

The security baseline also helps identify any new items that bypass your allow list or detect anomalies in behavior. By design, it reduces the number of alerts and keeps track of changes.

For example, if an unapproved cookie or marketing pixel collects user data without consent, an immediate alert will be issued. You can then approve or unapprove the specific cookie or pixel behavior according to your business context. If choosing to eliminate the risk, Reflectiz will provide mitigation steps to resolve the issue quickly by removing or blocking the specific rogue web app or data items.

About Reflectiz

Reflectiz is a cybersecurity company specializing in web exposure management. Years of research by infosec experts have gone into the creation of their cutting-edge platform, which global companies now rely on to keep their websites safe. Reflectiz offers a suite of powerful cybersecurity tools gathered within a user-friendly dashboard. It empowers online businesses to continuously monitor both their websites and the web apps they rely on, so they can quickly identify and resolve security threats and privacy issues before they can become a problem.

Want to try the Reflectiz platform? Sign up for a 30-day free trial here.

This article is a contributed piece from one of our valued partners.
Over 225,000 Compromised ChatGPT Credentials Up for Sale on Dark Web Markets
https://www.indiavpn.org/2024/03/05/over-225000-compromised-chatgpt-credentials-up-for-sale-on-dark-web-markets/
Tue, 05 Mar 2024 15:04:07 +0000

Mar 05, 2024 | Newsroom | Malware / Artificial Intelligence


More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.

These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.

“The number of infected devices decreased slightly in mid- and late summer but grew significantly between August and September,” the Singapore-headquartered cybersecurity company said in its Hi-Tech Crime Trends 2023/2024 report published last week.


Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023. The breakdown by the top three stealer families is below:

  • LummaC2 – 70,484 hosts
  • Raccoon – 22,468 hosts
  • RedLine – 15,970 hosts

“The sharp increase in the number of ChatGPT credentials for sale is due to the overall rise in the number of hosts infected with information stealers, data from which is then put up for sale on markets or in UCLs,” Group-IB said.

The development comes as Microsoft and OpenAI revealed that nation-state actors from Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations.


Stating that LLMs can be used by adversaries to brainstorm new tradecraft, craft convincing scam and phishing attacks, and improve operational productivity, Group-IB said the technology could also speed up reconnaissance, execute hacking toolkits, and make scammer robocalls.

“In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network,” it noted. “Now, they also focus on devices with access to public AI systems.


“This gives them access to logs with the communication history between employees and systems, which they can use to search for confidential information (for espionage purposes), details about internal infrastructure, authentication data (for conducting even more damaging attacks), and information about application source code.”

Abuse of valid account credentials by threat actors has emerged as a top access technique, primarily fueled by the easy availability of such information via stealer malware.

“The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders’ identity and access management challenges,” IBM X-Force said.

“Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores or accessing enterprise accounts directly from personal devices.”

Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks
https://www.indiavpn.org/2024/01/22/apache-activemq-flaw-exploited-in-new-godzilla-web-shell-attacks/
Mon, 22 Jan 2024 06:17:32 +0000

Jan 22, 2024 | Newsroom | Vulnerability / Malware

Cybersecurity researchers are warning of a “notable increase” in threat actor activity exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.

“The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners,” Trustwave said. “Notably, despite the binary’s unknown file format, ActiveMQ’s JSP engine continues to compile and execute the web shell.”

CVE-2023-46604 (CVSS score: 10.0) refers to a severe vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.


In the latest intrusion set observed by Trustwave, susceptible instances have been targeted by JSP-based web shells that are planted within the “admin” folder of the ActiveMQ installation directory.

The web shell, named Godzilla, is a functionality-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.

“What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary,” security researcher Rodel Mendrez said. “This method has the potential to circumvent security measures, evading detection by security endpoints during scanning.”

A closer examination of the attack chain shows that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine.


The JSP payload ultimately allows the threat actor to connect to the web shell through the Godzilla management user interface and gain complete control over the target host, facilitating the execution of arbitrary shell commands, viewing network information, and handling file management operations.

Users of Apache ActiveMQ are highly recommended to update to the latest version as soon as possible to mitigate potential threats.

DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud
https://www.indiavpn.org/2024/01/08/doj-charges-19-worldwide-in-68-million-xdedic-dark-web-marketplace-fraud/
Mon, 08 Jan 2024 07:35:07 +0000

Jan 08, 2024 | Newsroom | Financial Fraud / Cybercrime


The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, which is estimated to have facilitated more than $68 million in fraud.

In wrapping up its investigation into the dark web portal, the agency said the transnational operation was the result of close cooperation with law enforcement authorities from Belgium, Germany, the Netherlands, Ukraine, and Europol.

Of the 19 defendants, three have been sentenced to 6.5 years in prison, eight have received jail terms ranging from one year to five years, and one individual has been ordered to serve five years’ probation.

Among them is Glib Oleksandr Ivanov-Tolpintsev, a Ukrainian national who was sentenced to four years in prison in May 2022 for selling compromised credentials on xDedic and making $82,648 in illegal profits.


Dariy Pankov, described by the DoJ as one of the highest sellers by volume, offered credentials for no fewer than 35,000 hacked servers located all over the world and obtained more than $350,000 in illicit proceeds.

The servers were infiltrated using a custom tool named NLBrute that was capable of breaking into protected computers by decrypting login credentials.

Also of note is a Nigerian national named Allen Levinson, who was a “prolific buyer” with a particular interest in purchasing access to U.S.-based Certified Public Accounting firms in order to file bogus tax returns with the U.S. government.

Five others, who have been accused of a conspiracy to commit wire fraud, are pending sentencing.

Alongside these administrators and sellers, two buyers named Olufemi Odedeyi and Oluwaseyi Shodipe have been charged with conspiracy to commit wire fraud and aggravated identity theft. Shodipe has also been charged with making false claims and theft of government funds.

Both individuals are yet to be extradited from the U.K. If convicted, they each face a maximum penalty of 20 years in federal prison.


The marketplace, until its takedown in January 2019, allowed cybercriminals to buy or sell stolen credentials to more than 700,000 hacked computers and servers across the world and personally identifiable information of U.S. residents, such as dates of birth and Social Security numbers.

Alexandru Habasescu and Pavlo Kharmanskyi functioned as the marketplace’s administrators. Habasescu, from Moldova, was the lead developer, while Kharmanskyi, who lived in Ukraine, managed advertising, payments, and customer support to buyers.

“Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included tax fraud and ransomware attacks,” the DoJ said.

Targets of these attacks comprised government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.

Bug or Feature? Hidden Web Application Vulnerabilities Uncovered
https://www.indiavpn.org/2023/12/26/bug-or-feature-hidden-web-application-vulnerabilities-uncovered/
Tue, 26 Dec 2023 04:14:14 +0000


Web Application Security consists of a myriad of security controls that ensure that a web application:

  1. Functions as expected.
  2. Cannot be exploited to operate out of bounds.
  3. Cannot initiate operations that it is not supposed to do.

Web applications have become ubiquitous since the expansion of Web 2.0, with social media platforms, e-commerce websites, and email clients saturating the internet in recent years.

As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers.

Common Attack Methods

The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control.

Injections

SQL databases are the most widely used kind of database, and they host a plethora of payment data, PII, and internal business records.

A SQL Injection is an attack that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

The starting point for this is a command such as the one below:

[Screenshot: the example SQL command]

This will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. Going further, this method will also return passwords if the table holds any.

Picture an attack like this being performed against a large social media company, or a large e-commerce business, and one can begin to see how much sensitive data can be retrieved with just one command.

Broken Access Control

Broken Access Control (BAC) has risen up the OWASP Top Ten from fifth place to first, making it the most common web application security risk. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category during OWASP’s recent testing.

The most common types of BAC are vertical and horizontal privilege escalation. Vertical privilege escalation occurs when a user can elevate their privileges and perform actions they should not have access to.

One example is CVE-2019-0211, an Apache local privilege escalation. This critical vulnerability, from 2019, affected Apache HTTP servers running on Unix systems, especially those utilizing the mod_prefork, mod_worker, and mod_event libraries.

This granted attackers the capability to execute unprivileged scripts, potentially leading to root access and compromising shared hosting services. Exploiting this flaw requires the manipulation of shared-memory regions within Apache’s worker processes, which must be done before initiating an Apache graceful restart.

Below is a screenshot of the PoC code. As one can see, a certain level of technical ability is required in this case; however, vertical privilege escalation can just as easily occur when a user’s permissions are overly permissive, or are not revoked when they leave a business.

[Screenshot: proof-of-concept code]

This takes us back to the principle of least privilege, a ubiquitous term found throughout the IT world, that is now becoming more commonplace as we realise how crucial web applications have become.

Horizontal privilege escalation is when a user gains access to data they are not supposed to have access to, but that data is held at the same level as their own permissions. This can be seen with one standard user accessing the data of another standard user. Whilst this should not be allowed, the privileges are not rising vertically but spreading horizontally. This is sometimes seen as more dangerous, as it can occur without raising any alerts on security systems.

With BAC becoming ever more present in the last couple of years, it is important to remember:

  • Solely depending on obfuscation is not a sufficient method for access control.
  • If a resource is not meant to be accessible to the public, it should be denied access by default.
  • Developers should explicitly specify allowed access for each resource at the code level, with access denial as the default setting.
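The three points above, deny by default, no reliance on obscure identifiers, and an explicit allow rule per resource, can be shown in a few lines. The following is an added example written for this article, not the author's or SecurityHQ's code; the users, roles, record ids and the in-memory store are constructed sample data, and the function names are assumptions.

```python
"""Deny-by-default access control over per-user records.

Added example (not from the original article). A minimal in-memory model in
which every request is refused unless an explicit rule grants it; the
horizontal case (one standard user reading another's record) and the
vertical case (a standard user attempting an admin action) are both denied
by the same code path.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample store: two standard users each own one record.
RECORDS = {
    101: Record(101, "alice", "alice's private notes"),
    102: Record(102, "bob", "bob's private notes"),
}


class AccessDenied(Exception):
    """Raised whenever no explicit rule grants the requested access."""


def can_read(user: User, record: Record) -> bool:
    """Explicit allow rules; anything not listed here is denied."""
    if user.role == "admin":
        return True
    if record.owner == user.name:
        return True
    return False


def read_record(user: User, record_id: int) -> Record:
    """Fetch a record for a user, denying by default.

    The record id is not treated as a secret: knowing or guessing an id
    (obfuscation) gives no access on its own, because the owner check runs
    on every request.
    """
    record = RECORDS.get(record_id)
    if record is None:
        # Same outcome as an unauthorised request, so a caller cannot tell
        # "does not exist" from "not yours" by the error alone.
        raise AccessDenied(f"record {record_id}")
    if not can_read(user, record):
        raise AccessDenied(f"record {record_id}")
    return record


def delete_record(user: User, record_id: int) -> bool:
    """Administrative action: only admins may delete, regardless of owner."""
    if user.role != "admin":
        raise AccessDenied("delete requires admin role")
    return RECORDS.pop(record_id, None) is not None


def attempt(fn, *args) -> str:
    """Run one access attempt and summarise the outcome for demonstration."""
    try:
        fn(*args)
        return "allowed"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    alice = User("alice", "user")
    bob = User("bob", "user")
    admin = User("carol", "admin")
    print("alice reads own record 101:", attempt(read_record, alice, 101))
    # Horizontal: same role, another user's record.
    print("alice reads bob's record 102:", attempt(read_record, alice, 102))
    # Vertical: standard user attempting an admin-only action.
    print("bob deletes record 101:", attempt(delete_record, bob, 101))
    print("admin reads record 102:", attempt(read_record, admin, 102))
```

The point of the design is that `read_record` never contains a "deny" rule: the only way to reach the record is to satisfy one of the explicit allow rules in `can_read`, so a new resource type added without rules is unreachable rather than world-readable.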

Best Practices – Read between the Lines (of code!)

To maintain security, developers need to verify incoming data, implement parameterized queries when interacting with databases, and apply effective session management methods to protect sensitive data. Much of this relies not only on the security of web browsers but also on the back-end security of the web servers delivering web content, leading to a segregation of duties in web security.

The biggest problem that arises here is that, whilst Web Application Firewalls (WAFs) can mitigate these risks, much of the responsibility for the secure implementation of web content lands at the feet of the developers who put these sites together. Cybersecurity can often become an afterthought, with functionality being preferred.

Practical Example – Input Validation

Input validation is one of the simplest and most effective ways to implement secure coding; in this example it is used to prevent SQL injection.

  1. User Input: The user provides input, for example:
  [Image: Web Application Vulnerabilities]
  2. Sanitization: The user input is not directly inserted into the SQL query. It is sanitized and treated as data, not as SQL code.
  3. Query Execution: The SQL query is executed with the user input as a parameter:
  4. As such, the query enters the backend as below:
  [Image: Web Application Vulnerabilities]

In this code, (user_input,) is a tuple containing the user’s input. The database driver takes care of escaping and properly handling this input, ensuring that it is treated as a data value, not as executable SQL code.

If the user input contains malicious code, such as “105 or 1=1,” it is not executed as SQL. Instead, it’s treated as a value to be compared to the UserId in the database.

The database driver automatically handles the escaping of the input, preventing it from affecting the structure of the SQL query or introducing security vulnerabilities.
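The behaviour described in the three paragraphs above can be observed directly against a throwaway database. The following is an added example and not the article's own code: it builds a constructed “Users” table in an in-memory SQLite database and runs the same lookup three ways, so the reader can see that the “105 or 1=1” input returns every row when concatenated into the SQL text but matches nothing when passed as a parameter. The column names, sample rows and function names are assumptions.

```python
"""Parameterised query versus string concatenation, on an in-memory SQLite database.

Added example (not from the original article). The same user-supplied value
is sent to the database as part of the SQL text (vulnerable), as a bound
parameter (safe), and as a bound parameter behind an input-validation check.
The table and rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(105, "alice", "hunter2"), (106, "bob", "swordfish"), (107, "carol", "letmein")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_input: str) -> list:
    """The vulnerable pattern: the input becomes part of the SQL text.

    With the input "105 or 1=1" the statement becomes
    "... WHERE UserId = 105 or 1=1", which is true for every row.
    """
    query = "SELECT UserId, Name FROM Users WHERE UserId = " + user_input
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Parameterised query: the driver binds the input as a value.

    The statement structure is fixed before the value is seen, so
    "105 or 1=1" is compared against UserId as one opaque value and
    matches no row.
    """
    query = "SELECT UserId, Name FROM Users WHERE UserId = ?"
    return conn.execute(query, (user_input,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_input: str) -> list:
    """Input validation in front of the parameterised query.

    A UserId must be a positive integer, so anything else is rejected before
    the database is involved at all; the parameter binding remains the
    actual injection defence, validation narrows what reaches it.
    """
    cleaned = user_input.strip()
    if not cleaned.isdigit():
        raise ValueError("UserId must be a positive integer")
    return lookup_safe(conn, cleaned)


if __name__ == "__main__":
    db = make_db()
    hostile = "105 or 1=1"
    print("concatenated:", lookup_unsafe(db, hostile))   # every row
    print("parameterised:", lookup_safe(db, hostile))    # no rows
    print("parameterised, valid id:", lookup_safe(db, "105"))
    try:
        lookup_validated(db, hostile)
    except ValueError as exc:
        print("validated:", exc)
```

Note that `lookup_safe` alone already defeats the injection; `lookup_validated` is there to show that validation and parameterisation are complementary, with the latter being the control that actually keeps data out of the query's structure.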

Web Application Firewalls (WAFs)

A WAF operates at layer 7 of the OSI model, and acts as a reverse proxy, ensuring client traffic passes through the WAF before entering the backend server. The rules or policies on the WAF protect against the documented vulnerabilities that are present in these backend servers and filter out malicious traffic.

There is a plethora of WAFs on the market, all of which can provide a strong defence against the more novel attacks and contribute well to a defence-in-depth approach. The practice of secure coding, however, is what ensures the foundations of the web application are secure and will not fall victim to more complex or novel attacks in the future.

WAFs are currently moving towards a mixed security model that uses behavioural-analysis technologies to detect malicious threats and to further mitigate the threat of more advanced ‘bots’, which have been leveraged for low-effort attacks on websites.

The main drawback of using a WAF, aside from the added latency and HTTP overhead, is that a WAF can be bypassed by using a 0-day exploit against a web application; secure coding and correct sanitisation mitigate this more effectively than offloading all web application security to a WAF. It is important to remember that a WAF is simply a layer of security, and not the entire solution.

Incident Response and Recovery

SecurityHQ’s suggestions to mitigate against attacks:

  1. Employing a WAF as a first line of defence is critical to ensure a business can defend against a large volume of attacks.
  2. Ensure up-to-date and strong standard algorithms and protocols are in use; this should be paired with proper key management.
  3. Encrypt data in transit with secure protocols such as TLS, using forward secrecy (FS) ciphers and cipher prioritization by the server. Enforce encryption using directives such as HTTP Strict Transport Security (HSTS).
  4. Enable bot management strategies on websites and have a documented incident response plan.
  5. Ensure secure development practices are in place, with a documented process of testing new features on web applications and ensure input validation is deployed.
    • This should be coupled with ensuring the principle of least privilege.
  6. Regularly test for vulnerabilities, with Vulnerability Management, and Managed Defense with IBM tooling, and keep track of component versions.
  7. Utilise a red application test to uncover vulnerabilities scanners cannot find.
  8. Ensure Developers are regularly trained to keep up with the latest security trends and emerging threats.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

Note: This article was expertly written by Tim Chambers, Senior Cyber Security Manager at SecurityHQ

German Authorities Dismantle Dark Web Hub ‘Kingdom Market’ in Global Operation
https://www.indiavpn.org/2023/12/24/german-authorities-dismantle-dark-web-hub-kingdom-market-in-global-operation/
Sun, 24 Dec 2023 03:20:35 +0000

Dec 21, 2023 | Newsroom | Dark Web / Cybercrime

[Image: Dark Web Hub Kingdom Market]

German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to “tens of thousands of users.”

The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said.

Kingdom Market is said to have been accessible over the TOR and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents.

As many as 42,000 products have been sold via several hundred seller accounts on the English language platform prior to its takedown, with 3,600 of them originating from Germany.


Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3% commission for processing the sales of the illicit goods.

“The operators of ‘Kingdom Market’ are suspected of commercially operating a criminal trading platform on the Internet and of illicit trafficking in narcotics,” the BKA said, adding an investigation into the seized server infrastructure is ongoing.

In addition to the seizure, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering. Alan Bill, who also goes by the aliases Vend0r and KingdomOfficial, has been described as a Slovakian national.

The development comes days after another coordinated law enforcement effort saw the dismantling of the BlackCat ransomware’s dark web infrastructure, prompting the group to respond to the seizure of its data leak site by wresting control of the page, claiming they had “unseized” it.
