Does the OWASP Top 10 Still Matter?

What is the OWASP Top 10, and – just as important – what is it not? In this review, we look at how you can make this critical risk report work for you and your organisation.
What is OWASP?
OWASP is the Open Web Application Security Project, an international non-profit organization dedicated to improving web application security.
It operates on the core principle that all of its materials are freely available and easily accessible online, so that anyone anywhere can improve their own web app security. It offers a number of tools, videos, and forums to help you do this – but their best-known project is the OWASP Top 10.
The top 10 risks
The OWASP Top 10 outlines the most critical risks to web application security. Put together by a team of security experts from all over the world, the list is designed to raise awareness of the current security landscape and offer developers and security professionals invaluable insights into the latest and most widespread security risks.
It also includes a checklist and remediation advice that experts can fold into their own security practices and operations to minimise and/or mitigate the risk to their apps.
Why you should use it
OWASP refreshes the Top 10 every few years as the web application landscape evolves (the 2013, 2017 and 2021 editions are the most recent), and many of the world's largest organizations treat it as a baseline.
As such, you could be seen as falling short of compliance and security if you don’t address the vulnerabilities listed in the Top 10. Conversely, integrating the list into your operations and software development shows a commitment to industry best practice.
And why you shouldn’t
Some experts believe the OWASP Top 10 is flawed because the list is too limited and lacks context. By focusing only on the top ten risks, it neglects the long tail. What's more, the OWASP community often argues about the ranking, and whether the 11th or 12th entry deserves a place on the list more than something currently ranked higher.
There is some merit to these arguments, but the OWASP Top 10 is still the leading reference for security-aware coding and testing. It's easy to understand, it helps users prioritise risk, and it's actionable. And for the most part, it focuses on the most critical categories of risk rather than on specific vulnerabilities.
So, what’s the answer?
Web application vulnerabilities are bad for businesses, and bad for consumers. Big breaches can result in huge quantities of stolen data. These breaches aren't always caused by organizations failing to address the OWASP Top 10, but the Top 10 risks account for some of the biggest issues. And there's no point worrying about obscure zero-day flaws in your firewall if you're not going to block injection, session hijacking, or XSS.
So, what should you do? Firstly, train everyone in good security hygiene. Do dynamic application security testing, including penetration testing. Ensure admins adequately protect applications. And use an online vulnerability scanner.
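As an added illustration of the injection risk the text puts ahead of exotic zero-days (example code written for this page, not from OWASP or Intruder): the same login query built two ways against a constructed SQLite table. The table, the `alice` account and the two payloads are assumptions made up for the demonstration; passwords are stored in clear only so the injection point stays simple.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table (sample data, not real accounts).

    Passwords are stored in clear only to keep the injection point simple;
    a real application stores a salted password hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Classic injectable login: user input is spliced into the SQL text, so
    quotes and comment markers in the input become SQL syntax."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised form: the SQL text is fixed and the driver passes the
    values out of band, so input can never change the query's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Two textbook payloads (assumed attacker input): a tautology in the password
# field, and a comment marker in the username field that truncates the
# password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(label, "valid creds:", fn(db, "alice", "correct horse battery staple"))
        print(label, "tautology:  ", fn(db, "alice", TAUTOLOGY))
        print(label, "comment-out:", fn(db, COMMENT_OUT, "wrong"))
```

Running it shows the vulnerable function accepting both payloads while the parameterised one rejects them. The fix is structural (a fixed query plus bound parameters), which is why scanners and the Top 10 treat injection as a class rather than a list of bad strings to filter.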
Beyond OWASP
Like most organizations, you may already be using a number of different cyber security tools to protect your organization against the threats listed by OWASP. While this is a good security stance, vulnerability management can be complex and time-consuming.
But it doesn’t have to be. Intruder makes it easy to secure your apps by integrating with your CI/CD pipeline to automate the discovery of any cyber weaknesses.
You can run security checks across your perimeter, including application-layer checks for the OWASP Top 10, XSS, SQL injection, the CWE/SANS Top 25, remote code execution, OS command injection, and more.
In addition to web app checks, Intruder performs reviews across your publicly and privately accessible servers, cloud systems, and endpoint devices to keep you fully protected.
Read the latest report for a more in-depth look at the OWASP Top 10. Or if you’re ready to discover how Intruder can find the cyber security weaknesses in your business, sign up for a free trial today.


Modified WhatsApp App Caught Infecting Android Devices with Malware

An unofficial version of the popular WhatsApp messaging app called YoWhatsApp has been observed deploying an Android trojan known as Triada.
The goal of the malware is to steal the keys that “allow the use of a WhatsApp account without the app,” Kaspersky said in a new report. “If the keys are stolen, a user of a malicious WhatsApp mod can lose control over their account.”
YoWhatsApp offers the ability for users to lock chats, send messages to unsaved numbers, and customize the app with a variety of theming options. It’s also said to share overlaps with other modded WhatsApp clients such as FMWhatsApp and HeyMods.
The Russian cybersecurity company said it found the malicious functionality in YoWhatsApp version 2.22.11.75.
Typically spread through fraudulent ads on Snaptube and Vidmate, the app asks the victim on installation for permission to access SMS messages, which lets the malware enroll them in paid subscriptions without their knowledge.
A successful theft of the keys can lead to a total compromise of the account, allowing the adversary to access chat messages and even impersonate the victim to send malspam and conduct financial fraud.
The development comes amid Meta Platforms filing a lawsuit against three developers in China and Taiwan for distributing unofficial WhatsApp apps, including HeyMods, that resulted in the compromise of over one million user accounts.
The findings also arrive a little over a year after threat actors were found delivering the Triada malware through FMWhatsApp.
“Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps,” the researchers pointed out. “This means that users who choose popular apps and official installation sources, may still fall victim to them.”


BazarCall Call Back Phishing Attacks Constantly Evolving Its Social Engineering Tactics

The operators behind the BazaCall call back phishing method have continued to evolve with updated social engineering tactics to deploy malware on targeted networks.
The scheme eventually acts as an entry point to conduct financial fraud or facilitate the delivery of next-stage payloads such as ransomware, cybersecurity company Trellix said in a report published last week.
Primary targets of the latest attack waves include the U.S., Canada, China, India, Japan, Taiwan, the Philippines, and the U.K.
BazaCall, also called BazarCall, first gained popularity in 2020 for its novel approach of distributing the BazarBackdoor (aka BazarLoader) malware by manipulating potential victims into calling a phone number specified in decoy email messages.
These email baits aim to create a false sense of urgency, informing the recipients about renewal of a trial subscription for, say, an antivirus service. The messages also urge them to contact their support desk to cancel the plan, or risk getting automatically charged for the premium version of the software.
The ultimate goal of the attacks is to enable remote access to the endpoint under the guise of terminating the supposed subscription or installing a security solution to rid the machine of malware, effectively paving the way for follow-on activities.
Another tactic embraced by the operators involves masquerading as incident responders in PayPal-themed campaigns, deceiving the caller into thinking that their account has been accessed from eight or more devices in random locations around the world.
Regardless of the scenario employed, the victim is prompted to visit a specific URL: a specially crafted website designed to download and execute a malicious executable that, among other files, also drops the legitimate ScreenConnect remote desktop software.
Once persistent access is established, the attacker opens fake cancellation forms that ask the victim to enter personal details and sign in to their bank account to complete a "refund"; in reality, the victim is tricked into sending money to the scammer.
The development comes as at least three different spinoff groups from the Conti ransomware cartel have embraced the call back phishing technique as an initial intrusion vector to breach enterprise networks.
The ties to Conti don’t end there. BazarBackdoor, for its part, is the creation of a cybercrime group known as TrickBot, which was taken over by Conti earlier this year before the latter’s shutdown in May-June 2022 over its allegiance to Russia in its assault on Ukraine.


The Latest Funding News and What it Means for Cyber Security in 2023

The White House has recently announced a $1 billion cyber security grant program designed to help state and local governments improve their cyber defenses, especially for protecting critical infrastructure. The program stems from the $1.2 trillion infrastructure bill that was signed almost a year ago. That bill allocated $1 billion for protecting critical infrastructure against cyber-attack in the wake of a series of high-profile ransomware attacks, such as the one that brought down the Colonial Pipeline.
Those government agencies who wish to take advantage of these funding opportunities must submit a grant proposal by mid-November. Proposals are only being accepted for the sixty days following the program’s announcement.
Grant recipients can use the funding to invest in new cybersecurity initiatives or to make improvements to existing defenses. Awardees are guaranteed to receive a minimum of $2 million. However, the program’s requirements stipulate that 80% of the funding must be invested in local or rural communities. Additionally, recipients are required to distribute at least 3% of funds received to tribal governments.
Although companies in the private sector are not eligible for these grants, the private sector will likely see an indirect benefit. The fact that governments are placing an increased focus on cyber security will surely help IT security teams because of the attention that it will bring to the seriousness of addressing cyber security threats.
This national attention, in turn, should make it easier for IT security teams to get their budgets approved.
Securing your own IT security budgets for 2023
Getting funding for IT initiatives can be tricky in even the best of circumstances. The current economic recession would ordinarily make it all but impossible for IT security teams to get funding for new security initiatives, barring some sort of disaster. However, the emphasis that the federal government is currently placing on cyber security may give IT pros the opportunity they need to have a frank discussion about security within their organization, which may ultimately lead to getting security projects funded.
Here are six basic steps IT pros can use to improve their odds of receiving the funding that they need:
Step One: Outline the problem
The first step involves demonstrating to higher-ups that your project is intended to protect against a credible threat. Recent headlines can help provide the evidence you need and give you the chance to make the case that if the government is taking cybersecurity threats seriously, then your organization should too. Besides, if the government is stepping up its cyber defenses, attackers may be inclined to move on to softer targets, such as businesses that are still relying on legacy security tools.
Step Two: Prove your point
The second step is to use data to your advantage. This might mean citing recent cybercrime statistics or using the security tools already available to you to gather statistics from your own organization, highlighting the problem you are trying to solve.
Step Three: Present a solution
Next, you’ll want to highlight what your proposed solution would do. It’s one thing to demonstrate that a security problem is real, but you also need to be prepared to explain how your intended solution will fix the problem.
Step Four: Set the date
Step 4 is all about creating an implementation schedule. Those who are tasked with managing an organization's finances are almost always concerned about return on investment. In other words, how long will it take for a newly acquired product to provide enough benefit to offset its cost? You need to demonstrate that your proposed solution's cost is justified and that it will be implemented and provide a return on investment in a reasonable amount of time. This also keeps your entire stakeholder team accountable to the agreed-upon timeframe.
Step Five: Show them the money
In this approval process, you’ll need to demonstrate estimated savings for the company. Yes, your new security tool might protect an organization from catastrophic financial loss due to a ransomware attack or a regulatory violation, but it’s important to show savings in other ways too. For example, will adopting a new tool reduce the number of overtime hours that the IT department works?
Step Six: Bring the research
Finally, you’ll want to show that you have looked at competing solutions and prepared a price comparison. It’s okay if your proposed solution is not the cheapest option. Just make sure that you can rationalize why you are not recommending the least expensive option.
Prove the need for IT Security Budget with data
Of course, before you can even begin seeking funding for an enhanced cybersecurity defense, you need to show how your organization could be at risk of a cyber-attack. Since many such attacks target Active Directory, you might begin your data-gathering efforts by using Specops Password Auditor to scan your Active Directory for password vulnerabilities.
This free, read-only tool can help you detect passwords that do not adhere to your password policy, to compliance requirements, or to industry best practices. More importantly, it can tell you which users have passwords that appear in a database of over 875 million leaked passwords, making those accounts vulnerable because their passwords are available for purchase on the dark web.
Specops Password Auditor is just one of the countless free security tools that are available online, but it is a great place to start because it does a good job of detecting real security vulnerabilities that exist right now within your own organization.
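To show what a leaked-password check of the kind described above actually does, here is an added example written for this page, not Specops' code and not a description of how Password Auditor works internally. It uses the k-anonymity range lookup popularised by the Pwned Passwords service: only the first five hex characters of a SHA-1 digest leave the auditing host, and the caller matches the full suffix locally. The breach corpus, the range function and the test-tenant accounts are all constructed here; a directory auditor would compare NT hashes pulled from AD against an NT-hash breach list, since Active Directory never holds cleartext, and the cleartext input here is purely for illustration.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used by Pwned-Passwords style dumps."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: {sha1: times_seen}. The hashes are computed here from a
# handful of well-known weak passwords; this is not data from any real breach dump.
BREACH_CORPUS = {
    sha1_hex("Password123"): 123_456,
    sha1_hex("Summer2022!"): 4_321,
    sha1_hex("qwerty"): 9_999_999,
}


def build_ranges(corpus: dict) -> dict:
    """Bucket the corpus by the first five hex characters, the unit a
    k-anonymity range lookup returns."""
    ranges = defaultdict(dict)
    for digest, seen in corpus.items():
        ranges[digest[:5]][digest[5:]] = seen
    return ranges


RANGES = build_ranges(BREACH_CORPUS)


def range_lookup(prefix: str) -> dict:
    """Stand-in for the remote range query (assumed interface, no network here).

    Only the 5-character prefix leaves the auditing host, and every suffix in
    that bucket comes back, so the service never learns which full hash the
    caller was interested in."""
    return RANGES.get(prefix, {})


def times_breached(password: str) -> int:
    """Return how often the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def audit_accounts(accounts: dict) -> dict:
    """accounts: {username: password} for a constructed test tenant.

    Returns {username: times_seen} for every account whose password is in
    the corpus, so the findings can be cited as data in a budget request."""
    findings = {}
    for user, password in accounts.items():
        seen = times_breached(password)
        if seen:
            findings[user] = seen
    return findings


# Constructed sample: a test tenant, not real credentials.
SAMPLE_ACCOUNTS = {
    "jdoe": "Password123",
    "svc_backup": "Summer2022!",
    "asmith": "Vq7!r2Lm#pX9wT4e",
}

if __name__ == "__main__":
    for user, seen in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: password seen {seen} times in breach data")
```

The counts matter as much as the hit itself: a password seen in the low millions is in every cracking wordlist and the account should be treated as already compromised, which is a much stronger line in a funding conversation than "some passwords are weak".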
Get a leg up on IT security funding in 2023 and test out Specops Password Auditor in your Active Directory today.


Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky

A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat (APT) group named Earth Aughisky.
“Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan,” Trend Micro disclosed in a technical profile last week.
Earth Aughisky, also known as Taidoor, is a cyber espionage group that’s known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in the network design and infrastructure for its own ends.
While the Chinese threat actor has been known to primarily target organizations in Taiwan, victimology patterns observed towards late 2017 indicate an expansion to Japan.
The most commonly targeted industry verticals include government, telecom, manufacturing, heavy industry, technology, transportation, and healthcare.
Attack chains mounted by the group typically leverage spear-phishing as a method of entry, using it to deploy next-stage backdoors. Chief among its tools is a remote access trojan called Taidoor (aka Roudan).
The group has also been linked to a variety of malware families, such as GrubbyRAT, K4RAT, LuckDLL, Serkdes, Taikite, and Taleret, as part of its attempts to consistently update its arsenal to evade security software.
Some of the other notable backdoors employed by Earth Aughisky over the years are as follows –

  • SiyBot, a basic backdoor that uses public services like Gubb and 30 Boxes for command-and-control (C2)
  • TWTRAT, which abuses Twitter’s direct message feature for C2
  • DropNetClient (aka Buxzop), which leverages the Dropbox API for C2

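Backdoors that use Dropbox, Twitter or similar public services for C2 defeat reputation-based blocking, because the destination is legitimate and often already allowed. What remains observable is timing: an implant polling on a sleep timer produces request gaps far more regular than a person's. The following is an added detection example written for this page (not Trend Micro's tooling and not derived from the backdoors' actual beacon intervals); the proxy log format, the watched host list and every log line are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Destinations to examine. The Dropbox and Twitter API hostnames are real
# endpoints; treating exactly this set as "watched" is an assumption.
WATCHED_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.twitter.com"}

# Constructed proxy log (not from any real incident):
# timestamp client_ip dest_host status bytes
# 10.1.2.3 polls every ~5 minutes with a second or two of drift;
# 10.1.2.9 is a person using Dropbox at irregular times.
SAMPLE_LOG = """\
2022-10-10T09:00:00 10.1.2.3 api.dropboxapi.com 200 812
2022-10-10T09:00:10 10.1.2.9 api.dropboxapi.com 200 51320
2022-10-10T09:00:45 10.1.2.9 api.dropboxapi.com 200 2200
2022-10-10T09:02:30 10.1.2.3 www.example.com 200 7041
2022-10-10T09:05:01 10.1.2.3 api.dropboxapi.com 200 815
2022-10-10T09:09:59 10.1.2.3 api.dropboxapi.com 200 810
2022-10-10T09:13:20 10.1.2.9 api.dropboxapi.com 200 91000
2022-10-10T09:15:02 10.1.2.3 api.dropboxapi.com 200 811
2022-10-10T09:20:00 10.1.2.3 api.dropboxapi.com 200 814
2022-10-10T09:24:58 10.1.2.3 api.dropboxapi.com 200 813
2022-10-10T09:40:05 10.1.2.9 api.dropboxapi.com 200 120
2022-10-10T10:30:00 10.1.2.9 api.dropboxapi.com 200 4600
2022-10-10T10:31:00 10.1.2.9 api.dropboxapi.com 200 4600
"""


def parse_log(text: str) -> dict:
    """Group request timestamps by (client, host) for watched hosts only."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status, _size = line.split()
        if host in WATCHED_HOSTS:
            events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text: str, min_hits: int = 5, max_cv: float = 0.1) -> dict:
    """Flag (client, host) pairs whose request spacing is too regular for a person.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; a fixed sleep timer gives a cv near zero, human
    activity gives a cv well above one. Needs at least min_hits requests so a
    couple of coincidentally spaced requests do not fire the rule."""
    findings = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings[key] = {"hits": len(times), "mean_gap_s": round(avg, 1), "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats}")
```

Two caveats a practitioner would apply before acting on a hit: many implants add jitter to their sleep, so `max_cv` has to be tuned against your own traffic (or the gaps binned into a histogram rather than summarised by one statistic), and legitimate sync clients also poll on timers, so a regular pattern to a SaaS API is a lead to pivot on (which process, which account, what is in the payload) rather than a verdict by itself.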
Trend Micro’s attribution of the malware strains to the threat actor is based on the similarities in source code, domains, and naming conventions, with the analysis also uncovering functional overlaps between them.
The cybersecurity firm also linked the activities of Earth Aughisky to another APT actor codenamed by Airbus as Pitty Tiger (aka APT24) owing to the use of the same dropper in various attacks that transpired between April and August 2014.
2017, the year the group set its sights on Japan and Southeast Asia, was also an inflection point: the volume of attacks has declined significantly since then.
Despite the longevity of the threat actor, the recent shift in targets and activities likely suggests a change in strategic objectives or that the group is actively revamping its malware and infrastructure.
“Groups like Earth Aughisky have sufficient resources at their disposal that allow them the flexibility to match their arsenal for long-term implementations of cyber espionage,” Trend Micro researcher CH Lei said.
“Organizations should consider this observed downtime from this group’s attacks as a period for preparation and vigilance for when it becomes active again.”
