Author: blogmirnet

A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with administrative user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.   Threat Intelligence There are reports of this vulnerability being exploited in the wild.   Systems Affected   Chrome prior to 124.0.6367.201/.202 for Windows and Mac Chrome prior to 124.0.6367.20 for Linux    Risk Government: – Large and medium government entities: High – Small government entities: Medium   Businesses: – Large and medium business entities: High – Small business entities: Medium   Home Users: Low   Recommendations   Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict execution of code to a virtual environment on or in transit to an endpoint system. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.   References Google: https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html   CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4671

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) released this Joint Cybersecurity Advisory to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This advisory provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the TOR browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.

The authoring organizations urge the HPH Sector and all critical infrastructure organizations to apply the recommendations in the mitigations section of this advisory to reduce the likelihood of compromise from Black Basta and other ransomware attacks.

The Federal Bureau of Investigation (FBI) released this Private Industry Notification (PIN) to highlight cybercriminals’ activity using phishing and Short Message Service (SMS) phishing (SMiShing) campaigns against employees at US retail corporate offices in order to create fraudulent gift cards resulting in financial loss.

As of January, the FBI noted a cybercriminal group labeled STORM-0539, also known as Atlas Lion, targeting national retail corporations; specifically the gift card departments located in their corporate offices. STORM-0539 used SMiShing campaigns to target employees and gain unauthorized access to employee accounts and corporate systems. Once they gained access, STORM-0539 actors used phishing campaigns to target other employees to elevate network access and target the gift card department in order to create fraudulent gift cards.

This FBI PIN includes some of the techniques, tactics, and procedures (TTPs) observed by STORM-0539 actors, recommended mitigations to reduce the likelihood and impact associated with similar attack campaigns, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

The Cyber Army of Russia Reborn (CARR), a hacktivist group connected to the Russian government, is actively targeting Water and Wastewater facilities across the United States to break into Supervisory Control and Data Acquisition (SCADA) systems, which are commonly used to control and monitor water utilities.

Numerous incidents have been reported nationally, and the frequency of these incidents has spiked in recent weeks. While none of the cyberattacks impacted drinking water for communities, the incidents mark a notable escalation in Russia’s targeting of critical infrastructure in the United States.

In January, a cyberattack against a water facility in Muleshoe, Texas caused a water tank to overflow. During the incident, hackers used a compromised password to break into a remote login system for industrial software that allows operators to interact with the water tanks. Officials took the system offline and switched to manual operations following the attack. Around the same time, authorities in several nearby Texan towns also implemented defensive strategies after detecting suspicious activity on their networks.

Related cyber threat activity targeting water utilities has recently increased, with additional incidents across the United States. CARR has claimed responsibility for the cyberattacks in a series of posts shared online. The posts are accompanied by screen recordings depicting the hackers infiltrating the water supply systems, changing passwords, and manipulating controls. Similar tactics, techniques, and procedures (TTPs) have been employed in the attacks, including using compromised passwords for accounts that did not have multi-factor authentication (MFA) enabled. In all instances, the hackers were observed attempting to access SCADA systems.

Mandiant has recently determined that CARR is connected to Sandworm, also known as APT44. Sandworm is part of Russia’s GRU military intelligence agency. Their research showed that Sandworm helped create CARR and can likely influence CARR’s activities. However, they are still determining if the group is operating independently.

Recommendations:

• Use strong, unique passwords and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
• Apply the Principle of Least Privilege.
• Keep systems up to date and apply patches after appropriate testing.
• Install endpoint security solutions to help protect against malware. · Employ a comprehensive data backup plan.
• Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
• Ensure operational technology (OT) environments are segmented from the information technology (IT) environments.

Phishing attacks posing as popular delivery services are becoming more challenging to spot. Many of these scams begin with a text message or email , often claiming that a package cannot be delivered. They may use language, such as “final notice,” to scare users into acting immediately. These messages provide a link stating that more information is needed to finish the pending delivery.

