Your Daily Decrypt

8/08/2023 - Today’s news and insights for cybersecurity pros and leaders

📸 Cybersecurity Snapshot

  • Ransomware: Ransomware is a type of malware that encrypts a victim's files and demands a ransom payment in order to decrypt them. Clop, LockBit, and Conti are some of the most common ransomware strains.

  • Botnets: Botnets are networks of infected computers that are controlled by a hacker. Botnets can be used to launch DDoS attacks, steal data, or spread other malware. Mirai and Qbot are two of the most common botnets.

  • Trojans: Trojans are malicious programs that are disguised as legitimate software. Trojans can steal data, install other malware, or give hackers remote access to a victim's computer. Agent Tesla and TrickBot are two of the most common Trojans.

  • Phishing: Phishing is a social engineering attack that uses emails or text messages to trick victims into clicking on a malicious link or opening an infected attachment. Phishing attacks are often used to steal passwords, credit card numbers, or other sensitive information.

  • Zero-day attacks: Zero-day attacks exploit vulnerabilities in software that are not yet known to the software vendor. Zero-day attacks are often very difficult to defend against because there is no patch available to fix the vulnerability.

These are just a few of the most dangerous threats currently circulating, and not all of them are malware: phishing is a social engineering technique and a zero-day is an unpatched vulnerability, both of which are commonly used to deliver the malware families above. It is important to be aware of these threats and to take steps to protect yourself and your organization from them.

📰 Top Stories

DHS is harnessing facial recognition and AI to track down child abusers, leading to breakthroughs in numerous cold cases. After UK police discovered a concerning video, DHS's Homeland Security Investigations utilized facial recognition, identifying Missouri's Scott Barker from a vast online image database. Though tools like Clearview AI, which scrapes billions of online images, are invaluable in such investigations, concerns about misuse, especially regarding privacy and misidentification, remain pronounced.

Polish spyware company LetMeSpy has announced its "permanent shutdown" following a data breach in June that eradicated its servers, including vast amounts of stolen data from victims' phones. The breach allowed unauthorized access, downloading, and deletion of the website's data. A review of the compromised data revealed LetMeSpy's control over more than 13,000 Android devices globally, contradicting its claim of overseeing 236,000 devices. The spyware was developed by Krakow-based firm Radeal.

DHS's Cybersecurity and Infrastructure Security Agency (CISA) is urging a secure-by-design approach for Unified Extensible Firmware Interface (UEFI) updates, following challenges with the BlackLotus bootkit. BlackLotus, the first malware to bypass Microsoft's UEFI Secure Boot, highlights the need for a more resilient update distribution for UEFI. Jonathan Spring, senior technical advisor at CISA, emphasizes that automated security fixes should become the standard, and outlines strategies for UEFI component auditing, management, and updates.

🚨 Threat Alerts

Onwuchekwa Nnanna Kalu, a Nigerian national, admitted to being part of a business email compromise (BEC) scheme that defrauded a Boston investment firm of $1.25 million. Arrested in Nigeria in 2022, Kalu was later extradited to the U.S. and faces a maximum of 20 years in prison and a $250,000 fine. Kalu and his co-conspirators targeted the firm by deploying malware, creating fake email domains, and directing transfers to their accounts. U.S. Attorney Matthew M. Graves emphasized the importance of diligence in avoiding BEC scams and assured that perpetrators would be prosecuted. The FBI has sometimes been able to recover stolen funds from BEC attacks.

Cybersecurity researcher Jeremiah Fowler from VPNmentor has exposed a complex cryptocurrency scam that uses over 300 fake websites to defraud investors. The scam manipulates victims by posing as trusted acquaintances and directing them to professionally crafted fake sites. Initial withdrawals create a false sense of security, but later attempts lead to additional fee demands, entrapping victims in a continuous payment loop. The scam's vast web of domains points to an international operation, with links to Nigeria and the US.

⚖️ Regulatory Updates

The Securities and Exchange Commission (SEC) has recently mandated new cybersecurity disclosure rules for public companies, emphasizing transparency and accountability. Companies must annually detail their cybersecurity risk management, governance, and strategies in their 10-K filings. Additionally, any significant cybersecurity incidents must be reported within four days, unless immediate disclosure poses significant risks to public safety or national security. The ruling will be effective for annual filings post-December 15, 2023, and incident reports after December 18, 2023. To comply, organizations should evaluate and bolster their cybersecurity programs, refine incident responses, ensure robust governance, involve executives and boards, and invest in advanced IT security tools.

The Securities and Exchange Commission (SEC) has introduced new regulations, mandating greater transparency for publicly traded companies regarding cybersecurity risk management. Notably, the changes require firms to disclose cybersecurity governance, strategy, and prior incidents in their annual 10-K filings. Additionally, any significant cybersecurity breach must be reported within four business days, with exceptions granted for national security concerns. As the deadline approaches for these stringent requirements, companies must proactively evaluate and bolster their cybersecurity infrastructure, ensuring compliance and preserving investor trust.

👀 Curated Finds

Cloud misconfiguration remains a significant threat vector, potentially leading to data breaches, as highlighted in a new report by cloud security firm Qualys. The research, which analyzed misconfiguration issues across Amazon Web Services, Microsoft Azure, and Google Cloud Platform, found alarming weaknesses. Specifically, within Azure, 99% of disks are improperly encrypted or lack customer-controlled encryption keys. Furthermore, 85% of encryption keys aren't rotated annually, even though AWS offers automatic key rotation. The study also found widespread poor implementation of Identity and Access Management (IAM) and public exposure of data, with 31% of S3 buckets publicly accessible. The report underscores the critical need for organizations to continuously monitor and verify their cloud configurations to safeguard against potential cyber threats.
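The three findings above translate directly into checks an organization can run against its own inventory. The script below is an added example, not code from the newsletter or from Qualys; it runs over a constructed inventory with an assumed schema (disk, key and bucket fields are assumptions) rather than live provider APIs, and flags disks without customer-managed keys, keys not rotated within a year, and buckets left publicly reachable.

```python
from datetime import date, timedelta

# Constructed sample inventory with an assumed schema; real data would be
# pulled from the cloud providers' APIs.
INVENTORY = {
    "disks": [
        {"id": "disk-a", "encrypted": True, "customer_managed_key": True},
        {"id": "disk-b", "encrypted": True, "customer_managed_key": False},
        {"id": "disk-c", "encrypted": False, "customer_managed_key": False},
    ],
    "keys": [
        {"id": "key-1", "last_rotated": date(2023, 2, 1)},
        {"id": "key-2", "last_rotated": date(2021, 11, 5)},
        {"id": "key-3", "last_rotated": None},  # never rotated
    ],
    "buckets": [
        {"name": "logs", "block_public_access": True, "acl_public": False, "policy_public": False},
        {"name": "assets", "block_public_access": False, "acl_public": True, "policy_public": False},
        {"name": "backups", "block_public_access": False, "acl_public": False, "policy_public": False},
    ],
}


def audit(inventory, today=date(2023, 8, 8), max_key_age_days=365):
    """Return (kind, id, reason) tuples for every misconfiguration found."""
    findings = []
    for d in inventory["disks"]:
        if not d["encrypted"]:
            findings.append(("disk", d["id"], "not encrypted"))
        elif not d["customer_managed_key"]:
            findings.append(("disk", d["id"], "no customer-managed key"))
    # A key counts as stale when it was never rotated or last rotated
    # more than max_key_age_days ago.
    cutoff = today - timedelta(days=max_key_age_days)
    for k in inventory["keys"]:
        if k["last_rotated"] is None or k["last_rotated"] < cutoff:
            findings.append(("key", k["id"], "not rotated within a year"))
    # A bucket is public only when the account-level block is off AND an
    # ACL or bucket policy actually grants public access.
    for b in inventory["buckets"]:
        if not b["block_public_access"] and (b["acl_public"] or b["policy_public"]):
            findings.append(("bucket", b["name"], "publicly accessible"))
    return findings


def percent_affected(findings, inventory, kind, key):
    """Share of resources of one kind with at least one finding, as an integer percent."""
    total = len(inventory[key])
    hit = len({f[1] for f in findings if f[0] == kind})
    return round(100 * hit / total) if total else 0
```

Running `audit(INVENTORY)` on the constructed data flags two disks, two keys and one bucket; `percent_affected` reproduces the kind of per-resource percentages the report cites.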

The Common Vulnerability Scoring System (CVSS), a standardized method for assessing technology vulnerabilities, is undergoing significant changes with its upcoming 4.0 version. Despite its wide adoption, including by the NIST National Vulnerability Database (NVD), CVSS has faced criticism for being complex and subjective. CVSS 4.0, set for publication on October 1, 2023, introduces new metrics and terminologies to address past critiques and better align with modern cybersecurity needs. However, while the new system offers improvements, experts highlight that CVSS by itself might not be sufficient for vulnerability prioritization and that organizations must apply their specific context to get accurate vulnerability assessments.

The article discusses how to attack Microsoft SQL Server using the SQLRecon toolkit, highlighting misconfigurations like weak authentication and privilege escalation methods like command execution and loading custom .NET assemblies. It provides demonstrations of attacking linked SQL Servers, decrypting credentials, and abusing SCCM databases. Defensive considerations like network segmentation, logging, and least privilege are outlined.

Thank you 🙏
Ali Abidi