Author: blogmirnet

Malicious copies of popular apps have been discovered on the Apple App Store. These apps are designed to be mistaken for legitimate apps and conduct malicious activity, such as stealing login credentials and other sensitive information. Malicious crypto wallet drainers and password vault impersonations have been reported to target unsuspecting victims and trick them into entering their credentials and crypto seed phrases, allowing threat actors to access their accounts to steal their funds and identities.   Leather warned about a malicious Leather app on the Apple App Store. They emphasized that users should refrain from inputting their secret seed phrases into the fake app and prompted victims to transfer their cryptocurrency into a new wallet to protect user assets from being drained by threat actors. They further advised users that the only legitimate Leather download is available directly from their website. As of March 12, the fake Leather app is no longer available on the Apple App Store.   Similar to Leather, Rabby Wallet does not yet offer an app through the Apple App Store. In addition to the fake versions of Rabby Wallet discovered on the platform in October and December 2023, a malicious crypto drainer app, dubbed Rabby Wallet and Crypto Solution, was uploaded to the Apple App Store in February. Apple has since removed all three cases.   The Apple App Store also approved a malicious imitation of the LastPass app. The fake app, dubbed LassPass, resembled the legitimate app’s branding, logo, and interface. The malicious copycat has since been removed, as it violated Apple’s copycat app guidelines. The persistence of malicious copycat apps and the recurring vulnerabilities in Apple’s app verification process highlight the critical need for more robust app screening procedures to prioritize user safety and security.

NIST will host a workshop on the development of a new block cipher mode of operation on June 20–21, 2024, at the National Cybersecurity Center of Excellence in Rockville, Maryland. 

Important Dates

Workshop: June 20–21, 2024

Submission deadline: May 1, 2024

Notification date: May 17, 2024

Registration deadline: June 13, 2024

NIST plans to develop a new mode of the AES that is a tweakable, variable-input-length-strong pseudorandom permutation (VIL-SPRP) with a reduction proof to the security of the underlying block cipher.

The term “accordion cipher mode” (or “accordion mode”) refers to a mode that acts as a cipher on a range of input sizes. A well-designed accordion mode could potentially provide significant advantages over most of the block cipher modes that NIST currently approves. For example, an accordion mode could provide better resistance to cut-and-paste attacks than CBC, or it could be adapted to provide authenticated encryption with associated data (AEAD) with better properties than GCM, such as resistance to nonce misuse, support for short tags, nonce hiding, and key commitment. An accordion mode could also be adapted to provide key wrapping that is more efficient than KW and KWP.

NIST intends to post preliminary ideas and plans by early April 2024. The goal of the workshop is to solicit public input on the specific requirements for the design and use of an accordion mode and the evaluation criteria in the development process. Potential topics for discussion include:

• Parameter lengths for the accordion mode: keys, tweaks, data input
• Whether the accordion mode should support an underlying block cipher with 256-bit blocks
• Formal security goals for the accordion mode
• Requirements and features for the main use cases (e.g., AEAD )
• Potential design strategies
• Performance targets
• Implementation considerations
• The development and standardization process

Attendees may submit extended abstracts or slides for a short presentation (up to 10 minutes) for any number of the sessions. Submissions must be provided electronically in PDF format and sent to [email protected] by May 1, 2024. NIST will post the accepted abstracts and presentations on the workshop website, though no formal proceedings will be published. 

Most of the workshop sessions are expected to include a panel discussion or extensive open discussion. Time will also be allotted for impromptu “lightning talks” — brief presentations of recent research results without slides. All sessions and lightning talks will be recorded.

Waivers of the registration fee are available for a limited number of students, but no waivers are available for speakers.

Updates and additional information will be posted to the workshop website and ciphermodes-forum email distribution list. Instructions for subscribing to the email forum can be found at https://csrc.nist.gov/Projects/block-cipher-techniques/email-list-ciphermodes-forum.