USPS SMiShing attempt. Source: Akamai

Upon clicking the provided link, users are directed to a well-crafted malicious website. The website’s design may appear to be a replica of the authentic delivery service’s website, using logos, color schemes, and a falsified tracking information page. These websites may ask for address information or state that a small fee must be remitted to release the package for delivery.

These malicious threat actors often use combosquatting domains to impersonate the delivery service. Researchers compared the amount of DNS traffic to the legitimate USPS.com and combosquatted domains over five months. The study was limited to domain names, which include “USPS,” and focused on the most apparent examples of combosquatting. Fully qualified domain names were ignored during their analysis due to the use of subdomains. Even within these parameters, the researchers discovered that the impersonated USPS domains receive as much traffic as the official domain and a much higher amount during holidays.

While threat actors continue improving their techniques, there are signs of malicious attempts to steal information:

The greetings are generic, as threat actors often send mass messages and do not have specific details. The message includes problems requiring personal details, payment information, or re-entry of address information. There is no prior knowledge of the incoming delivery. The provided link does not link to the official website for the delivery service.

Recommendations

Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails. Track incoming packages via websites obtained from verified and official sources. Navigate directly to legitimate websites and verify websites before submitting account credentials or providing personal or financial information. Report SMiShing to the FTC, FBI’s IC3, and the NJCCIC , and forward the message to 7726 (SPAM). USPS requests for any USPS-related SMiShing should also be reported to spam@uspis.gov.

The NJCCIC previously reported on the ransomware attack against Change Healthcare, one of the largest healthcare technology companies in the United States. This cyberattack showcases the cascading ramifications of ransomware incidents, including financial impacts and risks of paying ransom demands.

Financial Impacts: The ransomware attack caused considerable impacts, including disruptions to payment processing, prescription writing, and insurance claims. UnitedHealth, the parent company of Change Healthcare, disclosed that the incident has cost the company approximately $872 million so far. According to the American Hospital Association (AHA), about 94 percent of US hospitals reported damage to cash flow due to the incident, with over 50 percent reporting severe or significant financial damage, largely due to the inability to process claims.

Initial Attack Vector: In Change Healthcare CEO Andrew Witty’s written testimony for the House Energy and Commerce subcommittee hearing, Witty states that the BlackCat ransomware group breached Change Healthcare’s network via stolen credentials that were used to log into the company’s Citrix remote access service. It is believed that the credentials were obtained via information-stealing malware. The account did not have multi-factor authentication enabled, a security failure at odds with standard industry best practices.

Risks of Paying Ransom Demands: In early March, Change Healthcare reportedly paid a $22 million ransom demand to the cybercriminals behind the attack; however, the BlackCat ransomware operators failed to pay the ransomware affiliate, known as “Notchy.” The affiliate refused to delete the four terabytes of data they stole from Change Healthcare, which includes personally identifiable information and protected health information. In early April, the cybercriminals threatened to sell or release the data unless an additional ransom payment was made. UnitedHealth was removed from the ransomware group’s leak site, indicating the company may have paid the second ransom demand.

Hi reader of this blog here is an offer from Microsoft that might interest you.

We are thrilled to announce the Azure Business Continuity Center (ABCC, replacing BCDR Center preview with a new enhanced experience), an enhanced version of Backup center. With ABCC, you can easily identify gaps in your protection estate, take action to fix them, understand your protection settings across multiple policies, perform centralized monitoring with a single location for managing Azure Backup and Site Recovery jobs, and define governance and auditing compliance using Azure policies – all in one convenient location. ABCC also provides a simplified yet powerful security posture view of advanced protection capabilities to improve recoverability from accidental, malicious, or ransomware attacks. With ABCC, you improve productivity and efficiency while enhancing your security posture and overall BCDR experience You can manage all your Azure resources protected with Azure Backup /Site Recovery as well us VMware VMs replicating with Azure Site Recovery using Azure Business Continuity Center.

