Face recognition software is commonly used as a gatekeeper for accessing secure websites and electronic devices, but what if someone can defeat it by simply wearing a mask resembling another person’s face? Newly published research from the National Institute of Standards and Technology (NIST) reveals the current state of the art for software designed to detect this sort of spoof attack.
The new study appears together with another that evaluates software’s ability to call out potential problems with a photograph or digital face image, such as one captured for use in a passport. Together, the two NIST publications provide insight into how effectively modern image-processing software performs an increasingly significant task: face analysis.
This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released this Joint Cybersecurity Advisory to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.
Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.
The FBI and CISA encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of ransomware incidents.
Cisco Talos has published an open-source report regarding the North Korean state-sponsored actor, the Lazarus Group, reported to be targeting internet backbone infrastructure and healthcare entities in Europe and the United States. The attackers have been exploiting a vulnerability in ManageEngine products, which is tracked as CVE-2022-47966. This vulnerability was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog in January 2023. Through this exploit, the attackers are deploying the remote access trojan (RAT) known as “QuiteRAT.” Security researchers previously identified this malware in February 2023, and it is reportedly the successor to the group’s previously used malware “MagicRAT,” which contains many of the same capabilities. Further analysis of this campaign has also shown that the group is using a new malware tool called “CollectionRAT,” which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities. Both CISA and the FBI have previously warned that these types of vulnerabilities are common attack methods for malicious actors and can pose a significant risk to healthcare and public health organizations.
This HC3 Sector Alert provides additional details, indicators of compromise, mitigation recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals.
With a mention in the newNational Cyber Workforce and Education Strategy and even adedicated state law, K–12 cybersecurity education clearly has the eye of policymakers. However, despite public attention and new opportunities for high school students to pursue cybersecurity coursework, high schools often struggle to provide students with a clear understanding of what cybersecurity careers actually look like. Hands-on learning experiences, like those we’ve had at our schools and during our internship with NICE at NIST, can help bring cybersecurity education and career pathways into focus for young learners.
High school cybersecurity education, career awareness, and hands-on activities are in short supply
Cybersecurity can be a challenging topic for students. They may need to learn new programming languages, techniques to analyze large sets of data, and other new systems and technologies. Professional skills in communication, teamwork, and leadership, which are all essential in cybersecurity, also take time and practice to develop…
Multiple vulnerabilities have been discovered in Notepad++, the most severe of which could result in arbitrary code execution. Notepad++ is a free and open-source text and source code editor for use with Microsoft Windows. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat IntelligenceProof of concept exploits have also been published for these vulnerabilities.
System Affected – Notepad++ prior to 8.5.7
Risk Government: – Large and medium government entities: Medium – Small government entities: Medium
Businesses: – Large and medium business entities: Medium – Small business entities: Medium
Home Users: Low
Technical Summary Multiple vulnerabilities have been discovered in Notepad++, the most severe of which could allow for arbitrary code execution.
Civil society organizations and other communities on the frontlines of the fight for democracy and human rights are frequently targets of Advanced Persistent Threats. These same organizations require additional support from the Federal government and the broader cybersecurity community to protect, detect, and defend against cyber threats.
The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with industry and civil society, is developing a cyber defense plan to advance the following objectives:
Enhance baseline levels of cyber hygiene for civil society organizations. Improve the response and resilience of targeted organizations. Gain commitments from industry, government, and civil society to equitably distribute the burden of bolstering the cybersecurity of high-risk communities.
CISA is recruiting cyber volunteer programs to feature on the CISA.gov website (with consent) to:
Help prospective volunteers get in touch with their local volunteer corps or clinic; and Connect organizations in need of cybersecurity assistance with cyber volunteer programs that can assist.
CISA also wants to know if your organization offers free tools & services to high-risk communities.
Please contact CISA if you are aware of, or belong to:
A cyber volunteer program that can help, and should be included on CISA.GOV; or Free tools or services that can bolster cybersecurity protections to high-risk communities.
For more information and CISA contact information, click here.
Enterprise application environments consist of geographically distributed and loosely coupled microservices that span multiple cloud and on-premises environments. They are accessed by a userbase from different locations through different devices. This scenario calls for establishing trust in all enterprise access entities, data sources, and computing services through secure communication and the validation of access policies.