Inquiries: [email protected]

Learn More About This Workshop

March 22, 2024 | 2:00 PM – 3:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Join us at Microsoft Discovery Hour: Differentiate with AI-Powered Intelligent Apps to discover how to drive competitive advantages using cloud computing, data, and AI. During this free event, you’ll explore ways to modernize, build, deploy, and scale applications with speed, flexibility, and enterprise-grade security using Azure services for AI, containers, and databases. Explore real-life use cases to understand ways to improve customer experiences and open new business opportunities with intelligent applications.

Who should attend:

• Chief technology, digital, experience, information, marketing, finance, and security officers
• Vice presidents, general managers, and directors of software and application development, engineering, and software architecture
• Vice presidents, general managers, and directors of product developmentDuring this event, you’ll be able to:
• Get to know the core data, AI, and app technologies used to build intelligent apps.
• Identify ways to reimagine and create a robust, modernized app strategy that builds on the architectural foundations of cloud-first applications.
• Discover opportunities to create revenue-building products and services based on Azure services.

Here’s what you can expect:

• EVENT PRESENTATION
• Welcome
• How AI is changing what software makes possible
• Real-world examples
• Reimagining app strategy in the era of AI
• Question and answer
• Closing

Click here for the Microsoft Event Code of Conduct.

Disclaimer: Microsoft Discovery Hour: Differentiate with AI-Powered Intelligent Apps is open to the public and offered at no cost. Prior to registering for this event, government employees must check with their employers to ensure that their participation is permitted and in accordance with applicable policies and laws.

Register Here

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this updated Joint Cybersecurity Advisory to disseminate known IOCs and TTPs associated with the ALPHV/BlackCat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.

This advisory provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022, and to this advisory released December 19, 2023. ALPHV/BlackCat actors have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise. Since mid-December 2023, of the nearly 70 leaked victims, the Healthcare and Public Health sector has been the most commonly victimized. This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.

FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of ALPHV/BlackCat ransomware and data extortion incidents.

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners are releasing this Joint Cybersecurity Advisory to warn of Russian state-sponsored cyber actors’ use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide.

The FBI, NSA, US Cyber Command, and international partners assess the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium), have used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spearphishing landing pages and custom tools.

The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers. However, owners of relevant devices should take the remedial actions described in the advisory to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this Joint Cybersecurity Advisory to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open-source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million US dollars.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.

Subdomain hijacking occurs when threat actors gain control of a subdomain of a legitimate domain by taking over unused or abandoned subdomains or exploiting misconfigured DNS records. They systematically scan for forgotten subdomains with dangling CNAME records of abandoned domains via specific targeting or automated tools. The threat actors then register these subdomains under their ownership to host malicious content or initiate additional attacks, such as hosting phishing landing pages designed to harvest login credentials. Additionally, a DNS SPF record of a known domain may hold unused or abandoned subdomains associated with obsolete email or marketing-related services. Threat actors can take ownership of those subdomains, inject their IP address into the SPF record, and send emails on behalf of the primary domain name.

Since 2022, researchers have tracked a sophisticated subdomain hijacking operation dubbed SubdoMailing . Over 8,000 domains and 13,000 subdomains for legitimate brands and organizations have been impacted, including VMware, McAfee, Symantec, Better Business Bureau, and more. While subdomain hijacking is not new, what is concerning about this operation is the magnitude of identified domains and subdomains already compromised and counting. The impacts of these successful attacks can lead to reputational damage, financial losses, operational disruption, data breaches, phishing and fraud, and malware distribution.