You can manage all your Azure resources protected with Azure Backup /Site Recovery as well us VMware VMs replicating with Azure Site Recovery using Azure Business Continuity Center.

The new Azure Business Continuity Center experience offers a range of features to help you manage your security and protection needs. Here’s a summary of benefits that you can expect in this preview:

     •      View summary of overall security and protection estate to identify and fix issues across Azure Backup and Site Recovery in real-time.
     •      Identify the not protected resources across Azure Backup & Site Recovery.
     •      Obtain entire protection estate in primary and secondary regions, identify gaps in protection and perform BCDR operations on all protected resources across Azure Backup & Site Recovery right from the same view.
     •      Assess the security of all your BCDR data and improve it by using advanced protection capabilities like immutable vaults, soft-delete, and multi-user authorization.
     •      Centrally monitor the jobs across Azure Backup and Site Recovery from a single location.
     •      Define and govern the resources against the configuration and audit compliance using Azure Policies.
     •      View protection policies used to meet your protection requirements across Azure Backup and Site Recovery and understand the settings configured.
     •      Manage vaults across Azure Backup and Site Recovery from a single location.

We believe that the new renewed ABCC will improve productivity and efficiency while enhancing your security posture and overall BCDR experience. We invite you to join our private preview and experience the benefits of ABCC for yourself.

Getting started is easy, no prerequisites steps are required to experience as well as there is no cost associated. To start with , simply navigate to Azure portal and search for Azure Business Continuity Center.

We look forward for you to give it a try to and give us your valuable feedback to help shape the experience. Let us know if you require demo for the new management capabilities via ABCC.

Below are few resources for you to get started :

     •      Revolutionize Business Continuity and Disaster Recovery with Azure’s Business Continuity Center
     •      What is Azure Business Continuity Center?
     •      Capabilities in Azure Business Continuity Center

I be talking about Hacker Tool Kit

See what hackers use to attack your company, both technical and socially.

Key Takeaways:

• See what hardware and software hackers use
• How the tools are used
• How can you protect your company

Get more info at NJ SECON

New Privacy-Preserving Federated Learning Blog Post!

Dear Colleagues,   

ln our last Privacy-Preserving Federated Learning (PPFL) post, we explored the problem of providing input privacy in PPFL systems for the horizontally-partitioned setting. In this new post, Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two, we focus on techniques for providing input privacy when data is vertically partitioned. This is particularly challenging, and organizations will need to grapple with trade-offs between data leakage and performance costs. Learn more in the fifth post of our series.   

Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two by David Darais, Joseph Near, Mark Durkee, and Dave Buckley

Read blogs #1 – #5 on our PPFL Blog Series page. We encourage readers to ask questions by contacting us at privacyeng@nist.gov.

Meanwhile—stay tuned for the next PPFL blog post!  

All the best, 
NIST Privacy Engineering Program

Read the Post

The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the initial public draft of NIST CSWP 32 ipd, NIST Cybersecurity Framework 2.0: A Guide to Creating Community Profiles. The comment period is open through May 3, 2024.

About the Guide

The NIST Cybersecurity Framework (CSF) 2.0 introduced the term “Community Profiles” to reflect the use of the CSF for developing use case-specific cybersecurity risk management guidance for multiple organizations. This guide provides considerations for creating and using Community Profiles to help implement the Framework. The guide describes Community Profiles, provides guidance for the content that may be conveyed through a Community Profile, and offers a Community Profile Lifecycle (Plan, Develop, Use, Maintain).

Read more about this guide, including the benefits of using Community Profiles. 

Submit Comments

The public comment period closes at 11:59 p.m. EDT on Friday, May 3, 2024. Please email all draft comments to framework-profiles@nist.gov. We encourage you to submit all feedback using the comment template found on our project page.

Join the Community of Interest

Consider joining the Community of Interest (COI) to receive the latest project news and announcements. Email the team declaring your interest or complete the sign-up form on our project page.

Learn More