FireSale HackBoy


Friday, June 30, 2023

Cybersecurity is not a tool or software piece; is a state of mind: Bridging the gap for career changers

Introduction

In recent years, the field of cybersecurity has witnessed a significant influx of professionals from non-Information Technology (IT) backgrounds who are making the leap into this dynamic industry. As a cybersecurity technical developer and instructor, I have had the privilege of delivering in-person and virtual training courses to many customers and of meeting numerous individuals seeking to transition into cybersecurity from diverse non-IT fields.

I can remember Cindy, a lawyer in a large firm, not really finding fulfillment after a “boring” eighteen months there. Also Ann, an actress with over 17 successful years of movie and theater experience, who wanted to get into the industry for a higher income to support her daughter. Then Richard, a radiologist tired of the customer abuse he was receiving and wanting more in life.

Everything starts with the right mindset at the onset; and not every career in cybersecurity is deeply technical.

Cybersecurity is a broad field and cybersecurity professionals may do their jobs in a variety of ways. This includes the following roles – keeping in mind that at least two of them are not 100% technical.

  • They can have roles that protect a company’s internal networks and data from outside threat actors as information security professionals.
  • They can have roles in risk management where they can confirm businesses take appropriate measures to protect against cybercrime.
  • They can have roles where they can confirm businesses comply with local, state, and federal cybersecurity and data protections laws.

Aside from being super solid on the OSI model, hands-on TCP/IP and networking skills, a couple of industry certifications, a drive to self-study, some basic coding and a couple of bootcamps, an aspiring cybersecurity professional must also consider the skills they already have. They bring things to the table from the fields they come from, which are useful, fully transferable and appreciated!

Sometimes as “seasoned professionals” we forget to investigate fresh ways to pivot in incident response (IR) scenarios for example.

Technical skills can, with some education, hands-on practice, and self-study, be mastered, but the main ones you will need for the transition are not going to be found in the classroom or on a computer screen. They come from the face-to-face interactions we have with friends, family, coworkers, and strangers. In other words, the soft skills: those skills that cannot be coded or productized but can certainly be monetized.

Transitioning from entertainment, law, health and many other industries to the cybersecurity field does bring valuable transferable skills. In this article I aim to explore the many valuable skills career changers bring to the table and highlight seven essential skills they must possess to successfully embark on this exciting and amazing journey.

Attention to detail:

Actors pay great attention to detail, focusing on nuances in dialogue, characterization, and stage directions. In cybersecurity, meticulousness is essential when reviewing code, identifying vulnerabilities, conducting security assessments, and analyzing logs. Ann’s ability to spot inconsistencies and pay attention to minute details can be valuable.

Radiology technicians work with complex medical imaging equipment, where precision and attention to detail are crucial. This skill translates well to the cybersecurity field, where professionals need to analyze large amounts of data, identify vulnerabilities, and detect potential threats with accuracy.

Lawyers pay great attention to detail when reviewing legal documents, contracts, and evidence. This attention to detail can be valuable in cybersecurity, where professionals must review policies, analyze security controls, and identify potential vulnerabilities. They can also contribute to ensuring cybersecurity practices align with legal and regulatory standards.

Communication and persuasion skills:

Radiology technicians often collaborate with radiologists, other healthcare professionals, and patients, conveying complex medical information effectively. This communication skill is essential in the cybersecurity field, where professionals need to explain technical concepts to non-technical stakeholders, present findings, and provide guidance on security measures.

As an actress, Ann has likely honed excellent verbal and nonverbal communication skills. This skill is crucial in cybersecurity, as professionals need to effectively convey complex technical concepts to non-technical stakeholders, write clear reports, and collaborate with team members.

Lawyers are skilled in written and oral communication, as they draft legal documents, argue cases, and negotiate on behalf of their clients. In cybersecurity, effective communication is vital for conveying complex technical concepts, presenting findings to stakeholders, and advocating for security measures. Cindy’s ability to articulate and persuade can be beneficial in this field.

Analytical thinking, research skills, and adaptability:

Lawyers are trained to analyze complex legal issues, conduct thorough research, and extract relevant information from vast amounts of data. These analytical and research skills can be applied to cybersecurity, where professionals need to investigate security incidents, analyze threats, and evaluate legal implications of cybersecurity practices.

Radiology technicians analyze and interpret medical images, looking for abnormalities and making diagnostic decisions. This analytical mindset is highly relevant in cybersecurity, where professionals need to assess and analyze complex systems, identify patterns, and evaluate potential risks and vulnerabilities.

Actors often face diverse roles and quickly adapt to different characters, settings, and situations. This adaptability translates well to the dynamic and ever-evolving nature of the cybersecurity field. The ability to learn and adapt to new technologies, methodologies, and threats is crucial for success.

Problem-solving and critical thinking:

Actors regularly encounter challenges during rehearsals and performances and need to find creative solutions. This skillset is valuable in cybersecurity, where professionals face intricate problems related to system vulnerabilities, breaches, and data protection. Ann can leverage her creative problem-solving abilities to analyze and mitigate risks effectively.

Lawyers are trained to identify and solve legal problems by applying critical thinking skills. This ability to assess situations, identify key issues, and propose logical solutions is valuable in the cybersecurity field, where professionals encounter complex technical challenges and need to mitigate security risks.

Radiology technicians often encounter challenges while operating imaging equipment, troubleshooting technical issues, or adapting to unique patient circumstances. This problem-solving ability is valuable in the cybersecurity field, where professionals face complex security issues, breaches, and emerging threats. Richard can leverage his experience to approach cybersecurity challenges systematically.

Compliance, legal, and regulatory knowledge:

In the healthcare field, radiology technicians must adhere to strict privacy and compliance regulations, such as HIPAA (Health Insurance Portability and Accountability Act). This familiarity with regulatory frameworks and data protection can be advantageous in the cybersecurity field, where professionals must navigate various compliance requirements, such as GDPR (General Data Protection Regulation) or PCI DSS (Payment Card Industry Data Security Standard).

With a background in law, Cindy possesses a strong understanding of legal frameworks, regulations, and compliance requirements. This knowledge is crucial in the cybersecurity field, where professionals must navigate various laws and regulations pertaining to data privacy, intellectual property, and cybersecurity standards.

In the entertainment industry, as an actress, Ann has encountered contracts and agreements throughout her career, such as talent contracts, license agreements, or production contracts. She may have developed an understanding of copyright laws, trademarks, intellectual property (IP) and trade secrets during her career. This knowledge can be valuable in cybersecurity where professionals need to safeguard sensitive information, protect proprietary systems, and ensure compliance with IP laws. In the same manner, she will have a solid understanding of the importance of data protection, confidentiality, and consent, when working with sensitive information in the cybersecurity field.

Ethical mindset and ethical hacking skills:

Integrity and an ethical mindset are fundamental prerequisites for success in the cybersecurity industry. Professionals in this field handle sensitive information and possess immense power to protect or exploit digital assets. Career changers should understand the ethical considerations surrounding cybersecurity and uphold the principles of integrity, confidentiality, and privacy.  

Additionally, possessing strong ethical hacking skills can be advantageous. Ethical hackers, known as penetration testers or white hat hackers, play a crucial role in identifying vulnerabilities within systems and networks, helping organizations fortify their defenses against malicious actors.

Teamwork and collaboration:

This is the one that is most transferable for all three “non-IT related” fields. Perhaps it’s time that we in cybersecurity put on our humble hats and accept our new brothers and sisters, in whom we will always find a plethora of unique experiences that are directly transferable and 1000% “IT Related”. Career changers can bridge the gap between technical and non-technical teams, fostering a more secure and productive environment.

Conclusion:

By honing their analytical abilities, career changers can excel in threat analysis, incident response, and vulnerability assessment—key areas in which cybersecurity professionals are in high demand.

As the cybersecurity industry continues to grow rapidly, individuals from non-IT backgrounds are increasingly venturing into this field. While career changers bring diverse perspectives, they must possess certain essential skills to thrive in the cybersecurity domain.

Adaptability, analytical thinking, communication and collaboration, and an ethical mindset, are crucial abilities that aspiring cybersecurity professionals must acquire. By embracing these skills, career changers can successfully transition into this exciting industry, contribute to the ever-expanding and cross-pollinated disciplines of the cybersecurity workforce, and help safeguard digital ecosystems against emerging threats.

The very last thing is job interview preparation, which goes without saying. Whether you are transferring internally to a cybersecurity position or coming in new, nailing the interview is paramount. The hard skills will get you the interview; the “soft” skills will get you the dream job of your future. Mastering the interview plays a huge role in getting hired, but that is a topic for another day.

We must act NOW and push for diversity, and ingrain it in our everyday life. If we hire people from diverse backgrounds, we gain the benefit of different viewpoints and different ways of thinking that we had not considered. This will enrich our work and make it possible to go to work and have fun while doing already challenging tasks.

The post Cybersecurity is not a tool or software piece; is a state of mind: Bridging the gap for career changers appeared first on Cybersecurity Insiders.


July 01, 2023 at 09:11AM

Turning fridges into SIM cards: An ecological SIM portfolio

This is equivalent to 20,000 tons of polymers – the weight of almost 2 Eiffel towers or 40 Airbus A380s at take-off.

Inevitably most of these SIM cards will end up as waste. However, there is another way. In this blog we’ll be looking at the efforts being made to make SIM cards greener.

Commitment to going green

At Thales we have an unrivalled, ecological SIM portfolio that is aimed at mobile operators looking for sustainable strategies to reduce the environmental impact of their SIM activity, while improving brand awareness in front of their end customers.

We have a long history in this area, so to recap some of our key milestones:

2009 – We measured our first global footprint in 2009, and as a result started engaging in different action plans to address our most important emissions sources.

2014 – In order to cut down on wastage we introduced the Half SIM Trio as early as 2014, but our best development was yet to come…

2020 – In 2020 we partnered with Veolia, the global leader in optimized resource management, to co-develop the world’s first EcoSIM. This venture resulted in the first eco-designed SIM card made from 100% post-consumer recycled plastic… from discarded fridges, to be exact.

Turning old fridges into new SIM cards  

After three years of joint development, Thales and Veolia mastered the process of turning polystyrene waste from these discarded fridges into pellets that are then used to manufacture the SIM card body.

This eco-designed product is part of an innovative offer (which includes the eco-friendly Eco Touch SIM packaging) for telecom operators looking for real sustainable strategies to reduce the impact of their SIM card activity.

So just how exactly does a fridge get turned into a SIM card? Watch here to find out:

Completing the offer with ecofriendly packaging

With more than 300 million packs delivered each year and more than 30 years of experience in the telecommunications sector as the world’s number one provider of SIM packaging, we’ve designed an ecofriendly packaging offer with:

  • Vegetal & water-based inks for safer products
  • Small and smart layouts to reduce paper consumption
  • Recycled papers to decrease waste and PEFC or FSC Certified papers to protect forests

EcoSIM, the world’s first certified carbon neutral SIM card

On top of the recycled card body itself, Thales commits to offsetting the carbon footprint of the other components of the SIM (such as the chip) in order to achieve a controlled environmental impact.

Our eco-designed SIM card is a CarbonNeutral® certified product in accordance with The CarbonNeutral Protocol – the global standard for carbon-neutral programs. The carbon footprint of each SIM has been calculated and offset through a program that supports impactful emission reduction projects – such as energy savings and renewable energy development in developing countries.

For this launch, Thales received a “Best Practice on Circular Economy” award from telecom operator sustainability association JAC, in recognition of our consistent approach to environmental impact reduction in products. The award covered everything from the recycled card body, half card, energy efficiency of sites, renewable electricity sourcing and carbon offset offer to the life cycle assessment tool used for the eco-design of the SIM products.

Increasingly, it’s important for companies to take a “Life Cycle” approach to product design.

What is “Life Cycle” thinking?

Life cycle thinking is a holistic approach to tackling the environmental impact of products beyond manufacturing. This style of thinking considers the processes involved in the use of a product from the point of its creation to the end of its useful life.

Here at Thales, we use this approach for the development of our eco-designed products: raw materials extraction, material processing, transportation, distribution, consumption, reuse/recycling, and disposal are all examined in order to minimize the carbon footprint. Thanks to our factories scattered around the world, we’re able to produce SIM cards as close as possible to our customers, keeping transport emissions to a minimum.

Want to hear more about our eco initiatives?

The post Turning fridges into SIM cards: An ecological SIM portfolio appeared first on Cybersecurity Insiders.


June 30, 2023 at 09:10PM

Top five things to do in Amsterdam

Amsterdam, the capital city of Netherlands, is renowned for its artistic heritage and vibrant culture. An amazing blend of old-world charm and contemporary culture, the city offers a plethora of activities for tourists. From history, to art, or dabbling in unique experiences, Amsterdam has something for everyone.

Every summer, the city plays host to Money 20/20, the largest global fintech event enabling payments and financial services for connected commerce. We’ll be there this year to talk about our key solutions that are designed to help financial institutions, fintechs, neo-banks, retailers, and cryptocurrency exchange platforms in their digital transformation.

If you’re heading to Amsterdam this year for the event, then don’t miss out on the opportunity to explore what the city has to offer outside the RAI Amsterdam.

We’ve compiled our top five must-see attractions:

1. Van Gogh Museum

Art lovers should make their way to the Van Gogh Museum, home to the world’s largest collection of works by the iconic Dutch painter, Vincent Van Gogh. The museum presents an impressive range of his paintings, drawings, and letters, allowing visitors to walk into the artist’s life and his profound influence on the art world. From the vibrant Sunflowers to the introspective self-portraits, each masterpiece offers a glimpse into Van Gogh’s unique artistic vision.

2. Anne Frank Museum

A museum dedicated to Jewish wartime diarist Anne Frank. The building is located on the Prinsengracht canal, close to the Westerkerk, in central Amsterdam. As a visitor, you experience this story through an audio tour, quotes, photos, videos, and original items. The Anne Frank House can only be visited with an online ticket for a specific date and time.

3. Vondelpark

Take the opportunity to escape the city and find a calming presence in the peaceful oasis of Vondelpark. This sprawling urban park is a favourite among locals and tourists, offering a serene setting for relaxation and recreation. Take a leisurely walk or rent a bicycle to explore the park’s lush greenery, beautiful ponds, and charming bridges. During the summer months, the open-air theatre hosts various cultural performances, making it a lively hub of entertainment.

4. Albert Cuyp Market

Immerse yourself in the lively atmosphere of the Albert Cuyp Market, Amsterdam’s largest street market. Located in the vibrant De Pijp neighbourhood, this bustling market has been a local favourite for over a century. Wander through the colourful stalls offering a diverse array of products, including fresh produce, flowers, clothing, and delicious street food. Indulge in traditional Dutch treats or sample international flavours from the multicultural food stands. The Albert Cuyp Market is a vibrant melting pot of cultures and a fantastic place to soak up the energetic spirit of Amsterdam.

5. Canal Tour

No visit to Amsterdam is complete without a leisurely cruise along its enchanting canals. Embark on a canal tour and witness the city’s stunning architecture, picturesque bridges, and charming houseboats from a unique perspective. Drift along the historic waterways, passing by iconic landmarks such as the Westerkerk and the Skinny Bridge, while learning about Amsterdam’s fascinating history. Whether you choose a guided tour or opt for a self-guided boat rental, the canal tour offers an unforgettable experience and showcases the best of the capital.

Visiting Money 20/20 this year? Pay us a visit in Hall 1, Stand D90, or click here to book a meeting with us.

The post Top five things to do in Amsterdam appeared first on Cybersecurity Insiders.


June 30, 2023 at 09:10PM

Thursday, June 29, 2023

NHS data breach after ransomware attack on University of Manchester

A ransomware attack on the University of Manchester (UoM) has led to a data breach affecting over a million NHS patients. The data includes the NHS numbers of those who received treatment, the first three letters of their postal codes, and records of patients injured in terror attacks and of those seeking treatment for major trauma.

The gathered data set was being used for research purposes by some students of the University, and unfortunately hackers accessed information from the data set, causing embarrassment to the staff of the educational institution.

It is unclear how the stolen information, which was being stored on backup servers, remained unencrypted.

However, some sources from the University of Manchester claim that the data stored on the machines was encrypted, but that the hackers managed to break the encryption and read and copy the data.

Prima facie, the cyber crooks managed to siphon about 250 gigabytes of data, and the stolen data includes information related to GP services as well.

UoM is not interested in revealing more details about the incident, but has contacted the ICO, the NCSC and the National Crime Agency to investigate the incident to the core.

Cyber crooks seem to be super interested in information related to finance, education and healthcare, as such data often sells like hot cakes on the dark web, provided it is raw and recent enough to still be useful.

NOTE – For the past two years, the NHS has constantly been hitting the news headlines for data breaches and its callousness in protecting the information of its patients and staff. Though the not-for-profit organization claims to have taken all proactive measures to safeguard the information of its users, it still seems to lack that seriousness in practice.

The post NHS data breach after ransomware attack on University of Manchester appeared first on Cybersecurity Insiders.


June 30, 2023 at 11:06AM

Blacktail: Unveiling the tactics of a notorious cybercrime group

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In recent months, a cybercrime group known as Blacktail has begun to make headlines as they continue to target organizations around the globe. The group was first spotted by the Unit 42 Team at Palo Alto Networks earlier this year. Since February, the group has launched multiple attacks based on their latest ransomware campaign labeled Buhti.

An interesting detail about the organization is that they do not make their own strains of malware. Rather, they opt to repurpose pre-existing strains to achieve their end goal of monetary gain. Two of the most popular tools that have been used by the cybercrime group are LockBit 3.0 for targets using Windows OS and Babuk for targets using Linux OS. Both LockBit 3.0 and Babuk are strains of ransomware that encrypt files on a victim’s machine and demand payment in exchange for decrypting the files. These tools allow Blacktail to operate using a RaaS (ransomware as a service) model which falls in line with their goal of monetary gain.

LockBit 3.0 is the latest version of the LockBit ransomware, which was developed by the LockBit group in early 2020. Since its launch it has been linked to over 1400 attacks worldwide, which has led to the group receiving over $75 million in payouts. This ransomware is most commonly distributed through phishing attacks, where the victim clicks on a link that starts the download process.

Babuk is a ransomware that was first discovered in early 2021. Since then, it has been responsible for many cyber-attacks that have been launched against devices using Linux OS. This strain of ransomware serves a similar purpose to Lockbit 3.0 and its main purpose is to compromise files on a victim’s machine and make them inaccessible until the ransom is paid.


Recently, this group has been seen leveraging two different exploits. The first is CVE-2023-27350 which allows attackers to bypass the authentication required to utilize the Papercut NG 22.05 on affected endpoints. They leverage this vulnerability to install programs such as Cobalt Strike, Meterpreter, Sliver, and ConnectWise. These tools are used to steal credentials and move laterally within the target network. The second vulnerability, CVE-2022-47986, which affects the IBM Aspera Faspex File Exchange system allows attackers to perform remote code execution on the target devices.

Blacktail represents a significant threat in the world of cybercrime, employing a wide range of sophisticated methods to attack its victims. From phishing and social engineering to ransomware campaigns and APT attacks, their tactics demonstrate a high level of expertise and organization. To counter such threats, individuals, businesses, and governments must prioritize cybersecurity measures, including robust firewalls, regular software updates, employee training, and incident response plans. The fight against cybercrime requires constant vigilance in order to stay one step ahead of the attackers.


The post Blacktail: Unveiling the tactics of a notorious cybercrime group appeared first on Cybersecurity Insiders.


June 30, 2023 at 09:10AM

Stories from the SOC: Fighting back against credential harvesting with ProofPoint

Executive summary

Credential harvesting is a technique that hackers use to gain unauthorized access to legitimate credentials using a variety of strategies, tactics, and techniques such as phishing and DNS poisoning. Phishing is the most frequent type of cyber threat and can lead to more harmful attacks such as ransomware and credential harvesting.

According to recent research, phishing assaults targeted credential harvesting in 71.5% of cases in 2020. 72% of employees admitted to clicking on a phishing email’s malicious link, making it easy for attackers to gather credentials.

Phishing is a type of social engineering attack that tricks victims into disclosing personal information or downloading malicious software. It is one of the most difficult cyber threats to eliminate as it relies on human defenses, and organizations must consistently teach personnel to spot the newest phishing techniques. 

The Managed Extended Detection and Response (MXDR) SOC team received an alert regarding a user clicking on a suspicious URL in an email and the subsequent traffic was allowed. However, ProofPoint effectively rewrote the URL to prevent some of the potential threats. The SOC team notified the customer about the successful phishing attack by creating an investigation report containing all the events between the attack and lockout.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The first alert was triggered when a user clicked on a link contained in a phishing email, which was permitted to pass through. The email’s content was crafted to deceive the user into divulging their login credentials. Because the link’s URL did not have a signature indicating a poor reputation on Open-Source Intelligence (OSINT), ProofPoint did not intercept the initial click.


Expanded investigation

Events search / Event deep dive

While investigating phishing cases, you must check all recipients who received the same phishing email, who clicked the attachment URL, and whether the firewall allowed the HTTP URL request or not. A review of the previous ninety days of events revealed there was one additional recipient; however, logs showed the email was quarantined after the user’s click. The first click on the malicious URL by the initial user was allowed. However, ProofPoint’s URL Defense feature conducted a heuristic, behavior-based analysis and determined the URL to be malicious. As a result, the second click by the initial user and any subsequent clicks by other users were effectively blocked by ProofPoint.
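The recipient-and-click review this step describes, as an added example that is not part of the original post: given message and click events, it lists every recipient of the message, who clicked, when the platform first acted on the URL, and which users had an allowed click before that verdict (the exposure window that ProofPoint’s rewrite-then-analyze approach leaves open). The event field names and sample events are constructed and are not ProofPoint’s real log schema.

```python
from collections import defaultdict

# Constructed lookalike sign-in page URL (not a real indicator from the post).
PHISH_URL = "https://login-verify.example.net/owa"

# Constructed sample events mirroring the case: two recipients of message m1,
# the first click allowed, every later click blocked, the second copy quarantined.
# Field names are an assumption, not a real ProofPoint schema.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T09:00:00Z", "event": "delivered", "msg_id": "m1",
     "recipient": "alice@example.com", "url": PHISH_URL},
    {"ts": "2023-06-01T09:00:01Z", "event": "delivered", "msg_id": "m1",
     "recipient": "bob@example.com", "url": PHISH_URL},
    {"ts": "2023-06-01T09:12:30Z", "event": "click", "msg_id": "m1",
     "recipient": "alice@example.com", "url": PHISH_URL, "action": "allowed"},
    {"ts": "2023-06-01T09:14:05Z", "event": "click", "msg_id": "m1",
     "recipient": "alice@example.com", "url": PHISH_URL, "action": "blocked"},
    {"ts": "2023-06-01T09:15:00Z", "event": "quarantined", "msg_id": "m1",
     "recipient": "bob@example.com", "url": PHISH_URL},
    {"ts": "2023-06-01T09:40:00Z", "event": "click", "msg_id": "m1",
     "recipient": "bob@example.com", "url": PHISH_URL, "action": "blocked"},
    # Unrelated message: must not leak into the triage of m1.
    {"ts": "2023-06-01T10:00:00Z", "event": "delivered", "msg_id": "m2",
     "recipient": "carol@example.com", "url": "https://intranet.example.com/news"},
]


def triage_message(events, msg_id):
    """Summarize exposure for one message id.

    Timestamps are ISO-8601 UTC strings of identical shape, so plain string
    comparison orders them correctly.
    """
    msg = sorted((e for e in events if e["msg_id"] == msg_id), key=lambda e: e["ts"])
    recipients = sorted({e["recipient"] for e in msg})

    clicks = defaultdict(list)  # recipient -> [(ts, action), ...]
    for e in msg:
        if e["event"] == "click":
            clicks[e["recipient"]].append((e["ts"], e["action"]))

    # Verdict time: first moment the platform acted on the URL, either by
    # blocking a click or quarantining a copy of the message.
    verdict_ts = min(
        (e["ts"] for e in msg
         if e["event"] == "quarantined"
         or (e["event"] == "click" and e["action"] == "blocked")),
        default=None,
    )

    # Exposed: an allowed click that landed before any verdict existed. These
    # users may have typed credentials into the page and need a reset + MFA.
    exposed = sorted(
        r for r, cs in clicks.items()
        if any(a == "allowed" and (verdict_ts is None or ts < verdict_ts) for ts, a in cs)
    )
    # Anomalies: an allowed click *after* the verdict would mean the block was
    # bypassed (e.g. a non-rewritten copy of the link) and deserves a closer look.
    anomalies = sorted(
        r for r, cs in clicks.items()
        if any(a == "allowed" and verdict_ts is not None and ts >= verdict_ts for ts, a in cs)
    )
    return {
        "recipients": recipients,
        "clicks": dict(clicks),
        "verdict_ts": verdict_ts,
        "exposed": exposed,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    result = triage_message(SAMPLE_EVENTS, "m1")
    for key, value in result.items():
        print(f"{key}: {value}")
```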


After conducting an OSINT analysis, it was determined that the sender’s email fails to pass DMARC (Domain Message Authentication Reporting and Conformance), and MX record authentication. This raises concerns regarding the legitimacy of the email. Also, OSINT searches indicate that both recipient emails have been compromised, though the exact time remains unknown.


DMARC is a protocol used to authenticate email and prevent phishing attacks by verifying the sender’s domain. It checks whether the domain authenticated by SPF or DKIM aligns with the domain in the email’s “From” header. If they do not align, the message fails DMARC and, according to the policy the domain owner publishes, can be rejected or marked as spam. MX records, on the other hand, are DNS records that specify the mail server responsible for accepting email messages on behalf of a domain. Attackers who can manipulate MX records can redirect email traffic to a fraudulent mail server and steal sensitive information. DMARC and MX records are therefore crucial in preventing phishing attacks: they ensure that email traffic is directed to legitimate mail servers and that the authenticity of email senders is verified.
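The DMARC check just described, as an added example that is not part of the original post: it parses a DMARC TXT record and decides whether the SPF- or DKIM-authenticated domain aligns with the “From” header domain, returning “pass” or the disposition the domain owner published. The record, domains and authentication results are constructed sample data, and the organizational-domain derivation is simplified to the last two labels instead of the Public Suffix List.

```python
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s; ...') into its tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= policy tag")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels.

    Assumption for this example only; production code must use the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str   # envelope MAIL FROM domain that SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str  # d= tag of a DKIM signature that verified


def evaluate_dmarc(from_header_domain: str, record: str, auth: AuthResults) -> str:
    """Return 'pass', or the owner's requested disposition (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(from_header_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_header_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # pct= sampling is ignored here; a full implementation applies p= to pct% of failures
    return tags["p"]


# Constructed sample record for the (fictional) protected domain example.com.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def demo() -> dict:
    """Three constructed cases: a legitimate relay, a spoof, and a strict-DKIM miss."""
    legit = AuthResults(True, "mail.example.com", False, "")
    spoof = AuthResults(True, "attacker-mailer.test", True, "attacker-mailer.test")
    strict_miss = AuthResults(False, "", True, "mail.example.com")
    return {
        "legitimate_relay": evaluate_dmarc("example.com", SAMPLE_RECORD, legit),
        "spoofed_from": evaluate_dmarc("example.com", SAMPLE_RECORD, spoof),
        "dkim_subdomain_strict": evaluate_dmarc("example.com", SAMPLE_RECORD, strict_miss),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Note that the spoof case passes SPF and DKIM for the attacker's own domain and still fails, which is exactly the alignment check that a plain SPF or DKIM pass does not give you.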


Further investigation into the email’s URL using tools such as Urlscan.io and screenshotmachine.com identified it as malicious, attempting to harvest the user’s Outlook credentials. However, the attachment’s file hash has no OSINT record, which makes it impossible to determine through static analysis alone whether the file attachment poses a threat. Therefore, the file should be identified by analyzing it in a full sandbox analysis.


A sandbox is a controlled environment used to test software and applications without affecting the host system. Sandboxing is important because it helps to identify and mitigate potential security vulnerabilities, viruses, and malware. It also minimizes the risk of damage to the production system by limiting the impact of potential threats to the sandbox, providing an extra layer of security against malicious activity.

Reviewing for additional indicators

At this point, the attacker tried to gain “Initial Access” (tactic) into the network by using the “Phishing” technique, as defined in the MITRE ATT&CK framework.

During the initial access phase of a cyberattack, attackers use techniques like exploiting vulnerabilities or phishing to gain their first foothold in a network. This foothold then enables them to conduct further attacks. To prevent this, organizations should have a robust defense strategy and perform regular security assessments.


ProofPoint approach

ProofPoint’s URL Defense feature works to protect users from malicious links. This feature uses a two-step approach to ensure maximum protection.

Firstly, if a URL doesn’t have any known malicious signatures, ProofPoint’s URL Defense feature allows the user to click on it using a “URL rewritten” feature. This feature prevents many types of malicious activity, but it’s important to note that until ProofPoint’s heuristic-based analysis determines whether the URL has any potentially malicious behavior, the user may be vulnerable to credential loss if they share their credentials.

Once the user clicks on a URL, ProofPoint’s system analyzes the destination website to identify any potential signs of malicious behavior. If any suspicious activity is detected, access to the website is blocked, and a warning message is displayed to the user. However, if the system doesn’t detect any malicious behavior, the user is able to proceed to the destination website.


It’s important to note that ProofPoint’s URL Defense feature provides significant protection against malicious links, but it may not be able to detect every instance of phishing or malware-based attacks. Therefore, users should remain vigilant when clicking on links in emails and take additional security measures such as multi-factor authentication and employee training to help mitigate the risk of credential loss.

Response

Building the investigation

An investigation was created by following the incident response process. The investigation included identifying the incident, finding its root cause, and collecting indicators of compromise. We then made recommendations to the customer on mitigation/remediation steps and communicated with the customer to ensure the necessary actions were executed.

Recommended mitigation steps were:

  • Resetting the account password to a stronger one
  • Removing the email and email attachments
  • Enabling Multi-Factor Authentication (MFA)
  • Blocking the URL domain and IP
  • Running an antivirus scan on the asset

Incident response is an organizational approach and process to manage cybersecurity breaches, incidents, or cyberattacks. It includes multiple steps:

  • Identifying an incident/attack
  • Minimizing damage
  • Eradicating the root cause
  • Minimizing recovery cost and time
  • Learning lessons from the incident
  • Taking preventative action

Customer interaction

The MXDR team responded quickly to the incident and worked with the customer to identify the problem. They confirmed that someone lost their account credentials, but fortunately, no suspicious logins were detected before the account was disabled. The company confirmed they followed the recommended steps, so the email and attachments were quarantined, the URL blocked, and the affected device was scanned by antivirus.

The post Stories from the SOC: Fighting back against credential harvesting with ProofPoint appeared first on Cybersecurity Insiders.


June 29, 2023 at 09:11PM

Paracetamol maker Granules India hit by ransomware attack

Granules, the Indian Pharmaceutical company that manufactures Paracetamol has released an official statement that a ransomware attack that targeted its servers last month has resulted in substantial loss of revenue and profitability.

As per the details available to Cybersecurity Insiders, a noted ransomware group targeted the drug maker on May 25th, and the information security incident brought in a financial loss that could hit the profit margin to a great extent this year.

Currently, production of the drugs is slow; however, the IT staff have restored production to normal to a great extent and are sure that the dispatching of stock will return to normalcy by early next week.

Granules India has made an official statement that it did not pay any ransom to the criminals and instead recovered the encrypted data through a backup plan.

NOTE- Cyber criminals engaged in malware spreading are using double extortion tactics, where they first steal a portion of the data and then threaten to encrypt the entire database until a ransom is paid. If the victim fails to pay the ransom on time or doesn’t pay heed to the demand, they sell the stolen data for monetary gain. The FBI released a press statement in November 2020 advising that victims should not pay the ransom, as it not only encourages crime but also doesn’t guarantee a decryption key. There is also an apparent threat that the ransomware gang can target the same victim twice or thrice in the same year.

The post Paracetamol maker Granules India hit by ransomware attack appeared first on Cybersecurity Insiders.


June 29, 2023 at 08:29PM

Wednesday, June 28, 2023

Threat Hunt: KillNets DDoS HEAD Flood Attacks cc.py

Executive Summary

Killnet is a hacktivist group based in Russia that has been active since at least 2015. The group is known for launching DDoS attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.

Killnet has been linked to several high-profile attacks, including distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk’s Starlink satellite broadband service.

The motivations behind these attacks vary, but recently, they have primarily targeted those who are the most vocal supporters of Ukraine and its political agenda.

The aim of this threat hunt is to create a virtual attack environment that simulates Killnet’s tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.

The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The outcomes will also contain the pseudo and translated query logic in a format that can be utilized by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be employed to confirm the initial hypothesis generated.

Network Artifacts

To emulate the attack, cc.py was utilized to generate continuous HEAD requests against an Apache server; refer to Appendix A for further details. Once the attack was launched, the captured log traffic was examined, as shown in Figure 1 and Figure 2. Upon reviewing the HEAD HTTP traffic, it was discovered that a string of 11-12 digits consistently appeared after “HEAD /?”. This pattern will serve as the basis for our first hypothesis, as outlined in the next section.

Figure 3 also contains the Apache logs that were generated on the server as the attack script kept trying to access different files in the ‘/var/www/html/’ directory. The script iterates in a brute-force style until CPU resources are exhausted by sheer traffic volume.

Figure 1 – Wireshark – Dynamically Generated 11-12 Digits

Figure 2 – Wireshark – Forged Referrer & Anonymized IPs

Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts

Detection Guidance

Perl-compatible regular expressions can be used to leverage the context derived from the packet capture during threat analysis, as shown in Figure 1. This allows us to write Suricata/Snort rules that will match observed patterns in headers. Detections tend to scale better than hunt queries and can be applied strategically on a per-sensor basis. Specifically, the following rule will match any instance where an HTTP HEAD request containing 11-12 digits is captured by a network sensor on a forward-looking basis. This serves as our first hypothesis to identify the usage of DDoS HEAD floods:

alert tcp any any -> any any (msg:"Killnet cc.py DDoS HTTP HEAD Flood"; content:"HEAD"; depth:4; content:" /?"; distance:0; content:" HTTP/1.1|0d0a|Host: "; distance:0; fast_pattern; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"|0d0a|Referer: https://"; distance:0; content:"|0d0a|Accept-Language: "; distance:0; content:"|0d0a|Accept-Charset: "; distance:0; content:"|0d0a|Connection: Keep-Alive|0d0a0d0a|"; distance:0; pcre:"/^HEAD\x20\/\?[0-9]{11,12}\x20HTTP/"; sid:10000001;)

Hypothesis #1

Hunting Process

The following is a Splunk hunt query that utilizes the Zeek/Bro dataset to identify “High connections from common source over a short amount of time”. The query breaks the time column (shown in Figure 2) into 1-second chunks. Once an appropriate threshold has been established, the “where count > 10” statement can be adjusted accordingly to search retroactively within the last 7 days from when the activity was first observed. This query serves as our second hypothesis to identify the usage of DDoS HEAD floods:

index=zeek sourcetype=zeek_conn | bucket span=1s ts | eval datetime=strftime(ts, "%Y-%m-%d %H:%M:%S") | stats count by datetime, id.orig_h | where count > 10 | rename datetime as "Date & Time", id.orig_h as "Attacker IP"

Hypothesis #2
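The two hypotheses above can be checked offline before they go onto a sensor or into Splunk. The following Python block is an added example (not code from the original post or from the cc.py project) that applies the same regular expression as the Snort/Suricata pcre option to HTTP request lines, and reproduces the logic of the Splunk hunt query (bucket into 1-second windows, count per source address, keep sources above a threshold) over a constructed Zeek conn.log in JSON-lines form. The log records and addresses are constructed sample data, not captured traffic; the field names mirror Zeek's conn.log (ts, id.orig_h).

```python
import json
import re
from collections import Counter

# Same pattern as the pcre option in the detection rule above:
# "HEAD", a space, "/?", 11 or 12 digits, a space, then "HTTP/".
HEAD_FLOOD_RE = re.compile(r"^HEAD\x20/\?[0-9]{11,12}\x20HTTP/")


def is_head_flood_request(request_line: str) -> bool:
    """True when an HTTP request line matches the cc.py HEAD-flood shape."""
    return HEAD_FLOOD_RE.match(request_line) is not None


# Constructed Zeek conn.log records (JSON lines). ts is epoch seconds,
# id.orig_h is the client address. Twelve connections from one source land
# in a single second; three from another source are spread over the same second.
SAMPLE_CONN_LOG = "\n".join(
    [json.dumps({"ts": 1687900000.0 + i * 0.05, "id.orig_h": "198.51.100.7",
                 "id.resp_h": "192.0.2.10", "id.resp_p": 80, "proto": "tcp"})
     for i in range(12)]
    + [json.dumps({"ts": 1687900000.3 + i * 0.2, "id.orig_h": "203.0.113.9",
                   "id.resp_h": "192.0.2.10", "id.resp_p": 80, "proto": "tcp"})
       for i in range(3)]
)


def hunt_high_connection_rate(conn_log: str, threshold: int = 10):
    """Offline equivalent of:
    bucket span=1s ts | stats count by bucket, id.orig_h | where count > threshold

    Returns a sorted list of (second_bucket, source_ip, count) tuples.
    """
    counts = Counter()
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        bucket = int(rec["ts"])          # truncate to a 1-second window
        counts[(bucket, rec["id.orig_h"])] += 1
    return sorted((b, ip, c) for (b, ip), c in counts.items() if c > threshold)


if __name__ == "__main__":
    print(is_head_flood_request("HEAD /?12345678901 HTTP/1.1"))   # matches
    print(is_head_flood_request("HEAD /index.html HTTP/1.1"))      # does not
    print(hunt_high_connection_rate(SAMPLE_CONN_LOG))
```

The threshold argument plays the role of the "where count > 10" clause in the query; tune it against a baseline of normal per-second connection counts for the server before relying on it, since a busy site behind a NAT can legitimately exceed ten connections per second from one address.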

Appendix A – Adversary Emulation

Cc.py is a Python tool publicly available on the internet that can be used for Layer 7 DDoS attacks. The tool, created by a student in 2020, uses various dynamic characteristics to launch DDoS attacks against web assets. The script automates the process of using open proxy servers to relay attacks while maintaining anonymity, which can render traditional IP-based blocking techniques ineffective.

Figure 4 depicts a Python function called “head” that performs an HTTP HEAD request to a target server. The function takes two arguments: “event” and “proxy type”. These arguments control the flow of the request and specify the type of open proxy to leverage. Additionally, the code concatenates the variables where the forged/randomized headers will be used.

Figure 4 – cc python script

To generate a dynamic list of compromised open proxies that will be used to relay attacks on behalf of the attacker, the following command is utilized:

python3 cc.py –down –f proxy.txt –v 5

Once the list is generated, the following command is used to launch an attack against a server running Apache web server within the attack range. The command specifies the use of the “head” module and sets the duration of the attack to 30 seconds. The “head” module floods the target server with continuous HTTP HEAD requests until it is knocked offline.

python3 cc.py –url http:// -f proxy.txt –m head –v 4 –s 30

Appendix B – IOCs

An OTX pulse was created listing the 12K+ indicators from this research.

https://otx.alienvault.com/pulse/642dd6df987a88229012d214

References

https://github.com/Leeon123/CC-attack

https://securityresearch.samadkhawaja.com/

The post Threat Hunt: KillNet’s DDoS HEAD Flood Attacks – cc.py appeared first on Cybersecurity Insiders.


June 29, 2023 at 09:09AM

Toward a more resilient SOC: the power of machine learning

A way to manage too much data

To protect the business, security teams need to be able to detect and respond to threats fast. The problem is the average organization generates massive amounts of data every day. Information floods into the Security Operations Center (SOC) from network tools, security tools, cloud services, threat intelligence feeds, and other sources. Reviewing and analyzing all this data in a reasonable amount of time has become a task that is well beyond the scope of human efforts.

AI-powered tools are changing the way security teams operate. Machine learning (which is a subset of artificial intelligence, or “AI”)—and in particular, machine learning-powered predictive analytics—are enhancing threat detection and response in the SOC by providing an automated way to quickly analyze and prioritize alerts.

Machine learning in threat detection

So, what is machine learning (ML)? In simple terms, it is a machine’s ability to automate a learning process so it can perform tasks or solve problems without specifically being told to do so. Or, as AI pioneer Arthur Samuel put it, “. . . to learn without explicitly being programmed.”

ML algorithms are fed large amounts of data that they parse and learn from so they can make informed predictions on outcomes in new data. Their predictions improve with “training”–the more data an ML algorithm is fed, the more it learns, and thus the more accurate its baseline models become.

While ML is used for various real-world purposes, one of its primary use cases in threat detection is to automate identification of anomalous behavior. The ML model categories most commonly used for these detections are:

Supervised models learn by example, applying knowledge gained from existing labeled datasets and desired outcomes to new data. For example, a supervised ML model can learn to recognize malware. It does this by analyzing data associated with known malware traffic to learn how it deviates from what is considered normal. It can then apply this knowledge to recognize the same patterns in new data.

Unsupervised models do not rely on labels but instead identify structure, relationships, and patterns in unlabeled datasets. They then use this knowledge to detect abnormalities or changes in behavior. For example: an unsupervised ML model can observe traffic on a network over a period of time, continuously learning (based on patterns in the data) what is “normal” behavior, and then investigating deviations, i.e., anomalous behavior.

Large language models (LLMs), such as ChatGPT, are a type of generative AI that use unsupervised learning. They train by ingesting massive amounts of unlabeled text data. Not only can LLMs analyze syntax to find connections and patterns between words, but they can also analyze semantics. This means they can understand context and interpret meaning in existing data in order to create new content.

Finally, reinforcement models, which more closely mimic human learning, are not given labeled inputs or outputs but instead learn and perfect strategies through trial and error. With ML, as with any data analysis tools, the accuracy of the output depends critically on the quality and breadth of the data set that is used as an input.


A valuable tool for the SOC

The SOC needs to be resilient in the face of an ever-changing threat landscape. Analysts have to be able to quickly understand which alerts to prioritize and which to ignore. Machine learning helps optimize security operations by making threat detection and response faster and more accurate.

ML-powered tools automate and improve the analysis of large amounts of event and incident data from multiple different sources in near real time. They identify patterns and anomalies in the data and then prioritize alerts for suspected threats or critical vulnerabilities that need patching. Analysts use this real-time intelligence to enhance their own insights and understand where they can scale their responses, or where there are time-sensitive detections they need to investigate.

Traditional threat detection methods, such as signature-based tools that alert on known bad traffic can be augmented with ML. By combining predictive analytics that alert based on behavioral anomalies with existing knowledge about bad traffic, ML helps to reduce false positives.

ML also helps make security operations more efficient by automating workflows for more routine security operations response. This frees the analyst from repetitive, manual, and time-consuming tasks and gives them time to focus on strategic initiatives.

New capabilities enhance threat intelligence in USM Anywhere

The USM Anywhere platform has long utilized both supervised and unsupervised machine learning models from AT&T Alien Labs and the AT&T Alien Labs Open Threat Exchange (OTX) for most of its curated threat intelligence. The Open Threat Exchange is among the largest threat intelligence sharing platforms in the world. Its more than 200,000 members contribute new intelligence to the platform on a daily basis.

Alien Labs uses ML models in several ways, including to automate the extraction of indicators of compromise (IOCs) from user threat intelligence submissions in the OTX and then enrich these IOCs with context, such as associated threat actors, threat campaigns, regions and industries being targeted, adversary infrastructure, and related malware.

The behind-the-scenes capabilities in USM Anywhere have been reinforced by new, high-value machine learning models to help security teams find today’s most prevalent threats.

These new models help the platform generate higher-confidence alerts with fewer false positives and provide advanced behavioral detections to facilitate more predictive identification of both insider and external threats. Its supervised models can identify and classify malware into clusters and families to predict behaviors. They can also detect obfuscated PowerShell commands, domain generation algorithms, and new command-and-control infrastructure.

Since the platform has an extensible architecture, new models can be introduced as the threat landscape dictates, and existing models can be continuously refined.

For more on how machine learning is transforming today’s SOC and to learn how the USM Anywhere platform’s own analytics capabilities have evolved, tune in to our webinar on June 28.

Register now!

The post Toward a more resilient SOC: the power of machine learning appeared first on Cybersecurity Insiders.


June 28, 2023 at 09:10PM

Venn Redefines Remote Work Security with Innovative BYO-PC Solution

When COVID-19 disrupted our work environments and triggered a massive shift to remote work, organizations faced the daunting task of securing corporate data and apps across thousands of disparate locations and devices.

Companies, employees, and IT departments were forced to quickly adapt to this new reality of a remote-first world. The issue was further exacerbated by traditional remote desktop solutions that proved inadequate for this new landscape. The blurring of personal and professional time, the rise of gig workers, offshore employees, and the need for businesses to secure this dynamic world of remote work, strained traditional remote desktop systems like Virtual Desktop Infrastructure (VDI) to their limits.

Traditional Remote Work Solutions Fall Short

Traditional VDI systems are ill-equipped to handle this shift, offering subpar user experiences due to latency, slowness and management overhead. Enterprise Browsers, although a more innovative solution, also have limitations around application use and network integration. Before Venn’s emergence, companies often resorted to shipping secure, corporate laptops to their remote employees or relied on complex, costly VDI technology to stay compliant with regulatory requirements. These solutions not only frustrate users but also fall short in terms of security, cost effectiveness and ease of use. This situation also leads to the security workaround paradox, where users, restricted by too many security constraints, seek alternate, less secure methods to get their work done. The urgent need for a better solution to secure remote work is evident.

A New Approach to Securing Remote Work

Recognizing the mounting issues associated with securing distributed workforces, David Matalon and his team at Venn Software sought to revolutionize remote work security. Having previously helped hundreds of organizations overcome compliance and security issues for remote workers, they understood the challenge at hand. With Matalon’s vision, the team started Venn, a radical and less costly alternative to VDI, and the first MDM (Mobile Device Management) solution for laptops. This vision resonated with investors, leading NewSpring Capital to support the product development and growth, resulting in a successful $29 million Series A funding round.

Recently awarded with a key patent (U.S. Patent No. 11,687,644) for a “Secure Visual and Computational Boundary for a Subset of Resources on a Computing Machine”, Venn’s approach is innovative: Remote work activity now lives in a company-controlled Secure Enclave installed on the user’s computer where all work data is encrypted and access is managed.

Similar to MDM for mobile devices, work applications run locally within a virtual wrapper, visually indicated by a Blue Border™, which intuitively demarcates protected work apps from private user applications. This method provides control over what work data can be transferred in and out of an application. This way, businesses can restrict activities like copying and pasting corporate data outside of work applications or saving a file onto a personal desktop. Even network traffic can be protected to ensure certain applications only connect to approved servers. With this approach, business activity is isolated and protected from personal use on the same device, safeguarding company data without having to control the entire device.

With Venn, employees can now use their personal computers for work without compromising security, effectively bringing BYOD (Bring Your Own Device) to laptops. This not only enhances the user experience but also drastically reduces the costs associated with maintaining separate devices or running complex virtual environments.

Matalon explains, “Instead of having to buy, manage, and lock down every PC and device, remote work can now easily be secured on any BYOD or unmanaged computer. Venn gives organizations more control, without the need for costly backend infrastructure.” The granting of the patent further strengthens the company’s intellectual property and ability to expand investments in Secure BYO-PC (Bring Your Own Personal Computer) technology.

With its key patent granted, a successful Series A funding round, and growing customer validation, Venn is ideally positioned for the next phase of growth. More than 700 companies, including major players like Fidelity, Guardian, and Voya, already trust Venn to meet stringent standards like FINRA, SEC, NAIC, and SOC 2. The focus now is on driving further innovation, expanding the reach of their Secure BYO-PC technology, and helping more organizations securely navigate the world of remote work.

As the boundaries between personal and professional devices continue to blur, and remote work becomes the new norm, the need for efficient, secure, and user-friendly remote work solutions has never been greater. With Venn, businesses now have a radically simplified, cost-effective alternative that meets these needs while enhancing the user experience – setting a new bar for the future of secure remote work.

To learn more, please visit: https://www.venn.com/patent-technology-mdm-for-laptops

The post Venn Redefines Remote Work Security with Innovative BYO-PC Solution appeared first on Cybersecurity Insiders.


June 28, 2023 at 08:38PM

Wagner Ransomware targets Russian Computers operating on Windows

After the military group named Wagner took over the supremacy realms from Putin for a brief period in the last weekend, a new ransomware is said to be threatening all Windows machines operating in the Russian federation.

Wagner ransomware has started taking down computers operating on Microsoft software and pleads with the victim to join the paramilitary group that is getting ready to take down Shoigu, the military general leading Vladimir Putin’s army.

A note posted on the infected computers urges the victim to stop tolerating the atrocities of authorities and is urging them to wage a war against Shoigu, the Minister of Defense.

Cybersecurity firm Cyble has confirmed the news and added that the malware was written in the Russian language, suggesting that it was developed to take down the systems of Moscow, which has waged war against Ukraine since February 24th, 2022.

Wagner is a private army led by Yevgeny Prigozhin that operates beyond the law and has the power to take down the government. Until now, Wagner’s forces were used abroad in various intelligence operations and succeeded to a certain extent. But now the group, which is linked to far-right extremism and Neo-Nazism, has become fodder for the international media, as its policies go against the Putin-led government and it strongly condemns the national war against Kyiv.

Surprised by the opposition, the Putin administration is finding ways to tackle the situation and bring it under control, and suspects that some western force is influencing its paramilitary forces to the core.

Currently, there is no news regarding who built Wagner Ransomware, and the military group hasn’t taken responsibility for its development. However, Reddit is buzzing with talk that those behind the spread of Chaos Ransomware could be involved in this file-encrypting malware cyber-attack.

The post Wagner Ransomware targets Russian Computers operating on Windows appeared first on Cybersecurity Insiders.


June 28, 2023 at 08:30PM

Tuesday, June 27, 2023

Google AI aggression makes Bernstein research downgrade Alphabet

Google’s AI push in its search engine algorithms has led Bernstein, the wealth management company, to downgrade the technology giant’s parent company Alphabet from “outperform” to “market perform”, resulting in a 1.5 percent cut in the value of its shares.

The reason for the market research company to downgrade the value of the internet juggernaut at the Wall Street stock exchange is the risks involved with the over-indulgence in Artificial Intelligence that might also affect the stocks of Microsoft and Nvidia, as both are following the same operational suit.

Alphabet was slow in its adoption of AI. However, its vision changed early this year, or probably after Microsoft released the conversational AI chatbot ChatGPT. Suddenly, its vision gained an aggressive push that soon saw the integration of GenAI into its search results, following in the footsteps of Microsoft with Bing search.

When robots start taking over the human mind, there will be a sure-shot pull-down in search ad pricing. This resulted in a downgrade of its buy, hold, and sell ratings and forced the tech giant to witness its lowest downfall since April 2018, with only 4.655 out of 5 points.

Those in favor of the company’s stock prices predict that the downgrade phenomenon will be temporary, as the internet search giant will be coming up with a new AI surprise for the world in September 2023, which could take its stocks zooming past the exchange corridor in flying colors.

The post Google AI aggression makes Bernstein research downgrade Alphabet appeared first on Cybersecurity Insiders.


June 28, 2023 at 10:38AM

What is NFV

In today’s fast-paced digital landscape, businesses proactively seek innovative ways to optimize their networks, enhance operational efficiency, and reduce costs. Network Functions Virtualization (NFV) emerges as a transformative technology that leads the charge.

NFV revolutionizes traditional, hardware-based network functions by converting them into flexible, software-based solutions. Virtual Network Functions (VNFs) can be deployed on commodity servers, cloud infrastructure, or even in data centers, freeing businesses from the constraints of specialized, proprietary hardware.

NFV simplifies network operations and significantly reduces hardware costs by allowing network functions, such as firewalls, load balancers, and routers, to run on general-purpose servers. This leads to substantial savings in both capital expenditure (CAPEX) and operational expenditure (OPEX).

Furthermore, NFV equips businesses with the agility and flexibility necessary to adapt quickly to changing network demands. Unlike traditional hardware-based network functions, which are static and require manual configuration, VNFs can be rapidly deployed, scaled, or modified to accommodate fluctuating network requirements. This provides a level of scalability and agility that was previously unattainable.

NFV also streamlines network management and automation. With NFV Management and Orchestration (MANO) systems, businesses can centrally manage and orchestrate VNFs, reducing the complexity and manual effort associated with network administration. This simplifies the deployment and management of network services, improves efficiency, and minimizes the risk of errors.

Moreover, NFV contributes to more sustainable and environmentally friendly operations by reducing energy consumption. By consolidating multiple network functions onto shared infrastructure, NFV lowers energy usage and cooling requirements.

The NFV architecture, standardized by the European Telecommunications Standards Institute (ETSI), provides a blueprint for implementing and deploying NFV solutions. It comprises three main components:

  • Virtual Network Functions (VNFs): Software implementations of network functions deployable on Network Function Virtualization Infrastructure (NFVI). Each VNF runs on generic server hardware and interconnects with other VNFs to create extensive networking communication services.
  • NFV Infrastructure (NFVI): The environment hosting the VNFs. It includes the hardware resources and the software layers that abstract, pool, and manage the physical resources.
  • NFV Management and Orchestration (MANO): The framework orchestrating and managing physical and/or virtual resources that support the VNFs. The MANO layer consists of the NFV Orchestrator, VNF Manager, and Virtualized Infrastructure Manager (VIM).

This architecture decouples network functions from proprietary hardware appliances, which is how NFV enhances network flexibility, scalability, and service deployment speed while cutting costs and energy consumption.

NFV not only brings cost savings and efficiency but also fosters innovation. The ability to quickly and easily deploy new network functions enables businesses to experiment with new services and features, accelerating innovation and enhancing competitiveness.

NFV represents a paradigm shift in networking. By transforming rigid, hardware-based network functions into flexible, software-based solutions, NFV equips businesses with the agility, cost-efficiency, and innovation potential necessary to thrive in the digital age. Embracing NFV is a strategic move for businesses looking to future-proof their networks and maintain a competitive edge in the digital era. Don’t let your current network setup hold you back; explore the possibilities NFV offers with AT&T Cybersecurity and transform your network infrastructure today.

The post What is NFV appeared first on Cybersecurity Insiders.


June 28, 2023 at 09:10AM

Digital dumpster diving: Exploring the intricacies of recycle bin forensics

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the vast realm of digital investigations, there exists a fascinating technique known as recycle bin forensics. Delving into the depths of this captivating field unveils a world where seemingly deleted files can still reveal their secrets, allowing digital detectives to reconstruct user activities and uncover valuable information. So, let’s embark on a journey to demystify recycle bin forensics and understand its role in the realm of cybersecurity.

Recycle bin forensics is a specialized branch of digital forensics that focuses on the retrieval and analysis of deleted files from the recycle bin or trash folder. This intriguing technique holds the potential to unlock a treasure trove of evidence, shedding light on cybercrimes and aiding in the investigation process.

To comprehend the intricacies of recycle bin forensics, it’s essential to grasp how the recycle bin functions.

When you delete a file on your computer, it often finds its way to the recycle bin or trash folder. It’s a convenient feature that allows you to recover accidentally deleted files with a simple click. But did you know that even after you empty the recycle bin, traces of those files may still linger on your system?

Welcome to the fascinating realm of recycle bin forensics, where digital detectives can uncover valuable information and shed light on a user’s activities.

Location of Deleted files

C:\RECYCLED          Win 95/98/Me

C:\RECYCLER          Win NT/2000/XP

C:\$Recycle.bin      Win Vista and later

Metadata file

INFO2 (Win 95/98/Me)

C:\RECYCLER\<SID>\INFO2 (Win NT/2000/XP) (SID denotes security identifier)

Windows Vista and later

C:\$Recycle.bin\<SID>\$I****** (contains metadata)

C:\$Recycle.bin\<SID>\$R****** (contents of the deleted file)

Both files are renamed with the same random 6-character value, so each $I file pairs with its $R file. These directories are hidden by default; however, you can access them using a command prompt with elevated privileges (Run as administrator) on your Windows system using the command dir /a.

Recycle bin forensics assumes a critical role in digital investigations, enabling law enforcement agencies, cybersecurity experts, and forensic analysts to piece together the puzzle. By analyzing deleted files, forensic professionals can reconstruct a timeline of events, unearth vital evidence, and recover seemingly lost data, aiding in the pursuit of justice.

Unveiling the secrets hidden within the recycle bin requires specialized tools and techniques. Forensic software empowers investigators to extract deleted files, even after the recycle bin has been emptied. Through careful analysis of file metadata, paths, and content, digital detectives can gain insights into file origins, modifications, and deletions, painting a clearer picture of the user’s activities.

One such utility, used in the walkthrough below, is $IPARSE, a tool that decodes $I files.

Steps to find metadata related to a deleted file ($I****** file)

  • Run command prompt as administrator.
  • Use cd .. (twice) to reach the root of the system drive, then run dir /a and check that the $RECYCLE.BIN directory is listed.
  • cd $RECYCLE.BIN to enter the directory and run dir /a again. You will see one subdirectory per user, each named with that user's SID (the entries starting with S).
  • To map SID directories to user accounts, run wmic useraccount get name,sid. It lists every local account with its SID. Copy the SID you want (select it and press Ctrl+C, or type the first few characters and press Tab to autocomplete the directory name).
  • Move into that SID directory with cd followed by the SID, for example:

cd S-1-5-32

(The name above is the post's own example; on a real system the per-user directories are of the form S-1-5-21-<domain>-<RID>.)

  • Run dir /a to list the contents. You should see pairs of $I and $R files; in certain cases only the $I****** file is present.

For illustration purposes, the files below were acquired from other systems.

  • Create a destination folder and copy the $I file into it with the copy command, e.g.:

copy $IABTIOW.doc "D:\Desktop\Test files\i files\TEST\Output"

  The destination path can be taken from Explorer by clicking the address bar. If you double-click the copied $I file, the application associated with its extension (for example the Photos app for .png or .jpeg) will try and fail to open it, because the $I file holds metadata, not the original content.
  • Extract and run the $IPARSE utility you downloaded. Browse to the folder you copied the $I files into, then browse to the folder where the result file should be written and provide a file name. Click Save.
  • Click Parse. If the file was parsed successfully, $IPARSE displays it and writes the result as a .tsv file, which you can open with Notepad or Notepad++ to see the details held in the $I file: the original path, the original size and the deletion timestamp.
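The $I layout listed in the location table above is simple enough to decode without a GUI tool. The following Python script is an added example, not code from the original post and not part of $IPARSE: it parses $I files in both the Vista-to-8.1 (version 1) and Windows 10+ (version 2) layouts, walks a $Recycle.Bin tree SID by SID, pairs each $I with its $R file, and writes the same kind of TSV the walkthrough produces. The SID, file names and timestamps in demo() are constructed fixtures, not data from any real system.

```python
"""Parse Vista-and-later recycle-bin $I metadata files and report them as TSV.

Documented $I layout: uint64 version at offset 0 (1 = Vista..8.1, 2 = Win10+),
uint64 original size at 8, uint64 FILETIME deletion time at 16, then the path:
version 1 = fixed 520-byte UTF-16LE field, version 2 = uint32 char count + path.
"""
import os
import struct
import sys
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed fixture timestamp used by demo(); not taken from any real system.
SAMPLE_DELETED = datetime(2023, 6, 27, 21, 11, 0, tzinfo=timezone.utc)

@dataclass
class RecycleEntry:
    version: int
    original_size: int
    deleted_utc: datetime
    original_path: str

def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta yields an exact int, avoiding float rounding.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_i_file(data: bytes) -> RecycleEntry:
    """Decode one $I file; raises ValueError on truncated or unknown input."""
    if len(data) < 24:
        raise ValueError("too short to be an $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:544]
        if len(raw) < 520:
            raise ValueError("truncated version-1 path field")
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) < 2 * nchars:
            raise ValueError("truncated version-2 path field")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return RecycleEntry(version, size, filetime_to_datetime(ft), path)

def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Build a synthetic $I file (test fixture only, not real evidence)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded

def scan_recycle_bin(root: str):
    """Yield (sid, $I name, entry, $R present) for every $I under root\\<SID>\\."""
    for sid in sorted(os.listdir(root)):
        sid_dir = os.path.join(root, sid)
        if not (sid.startswith("S-1-") and os.path.isdir(sid_dir)):
            continue
        for name in sorted(os.listdir(sid_dir)):
            if not name.startswith("$I"):
                continue
            with open(os.path.join(sid_dir, name), "rb") as fh:
                entry = parse_i_file(fh.read())
            # The content file shares the six-character suffix and extension.
            has_r = os.path.exists(os.path.join(sid_dir, "$R" + name[2:]))
            yield sid, name, entry, has_r

def to_tsv(rows) -> str:
    lines = ["sid\ti_file\tversion\tsize\tdeleted_utc\toriginal_path\tr_present"]
    for sid, name, e, has_r in rows:
        lines.append("\t".join([sid, name, str(e.version), str(e.original_size),
                                e.deleted_utc.isoformat(), e.original_path, str(has_r)]))
    return "\n".join(lines)

def demo():
    """Scan a constructed $Recycle.Bin tree (hypothetical SID and file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        sid_dir = os.path.join(tmp, "S-1-5-21-1000-2000-3000-1001")
        os.mkdir(sid_dir)
        fixtures = {
            "$IABCDEF.docx": build_i_file(2, 1234, SAMPLE_DELETED, r"C:\Users\user\Documents\contract.docx"),
            "$RABCDEF.docx": b"not the real content",   # $R present for this pair
            "$IGHIJKL.txt": build_i_file(1, 7, SAMPLE_DELETED, r"D:\notes.txt"),  # orphan $I
        }
        for name, blob in fixtures.items():
            with open(os.path.join(sid_dir, name), "wb") as fh:
                fh.write(blob)
        rows = list(scan_recycle_bin(tmp))
    return rows, to_tsv(rows)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(to_tsv(scan_recycle_bin(sys.argv[1])))  # e.g. C:\$Recycle.Bin or a mounted image
    else:
        print(demo()[1])
```

Run it with the path of a $Recycle.Bin directory (or the same directory on a mounted forensic image) to get a TSV; with no argument it scans the constructed fixture tree. An orphan $I with no matching $R, as in the second fixture, is exactly the "only $I****** available" case from the walkthrough: the metadata still tells you what was deleted and when, even though the content is gone.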

Recycle bin forensics has limits. Once the bin is emptied the $I and $R files are themselves deleted, and as the system writes new data the clusters they occupied may be overwritten, making recovery harder or impossible; on SSDs with TRIM enabled the freed blocks may be discarded almost immediately. The Recycle Bin also only sees files deleted through Explorer: files removed with Shift+Delete, from the command line, or by another program bypass it entirely. Finally, the locations and formats above differ between Windows versions and file systems, so the analysis must match the system under examination.

To keep sensitive information from being recovered this way, secure deletion practices matter. Emptying the Recycle Bin does not erase anything. File-shredding or disk-wiping tools overwrite the data so that it cannot be retrieved, and full-disk encryption limits what can be recovered from the raw disk in the first place.

In conclusion, recycle bin forensics is a remarkable field that uncovers the hidden remnants of deleted files, holding the potential to transform investigations. As we navigate the digital landscape, understanding the power of recycle bin forensics reminds us of the importance of safeguarding our digital footprint. Through knowledge, diligence, and secure practices, we can protect our sensitive information and fortify the realm of cybersecurity for the benefit of all.

The post Digital dumpster diving: Exploring the intricacies of recycle bin forensics appeared first on Cybersecurity Insiders.


June 27, 2023 at 09:11PM

Benefits of Using NFV with SASE

In today’s digital era, businesses actively strive to heighten network agility, boost security, and slash operational costs. Network Function Virtualization (NFV) and Secure Access Service Edge (SASE) stand at the forefront of this revolution, reshaping enterprise networking and security.

NFV breathes new life into traditional, hardware-based network functions, turning them into versatile, software-based solutions deployable on virtualized infrastructure. As a result, businesses cut hardware costs, speed up service deployment, and streamline network management and automation. When you incorporate NFV into your organization’s network architecture, you unlock these benefits:

  • Cut hardware costs and physical footprint: Virtual Network Functions (VNF) operate on general-purpose servers, delivering a more cost-effective solution.
  • Scale the edge swiftly: NFV grants networks that frequently or unpredictably change, greater flexibility and agility. You can deploy, modify, or scale them to adapt to shifting demand.
  • Speed up service deployment: Forget procuring, installing, and configuring specialized hardware. Instead, launch VNFs fast and hassle-free to deploy new network services.
  • Enhance network management and automation: NFV management and orchestration (MANO) systems allow central management and orchestration of VNFs, reducing network administration’s complexity and manual effort.
  • Decrease energy consumption: NFV consolidates multiple network functions onto shared infrastructure, lowering energy consumption and cooling requirements, contributing to greener and more sustainable operations.

SASE, by contrast, departs from the traditional architecture that relies on a separate appliance for each function: it moves network and security services closer to the edge and delivers consistent security policies, better performance and simpler management. NFV's flexible, programmable networking is a key enabler of SASE, and the two together provide these benefits:

  • Scalability: As a cloud-based service, SASE and NFV work in harmony to scale up or down effortlessly based on demand, helping organizations adapt quickly to evolving network conditions and requirements.
  • Performance and user experience: SASE and NFV draw network and security services closer to the edge, reducing latency and enhancing performance for users, especially those remote from the organization’s data centers or main offices.
  • Consistent security policies: SASE and NFV ensure the consistent application of security policies across the entire network, regardless of users or devices’ location. This is particularly advantageous for organizations with remote workers or multiple branches.
  • Cost efficiency: By merging multiple network and security functions into a single service, and on single physical servers, SASE and NFV help organizations slash costs linked to hardware procurement, installation, and maintenance.

The powerhouse duo of Network Function Virtualization (NFV) and Secure Access Service Edge (SASE) empowers modern businesses to amplify their network agility, bolster security, and curb operational costs. Their synergy keeps organizations in step with the fast-paced rhythm of today’s digital business landscape, offering a network architecture that is flexible, scalable, secure, and efficient.

Adopting NFV can fuel cost savings, expedite service deployment, enhance network management, and promote sustainability. Simultaneously, embracing SASE can deliver consistent security policies, improve performance, and simplify management, especially beneficial for businesses with a dispersed workforce or multiple branch locations. Together, NFV and SASE form a robust framework for securing and managing modern networks.

The time to integrate NFV and SASE into your network architecture is now. Considering the multitude of benefits they offer, it’s not a mere option; it’s a strategic imperative to future-proof your network infrastructure. Don’t let your current network setup hinder your business growth. Contact AT&T Cybersecurity to discover how NFV and SASE can revolutionize your network infrastructure and propel your business forward.

The post Benefits of Using NFV with SASE appeared first on Cybersecurity Insiders.


June 27, 2023 at 09:11PM

Submarine Cables vulnerable to Cyber Attacks

Most people know that the internet connects the world through cables laid across the ocean floor. Fewer realize that these cables are exposed to digital attacks that could cause global internet disruptions lasting days or even weeks.

A recent study by Recorded Future notes that geopolitical tensions, such as those between China and Taiwan, Ukraine and Russia, and the United States and North Korea, could prompt adversaries to launch cyber assaults on this interconnected infrastructure.

Amid the mounting challenges facing Vladimir Putin, there is a possibility that he could open a cyber-warfare campaign against the rest of the world by sabotaging the undersea cables linking Asia with Western countries. Such an act would severely hamper communications and could let Russia disrupt an estimated 91% of daily internet transactions, valued at $10 trillion.

In today's digital landscape, approximately 30% of data and voice communication relies on satellites, while the remaining 70% travels over the interconnected web, which predominantly runs on submarine fiber-optic cables.

The United States already faced a similar situation in April 2022, when specialized security forces at the Pentagon thwarted an attack on the cable connection between the Pacific region and Hawaii. Subsequent investigation attributed the attack to a phishing scheme that exposed login credentials to malicious actors.

These examples merely scratch the surface, as the repercussions of such situations can extend far deeper. Cloud service providers, responsible for maintaining data centers worldwide, heavily depend on undersea cables. Consequently, any disruption to these cables could inflict lasting damage on their hosting services, with potentially irreversible consequences.

The post Submarine Cables vulnerable to Cyber Attacks appeared first on Cybersecurity Insiders.


June 27, 2023 at 08:42PM

Monday, June 26, 2023

Mayor candidate slaps Latitude with $1 million lawsuit for data breach

An Australian mayoral candidate is suing Latitude for failing to protect customer details from hackers. As an unsuccessful mayoral candidate who was among the victims of the data breach, he is claiming $1 million in damages in the Federal Court.

Shahriar Sean Saffari launched the action against the Australian financial services firm and is seeking financial compensation for the distress the incident caused him.

For those unfamiliar with the case, Latitude suffered a cyber-attack in March in which data on 7.9 million customers was stolen. The suspected group of hackers took control of the company's servers through a compromised employee account.

The company's failure to protect its customers' data is the basis of the lawsuit.

Because Saffari's Mastercard details were exposed in the attack, he was concerned that it could lead to serious consequences such as identity theft and the siphoning of funds from his personal accounts.

Justice Melissa Perry has been assigned the case to resolve and is busy overseeing the developments.

Meanwhile, Latitude Financial Services has already kept aside a sum of $46 million related to the data breach for such customer remediation costs and will apparently allot the fund to the claimant after the case gets resolved.

Parallelly, a joint investigation is being held by the New Zealand Office of the Privacy Commissioner and Office of Australian Information Commissioner (OAIC) and the investigation might conclude by September this year.

If serious breaches are found, the OAIC can impose a hefty penalty on the service provider, which would later be distributed equally among the affected customers in the form of a discount on their loan repayments.

NOTE: In the Latitude breach the hackers accessed driving licence details, names, addresses, contact numbers, dates of birth and income information for over 900,000 loan applicants, including credit and debit card details. No card expiry dates or CVCs were accessed, as the company stored those on an encrypted server.

The post Mayor candidate slaps Latitude with $1 million lawsuit for data breach appeared first on Cybersecurity Insiders.


June 27, 2023 at 10:28AM

Next-Generation Firewalls: A comprehensive guide for network security modernization

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The terms computer security, information security and cybersecurity were practically non-existent in the 1980s, but believe it or not, firewalls have existed in some form since that time. Over the years, the traditional firewall has transformed to meet the demands of the modern workplace and adapt to an evolving threat landscape. 

Next-Generation Firewalls (NGFWs), free from legacy technology constraints, take advantage of significant advancements in computational power, memory, and storage. NGFWs boast critical security features such as intrusion prevention, VPN, anti-virus, and encrypted web traffic inspection. This not only helps protect against malicious content but also aligns seamlessly with contemporary networking topologies like Software-Defined Wide Area Networks (SD-WAN) and zero-trust architectures.

But what sets NGFWs apart from traditional firewalls? How do you know what features to look for and why should you invest in an NGFW? And finally, what do you do if you don’t have the security resources to devote to managing firewalls?  

In today’s crowded security marketplace, numerous firewall solutions are marketed as NGFWs. Without clear industry consensus on the definition of a next-gen firewall, it’s incumbent upon organizations to assess features and gauge if the solution aligns with their business needs. 

What makes next-generation firewalls a compelling choice for network modernization? 

NGFWs offer several advantages over traditional firewalls. Key among these are comprehensive application visibility and control, the ability to distinguish between dangerous and safe applications, and capabilities for preventing malware from penetrating a network. 

Here are several crucial ways an NGFW bolsters an organization’s cybersecurity posture. 

  • Protecting the network from viruses and trojans: NGFW application awareness analyzes header information and the payload against established application signatures to verify what the application is and whether it is permitted. With so many apps and services required for employees to do their jobs, this is crucial for allowing users to download applications from the internet safely.
  • Adaptability to the hybrid workplace: Even before the pandemic, businesses had been rapidly embracing hybrid work models, with teams working from everywhere on a myriad of devices. This shift towards decentralized operations demands adaptability and flexibility. NGFW security functionality is invaluable in a hybrid environment where the network perimeter is blurred and traditional security measures fall short. NGFWs are also designed to integrate with modern network architectures such as SD-WAN and cloud services, allowing businesses to maintain robust security as they move between on-premises, cloud, and hybrid setups.
  • Preventing known productivity distractors: With robust application control, organizations can manage which applications run, which features are accessed, and which applications are prioritized for bandwidth. For example, social media or SaaS applications can be selectively enabled or disabled based on job function.
  • Application awareness: One of the fundamental enhancements NGFWs offer over traditional firewalls is application awareness, the ability to identify and control applications regardless of network port and protocol. This helps prevent unauthorized access and provides greater visibility and context into network activity. By recognizing application-specific characteristics and behaviors, NGFWs can control access, prioritize traffic, and allocate bandwidth per application, enhancing both network performance and security.
  • User-based policies: Unlike traditional firewalls that enforce policies based on IP addresses, NGFWs align policies with specific users or groups. Connecting users with their applications and related network activity enables more precise control and more contextual reporting, which is invaluable for both security and compliance.
  • Intrusion Prevention System (IPS): NGFWs integrate an IPS that actively identifies and blocks potential threats. The IPS scans traffic for attack patterns or signatures in real time and acts to prevent these threats from entering the network. This is a significant upgrade from traditional firewalls, which required a separate IPS solution.
  • Deep Packet Inspection (DPI): DPI inspects the data portion (and possibly also the header) of a packet as it passes an inspection point, which is critical for identifying, categorizing, or blocking packets carrying malicious data. NGFWs apply DPI to both inbound and outbound traffic, protecting against a broad range of threats, from malware to data exfiltration.
  • Leveraging external security sources: NGFWs can consume external security data, including directory-based policies, allow lists, and deny lists, saving time and resources.

By incorporating these advanced features, NGFWs offer far more granular control and visibility into network traffic than traditional firewalls. They empower organizations to better understand and manage the intricacies of modern network security, allowing for a stronger security posture and efficient use of resources. 

Why should you invest in a next-generation firewall? 

Firewalls primarily serve to protect against undesirable or malicious network traffic. But as threats evolve and detection becomes increasingly challenging, enterprise network security must advance to address the threat difficulty level. 

Traditional firewalls filter network traffic based on port number, IP address, or domain in an “all or none” approach. In a bygone era where most attacks targeted network services and components, this level of security sufficed. But nowadays, most exploits are directed towards specific application vulnerabilities. 

NGFWs address these application-level threats, offering superior control over network security.


Next-Generation Firewalls vs. UTM and Virtual or Cloud-Based Firewalls 

Security discussions often blur the distinctions between NGFWs and Unified Threat Management (UTM) solutions or between appliance, virtual, and cloud-based firewalls (commonly referred to as Firewall-as-a-Service or FWaaS). 

NGFWs include IPS and some form of application intelligence. UTMs, however, include these features plus additional technologies such as wireless security, URL filtering, email security, VPNs, and web application firewalls. Given their multi-functional nature, UTMs simplify deployment and management, reduce costs, and enable quick incident response times. 

When comparing appliance, virtual, and cloud-based firewalls, we need to examine the form factor or the firewall’s location, not their features. Irrespective of hosting, a firewall with any of the above-discussed technical capabilities can be considered next-generation. Cloud firewalls are typically managed, configured, and updated by a third-party vendor, thereby reducing the managerial burden for the deploying company. 

How AT&T can help you leverage NGFWs for network modernization 

In a business environment where digital transformation is rapidly reshaping operations, it’s critical that your business deploys robust, adaptive security measures. NGFWs offer multiple layers of defense — securing your hybrid workforce and bolstering your security posture. They provide centralized visibility, reduce risk, and relieve the administrative burden on your tech teams.

Whether you’re building a foundation or upgrading your existing setup, managed firewall services from AT&T Cybersecurity make the transition smooth and efficient. Don’t wait until it’s too late; boost and modernize your network security today and protect your business against tomorrow’s threats.


The post Next-Generation Firewalls: A comprehensive guide for network security modernization appeared first on Cybersecurity Insiders.


June 27, 2023 at 09:11AM