Thursday, March 24, 2022

New Botnet Linked to Russian Group Sandworm Attacking ASUS and WatchGuard Devices

Researchers discovered that Cyclops Blink, a botnet linked to the Russian advanced persistent threat group Sandworm, is actively targeting ASUS routers and WatchGuard firewall appliances. The malware is modular – meaning it can easily be updated to target new devices – and features a specialized module that may allow the malware to read flash memory in order to gather information about critical files, executables, data, and libraries. The malware then receives a command to nest in the flash memory and establish persistence, as this storage space can survive factory resets. Due to the number of indiscriminate targets, analysts assess that the group’s intent behind this iteration of distribution is to build and maintain a botnet infrastructure for future attacks on high-value targets.

Friday, March 18, 2022

A Tale of Caution

A few days ago, I found an interesting and dangerous situation that I would like to warn you about.

A company I know well was under attack through a weakness on their website. It was a major intrusion that needed immediate attention.

My issues started when I tried to contact anyone at the company to warn them about the problem.

I had to go through a “phone tree” for support. When I finally got a human to answer, and I explained the nature of the problem and how it was time sensitive, the response I got was, "Thanks for the information. Someone will get back to you in a WEEK!" (The people who answered the phone were not IT support!)

What are your support staff trained to do when an issue is called in? Do you train them and test the process? Think about the issues if this were ransomware!! How long would support have waited to call level 2 support? How much data would your company lose while waiting for a ticket to even get to the proper person?

TRAIN YOUR STAFF NOW so that they can handle and respond to risks quickly in an appropriate manner. Don't become a victim!

Thursday, March 17, 2022

Good site to learn about Exploit Kits

The list provided below is meant to provide an overview of the most prevalent exploit kit variants currently impacting US victims. This page is updated regularly with new information as it becomes available.


Go here 

High-severity vulnerability in the Kubernetes container engine CRI-O

CrowdStrike security researchers discovered a high-severity vulnerability, dubbed “cr8escape,” in the Kubernetes container engine CRI-O – an open source, community-driven container engine. Each Kubernetes node includes a container runtime such as CRI-O. Among other tasks, the container runtime allows containerized apps to safely share each node's underlying Linux kernel and other resources. The flaw, tracked as CVE-2022-0811 (CVSS v3 8.8), exists due to the addition of sysctl support in version 1.19, used to configure kernel parameters at runtime. Researchers determined that, as a result, CRI-O will “blindly set any kernel parameters it is passed without validation, meaning that anyone who can deploy a pod on a cluster using the CRI-O runtime can abuse the kernel.core_pattern parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.” Malicious threat actors may be able to exploit the vulnerability in the components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications, to exfiltrate data and move laterally across pods. The potential impact of this flaw is widespread due to the number of platforms that use CRI-O, such as OpenShift and Oracle Container Engine for Kubernetes. The vulnerability has been resolved and researchers urge users to patch immediately.
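The defensive control that matters here is an allow-list on what a pod may ask the node's kernel to change. Kubernetes only admits the small set of namespaced "safe" sysctls unless an administrator widens it with the kubelet's --allowed-unsafe-sysctls, and kernel.core_pattern is never on that list. The following is an added example written for this post (it is not CrowdStrike's research code and not part of CRI-O or Kubernetes) of the check an admission webhook or OPA/Gatekeeper policy would enforce so that a runtime is never handed a sysctl it should not apply. SAFE_SYSCTLS is the set Kubernetes documented as safe at the time of this post; the value-shape regex is my own conservative assumption, not a Kubernetes rule, and the sample manifests are constructed.

```python
"""Admission-style allow-list check for pod sysctls (added example, not project code)."""
import re

# Sysctls Kubernetes classes as safe (namespaced, isolated per pod) as of early 2022.
# Take the current list from your cluster version's documentation.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
})

# Conservative shape for a sysctl name (one dotted key) and value (letters, digits,
# dots, colons, dashes, single spaces for range pairs such as "32768 60999").
# Assumption of this example: anything outside that shape is refused rather than
# passed through to the container runtime.
_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)+$")
_VALUE_RE = re.compile(r"^[A-Za-z0-9_.:\-]+( [A-Za-z0-9_.:\-]+)*$")


def sysctl_violations(pod, allowed_unsafe=()):
    """Return human-readable reasons a pod's sysctl section should be refused.

    `pod` is a pod manifest as a dict (what json/yaml loading gives you).
    `allowed_unsafe` mirrors the kubelet's --allowed-unsafe-sysctls list.
    An empty list means the sysctl section is acceptable.
    """
    allowed = SAFE_SYSCTLS | frozenset(allowed_unsafe)
    entries = (pod.get("spec", {}) or {}).get("securityContext", {}) or {}
    entries = entries.get("sysctls", []) or []
    problems = []
    for entry in entries:
        name = str(entry.get("name", ""))
        value = str(entry.get("value", ""))
        if not _NAME_RE.match(name):
            problems.append(f"malformed sysctl name {name!r}")
            continue
        if name not in allowed:
            problems.append(f"sysctl {name!r} is not on the allow-list")
        if not _VALUE_RE.match(value):
            problems.append(f"sysctl {name!r} has a malformed value {value!r}")
    return problems


def admit(pod, allowed_unsafe=()):
    """True if the pod passes the sysctl allow-list check."""
    return not sysctl_violations(pod, allowed_unsafe)


if __name__ == "__main__":
    # Constructed sample manifests, not taken from any real cluster.
    good = {"spec": {"securityContext": {"sysctls": [
        {"name": "net.ipv4.ip_local_port_range", "value": "32768 60999"}]}}}
    bad = {"spec": {"securityContext": {"sysctls": [
        {"name": "kernel.core_pattern", "value": "core"}]}}}
    for label, manifest in (("good", good), ("bad", bad)):
        print(label, "admitted" if admit(manifest) else sysctl_violations(manifest))
```

Run as a script it reports the first manifest as admitted and refuses the second because kernel.core_pattern is not on the allow-list. Enforcing this at admission is independent of the runtime fix: patched CRI-O validates what it is handed, but the allow-list keeps unneeded kernel parameters out of pod specs in the first place.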


QNAP Network Attached Storage (NAS) devices affected by high-severity Linux vulnerability

QNAP is notifying users that its Network Attached Storage (NAS) devices are impacted by the high-severity Linux vulnerability dubbed “Dirty Pipe,” which allows attackers with local access to gain root privileges.

Dirty Pipe is a vulnerability in the Linux kernel's handling of pipe buffer flags, affecting Linux kernel versions 5.8 and later as well as some Android kernel versions. CVE-2022-0847 (CVSS v3 7.8) may allow a non-privileged user to overwrite data in arbitrary read-only files and SUID binaries. Successful exploitation of this vulnerability may allow root privilege escalation through the editing of administrative files such as /etc/passwd and SUID programs.

Proof of Concept (PoC) exploits have been made publicly available. Although a kernel patch has been released for the flaw, QNAP states that there is no mitigation available at this time and recommends that users install the security updates as soon as possible. Impacted NAS devices comprise those running QTS 5.0.x and QuTS hero h5.0.x, including: QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS; and QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS.
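For a fleet of Linux hosts and appliances, the first triage step is to classify reported kernel versions against the affected range. The following is an added example for this post (not QNAP's code and not from the kernel maintainers): the upstream stable releases that carry the fix are 5.16.11, 5.15.25 and 5.10.102, with mainline 5.17 and later also fixed. The version strings in the demo are constructed. The caveat a practitioner needs is built into the result names: vendors and distributions backport fixes without changing the version string, so "possibly-affected" means "confirm against the vendor advisory", not "confirmed exploitable".

```python
"""Kernel-version triage for CVE-2022-0847 / Dirty Pipe (added example, not vendor code)."""
import re

INTRODUCED = (5, 8, 0)            # first release containing the flawed pipe-flag handling
FIXED_BY_BRANCH = {               # first fixed release on each upstream stable branch
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIXED_MAINLINE = (5, 17)          # mainline from 5.17 onward carries the fix

# major.minor[.patch], ignoring any vendor suffix such as "-generic" or "-rcN".
# Pre-release (-rc) tags are deliberately not special-cased here.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(uname_r):
    """Turn a `uname -r` string into (major, minor, patch), or None if unparseable."""
    m = _VER_RE.match(uname_r.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_status(uname_r):
    """Classify a kernel version string by number alone.

    'not-affected'      : before 5.8, or on a release/branch that carries the fix
    'possibly-affected' : inside the affected range; verify against vendor advisories,
                          because backported fixes do not bump the version string
    'unknown'           : the string did not parse
    """
    v = parse_kernel_version(uname_r)
    if v is None:
        return "unknown"
    if v < INTRODUCED or v[:2] >= FIXED_MAINLINE:
        return "not-affected"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None and v >= fixed:
        return "not-affected"
    # 5.8-5.9 and 5.11-5.14 received no upstream stable fix (end of life);
    # 5.10 / 5.15 / 5.16 below the fixed patch level are flagged as well.
    return "possibly-affected"


def triage(uname_strings):
    """Map each reported version string to its status; handy for inventory exports."""
    return {s: dirty_pipe_status(s) for s in uname_strings}


if __name__ == "__main__":
    # Constructed sample strings, not output from any real device.
    samples = ["4.19.0", "5.4.0-100-generic", "5.10.60-nas-vendor",
               "5.10.102", "5.15.24", "5.16.11", "5.17.0", "weird"]
    for s, status in triage(samples).items():
        print(f"{s:>20}: {status}")
```

Feed it the `uname -r` column of whatever inventory you already collect; anything that comes back "possibly-affected" goes on the list to verify with the vendor, which for the QNAP models above means checking the QTS / QuTS hero update status rather than the kernel string alone.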

To learn more go here

Tuesday, March 15, 2022

Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat.

CISA encourages users and administrators to review AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. For general information on Russian state-sponsored malicious cyber activity, see cisa.gov/Russia. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and cisa.gov/shields-up.

Updated: Kubernetes Hardening Guide

The National Security Agency (NSA) and CISA have updated their joint Cybersecurity Technical Report (CTR): Kubernetes Hardening Guide, originally released in August 2021, based on valuable feedback and inputs from the cybersecurity community.

Kubernetes is an open-source system that automates deployment, scaling, and management of applications run in containers. A container is a runtime environment that contains a software package and its dependencies. Kubernetes is often hosted in a cloud environment. The CTR provides recommended configuration and hardening guidance for setting up and securing a Kubernetes cluster.

CISA encourages users and administrators to review the updated Kubernetes Hardening Guide—which includes additional detail and explanations—and apply the hardening measures and mitigations to manage associated risks.

Friday, March 11, 2022

Changes to CISSP Exam Process

Beginning June 1, 2022, the CISSP exam in the Computerized Adaptive Testing (CAT) format will contain 50 pretest (unscored) items, which will increase the minimum and maximum number of items candidates will need to respond to from 100-150 to 125-175 items during the exam. To allow for these additional items, the maximum exam administration time will increase from three to four hours.

The additional 25 pretest items are evaluated for inclusion as operational (scored) items in future exams; however, as these pretest items are indistinguishable from operational (scored) items, candidates should consider each item carefully and select the best possible answer. Responses to pretest items do not impact a candidate's score or the pass/fail result on their examination.

The CISSP CAT exam currently contains 25 pretest items. The addition of another 25 enables (ISC)² to continue expanding our item bank to strengthen the integrity and security of the CISSP for all those who earn the certification.

There are no other changes to the content of the CISSP exam. The domains and domain weights contained within the CISSP exam outline have not changed.

CISSP exams scheduled on or after June 1, 2022 will reflect these changes. If you or your students have questions or need assistance, please contact examadministration@isc2.org.


New Version of CISM Exam Process

The new courseware is out. You have to decide whether you want to take the old test by May 1 or the new content on June 1 and beyond.

The new content is as follows:

1 Information Security Governance

A Enterprise Governance

1A1 Organizational Culture

1A2 Legal, Regulatory, and Contractual Requirements

1A3 Organizational Structures, Roles, and Responsibilities


B Information Security Strategy

1B1 Information Security Strategy Development

1B2 Information Governance Frameworks and Standards

1B3 Strategic Planning (e.g., budgets, resources, business case).


2 Information Security Risk Management

A Information Security Risk Assessment

2A1 Emerging Risk and Threat Landscape

2A2 Vulnerability and Control Deficiency Analysis

2A3 Risk Assessment and Analysis

B Information Security Risk Response

2B1 Risk Treatment / Risk Response Options

2B2 Risk and Control Ownership

2B3 Risk Monitoring and Reporting


3 Information Security Program

A Information Security Program Development

3A1 Information Security Program Resources (e.g., people, tools, technologies)

3A2 Information Asset Identification and Classification

3A3 Industry Standards and Frameworks for Information Security

3A4 Information Security Policies, Procedures, and Guidelines

3A5 Information Security Program Metrics

B Information Security Program Management

3B1 Information Security Control Design and Selection

3B2 Information Security Control Implementation and Integrations

3B3 Information Security Control Testing and Evaluation

3B4 Information Security Awareness and Training

3B5 Management of External Services (e.g., providers, suppliers, third parties, fourth parties)

3B6 Information Security Program Communications and Reporting


4 Incident Management

A Incident Management Readiness

4A1 Incident Response Plan

4A2 Business Impact Analysis (BIA)

4A3 Business Continuity Plan (BCP)

4A4 Disaster Recovery Plan (DRP)

4A5 Incident Classification/Categorization

4A6 Incident Management Training, Testing, and Evaluation

B Incident Management Operations

4B1 Incident Management Tools and Techniques

4B2 Incident Investigation and Evaluation

4B3 Incident Containment Methods

4B4 Incident Response Communications (e.g., reporting, notification, escalation)

4B5 Incident Eradication and Recovery

4B6 Post-incident Review Practices


Updated CISM Exam Content Outline Effective Beginning 1 June 2022

To learn more go Here

Wednesday, March 9, 2022

Updated: Conti Ransomware

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the United States Secret Service (USSS) have re-released an advisory on Conti ransomware. Conti cyber threat actors remain active, and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000.

CISA, the FBI, NSA, and the USSS encourage organizations to review AA21-265A: Conti Ransomware, which includes new indicators of compromise, for more information. See Shields Up and StopRansomware.gov for ways to respond to disruptive cyber activity.

Just released 2022 Annual Threat Assessment of the U.S. Intelligence Community

The Office of the Director of National Intelligence has released an annual report providing an assessment of worldwide threats to U.S. national security.

The 2022 Annual Threat Assessment of the U.S. Intelligence Community was released in accordance with Section 617 of the Intelligence Authorization Act for fiscal year 2021, ODNI said Tuesday.

The report details the national security challenges posed by China, Russia, Iran and North Korea to the U.S. across various areas, including military capabilities, economy, cyber and space domain.

The document explains how China works to modify global norms and threaten its neighbors and discusses Russia’s willingness to use military force to “impose its will on neighbors” as seen in Ukraine and other countries.

Other issues covered in the report are health security concerns including infectious diseases and the COVID-19 pandemic, climate change and environmental degradation, transnational organized crime, violent extremism, illicit drugs and surges in migration.

Article was posted on (executivegov.com)


Introduction to Cybersecurity for Commercial Satellite Operations

Introduction to Cybersecurity for Commercial Satellite Operations: 2nd Draft of NISTIR 8270 is Available for Comment

Space operations are vital to advancing the security, economic prosperity, and scientific knowledge of the Nation. However, cyber-related threats to space assets and their supporting infrastructure pose increasing risks to the economic promise of emerging markets in space. This second draft of NISTIR 8270, Introduction to Cybersecurity for Commercial Satellite Operations, presents a specific method for applying the Cybersecurity Framework (CSF) to commercial space business and describes an abstracted set of cybersecurity outcomes, requirements, and suggested controls.

The draft also:

  • Clarifies scope with an emphasis on the satellite itself,
  • Updates examples for clarity,
  • Adds more detailed steps for developing a current and target profile and risk analysis, and
  • Provides references for relevant regulations around commercial space.

Reviewers are asked to provide feedback on additional threat models that might help in the development of organization profiles, informative references on the application of security controls to satellites, and standards or informative references that might benefit all readers.

The public comment period is open through April 8, 2022. See the publication details for a copy of the draft and instructions for submitting comments.