The threat actor behind the SubdoMailing operation, ResurrecAds, leverages trusted domains and a sophisticated distribution architecture to bypass email authentication controls and send millions of spam and phishing emails daily. The emails are designed to appear legitimate and evade detection of standard text-based spam filters by including an image that, if clicked, triggers a series of click-redirects through different domains. The redirects check the device type and geographic location to custom tailor the content and maximize profit, such as malicious advertisements, affiliate links, quiz scams, phishing websites, and malware downloads. The NJCCIC recommends that domain administrators and site owners utilize Guardio Lab’s SubdoMailing checker tool and website , which is updated daily, to search for impacted domains as detected by their systems. Additionally, the search results of affected domains display details of known abuses, type of hijack, and relevant subdomains and SPF records in need of attention. Furthermore, Guardio Labs offers recommendations, including monitoring all CNAME records, monitoring SPF policies, removing permissive SPF settings, and implementing DMARC. Also, regularly check DNS records for any unauthorized changes or unused or abandoned subdomains, train designated employees about subdomain hijacking to identify unusual changes to DNS records or website traffic, and confirm that third-party servers are not referenced in CNAME records of organization domains before deletion. If feasible, consider registering the domain name as intellectual property to provide legal protection in the event of a hijacking. Also, registrars recently have the option to block the registration of domains with similar appearances, spellings, or otherwise infringement on brand names to protect their trademark and help prevent malicious usage.   We recommend that users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and exercise caution with communications from known senders. If unsure of the legitimacy, contact the sender via a separate means of communication, such as by phone, from trusted sources before taking action. If you suspect your PII has been compromised, please review the  Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts. Additionally, we advise reporting suspicious or fraudulent correspondence to the respective entity. Impersonation scams and other malicious cyber activity can be reported to the NJCCIC.

NIST has published the final version of Internal Report (IR) 8472, Non-Fungible Token Security.

Non-fungible token (NFT) technology provides a mechanism to sell and exchange both virtual and physical assets on a blockchain. While NFTs are most often used for autographing digital assets (associating one’s name with a digital object), they utilize a strong cryptographic foundation that may enable them to regularly support ownership-transferring sales of digital and physical objects. For this, NFT implementations need to address potential security concerns to reduce the risk to purchasers.

This publication:

• Defines NFTs
• Identifies 11 properties that should be provided by most correctly functioning and secured NFT implementations
• Evaluates each property to reveal 27 potential security concerns

Read More

Work Role Categories and Work Roles Minor changes to Work Role Category names, descriptions, and ordering to create a more uniform and complementary approach modeled after technology lifecycles Updates to Work Role names, descriptions, and IDs to reflect category updates and to differentiate Work Role functions from job titles  New Insider Threat Analysis Work Role with associated TKS statements Competency Areas 11 Competency Areas with descriptions Task, Knowledge, and Skill (TKS) Statements Updates to align TKS statements with the TKS Authoring Guide principles Removal of duplicate and redundant statements Edits to address inconsistent and unclear language You can access version 1.0.0 of the NICE Framework components in the NICE Framework Resource Center. Also available is a summary of changes and the NICE Framework Components Mapping: 2017 to Version 1.0.0 (March 2024) spreadsheet.

Future Iterations of NICE Framework Components

Version 1.0.0 of the NICE Framework components is the first, official published version since 2017. The NICE Program Office intends to take a software update versioning approach for NICE Framework components, with a mix of minor and major updates over time. While users of the NICE Framework are always encouraged to reference the most recent published version of the components, users may choose to continue using older versions. Please note that outdated versions may not be supported by the NICE Program Office. A record of versions of the NICE Framework can be found on the NICE Framework History and Change Logs webpage. Stay Connected!   If you have ideas for new Work Roles, updates to existing components, or would like to be involved in identifying Competency Area statements, let us know: [email protected]. In addition, the NICE Program Office will continue to look at ways to support use of the NICE Framework in various tools and through alignments by developing new support resources. Stay in touch to learn about these efforts and how to get involved by joining the NICE Framework Users Group. Find out more: Learn more about the NICE Framework evolution, how it can be used, and how to engage in its continued development at the NICE Framework Resource Center. Updated and new resources have been added, including: Getting Started with the NICE Framework NICE Framework Frequently Asked Questions NICE Framework Revision Process NICE Framework Change Request FAQs NICE Framework History and Change Logs

In August 2021, NIST’s Crypto Publication Review Board initiated a review process for NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (2007).

On August 23, 2023, NIST proposed to revise SP 800-38D and received two public comments in response.

NIST has decided to revise SP 800-38D. See the full announcement for more details, links to comments received, and ways to monitor future developments.

Read More