FireSale HackBoy


Tuesday, May 31, 2022

Xiologix Wins an Award for Top Emerging Managed Security Services Company for 2022 by Cyber Security Review

TUALATIN, Ore.–(BUSINESS WIRE)–Xiologix is pleased to announce they were awarded a Top Emerging Managed Security Services Company in 2022 by Cyber Security Review. As a white-glove managed security service provider, they give their customers reliable IT services to meet their technological needs.

At Xiologix, their team provides customized business IT solutions to help companies remain compliant and protect their data from cybersecurity threats. Many companies take a reactive approach to cybersecurity and wait until an attack takes place to take action. However, Xiologix understands the importance of a proactive approach to cybersecurity. They build customized solutions to help every client achieve the best results for their IT needs.

Xiologix is proud to offer businesses of all sizes the IT solutions required to remain compliant with relevant regulations and protect their sensitive data for peace of mind. Their team is dedicated to helping clients find the best IT solutions to address their unique needs. Brian Page, CTO at Xiologix, states, “In terms of security, we can help with compliance requirements, Incident Response, monitoring, and detection response problems addressing ransomware and indicators of compromise. We’re constantly developing our professionals internally to address and be aligned with the entire industry, preparing us to support our clients during even their most dire situations.”

With this recognition from Cyber Security Review, businesses gain peace of mind in the services offered by Xiologix. They recognize the value of protecting sensitive information and maintaining compliance surrounding IT matters.

Anyone interested in learning about the award received can find out more by visiting the Xiologix website or calling 1-503-691-4364.

About Xiologix: Xiologix is a full-service business IT solutions provider offering customized services to meet each client’s unique needs. They work closely with clients to develop compliance solutions and provide cybersecurity to protect sensitive data. Their team serves as a trusted technology partner for their clients.

The post Xiologix Wins an Award for Top Emerging Managed Security Services Company for 2022 by Cyber Security Review appeared first on Cybersecurity Insiders.


June 01, 2022 at 09:08AM

Trellix Finds Workforce Shortage Impacts 85% of Organizations’ Cybersecurity Posture

SAN JOSE, Calif.–(BUSINESS WIRE)–Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), conducted new research into the talent shortage afflicting the cybersecurity industry. Among the key findings, 85% of those surveyed believe the workforce shortage is impacting their organizations’ abilities to secure increasingly complex information systems and networks. Of the current workforce, 30% plan to change professions in the future.

“Our industry is already 2.72 million people short [1]. Cultivating and nurturing a cybersecurity workforce for our future requires expanding who we view as talent and changing our practices across the public and private sectors,” said Bryan Palma, CEO of Trellix. “Closing the cybersecurity talent gap is not only a business imperative, but important to national security and our daily lives. We need to remove barriers to entry, actively work to inspire people to do soulful work and ensure those in the field are retained.”

The findings are based on a Vanson Bourne survey, commissioned by Trellix, of 1,000 cybersecurity professionals in Australia, Brazil, Canada, France, Germany, India, Japan, the U.K. and the U.S. across a variety of sectors.

More Education is Needed. As threats from nation-state actors and cybercriminals grow in volume and sophistication, the worldwide shortage of cybersecurity professionals grows as well. While some countries like Russia and China invest deeply in nurturing cybersecurity talent through state-funded education, many nations are without dedicated programs. Trellix sought to understand education levels and found over half (56%) believe that degrees aren’t needed for a successful career in cybersecurity. The survey also found:

  • Support for development of skills (85%) and the pursuit of certifications (80%) were selected as highly or extremely important factors for the industry to expand the workforce.
  • Employers could be doing more to encourage community mentoring programs with a presence in K-12 schools (94%).
  • Areas most likely to attract people to cybersecurity included efforts to promote the soulfulness of cybersecurity careers (43%), encouragement of STEM students considering cybersecurity careers (41%), and more financial support for students in cybersecurity career paths (39%).

Diversity Drives Better Outcomes. Of the cybersecurity professionals surveyed, 78% are male, 64% white and 89% straight, and a large majority of respondents (91%) believe there needs to be wider efforts to grow the cybersecurity talent pool from diverse groups. When it comes to encouraging more people to consider a career in cybersecurity, respondents reported inclusivity and equality for women (79%), diversity of the cybersecurity workforce (77%) and pay gaps between different demographic groups (72%) as highly or extremely important factors for the industry to address. Additional findings include:

  • Most respondents (92%) believe greater mentorship, internships, and apprenticeships would support participation of workers from diverse backgrounds in cybersecurity roles.
  • 85% believe individuals are discouraged from entering the profession simply because they lack perspective into the field’s various potential roles and opportunities for upward mobility.
  • 94% of those surveyed believe their employers could be doing more to consider employees from non-traditional cybersecurity backgrounds and 45% report having previously worked in other careers.

Cybersecurity is Soulful Work. The survey found the vast majority (94%) believe the role of those working in cybersecurity is greater now than ever before, and a similar share (92%) report cybersecurity as purposeful, soulful work that motivates them. However, cybersecurity professionals are hungry for recognition, with 36% noting they feel a lack of acknowledgement for the good done for society. Of those looking to leave the field, 12% say it is due to not feeling appreciated. The survey discovered:

  • More than half (52%) report working within cybersecurity because it’s progressive, evolving and they enjoy exploring challenging new trends.
  • 41% cite cybersecurity’s continuously growing relevance, and the assurance that roles will always be available, as a reason for staying in the profession.
  • Around one in five (19%) note they value doing something to help society for the greater good.

On Tuesday, June 7, Trellix CEO Bryan Palma will deliver a keynote, “Soulless to Soulful: Security’s Chance to Save Tech,” at the RSA® Conference in San Francisco, Calif. Palma will address the growing cybersecurity talent gap while providing recommendations to build a larger, stronger cybersecurity workforce. RSA® Conference attendees can attend the address at 10:50 a.m. PDT at the Moscone Convention Center West Hall; others can view it virtually or on demand.

Additional Resources

  1. (ISC)² Cybersecurity Workforce Study, 2021

About Trellix

Trellix is a global company redefining the future of cybersecurity. The company’s open and native extended detection and response (XDR) platform helps organizations confronted by today’s most advanced threats gain confidence in the protection and resilience of their operations. Trellix’s security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to empower over 40,000 business and government customers. More at https://trellix.com.

About Vanson Bourne

Vanson Bourne is an independent specialist in market research for the technology sector. Their reputation for robust and credible research-based analysis is founded upon rigorous research principles and their ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets.

For more information, visit www.vansonbourne.com.

The post Trellix Finds Workforce Shortage Impacts 85% of Organizations’ Cybersecurity Posture appeared first on Cybersecurity Insiders.


June 01, 2022 at 09:08AM

Italy on high alert as Russian Killnet group starts Cyber Attacks

Italy has placed all its critical infrastructure on high alert as it faces a cyber threat from the pro-Russian hacking group Killnet. Information is out that the group of cybercriminals has already hit the infrastructure with digital assaults that have been neutralized by Italy’s Computer Security Incident Response Team (CSIRT).

However, the attacks are growing in intensity and sophistication, so CSIRT has asked all public and private entities to increase vigilance over their digital infrastructure.

About 3,000 attacks were launched on the infrastructure between May 11 and May 21, including the attack on the voting system of the Eurovision Song Contest, which Ukraine won on a high note.

Meanwhile, the Anonymous hacking group has officially announced that it has started a cyberwar on Killnet infrastructure via DDoS attacks and will try to uproot it. And to a certain extent, the organization has succeeded in doing so.

However, Kremlin-backed Killnet remains adamant about targeting the infrastructure of Ukraine and is also taking down infrastructure in countries that are supporting Zelensky by offering essentials, artillery, and finances.

NOTE: Anonymous has also warned the Chinese government against launching any kind of war on Taiwan. The hacking group claims to have full control over the nuclear power stations operating in the Republic of China and can trigger devastation in no time.


The post Italy on high alert as Russian Killnet group starts Cyber Attacks appeared first on Cybersecurity Insiders.


May 31, 2022 at 08:40PM

CLOP Ransomware targets 21 victims in a single month

The CLOP ransomware gang has targeted over 21 organizations from March to April this year, and the number might increase as time progresses. According to a survey conducted by NCC Group, CLOP returned in February this year from a hiatus of almost 16 months and is now going only after the industrial sector.

CLOP has been seen infecting mostly firms operating in the industrial sector, mainly those partnering with US companies.

In June last year, CLOP gang members announced that they were shutting down their business as earnings from cyber attacks were decreasing drastically, thanks in large part to law enforcement agencies like CISA, the FBI, the NCSC and Europol. As the noose around those laundering cryptocurrency was tightened by agencies such as INTERPOL, it was getting difficult for the hackers to extract money from targets.

Recently, after the start of the war between Russia and Ukraine, six gang members belonging to CLOP were arrested by Ukrainian authorities after searches for them in various regions of Kyiv.

Intel 471 states that CLOP claimed approximately 7 victims in 2019, including Software Giant AG IT, ExecuPharm, Indiabulls, Maastricht University and Accellion software.

Britain has also tightened its noose around the necks of gangs spreading file encrypting malware and is using many techniques to block their earnings from various means.

Eventually, such steps have worked in favor of the Biden-led government, as many ransomware-spreading gangs such as CONTI have announced that they are leaving the business because of a significant drop in earnings.

CLOP went into hiatus until January this year and has probably regained strength after the start of Putin’s war with the Zelensky-led nation, as it appears to have resumed its notorious operations in March 2022.


The post CLOP Ransomware targets 21 victims in a single month appeared first on Cybersecurity Insiders.


May 31, 2022 at 09:37AM

US Universities credentials published on dark web

The Federal Bureau of Investigation, aka FBI, has issued a notification that student credentials from many renowned colleges and universities operating in the US were up for sale on the dark web and some public domains.

According to the report, the data was dumped in January 2022 on a Russian criminal forum and was being sold for a low four-figure sum in US dollars. While some email IDs ending with .edu were found on a public platform, about 36,000 email and password combinations were found being sold for $1,200.

It is unclear how many of those published credentials are still valid. However, the asking price was reportedly low, so those interested in buying were ready to grab them without checking the credibility of the leaked information.

Usually, such credentials are exploited by cyber criminals in credential stuffing campaigns to compromise the computer networks of universities and other educational institutes.

The FBI believes the criminals may have obtained the information through ransomware attacks, spear-phishing campaigns, and other cyber intrusion tactics.

Interestingly, the law enforcement agency is asking the IT heads of such institutes to maintain a strong relationship with their local FBI Field Office and to improve their current cybersecurity posture by taking proactive measures.

It is also asking them to keep their computer systems updated with the latest software, create awareness among employees about the current threats lurking in the cyber landscape, and train students and staff through phishing exercises from time to time, along with the habit of practicing strong password hygiene.


The post US Universities credentials published on dark web appeared first on Cybersecurity Insiders.


May 31, 2022 at 09:36AM

Monday, May 30, 2022

SentinelOne Global Culture Named To Leading Workplaces Lists

MOUNTAIN VIEW, Calif.–(BUSINESS WIRE)–SentinelOne (NYSE: S), an autonomous cybersecurity platform company, today announced the company has been recognized for its best-in-class global workplace culture, highlighting its commitment to maintaining a winning culture that’s rewarding and values-driven.

“As we work together to make the world a safer place, we are committed to creating an equitable and inclusive culture for our employees,” said Divya Ghatak, Chief People Officer, SentinelOne. “With flexible work schedules, unlimited time off and 16 weeks of paid parental leave to all parents, regardless of gender or sexual orientation, we are redefining what it means to enable employees to do their life’s best work.”

SentinelOne was named to Inc. Magazine’s 2022 Best Workplaces List, San Francisco Business Times and Silicon Valley Business Journal’s 2022 Bay Area Best Places to Work list, Great Place to Work’s UK’s Best Workplaces 2022 list, and Great Place to Work’s UK’s Best Workplaces for Wellbeing 2022 list.

  • Inc. Magazine’s 2022 Best Workplaces List features American companies that have excelled in creating exceptional workplaces and company culture. Honorees took part in an employee survey, conducted by Quantum Workplace, which included topics such as management effectiveness, perks, fostering employee growth, and overall company culture.
  • The 2022 Bay Area Best Places to Work presented by the San Francisco Business Times and the Silicon Valley Business Journal highlights Bay Area companies that have created exceptional workplaces that their employees value highly. Honorees rated highest on values including fun, collaborative culture, solid compensation and benefits offerings.
  • The UK’s Best Workplaces 2022 by Great Place to Work was determined through rigorous evaluations of hundreds of employee survey responses alongside Culture Audit™ submissions from leaders at each company. Great Place to Work then used these data insights to benchmark the effectiveness of companies’ employee value propositions against the culture their employees actually experience.
  • The UK’s Best Workplaces for Wellbeing 2022 by Great Place to Work rewarded companies praised for people’s holistic experiences of wellbeing at work. The list was determined based on a survey asking employees to comment on how their company supports their work-life balance, sense of fulfillment, job satisfaction, psychological safety and financial security.

For more information about SentinelOne’s workplace and career opportunities, visit www.sentinelone.com/careers.

About SentinelOne

SentinelOne’s cybersecurity solution encompasses AI-powered prevention, detection, response and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous platform.

The post SentinelOne Global Culture Named To Leading Workplaces Lists appeared first on Cybersecurity Insiders.


May 31, 2022 at 09:08AM

Security First Initiative Gaining Momentum

SALT LAKE CITY–(BUSINESS WIRE)–Following a successful launch of the Security First Initiative in March, Whistic is pleased to announce the addition of more companies adding weight to the movement to proactively share their security documentation using a Whistic Profile. Companies endorsing the Security First initiative now include Cloud Security Alliance, Drata, RiskRecon, RFPIO, Tevora and more.

Whistic and other leading technology companies formed the Security First Initiative in response to the growing number of third-party security incidents impacting businesses of all sizes, with the goal of proactively sharing security documentation including standard questionnaires, certifications, and audits. Founding members of the Security First Initiative include Okta, Airbnb, Zendesk, Asana, Atlassian, Notion, G2, TripActions, and Whistic.

“The desire for proactive vendor security is reaching a tipping point,” said Nick Sorensen, CEO at Whistic. “The threat of third-party security incidents isn’t going away any time soon, and a company’s security is only as strong as its weakest vendor. That’s why the collaborative approach to vendor security that’s baked into the Security First Initiative has resonated with so many companies and has helped this movement grow so quickly.”

To help companies meet this new Security First expectation, Whistic is offering vendors access to a free version of Whistic Profile, which includes the ability to proactively share their security information with their customers, streamlining and accelerating partner relationships and sales by eliminating the need to repeatedly complete security policy questionnaires.

Visit www.whistic.com/securityfirstinitiative to join the Security First Initiative and start building your Whistic Profile today.

Supporting Quotes

Drata

“At Drata, we are staunchly focused on easing the path to continuous compliance and guiding our customers with transparency. Joining the Security First Initiative furthers our ongoing commitment to building trust on the internet, starting with our own security posture.”

— Adam Markowitz, Cofounder and CEO of Drata

Cloud Security Alliance

“It’s no secret that the Cloud Security Alliance has always supported proactive vendor security. Through our STAR Registry, companies have been able to display security information to prospects and customers. Efforts like the Security First Initiative elevate proactive vendor security to another level, making it available to any business regardless of size or program maturity.”

— Jim Reavis, CEO, Cloud Security Alliance

RiskRecon

“RiskRecon’s longtime partnership with Whistic helps participants of Whistic’s Vendor Security Network accurately determine the risks associated with engaging with a particular vendor. RiskRecon applauds the guiding principles of Whistic’s Security First Initiative, and believes transparency helps drive the speed of business without compromising attention towards security.”

— Kelly White, Founder, RiskRecon, a Mastercard Company

Tevora

“As an organization that has helped small businesses, Fortune 500s, and state entities build and manage their third-party risk programs, Tevora can confidently say one of the biggest hurdles to developing an effective and secure third-party ecosystem is the lack of visibility into vendors’ security programs. We view the Security First Initiative as a much-needed investment that will allow organizations to fully realize the value proposition of vendors, without burdensome information chasing.”

— Jeremiah Sahlberg, Managing Director Third-Party Risk Management, Tevora

RFPIO

Through our partnership with Whistic, we make it easy for companies to complete Whistic Profile questionnaires. Whistic’s Security First Initiative is excellent and our decision to join the initiative further strengthens our partnership.

— Ganesh Shankar, Chief Executive Officer, RFPIO

About Whistic

Located in the heart of the Silicon Slopes in Utah, Whistic is the network for assessing, publishing, and sharing vendor security information. The Whistic Vendor Security Network accelerates the vendor assessment process by enabling businesses to access and evaluate a vendor’s Whistic Profile and create trusted connections that last well beyond the initial assessment. Make security your competitive advantage and join businesses like Airbnb, Okta, Betterment, and Atlassian who are leveraging Whistic to modernize their vendor security programs. For more information, visit Whistic.com.

The post Security First Initiative Gaining Momentum appeared first on Cybersecurity Insiders.


May 31, 2022 at 09:08AM

China monitors UK and US populace through AI Satellites and thousands of CCTV Cameras

Britain’s government received a red alert last week about the Chinese government monitoring the country’s populace through its AI satellites and thousands of CCTV cameras.

Fraser Sampson, the Commissioner for Biometrics and Surveillance Cameras, wrote a detailed report to Michael Gove, the Cabinet Minister, over the dominance of Chinese companies in the supply and deployment of surveillance equipment in Britain.

Mr. Sampson is extremely concerned about the dominance of two companies, Dahua and Hikvision, that have grabbed about 60% of the market share in Britain’s CCTV market.

As both companies are controlled by the Chinese Communist Party (CCP), Mr. Sampson is of the opinion that both firms have the potential to turn the tables at any time.

What’s concerning is that most of the cameras manufactured by these companies are installed at schools, NHS Trusts, army headquarters, and universities. And a third of them have backdoors that can be exploited to access images and data without the permission of the owner.

Estimates conducted by the UK-based privacy group Big Brother Watch suggest that Britain has about 164,000 Hikvision cameras installed in public places, while Dahua has its presence felt with over 14,000 cameras installed on-premises of various government bodies.

If this isn’t enough, China is also reportedly using the installed CCTV cameras for precision missile strikes. This is done by mapping the location of CCTV cameras with satellites and then using artificial intelligence to launch missile attacks guided by satellite data and CCTV camera coordinates.

IPVM, which maintains a huge repository of CCTV camera information, says that the Chinese People’s Liberation Army (PLA) has developed weapons that operate by integrating surveillance technology and can destroy targets when mapped through surface-to-air and surface-to-surface systems using both mobile and fixed launchers.

Hopefully, someone in the White House has noted these developments!


The post China monitors UK and US populace through AI Satellites and thousands of CCTV Cameras appeared first on Cybersecurity Insiders.


May 30, 2022 at 08:39PM

Hackers pay a $5000 monthly fee to gain fraudulent access to banking apps

A research group from ESET has discovered that cyber-crooks are paying a monthly fee of $5,000 to gain fraudulent access to 467 Android apps in order to steal banking-related details. Information is out that the campaign has been running for quite some time and aims to siphon cryptocurrencies along with fiat currency.

Dubbed ERMAC, the banking Trojan was first seen targeting Android users in Poland and has now slowly spread to New Zealand.

In parallel, Cyble researchers who studied the same campaign claim that the bad guys are paying a monthly rent ranging between $5,000 and $21,000 to target Android users, and, seeing the demand, the developers are about to release a new version of ERMAC that can spy on the device without being recognized by the detection servers of noted anti-malware solution providers.

Meanwhile, bug hunters working for the Microsoft 365 Defender Research Team have documented evidence that Android system apps carry high-severity vulnerabilities that allow hackers to install backdoors on Android devices.

Details provided to Cybersecurity Insiders show that the issue lies in the software provided to mobile carriers by Israel-based MCE Systems, and that a fix is already available which network admins must apply in the mobile framework.

The Redmond giant also added in its security disclosure that Google Play did not detect such vulnerabilities in apps until March this year. However, it started to red-flag such objects in April this year, thus defending its Android users from being infected by malware, trojans, and mobile ransomware.


The post Hackers pay a $5000 monthly fee to gain fraudulent access to banking apps appeared first on Cybersecurity Insiders.


May 30, 2022 at 09:57AM

Sunday, May 29, 2022

Britain hospitals to be cyber attacked by Russian Sleeper cells

Dr. Melanie Garson, an international security specialist working at University College London, expressed her deep concerns about national security while speaking to a news website.

She said that hospital infrastructure was on the verge of being cyber-attacked by Russian sleeper cells, whose aim is to disrupt the healthcare infrastructure and create panic among patients and their near and dear ones.

Melanie claims that a hacking group named Killnet, believed to be funded by the Kremlin, was threatening to hit ventilators operated by the NHS after the arrest of a cyber crook working for a pro-Russian hacking organization.

As the threat was posted on a Telegram group, Dr. Garson expressed further concern, as it was along the lines of the 2017 WannaCry ransomware attack that crippled the IT infrastructure of the NHS to the core.

In another story linked to a Russian hacking group named Coldriver, information is now out that the notorious group was involved in stealing email content pertaining to former MI6 Director Sir Richard Dearlove, Gisela Stuart, and Robert Tombs between August 2018 and July 2019.

According to an investigation by Reuters, Coldriver was the group behind the leak of Theresa May’s Brexit campaign in early 2020, officially known as the ‘Clean’ EU Exit deal. The group was assigned the job of tarnishing May’s image in political circles, which paved the way for the election of Boris Johnson.

Now, Coldriver is launching phishing attacks on Ukrainian officials to steal vital details related to the military help, financial help and essential supplies made to the Zelensky-led country by foreign nations.

Their aim is to obtain the data and publish it in the media to undermine the sympathy Ukraine has gained internationally since the Russian invasion.


The post Britain hospitals to be cyber attacked by Russian Sleeper cells appeared first on Cybersecurity Insiders.


May 30, 2022 at 09:55AM

Why Managed Detection and Response (MDR) is your most important security investment

Ed Williams, EMEA Director of SpiderLabs, Trustwave

After years of a severe skills drought, the availability of security professionals appears to be gradually improving. The global shortfall in security professionals dropped from 3.12 million to 2.72 million last year. However, although this is notable progress, it is not taking place fast enough. Cyberattacks have become highly intense in nature, as threat actors are constantly using new attack vectors and target mechanisms to carry out large-scale attacks.

To address this evolved intensity and pace of cybersecurity risks, organizations are choosing to invest in proactive solutions like managed detection and response (MDR). Gartner has predicted that nearly half of all organizations will be using MDR services by 2025. Vendors are also recognizing this trend and providing more defensive solutions rather than only offering reactive services like the investigation of automated alerts. As a result, the MDR services of today are much more extensive and dynamic than what had previously been available, which is why we believe MDR is one of the most sustainable security investments a business can make.

So, what should the key considerations be for security leaders when investing in MDR?

Conventional security solutions cannot provide a proactive response

Organizations today cannot solely rely on reactive response as an effective cybersecurity strategy, as aggressive attacks like ransomware, supply chain attacks, and malware injection can compromise valuable assets in a very short span of time. Reactive response means that organizations have already suffered some form of impact from the breach, which is not feasible for establishing a sustainable security infrastructure. Simply securing endpoints and putting up firewalls is not effective, as zero-day threats can slip under the radar and compromise the system before it is detected by endpoint solutions.

That’s why a proactive defense is the best way to respond to potential cyber risks. Organizations should be actively searching for threats, identifying vulnerabilities, monitoring risks, and responding quickly once a potential attack or risk has been identified. A proactive cyber defense structure should combine real-time risk monitoring with threat hunting and effective threat response. However, conventional technologies such as security information and event management (SIEM) and extended detection and response (XDR) are often missing these key elements.

These solutions can provide the data regarding threats and security investigations, but they require critical human intervention to be interpreted. More specifically, organizations need to recruit professional and highly skilled analysts to interpret the data provided by these conventional security technologies and take responsive actions. However, such human resources are not always available due to the ongoing skills shortage, even though this situation has improved of late. Moreover, conventional solutions like SIEM and XDR require significant organizational resources to be implemented, including extensive time, knowledge, and effort from the security teams. Even when a successful implementation has been achieved, organizations must continually train their security teams to maintain and configure the new systems.

Attaining MDR services can solve all these issues by improving upon XDR, SIEM, and other existing security solutions. Efficient MDR providers have a vault of skilled resources that can provide high-quality threat intelligence and round-the-clock risk monitoring services. MDR allows organizations to free up their resources, reduce the burden of in-house security teams and receive proactive support from experienced professionals who can bring out the best from existing security tools.

Key considerations when choosing an MDR vendor

While most MDR vendors offer a similar range of services, their detection and threat hunting methods differ substantially. Security leaders should look for vendors that provide human-led threat hunting and investigations, along with 24/7 monitoring and real-time analysis. MDR providers must also have the expertise and the capability to take remote containment actions immediately after a threat is detected.

Providers must be able to go beyond the endpoint, meaning that MDR should collect forensic data from all associated networks, clouds, email, and other parts of the IT infrastructure. Threat intelligence is a critical part of effective MDR services. Therefore, it is important to choose a supplier that has its own research department and expertise to draw from external intelligence. This will allow organizations always to remain a step ahead of their adversaries.

When choosing a provider, organizations must also understand how it conducts research and obtains threat intelligence. Can the provider monitor the dark web, reverse engineer malware, analyze the behavior of threat actors, and maintain deep visibility over open-source intelligence (OSINT) sources? These questions should guide the choice of an MDR vendor.

As previously emphasized, a vendor’s experience is critical. MDR providers are not just security suppliers to an organization, rather they are security partners. They must have a positive portfolio of providing proactive responses to cyber threats in an organizational or enterprise environment. Finally, the provider’s culture should align with the organization’s culture to enable a sustainable and long-term partnership.

If the attained MDR services are not aligned with the business needs and operations, it can have an adverse impact on financial and security resources. That’s why businesses should consider the discussed points when choosing an MDR vendor, as it will guide them towards making a positive security investment for the present as well as for the future.

Security investment becomes sustainable when it helps bolster the business’ overall resilience. Choosing the right MDR vendor can help businesses to achieve security sustainability and stronger cyber resilience. An efficient MDR vendor becomes the strategic partner of the business and helps the company build a security infrastructure that is always ready to detect and deter both internal and external threats. Effective MDR partners do not just improve the security capability of a company, but also shape its decision-making process and provide a strategic guidance for improving its overall security posture.

The post Why Managed Detection and Response (MDR) is your most important security investment appeared first on Cybersecurity Insiders.


May 30, 2022 at 04:47AM

The disruptive impact of EU digital ID wallets

By Lokke Moerel, Senior Of Counsel, Morrison & Foerster (Brussels)

Europe is one of the most digitalized societies in the world, and this has only been accelerated by the COVID‑19 pandemic. Within no time, people started working from home and children were being schooled online. According to a 2020 report by McKinsey, the pandemic accelerated digital adoption by seven years. However, as we become increasingly digitized, the vulnerabilities that come with the changes also increase.

2020 saw a 70% increase in internet-related crime, including COVID‑19 scams, and a 150% increase in ransomware attacks exploiting work-from-home technologies. The rapid shift away from physical transactions accelerated the demand for trusted digital identities and also triggered new demands such as cross-border use capabilities, use in the physical world, and privacy friendly features such as sharing only specific attributes and entitlements, like identifying as a pensioner or student, having a driver’s license, or being older than 18.

The European Commission has recognized the new demands and has proposed a modernized EU regulation for electronic identity, introducing digital ID wallets. Where media and commentators focus on changes required by the Digital Services Act and the Digital Markets Act, the new digital identity regulation will likely have the biggest impact on current digital business models. The European digital ID wallets will likely become a new intermediary function in the digital ecosystem and disrupt the gatekeeper function of current digital platforms as well as their ability to collect and combine data of their users.

European “single market for data”

The EU Strategy for Data aims to establish a European single market for data by opening up access to data assets and driving data sharing in open digital ecosystems across the entire European economy. The single market will also allow data to be exchanged across sectors in a way that fits European values of self-determination, privacy, transparency, security, and fair competition.

The centerpiece of the data strategy is the concept of European data spaces, which bring together the EU data of nine defined clusters of organizations with common interests (e.g., financial, health care, and government) so the scale of data required for AI-driven innovation for the clusters can be achieved. The design of the data spaces will be based on full interoperability of the data exchange infrastructure and data sovereignty, whereby users will be provided with the tools to make decisions about data sharing and access.

With these measures, the EU intends to flip the current digital business models. The parties that actually generate the data will regain control, so that the current digital platforms will no longer be able to lock their users’ data into their ecosystems. This strategy also fits the Data Governance Act, which opens up public data for innovation through independent intermediaries. Where data spaces require many-to-many interactions, digital identity solutions and consent dashboards will become an inherent part of the design of any data exchange.

EU digital ID wallets

The modernized framework for a European digital identity is based on self-sovereignty of European citizens. Member states will now have to offer citizens and businesses at least one digital ID wallet, which is stored as an app on smartphones and enables EU citizens to authenticate and access online services across the EU.

Digital ID wallets will be issued by a member state or by a private entity (after the wallet is certified by accredited bodies designated by the member state). The wallet will enable citizens to do more than simply prove their identity; it will also store proof of other personal attributes and credentials, such as education certificates, birth certificate, and bank cards, and further enable citizens to digitally sign documents with a qualified electronic signature (which is a higher level of identity proofing and security and is well suited for banking transactions).

This will be a big change. For example, when renting a car, individuals will be able to prove they have a driver’s license by sharing the attribute “in possession of a driver’s license” from their digital ID wallet without having to actually provide a physical copy of the license. At the moment, citizens still have to log in for each and every digital service with the vulnerable system of a user name combined with a password and manually enter and disclose their personal data. To simplify the login process, many websites currently offer individuals the option to authenticate their identities via their account credentials from one of the major digital platforms. This creates large concentrations of both business and personal data on these platforms, which has a direct impact on citizens’ privacy and digital sovereignty.
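The attribute-only sharing described above is usually built on a selective-disclosure credential. As an added example, not part of the article and not the scheme the regulation mandates, here is the mechanism in miniature: the issuer salts and hashes every claim and signs only the list of digests, the holder reveals the one claim it chooses together with its salt, and the relying party checks that the revealed claim hashes to a signed digest. An HMAC with a demo key stands in for the issuer’s qualified electronic signature; the claim names and values are made up.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical issuer key: stands in for the qualified electronic signature a
# real wallet issuer would use (an assumption for this example).
ISSUER_KEY = b"demo-issuer-key"


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim: SHA-256 over (salt, name, value)."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(claims: dict):
    """Issuer side: salt every claim, sign only the sorted list of digests.
    Returns (credential, disclosures); the disclosures stay with the holder."""
    disclosures = {n: (secrets.token_urlsafe(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = json.dumps({"digests": digests}, separators=(",", ":")).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential, disclosures, reveal):
    """Holder side: forward the signed credential plus only the chosen claims.
    The payload carries digests only, so unrevealed values never leave the wallet."""
    return {"credential": credential,
            "revealed": {n: disclosures[n] for n in reveal}}


def verify(presentation, issuer_key=ISSUER_KEY):
    """Relying party: check the signature, then that each revealed
    (salt, name, value) hashes to a committed digest. Returns the accepted
    claims, or None if anything fails."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    digests = set(json.loads(cred["payload"])["digests"])
    accepted = {}
    for name, (salt, value) in presentation["revealed"].items():
        if _digest(salt, name, value) not in digests:
            return None
        accepted[name] = value
    return accepted


if __name__ == "__main__":
    cred, disc = issue({"driving_licence": True,
                        "date_of_birth": "1990-01-01",
                        "name": "A. Citizen"})
    car_rental_sees = present(cred, disc, ["driving_licence"])
    print(verify(car_rental_sees))
```

The car rental company in the article’s example receives only the driving-licence claim and its salt; the signed payload it also receives contains hashes, not the date of birth or name, and a holder who alters a revealed value fails verification because the digest no longer matches.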

Under the new digital identity regulation, large digital platforms, as well as all service providers offering services that require strong customer authentication (SCA), will be required to accept digital ID wallets. The regulation further restricts the sharing of personal data to what is strictly necessary for the provision of the service, precludes the issuer of the wallet from collecting information on the use of the wallet, and prevents the issuer from combining personal data in the wallet with any other personal data in its possession, “unless the citizen expressly requested it.”

When data sharing across industries (“multi to multi markets” ) becomes the norm, digital ID wallets will become a new intermediary function in the ecosystem, potentially disrupting current platforms, as these platforms once did to others. Not surprisingly, some global technology companies are developing self-sovereign wallet functionality, which may well meet EU requirements. These wallets are expected to become their next big revenue source, even more so than their payment solutions.

Although the restrictions described above for issuers of wallets as to collection and combining of data may at face value seem detrimental to issuers’ digital business models, that is not actually the case. Where many market players have to accept the digital ID wallet for authentication, being the party offering the digital ID wallet actually creates a channel to request users’ consents in the first place and preserve customer contact strategy and relevance. Offering digital ID wallets then becomes a competitive advantage in and of itself.

The post The disruptive impact of EU digital ID wallets appeared first on Cybersecurity Insiders.


May 30, 2022 at 04:08AM

How DNS filtering can help protect your business from Cybersecurity threats

This blog was written by an independent guest blogger.

The Domain Name System (DNS) is the service that lets devices and applications find each other across the Internet. Managing your DNS is an essential part of your IT security infrastructure; when it is poorly managed, DNS becomes a large attack surface.

Nonetheless, when properly configured, DNS is a key line of defense against cyber threats for your organization. DNS filtering is an essential component of business cybersecurity. The best part about DNS filtering is that it is simple and effective to implement. Think of DNS filtering as another component in building a secure network. Implementing a DNS web filtering solution will protect your network in many different ways.

In this article, we’ll discuss how DNS systems work and how DNS filtering works. Then we’ll take a look at how DNS filtering can improve the security of your network. Finally, we’ll take a look at some of the other issues you might face with your DNS system.

DNS filtering to improve security

What is the Domain Name System (DNS)?

The Domain Name System, abbreviated DNS, maps human-readable domain names (the host part of a web address, such as www.att.com) to IP addresses, such as 192.168.1.1. DNS is useful because it allows you to reach services without memorizing IP addresses. If you’re old enough, you might remember memorizing all of your friends’ telephone numbers, but today most people don’t bother.

How does DNS work?

DNS works by taking the host name out of a web address and matching it to the right IP address.

  1. When you open a web browser (like Safari or Firefox), you typically type a web address, like www.att.com, into the address bar. The operating system’s stub resolver then sends a DNS query for that name to a configured DNS server called a recursive resolver (not a web server; it speaks the DNS protocol, normally on UDP or TCP port 53).
  2. The resolver first checks its own cache for a still-valid answer. On a cache miss it walks the DNS hierarchy, asking the root servers, then the top-level-domain (.com) servers, then the domain’s authoritative servers, until one returns the record.
  3. The resolver “resolves” the domain by sending a reply to the user’s machine with the correct IP address, along with a time-to-live (TTL) that says how long the answer may be cached.
  4. Finally, the user’s web browser contacts the server at that IP address to establish a connection and load the web page.

Why is DNS so important?

DNS is essential for reaching anything on the web: unless you have the IP addresses of all your favorite websites memorized, no web content loads before the resolution process completes. Almost every connection a user, or a piece of malware, makes therefore starts with a DNS lookup, which makes the resolver a choke point that sees the destination before any packet is sent to it. That is what makes DNS filtering a smart, effective way of enhancing security.

Furthermore, today web security is a top priority for businesses. This is because cybersecurity is no longer just an IT issue, but it’s a practical business issue as well.

How does DNS filtering work?

Because clients send their DNS queries to whichever resolver they are configured to use, that resolver can also act as a filter that blocks malicious activity. For instance, a specially configured DNS resolver can refuse to resolve queries for domains that appear on a private or publicly maintained blocklist (sometimes called a blacklist). The filter only sees queries that actually reach it, however: a client configured with a different resolver, or an application using its own DNS over HTTPS endpoint, bypasses it unless outbound DNS to other servers is blocked at the firewall.

Similarly, for even greater and enhanced security, DNS resolvers can also be configured to only permit access to the web through an allowlist (or whitelist). An allowlist is a list of websites that users are permitted to access. Any attempts to visit unauthorized websites will prevent the page from loading.

For example, imagine an employee browsing Facebook at work. The employee comes across a Facebook post with a link to win $1,000,000, so they never have to work again. When the employee clicks the link, the browser first sends a query for the link’s domain name to the DNS resolving service. The service compares that domain against its list of unapproved websites. If the domain is on the list, the DNS resolver refuses to resolve it and the page never loads.

As it turns out, in this scenario, the $1,000,000 prize was actually a phishing attempt, and the request is blocked. This is one way that you can configure DNS filtering services.
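As an added example (not code from the article or from any vendor), here is the decision step such a filtering resolver runs on every query, written against the raw DNS wire format described in the “How does DNS work?” section. It parses the question out of a query packet, matches the name against a blocklist or an allowlist (a listed domain also covers its subdomains), and for a blocked name builds the NXDOMAIN reply the client receives instead of an address. The domain names in the lists are made up for the example.

```python
import struct

# Constructed policy for the example (not from the article).
BLOCKLIST = {"phish-prize.example", "malware.example"}
ALLOWLIST = None  # set to a set of domains to switch to allowlist mode

RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (flags 0x0100: RD=1) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, end_offset) for the first question."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + length].decode("ascii").lower())
        off += length
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype, off + 4


def matches(qname, domains):
    """True if qname equals a listed domain or is a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def decide(qname, blocklist, allowlist=None):
    """Allowlist mode: only listed names pass. Blocklist mode: listed names fail."""
    if allowlist is not None:
        return "allow" if matches(qname, allowlist) else "block"
    return "block" if matches(qname, blocklist) else "forward"


def build_block_response(query: bytes, rcode: int = RCODE_NXDOMAIN) -> bytes:
    """Answer the query with an empty response: QR=1, RD=1, RA=1 plus rcode,
    echoing the transaction ID and question so the client accepts it."""
    txid, _qname, _qtype, qend = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)
    return header + query[12:qend]


def handle(query: bytes, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Filtering step run before recursion: ('block', response_bytes)
    or ('forward', qname) for the resolver to look up normally."""
    _, qname, _, _ = parse_question(query)
    if decide(qname, blocklist, allowlist) == "block":
        return "block", build_block_response(query)
    return "forward", qname


if __name__ == "__main__":
    for name in ("www.att.com", "login.phish-prize.example"):
        verdict, _ = handle(build_query(name))
        print(name, "->", verdict)
```

Two details matter in practice: names are compared case-insensitively after decoding, because attackers vary case freely, and a match on `phish-prize.example` must also catch `login.phish-prize.example` while leaving `notphish-prize.example` alone, which is why the suffix check includes the leading dot.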

Bring phishing attacks and inappropriate browsing to a halt

A blocklist isn’t just for stopping phishing attacks. A blocklist can list harmful domains and IP addresses that are curated by the cybersecurity community or are maintained by your own cybersecurity team. Consider joining OTX, the Open Threat Exchange, where you can stay up to date on the latest developments in emergent cybersecurity threats.

Some DNS filtering services also crawl and scan websites automatically for malicious code, with JavaScript the usual culprit on such sites. When malicious code is detected, the site’s domain and IP address are added to the blocklist without manual intervention.

As a plus, DNS filtering can also be used to block objectionable content. A common way this is done is by blocking adult content. Unsurprisingly, these websites frequently contain malware and cause other security concerns, so they are probably best blocked anyway. DNS filtering is often used in conjunction with a firewall to enhance security protections.

Block malware with secure DNS servers

Malware is software designed to steal information or take control of a user’s device. Using secure DNS servers is one way to enhance security and prevent malware from taking hold, and they can also improve the privacy of user data. Cloudflare, best known as a CDN and DNS provider, offers a public resolver at 1.1.1.1 that commits to deleting its query logs within 24 hours.

To increase security, enable the additional protections that go with DNS resolution. DNSSEC adds digital signatures to DNS records so that a validating resolver can verify that an answer really came from the zone’s operator and was not altered in transit. It authenticates data; it does not encrypt it.

Protocols like DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt the queries and replies between your clients and the resolver, so an on-path attacker can neither read which names your users look up nor inject forged answers on the wire. One caveat for a filtering deployment: because DoH looks like ordinary HTTPS, a browser pointed at a public DoH resolver bypasses your filter, so either disable built-in DoH by policy or make your own filtering resolver the DoH endpoint. Used together with threat monitoring and detection, these measures put your DNS layer on a much stronger footing.

Stop DNS spoofing

A final DNS threat to be aware of is DNS spoofing, of which cache poisoning is the best-known form. A resolver trusts the answers in its cache until their TTL expires and cannot tell on its own whether an address has changed since the entry was stored. If an attacker can get a forged answer accepted (for example by racing the legitimate response with a reply that carries the right transaction ID and source port), every client using that resolver is sent to the attacker’s server for as long as the poisoned entry lives.

DNS spoofing is carried out with tools such as Ettercap, dns2proxy, SSLStrip+, and others, typically from a position on the local network where the attacker can intercept or answer queries. In other cases the attacker already has a foothold on the user’s computer and simply changes where its lookups go: editing the hosts file, pointing the system at a rogue resolver, or altering cached entries.

A secure DNS service removes most of the room for forged answers: a validating resolver rejects records that fail DNSSEC checks, an encrypted transport keeps on-path attackers off the wire, and modern resolvers randomize source ports and transaction IDs to make blind poisoning impractical. Training users to recognize phishing attempts helps as well, since that is how the foothold on the endpoint is usually gained.

Use multiple forms of protection

DNS filtering is just one step in building a cybersecurity defense net. Cybersecurity is all about identifying potential threat vectors and eliminating them. Remember, there are plenty of other dangers to educate yourself about, from e-mail security to threats from hackers and malware. Grab AT&T’s latest cybersecurity insights report to learn more about the latest issues in cybersecurity.

Additional thought: try using tools such as GetWeave to find out what people are saying online about the security of your business.

The post How DNS filtering can help protect your business from Cybersecurity threats appeared first on Cybersecurity Insiders.


May 30, 2022 at 04:06AM

Saturday, May 28, 2022

Stories from the SOC – Persistent malware

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

One of the most prevalent threats today, facing organizations and individuals alike, is ransomware. In 2021, 37% of organizations said they were victims of some type of ransomware attack. Ransomware can render large amounts of important data inaccessible almost instantly, which makes reacting to potential ransomware events in a timely and accurate manner extremely important. An endpoint security tool is critical to help mitigate these threats. However, it is vital to maintain vigilance and situational awareness when addressing them, and not to rely solely on one piece of information when performing analysis.

The AT&T Managed Extended Detection and Response (MXDR) analyst team received an alarm stating SentinelOne had detected ransomware on a customer’s asset. The logs suggested the threat had been automatically quarantined, but further analysis suggested something more sinister was afoot. The same malicious executable had been detected on that asset twice before, both times reportedly being automatically quarantined. This type of persistent malware can be an indicator of a deeper infection such as a rootkit. After a more in-depth analysis and collaboration with the customer, the decision was made to quarantine and power off the asset, and replace the asset entirely due to this persistent malware.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial SentinelOne alarm alerted us to an executable ‘mssecsvc.exe’:


The name of the executable as well as the file path is cleverly crafted to imitate a legitimate Windows program.

Expanded investigation

Events search

Searching events for the file hash revealed it had been repeatedly detected on the same asset over the last 2 weeks. In each instance the event log reports the executable being automatically quarantined by SentinelOne.


Additionally, a search in USM Anywhere revealed two previous investigations opened for the same executable on the same asset. In both previous investigations the customer noted SentinelOne had automatically quarantined the file but did not take any further action regarding the asset.

Event deep dive

In the new instance of this alarm the event log reports SentinelOne successfully killed any processes associated with the executable and quarantined the file.


This may lead one to believe there is no longer a threat. But the persistent nature of this file raises more questions than the event log can answer.

Reviewing additional indicators

It is important not to rely on a single piece of information when assessing threats, and to go beyond what is contained in the logs we are given. Open-source threat intelligence strengthens the analysis and can confirm findings. VirusTotal confirmed that the file hash was deemed malicious by multiple other vendors.


The executable was also analyzed in JoeSandbox. This revealed that the file contained a device path for a binary string ‘FLASHPLAYERUPDATESERVICE.EXE’, which could be used for kernel mode communication, further hinting at a rootkit.


Response

Building the investigation

Despite the event log suggesting the threat had been automatically quarantined, the combination of the repeat occurrence and the findings on open-source threat intel platforms warranted raising an investigation to the customer. The customer was alerted to the additional findings, and it was recommended to remove the asset from the network.


The customer agreed with the initial analysis and suspected something more serious. The analysts then searched through the Deep Visibility logs from SentinelOne to determine the source of the mssecsvc.exe. Deep Visibility logs allow us to follow associated processes in a storyline order. In this case, it appears the ‘mssecsvc.exe’ originated from the same ‘FlashPlayerUpdateService.exe’ we saw in the JoeSandbox analysis. Deep Visibility also showed us that mssecsvc.exe had a Parent Process of wininit.exe, which was likely to be the source of persistence.
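The pattern the analysts followed, repeat detections of the same hash on the same host plus a parent process that should never launch an unknown binary, can be turned into a correlation rule so it fires without anyone having to remember to search past investigations. As an added example (not AT&T’s or SentinelOne’s code), here it is run over a handful of constructed events: the hashes, host names and timestamps are made up, and the table of children that wininit.exe is expected to start is an assumed baseline to tune per Windows build.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the spirit of the alarm above (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2022-05-10T08:02:11Z", "host": "WS-0417", "sha256": "aa11",
     "path": r"C:\Windows\mssecsvc.exe", "parent": "wininit.exe", "action": "quarantined"},
    {"ts": "2022-05-17T09:15:40Z", "host": "WS-0417", "sha256": "aa11",
     "path": r"C:\Windows\mssecsvc.exe", "parent": "wininit.exe", "action": "quarantined"},
    {"ts": "2022-05-24T07:58:03Z", "host": "WS-0417", "sha256": "aa11",
     "path": r"C:\Windows\mssecsvc.exe", "parent": "wininit.exe", "action": "quarantined"},
    {"ts": "2022-05-24T10:12:00Z", "host": "WS-0088", "sha256": "bb22",
     "path": r"C:\Users\j\Downloads\inv.exe", "parent": "explorer.exe", "action": "quarantined"},
]

# Parents that, on a healthy Windows host, start only a fixed set of system
# binaries. The child lists are an assumed baseline; tune them to your build.
SYSTEM_PARENTS = {"wininit.exe", "services.exe", "smss.exe", "csrss.exe"}
EXPECTED_CHILDREN = {
    "wininit.exe": {"services.exe", "lsass.exe", "lsaiso.exe", "fontdrvhost.exe"},
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def basename(path):
    """File name from a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def recurring_quarantines(events, window=timedelta(days=14), min_count=2):
    """(host, hash) pairs quarantined at least min_count times within the
    window ending at their latest detection, mapped to that count."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "quarantined":
            by_key[(e["host"], e["sha256"])].append(parse_ts(e["ts"]))
    hits = {}
    for key, times in by_key.items():
        latest = max(times)
        recent = [t for t in times if latest - t <= window]
        if len(recent) >= min_count:
            hits[key] = len(recent)
    return hits


def unexpected_system_child(e):
    """True when a system parent launched something outside its baseline."""
    parent = e["parent"].lower()
    return (parent in SYSTEM_PARENTS
            and basename(e["path"]) not in EXPECTED_CHILDREN.get(parent, set()))


def triage(events):
    """Escalate (host, hash) pairs that a single 'quarantined' line would hide.
    Returns {(host, sha256): [reasons]} for pairs with at least one reason."""
    findings = {}
    recurring = recurring_quarantines(events)
    for e in events:
        key = (e["host"], e["sha256"])
        reasons = findings.setdefault(key, set())
        if key in recurring:
            reasons.add(f"quarantined {recurring[key]}x in 14 days")
        if unexpected_system_child(e):
            reasons.add(f"{basename(e['path'])} spawned by {e['parent']}")
    return {k: sorted(v) for k, v in findings.items() if v}


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(reasons))
```

The single-detection download on WS-0088 stays below the threshold, while the asset from the investigation is escalated on two independent grounds, which is the point: the quarantine message alone is the same for both.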


Customer interaction

Another notable feature of USM Anywhere is the ability to take action from one centralized portal. As a result of the investigation, the analysts used the Advanced AlienApp for SentinelOne to place the asset in network quarantine mode and then power it off. An internal ticket was submitted by the customer to have the asset replaced entirely.

Limitations and opportunities

Limitations

A limiting factor for the SOC is our visibility into the customer's environment as well as what information we are presented in log data. The event logs associated with this alarm suggested there was no longer a threat, as it had been killed and quarantined by SentinelOne. Taking a single instance of information at face value could have led to further damage, both financially and reputationally. This investigation highlighted the importance of thinking outside the log, researching historical investigations, and combining multiple sources of information to improve our analysis.

The post Stories from the SOC – Persistent malware appeared first on Cybersecurity Insiders.


May 29, 2022 at 09:08AM

Calling All College Women: Exabeam Announces Third-annual Cybersecurity Scholarship Program

FOSTER CITY, Calif.–(BUSINESS WIRE)–Exabeam, the leader in Next-gen SIEM and XDR, today announced its third-annual Exabeam Cybersecurity Scholarship Program. This year’s program is sponsored by the Exabeam women’s organization, ExaGals, and designed to support two women who are currently enrolled in an undergraduate degree program studying cybersecurity, computer science, or a related field. The first-place winner will receive a $10,000 scholarship and a paid summer internship in the department of their choice at Exabeam, and the runner-up will receive a $5,000 scholarship.

The scholarship program also supports Exabeam’s value-based initiatives Exabeam Cares and the Exabeam CommUNITY Council, which invests in various philanthropic efforts focused on education, diversity, and inclusion.

“Women are still underrepresented in the cybersecurity workforce. Through our internal efforts, we see the benefits of increasing mentorship and growth opportunities for women and people of all backgrounds first hand. We want everyone to feel welcome in cybersecurity,” said Gianna Driver, chief human resources officer, Exabeam. “This year’s scholarship program helps raise awareness that there are numerous exciting jobs in cybersecurity. Currently in the U.S., 600,000 jobs go unfilled each year in our industry, which puts an alarming number of organizations at risk. Bottom line, we need more women to help defend US organizations that are increasingly susceptible to cyber attacks.”

Recent reports revealed women make up just 24% of the cybersecurity workforce. This gender gap and fear of not fitting in often rank as the most common reasons women do not pursue careers in cybersecurity. Exabeam hopes to decrease the gap by supporting the next generation of talent and this year, the company is honing in on giving women more exposure to the vast opportunities in cybersecurity.

To participate, applicants must submit academic transcripts along with a 5-minute video between May 26 and July 31, 2022. Instructions can be found on the scholarship web page.

The video should cover the following:

  • What inspired you to enter a submission for this scholarship?
  • What – or who – inspired you to pursue a career in cybersecurity?
  • Why is it important for the cybersecurity industry to recruit more women?
  • Describe any contributions you have made to cybersecurity or any field, i.e., volunteer work, personal stories, and any other relevant hobbies or extracurricular activities – and what they mean to you.
  • Tell us why you are the best candidate to receive this scholarship / remote internship.

Potential winners will be selected based on academic achievements, contributions, video clarity, and the response to Exabeam’s value-based questions.

The 2022 Exabeam Cybersecurity Scholarship Program is open to legal residents of the 50 United States and the District of Columbia who identify as a woman, are 16 years of age or older at the time of application and who are currently enrolled (or have been accepted to enroll) in an accredited post-secondary institution of higher learning (e.g., college or university) with a minimum 3.0 grade point average. To learn more, visit https://www.exabeam.com/scholarship/.

About Exabeam

Exabeam is a global cybersecurity leader that adds intelligence to every IT and security stack. The leader in Next-gen SIEM and XDR, Exabeam is reinventing the way security teams use analytics and automation to solve Threat Detection, Investigation, and Response (TDIR), from common security threats to the most critical that are difficult to identify. Exabeam offers a comprehensive cloud-delivered solution that leverages machine learning and automation using a prescriptive, outcomes-based approach to TDIR. We design and build products to help security teams detect external threats, compromised users and malicious adversaries, minimize false positives and best protect their organizations. For more information, visit www.exabeam.com.

Exabeam, the Exabeam logo, Exabeam Fusion, Smart Timelines, Security Operations Platform, and XDR Alliance are service marks, trademarks or registered marks of Exabeam, Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2022 Exabeam, Inc. All rights reserved.

The post Calling All College Women: Exabeam Announces Third-annual Cybersecurity Scholarship Program appeared first on Cybersecurity Insiders.


May 29, 2022 at 09:08AM

How to stay ahead of the Cybersecurity labor crisis and keep growing your business

This blog was written by an independent guest blogger.

Cybersecurity is a complex task that is never complete. It’s an ongoing proactive practice of securing, monitoring, and mitigating threats. It’s a constant cycle where threats and vulnerabilities are detected, teams investigate and mitigate any issues, then network cybersecurity systems are reinforced to combat the next potential threat. 

Business operations increasingly rely on numerous devices and digital tools to accomplish daily tasks. Laptops, smartphones, desktops, business applications, and software all handle sensitive data in an era of remote and hybrid working, and each of them has to be secured. In today’s world, business endpoint security is an absolute requirement to prevent costly breaches.

There’s no question that cybersecurity should be a number one focus for businesses that want to keep growing. But it’s challenging to improve and scale cybersecurity efforts in an environment that is constantly changing, with new threats and technologies constantly being developed. To make things worse, the cybersecurity labor crisis only intensifies. 

If your organization is struggling to maintain adequate cybersecurity personnel with the necessary knowledge and expertise to protect your organization’s most valuable assets, then look at these tips to help your company stay ahead of the cybersecurity labor crisis and keep growing your business. 

What is the cybersecurity labor crisis?

As the demand for cybersecurity services increases, the number of knowledgeable cybersecurity professionals looking for full-time employment dwindles. The US Bureau of Labor Statistics expects “IT security analyst” to be one of the top 10 fastest growing occupations over the next decade. Cybersecurity only accounts for 13% of the IT market overall, yet the amount of cybersecurity job postings is three times greater than other IT positions. 

2020 marked a significant shift as remote work became a reality in nearly every industry. This has led to increased cybersecurity needs as companies add numerous devices to their networks to accommodate remote workers. The result? Overworked technology professionals and IT teams. 

Despite the number of open cybersecurity positions, companies are having difficulty finding talent to fill in the gaps. Right now, it’s a workers’ game. Without adjusting to the needs of cybersecurity workers, businesses will be left without and could leave their networks vulnerable to damaging cyber-attacks. 

Tips to keep growing your business during the cybersecurity labor crisis

The past few years have pushed cybersecurity professionals to their limits. In one of the most in-demand industries, they experience heavy workloads, long hours, and limited flexibility. It’s no wonder that technology professionals are burning out and seeking work-from-home opportunities like freelancing, consulting, building their own small businesses, or working for competitors with a better offer. 

To overcome the cybersecurity labor shortage, companies must realign their business models to a customer-centric perspective. Instead of making business decisions purely for profits and productivity, companies should also improve their company cultures to enhance their employees' work experiences. Here are some tips to help you stay ahead of the cybersecurity labor shortage and attract top talent to your organization:

Update your benefits package

Arguably, the first thing businesses should do is update their benefits package. The values of workers have changed since the onset of the pandemic. Cybersecurity professionals now seek flexibility and remote working options that allow them to more efficiently manage their work-life balance. 

Recent surveys reveal the benefits that employees want the most: 

  • 95% want better health care benefits
  • 71% value retirement benefits
  • 50% need family leave benefits
  • 29% expect a more flexible work environment

Businesses should also take a look at their compensation and benefits packages. If your competitors offer the same salary with more time off, better 401(k) options, and six months of paid parental leave, you can guess where valued employees might end up. Adjust the salaries of your cybersecurity professionals to reflect the value they bring to your company and open up your company to a broader talent pool. 

Seek out diverse talent

Job experts say that there are plenty of opportunities to bring new talent to tech positions like cybersecurity. The best way to do that is through diversity. DE&I has been a hot topic for organizations in light of recent social movements calling for equality across people of different experiences, races, and genders. But committing to seeking out diverse talent is more than just the right thing to do. It can also be a smart business move for companies that want to grow during the cybersecurity labor shortage. 

Although gender equality in the workplace has come a long way since the 60s, when women couldn’t even open a bank account, only 25% of cybersecurity professionals are women in 2022. 

Even more shocking, only 3% of cybersecurity professionals are Black. Subconscious bias plays a big part in how recruiters evaluate potential candidates, so companies should work toward more equitable recruiting practices. 

Organizations should also look at the diversity represented across their existing teams. Look for crucial skills in historically underrepresented groups such as minorities and people with disabilities. And provide plenty of opportunities for training, advancement and high-level positions for people with diverse identities. 

Leverage third party monitoring and support

Another great way to continue scaling your business is to leverage technology. There are many different types of software and managed services that help businesses maintain their cybersecurity ecosystem without an in-house IT team or to help fill in talent gaps. Digital tools that utilize automation, machine learning, and AI can help reduce the number of tedious processes that workers have to devote time to so that they can focus on higher-value activities. 

A great example of an application that helps mitigate security risks through intuitive tools and automation is Visualping. Its website defacement monitoring tool makes it easy to track visual or code changes, as well as to monitor links and other sensitive elements on your organization’s website. Instead of cybersecurity personnel monitoring changes 24/7, this streamlined application lets teams receive security alerts through text, email, Slack, and more. 

Invest in professional development

While spending money is the last thing that business owners looking to scale want to do, it is often the best way to ensure that you have all the resources necessary to level up. And when it comes to personnel, your investment can mean the difference between growing or lagging. 

Companies should invest in their current employees just as much as (if not more than) acquiring new talent. By providing education and cross-training for roles in your organization, you can arm yourself against the cybersecurity labor shortage. Programs such as one-on-one coaching, in-house training, and shadowing help your current employees upskill while on the job. And you build a team of talented cybersecurity professionals. 

Professional development is a great way to retain employees and improve their skills simultaneously. Organizations should outline clear career paths for each role and offer competitive compensation to attract driven individuals that are eager to learn. This gives your workers a goal to work towards, as well as builds a sense of ownership and loyalty among employees. 

Partner with higher education

Another great way to stay ahead of the labor shortage and enhance your operations is to develop partnerships with higher education and other industry-related programs. Top companies know this secret to success and consistently offer funding and resources in exchange for a direct funnel into cybersecurity positions. Companies can offer internships, speak at industry events, and recruit at universities to find unique talent that can help scale your business. 

There are many ways that organizations can get involved in the education sector. Look at your competitors and discover the ways that they are encouraging young college students to look into the field of cybersecurity or how you can create a direct funnel of talented individuals to your organization. 

Final thoughts

The demand for, and the demands on, cybersecurity professionals have left workers burnt out, tired, and willing to leave their positions to seek out better opportunities on their own. Companies that want to keep growing their business face challenges as the cybersecurity workforce dwindles. According to a recent study, 57% of organizations feel the negative impacts of the cybersecurity labor shortage. To attract and retain knowledgeable cybersecurity professionals, companies need to develop new employment models that give workers what they need to be satisfied and successful. 

The post How to stay ahead of the Cybersecurity labor crisis and keep growing your business appeared first on Cybersecurity Insiders.


May 28, 2022 at 09:08PM

Meet “ZTNA Anywhere,” Powered by Genians #1 Proven NAC, at RSAC 2022

SAN JOSE, Calif.–(BUSINESS WIRE)–Genians, the industry pioneer in Zero Trust Network Access (ZTNA) solutions, will be exhibiting at the RSA Conference in San Francisco from June 6 through 9. Since 2005, Genians has simplified the complexity of traditional Network Access Control (NAC) features, then renovated its comprehensive enterprise-grade NAC solution to be delivered quickly to any size business by leveraging Cloud technology. In 2021, Genians introduced its industry-first Zero Trust NAC to establish a trusted path for secure access from endpoint to critical IT resources.

Now, team Genians has nicely reshaped its ZT-NAC technology with the newly-named Genian ZTNA to accelerate non-disruptive zero trust implementation, which can be applied seamlessly for remote workers, campus workers, campus devices, and cloud security groups alike. Genian ZTNA supports both endpoint-initiated and service-initiated ZTNA, delivered with both As-a-Service and Self-hosted options. Most importantly, Genian ZTNA can expedite a secure onboarding process for any type of network-enabled device at any location, anytime with a single touch. It also encompasses the following capabilities:

  • Device Platform Intelligence to cover IT, OT, IoT Protocols
  • Real-time Compliance and Risk Posture Measurement
  • Zero Trust Segmentation
  • Biometric (FIDO) Network Access Control
  • ARP, 802.1X (RADIUS), Cloud Gateway, Agent Enforcement
  • Actionable Compliance (PCI, HIPAA, NIST, ISO 27002)
  • Secure Remote Access Anytime, Anywhere
  • Application Visibility and Control
  • Security Service Edge (SSE)
  • White-labeled SASE Solution for MSSP

Over 2,400 organizations rely on Genians to secure their network connectivity. Now, you can be part of our successful journey. Seeing is believing. Come visit us to learn more (Booth #3333 @South hall) or visit www.genians.com to start a 30-day free trial right away. For existing customers, please contact your account manager to experience Genian ZTNA.

If you have not yet registered for RSAC 2022, please sign up here for free:

About Genians

Genians (KOSDAQ: 263860) provides a fundamental cybersecurity platform for building a trusted path to secure access for any connecting devices by leveraging its Device Platform Intelligence (DPI), Zero Trust Network Access (ZTNA), and Endpoint Detection and Response (EDR). Since 2005, the company has served more than 2,400 customers, in organizations of all sizes and industries, including global Fortune 500 companies, the government, the military, critical infrastructure, finance, healthcare, education, and more.

The post Meet “ZTNA Anywhere,” Powered by Genians #1 Proven NAC, at RSAC 2022 appeared first on Cybersecurity Insiders.


May 28, 2022 at 09:08PM

Friday, May 27, 2022

Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices

Executive summary

AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware base source code can now be found online on Github, making it widely accessible.

Key takeaways:

  • EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
  • The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
  • Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
  • The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec).

Background

First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.

According to the malware’s Github repository, EnemyBot combines source code from multiple botnets into a more powerful and adaptable malware. The original botnet code that EnemyBot builds on includes Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).

Figure 1. EnemyBot page on Github.

The Keksec threat group is reported to have formed back in 2016 from a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described the threat actor’s activity in detail in a presentation, attributing to Keksec the development of botnets for different platforms, including Windows and Linux:

  • Linux based botnets: Tsunami and Gafgyt
  • Windows based botnets: DarkIRC, DarkHTTP
  • Dual systems: Necro (developed in Python)

Source code analysis

The developer of the EnemyBot Github page describes themselves as a “full time malware dev” who is also available for contract work. The individual lists their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).

Figure 2. EnemyBot developer description.

The malware repository on Github contains four main sections:

cc7.py

This module is a Python script that downloads all dependencies and compiles the malware for different OS architectures, including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3).

Figure 3. Compiling malware source code to macOS executable.

Once compilation is complete, the script creates a shell script, ‘update.sh’, that the bot uses as a downloader; it is delivered to any identified vulnerable target to spread the malware.

Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.

enemy.c

This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports, mixing the botnet source code mentioned above (Mirai, Qbot, and Zbot) — mainly Mirai and Qbot (see figure 5).

Figure 5. EnemyBot source code.

hide.c

This module is compiled and run manually by the attacker to encode and decode the malware’s strings, hiding them in the binary. It uses a simple swap table in which each character is replaced with its counterpart in the table (see figure 6).

Figure 6. String decode.
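
The swap-table scheme described above is weak by design: the same table both encodes and decodes, so an analyst who recovers it from a sample can decode every string at once. The following Python is an added example, not the malware's hide.c; SWAP_PAIRS is a constructed table used only to demonstrate the mechanism, and ENCODED_SAMPLES were produced with it (they decode to two file names that appear in this report). Substituting the real table recovered from a binary is the only change needed to decode its strings.

```python
"""Encode/decode strings protected by a character swap table, the scheme the
report attributes to EnemyBot's hide.c.

Added example, not the malware's code. SWAP_PAIRS is a CONSTRUCTED table used
only to demonstrate the mechanism; an analyst who recovers the real table from
a sample substitutes it here and decodes the binary's strings with the same
function.
"""

# Constructed pairs: each character is exchanged with its partner in both directions.
SWAP_PAIRS = [
    ("a", "m"), ("b", "n"), ("c", "o"), ("d", "p"), ("e", "q"), ("f", "r"),
    ("g", "s"), ("h", "t"), ("i", "u"), ("j", "v"), ("k", "w"), ("l", "x"),
    ("y", "z"), ("/", "."), ("0", "5"), ("1", "6"), ("2", "7"), ("3", "8"),
    ("4", "9"),
]


def build_swap_table(pairs):
    """Expand (left, right) pairs into a symmetric lookup table.

    A character that appears twice is rejected: the table would no longer be
    its own inverse and decoding would become ambiguous.
    """
    table = {}
    for left, right in pairs:
        if left == right or left in table or right in table:
            raise ValueError(f"character reused in swap table: {left!r}/{right!r}")
        table[left] = right
        table[right] = left
    return table


def swap(text, table):
    """Apply the table; characters not in the table pass through unchanged,
    as they do in a table that only covers part of the alphabet."""
    return "".join(table.get(ch, ch) for ch in text)


def is_involution(table):
    """True when applying the table twice returns every character to itself,
    i.e. one function both encodes and decodes."""
    return all(table[table[ch]] == ch for ch in table)


def decode_strings(encoded, table):
    """Decode a list of encoded strings pulled from a sample (e.g. with `strings`)."""
    return [swap(s, table) for s in encoded]


# Constructed encoded strings produced with SWAP_PAIRS; they decode to
# "/proc/self/environ" and "update.sh", both mentioned in the report.
ENCODED_SAMPLES = [".dfco.gqxr.qbjufcb", "idpmhq/gt"]

if __name__ == "__main__":
    table = build_swap_table(SWAP_PAIRS)
    for plain in decode_strings(ENCODED_SAMPLES, table):
        print(plain)
```

Because the table is an involution, a single pass with `swap()` is both the encoder the attacker ran and the decoder the analyst needs; there is no key beyond the table itself, which is why strings hidden this way do not survive static analysis for long.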

servertor.c

This is the command-and-control (C&C) component, the botnet controller. It runs on a dedicated machine controlled by the attacker and sends commands to the infected machines (see figure 7).

Figure 7. C&C component.

New variant analysis

Most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.

Newer variants of EnemyBot add a webscan function containing a total of 24 exploits that target vulnerabilities in a range of devices and web servers (see figure 8).

Figure 8. EnemyBot calls for a new function “webscan_xywz”.

To do this, the malware scans random IP addresses; when a host answers with a SYN/ACK, EnemyBot probes it for vulnerabilities by running its exploits against the remote server.

The first exploit targets the Log4j vulnerabilities disclosed last year, CVE-2021-44228 and CVE-2021-45046:

Figure 9. Exploiting the Log4J vulnerability.

The malware can also adopt new vulnerabilities within days of their disclosure. Examples include Razer Sila (April 2022), which was published without a CVE (see figure 10), and a remote code execution (RCE) vulnerability in VMware Workspace ONE, CVE-2022-22954, the same month (see figure 11).

Figure 10. Exploiting vulnerability in Razer Sila.

Figure 11. Exploiting vulnerability in VMWare Workspace ONE.

EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).

Figure 12. EnemyBot targeting WordPress servers.

In the example shown in figure 12, notice that the malware escalates a local file inclusion (LFI) vulnerability into an RCE by injecting malicious code into ‘/proc/self/environ’. This method is not new; it was described in 2009. The malware uses the LFI to include ‘environ’ and passes the shell command in the User-Agent HTTP header.
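
The LFI-to-environ pattern leaves a recognisable footprint in web server access logs: a request whose include parameter traverses to /proc/self/environ, often with a PHP open tag in the User-Agent header. As an added defender-side example (not code from the Alien Labs report), the Python below parses Apache combined-format log lines and flags those traits. The log lines are constructed for the example; the `/index.php?page=` endpoint is hypothetical and is not the vulnerable path of any plugin named in the report.

```python
"""Flag web requests that try to turn a local file inclusion (LFI) into code
execution through /proc/self/environ, the pattern described above.

Added example, not code from the Alien Labs report. The log lines are
CONSTRUCTED in Apache combined-log format; the request paths and User-Agent
values are hypothetical.
"""
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign GET, an LFI attempt carrying a PHP tag in the
# User-Agent, a URL-encoded traversal attempt, and a benign POST.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2022:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/May/2022:10:00:04 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?php echo 'probe'; ?>"
203.0.113.9 - - [27/May/2022:10:00:09 +0000] "GET /index.php?page=%2e%2e/%2e%2e/%2e%2e/proc/self/environ HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2022:10:00:12 +0000] "POST /contact HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice: traversal sequences are sometimes double URL-encoded.
    rec["decoded_target"] = unquote(unquote(rec["target"]))
    return rec


def lfi_reasons(rec):
    """List the LFI-to-RCE traits present in one request (empty if none)."""
    reasons = []
    target = rec["decoded_target"].lower()
    if "/proc/self/environ" in target:
        reasons.append("proc-self-environ")
    if "../" in target or "..\\" in target:
        reasons.append("path-traversal")
    # Code placed in a request header is what /proc/self/environ would expose
    # to the vulnerable include; a PHP open tag there is never legitimate.
    if "<?" in rec["ua"]:
        reasons.append("php-tag-in-user-agent")
    return reasons


def scan_log(text):
    """Scan a whole log and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = lfi_reasons(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "target": rec["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["target"], ", ".join(finding["reasons"]))
```

On the application side the same class of bug is closed by never passing user input to `include`: resolve the parameter against an allowlist of page names, and set PHP's `open_basedir` so that an include cannot reach `/proc` even if the allowlist is bypassed.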

Another example of how the malware uses this method is shown in figure 13. In this example the malware is exploiting a vulnerability in DBLTek GoIP.

Figure 13. Executing shell command through LFI vulnerability in DBLTek.

If an Android device is connected through USB, or an Android emulator is running on the machine, EnemyBot will try to infect it by executing shell commands (see figure 14).

Figure 14. EnemyBot “adb_infect” function to attack Android devices.

After infection, EnemyBot waits for further commands from its C&C. In parallel, it continues to propagate by scanning for additional vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article). 

Command            Action
SH                 Execute shell command.
PING               Ping the server and wait for a command.
LDSERVER           Change the loader server for the payload.
TCPON              Turn on sniffer.
RSHELL             Create a reverse shell on the infected machine.
TCPOFF             Turn off sniffer.
UDP                Start UDP flood attack.
TCP                Start TCP flood attack.
HTTP               Start HTTP flood attack.
HOLD               Start TCP connection flooder.
TLS                Start TLS attack: start handshakes without closing the socket.
STD                Start non-spoofed UDP flooder.
DNS                Start DNS flooder.
SCANNER ON | OFF   Start/stop scanner: scan and infect vulnerable devices.
OVH                Start DDoS attack on OVH.
BLACKNURSE         Start ICMP flooder.
STOP               Stop ongoing attacks and kill child processes.
ARK                Start targeted attack on ARK: Survival Evolved video game servers.
ADNS               Receive target list from C&C and start DNS attack.
ASSDP              Start SSDP flood attack.

The table below lists the vulnerabilities EnemyBot currently exploits. As mentioned, some of them had not been assigned a CVE as of the publishing of this article.

CVE number                                   Affected device / vulnerability
CVE-2021-44228, CVE-2021-45046               Log4j RCE
CVE-2022-1388                                F5 BIG-IP RCE
No CVE (vulnerability published 2022-02)     Adobe ColdFusion 11 RCE
CVE-2020-7961                                Liferay Portal – Java unmarshalling via JSONWS RCE
No CVE (vulnerability published 2022-04)     PHP Scriptcase 9.7 RCE
CVE-2021-4039                                Zyxel NWA-1100-NH command injection
No CVE (vulnerability published 2022-04)     Razer Sila – command injection
CVE-2022-22947                               Spring Cloud Gateway – code injection vulnerability
CVE-2022-22954                               VMware Workspace ONE RCE
CVE-2021-36356, CVE-2021-35064               Kramer VIAware RCE
No CVE (vulnerability published 2022-03)     WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published 2022-02)     DBLTek GoIP LFI
No CVE (vulnerability published 2022-03)     WordPress Cab Fare Calculator plugin LFI
No CVE (vulnerability published 2022-03)     Archeevo 5.0 LFI
CVE-2018-16763                               Fuel CMS 1.4.1 RCE
CVE-2020-5902                                F5 BIG-IP RCE
No CVE (vulnerability published 2019)        ThinkPHP 5.x RCE
No CVE (vulnerability published 2017)        Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075                               TOTOLink A3000RU command injection vulnerability
CVE-2015-2051                                D-Link devices – HNAP SOAPAction header command injection vulnerability
CVE-2014-9118                                ZHOME < S3.0.501 RCE
CVE-2017-18368                               Zyxel P660HN – unauthenticated command injection
CVE-2020-17456                               Seowon SLR-120 router RCE
CVE-2018-10823                               D-Link DWR command injection in various models

Recommended actions

  1. Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
  2. Enable automatic updates to ensure your software has the latest security updates.
  3. Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.

Conclusion

Keksec’s EnemyBot appears to be just starting to spread; however, given the authors’ rapid updates, this botnet has the potential to become a major threat to IoT devices and web servers. The malware can adopt one-day vulnerabilities within days of a published proof of concept. This indicates that the Keksec group is well resourced and has built the malware to exploit vulnerabilities before they are patched, increasing the speed and scale at which it can spread.

Detection methods

The following associated detection methods are in use by Alien Labs. Readers can use them to tune or deploy detections in their own environments or to aid additional research.

SURICATA IDS SIGNATURES

Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715

4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)

4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)

4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)

2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)

2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)

2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)

2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)

2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (set)

2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947)

2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)

4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)

2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1

2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2

2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound

2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound

2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound

2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt

2024916: ET EXPLOIT Netgear DGN Remote Command Execution

2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound

2034576: ET EXPLOIT Netgear DGN Remote Code Execution

2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)

2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)

4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)

4002327: AV TROJAN Mirai faulty Zyxel exploit attempt

2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE

4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)

2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)

2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)

2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)


AGENT SIGNATURES

Java Process Spawning Scripting Process


Java Process Spawning WMIC

Java Process Spawning Scripting Process via Commandline (For Jenkins servers)

Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)

Suspicious command executed by a Java listening process (For Linux servers)

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note that the pulse may include other related activity that is outside the scope of this report.

Type         Indicator                                                          Description
IP address   80.94.92[.]38                                                      Malware C&C
SHA256       7c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6   Malware hash
SHA256       2abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5   Malware hash
SHA256       7785efeeb495ab10414e1f7e4850d248eddce6be91738d515e8b90d344ed820d   Malware hash
SHA256       8e711f38a80a396bd4dacef1dc9ff6c8e32b9b6d37075cea2bbef6973deb9e68   Malware hash
SHA256       31a9c513a5292912720a4bcc6bd4918fc7afcd4a0b60ef9822f5c7bd861c19b8   Malware hash
SHA256       139e1b14d3062881849eb2dcfe10b96ee3acdbd1387de82e73da7d3d921ed806   Malware hash
SHA256       4bd6e530db1c7ed7610398efa249f9c236d7863b40606d779519ac4ccb89767f   Malware hash
SHA256       7a2a5da50e87bb413375ecf12b0be71aea4e21120c0c2447d678ef73c88b3ba0   Malware hash
SHA256       ab203b50226f252c6b3ce2dd57b16c3a22033cd62a42076d09c9b104f67a3bc9   Malware hash
SHA256       70674c30ed3cf8fc1f8a2b9ecc2e15022f55ab9634d70ea3ba5e2e96cc1e00a0   Malware hash
SHA256       f4f9252eac23bbadcbd3cf1d1cada375cb839020ccb0a4e1c49c86a07ce40e1e   Malware hash
SHA256       6a7242683122a3d4507bb0f0b6e7abf8acef4b5ab8ecf11c4b0ebdbded83e7aa   Malware hash
SHA256       b63e841ded736bca23097e91f1f04d44a3f3fdd98878e9ef2a015a09950775c8   Malware hash
SHA256       4869c3d443bae76b20758f297eb3110e316396e17d95511483b99df5e7689fa0   Malware hash
SHA256       cdf2c0c68b5f8f20af448142fd89f5980c9570033fe2e9793a15fdfdadac1281   Malware hash

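Two of the behaviours this report describes show up in network connection logs: the random outbound scanning (many distinct destinations, most with no reply) that recommended action 3 above asks operators to monitor, and contact with the C&C address in the indicator list. The Python below is an added example covering both, not code from the Alien Labs report. The connection records are constructed in a Zeek-like conn.log layout (ts,src,dst,dport,proto,state, where state S0 is an attempt with no reply and SF a completed connection); the internal hosts, timestamps, destination addresses and the port used for the C&C line are invented, while the C&C address and the two hashes are the report's own, kept defanged as published.

```python
"""Spot EnemyBot-style outbound scanning and C&C contact in connection logs.

Added example, not code from the Alien Labs report. Records are CONSTRUCTED
in a Zeek-like conn.log layout; the C&C address and hashes are the report's
own indicators, the rest is invented for the example.
"""
import csv
import io
from collections import defaultdict

C2_INDICATORS = ["80.94.92[.]38"]           # from the report (defanged)
KNOWN_SAMPLE_HASHES = {                      # two SHA256 values from the report
    "7c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6",
    "2abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5",
}


def refang(ioc):
    """Turn a defanged indicator back into a value that matches log fields."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_ADDRESSES = {refang(i) for i in C2_INDICATORS}

# Constructed records: 10.0.0.5 sweeps port 80 across many hosts (S0 = no
# reply), one host answers (SF), then 10.0.0.5 calls the C&C address.
# 10.0.0.7 is ordinary traffic. The C&C port 443 is arbitrary for this example.
CONSTRUCTED_CONN_LOG = """\
ts,src,dst,dport,proto,state
1653700000,10.0.0.5,198.51.100.11,80,tcp,S0
1653700002,10.0.0.5,198.51.100.23,80,tcp,S0
1653700003,10.0.0.7,192.0.2.10,443,tcp,SF
1653700005,10.0.0.5,198.51.100.37,80,tcp,S0
1653700007,10.0.0.5,198.51.100.41,80,tcp,S0
1653700009,10.0.0.5,198.51.100.58,80,tcp,S0
1653700011,10.0.0.5,198.51.100.66,80,tcp,S0
1653700013,10.0.0.5,198.51.100.70,80,tcp,S0
1653700015,10.0.0.5,198.51.100.85,80,tcp,S0
1653700017,10.0.0.5,198.51.100.92,80,tcp,SF
1653700030,10.0.0.7,192.0.2.10,443,tcp,SF
1653700040,10.0.0.5,80.94.92.38,443,tcp,SF
"""

# Zeek conn states that mean the peer never completed the handshake.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def parse_conn_log(text):
    """Parse the CSV layout above into dicts with numeric ts and dport."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = int(r["ts"])
        r["dport"] = int(r["dport"])
    return rows


def detect_scanners(rows, min_targets=5, window=60):
    """Return {src: n} for sources that reached at least `min_targets` distinct
    destinations without a reply inside any `window`-second span.

    Random Internet scanning mostly hits hosts that do not answer, so counting
    only unanswered attempts keeps busy but legitimate clients out of the result.
    """
    attempts = defaultdict(list)
    for r in rows:
        if r["state"] in FAILED_STATES:
            attempts[r["src"]].append((r["ts"], r["dst"]))
    scanners = {}
    for src, events in attempts.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            in_window = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def detect_c2_contacts(rows):
    """Return (src, dst, dport) for every connection to a known C&C address."""
    return [(r["src"], r["dst"], r["dport"]) for r in rows if r["dst"] in C2_ADDRESSES]


def is_known_sample(sha256_hex):
    """Match a file hash (any case) against the report's sample hashes."""
    return sha256_hex.lower() in KNOWN_SAMPLE_HASHES


if __name__ == "__main__":
    rows = parse_conn_log(CONSTRUCTED_CONN_LOG)
    print("scanning hosts:", detect_scanners(rows))
    print("C&C contacts:", detect_c2_contacts(rows))
```

The scan heuristic keys on unanswered attempts rather than raw connection counts, which is what distinguishes a bot sweeping random addresses from a busy but legitimate client; the C&C match is an exact lookup, so the `refang()` step matters when indicators are copied straight from a report.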

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0001: Initial Access:
    • T1190: Exploit Public-Facing Application
  • TA0008: Lateral Movement:
    • T1210: Exploitation of Remote Services
    • T1021: Remote Services
  • TA0011: Command and Control:
    • T1132: Data Encoding
    • T1001: Data Obfuscation
    • T1090: Proxy:
      • T1090.003: Multi-hop Proxy

The post Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices appeared first on Cybersecurity Insiders.


May 28, 2022 at 09:08AM