Share
a Free Entry-Level Cybersecurity

Certification Exam Voucher

Share the Link: www.isc2.org/Voucher-Offer 

Share the Code: CYBERSTART

 The bug (CVE-2021-45388) was discovered by researchers at SentinelOne. Researchers claim the high-severity flaw exists in the KCodes NetUSB kernel module used by a large number of network device vendors.

According to the researchers, NetUSB is a product by KCodes, that allows remote devices in a network to interact with USB devices connected to a router.

“For example, you could interact with a printer as though it is plugged directly into your computer via USB. This requires a driver on your computer that communicates with the router through this kernel module,” writes Max Van Amerongen, the author of the report.

Vendors like Netgear, TP-Link, Tenda, EDiMAX, DLink, Western Digital, and others are among the users of the module.

Threat actors could use the CVE-2021-45388 to execute code in the kernel module that doesn’t validate the size of a kernel memory allocation call, causing an integer overflow.

While Amerongen claims that code restrictions make it rather difficult to exploit the vulnerability, it isn’t impossible, which means that users of affected devices should look for firmware updates.

SentinelOne disclosed their finding to KCodes in September, and Netgear issued a security advisory for remediation in late December.

“While we are not going to release any exploits for it, there is a chance that one may become public in the future despite the rather significant complexity involved in developing one,” claims the report.

(ISC)² has begun the exciting process of exploring the creation of a new certification. To fill the cybersecurity workforce gap, we need to address the workforce shortage facing the industry, especially among entry- and junior-level positions. A foundational cybersecurity certification will help (ISC)² build a pathway to a rewarding career in cybersecurity for many around the world.

There are five domains to this certification, listed below. For further details, visit the Exam Outline.

When will (ISC)² begin administering the entry-level cybersecurity certification pilot exam?

The pilot exam administration period will begin Jan. 31, 2022. Registration for the pilot exam is now open with appointments currently available until May 31, 2022. Please note that the pilot exam administration period may be shortened or extended depending on the number or participants taking the exam. We recommend that any interested candidates schedule their exam as early as possible. Any unused vouchers or undelivered exams that are a part of this pilot will be converted to the regular certification program when it becomes available.

All standard (ISC)² exam policies and practices, including rescheduling and special accommodations, also apply to the pilot exam program. Learn more here. For questions, please contact ExamAdministration@isc2.org

To learn more go here

Microsoft 365 Zero Trust deployment plan

This article provides a deployment plan for building Zero Trust security with Microsoft 365. Zero Trust is a new security model that assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to “never trust, always verify.”

Zero Trust security architecture

A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy.

This illustration provides a representation of the primary elements that contribute to Zero Trust.

In the illustration:

• Security policy enforcement is at the center of a Zero Trust architecture. This includes Multi Factor authentication with conditional access that takes into account user account risk, device status, and other criteria and policies that you set.
• Identities, devices, data, apps, network, and other infrastructure components are all configured with appropriate security. Policies that are configured for each of these components are coordinated with your overall Zero Trust strategy. For example, device policies determine the criteria for healthy devices and conditional access policies require healthy devices for access to specific apps and data.
• Threat protection and intelligence monitors the environment, surfaces current risks, and takes automated action to remediate attacks.

For more information about Zero Trust, see Microsoft’s Zero Trust Guidance Center.

Deploying Zero Trust for Microsoft 365

Microsoft 365 is built intentionally with many security and information protection capabilities to help you build Zero Trust into your environment. Many of the capabilities can be extended to protect access to other SaaS apps your organization uses and the data within these apps.

This illustration represents the work of deploying Zero Trust capabilities. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete.

In this illustration:

• Zero Trust begins with a foundation of identity and device protection.
• Threat protection capabilities are built on top of this foundation to provide real-time monitoring and remediation of security threats.
• Information protection and governance provide sophisticated controls targeted at specific types of data to protect your most valuable information and to help you comply with compliance standards, including protecting personal information.

To read the rest of the blog go here 

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting a number of U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. 

These entities confirmed the malicious activity after running the Pulse Secure Connect Integrity Tool. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. 

The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture. 

•     Persistence is maintained throughout the legitimate device firmware update process. 
•     Implements a modular framework consisting of a core component and additional modules that
  are executed as child processes. 
•         Modules to download/upload files, extract device information, and update the malware have
  been built-in and are executed at startup. 
•         Command and control (C2) communication uses a custom binary protocol underneath TLS,
  and messages are individually encrypted. 

