Project Hyphae

Information Security News 12-12-2022


JSON-Based SQL Injection Attacks Trigger Need to Update Web Application Firewalls

Article Link:

  • Security researchers from Claroty’s Team82 have developed a generic technique for SQL injection that bypasses multiple web application firewalls (WAFs) by taking advantage of WAF vendors failing to add support for JavaScript Object Notation (JSON) inside SQL statements. Utilizing JSON, attackers could hide malicious SQL injection payloads.
  • The vulnerability was found by Team82 while researching other vulnerabilities. Essentially, they noticed that many WAFs identify SQL syntax by searching for specific words that are recognized as SQL syntax and by attempting to parse parts of requests as valid SQL syntax. From there, the researchers embarked on the quest to find SQL syntax that WAFs wouldn’t recognize.
  • Team82 disclosed its findings to five leading WAF vendors (Palo Alto, AWS, Cloudflare, F5, and Imperva), all of which have since added JSON support when inspecting SQL statements. However, it was noted that the technique may work against other WAF solutions, so users should ask their vendors whether they can detect and block JSON-based SQL attacks.
  • Claroty Team82’s Full Report:
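The practical lesson for application teams is that a WAF is a secondary control: it only sees the request text, while the database parses whatever reaches it. The following added example (not code from Claroty, Team82, or the article) uses Python's sqlite3 module, which is assumed here as a stand-in for any application database, to contrast a query built by string concatenation with a parameterized one. The constructed input expresses its boolean condition through SQLite's real `json_valid()` function, in the style the report describes; the parameterized version treats that input as plain data no matter which syntax a signature-based WAF recognises.

```python
import sqlite3


def setup_db():
    """Build a constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the caller's input is spliced into the SQL text,
    so the database parses whatever the WAF let through as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        # This SQLite build lacks the JSON1 functions, so the crafted input
        # below cannot even be parsed; report that instead of a result.
        return None


def lookup_safe(conn, name):
    """Hardened pattern: a bound parameter is always data, never SQL,
    regardless of which keywords or operators a WAF rule set knows about."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed input in the style the report describes: the condition is
# written with a JSON function (SQLite's json_valid) rather than a classic
# SQL token, which is exactly what keyword-based WAF signatures missed.
CRAFTED_INPUT = "x' OR json_valid('{}') -- "


def compare(name=CRAFTED_INPUT):
    """Run both lookups on the same input and return (unsafe, safe) results."""
    conn = setup_db()
    return lookup_unsafe(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    unsafe, safe = compare()
    print("unsafe:", unsafe)  # every row, or None if json_valid() is unavailable
    print("safe:  ", safe)    # [] because the crafted string matches no real name
```

Fixing the query at the source is what removes the dependency on the WAF vendor's keyword list; the vendor check the article recommends is still worth doing, but as defence in depth rather than the primary control.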

This Broken Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom

Article Link:

  • Victims of a recently uncovered form of Windows ransomware, known as Cryptonite, are being warned not to pay the ransom demand, because the ransomware is unable to decrypt files; it simply destroys them instead.
  • Rather than this being an intentionally destructive design, researchers suggest that Cryptonite behaves this way because it has been poorly put together. Specifically, the ransomware lacks a “decryption-only” mode, so every time the code is run, everything is re-encrypted with a different key.
  • Cyber agencies, including CISA, the FBI, and the NCSC, recommend against paying ransoms because it only serves to embolden and encourage cyber criminals, particularly if they can acquire ransomware at a low cost or for free, such as Cryptonite, which was available for free on GitHub until recently.

Healthcare Systems Face a “Royal” Cybersecurity Threat From New Hacker Group

Article Link:

  • U.S. healthcare organizations could be in the crosshairs of a new cyberthreat collective, dubbed Royal. According to the U.S. Department of Health and Human Services (HHS), Royal is purely financially motivated with ransom demands ranging from $250,000 to over $2 million.
  • Royal has been known to deploy 64-bit executables written in C++ targeting Windows systems and any volume shadow copies on infected Windows machines. Royal is said to infect machines through malvertising and phishing links that point to a malware downloader with links found in spam emails, fake forum pages, and blog comments.
  • It was highlighted that hospitals are particularly vulnerable to ransomware because they tend to have money, a large threat surface, outdated systems, and life-and-death consequences for downtime, all of which make them more likely to pay ransoms.

Clinicians Need the Right Messaging to Pay Attention to Cybersecurity

Article Link:

  • According to experts at a recent healthcare cybersecurity forum, medical professionals (and employees in many industries) just want technology to work. Likewise, medical professionals are busy and receive so many messages that when an email arrives from the CISO, that information had better be attention-grabbing to rise above the noise.
  • As the article highlights, the question becomes, “How do we get the clinical workforce cyber aware and how do we get cyber clinically aware?” Additionally, it was noted that personnel need a steady drip of information to understand the “whys” of cybersecurity.

What Stricter Data Privacy Laws Mean for Your Cybersecurity Policies

Article Link:

  • Data privacy is already a big headache, and with modern privacy laws, such as the GDPR and CPRA, expanding to more of the world’s population, regulatory compliance is on track to become a more complicated, high-stakes process touching every aspect of an organization. In fact, Gartner predicts that by 2024, 75% of the global population will have its data covered under privacy regulations.
  • In the face of the growing cyber onslaught, organizations globally spent about $150 billion in 2021 in their quest for better cyber defense, growing by 12.4% annually. Thus, the surge in cybercrime and subsequent need for better defense are the key drivers for privacy laws and greater cyber awareness.
  • The article offers several tips to stay ahead of changing and more prevalent data privacy regulations. These include updating your organization’s data privacy policies, reviewing your organization’s data security standards, implementing data security best practices, facilitating regular employee training, and strengthening your organization’s password policy.

The Changing Role of the MITRE ATT&CK Framework

Article Link:

  • After nine years, MITRE ATT&CK and its use cases have evolved well beyond a reference architecture. ATT&CK has become a common language in security operations. According to ESG research based on feedback from 376 IT and cybersecurity professionals, 48% of organizations say they use the ATT&CK framework “extensively” for security operations while another 41% use it on a limited basis. When asked how important ATT&CK is for their future security operations strategy, 19% claim that ATT&CK is critical, 62% say it’s very important, and 15% believe ATT&CK is an important component of their security operations strategy.
  • Over ATT&CK’s existence, new ways to use the tool more effectively have emerged. Specifically, it was noted that 38% of organizations use ATT&CK to help apply threat intelligence into alert triage and investigation, 37% use it as a guideline for security engineering, 35% use it to better understand adversary tactics, techniques, and procedures (TTPs), 34% use it to understand the full extent of cyber-attacks, and 33% use it to supplement vendor-provided threat intelligence. Likewise, many see ATT&CK as a tool to take advantage of in their organizations’ security operations.
  • Top 10 Free MITRE ATT&CK tools and resources:

Top 7 Factors Boosting Enterprise Cybersecurity Resilience

Article Link:

  • According to Cisco’s annual Security Outcomes Report, which received survey responses from over 4,700 participants, cybersecurity resilience has emerged as a top priority, as a staggering 62 percent of organizations said they had experienced a security event that impacted business in the past two years.
  • Of those surveyed, the leading types of incidents were network or data breaches (51.5%), network or system outages (51.1%), ransomware events (46.7%), and DDoS attacks (46.4%). These incidents resulted in severe repercussions for the companies that experienced them, along with the ecosystem of organizations they do business with. It was also highlighted that 96% of executives surveyed said that security resilience is a high priority for them.
  • Cisco’s report also lists seven data-backed success factors that enhance cybersecurity resilience. These include establishing executive support, cultivating a culture of security, holding human resources in reserve, simplifying hybrid cloud environments, maximizing zero trust adoption, extending detection and response capabilities, and taking security to the edge.
  • Cisco’s Full Report and Analysis:

Cybersecurity Should Focus on Managing Risk

Article Link:

  • Organizations cannot prevent data breaches or cyberattacks altogether and avoiding a breach or cyber incident is nearly impossible in the modern era. Organizations can, however, take steps to reduce an attack’s negative impacts.
  • Threat actors are opportunistic. They will always look for the easiest targets to maximize their financial gain. So, intimately understanding an organization’s level of risk is the first step to managing and reducing it and making yourself less of a target.
  • Not every organization can afford a dedicated security or IT team or sophisticated cybersecurity technologies, but any organization can implement an appropriate incident response plan and apply an offensive security mindset to mitigate overall risk. For example, hosting security training can increase positive cybersecurity behaviors from employees, such as developing strong passwords. Implementing MFA and instituting other security basics can help reduce risk as well.
  • Efforts focused on improving cybersecurity defenses should be ever evolving. “Solving” dynamic digital risk is a journey, not a destination.

Cybercriminals are Scamming Each Other, Tipping Off Law Enforcement

Article Link:

  • Cybercriminals are scamming each other out of millions of dollars and using arbitration chat rooms to settle disputes about the scams, according to Sophos, which investigated two Russian cybercrime forums that provide Access-as-a-Service (AaaS) listings and an English-language cybercrime forum specializing in data leaks. All three websites also have dedicated arbitration rooms.
  • Sophos noted that over 12 months, researchers examined approximately 600 scams that resulted in threat actors losing more than $2.5 million to each other, just on these three forums, with claims ranging from $2 to $160,000.
  • Researchers also discovered that the arguments and arbitration process left behind a wealth of untapped intelligence that security professionals and law enforcement could leverage to better understand and defend against cybercriminal behaviors. This is primarily due to how much evidence is needed to report scams to resolve the issues.
  • Sophos’ Report:
