FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization

U.S. cybersecurity and intelligence agencies on Tuesday disclosed that multiple nation-state hacking groups potentially targeted a “Defense Industrial Base (DIB) Sector organization’s enterprise network” as part of a cyber espionage campaign.
“[Advanced persistent threat] actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data,” the authorities said.
The joint advisory, which was authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), said the adversaries likely had long-term access to the compromised environment.
The findings are the result of CISA’s incident response efforts in collaboration with cybersecurity company Mandiant from November 2021 through January 2022. It did not attribute the intrusion to a known threat actor or group.
The initial infection vector used to breach the network is also unknown, although some of the APT actors are said to have obtained a digital beachhead to the target’s Microsoft Exchange Server as early as mid-January 2021.
Subsequent post-exploitation activities in February entailed a mix of reconnaissance and data collection efforts, the latter of which resulted in the exfiltration of sensitive contract-related information. Also deployed during this phase was the Impacket tool to establish persistence and facilitate lateral movement.
A month later, the APT actors exploited ProxyLogon flaws in Microsoft Exchange Server to install 17 China Chopper web shells and HyperBro, a backdoor exclusively used by a Chinese threat group called Lucky Mouse (aka APT27, Bronze Union, Budworm, or Emissary Panda).
The intruders, from late July through mid-October 2021, further employed a bespoke malware strain called CovalentStealer against the unnamed entity to siphon documents stored on file shares and upload them to a Microsoft OneDrive cloud folder.
Organizations are recommended to monitor logs for connections from unusual VPNs, suspicious account use, anomalous and known malicious command-line usage, and unauthorized changes to user accounts.
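As an added example (not code from the advisory or the agencies), the following Python detector shows what "known malicious command-line usage" monitoring can look like for the Impacket toolkit named above: it scans process-creation events for the loopback admin-share output redirection that Impacket's wmiexec/smbexec remote-execution helpers produce by default. The log events are constructed for the example, and the path patterns are an assumption about Impacket's default naming, not something the advisory spells out.

```python
import re

# Constructed Windows process-creation events (4688-style fields: user, parent
# image, command line). Made up for this example; not logs from the advisory.
SAMPLE_EVENTS = [
    {"user": r"CORP\svc_backup", "parent": "WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1665000000.12 2>&1"},
    {"user": r"CORP\alice", "parent": "explorer.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\alice\Documents"},
    {"user": r"CORP\svc_backup", "parent": "services.exe",
     "cmdline": r"%COMSPEC% /Q /c echo net user > \\127.0.0.1\C$\__output 2>&1 "
                r"> C:\Windows\TEMP\execute.bat & %COMSPEC% /Q /c C:\Windows\TEMP\execute.bat "
                r"& del C:\Windows\TEMP\execute.bat"},
    {"user": r"CORP\bob", "parent": "powershell.exe",
     "cmdline": r"cmd.exe /c ipconfig /all > C:\temp\net.txt 2>&1"},
]

# Assumption: by default Impacket's wmiexec.py and smbexec.py write command output
# to a file under a loopback admin share whose name starts with "__".
LOOPBACK_SHARE_REDIRECT = re.compile(
    r"\\\\127\.0\.0\.1\\(?:ADMIN\$|C\$)\\__", re.IGNORECASE)


def classify_event(event):
    """Return the list of reasons this event resembles Impacket remote execution."""
    reasons = []
    cmd = event["cmdline"]
    if LOOPBACK_SHARE_REDIRECT.search(cmd):
        reasons.append("output redirected to loopback admin share with __ prefix")
    # wmiexec runs a quiet cmd.exe as a child of the WMI provider host.
    if event["parent"].lower() == "wmiprvse.exe" and re.search(r"cmd\.exe\s+/Q\s+/c", cmd, re.I):
        reasons.append("quiet cmd.exe spawned by WmiPrvSE.exe")
    # smbexec wraps the command in an execute.bat launched through %COMSPEC%.
    lowered = cmd.lower()
    if "execute.bat" in lowered and "%comspec%" in lowered:
        reasons.append("smbexec-style execute.bat wrapper via %COMSPEC%")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event that triggered at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify_event(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['user']}): " + "; ".join(why))
```

In practice the same rules would run against a SIEM's process-creation stream rather than an inline list, and the parent-image check helps separate legitimate admin-share use from the wmiexec pattern.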


Want More Secure Software? Start Recognizing Security-Skilled Developers

Professional developers want to do the right thing, but in terms of security, they are rarely set up for success. Organizations must support their upskilling with precision training and incentives if they want secure software from the ground up.
The cyber threat landscape grows more complex by the day, with our data widely considered highly desirable “digital gold”. Attackers are constantly scanning networks for vulnerable applications, programs, cloud instances, and the latest flavor of the month is APIs, with Gartner correctly predicting that they would become the most common attack vector in 2022, and that is in no small part thanks to their often lax security controls.
Threat actors are so persistent that new apps can sometimes be compromised and exploited within hours of deployment. The Verizon 2022 Data Breach Investigations Report reveals that errors and misconfigurations were the cause of 13% of breaches, with the human element responsible overall for 82% of the 23,000 analyzed incidents.
It’s becoming very clear that the only way to truly fortify the software being created is to ensure that it’s built on secure code. In other words, the best way to stop the threat actor invasion is to deny them a foothold into your software in the first place. Cybercriminals are at a distinct advantage against organizations scrambling to defend their often vast attack surface, and any windows of opportunity that can be shut for good significantly reduce risk.
We make it hard for security stars to shine
The current status quo for developers at many organizations is such that their primary role is to build awesome features and deploy software at speed. The faster that developers can code and deploy, the more valuable they tend to be seen in terms of their performance reviews.
Security can be an afterthought, if considered at all, and is conspicuously absent as a measure of developer success. The 2022 State of Developer-Driven Security Survey in conjunction with Evans Data supports this outlook, with 86% of surveyed developers revealing that they do not view application security as a top priority. Instead, much of that is left to the application security (AppSec) teams to figure out. AppSec teams tend to be a source of frustration to most developers, because they would often send completed applications back into development to apply security patches, or to rewrite code to remediate vulnerabilities. And every hour that a developer spent working on an app that was already “finished” was an hour they were not creating new apps and features, thus decreasing their performance (and their value, in the eyes of a particularly punitive company).
However, the modern threat environment has forced everyone, from companies to government departments, to rethink the importance and prioritization of security, and they would be well-placed to consider how the development cohort fits into a defensive approach. According to the recent 2022 Cost of a Data Breach Report from IBM and the Ponemon Institute, the average cybersecurity breach now costs about $4.24 million per incident, although that is hardly the upper limit. The companies of today want the security offered by DevSecOps, but, sadly, have been slow to reward developers who answer that call.
Simply telling the development teams to consider security won’t work, especially if they are still being incentivized based on speed alone. In fact, within such a system, developers who take the time to learn about security and secure their code could actually be losing out on better performance reviews and lucrative bonuses that their less-security-aware colleagues continue to earn. It’s almost like companies are unwittingly rigging the system for their own security shortcomings, and it comes back to their perception of the development team. If they’re not seeing them as the security frontlines, then it’s very unlikely a viable plan to utilize their workforce will come to fruition.
And this doesn’t even account for the lack of training. Some very skilled developers have decades of experience coding, but very little when it comes to security… after all, it was never required of them, nor a measure of success or quality work. Unless a company provides a good training program, it can hardly expect its developers to suddenly gain new skills and put them into action in a meaningful way that actively reduces vulnerabilities.
(Want to compete against other elite developers from around the world, or nominate your own dev team of security superstars? Join Secure Code Warrior’s 2022 Devlympics, our biggest and best global secure coding tournament, and you could win big!)
Rewarding developers for good security practices
The good news is that the overwhelming majority of developers do their job because they find it both challenging and rewarding, and because they enjoy the respect that their position entails. Lifelong software engineer Michael Shpilt recently wrote about all of the things that motivate him and his colleagues in their development work. Yes, he lists monetary compensation among those incentives, but it’s surprisingly far down the list. Instead, he prioritizes the thrill of creating something new, skills development, and the satisfaction of knowing that his work is going to be directly used to help others. He also talks about wanting to feel valued within his company and community. In short, developers are no different to a lot of good people who take pride in their work.
Developers like Shpilt don’t want threat actors compromising their code and using it to harm their company, or the very users they are trying to help. But, they can’t suddenly shift their priorities to security without support.
To help development teams improve their cybersecurity prowess, they must first be taught the necessary skills. Utilizing a tiered approach to learning – as well as tools that are purpose-built to integrate seamlessly into their actual workflow – can make this process much less painful while helping to build upon existing knowledge in the right context.
With a commitment to upskilling in place, the old methods of evaluating developers based solely on speed need to be eliminated. Instead, developers should be rewarded based on their ability to create good, secure coding patterns, with the best candidates becoming security champions that help the rest of the team improve their skills. And those champions need to be rewarded with both company prestige and monetary compensation. It’s also important to remember that developers don’t typically have a positive experience with security, and uplifting them with positive, fun learning and incentives that speak to their interests will go a long way to ensuring both knowledge retention and a desire to keep building skills.
(Want to compete against other elite developers from around the world, or nominate your own dev team of security superstars? Join Secure Code Warrior’s 2022 Devlympics, and you could take out a major cash prize in our global tournaments!)


Telstra Telecom Suffers Data Breach Potentially Exposing Employee Information

Australia’s largest telecommunications company Telstra disclosed that it was the victim of a data breach through a third-party, nearly two weeks after Optus reported a breach of its own.
“There has been no breach of Telstra’s systems,” Narelle Devine, the company’s chief information security officer for the Asia Pacific region, said. “And no customer account data was involved.”
It said the breach targeted a third-party platform called Work Life NAB that’s no longer actively used by the company, and that the leaked data posted on the internet concerned a “now-obsolete Telstra employee rewards program.”
Telstra also noted it became aware of the breach last week, adding the information included first and last names and the email addresses used to sign up for the program. It further clarified that the data posted was from 2017.
The data was “basic in nature,” Devine said.
The company did not reveal how many employees were affected, but a Reuters report pegged the number at 30,000, citing internal staff email sent by Telstra.
The revelation comes a day after its rival Optus confirmed that nearly 2.1 million of its current and former customers suffered a leak of their personal information in the aftermath of a massive hack.


Experts Warn of New RatMilad Android Spyware Targeting Enterprise Devices

A novel Android malware called RatMilad has been observed targeting a Middle Eastern enterprise mobile device by concealing itself as a VPN and phone number spoofing app.
The mobile trojan functions as advanced spyware, with the capability to receive and execute commands that collect and exfiltrate a wide variety of data from the infected mobile endpoint, Zimperium said in a report shared with The Hacker News.
Evidence gathered by the mobile security company shows that the malicious app is distributed through links on social media and communication tools like Telegram, tricking unsuspecting users into sideloading the app and granting it extensive permissions.
The idea behind embedding the malware within a fake VPN and phone number spoofing service is also clever in that the app claims to enable users to verify social media accounts via phone, a technique popular in countries where access is restricted.
“Once installed and in control, the attackers could access the camera to take pictures, record video and audio, get precise GPS locations, view pictures from the device, and more,” Zimperium researcher Nipun Gupta said.

Other features of RatMilad, which is spread through apps named Text Me and NumRent, make it possible for the malware to amass SIM information, clipboard data, SMS messages, call logs, contact lists, and even perform file read and write operations.
Zimperium hypothesized that the operators responsible for RatMilad acquired source code from an Iranian hacker group dubbed AppMilad and integrated it into a fraudulent app for distributing it to unwitting users.
The scale of the infections is unknown, but the cybersecurity company said it detected the spyware during a failed compromise attempt of a customer’s enterprise device.
A post shared on a Telegram channel used to propagate the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited scope.
“The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security,” Richard Melick, director of mobile threat intelligence at Zimperium, said.
“From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix.”


BEC Scammer Gets 25-Year Jail Sentence for Stealing Over $9.5 Million

A 46-year-old man in the U.S. has been sentenced to 25 years in prison after being found guilty of laundering over $9.5 million accrued by carrying out cyber-enabled financial fraud.
Elvis Eghosa Ogiekpolor of Norcross, Georgia, operated a money laundering network that opened at least 50 business bank accounts to illicitly receive funds from unsuspecting individuals and businesses who had fallen victim to romance frauds and business email compromise (BEC) scams.
Ogiekpolor was charged by a federal grand jury in February 2022 with one count of conspiracy to commit money laundering and 15 counts of substantive money laundering. The scheme was operational from October 2018 to August 2020.
According to the U.S. Justice Department (DoJ), Ogiekpolor enlisted the help of eight “money mules” to open the phony bank accounts under the names of non-existent companies, which were subsequently used to stash the proceeds from their criminal activities.
These included creating fictitious personas on online dating sites to initiate conversations with potential targets, before tricking them into wiring funds directly into one of the sham accounts or mailing the cash to the money mules.
“Once the fraud proceeds posted to his accounts, Ogiekpolor laundered the funds, including wiring hundreds of thousands of dollars to overseas accounts, and withdrawing substantial amounts in cash and cashier’s checks,” the DoJ said, adding the scam targeted retired widows or widowers.
In one BEC case highlighted by the agency, a victim business was deceived into making a payment to the tune of “several hundreds of thousands of dollars” to what it believed was a “long-standing vendor.”
BEC attacks are typically executed by sending spear-phishing email messages that purport to be from a known source that has ongoing contracts with the targeted victims and asking them to transfer funds to a different account under the cybercriminals’ control.
Ogiekpolor’s sentencing follows the conviction of five of his co-conspirators, all of whom have been accused of conspiracy to commit money laundering and have since pleaded guilty to the crime.
“There is no way we can make the victims of Ogiekpolor and this network whole again, but we hope this sentence will at least give them solace that people are being held accountable,” said Keri Farley, special agent in charge of FBI Atlanta.
