Project Hyphae

Information Security News 2-6-2023


North Korean Hackers Stole Research Data in Two-Month-Long Breach

Article Link: https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-research-data-in-two-month-long-breach/

  • A new cyber espionage campaign dubbed “No Pineapple!” has been attributed to the North Korean Lazarus group. Roughly 100 GB of data were exfiltrated from several private and public research organizations between August and November 2022, with no destructive activity observed.
  • As the article describes, two Zimbra vulnerabilities were exploited to gain access to the targets’ mail servers. From there, the attackers deployed tunneling tools to get through the firewall, which let them pull emails out over an extended period.
  • Lazarus was observed using several new tactics: infrastructure reached by bare IP addresses with no domain names attached, a new version of the Dtrack info-stealer, and a new version of the GREASE malware.
  • The attribution to Lazarus rests in part on the attackers exposing a North Korean IP address exactly once during the entire operation, at a time of day when they appeared to be starting their workday.

Fast-Evolving Prilex POS Malware can Block Contactless Payments

Article Link: https://www.theregister.com/2023/02/03/prilex_malware_contactless_payments/

  • According to Kaspersky, the Brazilian operators of the Prilex point-of-sale (POS) malware are forcing cardholders to insert their payment cards into the terminal instead of using the more secure tap-to-pay (contactless) flow.
  • Prilex began in 2014 by targeting ATMs and has since expanded to POS terminals. Current versions can capture data from an inserted card. A contactless transaction, by contrast, has the card’s NFC chip produce a unique, single-use value for that one transaction, so anything the malware intercepts cannot be replayed: there is effectively nothing worth stealing when tap-to-pay is used.
  • With contactless payments on the rise, Prilex operators have enhanced the malware so that it not only forces a contactless error (prompting the customer to insert the card) but also filters which cards it targets, focusing on Black/Infinite, Corporate, and other premium tiers with high transaction limits.

Discrepancies Discovered in Vulnerability Severity Ratings

Article Link: https://www.darkreading.com/application-security/discrepancies-discovered-in-vulnerability-severity-ratings

  • VulnCheck analyzed about 120,000 CVEs that carry a CVSS v3 score and found that almost 25,000 (about 20%) had two scores: one assigned by NIST (via the NVD) and one by the vendor of the affected product. Of those, roughly 14,000 (56%) had scores that conflict.
  • The article’s point is that relying on a single source for severity (either the vendor or NIST) can be misleading, since the two disagree in more than half of the double-scored cases. Pull severity data from more than one source and reconcile the differences before prioritizing.
  • Link to VulnCheck Report: https://vulncheck.com/blog/cvss-accuracy-issues

Attackers Abuse Microsoft’s “Verified Publisher” Status to Steal Data

Article Link: https://www.theregister.com/2023/02/01/microsoft_oauth_attack_proofpoint/

  • According to Proofpoint, threat actors used malicious OAuth applications carrying Microsoft’s “verified publisher” badge to gain access to organizations’ cloud environments, steal data, and pry into users’ mailboxes, calendars, and meetings. Because fewer security controls surround an OAuth consent than a login, users are less likely to spot the attack than they would phishing or brute-force attempts.
  • OAuth is an open authorization standard used by Microsoft and other major providers, including Amazon, Google, and Facebook, to let users grant third-party applications or websites delegated access to parts of their accounts.
  • As the report notes, the potential impact includes compromised user accounts, data exfiltration, brand abuse of the impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse.
  • Link to Proofpoint Report: https://www.proofpoint.com/us/blog/cloud-security/dangerous-consequences-threat-actors-abusing-microsofts-verified-publisher
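The practical follow-up for defenders is to review which third-party apps already hold mailbox and calendar scopes in the tenant, without treating the verified-publisher badge as a reason to skip one. The following is an added example, not code from the article or from Proofpoint. It walks an export of app registrations and consent grants; the record shape is modelled on Microsoft Graph’s `servicePrincipal` and `oauth2PermissionGrant` objects (`appOwnerOrganizationId`, `verifiedPublisher`, `consentType`, `scope`), but the exact field set and all of the sample tenant, app and user data are assumptions constructed here for illustration.

```python
"""Audit OAuth consent grants for external apps that reach into mailboxes.

Added example: not code from the article or from Proofpoint. The record
shape is modelled on Microsoft Graph's servicePrincipal and
oauth2PermissionGrant objects, but the field set and all sample data are
assumptions made here for illustration.
"""

# Delegated Microsoft Graph scopes that give an app the mailbox, calendar and
# meeting reach the article describes.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "OnlineMeetings.Read", "OnlineMeetings.ReadWrite",
}


def audit_consents(tenant_id, service_principals, grants):
    """Return one finding per grant that hands an app owned by another tenant a
    sensitive scope. The verified-publisher name is recorded for context but
    never lowers the risk, because that badge is exactly what was abused."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sp_by_id.get(g["clientId"])
        if sp is None:
            continue  # grant to an unknown principal: worth its own alert
        if sp.get("appOwnerOrganizationId") == tenant_id:
            continue  # first-party app registered in our own tenant
        hit = sorted(set(g.get("scope", "").split()) & SENSITIVE_SCOPES)
        if not hit:
            continue
        tenant_wide = g.get("consentType") == "AllPrincipals"  # admin consent
        findings.append({
            "app": sp["displayName"],
            "appId": sp["appId"],
            "verified_publisher": (sp.get("verifiedPublisher") or {}).get("displayName"),
            "consent": "admin (all users)" if tenant_wide else f"user {g.get('principalId')}",
            "sensitive_scopes": hit,
            "risk": "high" if tenant_wide else "medium",
        })
    # Tenant-wide grants first: one admin click exposed every mailbox.
    findings.sort(key=lambda f: (f["risk"] != "high", f["app"]))
    return findings


# Constructed sample export (assumed shape; no real tenants, apps or people).
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Internal HR Portal",
     "appOwnerOrganizationId": OUR_TENANT, "verifiedPublisher": None},
    {"id": "sp-2", "appId": "app-2", "displayName": "Single Sign-on Helper",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": "Example Verified Vendor"}},
    {"id": "sp-3", "appId": "app-3", "displayName": "Meeting Notes Sync",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "verifiedPublisher": None},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "scope": "openid profile offline_access Mail.ReadWrite Calendars.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "OnlineMeetings.Read Calendars.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-7",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for finding in audit_consents(OUR_TENANT, SERVICE_PRINCIPALS, GRANTS):
        print(finding)
```

On the sample data the internal HR app is ignored even though it reads mail, the verified "Single Sign-on Helper" is still reported because a verified publisher with `Mail.ReadWrite` on a user’s mailbox is precisely the pattern in the report, and the tenant-wide grant to "Meeting Notes Sync" sorts to the top. Whatever export you feed this, the review question is the same: which external apps can read mail, and who consented.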

50% of Organizations Have Indirect Relationships With 200+ Breached Fourth-Party Vendors

Article Link: https://www.helpnetsecurity.com/2023/02/02/relationships-breached-fourth-party-vendors/

  • A study by SecurityScorecard and The Cyentia Institute covering 235,000 primary organizations and 73,000 vendors found that 98% of organizations have a relationship with at least one third-party vendor that has been breached in the last two years, and that 50% have indirect relationships with at least 200 breached fourth-party vendors (their vendors’ vendors) over the same period.
  • For every third-party vendor in its supply chain, an organization typically has 60 to 90 times as many fourth-party relationships. The research also found that third-party vendors are five times more likely than the primary organization to exhibit poor security.
  • Link to SecurityScorecard Report: https://securityscorecard.com/company/press/securityscorecard-research-shows-98-of-organizations-globally-have-relationships-with-at-least-one-breached-third-party

How the Cloud is Shifting CISO Priorities

Article Link: https://www.darkreading.com/cloud/how-the-cloud-is-shifting-ciso-priorities

  • The shift to remote and hybrid work, combined with accelerated cloud adoption, has greatly expanded the attack surface CISOs must protect. Many also run more than one cloud, each with the structure its provider imposes. The article splits the problem into two challenges: technical and human.
  • On the technical side, it highlights reining in excess privileges, correlating excess privileges with misconfigurations, and prioritizing misconfigurations appropriately.
  • The human challenge is staffing: organizations need people with architectural competence, cloud engineering skills, and the reactive capability to respond when something goes wrong.

Budget Constraints Force Cybersecurity Teams to do More With Less

Article Link: https://www.helpnetsecurity.com/2023/01/31/cybersecurity-budget-constraints/?web_view=true

  • According to a survey by the Neustar International Security Council, 51% of organizations lack the budget to fully meet their cybersecurity needs.
  • Despite the rapidly changing threat landscape, 35% of the IT and security professionals surveyed said their organization’s cybersecurity budget would stay flat or decrease in 2023, and 44% believe their business will be more exposed and at greater risk as a result.
  • A large majority of respondents agree that C-suite and board-level decision-makers understand the current threats to the business (83%), recognize the importance of a multilayered defense strategy (81%), and treat protecting the organization as an integral part of business operations (80%). Even so, 69% are concerned that budget constraints are limiting the adoption of new strategies, technologies, and implementation practices.
  • Link to Neustar Report: https://neustarsecurityservices.com/blog/considerations-for-choosing-security-service-providers-when-budgets-get-tight

IoT, Connected Devices Biggest Contributors to Expanding Application Attack Surface

Article Link: https://www.csoonline.com/article/3686612/iot-connected-devices-biggest-contributors-to-expanding-application-attack-surface.html

  • A Cisco AppDynamics survey of 1,150 IT professionals found that 89% believe their organization’s attack surface has expanded over the last two years.
  • Respondents attributed the growth to several factors: IoT and connected device growth, rapid adoption of cloud technologies, accelerated digital transformation, and new hybrid working models.
  • IT teams are struggling to keep up: 58% of respondents said they don’t know what to focus on because they lack visibility into, and context for, application security risks.
  • The article suggests that adopting DevSecOps at both the technical and cultural level could help: tooling that improves automation and oversight, paired with IT staff building security competency through additional training and similar opportunities.