Introduction
Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian)
architecture. NCSC, FBI, CISA, NSA and industry analysis has associated it with a large-scale botnet
targeting Small Office/Home Office (SOHO) network devices. This botnet has been active since at
least June 2019, affecting WatchGuard Firebox and possibly other SOHO network devices.
This report covers the analysis of two samples recently acquired by the FBI from WatchGuard Firebox
devices known to have been incorporated into the botnet.

Read the full repost here

 Here is a great article form VMware

VMware report finds more than half of Cobalt Strike users are using the tool illicitly

PALO ALTO, Calif. – As the most common cloud operating system, Linux is a core part of digital infrastructure and is quickly becoming an attacker’s ticket into a multi-cloud environment. Current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks that target Linux-based workloads.

Today, VMware, Inc. (NYSE: VMW) released a threat report titled “Exposing Malware in Linux-based Multi-Cloud Environments.”(1) Key findings that detail how cybercriminals are using malware to target Linux-based operating systems include:

• Ransomware is evolving to target Linux host images used to spin workloads in virtualized environments;
• 89 percent of cryptojacking attacks use XMRig-related libraries; and
• More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.

“Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware. “Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”

As malware targeting Linux-based operating systems increases in both volume and complexity amid a rapidly changing threat landscape, organizations must place a greater priority on threat detection. In this report, the VMware Threat Analysis Unit (TAU) analyzed the threats to Linux-based operating systems in multi-cloud environments: ransomware, cryptominers, and remote access tools.

Read the full article here

 The Federal Bureau of Investigation (FBI) and the United States Secret
Service (USSS) have released a joint Cybersecurity
Advisory (CSA) identifying indicators of compromise associated with
BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that
encrypts files on compromised Windows host systems, including physical and
virtual servers.

CISA encourages organizations to review the joint FBI-USSS CSA and
apply the recommended mitigations.

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and
the National Security Agency (NSA), issued a joint Cybersecurity
Advisory titled, “Russian State-Sponsored Cyber Actors
Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense
Information and Technology.” Compromised
entities have included cleared defense contractors (CDCs) supporting the U.S.
Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community
programs. 

Over the last two years, both large and small CDCs and
subcontractors supporting various defense industries have been observed being
targeted for unclassified proprietary and export-controlled information such as
weapons development, communications infrastructure, technological and
scientific research, and other proprietary details. In the advisory, the three
agencies outline the activities and tactics used by the Russian state-sponsored
cyber actors that include:  

• Brute force techniques to identify valid
  account credentials for domain and M365 accounts and then use those
  credentials to gain initial access in networks.  
• Spearphishing emails with
  links to malicious domains, to include using methods and techniques meant
  to bypass virus and spam scanning tools.  
• Harvested credentials used in conjunction
  with known vulnerabilities to escalate privileges and gain remote code
  executions on exposed applications. 
• Map the Active Directory and connect to
  domain controllers, which would enable credentials to be
  exfiltrated.  
• Maintained persistent access, in multiple
  instances for at least six months, which is likely because the threat
  actors relied on possession of legitimate credentials enabling them to
  pivot to other accounts.  

The FBI, NSA, and CISA urge all critical infrastructure
organizations and CDCs to investigate suspicious activity in their
enterprise and cloud environments. Also, all organizations, with or
without evidence of compromise, are encouraged to apply the mitigations listed
in the advisory to reduce the risk of compromise by this threat actor. Some of
the specific actions that can be taken to protect against this malicious
activity include: enforce multifactor authentication, enforce strong, unique
passwords, enable M365 Unified Audit Logs, and implement endpoint detection and
response tools.   

The agency maintains a dedicated webpage that
provides an overview of the Russian government’s malicious cyber
activities. Read the full advisory here and we encourage you to share
this information.  

In addition to this latest advisory on Russian
state-sponsored malicious cyber activity, we encourage all
organizations to review our new Shields Up webpage to
find recommended actions on protecting their most critical assets from
these threat actors. 

Cybersecurity
and Infrastructure Security Agency

NIST requests comments on Draft Special Publication (SP) 800-219, Automated Secure
Configuration Guidance from the macOS Security Compliance Project (mSCP). It
provides resources that system administrators, security professionals, security
policy authors, information security officers, and auditors can leverage to
secure and assess macOS desktop and laptop system security in an automated way.
This publication introduces the mSCP, describes use cases for leveraging the
mSCP content, and gives an overview of the resources available on the project’s
GitHub site. The GitHub site provides practical, actionable recommendations in
the form of secure baselines and associated rules, and it is continuously
curated and updated to support each new release of macOS.

The public comment period is open
through March 23, 2022. See the publication
details for a copy of the draft and instructions for submitting
comments.