Zero trust architecture (ZTA) and the principles on which it is built have been accepted as the state of practice for obtaining necessary security assurances, often enabled by an integrated application service infrastructure, such as a service mesh. ZTA can only be realized through a comprehensive policy framework that dynamically governs the authentication and authorization of all entities through status assessments (e.g., user, service, and requested resource). This guidance recommends:
The formulation of both network-tier and identity-tier policies
The configuration of technology components that will enable the deployment and enforcement of different policies (e.g., gateways, infrastructure for service identities, authentication and authorization modules that enforce policies)
A comprehensive monitoring framework that provides coverage for various tasks, such as observing the status of resources and tracking events (e.g., user access requests, changes to enterprise directories)
The use of telemetry data to enhance security by fine-tuning access rights and enforcing step-up authentication
De-identification removes identifying information from a data set so that the remaining data cannot be linked to specific individuals. Government agencies can use de-identification to reduce the privacy risks associated with collecting, processing, archiving, distributing, or publishing government data. Previously, NIST published NIST Internal Report (IR) 8053, De-Identification of Personal Information, which provided a survey of de-identification and re-identification techniques. SP 800-188 provides specific guidance to government agencies that wish to use de-identification.
This final document was authored by experts at NIST and the U.S. Census Bureau and references up-to-date research and practices for both traditional de-identification approaches as well as the use of formal privacy methods, such as differential privacy, to create de-identified datasets. This document also addresses other approaches for making datasets that contain sensitive information available to researchers and for public transparency. Where appropriate, this document cautions users about the inherent limitations of traditional de-identification approaches when compared to formal privacy methods, such as differential privacy.
Threat actors are increasingly leveraging native, legitimate tools on targeted systems or networks—a technique known as Living off the Land (LOTL) attacks—to gain access, steal credentials, maintain persistence, obfuscate malicious activity, evade detection by legacy security tools, exfiltrate data, and more. These attacks are popular with threat actors because the tools are readily available and built into computers by default. The attacks are difficult to detect by security tools using signature-based methods, legacy security tools, allowlisting, sandboxing, and machine-based analysis. Therefore, it is challenging to distinguish between normal and malicious activity. Additionally, most environments cannot disable, uninstall, or block legitimate tools because they are not viewed or flagged as malicious.
According to CrowdStrike’s 2022 Global Threat Report, 62 percent of threat actors use fileless malware techniques in LOTL attacks, such as exploit kits, hijacked native tools, registry resident malware, memory-only malware, fileless ransomware, and stolen credentials. Threat actors utilize exploit kits to automate initial compromises and take advantage of vulnerabilities in operating systems or installed applications. They also hijack native, legitimate tools to escalate privileges, access other systems or networks, steal or encrypt data, install malware, set up backdoors, and more. Resident registry malware writes malicious code directly into the Windows registry, can be programmed to launch when the operating system starts, and remains persistent and undetected for long periods. Memory-only malware resides only in memory, remains hidden, and can serve as a backdoor to conduct reconnaissance, move laterally, and exfiltrate data. Threat actors utilize fileless ransomware first to embed malicious code in documents and hijack legitimate tools to encrypt files. Common tools used by ransomware groups include PowerShell, PsExec, Windows Management Instrumentation (WMI), Mimikatz, and Cobalt Strike. Threat actors also steal legitimate users’ account credentials to target other users in business email compromise (BEC) scams with the intent to harvest account credentials or other sensitive information, conduct reconnaissance of additional systems, hijack legitimate tools, and establish persistence.
Image Source: Recorded Future
Threat actors recently used legitimate tools in LOTL attacks. Advanced persistent threat (APT) groups abused trusted legitimate internet services (LIS), such as Microsoft’s OneDrive and Google Cloud, to obfuscate malicious activity and adversary infrastructure and improve operations and data theft efficiency. Additionally, threat actors exploited a vulnerability in Microsoft Teams to bypass client-side security controls and deliver malware. Once they compromised two Microsoft 365 accounts, they sent HR-themed phishing emails claiming there had been changes to the vacation schedule. The emails contained a malicious attachment that, if downloaded from the SharePoint website and opened, launched a script to install DarkGate malware. In another attack, threat actors used Google Looker Studio to initiate an email from Google that contained a link to a fake cryptocurrency investment strategies report. To access it, the target was directed to a login page that harvests account credentials. Finally, threat actors abused the Windows Advanced Installer tool to package other legitimate software installers with malicious scripts to execute cryptocurrency-mining malware on infected systems. Although they targeted graphic designers with GPU miners primarily in France and Switzerland, there were a few reported infections in the US.