FireSale HackBoy

Knowledge Shared By FireSale HackBoy...


Wednesday, July 31, 2024

Android Mobile Security alert against SMS Stealer Malware

A new type of malware, known as SMS Stealer, is making waves in the cybersecurity world. Designed to harvest one-time passwords (OTPs) and other sensitive information, this malware has already targeted over 600 global brands, according to experts from Zimperium.

Zimperium reports that SMS Stealer is spreading rapidly and affecting businesses in more than 113 countries, with a significant number of victims in Russia and India. The malware operates using 13 command-and-control (C&C) servers and enlists the help of over 2,600 Telegram bots to infect millions of users.

The malware’s function is straightforward: it gains read access to SMS messages and then sends the collected information to remote servers. This is particularly concerning as OTPs, which are commonly sent via text messages to authenticate online transactions, are used for securing banking and shopping activities against cyber-attacks and identity theft.

In October 2022, TrendMicro issued a warning about similar threats affecting Android users. Now, Zimperium has revealed that the new malware is being filtered by Google Play Protect tools, which may limit its ability to impact organizations.

Despite these protections, the sophistication of such attacks is increasing rapidly. Users must take proactive measures to safeguard themselves, including avoiding unsolicited emails and messages, not disclosing personal information to unknown callers, using security software, and keeping their devices updated with the latest patches.

Additionally, upgrading to newer devices can help mitigate risks associated with outdated hardware and software.

The post Android Mobile Security alert against SMS Stealer Malware appeared first on Cybersecurity Insiders.


August 01, 2024 at 10:47AM

VMware vulnerability leads ransomware to encrypt mass virtual machines

Until now, attackers have mostly been seen targeting Windows and Linux machines. Now they are exploiting a vulnerability in VMware ESXi software to encrypt virtual machines on a massive scale.

The vulnerability, identified as CVE-2024-37085, has been rated 7 out of 10 on the severity scale. It serves as a gateway for attackers to gain access to Active Directory and subsequently encrypt virtual machines extensively. This has led to a surge in ransomware attacks and large-scale data exfiltration.

Notable ransomware groups, including Evil Corp, Octo Tempest, Black Basta, and Akira, have previously leveraged ESXi machines in their attacks. However, the current situation is more severe, with hackers increasingly targeting Active Directory systems in bulk.

Broadcom, a major player in enterprise security, has released a fix for this vulnerability. While the company has provided general mitigation advice, including keeping systems updated, enforcing multi-factor authentication, enabling passwordless authentication, and ensuring robust backup and recovery plans, it has not delved deeply into how attackers are compromising ESXi hypervisors.

For context, Broadcom announced its $68 billion acquisition of VMware, the virtualization software giant, in May 2022, with the deal officially closing in November 2023.

It’s also worth noting that in early June 2024, the APT Inc group—formerly known as SE$i ransomware—collaborated with the Play Ransomware group and the notorious automation tool Prolific Puma. This collaboration targeted ESXi environments, leveraging automated domain registration with shortened links for their attacks.

The post VMware vulnerability leads ransomware to encrypt mass virtual machines appeared first on Cybersecurity Insiders.


July 31, 2024 at 08:30PM

Can Negotiations Yield Success in Ransomware Attacks

In the escalating world of cybercrime, ransomware attacks have become a pervasive threat, affecting businesses of all sizes and industries. When faced with a ransomware attack, organizations are often confronted with a critical decision: to pay the ransom or not. In many cases, negotiations with the attackers become a key strategy in determining whether to comply with their demands. But can these negotiations truly lead to a successful resolution?

Understanding Ransomware Negotiations

Ransomware is a type of malicious software that encrypts a victim’s data, rendering it inaccessible until a ransom is paid. The attackers often demand payment in cryptocurrencies, such as Bitcoin, making transactions difficult to trace. Given the severity of these attacks, some organizations consider negotiating with the cybercriminals to either reduce the ransom amount or expedite the decryption process.

Negotiations typically involve several stages:

1. Initial Contact: The victim communicates with the attackers, often through a secure communication channel provided by the attackers themselves.

2. Assessment: The victim assesses the attack’s impact and evaluates the feasibility of paying the ransom versus the cost of downtime and recovery.

3. Negotiation: Discussions ensue where the victim attempts to reduce the ransom amount or seek assurances regarding the decryption key.

4. Payment: If an agreement is reached, payment is made, and the victim receives the decryption key—hopefully.

Factors Influencing the Success of Negotiations

1. Type of Attack: The nature and complexity of the ransomware strain play a crucial role. More sophisticated attacks may involve multiple layers of encryption, making negotiations less likely to succeed.

2. Attacker’s Reputation: Some ransomware groups are known for honoring their decryption promises, while others might not. Researching the attackers’ reputation and past behavior can provide insights into the likelihood of a successful outcome.

3. Negotiation Skills: Effective negotiation requires skill and experience. Specialized negotiators or cybersecurity firms often assist victims in this process, leveraging their expertise to secure a better deal.

4. Law Enforcement Involvement: Engaging with law enforcement can add pressure on the attackers, though it can also lead to complications in negotiations. Authorities might advise against paying or negotiating in order to avoid funding criminal enterprises.

5. Company’s Leverage: The victim’s position in the negotiation depends on factors such as the amount of data encrypted, the urgency of recovery, and the overall impact on operations.

Potential Outcomes of Negotiations

•    Successful Decryption: In some cases, victims manage to secure a reduced ransom and receive a working decryption key, allowing them to restore their data and resume normal operations.
•    Partial Success: Negotiations may lead to a partial reduction in ransom or a delay in payment, but the attackers might still demand a high price or fail to deliver a fully functional decryption key.
•    Failure: Negotiations might collapse if attackers refuse to lower the ransom or if the decryption key provided does not work, leaving the victim in a worse position than before.

Risks and Considerations

1. Funding Criminal Activity: Paying the ransom fuels further criminal activities and may incentivize attackers to target other victims.

2. No Guarantee of Recovery: Even if a ransom is paid, there’s no guarantee that the attackers will provide a decryption key or that it will work as promised.

3. Legal and Ethical Issues: Some jurisdictions have regulations against paying ransoms, and organizations might face legal consequences or reputational damage as a result.

Conclusion

Negotiating with ransomware attackers can sometimes yield positive results, but it comes with significant risks and uncertainties. Organizations must carefully weigh the potential benefits against the risks of funding criminal activity and the possibility of incomplete recovery. Engaging with cybersecurity experts and law enforcement can provide valuable support in making these critical decisions. Ultimately, the best defense against ransomware is a robust cybersecurity strategy that includes preventive measures, regular backups, and employee training to minimize the likelihood of an attack.

The post Can Negotiations Yield Success in Ransomware Attacks appeared first on Cybersecurity Insiders.


July 31, 2024 at 11:32AM

DDoS Attack on Microsoft Azure Cloud leads to another global IT Outage

Microsoft has issued a statement apologizing for a recent IT outage, which they attribute to a DDoS (Distributed Denial of Service) cyber attack on the infrastructure managed by Microsoft Azure Cloud.

Under the leadership of Satya Nadella, and amid a surge of media attention on his daughter Tara Nadella, the company revealed that the outage resulted from a malfunction in the automated protection system of their Microsoft Threat Intelligence software. This failure compromised the protection of IT assets against DDoS attacks.

The outage impacted a wide range of services, including Azure users, Minecraft players, and customers of Starbucks Corp, Cambridge Water, and NatWest. The disruption lasted for at least six hours, during which affected devices displayed error messages on Tuesday.

Down Detector reported that the issue began at 7 AM New York time and persisted until 5 PM. Some services, such as MS Office 365 and other Outlook applications, remained unavailable until 9 PM.

This incident follows a previous IT meltdown earlier this month, when a software update from CrowdStrike caused widespread issues, affecting around 8.5 million devices running Windows 10 and 11. CrowdStrike later clarified that the outage was due to a software bug, not a cyber attack.

Microsoft’s recent admission of the DDoS attack on its Azure cloud platform has led to a decline in its stock value, with shares falling over 2.9% in Tuesday’s trading. The company assures that they are working to resolve the disruption and restore services fully.

The post DDoS Attack on Microsoft Azure Cloud leads to another global IT Outage appeared first on Cybersecurity Insiders.


July 31, 2024 at 11:28AM

Tuesday, July 30, 2024

Western Maryland Community Colleges Receive Edwards Fund Grant for Cyber Ranges

Students Provided Training Opportunities and Help Meet Maryland’s Cybersecurity Talent Gap

Allegany College of Maryland, Garrett College, and Hagerstown Community College have received a $617,400 grant from the Senator George C. Edwards Fund toward a $686,000 project to implement two cyber ranges through the Cyber Workforce Accelerator program, helping cybersecurity students prepare for careers using real-world, cutting-edge simulation.

Created by the Maryland Association of Community Colleges (MACC) and BCR Cyber, the Cyber Workforce Accelerator program is designed to dramatically expand Maryland workforce development efforts and provide the state’s community colleges with BCR Cyber Series 3000 Cyber Ranges, offering access to advanced experiential training and education technology to train and certify thousands of entry-level IT and cyber practitioners.

The Senator George C. Edwards Fund grant facilitates the procurement, configuration, and deployment of the cyber ranges, as well as required infrastructure upgrades, enhancements, and staff training. Delivery of the cyber ranges and training commencement is expected by April 1, 2025.

“This is going to be a game changer for our students,” says Hagerstown Community College president, Jim Klauber. “Our cybersecurity students will learn how to effectively identify and address cyber threats. Employers will be able to watch students as they work through the simulations, giving the students the opportunity to showcase their skills and employability.”

The Senator George C. Edwards Fund is a four-year, $50 million program aimed to spur economic growth in Washington, Allegany, and Garrett Counties.  

“This cyber range project will help our competitiveness in Western Maryland and will yield return on investment in this fast-growing industry. It is a great partnership between our three community colleges,” says Jake Shade, executive director of the Senator Edwards Fund.

BCR Cyber created a public-private consortium of more than 35 cybersecurity companies and government agencies that will steer course content development and recruit entry-level employees trained at the community college cyber ranges. Each school will have a center with five workstations in which the students will complete approximately 40 hours of training for their capstone work, followed by a live experience with up to 10 hours of testing in simulated cyber threats. BCR Cyber has trained thousands of people to work in the cybersecurity industry.

“There are not enough skilled professionals to meet the talent gap in cybersecurity here in Maryland and across the country,” says Michael Spector, president of BCR Cyber. “Partnering with these community colleges through the accelerator program is an effective way not only to create well-paid career opportunities, but also bring more students into an industry that desperately needs them.”

Recently, MACC – in partnership with BCR Cyber – was awarded $935,680 through the Maryland Department of Commerce’s “Build Our Future Grant Pilot Program” to fund the Cybersecurity Workforce Accelerator. This award leverages $2 million of Congressionally Directed Spending obtained by U.S. Senators Ben Cardin and Chris van Hollen that was allocated for the Accelerator earlier this year in the Federal FY25 Budget as matching funds. The total amount awarded year to date for the accelerator is $3.6 million.

For more information about the program visit www.bcrcyber.com

The post Western Maryland Community Colleges Receive Edwards Fund Grant for Cyber Ranges appeared first on Cybersecurity Insiders.


July 30, 2024 at 08:13PM

Crowdstrike preliminary report as sourced from Richard Ford

CrowdStrike have now published their preliminary post incident report (PIR) into the issue that brought 8.5m Windows hosts, and a lot of the world, to a halt. Their preliminary report is available in full on the CrowdStrike website (here: https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/), but here are initial thoughts after reviewing the report and considering it against the backdrop of what we’ve observed within our affected customer base.

With such a wide-scale, brand-affecting incident, the recovery for CrowdStrike was always going to be rooted in transparency. No software company will ever be 100% bug free; that’s just not reality, and issues, outages and vulnerabilities will occur. But we can judge a software organisation on two things: how robust their development and testing processes are to limit the frequency of issues and, when an incident occurs, how they respond to it.

The scrutiny placed on CrowdStrike is derived from their position in the IT stack. As an endpoint security platform, and specifically an Endpoint Detection & Response (EDR) solution, it operates in kernel mode via kernel drivers that permit access to lower-level internals of the Windows operating system. Operating in kernel mode gives an EDR great power to gain visibility into system processes and activity, and provides the ability to act and prevent malicious actions. But, as with Spiderman, with great power comes great responsibility. Kernel drivers must be developed to be completely robust and stable. Unlike in user mode, where a runtime issue can fail gracefully and only affect that application, failure of a kernel driver will lead to the type of exception that ends with a Blue Screen of Death (BSOD).

At the very tail of the preliminary report CrowdStrike have promised a future root cause analysis (RCA) once they have completed their investigation in full. Even with the promise of a full root-and-branch RCA, there’s a fair amount of detail in the preliminary report. The transparency we need seems to be coming. If we look at how CrowdStrike have reacted in the face of adversity, they’ve done a reasonably good job. They’ve held their hands up, they rolled back the faulty Channel File reasonably quickly, on the whole they’ve communicated with customers and partners regularly with updates, they have provided fixes and recovery steps, and now we’re seeing some of the transparency required to rebuild that trust.

What does the report say?

We can fully test that last point once the full RCA is available, as the preliminary report still leaves questions unanswered and niggling doubts. So, what does the preliminary report say? Within the report CrowdStrike detail their security content configuration update architecture, along with what happened and how these components had the effect they did.

CrowdStrike’s security content configuration architecture, as laid out in the PIR, is broken down into two component parts: the Sensor Content and the Rapid Response Content. The former is shipped only with CrowdStrike Falcon agent updates, which are fully controllable by end users through the Sensor Update Policy settings, and provides a wide range of security capabilities, either introduced or updated as part of Sensor Content updates. This includes new Template Types that allow threat detection engineers to define threat content. Rapid Response Content, on the other hand, is the set of security definitions and IOCs that utilise the capabilities and Template Types available in the Sensor Content updates in order to instruct the Falcon agent on how to detect current and emerging threats. These are pushed globally to customers by CrowdStrike when available, regardless of any Sensor Update Policies.

In terms of what happened on the 19th July, CrowdStrike have outlined in the preliminary report the series of events that led to the global outage. Firstly, as part of a Sensor Content update released on 28th February 2024 (Falcon agent v7.11), a new IPC Template Type was introduced to detect novel attack techniques that abuse Named Pipes. Releases of Sensor Content are rigorously tested through unit testing, integration testing, performance testing and stress testing, and then further tested internally and with early adopters prior to being made generally available. This was the case with this update and the new IPC Template Type, with stress testing completed on 5th March 2024 and successful deployments to production completed on 8th and 24th April 2024.

The problem is when we look at the testing of the IPC Template Instances that make up the Rapid Response Content. It appears, from the information available in the preliminary report, that these are only tested by a Content Validator tool that performs validation checks on content prior to release. Unfortunately, in this instance, a bug in this tool allowed the invalid content to pass muster and, combined with the confidence drawn from the stress testing and the success of the previous releases, this ended up with the corrupt file being pushed to all online Falcon agents.

So clearly there was a deficiency in the testing process when it came to Rapid Response Content, probably because this was never considered a risk, or the impact of an issue with it was never fully considered, together with the confidence drawn from the rigorous testing carried out on Sensor Content updates. The other issue was the deployment strategy. Deploying globally meant the issue was that much more impactful, and the rollback and recovery that much more difficult once the error had been identified.

Lesson learnt. CrowdStrike are implementing steps to make sure this doesn’t happen again:

Software Resiliency and Testing

• Improve Rapid Response Content testing by using testing types such as:

  • Local developer testing
  • Content update and rollback testing
  • Stress testing, fuzzing and fault injection
  • Stability testing
  • Content interface testing

• Add additional validation checks to the Content Validator for Rapid Response Content. A new check is in process to guard against this type of problematic content being deployed in the future.

• Enhance existing error handling in the Content Interpreter.

Rapid Response Content Deployment

• Implement a staggered deployment strategy for Rapid Response Content in which updates are gradually deployed to larger portions of the sensor base, starting with a canary deployment.

• Improve monitoring for both sensor and system performance, collecting feedback during Rapid Response Content deployment to guide a phased rollout.

• Provide customers with greater control over the delivery of Rapid Response Content updates by allowing granular selection of when and where these updates are deployed.

• Provide content update details via release notes, which customers can subscribe to.
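As an added illustration (not CrowdStrike's code, and not part of the original post) of the validator gate and the staged, canary-first deployment described in the list above, the following Python simulation pushes a channel file ring by ring, measures sensor health after each ring, and rolls every exposed sensor back when the failure rate spikes. The fleet, ring sizes, field-count check, threshold and file names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model of a sensor fleet (not CrowdStrike's code). A sensor is
# healthy until a content update faults on load, the page's BSOD case.
@dataclass
class Sensor:
    sensor_id: str
    ring: str                 # customer-selected ring: canary, early, general
    content: str = "C-BASE"   # channel file currently loaded (placeholder name)
    healthy: bool = True

@dataclass
class ContentUpdate:
    channel_file: str
    fields: List[str]         # stand-in for template-instance fields

@dataclass
class RolloutResult:
    phases_completed: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None   # "validator", a ring name, or None
    rolled_back: bool = False
    exposed: int = 0                  # sensors that loaded the update

EXPECTED_FIELDS = 4   # assumed: what the Template Type in Sensor Content expects
PHASES = ["canary", "early", "general"]

def validate_content(update: ContentUpdate) -> bool:
    """Constructed Content Validator check: the field count must match the
    Template Type and no field may be empty."""
    return len(update.fields) == EXPECTED_FIELDS and all(update.fields)

def buggy_validator(update: ContentUpdate) -> bool:
    """Stands in for the PIR's validator bug: accepts anything."""
    return True

def rollout(update: ContentUpdate, fleet: List[Sensor],
            faults: Callable[[Sensor, ContentUpdate], bool],
            staged: bool = True, max_failure_rate: float = 0.01) -> RolloutResult:
    """Deploy ring by ring (or to everyone at once when staged=False).
    `faults` is the simulated load outcome per sensor. After each phase the
    failure rate is measured; above the threshold the rollout halts and every
    sensor that received the update is rolled back to its previous content."""
    result = RolloutResult()
    previous: Dict[str, str] = {}
    for phase in (PHASES if staged else ["all"]):
        cohort = [s for s in fleet if phase == "all" or s.ring == phase]
        failures = 0
        for s in cohort:
            previous[s.sensor_id] = s.content
            s.content = update.channel_file
            if faults(s, update):
                s.healthy = False
                failures += 1
        result.exposed += len(cohort)
        rate = failures / len(cohort) if cohort else 0.0
        if rate > max_failure_rate:
            result.halted_at = phase
            for s in fleet:   # roll back only sensors that got the update
                if s.sensor_id in previous:
                    s.content = previous[s.sensor_id]
                    s.healthy = True
            result.rolled_back = True
            return result
        result.phases_completed.append(phase)
    return result

def release(update, fleet, validator, faults, staged=True) -> RolloutResult:
    """Release gate: validator first, then the (staged) rollout."""
    if not validator(update):
        return RolloutResult(halted_at="validator")
    return rollout(update, fleet, faults, staged=staged)

def build_fleet(canary=10, early=90, general=900) -> List[Sensor]:
    """Constructed fleet with customer-assigned rings."""
    fleet: List[Sensor] = []
    for ring, n in (("canary", canary), ("early", early), ("general", general)):
        fleet += [Sensor(f"{ring}-{i}", ring) for i in range(n)]
    return fleet

# Constructed sample content: one well-formed file and one malformed file
# (wrong field count) that faults every sensor that loads it.
GOOD = ContentUpdate("C-GOOD", ["pipe_name", "process", "action", "severity"])
BAD = ContentUpdate("C-BAD", ["pipe_name", "process", "action"])

def bad_file_faults(sensor: Sensor, update: ContentUpdate) -> bool:
    return update.channel_file == BAD.channel_file

if __name__ == "__main__":
    for label, validator, staged in (("validator fixed", validate_content, True),
                                     ("validator bug, staged", buggy_validator, True),
                                     ("validator bug, global", buggy_validator, False)):
        r = release(BAD, build_fleet(), validator, bad_file_faults, staged)
        print(f"{label:24s} halted_at={r.halted_at} exposed={r.exposed} "
              f"rolled_back={r.rolled_back}")
```

With the validator bug simulated, the staged path exposes only the canary ring before halting, while the global path exposes the whole fleet, which is the difference the PIR's deployment changes are meant to buy.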

There are still some questions that need to be answered, and I’m sure they will come out once the full RCA is released. One of the core questions is not how the Content Validator missed the invalid file, but how that file became invalid in the first place.

As we get closer to the end of this incident, I think it’s clear that we will look back on it, and the way it was handled by CrowdStrike, as an example of what good can look like in the face of adversity. They’ve been transparent, they’ve quickly implemented the immediate fix and identified the long-term solution to prevent it from happening again, and they actively engaged with customers and partners to recover. There are valuable lessons to learn and implement across the industry.

The post Crowdstrike preliminary report as sourced from Richard Ford appeared first on Cybersecurity Insiders.


July 30, 2024 at 07:42PM

Monday, July 29, 2024

X allows users to turn off GROK AI Training due to data concerns

X, the social media platform formerly known as Twitter, is introducing a new feature that allows users to opt out of its AI training program involving Grok. Grok is an AI assistant developed by xAI, a company owned by Elon Musk, which learns from user posts and interactions.

Previously, users were automatically included in this training program, meaning their posts and interactions were used to help Grok improve its responses. However, due to growing concerns about data privacy, X has decided to make participation in this program optional.

Grok was designed to enhance its capabilities by analyzing millions of user interactions and posts. This data-driven approach helps the AI identify patterns and improve its functionality. However, users raised concerns when it became clear that their content was being used as open-source data without explicit consent.

In March 2024, privacy advocates in Europe, particularly from Ireland, voiced their objections to the use of social media data for training Generative AI models. The Irish Data Protection Commission intervened, noting that this practice violated GDPR regulations. The Commission threatened X with a €20 million fine, prompting the platform to introduce the opt-out feature.

To opt out, users can navigate to the “Privacy and Safety” tab, select “Data Sharing and Personalization,” choose “Grok,” and uncheck the box that permits data usage. Users also have the option to delete their chat history, ensuring that their information is removed from Grok’s training dataset.

Similar opt-out options are available on other major tech platforms like Facebook and Google, reflecting a broader trend towards respecting user consent in AI training practices. This move comes as companies aim to mitigate media scrutiny and avoid regulatory penalties related to data usage.

The post X allows users to turn off GROK AI Training due to data concerns appeared first on Cybersecurity Insiders.


July 30, 2024 at 10:47AM

Ransomware attacks are inevitable on Paris Olympics 2024

A recent study by ExtraHop reveals that ransomware attacks on the Paris 2024 Olympics are almost unavoidable. Over the past year, the IT infrastructure supporting the games has been a frequent target, with some incidents resulting in ransom payments totaling $2 million.

The scale of the event, featuring over 15,000 athletes competing in 54 sports and attracting millions of visitors, places immense pressure on the IT systems.

Cisco, the official security partner for Paris 2024 and also responsible for securing the Tokyo 2020 Games—which faced more than 450 million cyber-attacks—emphasizes the critical nature of the challenge.

Cyble, a cybersecurity firm, reported a significant rise in attacks on French Olympic websites between June and July 2024. The International Olympic Committee (IOC) identified two Russian-speaking hacking groups, “People’s Cyber Army” and “HackNet,” as responsible for these breaches.

While some attacks have been financially motivated through ransomware, others have been Distributed Denial of Service (DDoS) attacks intended to disrupt the event and cause chaos among organizers, athletes, and visitors.

Experts predict that future attacks will become increasingly sophisticated, leveraging phishing, social engineering, and advanced technologies such as Generative AI and deepfake techniques.

To combat these threats, the IOC has assembled a specialized Cyber Troop consisting of 15 military and civilian cybersecurity experts, working around the clock. This team is part of the larger 3,000-member COJOP staff dedicated to safeguarding France’s critical infrastructure.

Additional support is provided by ANSSI and other French state agencies, reinforcing the Cybersecurity Operations Center as needed. Both teams will remain active until the conclusion of the Olympics and Paralympics on September 8, 2024, after which their operations will be scaled down.

The post Ransomware attacks are inevitable on Paris Olympics 2024 appeared first on Cybersecurity Insiders.


July 29, 2024 at 08:37PM

Strategies for Mitigating the Human Element of Cyber Risk

The primary cause of the majority of data breaches today is human error. Verizon’s 2024 Data Breach Investigations Report (DBIR) found that 68% of all breaches involved a non-malicious human element in 2023. This data highlights the critical need for enterprises to mitigate the human element of cyber risk to keep digital assets safe and secure.

As cyber threats continue to grow in frequency and sophistication and the human factor remains a threat to cybersecurity, more CISOs than ever (80%) see human risk, in particular negligent employees, as a key cybersecurity concern over the next two years.

Cybercriminals are also well aware that the human element can be a gateway to infiltrating systems and accessing sensitive business information. Bad actors are targeting employees with a barrage of malware, phishing, social engineering, and password attacks designed to exploit human vulnerabilities. Research by Fortinet found that 81% of organizations faced malware, phishing, and password attacks last year which were mainly targeted at users.

There is no doubt that people are critical to the cybersecurity of enterprises. As such, organizations must integrate the human element into data security strategies to transform employees from a cybersecurity vulnerability to a cybersecurity strength. 

To mitigate the human element of cyber risk, enterprises must take a proactive, human-centric approach to cybersecurity that includes:

Investing in employee awareness training

Providing regular cybersecurity training that educates employees on common threats such as phishing, malware and social engineering and teaches cybersecurity best practices reduces the risk of human error, helping employees take proactive steps to protect sensitive company data and information. Investing in this training is also the cheapest, easiest way to boost cybersecurity, according to the National Cybersecurity Alliance.

Regular training sessions should equip employees with the tools and knowledge they need to spot and combat cyber threats. Training should address topics such as how to identify suspicious links and attachments, the necessity of creating strong passwords, the importance of adhering to security policies, and the proper procedures for promptly reporting security incidents.

To increase the effectiveness of cybersecurity training, enterprises should also make training role-specific so that it is more relevant and impactful, conduct phishing simulations to help users recognize what real-world attacks look like, and reinforce that everyone plays a critical role in keeping the organization cyber secure.

Setting and enforcing clear policies

Employees can become one of the most effective security controls in an organization when clear cybersecurity policies are established, communicated, and enforced. These policies should prohibit the use of shadow IT (the use of unsanctioned applications that are not monitored and managed by the enterprise IT department) and define acceptable use for BYOD (bring your own device).

Policies prohibiting the use of shadow IT are particularly important for employees to be aware of and understand. The danger of employee use of shadow IT such as unsecure messaging apps lies in lack of IT control. IT teams can’t control what they don’t know about which can lead to unauthorized access to an organization’s IT infrastructure. Setting and enforcing policies that prohibit the use of shadow IT means employees will avoid using apps and tools that can increase enterprise risk exposure to data breaches and compliance violations.

To combat the cyber risks introduced by BYOD, security leaders should establish and enforce BYOD policies that define acceptable use including what devices and apps are permissible. This policy should also outline the security protocols that must be followed such as creating strong passwords, enabling multi-factor authentication, avoiding public Wi-Fi, and never leaving devices unattended.

Implementing a zero trust architecture

Enterprises should also adopt zero trust, a framework that mandates identity verification and authentication for all users and devices, to help reduce the human cyber risk factor and enhance data protection, usability, and governance in the digital workplace. As part of zero trust, enterprises should implement strong identity and access management including multifactor authentication and biometric technologies such as facial recognition. By implementing a zero trust approach, organizations can minimize the risk of unauthorized access, strengthen data protection, and enhance overall security.

Building a strong security culture

Building a strong security culture is critical for mitigating the human element of cyber risk, yet many organizations are lacking in this area. According to a survey of IT and cybersecurity professionals by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA), more than one-quarter (27%) of respondents rate their organization’s cybersecurity culture as fair or poor. A weak security culture is a significant problem for organizations that can lead to the exposure of sensitive business information.

Building a strong security culture in an organization involves not only training but also fostering an environment where employees understand that security is a shared responsibility across the enterprise and where all employees understand their role in reducing cyber risk. Fostering a culture that makes employees partners in safeguarding enterprise data and information goes a long way toward minimizing the human element of cyber risk.

Providing employees with secure by design collaboration tools

When employees are provided with secure collaboration tools, they will not turn to unsecure messaging and collaboration apps that expand the cyberattack surface in organizations. Today, CISOs are increasingly concerned about the widening attack surface created by the proliferation of these tools in the enterprise. According to data from Proofpoint, 39% of CISOs view Slack/Teams/Zoom/other collaboration tools as one of the top three systems introducing risk to their organizations.

Using secure by design mobile messaging technology closes the security gaps created by employee use of unsecure communication and collaboration apps, which leave enterprises vulnerable to cyberattacks and data breaches. Mobile messaging platforms designed for the enterprise feature end-to-end encryption (E2EE), protecting data at rest and in transit and ensuring that only the sender and receiver can read messages. The E2EE built into these platforms, coupled with robust administrative controls that embed data security and compliance into business communication across every channel, reduces the attack surface and leaves no point of entry for malicious hackers intent on accessing sensitive enterprise data.

Encouraging reporting of security incidents

To be human is to make mistakes and cybersecurity errors will happen. When employees do err by clicking on a suspicious link or becoming the victim of social engineering, it is important for them to understand how to report security incidents like these. Enterprises should establish procedures and clear channels of communication for reporting potential security incidents or suspicious activities. This allows organizations to initiate the response process more quickly and raise awareness of reported incidents or suspicious activities so other employees do not fall victim to these attacks.

Wrapping up

There is no question that the human element is critical for effectively preventing cyber intrusions. To mitigate the human error behind 68% of the cyber breaches occurring today, enterprises should take a proactive, human-centric approach to cybersecurity. That approach should include investing in employee awareness training, setting and enforcing clear policies, implementing a zero trust architecture, building a strong security culture, providing employees with secure by design collaboration tools and encouraging reporting of security incidents.


The post Strategies for Mitigating the Human Element of Cyber Risk appeared first on Cybersecurity Insiders.


July 29, 2024 at 08:00PM

Sunday, July 28, 2024

Microsoft CrowdStrike Software Update leading to Phishing Attacks

A couple of weeks ago, an IT outage hit Microsoft Windows 10 and 11 servers shortly after CrowdStrike released a Falcon Sensor software update. Rather than resolving anything, the update turned into a software bug, affecting over 8.2 million PCs and servers globally.

The disruption, initially caused by the software update, has since been exploited by hackers, who are using the vulnerability to launch phishing attacks.

The Computer Emergency Response Team (CERT) of India has issued a worldwide alert, warning that CrowdStrike Threat Monitoring software users are being targeted in a phishing scam. Thousands in India and potentially millions worldwide are at risk.

CERT-India’s advisory, released last Saturday, cautions Windows 10 and 11 users to be vigilant against phishing attempts. Hackers are posing as CrowdStrike support staff through phone calls, emails, or SMS messages. Their goal is to infiltrate networks, gather intelligence, or deploy malware, exacerbating the IT crisis that began with the Microsoft outage on July 19, 2024.

CrowdStrike is grappling with a loss of trust, customer migration, and other business challenges following the incident. If customers fall victim to these phishing attacks, it could further damage the company’s reputation and financial stability, potentially leading to significant losses and a severe impact on this year’s profits.

To protect against these threats, it’s crucial to verify the identity of anyone claiming to be IT support before taking any action. Additionally, raising awareness among employees about these phishing schemes is essential to mitigate potential damage.

It’s worth noting that CERT-India’s warning coincides with media speculation about the hacking group USDoD allegedly leaking data from CrowdStrike’s servers earlier this year.

In response, John Cable, Microsoft’s VP of Program Management, has stressed the importance of end-to-end resilience. Microsoft plans to restrict kernel access for security software by focusing on alternatives like Azure Attestation Service and VBS Enclave—measures similar to those Apple implemented for macOS in 2020. Additionally, Microsoft has hired over 5,000 support engineers to help affected organizations recover from the outage, aiming to enhance its service levels by 100% by the first week of August 2024.

The post Microsoft CrowdStrike Software Update leading to Phishing Attacks appeared first on Cybersecurity Insiders.


July 29, 2024 at 10:29AM

Friday, July 26, 2024

Crowdstrike Threat Intelligence data leaked by hackers

The threat actor known as USDoD, infamous for leaking sensitive information from major databases including those of Airbus, TransUnion, and the US Environmental Agency, has resurfaced in the news. On July 25, 2024, USDoD released a portion of a dataset related to threat intelligence compiled by CrowdStrike, the Florida-based cybersecurity firm.

The leaked information was posted on a data breach forum and included a link shared with CrowdStrike’s partners and some of its clients. Following the breach, CrowdStrike confirmed the authenticity of the leaked data and stated that they would provide further details after a thorough investigation.

The released data encompasses various aspects of threat actors, such as their status, country of origin, last active dates, targeted industries, the nationalities of their victims, and any state-sponsored intelligence linked to them.

The timing of this leak is notable, coming exactly one week after CrowdStrike faced a significant IT crisis involving Windows Operating Systems worldwide, caused by a bug in their Falcon Sensors. Analysts suggest that USDoD might have released this information either to gain notoriety or to damage CrowdStrike’s reputation, which has already been impacted by the global IT outage experienced by Microsoft on July 18-19, 2024.

Typically, such Indicators of Compromise (IOCs) are used to estimate or predict the attack strategies of threat actors. USDoD has indicated that more information will be released by the end of the month but has not made any demands, suggesting that this initial leak may simply be a precursor to further revelations.

The post Crowdstrike Threat Intelligence data leaked by hackers appeared first on Cybersecurity Insiders.


July 26, 2024 at 08:44PM

Harnessing Defensive AI: Safeguarding the Digital Realm

In an increasingly interconnected world where digital threats loom large, the integration of Defensive Artificial Intelligence (AI) emerges as a critical bulwark against cyberattacks. From sophisticated ransomware assaults on critical infrastructure to relentless phishing schemes targeting sensitive data, the need for proactive defense mechanisms has never been more apparent. Defensive AI, with its ability to preempt, detect, and respond to threats autonomously, stands poised at the vanguard of cybersecurity, offering multifaceted benefits to organizations and individuals alike.

1. Proactive Threat Detection and Mitigation

Defensive AI operates on the principle of proactive threat detection, constantly scanning and analyzing vast volumes of data to identify anomalous patterns or suspicious activities. Unlike traditional cybersecurity measures that rely heavily on reactive responses, Defensive AI anticipates potential threats before they materialize, thereby significantly reducing the window of vulnerability. By leveraging advanced algorithms and machine learning techniques, AI can detect even subtle deviations from normal behavior, enabling swift intervention to mitigate risks and thwart potential breaches.

2. Real-Time Response Capabilities

In the fast-paced realm of cyber warfare, timeliness is paramount. Defensive AI excels in its capacity for real-time response, enabling rapid decision-making and execution of countermeasures in the face of evolving threats. Through continuous monitoring and analysis, AI systems can autonomously isolate compromised systems, contain malicious activities, and initiate remedial actions without human intervention. This capability not only minimizes the impact of attacks but also enhances overall operational resilience by maintaining critical services uninterrupted.

3. Enhanced Accuracy and Scalability

Human error and fatigue remain persistent challenges in cybersecurity operations. Defensive AI addresses these limitations by offering unparalleled accuracy and scalability in threat management. By learning from historical data and adapting to emerging threats, AI algorithms refine their detection capabilities over time, achieving levels of precision that surpass human capabilities. Moreover, AI-driven defenses are inherently scalable, capable of safeguarding diverse digital ecosystems—from small enterprises to global networks—with equal efficacy, thereby ensuring comprehensive protection across varying scales and complexities.

4. Cost-Efficiency and Resource Optimization

Beyond its efficacy in threat mitigation, Defensive AI offers significant cost-efficiency benefits by optimizing resource allocation and operational expenditure. Automated threat detection and response mechanisms reduce reliance on labor-intensive security protocols, freeing human resources for strategic initiatives and higher-value tasks. Moreover, by minimizing the likelihood and impact of cybersecurity incidents, AI-driven defenses mitigate potential financial losses, regulatory penalties, and reputational damage associated with breaches, thereby safeguarding long-term business continuity and sustainability.

5. Adaptability to Evolving Threat Landscapes

The landscape of cybersecurity is characterized by constant evolution, with threat actors perpetually innovating their tactics and techniques. Defensive AI, with its adaptive learning capabilities, remains agile in the face of emerging threats, continuously updating its knowledge base and response protocols to stay ahead of adversaries. This adaptability enables organizations to maintain a proactive stance against dynamic cyber threats, effectively future-proofing their defenses and ensuring resilience in an ever-changing digital environment.

Conclusion

As cyber threats grow in sophistication and frequency, the imperative for robust defensive measures becomes increasingly evident. Defensive AI represents a transformative paradigm in cybersecurity, empowering organizations to preemptively detect, swiftly respond to, and effectively mitigate a broad spectrum of cyber threats. By harnessing the capabilities of AI-driven defenses, businesses can fortify their digital perimeters, safeguard critical assets, and uphold trust in an interconnected world. As technology continues to evolve, the integration of Defensive AI promises to redefine cybersecurity paradigms, offering a proactive defense strategy that is as dynamic and resilient as the threats it confronts.

The post Harnessing Defensive AI: Safeguarding the Digital Realm appeared first on Cybersecurity Insiders.


July 26, 2024 at 11:28AM

NHS Ransomware Attack leads to extreme blood shortage

On June 3rd of this year, Synnovis, a provider of technology and pathology services, fell victim to a ransomware attack, causing significant disruptions to IT systems within Britain’s National Health Service (NHS).

The British healthcare organization has issued a public warning that the malware incident has now led to a severe shortage of blood supplies. Despite having adequate stocks earlier this month, blood repositories are now experiencing a steady decline.

In response to the crisis, the NHS is urgently calling for blood donors to come forward, emphasizing the critical role their contributions play in saving lives.

Jo Farrar, Chief Executive of NHS Blood and Transplant, stated, “The NHS Blood Repository is currently facing a shortage of O Group blood. This group is essential because it can be transfused to patients with A and B positive and negative blood types. If the situation does not improve in the coming week, we could face an unprecedented blood shortage that might endanger patients’ lives.”

Typically, blood donors in the UK are proactive and do not require reminders. However, the combination of summer holidays and increased dehydration has led to a notable decrease in donations.

As a result, doctors and nurses are encountering difficult situations, unable to accurately predict blood stock levels. This has led to the postponement of treatments and transfusions or the redirection of patients to other healthcare facilities.

This incident highlights a disturbing trend where cybercriminals targeting hospital networks are now contributing to life-threatening shortages, demonstrating the far-reaching consequences of their actions.

The post NHS Ransomware Attack leads to extreme blood shortage appeared first on Cybersecurity Insiders.


July 26, 2024 at 11:25AM

Thursday, July 25, 2024

Ransomware shift from Cyber Espionage for North Korea

APT45, a cyber threat group associated with North Korea’s Reconnaissance General Bureau and known by aliases such as Stonefly, Silent Chollima, Nickel Hyatt, Andariel, and Onyx Sleet, has recently shifted its focus from cyber espionage to spreading ransomware. The group has been observed targeting organizations in South Korea, Japan, and the United States.

Security researchers from Google’s Mandiant have analyzed the group’s activities and found them deploying Shattered Glass Ransomware. This ransomware variant was last detected between June 2021 and June 2022 by Kaspersky.

Previously, APT45 had concentrated on stealing healthcare and crop science information from research and development institutions linked to various governments worldwide.

North Korea, under Kim Jong Un’s leadership, has historically conducted cyber attacks targeting cryptocurrency companies to steal digital assets and gather intelligence for resale to interested parties. The recent shift towards ransomware may be motivated by the potential for substantial financial gains to fund North Korea’s nuclear ambitions.

The discovery of APT45’s new tactics coincided with KnowBe4’s revelation that it had been targeted by a North Korean cyber crime group. The group attempted to infiltrate KnowBe4’s development network by planting a fake employee with a fabricated identity. KnowBe4’s robust administrative and security measures prevented the infiltration before any intelligence could be extracted from their servers or malware could be deployed on their network.

Remember, paying a ransom does not guarantee a decryption key, and it raises the risk further: criminals often attack the same network repeatedly within a year by exploiting the same vulnerability. It also signals to threat actors that their malicious motives will be rewarded.

The post Ransomware shift from Cyber Espionage for North Korea appeared first on Cybersecurity Insiders.


July 25, 2024 at 08:27PM

Akira Ransomware Gang targets Split Airport of Croatia

It’s deeply concerning to hear about the ransomware attack on Split Airport, affecting its operations and causing significant disruptions to flights and passenger services. Ransomware attacks targeting critical infrastructure such as transit systems can have severe consequences, not just for the organizations involved but also for public safety and trust.

The response of the Split Saint Jerome Airport staff in resorting to manual operations shows their dedication to mitigating the impact and ensuring some level of service continuity despite the cyberattack. It’s commendable that the IT staff worked tirelessly to restore a significant portion of digital operations by Tuesday evening, although the situation remains challenging as the official website is still unreachable.

The stance of the airport’s leadership in refusing to negotiate or pay the ransom demands is consistent with the advice often given by cybersecurity experts and law enforcement agencies. Paying ransom can encourage further attacks and fund criminal activities, making it a risky proposition even when faced with severe operational disruptions.

The mention of the Akira Ransomware group, which has been active for over a year and has affected numerous organizations worldwide, underscores the growing threat posed by such cybercriminal groups. The FBI advisory warning about Akira’s activities highlights the need for heightened vigilance and robust cybersecurity measures across public and private sectors.

In situations like these, collaboration between affected organizations, law enforcement, and cybersecurity experts is crucial to mitigate the immediate impact, investigate the incident thoroughly, and strengthen defenses to prevent future attacks. It’s essential for organizations to continuously update their cybersecurity protocols and train staff to recognize and respond effectively to potential threats.

As the situation develops, it will be important to monitor how Split Airport and other affected entities recover and bolster their cybersecurity resilience to prevent similar incidents in the future.

The post Akira Ransomware Gang targets Split Airport of Croatia appeared first on Cybersecurity Insiders.


July 25, 2024 at 03:20PM

Wednesday, July 24, 2024

KnowBe4 targeted by North Korea with Insider Threat

In recent years, cybersecurity threats have often involved hackers stealing identities through various digital channels to gather sensitive information. However, a recent incident within the administrative environment of cybersecurity firm KnowBe4 has highlighted concerns about insider threats.

According to a blog post by KnowBe4, the incident unfolded when the company advertised a software engineer position for an AI development project and received applications from candidates worldwide. One applicant from the United States stood out to recruiters and was hired after successfully passing multiple interviews, including two video conferences.

Initially, everything appeared routine as the new employee was onboarded and provided with a Mac workstation via mail. However, the situation took a troubling turn when the company’s Endpoint Detection and Response (EDR) software flagged malicious activities on the device and network. These activities included unauthorized downloads of malware, transferring sensitive files to remote servers, and running espionage-related software.

Efforts to contact the employee were unsuccessful, prompting the Security Operations Center to isolate the device and launch an investigation. It was later revealed that the supposed IT worker was not genuine and had been manipulated to act on behalf of entities in North Korea. The objective was to infiltrate KnowBe4’s corporate environment, gain access to servers, and potentially deploy ransomware to extort funds. Additionally, funds were intended to support North Korea’s nuclear ambitions through an e-wallet linked to the regime.

Further investigation uncovered that the device sent to the fake employee had been redirected to a clandestine location, connecting to North Korean networks via a VPN.

In response to this incident, KnowBe4 has shared several tips to help organizations detect fraudulent IT worker scams:

a.) Conduct thorough background checks as soon as candidates submit their resumes, particularly for remote IT roles.

b.) Verify recommendations independently rather than relying solely on email correspondence, which can be falsified.

c.) Conduct video interviews for all stages of the hiring process to ensure the authenticity of the applicant.

d.) Monitor and restrict access to sensitive information and systems during the initial months of employment or project initiation.

e.) Implement robust access control and authentication measures for all new hires, especially during probation periods.

f.) Maintain close oversight of employee activities, particularly during training periods, and restrict access to critical IT infrastructure accordingly.

This incident serves as a stark reminder of the importance of vigilance and stringent security measures in protecting against insider threats and cyber espionage activities.

The post KnowBe4 targeted by North Korea with Insider Threat appeared first on Cybersecurity Insiders.


July 24, 2024 at 08:36PM

Ransomware attack shuts down Superior Court of Los Angeles County

A ransomware attack has crippled operations at the Superior Court of Los Angeles County, shutting down court services since last Friday morning. The incident affected all 36 courthouse locations across the county, prompting ongoing efforts to recover compromised systems.

Initially, it was anticipated that court services would resume by Tuesday afternoon. However, technical challenges, exacerbated by issues with a faulty CrowdStrike software update on Windows 10 and 11 devices, delayed the restoration of IT infrastructure. Security experts involved in the recovery efforts indicated that the recovery of applications and data could have been achieved within hours post-attack, if not for the IT system meltdown.

It’s crucial to note that effective data recovery and business continuity tools rely heavily on robust software support from operating systems like Windows. When such support falters, the process of restoring applications and data can become prolonged, potentially spanning weeks or even months.

A spokesperson from the Los Angeles Superior Court assured the public that, as of now, there have been no signs of data compromise. However, the court remains vigilant and prepared to mitigate any consequences related to potential information breaches affecting over 10 million county residents.

The identity of the ransomware group responsible for the attack remains undisclosed. Initial investigations suggest the group may be affiliated with a Russian-speaking community, although conclusive evidence linking them to the incident has yet to be established by court IT staff.

It is currently unknown whether the IT assets of the county are covered by a cyber insurance policy. If such coverage exists, the insurance provider would typically reimburse costs associated with downtime, expenses for technical expertise required to recover lost information, and any subsequent expenses. The extent of reimbursement would depend on the specifics of the insurance policy, including the premium paid and the coverage it provides.

Cyber insurance policies vary widely in terms of what they cover and the conditions under which they pay out. Factors such as the scope of coverage, deductible amounts, and any exclusions specified in the policy would all influence the extent to which the county could recoup financial losses stemming from the ransomware attack.

The post Ransomware attack shuts down Superior Court of Los Angeles County appeared first on Cybersecurity Insiders.


July 24, 2024 at 11:13AM

Tuesday, July 23, 2024

Play Ransomware targets VMware ESXi Servers

In June of this year, the SE#i Ransomware group, now rebranded as APT Inc, targeted VMware ESXi server environments, employing double extortion tactics to extort money from victims.

Following this trend, the Play Ransomware group has also adopted similar strategies, focusing primarily on companies operating within the United States.

According to cybersecurity firm Trend Micro, which disclosed these findings in a recent blog post, the Play Ransomware group has been adept at infiltrating ESXi environments while evading detection by security measures such as those provided by VirusTotal. This evasion is facilitated through collaboration with a threat actor known as Prolific Puma, which provides tools for automating domain registration and offers link shortening services to other malicious actors.

Originating in June 2022, the Play ransomware has since targeted over 300 organizations worldwide, including those in Australia, Canada, Germany, the UK, the Netherlands, and the United States. Their victims span across medical institutions, financial services such as banks, as well as the manufacturing and real estate sectors, in addition to healthcare providers. Currently, their focus has shifted towards infiltrating VMware environments to encrypt virtual machines and restrict access to critical applications.

Defending against such attacks is crucial for proactively safeguarding IT environments from malware infections. Effective measures include deploying threat monitoring solutions, implementing robust backup mechanisms that can automatically restore operations in the event of a malware incident, and refraining from paying ransoms, as this only serves to incentivize further criminal activity.

The post Play Ransomware targets VMware ESXi Servers appeared first on Cybersecurity Insiders.


July 23, 2024 at 08:35PM

How To Manage Alert Overload and Build the Skills of Your Security Team

The security operations center faces significant challenges in the form of data overload and the resulting increases in ingestion costs. But companies looking to sufficiently protect their systems also face heavy pressure inside their own four walls.

To overcome this challenge, they must manage and alleviate internal pressure that pops up from things like alert overload, skill shortages, analyst retention and growth, and an overall lack of time and resources. It won’t be easy, but as we’ve worked to understand how those pressures manifest within our own client base, we’ve developed approaches that any operation can take to reduce the burden and point their resources in the right direction.

Optimizing alerts and reducing false positives

The increases in data ingestion call for solutions to the challenges caused by a growing volume of alerts pinging at security personnel. It’s vital that companies strike the right balance to manage alert overload without compromising detection. Endpoint detection and response (EDR), for one, is proving to be a critical piece of the equation—our analysis shows that EDR is highly effective and generates lower data volumes and a higher percentage of “true positives” than other detection methods. But for all its upside, EDR is not comprehensive.

To fully and accurately discern false positives from true positives, companies need to take a broad approach that captures malicious activity not only at the target level, but as it enters the environment. Adding additional detection capabilities and employing data standardization can help us quiet some of the alert noise. Holistic Security Operations, hyperautomation and enrichment take things a step further still, helping contextualize alerts with greater detail so that they can be prioritized based on risk, exposure, and the potential business and operational impact.

Time considerations

Companies increasingly face internal pressure from an overall lack of time and resources. So, it’s crucial that they take measures to save time where possible—and where it won’t compromise security. That can include:

  • Number of alerts: Finding ways to cut down on the total number of alerts hitting the security operations center is a sure-fire way to get time back. It’s not easy to do it right. As discussed, reducing alert overload requires not only strong endpoint detection but a combination of additional strategies.
  • Enrichment, validation, and triage: Companies can accelerate enrichment, validation, triage, and impact assessment by implementing hyperautomation and establishing data standards. That will enable expedited enrichment searches and enrichment from non-standard open-search intelligence or external searches, and will facilitate the use of complex playbooks for validation and triage.
  • Collecting context: It’s difficult to enhance security without a complete view of how threat actors are seeking to penetrate defenses. So, companies must take care to collect context and historical data points that not only further reduce alert load, but also help teams train and advance analysts.

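A worked example of the standardization, enrichment and risk-based prioritization described above, added here as illustration; it is not code from the original article or from any product it mentions. It normalizes constructed events from two hypothetical tools (an EDR and a firewall) into one schema, collapses repeats, enriches with a constructed asset inventory and threat-intel list, and orders the queue by a score that weights tool severity by business impact and exposure. All hosts, rules, addresses and weights are assumptions.

```python
"""SOC alert pipeline: normalize, deduplicate, enrich, prioritize by risk.

Added illustration; every tool shape, host, address and weight is constructed.
"""
import json
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Alert:
    """Common schema every tool's native event is mapped onto, so enrichment
    and scoring never need to know which product fired."""
    source: str
    host: str
    rule: str
    remote_ip: str
    severity: int   # 1..5 as reported by the tool
    count: int = 1  # raw events collapsed into this alert


FW_PRIORITY = {"low": 1, "medium": 3, "high": 5}  # firewall wording -> 1..5


def normalize(source: str, raw: str) -> Alert:
    """Map one raw JSON event from a named source onto the common schema.
    The two source formats are hypothetical stand-ins for real tools."""
    ev = json.loads(raw)
    if source == "edr":
        return Alert(source, ev["hostname"], ev["detection"], ev["dst_ip"], int(ev["severity"]))
    if source == "firewall":
        if ev["priority"] not in FW_PRIORITY:
            raise ValueError(f"firewall: unknown priority {ev['priority']!r}")
        return Alert(source, ev["device"], ev["signature"], ev["src_ip"], FW_PRIORITY[ev["priority"]])
    raise ValueError(f"unknown source {source!r}")


def dedupe(alerts):
    """Collapse repeats of the same (host, rule, remote IP) so a chatty sensor
    cannot flood the queue; the repeat count is kept as analyst context."""
    merged = OrderedDict()
    for a in alerts:
        key = (a.host, a.rule, a.remote_ip)
        if key in merged:
            merged[key].count += a.count
        else:
            merged[key] = Alert(**vars(a))  # copy so the input list is untouched
    return list(merged.values())


# Constructed enrichment sources: asset inventory and threat-intel list.
ASSETS = {  # host -> (business criticality 1..5, internet-facing)
    "pay-db-01": (5, False),
    "web-01": (3, True),
    "dev-laptop-7": (1, False),
}
KNOWN_BAD_IPS = {"203.0.113.50"}  # TEST-NET-3 documentation address


def score(a: Alert) -> int:
    """Weight tool severity by business impact and exposure, so the queue is
    ordered by risk rather than by which tool shouts loudest."""
    criticality, exposed = ASSETS.get(a.host, (0, False))  # unknown host: lowest weight
    s = a.severity * (1 + criticality)
    if exposed:
        s += 5
    if a.remote_ip in KNOWN_BAD_IPS:
        s += 3
    if a.count > 1:
        s += 2
    return s


def prioritize(alerts):
    """Deduplicate, then sort by descending risk score (stable for ties)."""
    return sorted(dedupe(alerts), key=score, reverse=True)


# Constructed inputs: one EDR hit on the payment database, three identical
# firewall hits on the web tier, and one loud EDR hit on a developer laptop.
SAMPLE_EVENTS = [
    ("edr", '{"hostname":"pay-db-01","detection":"credential-dumping","severity":4,"dst_ip":"198.51.100.9"}'),
    ("firewall", '{"device":"web-01","signature":"port-scan","priority":"medium","src_ip":"203.0.113.50"}'),
    ("firewall", '{"device":"web-01","signature":"port-scan","priority":"medium","src_ip":"203.0.113.50"}'),
    ("firewall", '{"device":"web-01","signature":"port-scan","priority":"medium","src_ip":"203.0.113.50"}'),
    ("edr", '{"hostname":"dev-laptop-7","detection":"suspicious-powershell","severity":5,"dst_ip":"192.0.2.10"}'),
]


def build_queue():
    """Run the whole pipeline over the sample events and return the ordered queue."""
    return prioritize([normalize(src, raw) for src, raw in SAMPLE_EVENTS])


if __name__ == "__main__":
    for a in build_queue():
        print(f"score={score(a):2d} x{a.count} {a.host:<12} {a.rule} from {a.remote_ip}")
```

Run as a script, the queue puts the severity-4 credential-dumping alert on the payment database first, the three collapsed firewall events on the exposed web server second, and the tool's loudest alert (severity 5 on a low-value laptop) last; the point is that the sort key is risk to the business, and the repeat count and enrichment travel with the alert so the analyst does not have to rebuild that context by hand.
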
Effective response and remediation

It’s important to ensure analysts are well-trained and up-to-speed on the latest risk information, because they play a key role in helping companies more efficiently move through threats and clear the alert queue. Analysts decipher true positives from false positives and escalate cases as necessary.

Those analysts need all the available information and context at their fingertips to do their job effectively. Reducing the time it takes to investigate, respond, or take action will ultimately alleviate internal pressure on analysts, improving operational efficiency.

Yet these are not simple, one-time exercises. Regaining time is an ongoing process that takes a long-term commitment. Companies should aim to find the right dual-focus on high-quality analysis and effective, efficient response—and then to regularly review their programs and capabilities to find new ways to improve and save cost.

Toward truly effective responses

For many companies, the greatest challenge today is overcoming the status quo. It’s easiest to keep putting band-aids on deeper problems, but the successful security teams will be the ones that rethink their strategies from the ground up. The long-term solutions will meld hyperautomation, standardizing and decentralizing data locations, and trained unified AI guides. Those measures will alleviate stress on over-tasked security analysts and allow security teams to more efficiently investigate issues and elevate the ones that present the most risk.

If insanity is doing the same thing over and over again and expecting a different result, companies that continue to wish away alert overload, skill shortages, and a lack of resources are headed for the asylum. It’s time security operations evolve to meet the current demands of the market.

The post How To Manage Alert Overload and Build the Skills of Your Security Team appeared first on Cybersecurity Insiders.


July 23, 2024 at 07:12PM

Standalone Service Mesh Solution or Lightweight Option: Which is Right for You?

Service mesh is a tool for adding observability, security, and traffic management capabilities at the application layer. A service mesh is intended to help developers and site reliability engineers (SREs) with service-to-service communication within Kubernetes clusters. The challenges involved in deploying and managing microservices led to the creation of the service mesh, but service mesh solutions themselves introduce complexities and challenges.

Here, we’ll explore use cases, challenges, and how to decide if a service mesh is right for you.

Use Cases Driving Adoption 

There are four main use cases driving interest from DevOps teams and platform and service owners in service mesh adoption: data-in-transit encryption, service-level observability, service-level control, and secure cross-cluster connectivity.

  • Data-in-transit encryption – Security for data in transit within a cluster. Often this is driven by industry-specific regulatory concerns, such as PCI compliance or HIPAA. Or, it may be driven by internal data security requirements. When the security of internet-facing applications is at the core of an organization’s brand and reputation, security becomes a top priority.
  • Service-level observability – Visibility into how workloads and services are communicating at the application layer. Kubernetes is a multi-tenant environment. As more workloads and services are deployed, it becomes harder to understand how everything is working together, especially if an organization is embracing a microservices-based architecture. Service teams want to understand their upstream and downstream dependencies.
  • Service-level control – Controlling which services can talk to one another. This includes the ability to implement best practices around a zero-trust model.
  • Secure cross-cluster connectivity – As services become shared and centralized in multi-cluster environments, securing and authorizing communication between clusters is another requirement for platform operators.

These are the main drivers for service mesh adoption, but the operational complexity involved in achieving robust security, encryption, service-level observability, and service-level control through the use of a service mesh can be a deterrent to adoption. 

Challenges of Service Mesh 

Complexity and performance are the two main challenges posed by service mesh. 

  • Additional control plane: Service mesh is difficult to set up and manage, and requires a specialized skill set. Using a service mesh introduces an additional control plane for security teams to manage, which causes increased deployment complexity and significant operational overhead. 
  • Specialized skills: While there are many service meshes available, there’s no one-size-fits-all solution to address the needs of different organizations. With that, it’s likely that security teams will spend time figuring out which service mesh will work for their applications. Use of a service mesh requires domain knowledge and specialized skills around whichever service mesh the user chooses. That adds another layer of complexity in addition to the work the team is already doing with Kubernetes. 
  • Performance issues: Because service mesh introduces latency, it can also create performance issues.

Platform owners, DevOps teams, and SREs have limited resources, so adopting a service mesh is a significant undertaking due to the resources required for configuration and operation. So, who needs a standalone service mesh?

Do I Need a Service Mesh?

If security and observability are your primary drivers, a lightweight approach versus a separate, standalone service mesh will likely suffice. With a lightweight service mesh, you can easily achieve full-stack observability and security, deploy highly performant encryption, and tightly integrate with existing security infrastructure like firewalls.

Lightweight Approach to Service Mesh

When looking for a lightweight service mesh, it’s important to consider the following:

  • Security: Look for a solution that offers encryption for data in transit that leverages the latest in crypto technology. This will ensure that encryption is highly performant while still allowing visibility into all traffic flows.
  • Observability: The solution should offer visibility into service-to-service communication in a way that is resource efficient and cost effective. It should provide Kubernetes-native visualizations of all the data it collects so you can visualize communication flows across services and team spaces, to facilitate troubleshooting. This is beneficial to platform operators, service owners, and development teams.
  • Implementing controls: Your chosen solution should provide capabilities for implementing controls for the full stack, from the network layer up through the application layer. This will ensure that you get the application-layer controls you would get with a service mesh, but are able to combine those with controls you might want to implement at the network or transport layer.

    One specific capability to look for is egress access control. This capability makes it easy to integrate with firewalls or other kinds of controls where you might want to understand the origin of egress traffic, and implement certain controls around that. If you’re working with a SIEM or other log management system or monitoring tool, it’s really helpful to be able to identify the origin of egress traffic, to the point where you have visibility into the specific application or namespace from which egress traffic seen outside the cluster came.
  • Cluster mesh and federation: Look for a solution that provides a cluster mesh that can be used to federate the identity of endpoints and services across clusters, allowing teams to define policies that explicitly authorize and secure the cross-cluster communication that is required as more shared services and APIs become centralized. This allows platform owners to realize all of the benefits of a multi-cluster environment without incurring the overhead of operating a service mesh in each cluster.

Deciding What’s Right for You 

While standalone service meshes are right for some use cases, if security and observability are your organization’s main goals, a bespoke solution probably isn’t necessary. Other solutions can provide granular observability and security – not just at the application layer, but across the full stack – while avoiding the operational complexities and overhead often associated with deploying a service mesh.

Looking for a lightweight service mesh? Try Calico Cluster Mesh for secure microservices communication.


The post Standalone Service Mesh Solution or Lightweight Option: Which is Right for You? appeared first on Cybersecurity Insiders.


July 23, 2024 at 06:54PM

Monday, July 22, 2024

Major Cyber Threats lurking at Paris Olympic Games 2024

The 2024 Paris Olympic Games, set to begin later this week and extend through mid-August, are anticipated to face significant cybersecurity risks according to experts. Here are the primary concerns:

1. State-sponsored Hacking: French intelligence agency ANSSI has issued warnings that state-funded actors, particularly from Russia, may target the digital infrastructure of the games. This comes in response to Russia’s ban from participation due to doping and geopolitical tensions. Hackers may aim to disrupt the event and attract global media attention through various cyber attacks including data breaches, DDoS attacks, and other forms of fraud. Groups like the People’s Cyber Army have already expressed intent by targeting French websites.

2. Fraudulent Mobile Applications: Organizers have developed mobile apps to aid visitors, volunteers, and athletes with navigation, accommodations, and transactions. However, security experts caution that malicious apps disguised as legitimate ones have surfaced on app stores. These fake apps aim to steal personal data and financial information.

3. Dark Web Data Sales: Recent incidents, such as data sets being sold on the dark web, highlight the risk of sensitive information being compromised. Credentials and personal data can be sold for profit, posing a threat before and during the games.

4. Email and SMS Phishing: Cybercriminals are increasingly using phishing scams to extract valuable information from volunteers, organizers, and visitors. Users are advised to avoid clicking on suspicious links that could lead to malicious websites designed to collect personal data.

5. Ticket Sale Frauds: Experts advise against disclosing personal information when purchasing tickets or using transit services related to the Olympics. Unauthorized access to personal information like dates of birth, social security numbers, and bank details can lead to identity theft and other fraudulent activities.

To mitigate these risks, it is recommended to download tickets exclusively from official platforms and use only verified apps like the official Olympic Games Paris 2024 mobile app. Additionally, monitoring bank statements regularly for unauthorized transactions is advised to detect and mitigate potential fraud promptly.

The post Major Cyber Threats lurking at Paris Olympic Games 2024 appeared first on Cybersecurity Insiders.


July 23, 2024 at 11:08AM

Indian PM Narender Modi asks to Log Off of each Microsoft Windows Sessions

Indian Prime Minister Narendra Modi has offered a valuable tip to enhance cybersecurity for home PCs and laptops: consistently logging out of Microsoft Windows sessions. This advice applies universally across Windows 10 and Windows 11 operating systems.

Highlighting this cybersecurity principle, Prime Minister Modi emphasized its critical application in both private and public sectors. He suggested assigning responsibility for logging out at the end of each day in IT environments.

From a technical standpoint, regularly logging out clears session caches accumulated since initial login, reducing network interception opportunities. This measure mitigates risks such as malware interception upon visiting malicious websites, which can exploit vulnerabilities through open browsers.

By logging out, all active programs are closed, effectively severing remote desktop connections and bolstering security by safeguarding files, apps, and settings from unauthorized access.

Additionally, covering laptop cameras and microphones is recommended to prevent potential eavesdropping and unauthorized video or audio capture, a practice endorsed by figures like Facebook’s Mark Zuckerberg, reportedly influenced by advice from Windows OS founder Bill Gates.

These proactive steps advocated by Prime Minister Modi and supported by industry leaders contribute to bolstering cybersecurity hygiene and protecting sensitive information from unauthorized access.

The post Indian PM Narender Modi asks to Log Off of each Microsoft Windows Sessions appeared first on Cybersecurity Insiders.


July 22, 2024 at 08:35PM

How to Negotiate Ransomware Attacks: A Strategic Guide

In an increasingly digital world, ransomware attacks have become a prevalent threat to businesses and individuals alike. These malicious attacks involve cyber-criminals encrypting data or locking users out of their systems, demanding payment (often in cryptocurrency) to restore access. While prevention and robust cybersecurity measures are crucial, knowing how to negotiate in the unfortunate event of a ransomware attack can also be essential.

Here’s a strategic guide on navigating through such a crisis:

1. Assess the Situation: Upon discovering a ransomware attack, gather all relevant information promptly:

•    Identify the Type of Attack: Determine whether it’s a data encryption or system lock-down attack.
•    Scope of Impact: Assess which systems and data are affected to gauge the severity of the attack.
•    Communicate Internally: Notify key stakeholders such as IT personnel, legal advisors, and senior management to form a response team.

2. Understand the Demands
•    Engage with the Attacker: Establish communication through the provided channels (usually email or a dark web portal).
•    Clarify Demands: Understand the ransom amount, payment method (typically cryptocurrency), and any deadlines imposed.
•    Verify Legitimacy: Be cautious of negotiating with attackers and consider seeking advice from cybersecurity experts or law enforcement.

3. Prepare for Negotiation
•    Determine Negotiation Strategy: Assess the feasibility and risks of paying the ransom versus other recovery options.
•    Set Limits: Decide on a maximum amount you are willing to negotiate and communicate this clearly during discussions.
•    Maintain Communication: Keep channels open with the attacker to negotiate terms and potentially reduce the ransom amount.

4. Document Everything
•    Record Communications: Document all interactions with the attacker, including negotiations, demands, and any promises made.
•    Legal Counsel: Involve legal advisors to ensure compliance with regulations and mitigate legal risks associated with negotiating with cyber-criminals.

5. Payment and Recovery
•    Payment Procedure: Follow recommended guidelines for securely transferring cryptocurrency if the decision to pay is made.
•    Verify Restoration: After payment, verify that the attacker provides decryption keys or access as promised.
•    Recovery Plan: Implement a comprehensive recovery plan to restore affected systems and data, including updating security measures to prevent future attacks.

6. Post-Attack Analysis and Prevention
•    Incident Review: Conduct a thorough post-attack analysis to understand vulnerabilities exploited and improve cybersecurity defenses.
    Educate and Train: Provide ongoing cybersecurity education and training to staff to recognize and respond effectively to ransomware threats.
•    Backup Strategy: Maintain regular backups of critical data and systems to minimize the impact of potential future attacks.

Conclusion

While negotiating with ransomware attackers is complex and risky, it can sometimes be a necessary step to regain access to vital systems and data. Organizations should prioritize prevention through robust cybersecurity measures and readiness plans. However, in the event of an attack, following a strategic negotiation process can help mitigate damage and facilitate recovery.

By staying informed, preparing adequately, and seeking professional guidance when needed, businesses can navigate ransomware attacks with greater resilience and minimize the impact on their operations.

The post How to Negotiate Ransomware Attacks: A Strategic Guide appeared first on Cybersecurity Insiders.


July 22, 2024 at 11:29AM

Microsoft 2024 Windows IT meltdown impacts about 8.5 million devices

The recent update to CrowdStrike Falcon sensor software has caused widespread issues, leading to the infamous BSOD “blue screen of death” on over 8.2 million Windows OS devices globally. Despite initial fears of a cyber attack, experts indicate this incident could mark one of the worst in history, echoing concerns akin to the Y2K bug in 2038.

While Microsoft works to gradually restore affected IT infrastructures, former U.S. President Joe Biden and industry leaders like Satya Nadella of Microsoft have expressed concern and commitment to preventing such disruptions in the future. Nadella assured users that rigorous safeguards are being implemented to prevent recurrence of similar incidents.

Security advisors urge CIOs and CTOs to prepare for future threats by fortifying defenses and implementing robust data backup strategies. They also advocate for governments to foster competition in the OS market to mitigate risks associated with centralized systems.

Additionally, governments across the world should ask their operating system developers to bring in low-cost software as a competitor. Otherwise, it will become extremely difficult for data-intensive companies, as they are putting all their eggs in one basket. This centralized business approach can spell doomsday for the entire digital world.

Though the outage was not caused by any kind of cyber attack, state-funded threat actors can easily gain the upper hand once they steal the credentials of a corporate network, compromise that network, and then gather intelligence from it.

Microsoft says that the affected systems will be restored gradually, in phases, and is asking users to update their IT networks with the latest fix as quickly as possible.

The post Microsoft 2024 Windows IT meltdown impacts about 8.5 million devices appeared first on Cybersecurity Insiders.


July 22, 2024 at 11:19AM

Saturday, July 20, 2024

AI for Identity Security: 5 Ways AI Augments SecOps and IAM Teams Today

Identity security has become increasingly complex, presenting a formidable challenge for CISOs, security operations (SecOps), and identity and access management (IAM) teams worldwide. It’s not surprising then that a staggering 80% of today’s cyber attacks begin with compromised identities, making them everyone’s business as the most critical attack vector to protect. 

Unfortunately, many organizations are struggling to effectively get ahead and stay ahead of malicious attackers and compliance demands. Many times, awareness of an attack comes too late. Even when teams know they’re under attack, response times are too slow, and teams can’t get to the root of the problem fast enough or understand the potential areas of impact.  

The Identity Security Complexity Challenge 

Complexity makes it nearly impossible to detect and respond to identity threats effectively. Getting to the source of the breach and mapping the blast radius across a complex identity fabric takes too long, leaving organizations more vulnerable than ever.  

What makes it so hard? The answer centers around complexity caused by 3 main challenges:

  1. Scale: The sheer number of identities, human and machine, to manage across an ever-expanding cloud landscape with hundreds of SaaS applications, internal users, third parties, and non-human identities is growing constantly. According to Gartner, non-human identities outnumber human identities by as much as 10 to 45 times.
  2. Speed: The pace of change for identities operating in this dynamic environment is faster than any human could ever tackle manually. While the adoption of automated IAM tools has made it possible to provision and de-provision automatically, there is a tremendous amount of risk introduced in the “messy middle” of the user’s lifecycle, and access permissions must continuously adapt to risk levels. 
  3. Blind Spots: Organizations operate in silos across disparate systems, processes, and teams, and many are managing identities in silos as well. This leaves teams unable to see every identity and its corresponding risk in real time, creating a lack of situational awareness.

When an identity has been compromised, SecOps and IAM teams quickly must work together to identify and respond to the threat by answering these questions: 

  • Which identities are impacted?
  • Where are we vulnerable?
  • Which of those impacted are privileged users?
  • What stage of attack are we in?
  • How can we stop the attack without disrupting the flow of business?

In the recent attacks on MGM and Okta, we saw that being unable to quickly answer these questions resulted in financial and reputational damage. Organizations must find a way to achieve always-on visibility, superhuman precision, speed, and intelligent insights. This is where AI for identity security can help.

AI – The Newest Ally on the Identity Security Battleground

AI offers hope for SecOps and IAM teams to jointly navigate the intricacies of identity security. From proactive identity threat detection to adaptive identity and access security, AI can revolutionize how organizations defend against these identity-driven attacks and manage the dynamic nature of digital identities by providing them with unparalleled capabilities that transcend human limitations in speed, scalability, and predictive accuracy. Here are some key ways AI can empower SecOps and IAM teams:

1. Reduce the Time of Exposure and Risk: AI-based systems can detect and analyze threats before human analysts are aware of their existence. By continuously verifying and cross-referencing data patterns, AI identifies deviations indicative of potential cyber threats. This early detection is crucial during cyberattacks, enabling SecOps teams to initiate swift response measures to contain and neutralize threats before they inflict significant damage.

2. Operate a Burnout-Free Zone: Unlike humans who require rest and downtime, AI operates continuously without fatigue. This perpetual vigilance allows AI to monitor systems around the clock, detecting threats and anomalies even during non-business hours. Consistent monitoring and response capabilities can reduce the risk of oversight due to human limitations. Cybercriminals are relentless, making slight modifications to their methods with great frequency and even using AI themselves. Hiring someone to take on this defense can become monotonous, leading to fatigue and an increase in human error. AI takes the redundancy out of the equation, deploying a system that doesn’t understand the concept of burnout. It goes above and beyond, handling repetitive tasks while also learning from all data that enters the system.

3. Achieve Faster Response Times: AI-based cybersecurity systems can respond immediately to threats compared to human analysts. Machines process and analyze vast amounts of data at incredible speeds, enabling them to detect and respond to anomalies in real time. While human intuition is invaluable, AI often identifies and addresses potential issues before they escalate, minimizing response times and mitigating risks quickly.

4. Stay Ahead of the Attackers: AI learns and improves continuously through algorithms, enhancing its ability to identify and mitigate risks over time. By analyzing historical data and current patterns, AI-powered solutions evolve to recognize new threat vectors and adapt defenses accordingly. This proactive approach ensures that SecOps and IAM teams stay ahead of emerging threats, leveraging AI’s evolving capabilities to bolster cybersecurity postures.

5. Bridge the SecOps and IAM Gaps: One of the primary challenges in identity-centric security is the disparate nature of data and tools used by CISOs, IAM, and SecOps teams. AI bridges these gaps by integrating data from diverse sources and presenting unified insights into identity-related risks. By establishing a common language of risk assessment and threat detection, AI can enable seamless collaboration and coordination across functional boundaries. Identity security AI assistants can apply natural language processing to complex queries and threat-hunting efforts, so that everyone can participate using the terms they are comfortable with, while the AI responds with clear guidance on how to remediate risks most efficiently.

Leverage AI for Identity-Centric Security Now

By harnessing AI’s superhuman abilities, organizations can bolster their cybersecurity defenses, respond swiftly to threats, and maintain a proactive security posture that adapts to the complexities of today’s digital landscape. 

As AI continues to evolve, its role in enhancing cybersecurity resilience and mitigating risks will become increasingly indispensable in safeguarding critical assets and maintaining trust in an interconnected world.

The post AI for Identity Security: 5 Ways AI Augments SecOps and IAM Teams Today appeared first on Cybersecurity Insiders.


July 20, 2024 at 09:01PM

Friday, July 19, 2024

Microsoft outage Windows not a cyber attack says Crowdstrike

Millions of PCs running Windows 10 and 11 Operating Systems have been experiencing a widespread issue identified as the Blue Screen of Death (BSOD) over the past few hours. This technical problem has resulted in significant global disruptions across various sectors, including government agencies, transit hubs such as airports, private companies, and municipalities.

Initially, speculation pointed towards a potential cyber attack originating from foreign entities like China or Russia. Certain Reddit groups even suggested state-sponsored hackers aimed at infiltrating servers belonging to Microsoft, led by CEO Satya Nadella, potentially causing billions in losses.

However, Microsoft quickly attributed the outage to a third-party error and issued an apology. The impact was severe, affecting IT systems in critical sectors like airports and healthcare, including England’s NHS, due to this technical glitch.

George Kurtz, CEO of CrowdStrike, a prominent cybersecurity firm based in Texas, refuted the cyber attack theories. He stated that the disruption stemmed from a technical glitch resulting from an improper software update rollout, effectively dispelling any notions of malicious intent as speculated in some media reports.

Interestingly, the glitch exclusively affected systems running Microsoft Windows, sparing those using Mac and Linux operating systems.

Meanwhile, sources from Telegram cited a Crowdstrike Falcon software update as the root cause of the disruption on Windows 10 and 11 systems. They provided guidance, including a screenshot, on resolving the issue through safe mode boot procedures.

In summary, this incident has been described as one of the most severe technological nightmares in recent history, incapacitating numerous networked computers. Comparisons were drawn to the 2017 WannaCry Ransomware attack, with industry experts noting this current disruption as having a more significant impact.

The post Microsoft outage Windows not a cyber attack says Crowdstrike appeared first on Cybersecurity Insiders.


July 19, 2024 at 08:14PM